Managing Object Storage permissions
Available in Classic and VPC
By using Sub Account, NAVER Cloud Platform's account management service, you can set various access permissions for Object Storage. Sub Account provides System Managed policies and User Created policies for setting management and administration permissions.
Sub Account is a service provided free of charge upon subscription request. For more details about Sub Account, refer to the Services > Management & Governance > Sub Account menu in the NAVER Cloud Platform portal and the Sub Account Guide.
Managed policies
Managed policies are role-based policies defined by NAVER Cloud Platform for user convenience. Once managed policies are granted to a sub account created in Sub Account, that sub account can use Object Storage. The following is a brief description of the managed policies of Object Storage.
Policy name | Policy description |
---|---|
NCP_ADMINISTRATOR | Permission to access the portal and console in NAVER Cloud Platform in the same manner as main accounts |
NCP_INFRA_MANAGER | Permission to use all services in NAVER Cloud Platform but with restricted access to some features (Manage usage, payment management) of My Page in the portal |
NCP_OBJECT_STORAGE_VIEWER | Permission to only use the view list and view features in Object Storage |
NCP_OBJECT_STORAGE_MANAGER | Permission to use all features in Object Storage (However, -related permissions cannot be granted to other accounts.) |
User Created policies
User Created policies are policies that users create themselves. Once User Created policies are granted to a sub account created in Sub Account, that sub account can use only the action combinations the user assigned. The following is a brief description of the User Created policies of Object Storage.
Type | Action name | Related action(s) | Resource type | Group by resource type | Action description |
---|---|---|---|---|---|
View | View/getBucketList | - | - | Bucket | View bucket list |
View | View/getObjectList | View/getBucketList | Bucket | Bucket | Get the list of files in the bucket and view bucket details |
View | View/getMultipartUploadList | View/getBucketList | Bucket | Bucket | View the list of ongoing multi-part uploads in the bucket. |
View | View/getBucketCORSList | - | Bucket | Bucket | View bucket CORS |
View | View/getAccessLogList | View/getBucketList | Bucket | Bucket | View the content of bucket's access log setting |
View | View/getLifeCyclePolicyList | - | - | LifeCyclePolicy | Get the list of bucket's lifecycle policies |
View | View/getBucketWebsite | View/getBucketList | Bucket | Bucket | View bucket website settings |
View | View/getBucketEventList | View/getBucketList | Bucket | Bucket | View bucket event list |
View | View/getCloudFunctionsTriggerList | - | - | Bucket | View the list of Cloud Functions trigger. |
View | View/getCloudFunctionsActionList | - | - | Bucket | View the list of Cloud Functions actions. |
View | View/getBucketMetricFilterList | - | - | Bucket | View the detailed monitoring policy list of the bucket |
Change | Change/writeObject | View/getBucketList View/getObjectList | Bucket | Bucket | Create and modify bucket object |
Change | Change/createBucket | View/getBucketList | - | Bucket | Create bucket |
Change | Change/deleteBucket | View/getBucketList | Bucket | Bucket | Delete bucket |
Change | Change/changeBucketCORS | - | Bucket | Bucket | Edit bucket CORS |
Change | Change/deleteBucketCORS | - | Bucket | Bucket | Delete bucket CORS |
Change | Change/changeAccessLog | View/getBucketList View/getAccessLogList | Bucket | Bucket | Edit bucket's access log setting |
Change | Change/createLifeCyclePolicy | View/getBucketList View/getObjectList Change/writeObject View/getLifeCyclePolicyList | - | LifeCyclePolicy | Create a bucket's lifecycle policy |
Change | Change/deleteLifeCyclePolicy | View/getLifeCyclePolicyList | - | LifeCyclePolicy | Delete a bucket's lifecycle policy |
Change | Change/changeLifeCyclePolicyStatus | View/getObjectList Change/writeObject View/getLifeCyclePolicyList | - | LifeCyclePolicy | Change a bucket's lifecycle policy |
Change | Change/changeBucketWebsite | View/getBucketList View/getBucketWebsite | Bucket | Bucket | Edit bucket website settings |
Change | Change/deleteBucketWebsite | View/getBucketList View/getBucketWebsite | Bucket | Bucket | Delete bucket website settings |
Change | Change/createCloudFunctionsTrigger | View/getCloudFunctionsTriggerList | - | Bucket | Create Cloud Functions triggers. |
Change | Change/changeCloudFunctionsTrigger | - | - | Bucket | Edit the Cloud Functions trigger information. |
Change | Change/createBucketEvent | View/getBucketList View/getBucketEventList View/getCloudFunctionsActionList View/getCloudFunctionsTriggerList Change/changeCloudFunctionsTrigger | Bucket | Bucket | Create bucket event |
Change | Change/deleteBucketEvent | View/getBucketList View/getBucketEventList Change/changeCloudFunctionsTrigger | Bucket | Bucket | Delete bucket event |
Change | Change/changeBucketEvent | View/getBucketList View/getBucketEventList View/getCloudFunctionsActionList View/getCloudFunctionsTriggerList Change/changeCloudFunctionsTrigger | Bucket | Bucket | Edit bucket event |
Change | Change/subscribeProduct | - | - | - | Request subscription or cancel subscription of Object Storage. |
Change | Change/sendBucketExtendedMetricData | - | Bucket | Bucket | Transmit the event data of the bucket with the detailed monitoring policy set |
Change | Change/createBucketMetricFilter | Change/sendBucketExtendedMetricData View/getBucketList View/getBucketMetricFilterList | - | Bucket | Create the detailed monitoring policy of the bucket |
Change | Change/changeBucketMetricFilter | View/getBucketMetricFilterList | Bucket | Bucket | Change the detailed monitoring policy of the bucket. |
Change | Change/deleteBucketMetricFilter | View/getBucketMetricFilterList | Bucket | Bucket | Delete the detailed monitoring policy of the bucket |
Changes to Sub Account permissions may not take effect immediately and can take up to 1 minute.
Even if you are granted permission for a specific action, you cannot perform the job properly unless you are also granted the related actions it requires. To prevent this, Sub Account automatically grants the related actions when you grant an action. However, if you deselect related actions that were granted automatically, the system treats this as an intentional choice by the main account user and does not forcibly include them, so take care when setting permissions.
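The related-action rule above can be checked offline before a policy is saved. The following is an added example, not NAVER Cloud Platform code: it parses a few rows copied from the User Created policies table and reports related actions that a planned policy leaves out. The function names and the sample policy are hypothetical, and following related actions of related actions is a choice made for this example.

```python
# Rows copied from the User Created policies table above (subset; same column order).
TABLE = """\
View | View/getBucketList | - | - | Bucket | View bucket list |
View | View/getObjectList | View/getBucketList | Bucket | Bucket | Get the list of files in the bucket and view bucket details |
View | View/getLifeCyclePolicyList | - | - | LifeCyclePolicy | Get the list of bucket's lifecycle policies |
Change | Change/writeObject | View/getBucketList View/getObjectList | Bucket | Bucket | Create and modify bucket object |
Change | Change/deleteBucket | View/getBucketList | Bucket | Bucket | Delete bucket |
Change | Change/createLifeCyclePolicy | View/getBucketList View/getObjectList Change/writeObject View/getLifeCyclePolicyList | - | LifeCyclePolicy | Create a bucket's lifecycle policy |
"""

def parse_related(table):
    """Map each action name to the set of related actions listed in its row."""
    related = {}
    for line in table.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) < 3 or "/" not in cells[1]:
            continue  # skip header, separator and blank lines
        related[cells[1]] = set() if cells[2] == "-" else set(cells[2].split())
    return related

RELATED = parse_related(TABLE)

def missing_related(granted):
    """For each granted action, list the related actions the policy does not grant."""
    granted = set(granted)
    gaps = {}
    for action in sorted(granted):
        if action not in RELATED:
            raise KeyError(f"action not in table excerpt: {action}")
        missing = RELATED[action] - granted
        if missing:
            gaps[action] = sorted(missing)
    return gaps

def with_related(wanted):
    """Smallest grant set holding `wanted` plus related actions, followed transitively."""
    result, todo = set(), list(wanted)
    while todo:
        action = todo.pop()
        if action not in result:
            result.add(action)
            todo.extend(RELATED[action])
    return sorted(result)

if __name__ == "__main__":
    # Constructed policy: lifecycle creation with two related actions deselected.
    policy = ["Change/createLifeCyclePolicy", "View/getBucketList", "View/getLifeCyclePolicyList"]
    print(missing_related(policy))
    print(with_related(["Change/createLifeCyclePolicy"]))
```

An empty result from `missing_related` means every granted action has its related actions; a non-empty one names the deselected actions to review before the policy is assigned.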