Policy and role management
The latest service changes have not yet been reflected in this content. We will update the content as soon as possible. Please refer to the Korean version for information on the latest updates.
Available in Classic and VPC
This section describes how to create and manage policies and roles.
Policy management
A policy is a set of permissions that sub account users can work with. You can assign policies to sub accounts or groups, and sub accounts have varying permissions on portals and consoles depending on the policies assigned.
The following are the types of policies:
- System-managed policy: role-based policies defined by NAVER Cloud Platform for user convenience. These are policies provided with predefined Change/View permissions of the service, and can't be edited or deleted by the user.
- User-defined policy: policies that users may create.
Create user-defined policy
You can create a policy by combining various detailed actions for each service. For example, you can create a sub account limited to the "view Server list" and "stop specific server" permissions and assign it to an administrator. Not all services provide detailed actions, and the detailed actions offered differ from service to service, so see the managing permissions page of each service for details.
To create your own user-defined policy, follow these steps:
In the NAVER Cloud Platform console, click Services > Management & Governance > Sub Account > Policies in order.
Click [Create policy].
In Policy information, enter the name and description for the policy you want to create.
- You can only enter letters, numbers, and special characters (., -, _) in a policy name, and the first character must be a letter.
After selecting the platform in the Policy application targets area, select the service to which you wish to apply the policy.
- When selecting a service, the types of action provided by that service are displayed.
- The unit of action varies by service, so see the Managing permissions guide for each service for descriptions of each service’s action.
Select the action name to apply.
- Permission to view: permissions to use only the viewing features of the corresponding service. Click the [Expand] button to select detailed permissions.
- Permission to edit: permissions to use features such as creating, editing, and deleting in the corresponding service. Click the [Expand] button to select detailed permissions.
Note: When you select an action, the other actions it depends on are selected automatically, so you can create policies without knowing the relationship between actions. You can deselect an automatically selected associated action, but doing so may cause problems for sub accounts using the policy. For example, selecting permission to view detailed server information automatically selects permission to view the server list; if you forcibly deselect permission to view the server list, the server's detailed information can no longer be viewed.
Set Condition to apply to the policy.
- Condition key: the attribute to which the policy applies. Permissions are checked by comparing the "key:value" set in the condition with the "key:value" of the subject being checked.
- Operator: the string comparison used when checking the subject's "key:value" against the condition.
- Tag key, value: a key/value pair that identifies the resource, i.e., the key and value that the attribute referenced by the condition key must have.
Condition feature is only available for services supporting authorization by detailed action unit, and the resource attribute condition key is only available for services supporting authorization by ABAC unit. See Permission information by service for the minimum permission unit that can be granted by service.
For information on condition keys, operators, and values provided by NAVER Cloud Platform, see Condition keys and operator information.
Some condition keys cannot be allocated to certain actions. If you set a condition key that cannot be allocated to the action, the action will not be performed. See Sub Account access management for each service for the condition keys that can be allocated per action.
- Check if the policy has been added to the application target list.
- When selecting a service, permission to access the service (ProductAccess Action) is automatically added in the console.
- Click [Create].
You can create up to 500 policies.
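As an added illustration (not NAVER Cloud Platform's own code), the following Python model shows how the pieces of the procedure above fit together: associated actions are auto-selected, a deselected associated action breaks the action that depends on it, and a policy only applies when every condition key/operator/value matches the subject's attributes. All action names, condition keys and operator names are constructed placeholders.

```python
"""Simplified model of the policy evaluation described above. This is an added
illustration, not NAVER Cloud Platform's own engine; action names, condition keys
and operator names are constructed placeholders."""
import fnmatch
from dataclasses import dataclass, field

# Constructed dependency map: selecting an action auto-selects the actions it needs
# (the page's example: viewing server details needs the server-list view).
ASSOCIATED_ACTIONS = {"Server/viewServerDetail": {"Server/viewServerList"}}

# Constructed string operators; the real operator names are listed on the
# "Condition keys and operator information" page.
OPERATORS = {
    "equals": lambda want, have: want == have,
    "not_equals": lambda want, have: want != have,
    "like": lambda want, have: fnmatch.fnmatchcase(have, want),  # * and ? wildcards
}

def expand_actions(selected):
    """Selected actions plus every associated action they depend on."""
    result, stack = set(), list(selected)
    while stack:
        action = stack.pop()
        if action not in result:
            result.add(action)
            stack.extend(ASSOCIATED_ACTIONS.get(action, ()))
    return result

def missing_dependencies(selected):
    """Associated actions that were deselected (the dependent action would fail)."""
    return expand_actions(selected) - set(selected)

@dataclass
class Policy:
    actions: set
    conditions: list = field(default_factory=list)  # (condition key, operator, value)

def conditions_hold(policy, subject_attrs):
    """Every condition must match the subject's key:value attributes; a missing key fails."""
    for key, op, want in policy.conditions:
        have = subject_attrs.get(key)
        if have is None or not OPERATORS[op](want, have):
            return False
    return True

def is_allowed(policies, action, subject_attrs):
    """Allow when some policy contains the action and all of its conditions hold."""
    return any(action in p.actions and conditions_hold(p, subject_attrs)
               for p in policies)
```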
View policy details
To view a policy's details, follow these steps:
In the NAVER Cloud Platform console, click Services > Management & Governance > Sub Account > Policies in order.
Enter the policy in the search area in the top right corner of the page, or select the product associated with the policy.
Click the policy name in the policy list.
You can check the policy details.
- ID: ID automatically assigned upon policy creation
- NRN: Ncloud Resource Name (resource name)
- Creation date and time: policy creation date and time
- Modification date: policy modification date
- Policy name: policy name
- Policy type:
  - SYSTEM_MANAGED: a system-managed policy, i.e., a role-based policy defined by NAVER Cloud Platform for user convenience
  - USER_CREATED: a policy created by a user for their own use
- Permission status: Allow (allows access in the policy)
- Policy description: brief information about the policy
- Tag: tag keys/values assigned for easy categorization
  - View, create, edit, and delete tags with [Tag management]
  - Only one value can be assigned to each tag key
  - When adding a tag value to a previously registered tag key, the tag is updated with the newly entered value
Check the [Application target] and [Allocated resource] tabs at the bottom of the details page.
- Application target: you can review the permission information applied to the policy.
- Allocated resource: you can check the resource information (Sub Account, Group, and Role) where the policy is allocated, and you can cancel the policy allocation through the [Unsubscribe] button.
Edit policies
To edit policies, follow these steps:
- In the NAVER Cloud Platform console, click Services > Management & Governance > Sub Account > Policies in order.
- Click the policy name in the policy list.
- Click the [Edit] button from the policy details page.
- Edit the policy information, and then click the [Edit] button.
Delete policies
To delete policies, follow these steps:
- In the NAVER Cloud Platform console, click Services > Management & Governance > Sub Account > Policies in order.
- Click the policy name in the policy list.
- Click the [Delete] button when the policy details page appears.
- Click the [Delete] button once the delete window appears.
A policy that is still allocated to any resource cannot be deleted. Cancel the policy allocation on the policy details page first, and then delete the policy.
Manage role
A role is a temporary credential configured with policies. Unlike policies, which are permanent credentials that can only be assigned to sub accounts, roles can also assign permissions to resources themselves, such as Servers, in addition to accounts.
The role types are as follows:
- Server Role: a Server Role can only be assigned to VPC-based Server resources. On Servers assigned with roles, you can access services and resources within NAVER Cloud Platform without storing separate Access Keys for credentials.
- Account Role: an Account Role can assign sub accounts the permission to access the main account's portal/console. Sub accounts with assigned roles can access resources of the target account through role switching.
- Single Sign-On Role: a Single Sign-On Role allows for the assignment of accessible permissions to the portal/console for External IdP users of Ncloud Single Sign-On.
- Service Role: a Service Role can assign the targeted service the permission to access another service resource.
By using Server Roles, you avoid the risk of leaking Access Keys that would otherwise have to be stored on the Server, and you no longer need deployment tasks for periodic key rotation.
Create role
To create a role, follow these steps:
- In the NAVER Cloud Platform console, click Services > Management & Governance > Sub Account > Roles in order.
- Click [Create role].
- When the Role information page appears, enter the name, type, and description of the role you want to create.
- If the role type is Account, also enter the expiration time for unused sessions.
- Click [Create].
Single Sign-On Role can be created from Ncloud Single Sign-On.
View role details
To view a role's details, follow these steps:
In the NAVER Cloud Platform console, click Services > Management & Governance > Sub Account > Roles in order.
Enter the role in the search area in the top right corner.
Click the role name in the role list.
You can view the role setting information.
- ID: ID automatically assigned upon role creation
- NRN: Ncloud Resource Name (resource name)
- Creation date and time: role creation date and time
- Modification date: role modification date
- Role name: role name
- Type: the role type, which determines the target the role applies to
- Status: whether the role is enabled or disabled
- Valid session expiration time: session expiration time, applicable when the role is an Account Role
- Description: brief information about the role
- Tag: tag keys/values assigned for easy categorization
  - View, create, edit, and delete tags with [Tag management]
  - Only one value can be assigned to each tag key
  - When adding a tag value to a previously registered tag key, the tag is updated with the newly entered value
See the [Policy] and [Role application target] tabs at the bottom of the details page.
- Policy: you can assign or withdraw a policy to and from a sub account.
- Role application target: depending on the role type, you can set the targets to which the role applies.
Set role details
To set a role, follow these steps:
In the NAVER Cloud Platform console, click Services > Management & Governance > Sub Account > Roles in order.
Click the role name.
See the [Policy] and [Role application target] tabs at the bottom of the Role details page.
- Policy: you can assign or withdraw a policy to and from a sub account.
- Click the [Add all permissions] button to grant permission to perform all actions.
- Role application target: depending on the role type, you can set the targets to which the role applies.
- Server Role: you can specify the server resource to which the role is assigned. Only one role can be assigned per Server resource. When the Specify Server resource window appears, specify the resource and click the [Apply] button.
- Account Role: you can specify the main account to which the role is assigned. If you want to specify a main account other than your own, you must authenticate the account by entering the account name and login ID.
- Single Sign-On Role: during Assignment configuration in Ncloud Single Sign-On, you can view the Assignment information of Ncloud Single Sign-On as the role application target.
- Service Role: you can specify the server resource to which the role is assigned.
Note:
- The main account set as the application target for the Account Role must assign the switchRole policy to the sub account so that the sub account can switch roles with the Account Role. For how to assign the switchRole policy, see Assign switchRole policy.
- Single Sign-On Role policy can be set from Ncloud Single Sign-On.
Edit role information
To edit the role name and description, follow these steps:
- In the NAVER Cloud Platform console, click Services > Management & Governance > Sub Account > Roles in order.
- Click the role name.
- Click the [Edit] button from the role details page.
- You can edit the name and description of the role.
- If the role type is Account, you can also edit the valid session expiration time.
- You cannot edit the role type.
- Click the [Edit] button when you are done editing the role.
Detailed information of Single Sign-On Role can be edited from Ncloud Single Sign-On.
Delete role
To delete a role, follow these steps:
- In the NAVER Cloud Platform console, click Services > Management & Governance > Sub Account > Roles in order.
- Click the checkbox of the role you want to delete in the role list.
- Click [Delete].
- Click the [Delete] button once the delete window appears.
- Single Sign-On Role must be deleted in Ncloud Single Sign-On.
- The service application using a role may be suspended when deleting the Service Role, so delete the service role after canceling the role from the service.
Disable role
The disable role feature suspends a role, making it unavailable for use. To deactivate a role, follow these steps:
- In the NAVER Cloud Platform console, click Services > Management & Governance > Sub Account > Roles in order.
- Click the role name.
- Click the [Disable] button from the role details page.
- Click the [Disable] button when the deactivate window appears.
- The deactivated roles show their Status as Suspended.
- When a Server Role is disabled, the access key is also invalidated.
- When an Account Role is disabled, any sub account that has switched to the role is automatically logged out, and its Secure Token Service (STS) credentials also expire.
- Single Sign-On Role must be disabled in Ncloud Single Sign-On.
- When disabling the Service Role, the application service applying the role may be suspended.
Role switching
Role switching is only available for sub accounts. To switch roles, follow these steps:
- Click the username in the top right of NAVER Cloud Platform console.
- Click [Switch role].
- In the role switching popup, select the role you wish to switch.
- Account role: in the role list, set the role switch status of the role you will use to ON.
- You need to enter account role NRN information when registering for the first time, so request account role information from the main account.
- Single Sign-On role: under the Single Sign-On Role tab, click the [Switch role] button and select the role you wish to switch.
While in the role switch state, you cannot register, edit, or delete roles. If necessary, click the [Return to sub account] button to return to the sub account, from which roles can be registered, edited, and deleted.
Assign switchRole policy
To enable a sub account to switch to a role that is assigned as the application target of the Account Role, the switchRole policy must be assigned to the sub account.
To assign the switchRole policy to a sub account, follow these steps:
- In the NAVER Cloud Platform console, click Services > Management & Governance > Sub Account > Policies in order.
- Click [Create policy].
- Create a policy by entering the following in Set application targets:
- Service: Sub Account
- Action name: Change/switchRole
- Resource: select whether to specify a resource > click [Select resource] > select the assigned Account Role resource to apply
- If you have been assigned an Account Role in another main account, you can apply the role to resources by clicking the [Register other account resource] button, which authenticates the Account Role NRN.
- In the NAVER Cloud Platform console, click Services > Management & Governance > Sub Account > Sub Accounts in order.
- Click the login ID of the sub account that you want to use for role switching.
- Click the Policy tab on the [Sub account details] page, and then click the [Add] button.
- Add the user-defined policy that you have created.
- Confirm if the policy has been added successfully.