Using subaccounts
  • PDF

Using subaccounts

  • PDF

Before use

Q. What is Sub Account?

  • Sub Account is a service that provides sub accounts to enable multiple users to use and manage the same resource.
  • Sub accounts can freely use and manage the NAVER Cloud Platform services within the scope of their privileges.

Q. How are accounts and sub accounts different?

  • An e-mail address registered to use NAVER Cloud Platform is called "account." Account has the user's personal information and payment information, and can use all the services of NAVER Cloud Platform.
  • "Sub-account" plays an auxiliary role to use/manage the resources of the account together, and can freely use the service within the privileges granted. If a sub-account has been granted the privilege of NCP_SERVER_MANAGER (formerly, server administrator), then it can use all the features of the server. All the details of that sub-account's work can be checked in the Cloud Activity Tracer.
  • The fee for a service that uses sub accounts is charged to the account that created the sub account.

Q. How do I use Sub Account?

  1. Register a sub account by setting the login ID, user name, access type, password, and policy to be used by internal users. Account users can create sub accounts using the Sub Account.
  2. In Sub Account, set an access page to log in to the sub account.
  3. Internal users log in to the sub account using the access page for the sub account. The NAVER Cloud Platform services and features are provided according to the policy assigned to the sub account.

Q. What features does Sub Account provide?

  • Dashboard: You can check the number of sub accounts, groups, policies, and access page settings on the dashboard.
  • Sub account: You can create a new sub account, edit/delete, or suspend/cancel the information of an existing sub account. On each sub account detail page, you can add/delete groups and policies, or manage access keys required for the use of API Gateway.
  • Group: You can create/delete or rename sub account groups. You can add/delete sub accounts or policies to a group so that the same policy is reflected in multiple sub accounts.
  • Policy: The privileges that can be used by sub accounts are groups and provided as a policy. You can check the list of policies and the types, privileges, and targets of the policies.
  • STS (Secure Token Service): You can create and use a temporary access key that can control access to resources on NAVER Cloud Platform. This can be used when a permission is temporarily required because sharing the access key with no expiration date can pose a threat to security.
  • Role: This is a temporary credential made up of policies that can grant privileges to resources, such as accounts and servers. The role currently being provided can only be assigned to the server resources, and its usability will be expanded in the future.

Q. What privileges can be granted to sub accounts?

sub accounts created through the Sub Account service can be granted various privileges as follows:

  • Same access as main account on NAVER Cloud Platform (Portal My Page, access to all services in console)

If you grant the NCP_ADMINISTRATOR policy among the System Managed policies provided by the Sub Account service, you can access the portal and console within the NAVER Cloud Platform just like the main account.

  • Access to all services within the NAVER Cloud Platform Console

If you grant the NCP_INFRA_MANAGER policy among the System Managed policies provided by Sub Account Services, you can access all the services in the console just like your main account.

  • Access rights by service within NAVER Cloud Platform Console

If you grant the NCP_{service name}_MANAGER/VIEWER policy among the System Managed policies provided by Sub Account Services, you can access the service.

  • Access to My Page "Manage Usage" menu in NAVER Cloud Platform Portal

If you grant the NCP_FINANCE_MANAGER policy among the System Managed policies provided by the Sub Account service, you can access the "Service Usage History/Status, Promotion Details, Billing Details & Status Graph" menu in the portal My Page.

Create a sub account

Note

Up to 500 can be created.

Step 1. Connect to console and create sub account

Connect to the console and create a sub account.

(If you can't see sub account service under My Products, go to Services > Management & Governance > Sub Account and click ☆ to add them to My Products.)

management-4-101_en

1. Since you do not have a sub account, the following text will be displayed along with the sub account service information.

  • "No sub account found. Please click the Create Sub account button to create a new sub account"To create a sub account, click the [Create sub account] button.

management-4-102_en

2. Enter the login ID, user name, and password of the sub account, select the access type and two-factor authentication, and then click the [Create] button.

