Managing Object Storage permissions

It is available in a Classic/VPC environment.

By using Sub Account, which is NAVER Cloud Platform's account management service, you can set management and administration permissions for Object Storage. Sub Account provides System Managed policies and User Created policies for setting management and administration permissions. The Sub Account service is provided free of charge upon subscription request.

Note

For an introduction to Sub Account and details about its pricing plans, refer to the Service > Management & Governance > Sub Account menu in the NAVER Cloud Platform portal.

System Managed policies

System Managed policies are role-based management policies defined by NAVER Cloud Platform for the user's convenience. Once System Managed policies are granted to a sub account created in Sub Account, that sub account can use Object Storage.
For more details about System Managed policies and how to use them, refer to the Sub Account Guide. The following is a brief description of the System Managed policies.

| Policy Name | Policy Description |
|---|---|
| NCP_ADMINISTRATOR | Permission to use the portal and console in NAVER Cloud Platform in the same manner as main accounts |
| NCP_INFRA_MANAGER | Permission to use the portal and console in NAVER Cloud Platform in the same manner as main accounts, but with restricted access to some features (usage management, payment management) of My Page in the portal |
| NCP_OBJECT_STORAGE_MANAGER | Permission to use all features in the Object Storage (However, ACL-related permissions cannot be granted to other accounts.) |
| NCP_OBJECT_STORAGE_VIEWER | Permission to only use the View list and Search features in Object Storage |

User Created policies

User Created policies are policies that users can create. Once User Created policies are granted to a sub account created in Sub Account, that sub account can only use the user-assigned action combinations in Object Storage.
Refer to the Sub Account Guide for details about User Created policies and how to use them. The following is a brief explanation of the actions available in User Created policies.

| Type | Action name | Related action(s) | Action description |
|---|---|---|---|
| View | View/getBucketList | | Search bucket list |
| View | View/getObjectList | View/getBucketList | Get the list of files in the bucket and search bucket details |
| View | View/getMultipartUploadList | View/getBucketList | Search the list of ongoing multi-part uploads of the bucket |
| View | View/getBucketCORSList | | View bucket CORS |
| View | View/getAccessLogList | View/getBucketList | View the content of bucket's access log setting |
| View | View/getLifeCyclePolicyList | | Get the list of bucket's life cycle policies |
| View | View/getBucketWebsite | View/getBucketList | View bucket website settings |
| View | View/getBucketEventList | View/getBucketList | View bucket event list |
| View | View/getCloudFunctionsTriggerList | | View the list of Cloud Functions triggers |
| View | View/getCloudFunctionsActionList | | View the list of Cloud Functions actions |
| View | View/getBucketMetricFilterList | | Search the detailed monitoring policy list of the bucket |
| Change | Change/writeObject | View/getBucketList, View/getObjectList | Create and modify a bucket object |
| Change | Change/createBucket | View/getBucketList | Create a bucket |
| Change | Change/deleteBucket | View/getBucketList | Delete a bucket |
| Change | Change/changeBucketCORS | View/getBucketCORSList | Modify a bucket CORS |
| Change | Change/deleteBucketCORS | View/getBucketCORSList | Delete a bucket CORS |
| Change | Change/createAccessLog | View/getBucketList, View/getAccessLogList, View/getObjectList, Change/writeObject | Create bucket's access log setting |
| Change | Change/deleteAccessLog | View/getBucketList, View/getAccessLogList | Delete bucket's access log setting |
| Change | Change/createLifeCyclePolicy | View/getLifeCyclePolicyList, View/getBucketList, View/getObjectList, Change/writeObject | Create a bucket's life cycle policy |
| Change | Change/deleteLifeCyclePolicy | View/getLifeCyclePolicyList | Delete a bucket's life cycle policy |
| Change | Change/changeLifeCyclePolicyStatus | View/getLifeCyclePolicyList, View/getObjectList, Change/writeObject | Change a bucket's life cycle policy |
| Change | Change/changeBucketWebsite | View/getBucketList, View/getBucketWebsite | Modify bucket website settings |
| Change | Change/deleteBucketWebsite | View/getBucketList, View/getBucketWebsite | Delete bucket website settings |
| Change | Change/createBucketEvent | View/getBucketList, View/getBucketEventList, View/getCloudFunctionsActionList, View/getCloudFunctionsTriggerList, Change/changeCloudFunctionsTrigger | Create a bucket event |
| Change | Change/deleteBucketEvent | View/getBucketList, View/getBucketEventList, Change/changeCloudFunctionsTrigger | Delete a bucket event |
| Change | Change/changeBucketEvent | View/getBucketList, View/getBucketEventList, View/getCloudFunctionsActionList, View/getCloudFunctionsTriggerList, Change/changeCloudFunctionsTrigger | Modify a bucket event |
| Change | Change/createCloudFunctionsTrigger | View/getCloudFunctionsActionList | Create a Cloud Functions trigger |
| Change | Change/changeCloudFunctionsTrigger | | Modify a Cloud Functions trigger |
| Change | Change/subscribeProduct | | Request or cancel the service subscription |
| Change | Change/createBucketMetricFilter | Change/sendBucketExtendedMetricData, View/getBucketList, View/getBucketMetricFilterList | Create the detailed monitoring policy of the bucket |
| Change | Change/changeBucketMetricFilter | View/getBucketMetricFilterList | Modify the detailed monitoring policy of the bucket |
| Change | Change/deleteBucketMetricFilter | View/getBucketMetricFilterList | Delete the detailed monitoring policy of the bucket |
| Change | Change/sendBucketExtendedMetricData | | Transmit the event data of the bucket with the detailed monitoring policy set |

Caution

Even when you are granted permission for a specific action, if you are not also granted permissions for the related actions that are required, then you won't be able to perform jobs properly. To prevent such issues, Sub Account provides a feature that automatically grants permissions for related actions when granting action permissions. However, if you deselect related actions that are automatically granted, then the system determines that it was done intentionally by the main account user and won't forcibly include them. So, be careful when setting permissions.
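
The check this caution implies, as an added example (not NAVER Cloud Platform's code): it audits the action list of a User Created policy for related actions that were deselected, using a subset of the table above. The function names and the sample policy are constructed for illustration, and following related actions of related actions in with_related is an assumption of this example.

```python
# Related actions transcribed from the User Created policies table
# (subset: object, access log and life cycle actions only).
RELATED = {
    "View/getObjectList": {"View/getBucketList"},
    "View/getAccessLogList": {"View/getBucketList"},
    "Change/writeObject": {"View/getBucketList", "View/getObjectList"},
    "Change/createAccessLog": {"View/getBucketList", "View/getAccessLogList",
                               "View/getObjectList", "Change/writeObject"},
    "Change/deleteAccessLog": {"View/getBucketList", "View/getAccessLogList"},
    "Change/createLifeCyclePolicy": {"View/getLifeCyclePolicyList", "View/getBucketList",
                                     "View/getObjectList", "Change/writeObject"},
    "Change/deleteLifeCyclePolicy": {"View/getLifeCyclePolicyList"},
    "Change/changeLifeCyclePolicyStatus": {"View/getLifeCyclePolicyList",
                                           "View/getObjectList", "Change/writeObject"},
}


def missing_related(granted):
    """Map each granted action to the related actions absent from the policy."""
    granted = set(granted)
    gaps = {}
    for action in sorted(granted):
        missing = RELATED.get(action, set()) - granted
        if missing:
            gaps[action] = sorted(missing)
    return gaps


def with_related(requested):
    """Expand requested actions with their related actions until nothing new appears.

    Assumption of this example: related actions of related actions are also
    needed. The table itself lists direct relations only.
    """
    result, todo = set(), list(requested)
    while todo:
        action = todo.pop()
        if action not in result:
            result.add(action)
            todo.extend(RELATED.get(action, ()))
    return sorted(result)


if __name__ == "__main__":
    # Constructed policy: two related actions of createAccessLog were deselected.
    policy = ["Change/createAccessLog", "View/getBucketList", "View/getAccessLogList"]
    print(missing_related(policy))
    print(with_related(["Change/changeLifeCyclePolicyStatus"]))
```

An empty result from missing_related means every granted action has its listed related actions; a non-empty result names the actions that will not work as granted.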

