Available in Classic and VPC
You can create and manage policies and roles.
Manage policy
A policy is a set of permissions that sub account users can work with. You can assign policies to sub accounts or groups, and sub accounts have varying permissions on portals and consoles depending on the policies assigned.
Here are the types of policies:
- System-managed policy: Pre-built, role-based policies that NAVER Cloud Platform provides for your convenience. These are policies provided with predefined Change/View permissions of the service, and can't be edited or deleted by the user.
- User-defined policy: Policies that let you create custom permissions.
Create user-defined policy
You can create a policy by combining various detailed actions for each service. For example, you can create a sub account with limited access to perform only "view Server list" and "stop specific server" permissions, and assign it to an administrator. Not all services provide detailed action features, and the detailed actions provided for each service are different, so see the permissions management page of each service for detailed descriptions.
To create your own user-defined policy:
- In the NAVER Cloud Platform console, navigate to Services > Management & Governance > Sub Account > Policies.
- Click [Create policy].
- In Policy information, enter the name and description of the policy you want to create.
- You can only enter letters, numbers, and special characters (., -, _) in a policy name, and the first character must be a letter.
- In Policy application targets, select the service to which you wish to apply the policy.
- When selecting a service, the types of action provided by that service are displayed.
- The unit of action varies by service, so see the managing permissions guide for each service for descriptions of each service's action.
- Select the action name to apply to the policy.
- Permission to view: Permission to only use the viewing feature of the corresponding service. Click [Expand] to select detailed permissions.
- Permission to edit: Permission to use features such as creating, editing, and deleting in the corresponding service. Click [Expand] to select detailed permissions.
Note: When selecting an action, other actions associated with that action are automatically selected, so you can create policies even if you do not know the relationship between each action. You can deselect the automatically selected related actions, but if a related action is deleted, it may cause problems when using sub accounts. For example, if you select the permission to view server details, the permission to view the server list is automatically selected as well, but if you manually deselect the permission to view the server list, you are not able to view server details.
- Configure the Condition to apply to the policy.
- Condition key: The property to which the condition applies. Permissions are checked by comparing the "key:value" set in the condition with the "key:value" of the subject of the permission check.
- Operator: The string condition applied to the subject's "key:value" during the permission check.
- Tag key, value: A key/value pair that identifies the resource; that is, the key and value that the property named by the condition key must have.
- The condition feature is only available for services where the minimum permission unit is a "detailed action unit," and the condition keys ncp:resourceTag and ncp:requestTag can only be used with services where the minimum permission unit is an "ABAC unit." For more information on the minimum permission unit that can be granted by service, see Permission information by service.
- For more information on condition keys, operators, and values provided by NAVER Cloud Platform, see Condition keys and operator information.
- Some condition keys cannot be specified for certain actions. If you set such a condition key in the condition, the action is not performed. For more information on the condition keys that can be allocated by action, see Sub Account permissions management.
- Specify the Resources to apply to the policy. If no specific resource is selected, all resources within the resource type are applied.

- Click [Add target].
- Check if the policy has been added to the application target list.

- If you need to assign a tag to identify the policy, specify the tag in the [Tag management] section.
- Click [Create].
You can create up to 500 policies.
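The name rule, the related-action behaviour and the all-resources default described in this procedure can be checked on a policy draft before it is entered in the console. The following is an added example, not NAVER Cloud Platform code: the draft dictionary layout, the action names and the RELATED map are constructed for illustration, and ASCII letters are assumed for the name rule.

```python
import re

# Name rule from the page: letters, digits and . - _ only, first character a
# letter. ASCII letters are an assumption of this example.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9._-]*\Z")

# Constructed map (hypothetical action names): each action and the related
# actions the console selects automatically with it.
RELATED = {
    "View/getServerDetail": {"View/getServerList"},
    "Change/stopServer": {"View/getServerDetail"},
}

def required_actions(action, related=RELATED):
    """Return every action that `action` depends on, directly or indirectly."""
    seen, stack = set(), [action]
    while stack:
        for dep in related.get(stack.pop(), ()):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen

def lint_policy(policy, related=RELATED):
    """Return findings for a policy draft, in the order they are detected."""
    findings = []
    if not NAME_RE.match(policy.get("name", "")):
        findings.append("name: only letters, digits and . - _ allowed, starting with a letter")
    for target in policy.get("targets", []):
        actions = set(target.get("actions", []))
        for action in sorted(actions):
            missing = sorted(required_actions(action, related) - actions)
            if missing:
                findings.append(f"{action}: related action deselected: {', '.join(missing)}")
        if not target.get("resources"):
            findings.append(f"{target['service']}: no resource selected, applies to all resources")
    return findings

# Constructed draft: bad name, a deselected related action, no resource chosen.
DRAFT = {
    "name": "1-server-operator",
    "targets": [{"service": "Server", "resources": [],
                 "actions": ["View/getServerDetail", "Change/stopServer"]}],
}

if __name__ == "__main__":
    for finding in lint_policy(DRAFT):
        print(finding)
```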
View policy details
To view a policy's details:
- In the NAVER Cloud Platform console, navigate to Services > Management & Governance > Sub Account > Policies.
- Enter the policy in the search area in the top right corner of the page, or select the product associated with the policy.
- Click the policy name in the policy list.
- You can check the policy details.
Items: ID, NRN, Creation date and time, Edit date and time, Policy name, Policy type, Policy description, Tag
- Check the [Application target] and [Allocated resource] tabs at the bottom of the Details page.
- Application target: You can view the permission information applied to the policy.
- Allocated resource: You can check information such as the sub account, group, and role of the resources to which the policy is allocated, and you can cancel the policy allocation through the [Unsubscribe] button.
Edit policies
To edit policies:
- In the NAVER Cloud Platform console, navigate to Services > Management & Governance > Sub Account > Policies.
- Click the policy name in the policy list.
- Click [Edit] from the Policy details page.
- Edit the policy information, and then click [Edit].
Delete policies
To delete policies:
- In the NAVER Cloud Platform console, navigate to Services > Management & Governance > Sub Account > Policies.
- Click the policy name in the policy list.
- Click [Delete] at the top of the Policy details page.
- Click [Delete] once the delete window appears.
If there are resources where the policy is allocated, the policy cannot be deleted. After cancelling the policy allocation on the Policy details page, the policy can be deleted.
Manage roles
A role is a temporary credential configured with policies. Unlike policies, which are permanent credentials that can only be assigned to sub accounts, roles can also assign permissions to resources themselves, such as Servers, in addition to accounts.
Here are the types of roles:
- Server role: A server role can only be assigned to VPC-based server resources. On a server assigned with roles, you can access services and resources within NAVER Cloud Platform without storing separate access keys for credentials.
- Account role: Assign sub accounts with the permission to access the main account's portal/console. Sub accounts with assigned roles can access resources of the target account through role switching.
- Single Sign-On role: Assign access permissions to the portal/console for external IdP users of Ncloud Single Sign-On.
- Service role: Assign the targeted service the permission to access another service resource.
By using server roles, you avoid the risk of leaking access keys that would otherwise have to be stored on the server, and you can skip the release work needed to change the key periodically.
Create roles
To create a role:
- In the NAVER Cloud Platform console, navigate to Services > Management & Governance > Sub Account > Roles.
- Click [Create role].
- When the Role information page appears, enter the name, type, and description of the role you want to create.
- If the role type is "Account", also enter the expiration time for unused sessions.
- If you need to assign a tag to identify the role, specify the tag in the [Tag management] section.
- Click [Create].
Single Sign-On roles can be created from Ncloud Single Sign-On.
View role details
To view a role's details:
- In the NAVER Cloud Platform console, navigate to Services > Management & Governance > Sub Account > Roles.
- Enter the role in the search area in the top right corner.
- Click the role name in the role list.
- You can view the role setting information.
Items: ID, NRN, Creation date and time, Edit date and time, Role name, Type, Status, Valid session expiration time, Description, Tag
- See the [Policy] and [Role application target] tabs at the bottom of the Details page.
- Policy: Assign or withdraw a policy to and from a sub account.
- Role application target: Depending on the role type, you can set the targets to which the role applies.
Set role details
To manage a role:
- In the NAVER Cloud Platform console, navigate to Services > Management & Governance > Sub Account > Roles.
- Click the role name.
- See the [Policy] and [Role application target] tabs at the bottom of the Role details page.
- Policy: Assign or withdraw a policy to and from a sub account.
- Click [Add all permissions] to grant permission to perform all actions.
- Role application target: Depending on the role type, you can set the targets to which the role applies.
- Server role: Specify the server resource to which the role is assigned. Only 1 role can be assigned per 1 server resource. When the specify server resource window appears, specify the resource and click [Apply].
- Account role: Specify the main account to which the role is assigned. If you want to specify a main account other than your own, you must authenticate the account by entering the account name and login ID.
- Single Sign-On role: During assignment configuration in Ncloud Single Sign-On, you can view the assignment information of Ncloud Single Sign-On as the role application target.
- Service role: Specify the server resource to which the role is assigned.
Note:
- The main account set as the application target for the account role must assign the switchRole policy to the sub account so that the sub account can switch roles with the account role. To learn how to assign the switchRole policy, see Assign switchRole policy.
- Single Sign-On role policy can be set from Ncloud Single Sign-On.
Edit role information
To edit the role name and description:
- In the NAVER Cloud Platform console, navigate to Services > Management & Governance > Sub Account > Roles.
- Click the role name.
- Click [Edit] from the Role details page.
- You can edit the name and description of the role.
- If the role type is "Account", you can also edit the valid session expiration time.
- You cannot edit the role type.
- Click [Edit] when you are done editing the role.
Detailed information on Single Sign-On roles can be edited from Ncloud Single Sign-On.
Delete roles
To delete a role:
- In the NAVER Cloud Platform console, navigate to Services > Management & Governance > Sub Account > Roles.
- Click the check box of the role you want to delete in the role list.
- Click [Delete].
- Click [Delete] once the delete window appears.
- Single Sign-On role must be deleted in Ncloud Single Sign-On.
- The service application using a role may be suspended when deleting a service role, so delete the service role after canceling the role from the service.
Disable roles
You can disable a role to suspend it, making it unavailable for use. To disable a role:
- In the NAVER Cloud Platform console, navigate to Services > Management & Governance > Sub Account > Roles.
- Click the role name.
- Click [Disable] from the Role details page.
- When the deactivate window appears, click [Disable].
- The disabled roles show their Status as Suspended.
- When a server role is disabled, the access key is also invalidated.
- When an account role is disabled, the sub account that has switched to the role is automatically logged out, and the Secure Token Service (STS) also expires.
- Single Sign-On role must be disabled in Ncloud Single Sign-On.
- When disabling the Service Role, the application service applying the role may be suspended.
Switch roles
Role switching is only available for sub accounts. To switch roles:
- Click the user name in the top right of the NAVER Cloud Platform console.
- Click [Switch role].
- In the role switching popup, select the role you wish to switch.
- Account role: In the role list, set the role switch status of the role you will use to "ON."
- You need to enter account role NRN information when registering the role for the first time, so request account role information from the main account.
- Single Sign-On role: Under the Single Sign-On role tab, click [Switch role] and select the role you wish to switch.
While the roles are switched, you cannot register, edit, or delete roles. If necessary, click [Return to sub account] to register, edit, and delete roles in the sub account status.
Assign switchRole policy
To enable a sub account to switch to a role that is assigned as the application target of the account role, the switchRole policy must be assigned to the sub account.
To assign the switchRole policy to a sub account:
- In the NAVER Cloud Platform console, navigate to Services > Management & Governance > Sub Account > Policies.
- Click [Create policy].
- Create a policy by entering the following in Set application targets.
- Service: Sub Account.
- Action name: Change/switchRole.
- Resource: Select whether to specify a resource > click [Select resource] > select the assigned account role resource to apply.
- If you have been assigned an account role in another main account, you can apply the role to resources by clicking [Register other account resource], thus authenticating the account role NRN.

- In the NAVER Cloud Platform console, navigate to Services > Management & Governance > Sub Account > Sub Account.
- Click the login ID of the sub account that you want to use for role switching.
- Click the Policy tab on the [Sub account details] page, and then click [Add].
- Add the user-defined policy that you have created.
- Confirm if the policy has been added successfully.