Ncloud Single Sign-On permissions management
Available in Classic and VPC
By using Sub Account, NAVER Cloud Platform's account management service, you can set various access permissions for Ncloud Single Sign-On. Sub Account provides system managed policies and user created policies for setting management and administration permissions.
Sub Account is a service provided free of charge upon subscription request. For more information on Sub Account, see Service > Management & Governance > Sub Account on the NAVER Cloud Platform console or see the Sub Account user guide.
System-managed policies
System-managed policies are role-based policies defined by NAVER Cloud Platform for user convenience. Once system-managed policies are granted to a sub account created in Sub Account, that sub account can use Ncloud Single Sign-On. The following is a brief description of the system-managed policies of Ncloud Single Sign-On.
Policy name | Policy description |
---|---|
NCP_ADMINISTRATOR | Permission to access the portal and console in NAVER Cloud Platform in the same manner as main accounts |
NCP_INFRA_MANAGER | Permission to use all services in NAVER Cloud Platform and access My Page > Manage notifications in the portal |
NCP_SINGLE_SIGN_ON_MANAGER | Permission to use the full Ncloud Single Sign-On feature sets |
NCP_SINGLE_SIGN_ON_VIEWER | Permission to only use the View list and Search features in Ncloud Single Sign-On |
User-defined policies
User-defined policies are policies that users may create. Once the user-defined policies are granted to a sub account created in Sub Account, that sub account can only use the user-assigned action combinations. The following is a brief description of the user-defined policies of Ncloud Single Sign-On.
Type | Action name | Related action | Resource type | Group | Action description |
---|---|---|---|---|---|
View | view/getApplicationList | view/getTenantDetail | - | Application | Check application list |
View | view/getApplicationDetail | view/getApplicationList | Application | Application | Check application details |
View | view/accessApplication | - | Application | Application | Log into application with Sub Account |
Change | change/createApplication | - | - | Application | Create a new Application |
Change | change/updateApplication | view/getApplicationList view/getApplicationDetail | Application | Application | Edit registered Applications |
Change | change/deleteApplication | view/getApplicationList view/getApplicationDetail | Application | Application | Delete registered Applications |
View | view/getConsentStatusList | view/getTenantDetail | - | Consent Status | Check the consent list |
View | view/getConsentStatusDetail | view/getTenantDetail, view/getConsentStatusList | - | Consent Status | Check the consent history |
Change | change/createTenant | - | - | Tenant | Create a Tenant |
Change | change/updateTenant | view/getTenantDetail | Tenant | Tenant | Edit a Tenant |
Change | change/deleteTenant | view/getTenantDetail | Tenant | Tenant | Delete a Tenant |
Change | change/updateOrganizationEnable | view/getTenantDetail | Tenant | Tenant | Change whether to integrate with Organization |
Change | change/manageExternalIDP | view/getTenantDetail | Tenant | Tenant | Change the status of the External IdP |
Change | change/updateLoginSetting | view/getTenantDetail | Tenant | Tenant | Edit login settings |
View | view/getAttributeMapper | view/getTenantDetail | Tenant | Tenant | Check user profile settings |
View | view/getAccountList | - | Tenant | Tenant | View Organization account list |
View | view/getPolicyList | - | Tenant | Tenant | View PermissionSet policy list |
View | view/getTenantDetail | - | Tenant | Tenant | View Tenant |
View | view/getServiceProviderDataDetail | view/getTenantDetail | Tenant | Tenant | View Service Provider Metadata |
Change | change/updateAttributeMapper | view/getTenantDetail | Tenant | Tenant | Edit user profile settings |
View | view/getUserList | view/getTenantDetail | - | User | View User list |
View | view/getUserDetail | view/getUserList | User | User | View User details |
Change | change/createUser | view/getUserList view/getUserDetail | - | User | Create Users |
Change | change/updateUser | view/getUserList view/getUserDetail | User | User | Edit User information |
Change | change/deleteUser | view/getUserList view/getUserDetail | User | User | Delete Users |
Change | change/changeUserStatus | view/getUserList view/getUserDetail | User | User | Change User status |
Change | change/addUserToGroup | view/getUserList view/getUserDetail view/getGroupList view/getGroupDetail change/updateUser | User | User | Assign Users to the group |
Change | change/removeUserFromGroup | view/getUserList view/getUserDetail view/getGroupList view/getGroupDetail change/updateUser | User | User | Remove Users from the group |
Change | change/manageUserAllowSourceSetting | view/getUserList view/getUserDetail change/updateUser | User | User | Check and change the Source IP that can access the console or API |
Change | change/expireActiveSession | view/getUserList view/getUserDetail change/updateUser | User | User | Remove Active Sessions of the User |
Change | change/removeUserFromAssignment | view/getUserList view/getUserDetail change/updateUser view/getAssignmentList view/getAssignmentDetail | User | User | Remove Users from Assignment |
View | view/getGroupList | view/getTenantDetail | - | Group | View the Group list |
View | view/getGroupDetail | view/getGroupList | Group | Group | View Group details |
Change | change/createGroup | view/getGroupList view/getGroupDetail | - | Group | Create a Group |
Change | change/updateGroup | view/getGroupList view/getGroupDetail | Group | Group | Edit Group information |
Change | change/deleteGroup | view/getGroupList view/getGroupDetail | Group | Group | Delete a Group |
Change | change/addUserToGroup | view/getUserList view/getUserDetail view/getGroupList view/getGroupDetail change/updateGroup | Group | Group | Assign Users to the group |
Change | change/removeUserFromGroup | view/getUserList view/getUserDetail view/getGroupList view/getGroupDetail change/updateGroup | Group | Group | Remove Users from the group |
Change | change/removeGroupFromAssignment | view/getGroupList view/getGroupDetail change/updateGroup view/getAssignmentList view/getAssignmentDetail | Group | Group | Remove Assignment from the Group |
View | view/getPermissionSetList | view/getTenantDetail | - | Permission Set | View the Permission Set list |
View | view/getPermissionSetDetail | view/getPermissionSetList | Permission Set | Permission Set | View Permission Set details |
Change | change/createPermissionSet | view/getPermissionSetList view/getPermissionSetDetail | - | Permission Set | Create Permission Set |
Change | change/updatePermissionSet | view/getPermissionSetList view/getPermissionSetDetail | Permission Set | Permission Set | Edit Permission Set |
Change | change/deletePermissionSet | view/getPermissionSetList view/getPermissionSetDetail | Permission Set | Permission Set | Delete Permission Set |
Change | change/removePermissionSetPolicy | view/getPermissionSetList view/getPermissionSetDetail change/updatePermissionSet | Permission Set | Permission Set | Remove managed and user-defined policies assigned to a Permission Set |
View | view/getAssignmentList | view/getTenantDetail | - | Assignment | View the Assignment list |
View | view/getAssignmentDetail | view/getAssignmentList | Assignment | Assignment | View Assignment details |
Change | change/createAssignment | view/getAssignmentList view/getAssignmentDetail | - | Assignment | Create Assignment |
Change | change/updateAssignment | view/getAssignmentList view/getAssignmentDetail | Assignment | Assignment | Edit Assignment |
Change | change/deleteAssignment | view/getAssignmentList view/getAssignmentDetail | Assignment | Assignment | Delete Assignment |
Change | change/changeStatusAssignment | view/getAssignmentList view/getAssignmentDetail | Assignment | Assignment | Change Assignment status |
Change | change/assignTargetToAssignment | View/getAssignmentList View/getAssignmentDetail Change/updateAssignment View/getUserList View/getUserDetail View/getGroupList View/getGroupDetail View/getIPACLList View/getIPACLDetail | Assignment | Assignment | Assign a User/Group and IP ACL to an Assignment |
Change | change/removeTargetFromAssignment | View/getAssignmentList View/getAssignmentDetail Change/updateAssignment View/getUserList View/getUserDetail View/getGroupList View/getGroupDetail View/getIPACLList View/getIPACLDetail | Assignment | Assignment | Remove a User/Group and IP ACL from an Assignment |
Change | Change/createIPACL | View/getIPACLList View/getIPACLDetail | IP ACL | IP ACL | Create IP ACL |
Change | Change/updateIPACL | View/getIPACLList View/getIPACLDetail | IP ACL | IP ACL | Edit IP ACL |
Change | Change/deleteIPACL | View/getIPACLList View/getIPACLDetail | IP ACL | IP ACL | Delete IP ACL |
View | View/getIPACLList | view/getTenantDetail | - | IP ACL | View IP ACL list |
View | View/getIPACLDetail | View/getIPACLList | IP ACL | IP ACL | View IP ACL details |
View | Change/addIPACLToAssignment | View/getIPACLList View/getIPACLDetail View/getAssignmentList View/getAssignmentDetail Change/updateIPACL | IP ACL | IP ACL | Add IP ACL to Assignment |
View | Change/removeIPACLFromAssignment | View/getIPACLList View/getIPACLDetail View/getAssignmentList View/getAssignmentDetail Change/updateIPACL | IP ACL | IP ACL | Remove IP ACL from Assignment |
View | Change/addMFADevice | View/getUserList View/getuserDetail Change/updateUser | User | User | Add the User's MFA Device |
View | Change/deleteMFADevice | View/getUserList View/getuserDetail Change/updateUser | User | User | Delete the User's MFA Device |
Even when you are granted permission for a specific action, if you are not also granted permissions for the related actions that are required, you will not be able to perform tasks properly. To prevent such issues, Sub Account provides a feature that automatically grants permissions for related actions when granting action permissions. However, if you deselect related actions that are automatically granted, then the system determines that it was done intentionally by the main account user and will not forcibly include them. Therefore, use caution when setting permissions.
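The related-action rule above can be checked before a user-defined policy is granted. The following is an added example, not NAVER Cloud Platform code: it embeds a few User rows of the table, takes a policy as a plain set of action names (a constructed representation, not the Sub Account policy format), and reports the related actions that are missing. Following the related actions of related actions (`transitive=True`) is an assumption; the page only lists direct related actions.

```python
# Related actions copied from a few User rows of the table on this page.
RELATED = {
    "view/getTenantDetail": [],
    "view/getUserList": ["view/getTenantDetail"],
    "view/getUserDetail": ["view/getUserList"],
    "change/updateUser": ["view/getUserList", "view/getUserDetail"],
    "change/expireActiveSession": [
        "view/getUserList", "view/getUserDetail", "change/updateUser",
    ],
}


def required_for(action, transitive=False):
    """Related actions the table lists for `action`; with transitive=True,
    also the related actions of those (an assumption, not stated on the page)."""
    if action not in RELATED:
        raise KeyError(f"action not in embedded table: {action}")
    needed, stack = set(), list(RELATED[action])
    while stack:
        dep = stack.pop()
        if dep in needed:
            continue
        needed.add(dep)
        if transitive:
            stack.extend(RELATED.get(dep, []))
    return needed


def missing_related(granted, transitive=False):
    """Map each granted action to the related actions absent from the policy."""
    granted = set(granted)
    report = {}
    for action in sorted(granted):
        gap = required_for(action, transitive) - granted
        if gap:
            report[action] = sorted(gap)
    return report


# Constructed sample: a policy meant only to expire user sessions, with most
# of the automatically selected related actions deselected.
SAMPLE_POLICY = {"change/expireActiveSession", "view/getUserList"}

if __name__ == "__main__":
    for action, gap in missing_related(SAMPLE_POLICY, transitive=True).items():
        print(f"{action}: missing {', '.join(gap)}")
```

An empty report means every granted action has its related actions in the same policy; a non-empty one lists what to add or confirms which omissions were intentional.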