Artificial Intelligence Recommendation: Permission management

Last Updated: Jun 04, 2026

PAI-Rec permission management is based on the in-account authorization model of Alibaba Cloud Resource Access Management (RAM). This model uses policies and a streamlined process to manage users and delegate permissions within your Alibaba Cloud account, ensuring secure and efficient use of PAI-Rec. This topic also describes the permissions required for the Data Transmission Service (DTS) during PAI-DLC training, and for running the recommendation engine in PAI-EAS.

Concepts

Prerequisites

PAI-Rec related policies

  • PaiRecRamAdminAccess: Grants the ram:AttachPolicyToUser permission, which allows a user to attach policies to other users. A user with this policy can also grant the PaiRecRamAdminAccess policy to other users, making them administrators.

  • PaiRecDataManagementAccess: Grants OpenAPI permissions for data management-related services, including OSS, Container Registry, DataHub, MaxCompute, the PAI-Rec console, and FeatureStore.

  • PaiRecEngineAccess: Grants OpenAPI permissions for PAI-EAS and Hologres.

  • PaiRecMonitorAccess: Grants OpenAPI permissions for Flink and Simple Log Service (SLS).

Create users and assign roles

  • Log on to the RAM console with your Alibaba Cloud account and create RAM users for your team members.

    1. PAI-Rec RAM users typically include recommendation algorithm and recommendation engine engineers, as well as business analysts who need to view experiment reports.

    2. To designate a user as a PAI-Rec administrator, grant the PaiRecRamAdminAccess policy to that user. To do this, find the PaiRecRamAdminAccess policy and click Authorize.

  • Add the RAM users you created to the required cloud resources. For example, add algorithm engineers to project workspaces in DataWorks, MaxCompute, PAI, and Flink. If you use Hologres to store features or user behavior data, you must also add the users to Hologres.

    1. In the Add Members By Cloud Resource section, click Add Member next to the target product.

    2. Select a RAM user that you created, click the icon, assign a role to the user, and then click OK.

      To build a PAI-Rec recommendation system, a RAM user requires at least the following roles:

      | Cloud product | Role | References |
      | --- | --- | --- |
      | DataWorks | Developer, Deployer, and O&M. | Appendix: Permissions of built-in roles at the workspace level |
      | MaxCompute | (1) If DataWorks is in basic mode, we recommend that you grant the role_project_dev role to the user in MaxCompute. (2) If DataWorks is in standard mode, grant the role_project_dev role to the user in the ${project}_dev development project of MaxCompute. You must also set the task owner for MaxCompute computing resources (project name: ${project}) in DataWorks to your Alibaba Cloud account. | Permission overview |
      | Flink | EDITOR (default, no manual configuration required). | Permission management |
      | Hologres | normal | Hologres permission model |
      | PAI | Algorithm Developer, Algorithm O&M, and MaxCompute Developer. | Appendix: Roles and permissions |

Related operations

To revoke permissions, go to the User Policies tab, click Revoke next to the target policy, and then follow the on-screen instructions.

Configure PAI-DLC for model training

  • If you purchase and use a dedicated Data Transmission Service (DTS) resource group (subscription), you must run the following command in the specified MaxCompute project:

    setproject odps.tunnel.enable.quota.route.v2=true;

  • After you configure the StorageAPI, a role is automatically created in the MaxCompute console under Management Configuration > Tenant Management > Role Management. The created role depends on the storage billing method. The storage_auth_for_pairec_${quota_name} role is created for subscription resources, where ${quota_name} is a variable that represents the quota name. The storage_auth_for_pairec_pay_as_you_go role is created for pay-as-you-go resources. The following code shows the content of the storage_auth_for_pairec_pay_as_you_go policy:

    {
      "Statement": [
        {
          "Action": [
            "odps:List",
            "odps:Usage"
          ],
          "Effect": "Allow",
          "Resource": [
            "acs:odps:*:regions/*/quotas/pay_as_you_go"
          ]
        }
      ],
      "Version": "1"
    }
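
An added example, not part of the original page and not Alibaba Cloud code: a simplified evaluator that shows what the storage_auth_for_pairec_pay_as_you_go policy above does and does not permit. It models only Effect, Action and Resource with `*` wildcards (no Condition handling); the account ID, region, `example_quota` and the `odps:CreateTable` request are constructed for illustration.

```python
import json
import re

# Policy content as shown on the page (storage_auth_for_pairec_pay_as_you_go).
POLICY = json.loads("""
{
  "Statement": [{
    "Action": ["odps:List", "odps:Usage"],
    "Effect": "Allow",
    "Resource": ["acs:odps:*:regions/*/quotas/pay_as_you_go"]
  }],
  "Version": "1"
}
""")

# Constructed resource names: the account ID, region and the second quota
# name are placeholders, not values from the page.
PAYG = "acs:odps:111111:regions/cn-hangzhou/quotas/pay_as_you_go"
OTHER_QUOTA = "acs:odps:111111:regions/cn-hangzhou/quotas/example_quota"


def matches(pattern, value):
    """Simplified matching: '*' matches any run of characters, the rest is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Default deny; an explicit Deny wins over any Allow. Condition is ignored."""
    allowed = False
    for stmt in policy["Statement"]:
        hit = (any(matches(a, action) for a in as_list(stmt["Action"]))
               and any(matches(r, resource) for r in as_list(stmt["Resource"])))
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and stmt["Effect"] == "Allow")
    return allowed


if __name__ == "__main__":
    for action, resource in [("odps:List", PAYG), ("odps:Usage", PAYG),
                             ("odps:List", OTHER_QUOTA), ("odps:CreateTable", PAYG)]:
        verdict = "Allow" if is_allowed(POLICY, action, resource) else "Deny"
        print(f"{verdict:5}  {action:18} {resource}")
```

The two listed actions are allowed on the pay_as_you_go quota in any region, while the same actions on another quota, or any other action on this quota, fall through to the default deny.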

AK-free access for the recommendation engine

  • Grant the PaiRecDataManagementAccess policy to the AliyunPAIRecEASRole RAM role. This allows the PAI-Rec recommendation engine to start the PAI-EAS service and initialize services such as the ABTest SDK, PAI-FeatureStore SDK, and DataHub without an access key. For more information, see Manage RAM role permissions.

Check cloud service access status

To verify PAI-Rec's access to other cloud services, go to System Configuration > Permission Management > Service Policies in the PAI-Rec console to check the access status of each service and grant authorization if needed.

Prerequisites

You have activated and initialized PAI-Rec.

Procedure

  1. Log on to the PAI-Rec console. In the left-side navigation pane, choose System Configuration > Permission Management.

  2. On the Service Policies tab, check the access status of each cloud service. Note: This status indicates whether the AliyunServiceRoleForPaiRec role can access these cloud services.

    If the access status is Failed, click Authorize and follow the on-screen instructions to grant the required permissions.