- Print
- PDF
Managing Sub Account permissions
- Print
- PDF
Available in Classic and VPC
By using Sub Account, NAVER Cloud Platform's account management service, you can set various access permissions for Sub Account. Sub Account provides System-Managed policies and User-Created policies for setting management and administration permissions.
Sub Account is a service provided free of charge upon subscription request. For more details about Sub Account, see the Services > Management & Governance > Sub Account menu in the NAVER Cloud Platform portal, and Sub Account Guide.
System-managed policies
System-managed policies are role-based policies defined by the NAVER Cloud Platform for user convenience. Once System-managed policies are granted to a sub account created in Sub Account, that sub account can use Sub Account. The following is a brief description of the system-managed policies of Sub Account.
Policy name | Description |
---|---|
NCP_ADMINISTRATOR | Permission to access the portal and console in NAVER Cloud Platform in the same manner as main accounts |
NCP_FINANCE_MANAGER | Permission to view the Manage usage and Manage payment method, and Solution usage status menu on the portal's My Page |
NCP_SUB_ACCOUNT_MANAGER | Permission to use all features of Sub Account |
NCP_SUB_ACCOUNT_VIEWER | Permission to only use the View list and Search features in Sub Account |
User-created policies
User-created policies are policies that users may create. Once User-created policies are granted to a sub account created in Sub Account, that sub account can only use the user-assigned action combinations. The following is a brief description of the user-created policies of Sub Account.
Division | Action name | Related action(s) | Resource type | Group by resource type | Action description |
---|---|---|---|---|---|
View | View/getResourceCount | - | - | Dashboard | View sub account resource information |
View | View/getSubAccountList | - | - | SubAccount | View sub account list |
View | View/getSubAccountDetail | View/getSubAccountList | SubAccount | SubAccount | View sub account details |
View | View/getSubAccountAccessKey | View/getSubAccountDetail View/getSubAccountList | SubAccount | SubAccount | View sub account's access key |
View | View/getGroupList | - | - | Group | View group list |
View | View/getGroupDetail | View/getGroupList | Group | Group | View group details |
View | View/getPolicyList | - | - | Policy | View policy list created by user |
View | View/getPolicyDetail | View/getPolicyList | Policy | Policy | View details of policy created by user |
View | View/validatePolicy | - | - | Policy | View policy validity |
View | View/getRoleList | - | - | Role | View role list |
View | View/getRoleDetail | View/getRoleList | Role | Role | View role details |
View | View/getServerInstanceList | - | - | Role | View server resource list to be granted a role |
View | View/getServerInstanceDetail | View/getServerInstanceList | VPCServer:Server | Role | View server resource details to assign roles |
View | View/getStsSessionToken | - | - | STS | Create STS token and view created STS token information |
Change | Change/manageLoginPageSetting | - | - | Dashboard | Manage access page settings |
Change | Change/managePasswordSetting | - | - | Dashboard | Manage password settings |
Change | Change/manageSessionSetting | - | - | Dashboard | Manage session expiration settings |
Change | Change/createSubAccount | View/getSubAccountList | - | SubAccount | Create sub account |
Change | Change/updateSubAccount | View/getSubAccountDetail View/getSubAccountList | SubAccount | SubAccount | Edit sub account |
Change | Change/deleteSubAccount | View/getSubAccountDetail View/getSubAccountList | SubAccount | SubAccount | Delete sub account |
Change | Change/suspendSubAccount | View/getSubAccountDetail View/getSubAccountList | SubAccount | SubAccount | Temporarily suspend and disconnect sub account |
Change | Change/resetSubAccountPassword | View/getSubAccountDetail View/getSubAccountList | SubAccount | SubAccount | Reset sub account password |
Change | Change/addPolicyToSubAccount | View/getSubAccountDetail View/getSubAccountList View/getPolicyList View/getPolicyDetail | SubAccount | SubAccount | Assign policy to sub account |
