Available in VPC
You can set different access permissions for Cloud Security Watcher using NAVER Cloud Platform's Sub Account service. Sub Account offers both system-managed (System Managed) and user-defined (User Created) policies to help you configure management and operation permissions.
Sub Account is a free service with no additional charges. For more information about Sub Account, see Services > Management & Governance > Sub Account on the NAVER Cloud Platform portal and the Sub Account user guide.
System-managed policies
System-managed policies are pre-built, role-based policies that NAVER Cloud Platform provides for your convenience. When you assign one of these policies to a sub account, that account gets access to Cloud Security Watcher. Here are the available system-managed policies for Cloud Security Watcher:
| Policy name | Policy description |
|---|---|
| NCP_ADMINISTRATOR | |
| NCP_INFRA_MANAGER | Access to all NAVER Cloud Platform services, except the My Account > Pricing information and cost management > Billing and payment management menu on the console |
| NCP_FINANCE_MANAGER | Access to Cost Explorer and the My Account > Pricing information and cost management > Billing and payment management menu on the console |
| NCP_VPC_CLOUD_SECURITY_WATCHER_MANAGER | Full access to all Cloud Security Watcher features on the VPC platform |
| NCP_VPC_CLOUD_SECURITY_WATCHER_VIEWER | View-only access to all Cloud Security Watcher features on the VPC platform |
User-defined policies
User-defined policies let you create custom permissions. When you assign a user-defined policy to a sub account, that account can only perform the specific actions you've allowed. Here are the actions you can allow in a user-defined policy for Cloud Security Watcher:
| Type | Action name | Related action | Resource type | Group by resource type | Action description |
|---|---|---|---|---|---|
| Change | Change/CreatCSWGroup | View/GetCSWGroupList | - | CSW | Create CSW group. |
| View | View/GetCSWConsoleDomain | - | - | CSW | Access CSW group access domain. |
| View | View/GetCSWGroupList | - | - | CSW | View CSW group details. |
| Change | Change/UpdateCSWGroup | View/GetCSWGroupList | - | CSW | Change CSW group settings. |
| Change | Change/DeleteCSWGroup | View/GetCSWGroupList | - | CSW | Delete CSW group. |
| Change | Change/CreatCSWSubscription | - | - | CSW | Subscribe to CSW. |
| Change | Change/DeleteCSWSubscription | - | - | CSW | Unsubscribe from CSW. |
If you grant someone access to a specific action but not to the required related actions, they won't be able to complete their tasks. Sub Account automatically includes these related permissions to prevent this issue. However, if you manually uncheck these auto-selected related actions, the system assumes this was intentional and won't override your selection.
Precautions for setup
Note the following precautions when you use Sub Account to set a sub account's permissions for accessing Cloud Security Watcher:
- Avoid using the main account: We recommend that you do not use the main account to use Cloud Security Watcher. If you use an account with NAVER Cloud Platform's admin permissions, all the permissions for the account can be captured and abused when an intrusion occurs.
- Create sub accounts for each role: To distinguish users of Cloud Security Watcher, you can create sub accounts for each role and grant the necessary permissions.
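
The related-action rule and the per-role sub account advice above can be checked before a user-defined policy is saved. The following is an added example, not NAVER Cloud Platform code: the action names are copied from the table on this page, while the role names, the `read_only` flag and the dictionary layout are assumptions made for illustration and are not Sub Account's policy format.

```python
# Action table from this page: action name -> related actions it depends on.
CSW_ACTIONS = {
    "Change/CreatCSWGroup": ["View/GetCSWGroupList"],
    "View/GetCSWConsoleDomain": [],
    "View/GetCSWGroupList": [],
    "Change/UpdateCSWGroup": ["View/GetCSWGroupList"],
    "Change/DeleteCSWGroup": ["View/GetCSWGroupList"],
    "Change/CreatCSWSubscription": [],
    "Change/DeleteCSWSubscription": [],
}


def lint_role(actions, read_only=False):
    """Return findings for one role's action set, ordered by action name."""
    granted = set(actions)
    findings = []
    for action in sorted(granted):
        if action not in CSW_ACTIONS:
            # Names are matched exactly as they appear in the table.
            findings.append(f"unknown action: {action}")
            continue
        for related in CSW_ACTIONS[action]:
            if related not in granted:
                findings.append(f"{action} is missing related action {related}")
        if read_only and action.startswith("Change/"):
            findings.append(f"read-only role grants {action}")
    return findings


def lint_roles(roles):
    """Lint every role; return only the roles that have findings."""
    report = {name: lint_role(spec["actions"], spec.get("read_only", False))
              for name, spec in roles.items()}
    return {name: found for name, found in report.items() if found}


# Constructed sample roles (hypothetical names, not NCP policy syntax).
SAMPLE_ROLES = {
    "csw-auditor": {"read_only": True,
                    "actions": ["View/GetCSWGroupList", "View/GetCSWConsoleDomain"]},
    "csw-group-admin": {"actions": ["Change/UpdateCSWGroup", "Change/DeleteCSWGroup"]},
    "csw-helpdesk": {"read_only": True,
                     "actions": ["View/GetCSWGroupList", "Change/DeleteCSWSubscription"]},
}

if __name__ == "__main__":
    for role, findings in lint_roles(SAMPLE_ROLES).items():
        for finding in findings:
            print(f"{role}: {finding}")
```

A role with no findings is omitted from the report, so an empty result means every role includes its related actions and no role marked read-only can change CSW groups or subscriptions.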