Available in Classic and VPC
By using Sub Account, NAVER Cloud Platform's account management service, you can set various access permissions for Sub Account. Sub Account offers both system-managed (System Managed) and user-defined (User Created) policies to help you configure management and operation permissions.
Sub Account is a free service with no additional charges. For more information about Sub Account, see Services > Management & Governance > Sub Account on the NAVER Cloud Platform portal and the Sub Account user guide.
System-managed policies
System-managed policies are pre-built, role-based policies that NAVER Cloud Platform provides for your convenience. Once a system-managed policy is granted to a sub account created in Sub Account, that sub account can use it. The following is a brief description of the system-managed policies of Sub Account.
| Policy name | Policy description |
|---|---|
| NCP_ADMINISTRATOR | Full access to all services, same as the main account |
| NCP_INFRA_MANAGER | Access to all services, except My Account > Billing and Cost Management > Billing and Payments in the console |
| NCP_FINANCE_MANAGER | Access only to Cost Explorer and My Account > Billing and Cost Management > Billing and Payments in the console |
| NCP_SUB_ACCOUNT_MANAGER | Permission to use the full Sub Account feature sets including External Access |
| NCP_SUB_ACCOUNT_VIEWER | Permission to only use the view list and view feature in Sub Account |
| NCP_EXTERNAL_ACCESS_MANAGER | Permission to use all the features in External Access |
| NCP_EXTERNAL_ACCESS_VIEWER | Permission to only use the view list and search function in External Access |
User-defined policies
User-defined policies let you create custom permissions. When you assign a user-defined policy to a sub account, that account can only perform the specific actions you've allowed. Here are the available user-defined policies for Sub Account:
Sub Account
| Type | Action | Related action | Resource type | Group by resource type | Action description | Applicable condition keys |
|---|---|---|---|---|---|---|
| View | View/getResourceCount | - | - | Dashboard | Check Sub Account resource information | - All Principal properties condition keys |
| View | View/getSubAccountList | - | - | SubAccount | Check sub account list. | - All Principal properties condition keys |
| View | View/getSubAccountDetail | View/getSubAccountList | SubAccount | SubAccount | Check sub account details | - All Principal properties condition keys - ncp: resourceTag |
| View | View/getSubAccountAccessKey | View/getSubAccountDetail View/getSubAccountList | SubAccount | SubAccount | View sub account's Access Key | - All Principal properties condition keys - ncp: resourceTag |
| View | View/getGroupList | - | - | Group | View group list | - All Principal properties condition keys |
| View | View/getGroupDetail | View/getGroupList | Group | Group | Viewing Group Details | - All Principal properties condition keys - ncp: resourceTag |
| View | View/getPolicyList | - | - | Policy | View policy list created by user | - All Principal properties condition keys |
| View | View/getPolicyDetail | View/getPolicyList | Policy | Policy | View details of policy created by user | - All Principal properties condition keys - ncp: resourceTag |
| View | View/validatePolicy | - | - | Policy | View policy validity | - All Principal properties condition keys |
| View | View/getRoleList | - | - | Role | View role list | - All Principal properties condition keys |
| View | View/getRoleDetail | View/getRoleList | Role | Role | View role details | - All Principal properties condition keys - ncp: resourceTag |
| View | View/getServerInstanceList | - | - | Role | View server resource list to be granted a role | - All Principal properties condition keys |
| View | View/getServerInstanceDetail | View/getServerInstanceList | VPCServer:Server | Role | View Server resource details to assign roles | - All Principal properties condition keys - ncp: resourceTag |
| View | View/getStsSessionToken | - | - | STS | Create STS token and view created STS token information | - All Principal properties condition keys |
| Change | Change/manageLoginPageSetting | - | - | Dashboard | Manage access page settings | - All Principal properties condition keys |
| Change | Change/managePasswordSetting | - | - | Dashboard | Manage password settings | - All Principal properties condition keys |
| Change | Change/manageSessionSetting | - | - | Dashboard | Manage session expiration settings | - All Principal properties condition keys |
| Change | Change/createSubAccount | View/getSubAccountList | - | SubAccount | Create sub account | - All Principal properties condition keys - ncp: resourceTag - ncp: requestTag |
| Change | Change/updateSubAccount | View/getSubAccountDetail View/getSubAccountList | SubAccount | SubAccount | Edit sub account | - All Principal properties condition keys - ncp: resourceTag |
| Change | Change/deleteSubAccount | View/getSubAccountDetail View/getSubAccountList | SubAccount | SubAccount | Delete sub account | - All Principal properties condition keys - ncp: resourceTag |
| Change | Change/suspendSubAccount | View/getSubAccountDetail View/getSubAccountList | SubAccount | SubAccount | Temporarily suspend and disconnect sub account | - All Principal properties condition keys - ncp: resourceTag |
| Change | Change/resetSubAccountPassword | View/getSubAccountDetail View/getSubAccountList | SubAccount | SubAccount | Initialize sub account password | - All Principal properties condition keys - ncp: resourceTag |
| Change | Change/addPolicyToSubAccount | View/getSubAccountDetail View/getSubAccountList View/getPolicyList View/getPolicyDetail | SubAccount | SubAccount | Assign policy to sub account | - All Principal properties condition keys - ncp: resourceTag |
| Change | Change/removePolicyFromSubAccount | View/getSubAccountDetail View/getSubAccountList | SubAccount | SubAccount | Delete policy from sub account | - All Principal properties condition keys - ncp: resourceTag |
| Change | Change/createSubAccountAccessKey | View/getSubAccountDetail View/getSubAccountList View/getSubAccountAccessKey | SubAccount | SubAccount | Create sub account's Access Key | - All Principal properties condition keys |
| Change | Change/deleteSubAccountAccessKey | View/getSubAccountDetail View/getSubAccountList View/getSubAccountAccessKey | SubAccount | SubAccount | Delete sub account's Access Key | - All Principal properties condition keys - ncp: resourceTag |
| Change | Change/manageSubAccountAccessKeyState | View/getSubAccountDetail View/getSubAccountList View/getSubAccountAccessKey | SubAccount | SubAccount | Manage sub account access key status | - All Principal properties condition keys - ncp: resourceTag |
| Change | Change/manageSubAccountAllowSourceSetting | View/getSubAccountDetail View/getSubAccountList | SubAccount | SubAccount | View and edit the source IP or VPC Server that can access the console or API | - All Principal properties condition keys - ncp: resourceTag |
| Change | Change/resetSubAccountMFA | getSubAccountList getSubAccountDetail | SubAccount | SubAccount | Initialize sub account's two-factor authentication settings | - All Principal properties condition keys - ncp: resourceTag |
| Change | Change/addSubAccountToGroup | View/getGroupList View/getSubAccountDetail View/getSubAccountList View/getGroupDetail | Group SubAccount | Group SubAccount | Add sub accounts to group | - All Principal properties condition keys - ncp: resourceTag |
| Change | Change/removeSubAccountFromGroup | View/getGroupList View/getSubAccountDetail View/getSubAccountList View/getGroupDetail | Group SubAccount | Group SubAccount | Delete sub account from group | - All Principal properties condition keys - ncp: resourceTag |
| Change | Change/addPolicyToGroup | View/getGroupList View/getPolicyList View/getPolicyDetail View/getGroupDetail | Group | Group | Assign policy to group | - All Principal properties condition keys - ncp: resourceTag |
| Change | Change/removePolicyFromGroup | View/getGroupList View/getGroupDetail | Group | Group | Delete policy from group | - All Principal properties condition keys - ncp: resourceTag |
| Change | Change/createGroup | View/getGroupList | - | Group | Creating Groups | - All Principal properties condition keys - ncp: resourceTag - ncp: requestTag |
| Change | Change/updateGroup | View/getGroupList View/getGroupDetail | Group | Group | Edit group information | - All Principal properties condition keys - ncp: resourceTag |
| Change | Change/deleteGroup | View/getGroupList View/getGroupDetail | Group | Group | Deleting Groups | - All Principal properties condition keys - ncp: resourceTag |
| Change | Change/createPolicy | View/getPolicyList | - | Policy | Create new policy | - All Principal properties condition keys - ncp: resourceTag - ncp: requestTag |
| Change | Change/updatePolicy | View/getPolicyList View/getPolicyDetail | Policy | Policy | Change policy created by user | - All Principal properties condition keys - ncp: resourceTag |
| Change | Change/deletePolicy | View/getPolicyList View/getPolicyDetail | Policy | Policy | Delete policy created by user | - All Principal properties condition keys - ncp: resourceTag |
| Change | Change/createRole | View/getRoleList | - | Role | Creating Roles | - All Principal properties condition keys - ncp: resourceTag - ncp: requestTag |
| Change | Change/updateRole | View/getRoleDetail View/getRoleList | Role | Role | Edit role | - All Principal properties condition keys - ncp: resourceTag |
| Change | Change/deleteRole | View/getRoleDetail View/getRoleList | Role | Role | Deleting Roles | - All Principal properties condition keys - ncp: resourceTag |
| Change | Change/addPolicyToRole | View/getPolicyList View/getRoleDetail View/getRoleList View/getPolicyDetail | Role | Role | Assign policy to role | - All Principal properties condition keys - ncp: resourceTag |
| Change | Change/removePolicyFromRole | View/getRoleDetail View/getRoleList | Role | Role | Delete policy from role | - All Principal properties condition keys - ncp: resourceTag |
| Change | Change/attachRoleToServer | View/getRoleDetail View/getServerInstanceList View/getRoleList View/getServerInstanceDetail | Role | Role | Assign role to server resource | - All Principal properties condition keys - ncp: resourceTag |
| Change | Change/detachRoleFromServer | View/getRoleDetail View/getRoleList | Role | Role | Remove roles from server resource | - All Principal properties condition keys - ncp: resourceTag |
| Change | Change/suspendRole | View/getRoleDetail View/getRoleList | Role | Role | Suspend and release roles | - All Principal properties condition keys - ncp: resourceTag |
| Change | Change/attachRoleToAccount | View/getRoleDetail View/getRoleList | Role | Role | Set target accounts in account role | - All Principal properties condition keys - ncp: resourceTag |
| Change | Change/detachRoleFromAccount | View/getRoleDetail View/getRoleList | Role | Role | Delete target accounts in account role | - All Principal properties condition keys - ncp: resourceTag |
| Change | Change/switchRole | - | Role | Role | Switch permissions to the assigned account role | - All Principal properties condition keys - ncp: resourceTag |
| Change | Change/tagSubAccount | View/getSubAccountList View/getSubAccountDetail | SubAccount | SubAccount | Assign tag to sub account | - All Principal properties condition keys - ncp: resourceTag - ncp: requestTag |
| Change | Change/untagSubAccount | View/getSubAccountList View/getSubAccountDetail | SubAccount | SubAccount | Delete tag from sub account | - All Principal properties condition keys - ncp: resourceTag - ncp: requestTag |
| Change | Change/tagGroup | View/getGroupList View/getGroupDetail | Group | Group | Assign tag to group | - All Principal properties condition keys - ncp: resourceTag - ncp: requestTag |
| Change | Change/untagGroup | View/getGroupList View/getGroupDetail | Group | Group | Delete tag from group | - All Principal properties condition keys - ncp: resourceTag - ncp: requestTag |
| Change | Change/tagPolicy | View/getPolicyList View/getPolicyDetail | Policy | Policy | Assign tag to policy | - All Principal properties condition keys - ncp: resourceTag - ncp: requestTag |
| Change | Change/untagPolicy | View/getPolicyList View/getPolicyDetail | Policy | Policy | Delete tag from policy | - All Principal properties condition keys - ncp: resourceTag - ncp: requestTag |
| Change | Change/tagRole | View/getRoleList View/getRoleDetail | Role | Role | Assign tag to role | - All Principal properties condition keys - ncp: resourceTag - ncp: requestTag |
| Change | Change/untagRole | View/getRoleList getRoleDetail | Role | Role | Delete tag from role | - All Principal properties condition keys - ncp: resourceTag - ncp: requestTag |
| Change | Change/manageLongtermUnusedDeactiveSetting | - | - | Dashboard | Manage the ability to disable long-term inactive sub account | - All principal properties condition keys |
External Access
| Type | Action | Related action | Resource type | Group by resource type | Action description | Available condition keys |
|---|---|---|---|---|---|---|
| Change | Change/createTrustAnchor | getCAList getCADetail | \- | TrustAnchor | Create TrustAnchor | - All Principal properties condition keys |
| Change | Change/createProfile | getRoleList getRoleDetail | \- | Profile | Create Profile | - All Principal properties condition keys |
| Change | Change/deleteTrustAnchor | getTrustAnchorList getTrustAnchorDetail | TrustAnchor | TrustAnchor | Delete TrustAnchor | - All Principal properties condition keys |
| Change | Change/disableTrustAnchor | getTrustAnchorList getTrustAnchorDetail | TrustAnchor | TrustAnchor | Disable TrustAnchor | - All Principal properties condition keys |
| Change | Change/enableTrustAnchor | getTrustAnchorList getTrustAnchorDetail | TrustAnchor | TrustAnchor | Enable TrustAnchor | - All Principal properties condition keys |
| View | View/getTrustAnchorList | \- | \- | TrustAnchor | View list of TrustAnchor | - All Principal properties condition keys |
| View | View/getTrustAnchorDetail | getTrustAnchorList | TrustAnchor | TrustAnchor | View TrustAnchor details | - All Principal properties condition keys |
| Change | Change/updateTrustAnchor | getTrustAnchorList getTrustAnchorDetail getCAList getCADetail | TrustAnchor | TrustAnchor | Edit TrustAnchor | - All Principal properties condition keys |
| Change | Change/deleteProfile | getProfileList getProfileDetail | Profile | Profile | Delete Profile | - All Principal properties condition keys |
| Change | Change/disableProfile | getProfileList getProfileDetail | Profile | Profile | Disable Profile | - All Principal properties condition keys |
| Change | Change/enableProfile | getProfileList getProfileDetail | Profile | Profile | Enable Profile | - All Principal properties condition keys |
| View | View/getProfileList | \- | \- | Profile | View list of Profile | - All Principal properties condition keys |
| View | View/getProfileDetail | getProfileList | Profile | Profile | View Profile details | - All Principal properties condition keys |
| Change | Change/updateProfile | getProfileList getProfileDetail getRoleList getRoleDetail | Profile | Profile | Edit Profile | - All Principal properties condition keys |
| View | View/getSubjectList | \- | \- | Subject | View SubjectActivity list | - All Principal properties condition keys |
| View | View/getSubjectDetail | getSubjectList | Subject | Subject | View SubjectActivity details | - All Principal properties condition keys |
| View | View/getCAList | \- | \- | TrustAnchor | View CA list | - All Principal properties condition keys |
| View | View/getCADetail | getCAList | Private CA:CA | TrustAnchor | View CA details | - All Principal properties condition keys |
| View | View/getRoleList | \- | \- | Profile | View role list | - All Principal properties condition keys |
| View | View/getRoleDetail | getRoleList | Sub Account:Role | Profile | View role details | - All Principal properties condition keys |
| Change | Change/importCrl | getTrustAnchorDetail | Crl | Crl | Import Crl | - All Principal properties condition keys |
| Change | Change/deleteCrl | getTrustAnchorDetail getCrlDetail getCrlList | Crl | Crl | Delete Crl | - All Principal properties condition keys |
| Change | Change/disbleCrl | getTrustAnchorDetail getCrlDetail | Crl | Crl | Disable Crl | - All Principal properties condition keys |
| Change | Change/enableCrl | getTrustAnchorDetail getCrlDetail | Crl | Crl | Enable Crl | - All Principal properties condition keys |
| View | View/getCrlDetail | getTrustAnchorDetail getCrlList | Crl | Crl | View Crl details | - All Principal properties condition keys |
| View | View/getCrlList | getTrustAnchorDetail | Crl | Crl | View Crl list | - All Principal properties condition keys |
Even when you are granted permission for a specific action, you cannot perform the task properly unless you also have the required permissions for its related actions. Sub Account automatically includes these related permissions to prevent this issue. Use caution when adjusting permissions: the system assumes that any manual removal of automatically assigned permissions is intentional and will not re-assign them.
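Because manually removed related permissions are not re-assigned, it is worth auditing a user-defined policy's action list for gaps before assigning it. The following is an added example, not NAVER Cloud Platform code: `RELATED` is a subset of the "Related action" column copied from the Sub Account table above, the function names are hypothetical, and the input is assumed to be a plain set of action names rather than any NCP policy document format.

```python
# Subset of the "Related action" column from the Sub Account table on this page.
RELATED = {
    "View/getSubAccountList": [],
    "View/getSubAccountDetail": ["View/getSubAccountList"],
    "View/getSubAccountAccessKey": ["View/getSubAccountDetail", "View/getSubAccountList"],
    "View/getPolicyList": [],
    "View/getPolicyDetail": ["View/getPolicyList"],
    "Change/createSubAccount": ["View/getSubAccountList"],
    "Change/addPolicyToSubAccount": [
        "View/getSubAccountDetail", "View/getSubAccountList",
        "View/getPolicyList", "View/getPolicyDetail",
    ],
    "Change/createSubAccountAccessKey": [
        "View/getSubAccountDetail", "View/getSubAccountList",
        "View/getSubAccountAccessKey",
    ],
}


def required_closure(action, table=RELATED):
    """Return every action reachable through 'Related action' links."""
    seen, stack = set(), list(table.get(action, []))
    while stack:
        dep = stack.pop()
        if dep not in seen:
            seen.add(dep)
            stack.extend(table.get(dep, []))
    return seen


def audit_grants(granted, table=RELATED):
    """Return (missing, unknown) for a set of granted action names.

    missing: {action: sorted related actions that are not granted}
    unknown: sorted actions absent from the table, which cannot be checked
    """
    granted = set(granted)
    unknown = sorted(a for a in granted if a not in table)
    missing = {}
    for action in sorted(granted - set(unknown)):
        gap = sorted(required_closure(action, table) - granted)
        if gap:
            missing[action] = gap
    return missing, unknown


if __name__ == "__main__":
    # Constructed sample: View/getPolicyDetail was removed by hand.
    sample = {"Change/addPolicyToSubAccount", "View/getSubAccountList",
              "View/getSubAccountDetail", "View/getPolicyList"}
    missing, unknown = audit_grants(sample)
    for action, gap in missing.items():
        print(f"{action} is granted without: {', '.join(gap)}")
```
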