  • Access type
    • Console Access: Check to allow the console access of sub account.
      • The management console access IP of the sub account can be restricted by band.
    • API Gateway Access: Check to allow the access of API Gateway. If you select the item, you can manage the access key on the detail page after creating a sub account and use the key to use API Gateway. Moreover, sub accounts can manage their own access key through the Portal > My page > Manage authentication key menu after logging in.
  • Two-factor authentication setting
    • You can configure sub accounts to mandatorily set and use two-factor authentication.
    • The information for two-factor authentication is initially set when the sub account logs in for the first time. It can be edited in My page > Manage account > Manage two-factor authentication of the portal.
  • Password reset requirement
    • If you check the Password Reset Requirement item, it enables the sub account to go to the password setting page and change the password when it logs in.
    • If you do not change your password on the password setting page, then you will be directed to the password setting page each time you log in.

Step 2. Add policy

After creating a sub account, add a policy in the Policy tab of the sub account detail screen.

  • The add all permissions allows you to grant policies that allow you to perform any action.

management-4-103_en

① Click the [Add] button of the policy tab.

management-4-104_en

② Select a policy to add from the list of policies displayed on the screen (multiple selections possible).

③ Finally, click the [Add] button to add the policy to the sub account.

  • Policy: This defines the privileges that can be used by users logged in as sub accounts.

Step 3. Dashboard

This sets the access page.

image.png

You can check the access page settings, and the number of sub accounts, groups, and policies on the dashboard.

1. Sub account login page access key.

2. The set access page can be edited and deleted, and its address can be copied.

3. The URL to access with your sub account. Sub accounts can access only with the URL.

4. You can set an unused session expiration time for the sub account.

5. The unused session expiration time can be selected from 10 minutes, 30 minutes, 1 hour, and 3 hours. If the sub account is not used without activity until the set expiration time is exceeded, the user is automatically logged out.

6. You can set the forced password expiration date for the sub account.

7. The expiration date can be selected from 60, 90, 120, and 180 days. If the sub account continues to use the same password after the set expiration date, then the console can't be used until the password is changed.

8. You can check the number of sub accounts, groups, and policies that the account holds.

Manage sub account

Sub account menu

You can create a new sub account by accessing the sub account menu, check the list of sub accounts that currently exist, and delete, suspend/reactivate multiple sub accounts at once.

  • You can't use the NAVER Cloud Platform service with a suspended sub account.
  • When selecting a suspended sub account, the feature to reactivate the suspended feature is provided.
  • Suspended sub accounts are displayed as Suspended in the Status column.

Sub account details

You can check the details of the sub account by clicking the sub account login ID in the list.

management-4-107_en

management-4-107_en

1. You can [modify], [delete], [suspend], and [reactivate] the current sub account.

  • In the edit feature, you can edit the sub account information except login ID.
  • You can't use the NAVER Cloud Platform service with a suspended sub account.
  • When selecting a suspended sub account, the feature to reactivate the suspended feature is provided.
  • Suspended sub accounts are displayed as Suspended in the Status column.

2. The management console access IP of the sub account can be restricted by band.

2-1. IP bandwidth that allows console access

  • Access from anywhere: Access is available without any additional IP restrictions.
  • Access available only in the designated IP band: You can register up to 30 IP bands including a single IP or subnet.

3. The API access source of the sub account can be restricted by IP, VPC Server

3-1. API accessible source

  • Access from anywhere: Access is available without any additional IP / VPC Server restrictions.
  • Accessible only from the specified source:
    • IP: You can register with a single IP or IP band including subnets.
    • VPCServer: You can register servers within your VPC.

4. The login password is not shown, and it can be changed to a new password by clicking Reset password, if necessary.

5. Showing password life-cycle information and access key life-cycle information

  • Password life-cycle: This shows the information of the total accumulated days used without changing the password of the sub account. This can help with periodic password changes.
  • Access key life-cycle: You can manage access keys on the detail page for sub-accounts with the API Gateway access settings. At this time, it shows the life-cycle information of the created access key. This can help with periodic key changes.

6. At the bottom of the detail screen, a tab to check the policy, group, and access key of the sub account is provided.

  • [Policy] tab: You can grant or withdraw a policy to a sub account.

  • [Group] tab: You can add or remove a sub account as a member of a group.

  • [Access key] tab: It is shown only to sub accounts that include the API Gateway access in the access type, and you can add/delete or use/disable the access key Id for using API Gateway.

    management-4-108_en

Manage group

You can create, edit, delete groups or add/delete sub accounts or policies to a group.

