This topic describes how to authorize Resource Access Management (RAM) users to manage Data Science Workshop (DSW) instances and assign service linked roles to DSW.

Background information

For more information about the structure and syntax of permission policies, see Policy structure and syntax.

Authorize RAM users

You can use your Alibaba Cloud account to authorize RAM users to manage DSW instances. Then, the RAM users can create, start, modify, and delete DSW instances.

  1. Log on to the RAM console.
  2. Create a custom policy.
    1. In the left-side navigation pane, choose Permissions > Policies.
    2. On the Policies page, click Create Policy.
    3. On the Create Custom Policy page, set the following parameters.
      | Parameter | Description |
      | --- | --- |
      | Policy Name | Enter DSW_Notebook_Access. |
      | Note | Enter DSW access policy. |
      | Configuration Mode | Select Script. |
      | Policy Document | Add the following content to Policy Document. |
      {
        "Statement": [
          {
            "Action": [
              "notebook:CreateInstance",
              "notebook:StartInstance",
              "notebook:StopInstance",
              "notebook:EditInstance"
            ],
            "Effect": "Allow",
            "Resource": "*"
          }
        ],
        "Version": "1"
      }
      Action indicates the granted permissions, including:
      • notebook:CreateInstance: create DSW instances.
      • notebook:StartInstance: start DSW instances.
      • notebook:StopInstance: stop DSW instances.
      • notebook:EditInstance: modify DSW instances.
      • notebook:ListInstance: view all DSW instances. This action is not in the policy document above; add it to Action to grant it.
      Resource indicates resources that a RAM user is authorized to manage. You can set this parameter in the following ways:
      • Authorize the RAM user to manage all DSW instances in a specified region.
        "Resource": "acs:notebook:cn-beijing:*:notebook/*"
      • Authorize the RAM user to manage a specified instance, such as the DSW instance hhdemo in the following example:
        "Resource": "acs:notebook:*:*:notebook/hhdemo"
      • Authorize the RAM user to manage all DSW instances.
        "Resource": "*"
      For more information about other permissions, see Policy elements.
    4. Click OK.
  3. Grant permissions to a RAM user.
    1. In the left-side navigation pane, choose Identities > Users.
    2. On the Users page, click Add Permissions in the Actions column.
    3. Optional: In the Add Permissions dialog box, click Custom Policy.
    4. In the Select Policy section, enter DSW_Notebook_Access.
    5. Click DSW_Notebook_Access in the Authorization Policy Name column. The policy is then shown in the Selected section.
    6. Click OK.
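
The following added example (not part of the original documentation) checks a policy document before it is pasted into the console and reports how widely each Allow statement for notebook actions is scoped. It assumes the resource layout acs:notebook:<region>:<account>:notebook/<instance> shown in the Resource examples above; the function names and scope labels are hypothetical.

```python
import json

# Constructed sample: the policy document from the page, unchanged.
SAMPLE_POLICY = """{
  "Statement": [{
    "Action": ["notebook:CreateInstance", "notebook:StartInstance",
               "notebook:StopInstance", "notebook:EditInstance"],
    "Effect": "Allow",
    "Resource": "*"
  }],
  "Version": "1"
}"""

def _as_list(value):
    return value if isinstance(value, list) else [value]

def resource_scope(resource):
    """Classify a Resource string (assumed layout: acs:notebook:region:account:notebook/name)."""
    if resource == "*":
        return "all-resources"
    parts = resource.split(":", 4)
    if len(parts) != 5 or parts[:2] != ["acs", "notebook"]:
        return "other-service"
    region, path = parts[2], parts[4]
    if not path.startswith("notebook/"):
        return "unrecognized"
    instance = path[len("notebook/"):]
    if "*" in instance:
        return "all-instances" if region == "*" else "region:" + region
    return "instance:" + instance

def audit(policy_text):
    """Return (actions, resource, scope) for each Allow statement granting notebook actions."""
    findings = []
    for stmt in _as_list(json.loads(policy_text).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a for a in _as_list(stmt.get("Action", []))
                   if a == "*" or a.startswith("notebook:")]
        if not actions:
            continue
        for res in _as_list(stmt.get("Resource", [])):
            findings.append((actions, res, resource_scope(res)))
    return findings

def too_broad(policy_text):
    """Findings whose Resource is not limited to a region or a named instance."""
    return [f for f in audit(policy_text) if f[2] in ("all-resources", "all-instances")]
```

Running too_broad on the sample returns one finding; replacing "*" with the region or instance form of Resource clears it.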

Assign service linked roles

If you are a first-time user of DSW, you must first assign service linked roles to DSW so that DSW can access the required resources.

  1. Navigate to the Notebook Models page.
    1. Log on to the Machine Learning Platform for AI console.
    2. In the left-side navigation pane, choose Model Training > DSW-Notebook Service.
  2. Click Create Instance.
  3. In the Role Authorization dialog box, click Authorize Now.
  4. On the Cloud Resource Access Authorization page, click Agree to Authorize.
    Service linked roles are automatically assigned to DSW and displayed on the Cloud Resource Access Authorization page.