Managing Object Storage permissions

Available in Classic and VPC

Sub Account is an account management service in the NAVER Cloud Platform that enables you to set various access permissions in Object Storage. Sub Account provides System Managed policies and User Created policies for setting management and administration permissions.

Note

Sub Account is a service provided free of charge upon subscription request. For more details about Sub Account, refer to the Service > Management & Governance > Sub Account menu in the NAVER Cloud Platform portal and the Sub Account user guide.

System managed policy

System Managed policies are role-based policies defined by NAVER Cloud Platform for user convenience. System managed policies grant permissions to sub accounts to allow them to access and use the Object Storage service. The following is a brief description of managed policies of Object Storage.

| Policy name | Policy description |
|---|---|
| NCP_ADMINISTRATOR | Permission to access the portal and console in the NAVER Cloud Platform in the same manner as the main accounts |
| NCP_INFRA_MANAGER | Permission to use all services in NAVER Cloud Platform except some features (Manage usage/Manage payment) in My Page in the portal |
| NCP_OBJECT_STORAGE_VIEWER | Allow the account to only view the list and perform a search in Object Storage |
| NCP_OBJECT_STORAGE_MANAGER | Allow the account to use all features in Object Storage (except the feature to grant ACL-related permissions to other accounts) |

User created policy

User Created policies are policies created by users. Once User Created policies are granted to a sub account created in Sub Account, that sub account can only use the user-assigned action combinations. The following is a brief description of User Created policies in Object Storage.

| Item | Action | Related action(s) | Resource type | Group by resource type | Action description |
|---|---|---|---|---|---|
| View | View/getBucketList | - | - | Bucket | View the bucket list |
| View | View/getObjectList | View/getBucketList | Bucket | Bucket | View the file list and detailed information in the bucket |
| View | View/getMultipartUploadList | View/getBucketList | Bucket | Bucket | View the list of multi-part uploads in progress |
| View | View/getBucketCORSList | - | Bucket | Bucket | View the CORS settings |
| View | View/getAccessLogList | View/getBucketList | Bucket | Bucket | View the bucket’s access log settings |
| View | View/getLifeCyclePolicyList | - | - | LifeCyclePolicy | View the bucket’s lifecycle policy list |
| View | View/getBucketWebsite | View/getBucketList | Bucket | Bucket | View the bucket website settings |
| View | View/getBucketEventList | View/getBucketList | Bucket | Bucket | View the bucket event list |
| View | View/getCloudFunctionsTriggerList | - | - | Bucket | View the Cloud Functions trigger list |
| View | View/getCloudFunctionsActionList | - | - | Bucket | View the Cloud Functions action list |
| View | View/getBucketMetricFilterList | - | - | Bucket | View the bucket’s detailed monitoring policy list |
| Change | Change/writeObject | View/getBucketList, View/getObjectList | Bucket | Bucket | Create/change the bucket’s object |
| Change | Change/createBucket | View/getBucketList | - | Bucket | Create bucket |
| Change | Change/deleteBucket | View/getBucketList | Bucket | Bucket | Delete bucket |
| Change | Change/changeBucketCORS | - | Bucket | Bucket | Edit the CORS settings |
| Change | Change/deleteBucketCORS | - | Bucket | Bucket | Delete the CORS settings |
| Change | Change/createAccessLog | View/getBucketList, View/getAccessLogList | Bucket | Bucket | Create the bucket’s access log settings |
| Change | Change/deleteAccessLog | View/getBucketList, View/getAccessLogList | Bucket | Bucket | Delete the bucket’s access log settings |
| Change | Change/createLifeCyclePolicy | View/getBucketList, View/getObjectList, Change/writeObject, View/getLifeCyclePolicyList | - | LifeCyclePolicy | Create a bucket’s lifecycle policy |
| Change | Change/deleteLifeCyclePolicy | View/getLifeCyclePolicyList | - | LifeCyclePolicy | Delete a bucket’s lifecycle policy |
| Change | Change/changeLifeCyclePolicyStatus | View/getObjectList, Change/writeObject, View/getLifeCyclePolicyList | - | LifeCyclePolicy | Change a bucket’s lifecycle policy status |
| Change | Change/changeBucketWebsite | View/getBucketList, View/getBucketWebsite | Bucket | Bucket | Edit the bucket website settings |
| Change | Change/deleteBucketWebsite | View/getBucketList, View/getBucketWebsite | Bucket | Bucket | Delete the bucket website settings |
| Change | Change/createCloudFunctionsTrigger | View/getCloudFunctionsTriggerList | - | Bucket | Create a Cloud Functions trigger |
| Change | Change/changeCloudFunctionsTrigger | - | - | Bucket | Edit a Cloud Functions trigger |
| Change | Change/createBucketEvent | View/getBucketList, View/getBucketEventList, View/getCloudFunctionsActionList, View/getCloudFunctionsTriggerList, Change/changeCloudFunctionsTrigger | Bucket | Bucket | Creates bucket events. |
| Change | Change/deleteBucketEvent | View/getBucketList, View/getBucketEventList, Change/changeCloudFunctionsTrigger | Bucket | Bucket | Delete a bucket event |
| Change | Change/changeBucketEvent | View/getBucketList, View/getBucketEventList, View/getCloudFunctionsActionList, View/getCloudFunctionsTriggerList, Change/changeCloudFunctionsTrigger | Bucket | Bucket | Edit a bucket event |
| Change | Change/subscribeProduct | - | - | - | Request/cancel a subscription to Object Storage |
| Change | Change/sendBucketExtendedMetricData | - | Bucket | Bucket | Send event data of a bucket with a detailed monitoring policy |
| Change | Change/createBucketMetricFilter | Change/sendBucketExtendedMetricData, View/getBucketList, View/getBucketMetricFilterList | - | Bucket | Create a bucket’s detailed monitoring policy |
| Change | Change/changeBucketMetricFilter | View/getBucketMetricFilterList | Bucket | Bucket | Edit a detailed monitoring policy |
| Change | Change/deleteBucketMetricFilter | View/getBucketMetricFilterList | Bucket | Bucket | Delete a bucket’s detailed monitoring policy |

Note

The features are provided in the Japan region as follows:

  • Change/deleteAccessLog and Change/createAccessLog are integrated into Change/changeAccessLog.
  • Access to Object Storage is not allowed for servers with roles assigned by a sub account.

Caution

Even when you are granted permission for a specific action, you won't be able to perform the job properly unless you are also granted permissions for the related actions it requires. To prevent such issues, Sub Account automatically grants permissions for related actions when you grant an action permission. However, if a user deselects related actions, the system excludes the deselected actions from the automatic grant. Choose carefully when setting up permissions.
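
The check described in the caution above can be run offline against a planned action list before the policy is saved. The following is an added example, not NAVER Cloud Platform code: the function names and the sample grant are hypothetical, the map holds only part of the table above, and it assumes a related action's own related actions are needed as well.

```python
# Added example: related-action map transcribed from part of the table above.
RELATED = {
    "View/getBucketList": [],
    "View/getObjectList": ["View/getBucketList"],
    "View/getAccessLogList": ["View/getBucketList"],
    "View/getBucketEventList": ["View/getBucketList"],
    "View/getCloudFunctionsTriggerList": [],
    "View/getCloudFunctionsActionList": [],
    "Change/writeObject": ["View/getBucketList", "View/getObjectList"],
    "Change/createAccessLog": ["View/getBucketList", "View/getAccessLogList"],
    "Change/changeCloudFunctionsTrigger": [],
    "Change/createBucketEvent": [
        "View/getBucketList", "View/getBucketEventList",
        "View/getCloudFunctionsActionList", "View/getCloudFunctionsTriggerList",
        "Change/changeCloudFunctionsTrigger"],
}

def required_closure(actions):
    """Return the actions plus every related action reachable through the map."""
    needed, stack = set(), list(actions)
    while stack:
        action = stack.pop()
        if action not in RELATED:
            raise KeyError(f"action not in the transcribed map: {action}")
        if action not in needed:
            needed.add(action)
            stack.extend(RELATED[action])  # assumption: dependencies chain
    return needed

def missing_related(granted):
    """Map each granted action to the related actions absent from the grant."""
    granted = set(granted)
    gaps = {}
    for action in sorted(granted):
        absent = sorted(required_closure([action]) - granted)
        if absent:
            gaps[action] = absent
    return gaps

def unneeded(granted, tasks):
    """Granted actions that none of the intended tasks require."""
    return sorted(set(granted) - required_closure(tasks))

# Constructed sample: an upload-only sub account with View/getObjectList
# deselected and an unrelated change action left in the grant.
SAMPLE_GRANT = ["Change/writeObject", "View/getBucketList",
                "Change/createBucketEvent"]
```

missing_related() shows which deselected related actions would leave a granted action unusable, and unneeded() lists grants that exceed the intended tasks, which supports a least-privilege review of a User Created policy.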

