VPC (Virtual Private Cloud) permissions management


Available in VPC

You can set different access permissions for VPC using NAVER Cloud Platform's Sub Account service. Sub Account offers both system-managed (System Managed) and user-defined (User Created) policies to help you configure management and operation permissions.

Note

Sub Account is a free service with no additional charges. For more information about Sub Account, see Services > Management & Governance > Sub Account on the NAVER Cloud Platform portal and the Sub Account user guide.

System-managed policies

System-managed policies are pre-built, role-based policies that NAVER Cloud Platform provides for your convenience. When you assign one of these policies to a sub account, that account gets access to VPCs. Here are the available system-managed policies for VPC:

| Policy name | Policy description |
| ---- | ---- |
| NCP_ADMINISTRATOR | Full access to all services, with the same scope as the main account |
| NCP_INFRA_MANAGER | Access to all services, except the My Account > Billing Information and Cost Management > Billing and Payment Management menu in the console |
| NCP_FINANCE_MANAGER | Access only to the Cost Explorer service and the My Account > Billing Information and Cost Management > Billing and Payment Management menu in the console |
| NCP_VPC_MANAGER | Full access to all VPC (Virtual Private Cloud) features on the VPC platform |

User-defined policies

User-defined policies let you create custom permissions. When you assign a user-defined policy to a sub account, that account can only perform the specific actions you've allowed. Here are the available user-defined policies for VPC:

| Type | Action | Related action | Resource type | Group by resource type | Action description |
| ---- | ---- | ---- | ---- | ---- | ---- |
| View | View/getNATGatewayDetail | View/getNATGatewayList | NATGateway | NATGateway | View NAT Gateway details |
| View | View/getNATGatewayList | - | - | NATGateway | View NAT Gateway list |
| View | View/getNetworkACLDenyAllowGroupDetail | View/getNetworkACLDenyAllowGroupList | NetworkACLDenyAllowGroup | NetworkACLDenyAllowGroup | View NACL Deny-Allow Group details |
| View | View/getNetworkACLDenyAllowGroupList | - | - | NetworkACLDenyAllowGroup | View NACL Deny-Allow Group list |
| View | View/getNetworkACLDetail | View/getNetworkACLList | NetworkACL | NetworkACL | View Network ACL details |
| View | View/getNetworkACLList | - | - | NetworkACL | View Network ACL list |
| View | View/getOnPremiseGatewayDetail | View/getOnPremiseGatewayList | OnPremiseGateway | OnPremiseGateway | View On-Premise Gateway details |
| View | View/getOnPremiseGatewayList | - | - | OnPremiseGateway | View On-Premise Gateway list |
| View | View/getRouteTableDetail | View/getRouteTableList | RouteTable | RouteTable | View Route Table details |
| View | View/getRouteTableList | - | - | RouteTable | View Route Table list |
| View | View/getSubnetDetail | View/getSubnetList | Subnet | Subnet | View accessible Subnets for the service |
| View | View/getSubnetList | - | - | Subnet | View Subnet list |
| View | View/getVPCDetail | View/getVPCList | VPC | VPC | View accessible VPCs for the service |
| View | View/getVPCList | - | - | VPC | View VPC list |
| View | View/getVPCPeeringDetail | View/getVPCPeeringList | VPCPeering | VPCPeering | View VPC peering details |
| View | View/getVPCPeeringList | - | - | VPCPeering | View VPC peering list |
| View | View/getVirtualPrivateGatewayDetail | View/getVirtualPrivateGatewayList | VirtualPrivateGateway | VirtualPrivateGateway | View Virtual Private Gateway details |
| View | View/getVirtualPrivateGatewayGroupDetail | View/getVirtualPrivateGatewayGroupList | VirtualPrivateGatewayGroup | VirtualPrivateGatewayGroup | View Virtual Private Gateway Group list |
| View | View/getVirtualPrivateGatewayGroupList | - | - | VirtualPrivateGatewayGroup | View Virtual Private Gateway Group list |
| View | View/getVirtualPrivateGatewayList | - | - | VirtualPrivateGateway | View Virtual Private Gateway list |
| View | View/getEndpointRouteTableList | - | - | EndpointRouteTable | View Endpoint Route Table list |
| View | View/getEndpointRouteTableDetail | View/getEndpointRouteTableList | EndpointRouteTable | EndpointRouteTable | View Endpoint Route Table details |
| View | View/getServiceFunctionChainList | - | - | ServiceFunctionChain | View Service Function Chain list |
| View | View/getServiceFunctionChainDetail | View/getServiceFunctionChainList | ServiceFunctionChain | ServiceFunctionChain | View Service Function Chain details |
| View | View/getTransitVpcConnectList | - | - | TransitVpcConnect | View Transit VPC Connect list |
| View | View/getTransitVpcConnectDetail | View/getServiceFunctionChainList | TransitVpcConnect | TransitVpcConnect | View Transit VPC Connect details |
| Change | Change/changeNetworkACLDenyAllowGroupIP | View/getNetworkACLDenyAllowGroupList<br>View/getNetworkACLDenyAllowGroupDetail | NetworkACLDenyAllowGroup | NetworkACLDenyAllowGroup | Set NACL Deny-Allow Group's IP |
| Change | Change/createNATGateway | View/getNATGatewayList<br>View/getVPCDetail<br>View/getVPCList | - | NATGateway | Create NAT Gateway |
| Change | Change/createNetworkACL | View/getNetworkACLList<br>View/getVPCDetail<br>View/getVPCList | - | NetworkACL | Create Network ACL |
| Change | Change/createNetworkACLDenyAllowGroup | View/getNetworkACLDenyAllowGroupList<br>View/getVPCDetail<br>View/getVPCList | - | NetworkACLDenyAllowGroup | Create NACL Deny-Allow Group |
| Change | Change/createOnPremiseGateway | View/getVPCDetail<br>View/getOnPremiseGatewayList<br>View/getVPCList | - | OnPremiseGateway | Create On-Premise Gateway |
| Change | Change/createRouteTable | View/getRouteTableList<br>View/getVPCDetail<br>View/getVPCList | - | RouteTable | Create Route Table |
| Change | Change/createSubnet | View/getSubnetList<br>View/getNetworkACLList<br>View/getVPCDetail<br>View/getNetworkACLDetail<br>View/getVPCList | - | Subnet | Create Subnet |
| Change | Change/createVPC | View/getVPCList | - | VPC | Create VPC |
| Change | Change/createVPCPeering | View/getVPCPeeringList<br>View/getVPCDetail<br>View/getVPCList | - | VPCPeering | Create VPC Peering |
| Change | Change/createVirtualPrivateGateway | View/getVirtualPrivateGatewayList<br>View/getVPCDetail<br>View/getVPCList | - | VirtualPrivateGateway | Create Virtual Private Gateway |
| Change | Change/createVirtualPrivateGatewayGroup | View/getVirtualPrivateGatewayDetail<br>View/getVirtualPrivateGatewayGroupDetail<br>View/getVirtualPrivateGatewayGroupList | - | VirtualPrivateGatewayGroup | Create Virtual Private Gateway Group |
| Change | Change/createVirtualPrivateGatewayGroupAssociationProposal | View/getVirtualPrivateGatewayDetail<br>View/getVirtualPrivateGatewayList | VirtualPrivateGateway | VirtualPrivateGatewayGroup | Request to be added to another account's Virtual Private Gateway Group |
| Change | Change/deleteNATGateway | View/getNATGatewayDetail<br>View/getNATGatewayList | NATGateway | NATGateway | Delete NAT Gateway |
| Change | Change/deleteNetworkACL | View/getNetworkACLList<br>View/getNetworkACLDetail | NetworkACL | NetworkACL | Delete Network ACL |
| Change | Change/deleteNetworkACLDenyAllowGroup | View/getNetworkACLDenyAllowGroupList<br>View/getNetworkACLDenyAllowGroupDetail | NetworkACLDenyAllowGroup | NetworkACLDenyAllowGroup | Delete NACL Deny-Allow Group |
| Change | Change/deleteOnPremiseGateway | View/getOnPremiseGatewayDetail<br>View/getOnPremiseGatewayList | OnPremiseGateway | OnPremiseGateway | Delete On-Premise Gateway |
| Change | Change/deleteRouteTable | View/getRouteTableList<br>View/getRouteTableDetail | RouteTable | RouteTable | Delete Route Table |
| Change | Change/deleteSubnet | View/getSubnetList<br>View/getSubnetDetail | Subnet | Subnet | Delete Subnet |
| Change | Change/deleteVPC | View/getVPCDetail<br>View/getVPCList | VPC | VPC | Delete VPC |
| Change | Change/deleteVPCPeering | View/getVPCPeeringDetail<br>View/getVPCPeeringList | VPCPeering | VPCPeering | Delete VPC Peering |
| Change | Change/deleteVirtualPrivateGateway | View/getVirtualPrivateGatewayDetail<br>View/getVirtualPrivateGatewayList | VirtualPrivateGateway | VirtualPrivateGateway | Delete Virtual Private Gateway |
| Change | Change/deleteVirtualPrivateGatewayGroup | View/getVirtualPrivateGatewayGroupDetail<br>View/getVirtualPrivateGatewayGroupList | VirtualPrivateGatewayGroup | VirtualPrivateGatewayGroup | Delete Virtual Private Gateway Group |
| Change | Change/manageVPCPeeringRequest | View/getVPCPeeringList<br>View/getVPCDetail<br>Change/deleteVPCPeering | VPC | VPCPeering | Manage VPC Peering request |
| Change | Change/setNATGatewayMemo | View/getNATGatewayDetail<br>View/getNATGatewayList | NATGateway | NATGateway | Edit NAT Gateway memo |
| Change | Change/setNetworkACLDenyAllowGroupMemo | View/getNetworkACLDenyAllowGroupList<br>View/getNetworkACLDenyAllowGroupDetail | NetworkACLDenyAllowGroup | NetworkACLDenyAllowGroup | Edit NACL Deny-Allow Group memo |
| Change | Change/setNetworkACLMemo | View/getNetworkACLList<br>View/getNetworkACLDetail | NetworkACL | NetworkACL | Edit Network ACL memo |
| Change | Change/setRouteTableMemo | View/getRouteTableList<br>View/getRouteTableDetail | RouteTable | RouteTable | Edit Route Table memo |
| Change | Change/setSubnetNetworkACL | View/getSubnetList<br>View/getSubnetDetail<br>View/getNetworkACLList<br>View/getNetworkACLDetail | Subnet | Subnet | Change Subnet's Network ACL |
| Change | Change/setVPCPeeringMemo | View/getVPCPeeringDetail<br>View/getVPCPeeringList | VPCPeering | VPCPeering | Edit VPC Peering memo |
| Change | Change/setVirtualPrivateGatewayMemo | View/getVirtualPrivateGatewayDetail<br>View/getVirtualPrivateGatewayList | VirtualPrivateGateway | VirtualPrivateGateway | Edit Virtual Private Gateway memo |
| Change | Change/updateNetworkACLRule | View/getNetworkACLDenyAllowGroupList<br>View/getNetworkACLDenyAllowGroupDetail<br>View/getNetworkACLList<br>View/getNetworkACLDetail | NetworkACL | NetworkACL | Set Network ACL rules |
| Change | Change/updateOnPremiseGatewayRoute | View/getOnPremiseGatewayDetail<br>View/getOnPremiseGatewayList | OnPremiseGateway | OnPremiseGateway | Set On-Premise Gateway's Route Table rules |
| Change | Change/updateRouteTableRule | View/getRouteTableList<br>View/getRouteTableDetail | RouteTable | RouteTable | Set Route Table rules |
| Change | Change/updateRouteTableSubnet | View/getSubnetList<br>View/getRouteTableList<br>View/getRouteTableDetail<br>View/getSubnetDetail | RouteTable | RouteTable | Set Route Table's related Subnet |
| Change | Change/updateVirtualPrivateGatewayDescrtiption | View/getVirtualPrivateGatewayDetail<br>View/getVirtualPrivateGatewayList | VirtualPrivateGateway | VirtualPrivateGateway | Edit Virtual Private Gateway memo |
| Change | Change/updateVirtualPrivateGatewayGroup | View/getVirtualPrivateGatewayDetail<br>View/getVirtualPrivateGatewayGroupDetail<br>View/getVirtualPrivateGatewayGroupList | VirtualPrivateGatewayGroup | VirtualPrivateGatewayGroup | Edit Virtual Private Gateway Group settings |
| Change | Change/createEndpointRouteTable | View/getVPCList<br>View/getVPCDetail | - | EndpointRouteTable | Create Endpoint Route Table |
| Change | Change/deleteEndpointRouteTable | View/getEndpointRouteTableList<br>View/getEndpointRouteTableDetail | EndpointRouteTable | EndpointRouteTable | Delete Endpoint Route Table |
| Change | Change/updateEndpointRouteTableRule | - | EndpointRouteTable | EndpointRouteTable | Edit Endpoint Route Table's Route settings |
| Change | Change/updateEndpointRouteTableEndpoint | - | EndpointRouteTable | EndpointRouteTable | Edit Endpoint Route Table's related Endpoint settings |
| Change | Change/updateEndpointRouteTableDescription | View/getEndpointRouteTableList<br>View/getEndpointRouteTableDetail | EndpointRouteTable | EndpointRouteTable | Edit Endpoint Route Table memo |
| Change | Change/createServiceFunctionChain | View/getVPCList<br>View/getVPCDetail<br>View/getServerInstanceList<br>View/getServerInstanceDetail<br>View/getLoadBalancerInstanceList<br>View/getLoadBalancerInstanceDetail<br>View/getTransitVpcConnectList<br>View/getTransitVpcConnectDetail<br>View/getVirtualPrivateGatewayList<br>View/getVirtualPrivateGatewayDetail<br>View/getNetworkInterfaceList<br>View/getNetworkInterfaceDetail | - | ServiceFunctionChain | Create Service Function Chain |
| Change | Change/deleteServiceFunctionChain | View/getServiceFunctionChainList<br>View/getServiceFunctionChainDetail | ServiceFunctionChain | ServiceFunctionChain | Delete Service Function Chain |
| Change | Change/updateServiceFunctionChain | View/getVPCList<br>View/getVPCDetail<br>View/getServerInstanceList<br>View/getServerInstanceDetail<br>View/getLoadBalancerInstanceList<br>View/getLoadBalancerInstanceDetail<br>View/getTransitVpcConnectList<br>View/getTransitVpcConnectDetail<br>View/getVirtualPrivateGatewayList<br>View/getVirtualPrivateGatewayDetail<br>View/getNetworkInterfaceList<br>View/getNetworkInterfaceDetail | ServiceFunctionChain | ServiceFunctionChain | Edit Service Function Chain |
| Change | Change/updateServiceFunctionChainDescription | View/getServiceFunctionChainList<br>View/getServiceFunctionChainDetail | ServiceFunctionChain | ServiceFunctionChain | Edit Service Function Chain memo |
| Change | Change/createTransitVpcConnect | View/getVPCList<br>View/getVPCDetail | - | TransitVpcConnect | Create Transit VPC Connect |
| Change | Change/deleteTransitVpcConnect | View/getTransitVpcConnectList<br>View/getTransitVpcConnectDetail | TransitVpcConnect | TransitVpcConnect | Delete Transit VPC Connect |
| Change | Change/updateTransitVpcConnectDescription | View/getTransitVpcConnectList<br>View/getTransitVpcConnectDetail | TransitVpcConnect | TransitVpcConnect | Edit Transit VPC Connect |
| Change | Change/updatePublicIPLink | View/getVPCList<br>View/getVPCDetail<br>View/getPublicIPInstanceList<br>View/getPublicIPDetail | VPCServer:PublicIP | PublicIP | Edit Public IP's Transit VPC connection settings |

Caution

If you grant someone access to a specific action but not to the required related actions, they won't be able to complete their tasks. Sub Account automatically includes these related permissions to prevent this issue. However, if you manually uncheck these auto-selected related actions, the system assumes this was intentional and won't override your selection.
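
The check described in the caution can be run offline against an exported action list before a user-defined policy is assigned. The following is an added example, not NAVER Cloud Platform code: the `RELATED` map is a subset copied from the table above, the function names and the sample policy are hypothetical, and following related actions transitively (for example through `Change/deleteVPCPeering`) is an assumption of this example.

```python
# Related-action map: a subset of rows copied from the table above.
RELATED = {
    "View/getVPCDetail": {"View/getVPCList"},
    "View/getSubnetDetail": {"View/getSubnetList"},
    "View/getNetworkACLDetail": {"View/getNetworkACLList"},
    "View/getVPCPeeringDetail": {"View/getVPCPeeringList"},
    "Change/setSubnetNetworkACL": {
        "View/getSubnetList", "View/getSubnetDetail",
        "View/getNetworkACLList", "View/getNetworkACLDetail",
    },
    "Change/deleteVPCPeering": {
        "View/getVPCPeeringDetail", "View/getVPCPeeringList",
    },
    "Change/manageVPCPeeringRequest": {
        "View/getVPCPeeringList", "View/getVPCDetail",
        "Change/deleteVPCPeering",
    },
}


def missing_related(granted):
    """Map each granted action to the related actions the policy lacks."""
    granted = set(granted)
    gaps = {}
    for action in sorted(granted):
        absent = RELATED.get(action, set()) - granted
        if absent:
            gaps[action] = sorted(absent)
    return gaps


def with_related(wanted):
    """Expand the wanted actions with their related actions.

    Assumption: related actions are followed transitively.
    """
    result, stack = set(), list(wanted)
    while stack:
        action = stack.pop()
        if action not in result:
            result.add(action)
            stack.extend(RELATED.get(action, ()))
    return result


# Constructed sample: related View actions were manually unchecked.
SAMPLE_POLICY = ["Change/setSubnetNetworkACL", "View/getSubnetList"]

if __name__ == "__main__":
    for action, absent in missing_related(SAMPLE_POLICY).items():
        print(f"{action}: missing {', '.join(absent)}")
    print(sorted(with_related(["Change/manageVPCPeeringRequest"])))
```

An empty result from `missing_related` means every granted action has its related actions present; `with_related` gives the smallest action set that satisfies the map for a given task, which is a useful starting point for a least-privilege policy.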