Managing policies and roles

    Available in Classic and VPC

    This section describes how to create and manage policies and roles.

    Policy management

    A policy is a set of permissions that sub account users can work with. You can assign policies to sub accounts or groups, and sub accounts have varying permissions on portals and consoles depending on the policies assigned.
    The following are the types of policies:

    • System-managed policy: role-based policies defined by NAVER Cloud Platform for user convenience. These are policies provided with predefined Change/View permissions of the service, and can't be edited or deleted by the user.
    • User-defined policy: policies that users may create.

    Create user-defined policy

    You can create a policy by combining various detailed actions for each service. For example, you can create a sub account with limited access to perform only "view Server list" and "stop specific server" permissions, and assign it to an administrator. Not all services provide detailed action features, and the detailed actions provided for each service are different, so see the managing permissions page of each service for detailed descriptions.
    To create your own user-defined policy, follow these steps:

    1. Click Services > Management & Governance > Sub Account > Policies on the NAVER Cloud Platform console in order.

    2. Click the [Create policy] button.

    3. In policy information, enter the name and description for the policy you want to create.

      • You can only enter letters, numbers, and special characters (., -, _) in a policy name, and the first character must be a letter.
    4. After selecting the platform in the policy application targets area, select the service to which you wish to apply the policy.

      • When selecting a service, the types of action provided by that service are displayed.
      • The unit of action varies by service, so see the Managing permissions guide for each service for descriptions of each service’s action.
    5. After selecting the action name to apply, click the [Add application targets] button.

      • Permission to view: permissions to use only the viewing features of the corresponding service. Click the [Expand] button to select detailed permissions.
      • Permission to edit: permissions to use features such as creating, editing, and deleting in the corresponding service. Click the [Expand] button to select detailed permissions.
      Note

      When selecting an action, other actions associated with that action are automatically selected, so you can create policies even if you do not know the relationship between each action. It is possible to deselect the automatically selected associated actions, but if an associated action is deleted, it may cause problems when using sub accounts. For example, when selecting permission to view detailed server information, permission to view the server list is automatically selected, but if you forcibly deselect permission to view the server list, you cannot view the detailed information of the server.

    6. Check if the policy has been added to the application target list.

      • When selecting a service, permission to access the service (ProductAccess Action) is automatically added in the console.
    7. Click the [Create] button.

    Note

    You can create up to 500 policies.
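
The naming rule in step 3 and the associated-action note in step 5 can be checked on a draft policy before it is created. The following is an added example, not NAVER Cloud Platform code: the action names, the association map, and the `ProductAccess` string are constructed placeholders, and treating "letters" as ASCII letters is an assumption.

```python
import re

# Policy name rule from step 3: letters, numbers, ".", "-", "_"; first character a letter.
# ASCII letters are an assumption; the page only says "letters".
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9._-]*")

# Constructed action names and relationships for illustration only; the real
# action names and associations are listed in each service's permissions guide.
ASSOCIATED = {
    "View/serverDetail": {"View/serverList"},
    "Change/stopServer": {"View/serverDetail"},
    "View/serverList": set(),
}
PRODUCT_ACCESS = "ProductAccess"  # placeholder for the access action the console adds


def closure(actions):
    """Return the actions plus everything they depend on, transitively."""
    seen, stack = set(), list(actions)
    while stack:
        action = stack.pop()
        if action in seen:
            continue
        seen.add(action)
        stack.extend(ASSOCIATED.get(action, ()))
    return seen


def lint_policy(name, actions):
    """List problems in a draft policy: bad name, missing access or associated actions."""
    problems = []
    if not NAME_RE.fullmatch(name):
        problems.append(f"invalid policy name: {name!r}")
    selected = set(actions)
    if PRODUCT_ACCESS not in selected:
        problems.append(f"missing {PRODUCT_ACCESS}")
    chosen = selected - {PRODUCT_ACCESS}
    for missing in sorted(closure(chosen) - selected):
        needed_by = sorted(a for a in chosen if missing in closure({a}))
        problems.append(f"missing {missing} (needed by {', '.join(needed_by)})")
    return problems


if __name__ == "__main__":
    # The page's example: detail view kept, list view forcibly deselected.
    for line in lint_policy("ops-readonly", ["ProductAccess", "View/serverDetail"]):
        print(line)
```
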

    View policy details

    To view a policy's details, follow these steps:

    1. Click Services > Management & Governance > Sub Account > Policies on the NAVER Cloud Platform console in order.
    2. Enter the policy in the search area in the top right corner of the page, or select the product associated with the policy.
    3. Click the policy name in the policy list.
    4. You can check the policy details.
      • Policy information: you can view the policy settings information (policy name, policy description, NRN, creation date and time, editing date and time, etc.).
      • Application target: you can review the permission information applied to the policy.
      • Allocated resource: you can check the resource information (Sub Account, Group, and Role) where the policy is allocated, and you can cancel the policy allocation through the [Unsubscribe] button.

    Edit policies

    To edit a policy, follow these steps:

    1. Click Services > Management & Governance > Sub Account > Policies on the NAVER Cloud Platform console in order.
    2. Click the policy name in the policy list.
    3. Click the [Edit] button from the policy details page.
    4. Edit the policy information, and then click the [Edit] button.

    Delete policies

    To delete a policy, follow these steps:

    1. Click Services > Management & Governance > Sub Account > Policies on the NAVER Cloud Platform console in order.
    2. Click the policy name in the policy list.
    3. Click the [Delete] button when the policy details page appears.
    4. Click the [Delete] button once the delete window appears.
    Note

    If there are resources where the policy is allocated, the policy cannot be deleted. After unsubscribing the policy allocation on the policy details page, the policy can be deleted.

    Manage role

    A role is a temporary credential configured with policies. Unlike policies, which are permanent credentials that can only be assigned to sub accounts, roles can also assign permissions to resources themselves, such as Servers, in addition to accounts.

    The following are the role types:

    • Server Role: a Server Role can only be assigned to VPC-based Server resources. On Servers assigned with roles, you can access services and resources within NAVER Cloud Platform without storing separate Access Keys for credentials.
    • Account Role: an Account Role can assign sub accounts the permission to access the main account's portal/console. Sub accounts with assigned roles can access resources of the target account through role switching.
    • Single Sign-On Role: a Single Sign-On Role allows for the assignment of accessible permissions to the portal/console for External IdP users of Ncloud Single Sign-On.
    • Service Role: a Service Role can assign the targeted service the permission to access another service resource.
    Note

    By using Server Roles, you can avoid the risk of leaking Access Keys that would otherwise need to be stored on the Server, and you can omit the deployment tasks for periodically changing the Key.

    Create role

    To create a role, follow these steps:

    1. Click Services > Management & Governance > Sub Account > Roles on the NAVER Cloud Platform console in order.
    2. Click the [Create role] button.
    3. When the role information page appears, enter the name, type, and description of the role you want to create.
      • If the role type is Account, also enter the expiration time for unused sessions.
    4. Click the [Create] button.
    Note

    Single Sign-On Role can be created from Ncloud Single Sign-On.

    Set role details

    To set a role, follow these steps:

    1. Click Services > Management & Governance > Sub Account > Roles on the NAVER Cloud Platform console in order.

    2. Click the role name.

    3. See the [Policy] and [Role application target] tabs at the bottom of the Role details page.

      • Policy: you can assign or withdraw a policy to and from a sub account.
        • Click the [Add all permissions] button to grant permission to perform all actions.
      • Role application target: depending on the role type, you can set the targets to which the role applies.
        • Server Role: you can specify the server resource to which the role is assigned. Only one role can be assigned per Server resource. When the specify Server resource window appears, specify the resource and click the [Apply] button.
        • Account Role: you can specify the main account to which the role is assigned. If you want to specify a main account other than your own, you must authenticate the account by entering the account name and login ID.
        • Single Sign-On Role: during Assignment configuration in Ncloud Single Sign-On, you can view the Assignment information of Ncloud Single Sign-On as the role application target.
        • Service Role: you can specify the server resource to which the role is assigned. Currently, the role can be assigned to Data Flow only; the available targets will be expanded in the future.
      Note
      • The main account set as the application target for the Account Role must assign the switchRole policy to the sub account so that the sub account can switch roles with the Account Role. For how to assign the switchRole policy, see Assign switchRole policy.
      • Single Sign-On Role policy can be set from Ncloud Single Sign-On.

    Edit role information

    To edit the role name and description, follow these steps:

    1. Click Services > Management & Governance > Sub Account > Roles on the NAVER Cloud Platform console in order.
    2. Click the role name.
    3. Click the [Edit] button from the role details page.
      • You can edit the name and description of the role.
        • If the role type is Account, you can also edit the valid session expiration time.
      • You cannot edit the role type.
    4. Click the [Edit] button when you are done editing the role.
    Note

    Detailed information of Single Sign-On Role can be edited from Ncloud Single Sign-On.

    Delete role

    To delete a role, follow these steps:

    1. Click Services > Management & Governance > Sub Account > Roles on the NAVER Cloud Platform console in order.
    2. Click the checkbox of the role you want to delete in the role list.
    3. Click the [Delete] button.
    4. Click the [Delete] button once the delete window appears.
    Note
    • Single Sign-On Role must be deleted in Ncloud Single Sign-On.
    • The service application using a role may be suspended when deleting the Service Role, so delete the service role after canceling the role from the service.

    Deactivate role

    The deactivate role feature suspends a role, making it unavailable for use. To deactivate a role, follow these steps:

    1. Click Services > Management & Governance > Sub Account > Roles on the NAVER Cloud Platform console in order.
    2. Click the role name.
    3. Click the [Deactivate] button from the role details page.
    4. Click the [Deactivate] button when the deactivate window appears.
      • The deactivated roles show their status as Suspended.
    Note
    • When a Server Role is deactivated, the access key is also invalidated.
    • When an Account Role is deactivated, the sub account that has switched to the role is automatically logged out, and the Secure Token Service (STS) also expires.
    • Single Sign-On Role must be disabled in Ncloud Single Sign-On.
    • When disabling the Service Role, the application service applying the role may be suspended.

    Role switching

    Role switching is only available for sub accounts. To switch roles, follow these steps:

    1. Click the username in the top right of the NAVER Cloud Platform console.
    2. Click the [Switch role] button.
    3. In the role switching popup, select the role you wish to switch.
      • Account role: in the role list, set the role switch status of the role you will use to ON.
        • You need to enter account role NRN information when registering for the first time, so request account role information from the main account.
      • Single Sign-On role: under the Single Sign-On Role tab, click the [Switch role] button and select the role you wish to switch.
    Note

    While in the role switch state, you cannot register, edit, or delete roles. If necessary, click the [Return to sub account] button to register, edit, and delete roles in the sub account status.

    Assign switchRole policy

    To enable a sub account to switch to a role that is assigned as the application target of the Account Role, the switchRole policy must be assigned to the sub account.

    To assign the switchRole policy to a sub account, follow these steps:

    1. Click Services > Management & Governance > Sub Account > Policies on the NAVER Cloud Platform console in order.
    2. Click the [Create policy] button.
    3. Create a policy by entering the set application targets.
      • Service: Sub Account
      • Action name: Change/switchRole
      • Resource: select whether to specify a resource > click [Select resource] > select the assigned Account Role resource to apply
        • If you have been assigned an Account Role in another main account, you can apply the role to resources by clicking the [Register other account resource] button, thus authenticating the Account Role NRN.
    4. Click Services > Management & Governance > Sub Account > Sub Accounts on the NAVER Cloud Platform console in order.
    5. Click the login ID of the sub account that you want to use for role switching.
    6. Click the policy tab on the [Sub account details] page, and then click the [Add] button.
    7. Add the user-defined policy that you have created.
    8. Confirm if the policy has been added successfully.
