Available in Classic and VPC
You can set different access permissions for Private CA using NAVER Cloud Platform's Sub Account service. Sub Account offers both system-managed (System Managed) and user-defined (User Created) policies to help you configure management and operation permissions.
Sub Account is a free service with no additional charges. For more information about Sub Account, see Services > Management & Governance > Sub Account on the NAVER Cloud Platform portal and the Sub Account user guide.
System-managed policies
System-managed policies are pre-built, role-based policies that NAVER Cloud Platform provides for your convenience. When you assign one of these policies to a sub account, that account gets access to Private CA. Here are the available system-managed policies for Private CA:
| Policy name | Policy description |
|---|---|
| NCP_ADMINISTRATOR | Full access to all services, same as the main account |
| NCP_INFRA_MANAGER | Access to all NAVER Cloud Platform services, except the My Account > Pricing information and cost management > Billing and payment management menu on the console |
| NCP_FINANCE_MANAGER | Access to Cost Explorer and the My Account > Pricing information and cost management > Billing and payment management menu on the console |
| NCP_PRIVATE_CA_MANAGER | Full access to all features of Private CA |
| NCP_PRIVATE_CA_VIEWER | View-only access to all Private CA features |
User-defined policies
User-defined policies let you create custom permissions. When you assign a user-defined policy to a sub account, that account can only perform the specific actions you've allowed. Here are the available user-defined policies for Private CA:
| Type | Action name | Related action | Resource type | Group by resource type | Action description |
|---|---|---|---|---|---|
| View | View/getCAList | - | - | PrivateCA | View CA list. |
| View | View/getCADetail | View/getCAList | CA | PrivateCA | View specific CA. |
| View | View/getCASubCsr | View/getCADetail | CA | PrivateCA | View Sub CSR. |
| View | View/getCAChain | View/getCADetail | CA | PrivateCA | View CA chain. |
| View | View/getCACrl | View/getCADetail | CA | PrivateCA | View CA CRL. |
| Change | Change/createCA | - | - | PrivateCA | Create new CA. |
| Change | Change/deleteCA | View/getCADetail | CA | PrivateCA | Delete CA permanently. |
| View | View/getCACrlConfig | View/getCADetail | CA | PrivateCA | View CRL settings. |
| Change | Change/updateCACrlConfig | View/getCADetail | CA | PrivateCA | Edit CRL settings. |
| Change | Change/rotateCACrl | View/getCADetail | CA | PrivateCA | Rotate CA CRL. |
| Change | Change/trimCA | View/getCADetail | CA | PrivateCA | Clean up CRL by removing expired certificates. |
| Change | Change/createOcsp | View/getCADetail | CA | PrivateCA | Deploy OCSP URL. |
| Change | Change/deleteOcsp | View/getCADetail | CA | PrivateCA | Remove OCSP URL. |
| Change | Change/activateCA | View/getCADetail | CA | PrivateCA | Enable self-signed CA. |
| Change | Change/signSubCsr | View/getCADetail | CA | PrivateCA | Sign Sub CSR. |
| Change | Change/signEndCsr | View/getCADetail | CA | PrivateCA | Issue a CA certificate by signing a CSR. |
| View | View/getCertList | View/getCADetail | CA | PrivateCA | View a list of certificates issued by CA. |
| View | View/getCertDetail | View/getCADetail View/getCertList |
CA | PrivateCA | View certificates issued by CA. |
| Change | Change/issueEndCert | View/getCADetail View/getCertList View/getCertDetail |
CA | PrivateCA | Issue CA certificates. |
| Change | Change/revokeCert | View/getCADetail View/getCertList View/getCertDetail |
CA | PrivateCA | Revoke CA certificates. |
| Change | Change/updateCAMemo | View/getCADetail | CA | PrivateCA | Edit CA memos. |
| Change | Change/requestCADeletion | View/getCADetail | CA | PrivateCA | Request CA deletion. |
| Change | Change/cancelCADeletion | View/getCADetail | CA | PrivateCA | Cancel CA deletion. |
| Change | Change/updateCAStatus | View/getCADetail | CA | PrivateCA | Update CA status. |
If you grant someone access to a specific action but not to the required related actions, they won't be able to complete their tasks. Sub Account automatically includes these related permissions to prevent this issue. However, if you manually uncheck these auto-selected related actions, the system assumes this was intentional and won't override your selection.
Migration of role-based permissions
The [Permission management] feature provided by the existing Private CA is integrated into the Policy feature of Sub Account. The CA Manager role of an active CA is automatically migrated to a policy with equivalent permissions. The migrated policies have the following permissions:
| Role name | Policy name to be migrated | Permissions to be migrated |
|---|---|---|
| CA Manager | PCA_CA_MGR-{CATag} | View*, Change* |
For more information on migrated policies, see the [User-defined policy] tab in Management & Governance > Sub Account > Policies.
