
OpenSearch:Create RAM user and grant permissions

Last Updated: Aug 05, 2025

If multiple users in your enterprise need to access the service together, you can create multiple RAM users and assign each of them only the permissions they need. This avoids sharing the Alibaba Cloud account credentials and reduces risk.

Scenarios

The following scenarios require creating RAM users and granting them the minimum permissions needed for business operations:

  • When RAM users call the AI Search Open Platform service via API/SDK, they use an AccessKey pair for identity authentication.

  • When RAM users use the AI Search Open Platform console, common scenarios include:

    • Granting the permission to create workspaces and activate AI Search Open Platform.

    • Granting the permission to manage API Keys.

      Important

      In AI Search Open Platform, API Keys are scoped to individual workspaces. If a RAM user obtains an API Key for a specific workspace (and the API Key is enabled) and uses it in code, the user can call all services under that workspace via API/SDK; no separate authorization is required.

    • Granting the permission to experience services such as document parsing and chunking in Experience Center.

    • Granting the permission to perform evaluation on RAG chains.

Permission policies

System policies

System policies are created and maintained by Alibaba Cloud. You can attach them but cannot modify them; Alibaba Cloud maintains their version updates. AI Search Open Platform provides the following system policies:

  • AliyunOpenSearchFullAccess: Permission to manage OpenSearch. This permission policy includes all permissions in the permission point list. Grant this permission policy with caution.

  • AliyunOpenSearchReadOnlyAccess: Grants read-only access to OpenSearch. This policy includes all the control API permissions (List, Describe) for read operations and all permissions within the traffic API permissions list, as detailed in the permission point list.

Custom policies

Create custom permission policies to achieve fine-grained permission management.

Permission point list

Control API permissions

| Category | API | RAM Action | Resource | Description |
| --- | --- | --- | --- | --- |
| Workspace | CreateWorkspace | searchplat:WriteWorkspace | workspaces/* | Create workspace and activate AI Search Open Platform (see note below) |
| Workspace | UpdateWorkspace | searchplat:WriteWorkspace | workspaces/{workspaceName} | Update workspace |
| Workspace | GetWorkspace | searchplat:DescribeWorkspace | workspaces/{workspaceName} | Get workspace details |
| Workspace | ListWorkspaces | searchplat:ListWorkspaces | workspaces/* | Get workspace list |
| Workspace | ListServices | searchplat:ListServices | workspaces/{workspaceName} | Get service list |
| Access credential | CreateCredentials | searchplat:WriteCredentials | workspaces/{workspaceName} | Create access credentials |
| Access credential | DeleteCredentials | searchplat:WriteCredentials | workspaces/{workspaceName} | Delete access credentials |
| Access credential | UpdateCredentials | searchplat:WriteCredentials | workspaces/{workspaceName} | Update access credentials |
| Access credential | GetCredentials | searchplat:DescribeCredentials | workspaces/{workspaceName} | Get access credentials details |
| Access credential | ListCredentials | searchplat:DescribeCredentials | workspaces/{workspaceName} | Get access credentials list |
| Calculate remaining free quota | GetMeasure | searchplat:DescribeMeasure | workspaces/{workspaceName} | Get remaining free service quota for the workspace (see note below) |
| Experience data | CreateExperienceData | searchplat:WriteExperienceData | workspaces/{workspaceName} | Add experience data |
| Experience data | DeleteExperienceData | searchplat:WriteExperienceData | workspaces/{workspaceName} | Delete experience data |
| Experience data | GetExperienceData | searchplat:DescribeExperienceData | workspaces/{workspaceName} | Get experience data details |
| Experience data | ListExperienceData | searchplat:DescribeExperienceData | workspaces/{workspaceName} | Get experience data list |
| Asynchronous task | CreateAsyncTask | searchplat:WriteAsyncTask | workspaces/{workspaceName} | Create experience data parsing asynchronous task |
| Asynchronous task | GetAsyncTask | searchplat:DescribeAsyncTask | workspaces/{workspaceName} | View experience data parsing asynchronous task details |
| Asynchronous task | ListAsyncTasks | searchplat:DescribeAsyncTask | workspaces/{workspaceName} | View experience data parsing asynchronous task list |
| Evaluation | CreateRagEvaluatorTask | searchplat:WriteEvaluation | workspaces/{workspaceName} | Create evaluation task |
| Evaluation | GetRagEvaluatorTask | searchplat:DescribeEvaluation | workspaces/{workspaceName} | Get evaluation task details |
| Evaluation | ListRagEvaluatorTasks | searchplat:DescribeEvaluation | workspaces/{workspaceName} | Get evaluation task list |
| Evaluation | DeleteRagEvaluatorTask | searchplat:WriteEvaluation | workspaces/{workspaceName} | Delete evaluation task |
| Model service | CreateFunctionInstance | searchplat:WriteFunction | workspaces/{workspaceName} | Create service/model |
| Model service | CreateFunctionTask | | workspaces/{workspaceName} | Activate service configuration immediately |
| Model service | UpdateFunctionInstance | | workspaces/{workspaceName} | Change service/model configuration |
| Model service | DeleteFunctionInstance | | workspaces/{workspaceName} | Delete service/model configuration |
| Model service | ListFunctionInstances | searchplat:DescribeFunction | workspaces/{workspaceName} | Get service/model configuration list |
| Model service | GetFunctionInstance | | workspaces/{workspaceName} | Get service/model configuration details |
| Model service | GetTableFields | searchplat:GetTableFields | workspaces/{workspaceName} | Get MaxCompute table schema |
| Model service - service deployment | ListFunctionRestrictions | searchplat:ListFunctionRestrictions | workspaces/{workspaceName} | Get feature restriction items, including deployable regions, model categories, model types, and models |

Note (CreateWorkspace)

AI Search Open Platform can be activated for free. You are not charged if you do not use it.

Note (GetMeasure)

  • After activating AI Search Open Platform, the system provides 10 free service calls for each Alibaba Cloud account (the Alibaba Cloud account and its RAM users share the free quota).

  • After the 10 free calls are used up, the system charges based on actual model service usage.

Traffic API permissions

| API | Action | Resource | Description |
| --- | --- | --- | --- |
| GetTextEmbedding | searchplat:GetTextEmbedding | workspaces/{workspaceName} | Text embedding service |
| GetTextSparseEmbedding | searchplat:GetTextSparseEmbedding | workspaces/{workspaceName} | Sparse text embedding service |
| CreateDocumentAnalyzeTask | searchplat:CreateDocumentAnalyzeTask | workspaces/{workspaceName} | Create asynchronous document parsing service request |
| DescribeDocumentAnalyzeTask | searchplat:DescribeDocumentAnalyzeTask | workspaces/{workspaceName} | Get asynchronous document parsing result |
| GetDocumentAnalysis | searchplat:GetDocumentAnalysis | workspaces/{workspaceName} | Get synchronous document parsing result |
| CreateImageAnalyzeTask | searchplat:CreateImageAnalyzeTask | workspaces/{workspaceName} | Create asynchronous image parsing service request |
| DescribeImageAnalyzeTask | searchplat:DescribeImageAnalyzeTask | workspaces/{workspaceName} | Get asynchronous image parsing result |
| GetImageAnalysis | searchplat:GetImageAnalysis | workspaces/{workspaceName} | Get synchronous image parsing result |
| GetDocumentSplit | searchplat:GetDocumentSplit | workspaces/{workspaceName} | Document chunking service |
| GetDocumentRank | searchplat:GetDocumentRank | workspaces/{workspaceName} | Re-ranking service |
| GetTextGeneration | searchplat:GetTextGeneration | workspaces/{workspaceName} | Content generation LLM service |
| GetQueryAnalysis | searchplat:GetQueryAnalysis | workspaces/{workspaceName} | Query analysis service |
| GetEmbeddingTuning | searchplat:GetEmbeddingTuning | workspaces/{workspaceName} | Vector fine-tuning service |
| GetWebSearch | searchplat:SearchWeb | workspaces/{workspaceName} | Internet search |
| GetMultiModalEmbedding | searchplat:GetMultiModalEmbedding | workspaces/{workspaceName} | Multimodal embedding service |

Procedure

Step 1: Create RAM user

A RAM user is a physical identity that has a fixed ID and credential information. A RAM user represents a person or an application. A RAM user has the following characteristics:

  • A RAM user can be created by an Alibaba Cloud account. In this case, the RAM user belongs to the Alibaba Cloud account. A RAM user can also be created by a RAM user or a RAM role that has administrative rights. In this case, the RAM user belongs to the Alibaba Cloud account that creates the RAM user or the RAM role.

  • A RAM user does not own resources. Resource usage fees of the RAM user are billed to the Alibaba Cloud account to which the RAM user belongs. A RAM user does not receive individual bills and cannot make payments.

  • Before RAM users can log on to the Alibaba Cloud Management Console or call operations, they must be authorized by Alibaba Cloud accounts. After RAM users are authorized, the RAM users can access resources that are owned by the Alibaba Cloud accounts.

  • RAM users have independent passwords or AccessKey pairs for logon.

  • An Alibaba Cloud account can create multiple RAM users. RAM users can be used to represent employees, systems, and applications within an enterprise.

For more information, see Create RAM user.

Step 2: Create custom permission policy

Using the Common minimum permission combination examples as a reference, select permission points from the permission point list and combine them into a minimum permission policy. For more information on creating custom authorization policies, see Create custom permission policy.

Step 3: Authorize RAM user

After granting RAM users a system policy or custom policy, the users can access resources with the corresponding permissions in the policy. We recommend that you grant only the required permissions to the RAM user based on the principle of least privilege. For more information on authorization, see Authorize RAM user.

Note

After you set or update the permission configuration of a RAM user, the change takes effect after a 5-minute delay.

Common minimum permission combination examples

Example 1: Allow RAM users to view the workspace list, view the remaining free service quota, and call the document chunking service in the default workspace. The corresponding authorization policy is as follows:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "searchplat:ListWorkspaces",
            "Resource": "acs:searchplat:*:*:workspaces/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "searchplat:DescribeWorkspace",
                "searchplat:GetDocumentSplit",
                "searchplat:DescribeMeasure"
            ],
            "Resource": "acs:searchplat:*:*:workspaces/default"
        }
    ]
}

Example 2: Allow RAM users to view the workspace list, view the remaining free service quota, manage API Keys in the default workspace, and call the document chunking service. The corresponding authorization policy is as follows:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "searchplat:ListWorkspaces"
            ],
            "Resource": "acs:searchplat:*:*:workspaces/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "searchplat:DescribeWorkspace",
                "searchplat:WriteCredentials",
                "searchplat:GetDocumentSplit",
                "searchplat:DescribeCredentials",
                "searchplat:DescribeMeasure"
            ],
            "Resource": "acs:searchplat:*:*:workspaces/default"
        }
    ]
}
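To show how the permission points in the list above combine into a custom policy of the same shape as Examples 1 and 2, here is an added Python helper; it is not part of this page or of Alibaba Cloud's tooling. It builds a minimum policy from a list of API operations (account-wide operations on workspaces/*, everything else on one named workspace) and reports what a reviewer should check before attaching it: wildcard actions, resources outside searchplat, and credential-management actions, since the Important note above explains that an API Key unlocks every service in its workspace. The action and resource strings are copied from the permission point list; the API_TO_ACTION subset and the finding texts are this example's own.

```python
# Subset of the page's permission point list: API operation -> RAM action.
API_TO_ACTION = {
    "CreateWorkspace": "searchplat:WriteWorkspace",
    "ListWorkspaces": "searchplat:ListWorkspaces",
    "GetWorkspace": "searchplat:DescribeWorkspace",
    "GetMeasure": "searchplat:DescribeMeasure",
    "GetDocumentSplit": "searchplat:GetDocumentSplit",
    "GetTextEmbedding": "searchplat:GetTextEmbedding",
    "CreateCredentials": "searchplat:WriteCredentials",
    "ListCredentials": "searchplat:DescribeCredentials",
}
# Operations whose resource in the list is workspaces/* rather than one workspace.
ACCOUNT_WIDE = {"CreateWorkspace", "ListWorkspaces"}
# Actions that manage API Keys; an API Key unlocks every service in its workspace.
CREDENTIAL_ACTIONS = {"searchplat:WriteCredentials", "searchplat:DescribeCredentials"}

def build_policy(apis, workspace):
    """Compose a minimum policy: account-wide actions on workspaces/*,
    everything else scoped to the single named workspace."""
    wide = sorted(API_TO_ACTION[a] for a in apis if a in ACCOUNT_WIDE)
    scoped = sorted(API_TO_ACTION[a] for a in apis if a not in ACCOUNT_WIDE)
    statements = []
    if wide:
        statements.append({"Effect": "Allow", "Action": wide,
                           "Resource": "acs:searchplat:*:*:workspaces/*"})
    if scoped:
        statements.append({"Effect": "Allow", "Action": scoped,
                           "Resource": f"acs:searchplat:*:*:workspaces/{workspace}"})
    return {"Version": "1", "Statement": statements}

def review_policy(policy):
    """Return the findings a reviewer would raise before attaching the policy."""
    findings = []
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        for res in resources:
            if not res.startswith("acs:searchplat:"):
                findings.append(f"unexpected resource {res}")
            for act in actions:
                if act in ("*", "searchplat:*"):
                    findings.append(f"wildcard action {act} on {res}")
                elif act in CREDENTIAL_ACTIONS and res.endswith("workspaces/*"):
                    findings.append(f"{act} on every workspace: API Keys grant full service access")
                elif act in CREDENTIAL_ACTIONS:
                    findings.append(f"{act} on {res}: holder can call all services via API Key")
    return findings
```

Running build_policy(["ListWorkspaces", "GetWorkspace", "GetMeasure", "GetDocumentSplit"], "default") reproduces Example 1 with no findings; adding CreateCredentials reproduces the credential grant of Example 2 and yields one finding to sign off on.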