Managing Object Storage permissions
Available in Classic and VPC
Sub Account is an account management service in the NAVER Cloud Platform that enables you to set various access permissions in Object Storage. Sub Account provides System Managed policies and User Created policies for setting management and administration permissions.
Sub Account is provided free of charge upon subscription request. For more details about Sub Account, refer to the Service > Management & Governance > Sub Account menu in the NAVER Cloud Platform portal and to the Sub Account user guide.
System managed policy
System Managed policies are role-based policies defined by NAVER Cloud Platform for user convenience. System managed policies grant permissions to sub accounts to allow them to access and use the Object Storage service. The following is a brief description of managed policies of Object Storage.
Policy name | Policy description |
---|---|
NCP_ADMINISTRATOR | Permission to access the portal and console in the NAVER Cloud Platform in the same manner as the main accounts |
NCP_INFRA_MANAGER | Permission to use all services in NAVER Cloud Platform except some features (Manage usage/Manage payment) in My Page in the portal |
NCP_OBJECT_STORAGE_VIEWER | Allow the account to only view the list and perform a search in Object Storage |
NCP_OBJECT_STORAGE_MANAGER | Allow the account to use all features in Object Storage (except the feature to grant ACL-related permissions to other accounts) |
User created policy
User Created policies are policies created by users. Once a User Created policy is granted to a sub account created in Sub Account, that sub account can use only the user-assigned action combinations. The following is a brief description of the actions available for User Created policies in Object Storage.
Item | Action | Related action(s) | Resource type | Group by resource type | Action Description |
---|---|---|---|---|---|
View | View/getBucketList | - | - | Bucket | View the bucket list |
View | View/getObjectList | View/getBucketList | Bucket | Bucket | View the file list and detailed information in the bucket |
View | View/getMultipartUploadList | View/getBucketList | Bucket | Bucket | View the list of multi-part uploads in progress |
View | View/getBucketCORSList | - | Bucket | Bucket | View the CORS settings |
View | View/getAccessLogList | View/getBucketList | Bucket | Bucket | View the bucket’s access log settings |
View | View/getLifeCyclePolicyList | - | - | LifeCyclePolicy | View the bucket’s lifecycle policy list |
View | View/getBucketWebsite | View/getBucketList | Bucket | Bucket | View the bucket website settings |
View | View/getBucketEventList | View/getBucketList | Bucket | Bucket | View the bucket event list |
View | View/getCloudFunctionsTriggerList | - | - | Bucket | View the Cloud Functions trigger list |
View | View/getCloudFunctionsActionList | - | - | Bucket | View the Cloud Functions action list |
View | View/getBucketMetricFilterList | - | - | Bucket | View the bucket’s detailed monitoring policy list |
Change | Change/writeObject | View/getBucketList, View/getObjectList | Bucket | Bucket | Create/change the bucket’s object |
Change | Change/createBucket | View/getBucketList | - | Bucket | Create bucket |
Change | Change/deleteBucket | View/getBucketList | Bucket | Bucket | Delete bucket |
Change | Change/changeBucketCORS | - | Bucket | Bucket | Edit the CORS settings |
Change | Change/deleteBucketCORS | - | Bucket | Bucket | Delete the CORS settings |
Change | Change/createAccessLog | View/getBucketList, View/getAccessLogList | Bucket | Bucket | Create the bucket’s access log settings |
Change | Change/deleteAccessLog | View/getBucketList, View/getAccessLogList | Bucket | Bucket | Delete the bucket’s access log settings |
Change | Change/createLifeCyclePolicy | View/getBucketList, View/getObjectList, Change/writeObject, View/getLifeCyclePolicyList | - | LifeCyclePolicy | Create a bucket’s lifecycle policy |
Change | Change/deleteLifeCyclePolicy | View/getLifeCyclePolicyList | - | LifeCyclePolicy | Delete a bucket’s lifecycle policy |
Change | Change/changeLifeCyclePolicyStatus | View/getObjectList, Change/writeObject, View/getLifeCyclePolicyList | - | LifeCyclePolicy | Change a bucket’s lifecycle policy status |
Change | Change/changeBucketWebsite | View/getBucketList, View/getBucketWebsite | Bucket | Bucket | Edit the bucket website settings |
Change | Change/deleteBucketWebsite | View/getBucketList, View/getBucketWebsite | Bucket | Bucket | Delete the bucket website settings |
Change | Change/createCloudFunctionsTrigger | View/getCloudFunctionsTriggerList | - | Bucket | Create a Cloud Functions trigger |
Change | Change/changeCloudFunctionsTrigger | - | - | Bucket | Edit a Cloud Functions trigger |
Change | Change/createBucketEvent | View/getBucketList, View/getBucketEventList, View/getCloudFunctionsActionList, View/getCloudFunctionsTriggerList, Change/changeCloudFunctionsTrigger | Bucket | Bucket | Create a bucket event |
Change | Change/deleteBucketEvent | View/getBucketList, View/getBucketEventList, Change/changeCloudFunctionsTrigger | Bucket | Bucket | Delete a bucket event |
Change | Change/changeBucketEvent | View/getBucketList, View/getBucketEventList, View/getCloudFunctionsActionList, View/getCloudFunctionsTriggerList, Change/changeCloudFunctionsTrigger | Bucket | Bucket | Edit a bucket event |
Change | Change/subscribeProduct | - | - | - | Request/cancel a subscription to Object Storage |
Change | Change/sendBucketExtendedMetricData | - | Bucket | Bucket | Send event data of a bucket with a detailed monitoring policy |
Change | Change/createBucketMetricFilter | Change/sendBucketExtendedMetricData, View/getBucketList, View/getBucketMetricFilterList | - | Bucket | Create a bucket’s detailed monitoring policy |
Change | Change/changeBucketMetricFilter | View/getBucketMetricFilterList | Bucket | Bucket | Edit a detailed monitoring policy |
Change | Change/deleteBucketMetricFilter | View/getBucketMetricFilterList | Bucket | Bucket | Delete a bucket’s detailed monitoring policy |
The features are provided in the Japan region as follows:
- Change/deleteAccessLog and Change/createAccessLog are integrated into Change/changeAccessLog.
- Access to Object Storage is not allowed for servers with roles assigned by a sub account.
Even if you are granted permission for a specific action, you cannot perform jobs properly unless you are also granted permissions for the related actions it requires. To prevent such issues, Sub Account automatically grants permissions for related actions when you grant an action permission. However, if a user deselects related actions, the system excludes the deselected actions from the automatic grant. Choose carefully when setting up permissions.
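A pre-assignment check for the situation described above, as an added example that is not NAVER Cloud Platform code: it takes the actions in a User Created policy and reports the related actions that were deselected. The `RELATED` map is a subset transcribed from the table on this page; the function names, the sample policy, and the option to follow related actions transitively are assumptions of this example.

```python
# Direct "Related action(s)" for a subset of the actions in the table above.
RELATED = {
    "View/getObjectList": {"View/getBucketList"},
    "View/getAccessLogList": {"View/getBucketList"},
    "Change/writeObject": {"View/getBucketList", "View/getObjectList"},
    "Change/createAccessLog": {"View/getBucketList", "View/getAccessLogList"},
    "Change/createLifeCyclePolicy": {
        "View/getBucketList", "View/getObjectList",
        "Change/writeObject", "View/getLifeCyclePolicyList",
    },
    "Change/changeLifeCyclePolicyStatus": {
        "View/getObjectList", "Change/writeObject", "View/getLifeCyclePolicyList",
    },
    "Change/deleteLifeCyclePolicy": {"View/getLifeCyclePolicyList"},
}


def required_actions(action, transitive=True):
    """Related actions of `action`; with transitive=True (an assumption), follow links."""
    seen, stack = set(), [action]
    while stack:
        for dep in RELATED.get(stack.pop(), ()):
            if dep not in seen:
                seen.add(dep)
                if transitive:
                    stack.append(dep)
    seen.discard(action)
    return seen


def audit_policy(granted, transitive=True):
    """Map each granted action to the related actions the policy does not grant."""
    granted = set(granted)
    findings = {}
    for action in sorted(granted):
        missing = required_actions(action, transitive) - granted
        if missing:
            findings[action] = sorted(missing)
    return findings


# Constructed example: a policy where most related actions were deselected.
SAMPLE_POLICY = ["Change/changeLifeCyclePolicyStatus", "View/getLifeCyclePolicyList"]

if __name__ == "__main__":
    for action, missing in audit_policy(SAMPLE_POLICY).items():
        print(f"{action}: missing {', '.join(missing)}")
```

An empty result means every granted action has its related actions in the same policy; any finding is either a permission to add or a deliberate restriction to document.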