Create group

Note

Up to 300 can be created.

management-4-109_en

1. Click the Create group button to create a group.

2. Enter the group name and click the [Create] button.

Edit group

management-4-110_en

1. Select Edit from the context menu that appears when you put the mouse cursor over the icon next to the group name.

2. Enter the group name to change and click the [Edit] button.

3. You can add/delete sub accounts or policies to a group in the Sub account, Policy tabs on the right.

Delete group

management-4-112_en

1. Select Delete from the context menu that appears when you put the mouse cursor over the icon next to the group name.

2. Check the group name to delete and click the [Delete] button.

  • Even if you delete a group, the sub accounts and policies that are included in the group are not deleted.
  • In the case of a sub account added to a group, the deleted group will be removed from the list in the Details > Group tab of the sub account.

Manage policy

image.png

  • In Sub Account > Policies, you can check, create, edit, and delete the policies that the current account has.

  • Policy defines the privileges that the users logged in as sub account can work on. These policies can be assigned per subaccount or group and the privileges in the portal/console will differ, depending on the assigned policy.

  • There are two types of policies: System managed and User created.

    • System managed: A policy that pre-defines and provides the Change/View privileges for several services for user convenience
    • User created: A policy randomly created by the account user

Create policy

Note

User created policy, Up to 500 can be created.

management-4-114-1_en

1. In Sub Account > Policies, you can create a policy by clicking [Create policy].

management-4-114-2_en

2. In Set policy information, enter the name and description for the policy you want to create.

3. In Set application target, select the product, whose privileges you want to control, and the product's action to add the application target.

  • Actions: You can control the privileges for the actions provided by the product. The unit of action is different for each service, and the action content of the privilege management unit provided by each service can be checked in the user guide of the service.
    • View: It is selected when you want to provide only the privilege for using the service's search-related features.
    • Change: This is selected when you want to provide the privilege of using creation, change, and deletion features.

4. You can check the list of targets added in ③. When you select a specific product, the access rights to the product from the console (ProductAccess Action) are automatically added from the console so that you can access the product through the console.

5. Click the [Create] button.

Policy details

management-4-114-3_en

  • Click the policy name in the policy list to check the policy details.

Edit policy

management-4-114-4_en

  • Click the [Edit] button in the policy detail to edit the policy.

management-4-114-5_en

  • You can edit the same information as when creating the policy.

Delete policy

management-4-114-6_en

1. You can delete a policy by clinking the [Delete] button in the policy details.

2. Click the [Delete] button at the bottom of the pop-up window to completely delete the policy.

Manage role

management-4-149_en

  • In Sub Account > Roles, you can create, edit, and delete roles.

  • Role defines a temporary credential made up of policies. Multiple policies can be configured for a role, and a temporary credential can be granted by assigning them to the servers owned by the account.

  • There is one type of server in a role.

    • Server: A role that can be assigned to the server

Create role

Note

Up to 300 can be created.

1. In Sub Account > Roles, you can create a role by clicking Create role.

management-4-145-2_en

2. In Set role information, enter the name, type, and description for the role you want to create.

3. Click the [Create] button.

Role details

You can click on a role name in the list to check the details of the role.

management-4-146-1_en

1. You can [Edit] or [Delete] the current role.

  • In the edit feature, you can edit the role information except the type.

2. At the bottom of the detail screen, a tab to check the role's policy and owned resource is provided.

  • Policy: You can grant or withdraw a policy to and from a sub account.

  • Role-owned resources: You can check the resources that have the current role, as well as add or delete them.

    • Only one role can be granted per server resource.

    management-4-146-2_en

    management-4-146-3_en_0414

Edit role

  • Click the [Edit] button in the role details to edit the role.

management-4-147-2_en

  • You can edit the same information as when creating the role.

Delete role

1. You can delete a role by clinking the [Delete] button in the role details.

2. Click the [Delete] button at the bottom of the pop-up window to completely delete the role.

Use sub account

Log in

Log in to the access page set in the dashboard of Sub Account.

management-4-115_en

1. Log in to the set access page. For access page setting, refer to Step 3. Dashboard.

2. Enter the sub account login ID and password to log in. (You will not be logged in to a sub account that has not been assigned a policy.)

3. If you have forgotten the name or password of your sub account, then please contact the account administrator.

  • If you enter the wrong password more than 5 times, then you will not be able to log in to the sub account. Ask the account administrator to Reset password so you can log in with a new password.

Set two-factor authentication

management-4-139_en

  • You can set the two-factor authentication by going to My page > Manage account > Manage two-factor authentication in the portal.

Was this article helpful?