Available in Classic and VPC
Sub Account is a service that provides sub accounts so that multiple users can use and manage the same resources.
When multiple people use a single account, it becomes challenging to manage resources as those managed by others and by yourself are mixed. Additionally, sharing the account password among multiple users increases the risk of security issues. Also, when multiple personnel are responsible for using and operating NAVER Cloud Platform's services, each with different tasks and responsibilities, it may be necessary to assign different resource usage permissions to each person. In such situations, utilizing sub accounts allows you to avoid creating multiple NAVER Cloud Platform accounts or sharing a single account among multiple users. By logging in with sub accounts created from the main account, multiple users can share and manage the same resources. Because the same resources are shared and managed, the service can be operated more reliably, and each user can work only within their assigned permissions, making it safer to use.
Sub Account features
Sub Account provides the following features.
- Convenient web console: From the web-based console, you can create and organize sub accounts and the groups they belong to, and easily assign managed or user policies to sub accounts and groups.
- Strong security: Password expiration lets you encourage sub account users to change their passwords periodically, and you can set the IP ranges from which the console is accessible to prevent access from unauthorized locations. You can also use Secure Token Service (STS) to create and use temporary Access Keys, which control access to resources within NAVER Cloud Platform.
- Systematic permission assignment: You can grant service-level permissions to sub accounts or groups, and selectively assign task- or resource-level permissions based on the role of the person assigned to the sub account. Systematic resource management is achieved by granting only the minimum necessary permissions required for each person's tasks.
Sub Account user guide
Sub Account is available in the Korea, U.S., Singapore, Japan, and Germany Regions. The service content is identical across regions. Check the following list and details for smooth use of Sub Account.
- Sub Account overview: Introduction to Sub Account and related resources that are helpful for using it
- Sub Account prerequisites: Environment specification and fees for using Sub Account
- Getting started with Sub Account: How to get started with Sub Account
  - Manage subscriptions: Learn how to manage subscriptions for Sub Account
- Using Sub Account: Learn how to access Sub Account.
  - Create and manage Sub Account: How to create and manage sub accounts and how to apply policies
  - Manage policies and roles: How to create and manage policies and roles
  - External Access authentication and permissions management: External workload authentication and access permissions management of NAVER Cloud Platform
  - Using External Access Signing Helper CLI: Learn how to access Signing Helper CLI for using External Access
  - Log in with a sub account: Instructions for sub account users to log in with a sub account
  - Permissions information by service: About permissions for all services
  - Assignment information by resource: Guide to resource limits managed by Sub Account by item
  - Condition key and operator information: Guide to the required items when setting a policy Condition
- Sub Account resource management: Resource information for the Sub Account service
- Sub Account glossary: Key terms and definitions that you must know while using Sub Account
- Sub Account permissions management: Policy guidance for sub accounts
- Sub Account release notes: See documentation updates.
Sub Account related resources
Beyond the user guide, these resources provide additional context and support for Sub Account. Whether you're considering Sub Account or need in-depth information for development, marketing, and other purposes, these resources can help:
- Pricing and features: View pricing details and key capabilities.
- Guides for easily getting started with Sub Account: Basic usage of Sub Account
- Latest announcements: Stay informed about service updates and news.
- FAQs: Get answers to common Sub Account questions.
- Contact Support: Get help if you can't find what you need in the user guide.
FAQs
Sub Account
Q. How are accounts and sub accounts different?
- The email address registered to use NAVER Cloud Platform is called an "account." An account holds your personal information and payment information, and can use all the services of NAVER Cloud Platform. In this guide, the term "main account" is also used to distinguish it from a sub account.
- A "sub account" is an account that plays an auxiliary role in sharing and managing the resources of the main account. You can use services within the permissions granted to the sub account. If a sub account is granted the permission of "NCP_SERVER_MANAGER," then it can use all features of Server. Details of all tasks performed by that sub account can be viewed in Cloud Activity Tracer.
