Available in VPC
You can set up various access permissions for the Data Stream service by using Sub Account, the user management service of NAVER Cloud Platform. Sub Account provides system-managed policies and user-defined policies for setting management and administration permissions.
Sub Account is provided upon subscription at no additional charge. For more information on Sub Account, see Services > Management & Governance > Sub Account on the NAVER Cloud Platform portal and the Sub Account user guides.
System-managed policies
System-managed policies are role-based policies defined by NAVER Cloud Platform for user convenience. When you assign a system-managed policy to a sub account created in Sub Account, that sub account can use the Data Stream service with the permissions granted. The following is a brief description of the system-managed policies of the Data Stream service.
| Policy name | Policy description |
|---|---|
| NCP_ADMINISTRATOR | Full access to all services with the same scope as the main account |
| NCP_INFRA_MANAGER | Permission to access all services, except the My Account > Billing information and cost management > Billing and payment management menu in the console, which is restricted. |
| NCP_FINANCE_MANAGER | Permission to access only the Cost Explorer service and the My Account > Billing information and cost management > Billing and payment management menu in the console. |
| NCP_VPC_DATA_STREAM_MANAGER | Permission to use the full VPC-based Data Stream feature sets |
| NCP_VPC_DATA_STREAM_VIEWER | Permission to only use the view feature of the VPC-based Data Stream |
| NCP_DATA_STREAM_SERVICE_ROLE | Permissions granted to the Service Role of the Data Stream service |
User-defined policies
User-defined policies are policies that users create themselves. Once a user-defined policy is granted to a sub account created in Sub Account, that sub account can use only the combination of actions assigned in the policy. The following is a brief description of the actions available for user-defined policies of the Data Stream service:
| Type | Action name | Related action | Resource type | Group by resource type | Action description |
|---|---|---|---|---|---|
| View | View/getTopicSummary | - | - | - | View topic summary information |
| View | View/getTopicMetrics | - | - | - | View topic metrics list |
| View | View/getTopicList | - | - | - | View topic list |
| View | View/getTopicDetail | - | - | - | View topic details |
| View | View/getPreviewData | - | - | - | View topic recent data |
| View | View/getConsumersMetrics | - | - | - | View entire consumer metrics list |
| View | View/getConsumerMetrics | - | - | - | View specific consumer metrics list |
| View | View/getConnector | - | - | - | View connector information |
| View | View/getBucketList | - | - | - | View bucket list |
| View | View/getObjectList | - | - | - | View the list of objects in the bucket and bucket details |
| View | View/getServiceRoleList | - | - | - | View the Service Role for the connector |
| Change | Change/createTopic | - | - | - | Create topic |
| Change | Change/updateTopic | - | - | - | Edit topic information |
| Change | Change/deleteTopic | - | - | - | Delete topic |
| Change | Change/createConnector | - | - | - | Create connector |
| Change | Change/updateConnector | - | - | - | Edit connector information |
| Change | Change/deleteConnector | - | - | - | Delete connector |
| Change | Change/createServiceRole | - | - | - | Create the Service Role for the connector |
| Change | Change/produceData | - | - | - | Data Storage APIs usage permissions |
| Change | Change/consumeData | - | - | - | Data Reading APIs usage permissions |
Even when you are granted permission for a specific action, if you are not also granted permissions for the related actions that are required, you will not be able to perform tasks properly. To prevent such issues, Sub Account provides a feature that automatically grants permissions for related actions when granting action permissions. However, if you deselect related actions that are automatically granted, the system will determine that it was done intentionally by the main account user and will not forcibly include them. Therefore, be careful when setting permissions.