Managing Object Storage permissions


Available in Classic and VPC

By using Sub Account, NAVER Cloud Platform's account management service, you can set various access permissions for Object Storage. Sub Account provides System Managed policies and User Created policies for setting management and administration permissions.

Note

Sub Account is a service provided free of charge upon subscription request. For more details about Sub Account, refer to the Services > Management & Governance > Sub Account menu in the NAVER Cloud Platform portal and to the Sub Account Guide.

Managed policies

Managed policies are role-based policies defined by NAVER Cloud Platform for user convenience. Once managed policies are granted to a sub account created in Sub Account, that sub account can use Object Storage. The following is a brief description of the managed policies of Object Storage.

| Policy name | Policy description |
| --- | --- |
| NCP_ADMINISTRATOR | Permission to access the portal and console in NAVER Cloud Platform in the same manner as main accounts |
| NCP_INFRA_MANAGER | Permission to use all services in NAVER Cloud Platform but with restricted access to some features (Manage usage, payment management) of My Page in the portal |
| NCP_OBJECT_STORAGE_VIEWER | Permission to only use the view list and view features in Object Storage |
| NCP_OBJECT_STORAGE_MANAGER | Permission to use all features in Object Storage (However, -related permissions cannot be granted to other accounts.) |

User Created policies

User Created policies are policies that users may create. Once User Created policies are granted to a sub account created in Sub Account, that sub account can only use the user-assigned action combinations. The following is a brief description of the User Created policies of Object Storage.

| Type | Action name | Related action(s) | Resource type | Group by resource type | Action description |
| --- | --- | --- | --- | --- | --- |
| View | View/getBucketList | - | - | Bucket | View bucket list |
| View | View/getObjectList | View/getBucketList | Bucket | Bucket | Get the list of files in the bucket and view bucket details |
| View | View/getMultipartUploadList | View/getBucketList | Bucket | Bucket | View the list of ongoing multi-part uploads in the bucket. |
| View | View/getBucketCORSList | - | Bucket | Bucket | View bucket CORS |
| View | View/getAccessLogList | View/getBucketList | Bucket | Bucket | View the content of bucket's access log setting |
| View | View/getLifeCyclePolicyList | - | - | LifeCyclePolicy | Get the list of bucket's lifecycle policies |
| View | View/getBucketWebsite | View/getBucketList | Bucket | Bucket | View bucket website settings |
| View | View/getBucketEventList | View/getBucketList | Bucket | Bucket | View bucket event list |
| View | View/getCloudFunctionsTriggerList | - | - | Bucket | View the list of Cloud Functions trigger. |
| View | View/getCloudFunctionsActionList | - | - | Bucket | View the list of Cloud Functions actions. |
| View | View/getBucketMetricFilterList | - | - | Bucket | View the detailed monitoring policy list of the bucket |
| Change | Change/writeObject | View/getBucketList, View/getObjectList | Bucket | Bucket | Create and modify bucket object |
| Change | Change/createBucket | View/getBucketList | - | Bucket | Create bucket |
| Change | Change/deleteBucket | View/getBucketList | Bucket | Bucket | Delete bucket |
| Change | Change/changeBucketCORS | - | Bucket | Bucket | Edit bucket CORS |
| Change | Change/deleteBucketCORS | - | Bucket | Bucket | Delete bucket CORS |
| Change | Change/changeAccessLog | View/getBucketList, View/getAccessLogList | Bucket | Bucket | Edit bucket's access log setting |
| Change | Change/createLifeCyclePolicy | View/getBucketList, View/getObjectList, Change/writeObject, View/getLifeCyclePolicyList | - | LifeCyclePolicy | Create a bucket's lifecycle policy |
| Change | Change/deleteLifeCyclePolicy | View/getLifeCyclePolicyList | - | LifeCyclePolicy | Delete a bucket's lifecycle policy |
| Change | Change/changeLifeCyclePolicyStatus | View/getObjectList, Change/writeObject, View/getLifeCyclePolicyList | - | LifeCyclePolicy | Change a bucket's lifecycle policy |
| Change | Change/changeBucketWebsite | View/getBucketList, View/getBucketWebsite | Bucket | Bucket | Edit bucket website settings |
| Change | Change/deleteBucketWebsite | View/getBucketList, View/getBucketWebsite | Bucket | Bucket | Delete bucket website settings |
| Change | Change/createCloudFunctionsTrigger | View/getCloudFunctionsTriggerList | - | Bucket | Create Cloud Functions triggers. |
| Change | Change/changeCloudFunctionsTrigger | - | - | Bucket | Edit the Cloud Functions trigger information. |
| Change | Change/createBucketEvent | View/getBucketList, View/getBucketEventList, View/getCloudFunctionsActionList, View/getCloudFunctionsTriggerList, Change/changeCloudFunctionsTrigger | Bucket | Bucket | Create bucket event |
| Change | Change/deleteBucketEvent | View/getBucketList, View/getBucketEventList, Change/changeCloudFunctionsTrigger | Bucket | Bucket | Delete bucket event |
| Change | Change/changeBucketEvent | View/getBucketList, View/getBucketEventList, View/getCloudFunctionsActionList, View/getCloudFunctionsTriggerList, Change/changeCloudFunctionsTrigger | Bucket | Bucket | Edit bucket event |
| Change | Change/subscribeProduct | - | - | - | Request subscription or cancel subscription of Object Storage. |
| Change | Change/sendBucketExtendedMetricData | - | Bucket | Bucket | Transmit the event data of the bucket with the detailed monitoring policy set |
| Change | Change/createBucketMetricFilter | Change/sendBucketExtendedMetricData, View/getBucketList, View/getBucketMetricFilterList | - | Bucket | Create the detailed monitoring policy of the bucket |
| Change | Change/changeBucketMetricFilter | View/getBucketMetricFilterList | Bucket | Bucket | Change the detailed monitoring policy of the bucket. |
| Change | Change/deleteBucketMetricFilter | View/getBucketMetricFilterList | Bucket | Bucket | Delete the detailed monitoring policy of the bucket |

Note

Sub Account permission changes may not take effect immediately and can take up to 1 minute to apply.

Caution

Even when you are granted permission for a specific action, if you are not also granted permissions for the related actions that are required, then you won't be able to perform jobs properly. To prevent such issues, Sub Account provides a feature that automatically grants permissions for related actions when granting action permissions. However, if you deselect related actions that are automatically granted, then the system determines that it was done intentionally by the main account user and won't forcibly include them. So, be careful when setting permissions.
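
The check below is an added example, not NAVER Cloud Platform code: it audits the action list of a User Created policy for related actions that were deselected, using a subset of the related-action table on this page. The names RELATED, missing_related, with_related and the sample policy are hypothetical, and following related actions transitively is an assumption of the example.

```python
# Direct related actions, transcribed from a subset of this page's table.
RELATED = {
    "View/getObjectList": ["View/getBucketList"],
    "View/getBucketEventList": ["View/getBucketList"],
    "Change/writeObject": ["View/getBucketList", "View/getObjectList"],
    "Change/createLifeCyclePolicy": [
        "View/getBucketList", "View/getObjectList",
        "Change/writeObject", "View/getLifeCyclePolicyList"],
    "Change/createBucketEvent": [
        "View/getBucketList", "View/getBucketEventList",
        "View/getCloudFunctionsActionList", "View/getCloudFunctionsTriggerList",
        "Change/changeCloudFunctionsTrigger"],
}


def missing_related(granted):
    """Map each granted action to the related actions the policy lacks."""
    granted = set(granted)
    gaps = {}
    for action in sorted(granted):
        absent = [r for r in RELATED.get(action, []) if r not in granted]
        if absent:
            gaps[action] = absent
    return gaps


def with_related(actions):
    """Return the actions plus their related actions."""
    # Assumption: related actions of related actions are followed too;
    # the page only lists the direct related actions of each row.
    result, stack = set(), list(actions)
    while stack:
        action = stack.pop()
        if action not in result:
            result.add(action)
            stack.extend(RELATED.get(action, []))
    return result


# Constructed sample policy: change actions kept, most view actions deselected.
SAMPLE_POLICY = ["Change/writeObject", "Change/createBucketEvent",
                 "View/getBucketList"]

if __name__ == "__main__":
    for action, absent in missing_related(SAMPLE_POLICY).items():
        print(f"{action}: missing {', '.join(absent)}")
```

An empty result from missing_related means every granted action in the policy has the related actions this table lists for it; actions outside the transcribed subset are not checked.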