- Print
- PDF
Managing Cloud Security Watcher permissions
- Print
- PDF
Available in VPC
By using Sub Account, NAVER Cloud Platform's account management service, you can set various access permissions for Cloud Security Watcher. Sub Account provides System Managed policies and User Created policies for setting management and administration permissions.
Sub Account is a service provided free of charge upon subscription request. For more details about Sub Account, see the Services > Management & Governance > Sub Account menu in the NAVER Cloud Platform portal, and Sub Account User Guide.
System Managed policies
System Managed policies are role-based policies defined by NAVER Cloud Platform for user convenience. Once System Managed policies are granted to a sub account created in Sub Account, that sub account can use Cloud Security Watcher. The following is a brief description about System Managed policies of Cloud Security Watcher.
Policy Name | Policy description |
---|---|
NCP_ADMINISTRATOR | Permission to access the portal and console in NAVER Cloud Platform in the same manner as main accounts |
NCP_INFRA_MANAGER | Permission to use all services in NAVER Cloud Platform and access My Page > Manage notifications in the portal |
NCP_VPC_CLOUD_SECURITY_WATCHER_MANAGER | Permission to use all the features in the VPC-based Cloud Security services |
NCP_VPC_CLOUD_SECURITY_WATCHER_VIEWER | Permission to only use the view function in VPC-based Cloud Security Watcher service |
User Created policies
User Created policies are policies that users can create. Once user created policies are granted to a sub account created in Sub Account, that sub account can only use the user-assigned action combinations. The following is a brief description about User Created policies of Cloud Security Watcher.
Classification | Action name | Related action(s) | Resource type | Group by resource type | Action description |
---|---|---|---|---|---|
Change | Change/CreatCSWGroup | View/GetCSWGroupList | - | CSW | Create CSW group |
View | View/GetCSWConsoleDomain | - | - | CSW | Access the CSW group access domain. |
View | View/GetCSWGroupList | - | - | CSW | View CSW group details |
Change | Change/UpdateCSWGroup | View/GetCSWGroupList | - | CSW | Change CSW group settings |
Change | Change/DeleteCSWGroup | View/GetCSWGroupList | - | CSW | Delete CSW group |
Change | Change/CreatCSWSubscription | - | - | CSW | Request subscription to CSW |
Change | Change/DeleteCSWSubscription | - | - | CSW | Unsubscribe CSW |
Even when you are granted permission for a specific action, if you are not also granted permissions for the related actions that are required, then you won't be able to perform jobs properly. To prevent such issues, Sub Account provides a feature that automatically grants permissions for related actions when granting action permissions. However, if you deselect related actions that are automatically granted, then the system determines that it was done intentionally by the main account user and won't forcibly include them. So, be careful when setting permissions.
Precautions for setup
You need to be careful of the following when setting the permissions for accessing Cloud Security Watcher for a sub account using the Sub Account.
- Prohibited to use the main account: It is recommended not to use the main account to use the Cloud Security Watcher. When you use an account having the permissions for manager for NAVER Cloud Platform, if a violation occurs, all the permissions for the account can be captured and abused.
- Creation of sub account for each role: You can create a sub account for each role and grant needed permissions for classifying users to use the Cloud Security Watcher.