Change | Change/removePolicyFromSubAccount | View/getSubAccountDetail View/getSubAccountList | SubAccount | SubAccount | Delete policy from sub account |
Change | Change/createSubAccountAccessKey | View/getSubAccountDetail View/getSubAccountList View/getSubAccountAccessKey | SubAccount | SubAccount | Create sub account's access key |
Change | Change/deleteSubAccountAccessKey | View/getSubAccountDetail View/getSubAccountList View/getSubAccountAccessKey | SubAccount | SubAccount | Delete sub account's access key |
Change | Change/manageSubAccountAccessKeyState | View/getSubAccountDetail View/getSubAccountList View/getSubAccountAccessKey | SubAccount | SubAccount | Manage sub account key status |
Change | Change/manageSubAccountAllowSourceSetting | View/getSubAccountDetail View/getSubAccountList | SubAccount | SubAccount | View and edit the source IP or VPC server that can access the console or API |
Change | Change/resetSubAccountMFA | getSubAccountList getSubAccountDetail | SubAccount | SubAccount | Reset sub account's two-factor authentication settings |
Change | Change/addSubAccountToGroup | View/getGroupList View/getSubAccountDetail View/getSubAccountList View/getGroupDetail | Group SubAccount | Group SubAccount | Add sub accounts to group |
Change | Change/removeSubAccountFromGroup | View/getGroupList View/getSubAccountDetail View/getSubAccountList View/getGroupDetail | Group SubAccount | Group SubAccount | Delete sub account from group |
Change | Change/addPolicyToGroup | View/getGroupList View/getPolicyList View/getPolicyDetail View/getGroupDetail | Group | Group | Assign policy to group |
Change | Change/removePolicyFromGroup | View/getGroupList View/getGroupDetail | Group | Group | Delete policy from group |
Change | Change/createGroup | View/getGroupList | - | Group | Create group |
Change | Change/updateGroup | View/getGroupList View/getGroupDetail | Group | Group | Edit group information |
Change | Change/deleteGroup | View/getGroupList View/getGroupDetail | Group | Group | Delete group |
Change | Change/createPolicy | View/getPolicyList | - | Policy | Create new policy |
Change | Change/updatePolicy | View/getPolicyList View/getPolicyDetail | Policy | Policy | Change policy created by user |
Change | Change/deletePolicy | View/getPolicyList View/getPolicyDetail | Policy | Policy | Delete policy created by user |
Change | Change/createRole | View/getRoleList | - | Role | Create role |
Change | Change/updateRole | View/getRoleDetail View/getRoleList | Role | Role | Edit role |
Change | Change/deleteRole | View/getRoleDetail View/getRoleList | Role | Role | Delete role |
Change | Change/addPolicyToRole | View/getPolicyList View/getRoleDetail View/getRoleList View/getPolicyDetail | Role | Role | Assign policy to role |
Change | Change/removePolicyFromRole | View/getRoleDetail View/getRoleList | Role | Role | Delete policy from role |
Change | Change/attachRoleToServer | View/getRoleDetail View/getServerInstanceList View/getRoleList View/getServerInstanceDetail | Role | Role | Assign role to server resource |
Change | Change/detachRoleFromServer | View/getRoleDetail View/getRoleList | Role | Role | Remove roles from server resource |
Change | Change/suspendRole | View/getRoleDetail View/getRoleList | Role | Role | Suspend and release roles |
Change | Change/attachRoleToAccont | View/getRoleDetail View/getRoleList | Role | Role | Set target accounts in account role |
Change | Change/detachRoleFromAccont | View/getRoleDetail View/getRoleList | Role | Role | Delete target accounts in account role |
Change | Change/switchRole | - | Role | Role | Switch permissions to the assigned account role |
Even when you are granted permission for a specific action, if you are not also granted permissions for the related actions that are required, then you won't be able to perform jobs properly. To prevent such issues, Sub Account provides a feature that automatically grants permissions for related actions when granting action permissions. However, if you deselect related actions that are automatically granted, then the system determines that it was done intentionally by the main account user and won't forcibly include them. So, be cautioned when setting permissions.