- Fees for the services used by a sub account are charged to the account that created the sub account.
Q. How do I use Sub Account?
- The main account user creates sub accounts within Sub Account.
- The main account user grants permissions to the sub account and sets the access page for the sub account to log in.
- The sub account user accesses the sub account login page and logs in with their sub account.
- Sub account users utilize services on NAVER Cloud Platform based on the permissions granted to their accounts.
Q. What are the key permissions that can be granted to a sub account?
- Same access rights as the main account on NAVER Cloud Platform (access to all services in the console)
  If you grant the 'NCP_ADMINISTRATOR' policy among the system-managed policies provided by Sub Account, you can access the portal and console of NAVER Cloud Platform just like using the main account.
- Access rights by service in NAVER Cloud Platform console
  You can access the service by granting the 'NCP_ServiceName_MANAGER/VIEWER/EXECUTOR' policy among the system-managed policies provided by Sub Account.
- Access only to Cost Explorer and My Account > Billing and Cost Management > Billing and Payments in the console
  If you grant the 'NCP_FINANCE_MANAGER' policy among the system-managed policies provided by Sub Account, you can access the Billing & Payment Management menu in NAVER Cloud Platform console.
Q. What are the different permission granting methods?
- NAVER Cloud Platform provides 2 methods of granting permissions: role-based access control (RBAC) and attribute-based access control (ABAC).
- Role-based access control (RBAC) is a method of granting access or task permissions based on user roles, where the access permissions by role are determined by its permissions to specific resources.
- Attribute-based access control (ABAC) is a method of granting access or task permissions based on properties such as user, resource, and task environment (session).
- In NAVER Cloud Platform, these properties are collectively referred to as "tags." By associating tags with users, resources, and task environments, you can design policies that allow a task when the properties of the target being checked match the properties of the granted permissions.
Q. What are the benefits of attribute-based access control (ABAC)?
- You can dynamically manage changes. It doesn't require you to update existing policies to allow access to new resources. All you need to do is place tags on the new resource to enforce the policy.
- It enables more granular permissions management. While traditional role-based access control (RBAC) can only manage access permissions for specific resources, attribute-based access control (ABAC) allows a policy to be enforced only if it matches a tag on a resource, enabling more granular permissions management than the current system.
Q. What are the available properties in attribute-based access control (ABAC)?
For more information on available properties, see "Condition keys and operator information". You can see the condition keys (properties) and operators provided by attribute-based access control (ABAC), as well as how to check the value of each property.
External Access
Q. Are only PEM format certificates allowed?
- Only PEM format certificates that start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE----- can be used.
- DER format certificates cannot be used directly, but they can be converted to PEM using tools like OpenSSL.
Q. Is it not possible to use third-party certificates other than NCP PCA?
- You can also use a third-party CA other than NAVER Cloud Platform's. When you create a Trust Anchor, select an external CA as the CA type to use it.
Q. Authentication fails when using a chain certificate.
- Authentication fails if the Root CA certificate is included within the chain certificate. Check if the Root CA certificate is included in the chain certificate and exclude it if present.
- The order of certificates in the chain is important. Check that the chain is structured from the lowest-level certificate to the highest-level certificate.
Q. I registered a CRL, but a revoked certificate is successfully authenticated.
- Check if the uploaded CRL is enabled.
- Check that the CRL is correctly mapped to the TrustAnchor through the CRL OpenAPI.
- Check that the revoked certificate is properly registered in the CRL file.
(You can check the revoked certificates within the CRL file using OpenSSL or CRL web tools.)
Q. Do I need to re-upload the CRL when changes occur?
- If changes occur in the CRL due to certificate revocation, the CRL must be re-downloaded and uploaded again.
Q. Is only PEM format available for CRLs?
- Only PEM format CRLs that start with -----BEGIN X509 CRL----- and end with -----END X509 CRL----- can be used.