Sub Account overview
Available in Classic and VPC
Sub Account is a service that provides sub accounts to enable multiple users to use and manage the same resources.
When multiple people use a single account, managing resources becomes difficult because the resources you manage and those managed by others are mixed together. Sharing the account password among multiple users also increases the risk of security issues. In addition, when multiple personnel are responsible for using and operating NAVER Cloud Platform services, each with different tasks and responsibilities, it may be necessary to assign different resource usage permissions to each person. In such situations, sub accounts let you avoid creating multiple NAVER Cloud Platform accounts or sharing a single account among multiple users. By logging in with sub accounts created from the main account, multiple users can share and manage the same resources. Because the same resources are shared and managed, the service can be operated more reliably, and each user can work only within their assigned permissions, making it safer to use.
Sub Account features
Sub Account provides the following features:
- Convenient web console: you can create and systematically manage sub accounts and the groups they belong to through a web-based console. Managed policies or user-defined policies can be easily assigned to sub accounts and groups.
- Robust security: you can enforce periodic password changes for sub account users through the password expiration feature. You can also enhance security by setting IP ranges to restrict console access to authorized locations only. In addition, you can use Secure Token Service (STS) to create and use temporary Access Keys, which control access to resources within NAVER Cloud Platform.
- Systematic permission assignment: you can grant service-level permissions to sub accounts or groups, and selectively assign task or resource-level permissions based on the role and properties of the person assigned to the sub account. Systematic resource management is achieved by granting only the minimum necessary permissions required for each person's tasks.
Sub Account user guide information
Sub Account is available in Korea, U.S., Singapore, Japan, and Germany Regions. The same service is provided in each Region. This guide will walk you through the information you need to start using Sub Account.
Sub Account overview: describes features, user guides, and related resources
Sub Account prerequisites: view supported environments and pricing information
Getting started with Sub Account: guide to begin using Sub Account
- Manage subscriptions: learn how to manage subscriptions
Using Sub Account: learn how to use Sub Account
- Create and manage sub account: how to create and manage sub accounts, and apply policies
- Manage policies and roles: how to create and manage policies and roles
- External Access authentication and permissions management: guide to authentication and access permissions management to workloads outside of NAVER Cloud Platform
- Using External Access Signing Helper CLI: learn how to access Signing Helper CLI for using External Access
- Logging in with a sub account: guide for sub account users on how to log in using a sub account
- Permissions information by service: overview of permissions for all services
- Assignment information by resource: guide to resource limits managed by Sub Account by item
- Condition key and operator information: information on the items required when setting a policy Condition
Sub Account resource management: resource information of the Sub Account service
Sub Account glossary: familiarize yourself with key terms and definitions
Sub Account permissions management: guide to policy
Sub Account release notes: see documentation history for Sub Account user guides
Sub Account related resources
We offer various related resources in addition to the user guides so you can better understand Sub Account. If you are a developer or marketer who needs details while considering Sub Account or establishing data-related policies, make good use of the following resources:
- Pricing information, characteristics, and detailed features: summary of Sub Account's pricing plan, characteristics, and detailed features
- Sub Account easy start guide: basic usage of Sub Account
- Latest service news: the latest news on Sub Account
- FAQs: frequently asked questions from Sub Account users
- Contact us: send direct inquiries in case of any unresolved questions that aren't answered by the user guides
FAQs
Sub Account
Q. How are accounts and sub accounts different?
- An email address registered to use NAVER Cloud Platform is called an "account." An account holds your personal information and payment information, and can use all the services of NAVER Cloud Platform. In this guide, the term "main account" is also used to distinguish it from sub accounts.
- A "sub account" is an account that serves in an auxiliary role, sharing and managing the resources of the main account. You can use services within the permissions granted to the sub account. If a sub account is granted the permission of "NCP_SERVER_MANAGER," then it can use all features of Server. All details of that sub account's tasks can be viewed in Cloud Activity Tracer.
- Fees for services used by the sub account are charged to the account that created the sub account.
Q. How do I use Sub Account?
- The main account user creates sub accounts within Sub Account.
- The main account user grants permissions to the sub account and sets the access page for the sub account to log in.
- The sub account user accesses the sub account login page and logs in with their sub account.
- Sub account users utilize services on NAVER Cloud Platform based on the permissions granted to their accounts.
Q: What are the key permissions that can be granted to a sub account?
- The same access permissions as the main account of NAVER Cloud Platform (access to the portal's My Page and all services in the console): by granting the managed policy "NCP_ADMINISTRATOR" provided by Sub Account, you can access NAVER Cloud Platform's portal and console similarly to the main account.
- Service-specific access permissions in NAVER Cloud Platform console: granting managed policies such as "NCP_ServiceName_MANAGER/VIEWER/EXECUTOR" allows access to specific services.
- Access permissions to My Page > Usage Management on the NAVER Cloud Platform portal: by granting the managed policy "NCP_FINANCE_MANAGER" provided by Sub Account, you can access the service usage history, current status, promotion history, and billing trend menus in the My Page section of NAVER Cloud Platform portal.
Q. What are the different methods to grant permissions?
- There are 2 methods of granting permissions provided by NAVER Cloud Platform: role-based access control (RBAC) and attribute-based access control (ABAC).
- Role-based access control (RBAC) is a method of granting access or task permissions based on user roles, where the access permissions by role are determined by its permissions to specific resources.
- Attribute-based access control (ABAC) is a method of granting access or task permissions based on properties such as user, resource, and task environment (session).
- In NAVER Cloud Platform, these properties are collectively referred to as "tags." By associating tags with users, resources, and task environments, you can design policies that allow a task when the properties of the target being checked match the properties of the granted permissions.
Q. What are the benefits of attribute-based access control (ABAC)?
- You can dynamically manage changes. It doesn't require you to update existing policies to allow access to new resources. All you need to do is place tags on the new resource to enforce the policy.
- It enables more granular permissions management. While traditional role-based access control (RBAC) can only manage access permissions for specific resources, attribute-based access control (ABAC) allows the policy to be enforced only if it matches a tag on a resource, enabling more granular permissions management than the current system.
Q. What are the available attributes in attribute-based access control (ABAC)?
For more information on available properties, see Condition keys and operator information. You can see the condition keys (properties) and operators provided by attribute-based access control (ABAC), as well as how to check the value of each property.
External Access
Q: Are only PEM format certificates allowed?
- Only PEM format certificates that start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE----- can be used.
- DER format certificates cannot be used directly, but they can be converted to PEM using tools like OpenSSL.
Q: Is it not possible to use third-party certificates other than NCP PCA?
- A feature that allows the use of third-party certificates issued outside of NAVER Cloud Platform will be provided.
Q: Authentication fails when using a chain certificate.
- Authentication fails if the Root CA certificate is included within the chain certificate. Check whether the Root CA certificate is included in the chain certificate and exclude it if present.
- The order of certificates in the chain is important. Verify that the chain is structured from the lowest-level certificate to the highest-level certificate.
Q: I registered a CRL, but a revoked certificate is successfully authenticated.
- Check if the uploaded CRL is enabled.
- Verify that the CRL is correctly mapped with TrustAnchor through CRL OpenAPI.
- Ensure that the revoked certificate is properly registered in the CRL file.
(You can check the revoked certificates within the CRL file using OpenSSL or CRL web tools.)
Q: Do I need to re-upload the CRL when changes occur?
- If changes occur in the CRL due to certificate revocation, the CRL must be re-downloaded and uploaded again.
Q: Are only PEM format CRLs allowed?
- Only PEM format CRLs that start with -----BEGIN X509 CRL----- and end with -----END X509 CRL----- can be used.
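The External Access answers above (PEM-only certificates and CRLs, no Root CA inside the chain, lowest-to-highest chain order, revoked serial actually present in the CRL) can be checked locally with OpenSSL before uploading. The script below is an added example, not NAVER Cloud Platform tooling; function names and file names are assumptions, and the root check is a subject-equals-issuer heuristic.

```bash
#!/usr/bin/env bash
# Added example: local pre-upload checks for External Access certificates.
# Requires the openssl CLI; all file names passed in are placeholders.

# DER cannot be uploaded directly: convert DER file $1 to PEM file $2.
der_to_pem() { openssl x509 -inform DER -in "$1" -outform PEM -out "$2"; }

# Split PEM bundle $1 into one file per certificate under directory $2.
split_chain() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%02d.pem", dir, n) }
    out != "" { print > out }
    /-----END CERTIFICATE-----/ { if (out != "") close(out); out = "" }' "$1"
}

# Print the subject or issuer ($1) DN of single-certificate PEM file $2.
dn() { openssl x509 -in "$2" -noout -nameopt RFC2253 "-$1" | sed "s/^$1= *//"; }

# Return 0 when chain $1 holds no self-issued (root) certificate and every
# certificate is issued by the next one (lowest level first); 1 on a finding,
# 2 when no PEM certificate is present. Root detection is a heuristic
# (subject DN equals issuer DN); signatures are not verified here.
check_chain() {
  local tmp f subj iss prev_issuer="" rc=0
  tmp=$(mktemp -d) || return 2
  split_chain "$1" "$tmp"
  for f in "$tmp"/cert*.pem; do
    [ -e "$f" ] || { echo "no PEM certificate found" >&2; rc=2; break; }
    subj=$(dn subject "$f"); iss=$(dn issuer "$f")
    if [ "$subj" = "$iss" ]; then
      echo "root certificate in chain: $subj" >&2; rc=1
    fi
    if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subj" ]; then
      echo "order: expected '$prev_issuer' next, found '$subj'" >&2; rc=1
    fi
    prev_issuer=$iss
  done
  rm -rf "$tmp"
  return "$rc"
}

# Return 0 when hex serial $2 is listed as revoked in PEM CRL $1,
# 1 when it is not listed, 2 when $1 is not a PEM CRL.
crl_lists_serial() {
  grep -q -- '-----BEGIN X509 CRL-----' "$1" || return 2
  openssl crl -in "$1" -noout -text | grep -qi "Serial Number: *$2\$"
}
```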