
Alibaba Cloud Model Studio: RAM permissions

Last Updated: Feb 17, 2025

If you are using a RAM user or RAM role, you may require RAM permissions to manage Model Studio, use knowledge bases, or call APIs related to data management and prompt engineering. This topic describes the RAM permission policies of Model Studio.

RAM permissions are divided into system policies and custom policies. System policies cover common scenarios and help you configure permissions quickly. For more granular control, such as restricting specific RAM users from calling certain APIs in the API catalog, use custom policies. You can also use the two policy types together. For details, see Policy overview.

System policies

System policies are permission collections created, managed, and updated by Alibaba Cloud. RAM users or RAM roles can use them but cannot modify them. Model Studio provides the following system policies:

To understand how to choose and use system policies, see Permissions.
By default, the Alibaba Cloud account that activates Model Studio has the AliyunBailianFullAccess system policy and the permissions for all workspaces.
  • AliyunBailianFullAccess: Grants full management layer and data permissions.

    Note: Data permissions are different from data layer permissions. This policy does not grant workspace permissions.
    • Management layer: All permissions, including:

      • Manage workspaces, accounts, and all API keys.

      • Activate new features in Model Studio.

      • The essential permissions for paying subscription bills (see FAQ).

    • Data: Manage permissions, including:

  • AliyunBailianReadOnlyAccess: Grants limited management layer permissions (read-only) and limited data permissions (read-only).

    Note: Data permissions are different from data layer permissions. This policy does not grant workspace permissions.
    • Management layer: Limited permissions (read-only), including:

      • Read-only access to workspaces, accounts, and all API keys.

      • Cannot activate new features.

      • The essential permissions for paying subscription bills (see FAQ).

    • Data: Read-only permissions, including:

  • AliyunBailianControlFullAccess: Grants limited management layer permissions (control).

    • Management layer: Limited permissions (control), including:

      • Manage workspaces, accounts, and all API keys.

      • Cannot activate new features.

      • The essential permissions for paying subscription bills (see FAQ).

  • AliyunBailianControlReadOnlyAccess: Grants limited management layer permissions (read-only).

    • Management layer: Limited permissions (read-only), including:

      • Read-only access to workspaces, accounts, and all API keys.

      • Cannot activate new features.

      • The essential permissions for paying subscription bills (see FAQ).

  • AliyunBailianDataFullAccess: Grants data permissions.

    Note: Data permissions are different from data layer permissions. This policy does not grant workspace permissions.
  • AliyunBailianDataReadOnlyAccess: Grants limited data permissions.

    Note: Data permissions are different from data layer permissions. This policy does not grant workspace permissions.

Custom policies

If you are using the Alibaba Cloud account or a RAM user with the AliyunRAMFullAccess system policy, you can create and manage custom policies. You maintain custom policies yourself and can update or delete their permissions at any time.

APIs related to knowledge base and data management support custom policies. Select the necessary permissions from the list below to create custom policies and grant minimal authorization to RAM users. For the procedure, see Grant data permissions to a RAM user.

| Feature | API | Permission name required to call this API | Permission description |
| --- | --- | --- | --- |
| Knowledge base | CreateIndex | sfm:CreateIndex | See Authorization information. |
| Knowledge base | GetIndexJobStatus | sfm:GetIndexJobStatus | See Authorization information. |
| Knowledge base | SubmitIndexJob | sfm:SubmitIndexJob | See Authorization information. |
| Knowledge base | SubmitIndexAddDocumentsJob | sfm:SubmitIndexAddDocumentsJob | See Authorization information. |
| Knowledge base | Retrieve | sfm:Retrieve | See Authorization information. |
| Knowledge base | ListIndexDocuments | sfm:ListIndexFiles | See Authorization information. |
| Knowledge base | ListChunks | sfm:ChunkList | See Authorization information. |
| Knowledge base | ListIndices | sfm:ListIndex | See Authorization information. |
| Knowledge base | DeleteIndex | sfm:DeleteIndex | See Authorization information. |
| Knowledge base | DeleteIndexDocument | sfm:DeleteIndexDocument | See Authorization information. |
| Data management | ApplyFileUploadLease | sfm:ApplyFileUploadLease | See Authorization information. |
| Data management | AddFile | sfm:AddFile | See Authorization information. |
| Data management | DescribeFile | sfm:DescribeFile | See Authorization information. |
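
The following is an added example, not Alibaba Cloud code: it builds a minimal custom policy document from the API names in the table above and lints a hand-written draft for wildcards and for action names that do not appear in the table. The helper names `build_policy` and `lint_policy` are hypothetical, and `"Resource": "*"` is an assumption, because resource scoping is described under each API's Authorization information rather than on this page.

```python
import json

# API names from the table on this page. The RAM action is "sfm:" + API name,
# except for the three overrides, where the table lists a different action name.
APIS = ["CreateIndex", "GetIndexJobStatus", "SubmitIndexJob",
        "SubmitIndexAddDocumentsJob", "Retrieve", "ListIndexDocuments",
        "ListChunks", "ListIndices", "DeleteIndex", "DeleteIndexDocument",
        "ApplyFileUploadLease", "AddFile", "DescribeFile"]
OVERRIDES = {"ListIndexDocuments": "sfm:ListIndexFiles",
             "ListChunks": "sfm:ChunkList",
             "ListIndices": "sfm:ListIndex"}
API_TO_ACTION = {api: OVERRIDES.get(api, "sfm:" + api) for api in APIS}
KNOWN_ACTIONS = set(API_TO_ACTION.values())


def build_policy(api_names):
    """Return a RAM policy document that allows only the listed APIs."""
    actions = sorted({API_TO_ACTION[name] for name in api_names})
    # Resource "*" is an assumption: the page defers resource scoping to each
    # API's "Authorization information".
    return {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": actions, "Resource": "*"}]}


def lint_policy(policy):
    """Return least-privilege findings for the Allow statements of a policy."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        for action in [actions] if isinstance(actions, str) else actions:
            if "*" in action:
                findings.append(f"wildcard action: {action}")
            elif action.startswith("sfm:") and action not in KNOWN_ACTIONS:
                # For example sfm:ListIndices: the API name, not the action name.
                findings.append(f"not in the page's action list: {action}")
    return findings


# Constructed samples: a read-only retrieval policy and a hand-written draft.
READER_POLICY = build_policy(["Retrieve", "ListIndices", "ListChunks"])
DRAFT = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["sfm:ListIndices", "sfm:*"], "Resource": "*"}]}

if __name__ == "__main__":
    print(json.dumps(READER_POLICY, indent=2))
    print(lint_policy(DRAFT))
```

The draft is flagged twice: `sfm:ListIndices` matches the API name but the table lists `sfm:ListIndex` as the action, and `sfm:*` also covers the delete actions.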

FAQ

What RAM permissions are required when activating new features like model calling using a RAM user (or RAM role)?

| Feature | RAM permissions required |
| --- | --- |
| Model calling | Use the Alibaba Cloud account to grant the AliyunBailianFullAccess system policy for your RAM user (or RAM role) in the RAM console. Other management layer permissions are not applicable. |
| Paying subscription bills | Use the Alibaba Cloud account to grant the AliyunBSSOrderAccess system policy and one of the management layer permissions (AliyunBailianFullAccess, AliyunBailianReadOnlyAccess, AliyunBailianControlFullAccess, or AliyunBailianControlReadOnlyAccess) in the RAM console. |