Available in Classic and VPC
You can set different access permissions for Ncloud Single Sign-On using NAVER Cloud Platform's Sub Account service. Sub Account offers both system-managed (System Managed) and user-defined (User Created) policies to help you configure management and operation permissions.
Sub Account is a free service with no additional charges. For more information on Sub Account, see Services > Management & Governance > Sub Account on the NAVER Cloud Platform portal and the Sub Account user guide.
System-managed policies
System-managed policies are pre-built, role-based policies that NAVER Cloud Platform provides for your convenience. When you assign one of these policies to a sub account, that account gets access to Ncloud Single Sign-On. Here are the available system-managed policies for Ncloud Single Sign-On:
| Policy name | Policy description |
|---|---|
| NCP_ADMINISTRATOR | Full access to all services, same as the main account. |
| NCP_INFRA_MANAGER | Access to all services, except the My Account > Billing Information & Cost Management > Billing & Payment Management menu in the console. |
| NCP_FINANCE_MANAGER | Access to only the Cost Explorer service and the My Account > Billing Information & Cost Management > Billing & Payment Management menu in the console. |
| NCP_SINGLE_SIGN_ON_MANAGER | Full access to all Ncloud Single Sign-On features. |
| NCP_SINGLE_SIGN_ON_VIEWER | View-only access to lists and all Ncloud Single Sign-On features. |
User-defined policies
User-defined policies let you create custom permissions. When you assign a user-defined policy to a sub account, that account can only perform the specific actions you've allowed. Here are the available user-defined policies for Ncloud Single Sign-On:
| Type | Action | Related action | Resource type | Group | Action description | Available condition keys |
|---|---|---|---|---|---|---|
| View | view/getApplicationList | view/getTenantDetail | - | Application | Check application list. | - All principal properties condition keys |
| View | view/getApplicationDetail | view/getApplicationList | Application | Application | Check application details. | - All principal properties condition keys - ncp:resourceTag |
| View | view/accessApplication | - | Application | Application | Log into application with Sub Account. | - All principal properties condition keys - ncp:resourceTag |
| Change | change/createApplication | - | - | Application | Create a new application. | - All principal properties condition keys - ncp:resourceTag - ncp:requestTag |
| Change | change/updateApplication | view/getApplicationList view/getApplicationDetail | Application | Application | Edit registered applications. | - All principal properties condition keys - ncp:resourceTag |
| Change | change/deleteApplication | view/getApplicationList view/getApplicationDetail | Application | Application | Delete registered applications. | - All principal properties condition keys - ncp:resourceTag |
| View | view/getConsentStatusList | view/getTenantDetail | - | Consent Status | Check the consent list. | - All principal properties condition keys |
| View | view/getConsentStatusDetail | view/getTenantDetail view/getConsentStatusList | - | Consent Status | Check the consent history. | - All principal properties condition keys - ncp:resourceTag |
| Change | change/createTenant | - | - | Tenant | Create a tenant. | - All principal properties condition keys |
| Change | change/updateTenant | view/getTenantDetail | Tenant | Tenant | Edit a tenant. | - All principal properties condition keys - ncp:resourceTag |
| Change | change/deleteTenant | view/getTenantDetail | Tenant | Tenant | Delete a tenant. | - All principal properties condition keys - ncp:resourceTag |
| Change | change/updateOrganizationEnable | view/getTenantDetail | Tenant | Tenant | Change whether to integrate with Organization. | - All principal properties condition keys - ncp:resourceTag |
| Change | change/manageExternalIDP | view/getTenantDetail | Tenant | Tenant | Change the status of the external IdP. | - All principal properties condition keys - ncp:resourceTag |
| Change | change/updateLoginSetting | view/getTenantDetail | Tenant | Tenant | Edit login settings. | - All principal properties condition keys - ncp:resourceTag |
| View | view/getAttributeMapper | view/getTenantDetail | Tenant | Tenant | Check user profile settings. | - All principal properties condition keys - ncp:resourceTag |
| View | view/getCertificate | view/getTenantDetail | Tenant | Tenant | View certificate list. | - All principal properties condition keys - ncp:resourceTag |
| View | view/getPolicyList | - | Tenant | Tenant | View PermissionSet policy list. | - All principal properties condition keys |
| View | view/getTenantDetail | - | Tenant | Tenant | View tenant. | - All principal properties condition keys - ncp:resourceTag |
| View | view/getServiceProviderDataDetail | view/getTenantDetail | Tenant | Tenant | View service provider metadata. | - All principal properties condition keys - ncp:resourceTag |
| Change | change/updateAttributeMapper | view/getTenantDetail | Tenant | Tenant | Edit user profile settings. | - All principal properties condition keys - ncp:resourceTag |
| View | view/getUserList | view/getTenantDetail | - | User | View user list. | - All principal properties condition keys |
| View | view/getUserDetail | view/getUserList | User | User | View user details. | - All principal properties condition keys - ncp:resourceTag |
| Change | change/createUser | - | - | User | Create users. | - All principal properties condition keys - ncp:resourceTag - ncp:requestTag |
| Change | change/updateUser | view/getUserList view/getUserDetail | User | User | Edit user information. | - All principal properties condition keys - ncp:resourceTag |
| Change | change/deleteUser | view/getUserList view/getUserDetail | User | User | Delete users. | - All principal properties condition keys - ncp:resourceTag |
| Change | change/changeUserStatus | view/getUserList view/getUserDetail | User | User | Change user tag. | - All principal properties condition keys - ncp:resourceTag |
| Change | change/addUserToGroup | view/getUserList view/getUserDetail view/getGroupList view/getGroupDetail change/updateUser | User | User | Assign users to the group. | - All principal properties condition keys - ncp:resourceTag |
| Change | change/removeUserFromGroup | view/getUserList view/getUserDetail view/getGroupList view/getGroupDetail change/updateUser | User | User | Remove users from the group. | - All principal properties condition keys - ncp:resourceTag |
| Change | change/manageUserAllowSourceSetting | view/getUserList view/getUserDetail change/updateUser | User | User | View and change the Source IP that can access the console or API. | - All principal properties condition keys - ncp:resourceTag |
| Change | change/expireActiveSession | view/getUserList view/getUserDetail change/updateUser | User | User | Remove active sessions of the user. | - All principal properties condition keys - ncp:resourceTag |
| Change | change/removeUserFromAssignment | view/getUserList view/getUserDetail change/updateUser view/getAssignmentList view/getAssignmentDetail | User | User | Remove users from assignment. | - All principal properties condition keys - ncp:resourceTag |
| View | view/getGroupList | view/getTenantDetail | - | Group | View the group list. | - All principal properties condition keys |
| View | view/getGroupDetail | view/getGroupList | Group | Group | View group details. | - All principal properties condition keys - ncp:resourceTag |
| Change | change/updateGroup | view/getGroupList view/getGroupDetail | Group | Group | Edit group information. | - All principal properties condition keys - ncp:resourceTag |
| Change | change/deleteGroup | view/getGroupList view/getGroupDetail | Group | Group | Delete a group. | - All principal properties condition keys - ncp:resourceTag |
| Change | change/addUserToGroup | view/getUserList view/getUserDetail view/getGroupList view/getGroupDetail change/updateGroup | Group | Group | Assign users to the group. | - All principal properties condition keys - ncp:resourceTag |
| Change | change/removeUserFromGroup | view/getUserList view/getUserDetail view/getGroupList view/getGroupDetail change/updateGroup | Group | Group | Remove users from the group. | - All principal properties condition keys - ncp:resourceTag |
| Change | change/removeGroupFromAssignment | view/getGroupList view/getGroupDetail change/updateGroup view/getAssignmentList view/getAssignmentDetail | Group | Group | Remove assignment from the group. | - All principal properties condition keys - ncp:resourceTag |
| View | view/getPermissionSetList | view/getTenantDetail | - | Permission Set | View the permission set list. | - All principal properties condition keys |
| View | view/getPermissionSetDetail | view/getPermissionSetList | Permission Set | Permission Set | View permission set details. | - All principal properties condition keys - ncp:resourceTag |
| Change | change/createPermissionSet | - | - | Permission Set | Create permission set. | - All principal properties condition keys - ncp:resourceTag - ncp:requestTag |
| Change | change/updatePermissionSet | view/getPermissionSetList view/getPermissionSetDetail | Permission Set | Permission Set | Edit permission set. | - All principal properties condition keys - ncp:resourceTag |
| Change | change/deletePermissionSet | view/getPermissionSetList view/getPermissionSetDetail | Permission Set | Permission Set | Delete permission set. | - All principal properties condition keys - ncp:resourceTag |
| Change | change/removePermissionSetPolicy | view/getPermissionSetList view/getPermissionSetDetail change/updatePermissionSet | Permission Set | Permission Set | Remove managed and user-defined policies assigned to a permission set. | - All principal properties condition keys - ncp:resourceTag |
| View | view/getAssignmentList | view/getTenantDetail | - | Assignment | View the assignment list. | - All principal properties condition keys |
| View | view/getAssignmentDetail | view/getAssignmentList | Assignment | Assignment | View assignment details. | - All principal properties condition keys - ncp:resourceTag |
| Change | change/createAssignment | View/getAccountList View/getPermissionSetDetail | - | Assignment | Create assignment. | - All principal properties condition keys - ncp:resourceTag - ncp:requestTag |
| Change | change/updateAssignment | view/getAssignmentList view/getAssignmentDetail | Assignment | Assignment | Edit assignment. | - All principal properties condition keys - ncp:resourceTag |
| Change | change/deleteAssignment | view/getAssignmentList view/getAssignmentDetail | Assignment | Assignment | Delete assignment. | - All principal properties condition keys - ncp:resourceTag |
| View | view/getAccountList | - | - | Assignment | View accounts with assignments granted within the organization. | - All principal properties condition keys |
| Change | change/changeStatusAssignment | view/getAssignmentList view/getAssignmentDetail | Assignment | Assignment | Change assignment status. | - All principal properties condition keys - ncp:resourceTag |
| Change | change/assignTargetToAssignment | View/getAssignmentList View/getAssignmentDetail Change/updateAssignment View/getUserList View/getUserDetail View/getGroupList View/getGroupDetail View/getIPACLList View/getIPACLDetail | Assignment | Assignment | Assign a user/group and IP ACL to an assignment. | - All principal properties condition keys - ncp:resourceTag |
| Change | change/removeTargetFromAssignment | View/getAssignmentList View/getAssignmentDetail Change/updateAssignment View/getUserList View/getUserDetail View/getGroupList View/getGroupDetail View/getIPACLList View/getIPACLDetail | Assignment | Assignment | Remove a user/group and IP ACL from an assignment. | - All principal properties condition keys - ncp:resourceTag |
| Change | Change/createIPACL | - | - | IP ACL | Create IP ACL. | - All principal properties condition keys - ncp:resourceTag - ncp:requestTag |
| Change | Change/updateIPACL | View/getIPACLList View/getIPACLDetail | IP ACL | IP ACL | Edit IP ACL. | - All principal properties condition keys - ncp:resourceTag |
| Change | Change/deleteIPACL | View/getIPACLList View/getIPACLDetail | IP ACL | IP ACL | Delete IP ACL. | - All principal properties condition keys - ncp:resourceTag |
| View | View/getIPACLList | view/getTenantDetail | - | IP ACL | View IP ACL list. | - All principal properties condition keys |
| View | View/getIPACLDetail | View/getIPACLList | IP ACL | IP ACL | View IP ACL details. | - All principal properties condition keys - ncp:resourceTag |
| Change | Change/addIPACLToAssignment | View/getIPACLList View/getIPACLDetail View/getAssignmentList View/getAssignmentDetail Change/updateIPACL | IPACL | IPACL | Add IP ACL to assignment. | - All principal properties condition keys - ncp:resourceTag |
| Change | Change/removeIPACLFromAssignment | View/getIPACLList View/getIPACLDetail View/getAssignmentList View/getAssignmentDetail Change/updateIPACL | IP ACL | IP ACL | Remove IP ACL from assignment. | - All principal properties condition keys - ncp:resourceTag |
| Change | Change/addMFADevice | View/getUserList View/getuserDetail Change/updateUser | User | User | Add user's MFA device. | - All principal properties condition keys - ncp:resourceTag |
| Change | Change/deleteMFADevice | View/getUserList View/getuserDetail Change/updateUser | User | User | Delete the user's MFA device. | - All principal properties condition keys - ncp:resourceTag |
| View | View/getSpCertificateDetail | view/getTenantDetail view/getCertificate | Tenant | Tenant | View SP certificates. | - All principal properties condition keys - ncp:resourceTag |
| Change | Change/createSPCertificate | view/getCertificate view/getTenantDetail | Tenant | Tenant | Create new SP certificates. | - All principal properties condition keys - ncp:resourceTag |
| Change | Change/downloadSPCertificate | view/getSpCertificateDetail view/getCertificate view/getTenantDetail | Tenant | Tenant | Download SP certificates. | - All principal properties condition keys - ncp:resourceTag |
| Change | Change/activateSPCertificate | view/getCertificate view/getTenantDetail | Tenant | Tenant | Activate SP certificates. | - All principal properties condition keys - ncp:resourceTag |
| Change | Change/deleteSPCertificate | view/getCertificate view/getTenantDetail | Tenant | Tenant | Delete SP certificates. | - All principal properties condition keys - ncp:resourceTag |
| Change | Change/manageSPNotificationSetting | view/getCertificate view/getTenantDetail | Tenant | Tenant | Set expiration notifications for SP certificates. | - All principal properties condition keys - ncp:resourceTag |
| Change | Change/addIdPCertificate | view/getCertificate view/getTenantDetail | Tenant | Tenant | Add a new IdP certificate. | - All principal properties condition keys - ncp:resourceTag |
| View | view/getIdPCertificateDetail | view/getCertificate view/getTenantDetail | Tenant | Tenant | View IdP certificate. | - All principal properties condition keys - ncp:resourceTag |
| Change | Change/deleteIdPCertificate | view/getCertificate view/getTenantDetail | Tenant | Tenant | Delete IdP certificate. | - All principal properties condition keys - ncp:resourceTag |
| Change | Change/manageIdPNotificationSetting | view/getCertificate view/getTenantDetail | Tenant | Tenant | Configure expiration notification for the IdP certificate. | - All principal properties condition keys - ncp:resourceTag |
| Change | change/tagTenant | view/getTenantDetail | Tenant | Tenant | Assign a tag to the tenant. | - All principal properties condition keys - ncp:resourceTag - ncp:requestTag |
| Change | change/untagTenant | view/getTenantDetail | Tenant | Tenant | Remove a tag from the tenant. | - All principal properties condition keys - ncp:resourceTag - ncp:requestTag |
| Change | change/tagApplication | view/getApplicationList view/getApplicationDetail | Application | Application | Assign a tag to the application. | - All principal properties condition keys - ncp:resourceTag - ncp:requestTag |
| Change | change/untagApplication | view/getApplicationList view/getApplicationDetail | Application | Application | Remove a tag from the application. | - All principal properties condition keys - ncp:resourceTag - ncp:requestTag |
| Change | change/tagUser | view/getUserList view/getUserDetail | User | User | Assign a tag to the user. | - All principal properties condition keys - ncp:resourceTag - ncp:requestTag |
| Change | change/untagUser | view/getUserList view/getUserDetail | User | User | Remove a tag from the user. | - All principal properties condition keys - ncp:resourceTag - ncp:requestTag |
| Change | change/tagGroup | view/getGroupList view/getGroupDetail | Group | Group | Assign a tag to the group. | - All principal properties condition keys - ncp:resourceTag - ncp:requestTag |
| Change | change/untagGroup | view/getGroupList view/getGroupDetail | Group | Group | Remove a tag from the group. | - All principal properties condition keys - ncp:resourceTag - ncp:requestTag |
| Change | change/tagPermissionSet | view/getPermissionSetList view/getPermissionSetDetail | PermissionSet | PermissionSet | Assign a tag to the PermissionSet. | - All principal properties condition keys - ncp:resourceTag - ncp:requestTag |
| Change | change/untagPermissionSet | view/getPermissionSetList view/getPermissionSetDetail | PermissionSet | PermissionSet | Remove a tag from the PermissionSet. | - All principal properties condition keys - ncp:resourceTag - ncp:requestTag |
| Change | change/tagAssignment | view/getAssignmentList view/getAssignmentDetail | Assignment | Assignment | Assign a tag to the Assignment. | - All principal properties condition keys - ncp:resourceTag - ncp:requestTag |
| Change | change/untagAssignment | view/getAssignmentList view/getAssignmentDetail | Assignment | Assignment | Remove a tag from the Assignment. | - All principal properties condition keys - ncp:resourceTag - ncp:requestTag |
| Change | change/tagIPACL | view/getIPACLList view/getIPACLDetail | IP ACL | IP ACL | Assign a tag to the IP ACL. | - All principal properties condition keys - ncp:resourceTag - ncp:requestTag |
| Change | change/untagIPACL | view/getAIPACLList view/getIPACLDetail | IP ACL | IP ACL | Remove a tag from the IP ACL. | - All principal properties condition keys - ncp:resourceTag - ncp:requestTag |
If you grant someone access to a specific action but not to the required related actions, they won't be able to complete their tasks. Sub Account automatically includes these related permissions to prevent this issue. However, if you manually uncheck these auto-selected related actions, the system assumes this was intentional and won't override your selection.
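The related-action rule described above can be audited offline before a user-defined policy is assigned. The following is an added example, not NAVER Cloud Platform code: it transcribes a subset of the table's User and Group rows, takes the granted actions as a plain set of action names (not the Sub Account policy format), and reports which related actions a grant lacks. Following related actions transitively is an assumption of this example; the table only lists direct relations.

```python
# Related-action map transcribed from a subset of the table above.
# change/addUserToGroup uses the row whose resource type is User.
RELATED = {
    "view/getTenantDetail": [],
    "view/getUserList": ["view/getTenantDetail"],
    "view/getUserDetail": ["view/getUserList"],
    "view/getGroupList": ["view/getTenantDetail"],
    "view/getGroupDetail": ["view/getGroupList"],
    "change/updateUser": ["view/getUserList", "view/getUserDetail"],
    "change/expireActiveSession": [
        "view/getUserList", "view/getUserDetail", "change/updateUser"],
    "change/addUserToGroup": [
        "view/getUserList", "view/getUserDetail", "view/getGroupList",
        "view/getGroupDetail", "change/updateUser"],
}


def _check_known(actions):
    # Fail loudly rather than silently passing an action we cannot audit.
    unknown = sorted(set(actions) - set(RELATED))
    if unknown:
        raise ValueError(f"not in the transcribed table subset: {unknown}")


def missing_related(granted):
    """Map each granted action to the directly related actions it lacks."""
    granted = set(granted)
    _check_known(granted)
    report = {}
    for action in sorted(granted):
        gaps = sorted(set(RELATED[action]) - granted)
        if gaps:
            report[action] = gaps
    return report


def expand_with_related(wanted):
    """Return the wanted actions plus every related action.

    Related actions are followed transitively (assumption of this example).
    """
    _check_known(wanted)
    result, stack = set(), list(wanted)
    while stack:
        action = stack.pop()
        if action not in result:
            result.add(action)
            stack.extend(RELATED[action])
    return result


# Constructed sample grant: the group-related actions were unchecked by hand.
SAMPLE_GRANT = {"change/addUserToGroup", "view/getUserList", "view/getUserDetail"}

if __name__ == "__main__":
    for action, gaps in missing_related(SAMPLE_GRANT).items():
        print(f"{action}: missing {', '.join(gaps)}")
    print(sorted(expand_with_related({"change/expireActiveSession"})))
```
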