Model Studio supports multi-dimensional access control at the console page and model level for complex organizations that span multiple regions and users.
Identity and access management
A workspace is the smallest management unit for fine-grained permission control (for models and users) and Alibaba Cloud bill splitting.
Permission management in Model Studio is based on three roles:
super administrator: Manages user permissions, available models, model rate limiting, and API keys across workspaces.
workspace administrator: Manages user permissions and resources within a specific workspace.
regular user: Uses resources based on assigned permissions.
Workspace permission | Super administrator (with the AliyunBailianFullAccess system policy) | Workspace administrator | Regular user |
Allowing model calls and rate limiting | |||
Allowing model fine-tuning | |||
User management | |||
User-accessible page management | |||
API key management | |||
Access and use workspaces, pages, and resources | |||
Super administrator
This role includes the following two types of accounts:
An Alibaba Cloud account, which is displayed in the upper-right corner of the Model Studio console:

A RAM user (account) with the AliyunBailianFullAccess (Model Studio administrator) system policy. This RAM user can use the global management menu (Singapore | US (Virginia) | China (Beijing) | China (Hong Kong) | Germany (Frankfurt)) in Model Studio to grant nearly all permissions for any region and any workspace to any RAM user, including themselves. (Only an Alibaba Cloud account can grant OpenAPI permissions.)
A RAM user is a sub-account created by an Alibaba Cloud account to securely assign cloud resources and permissions to team members.

A super administrator can use the global management menu (Singapore | US (Virginia) | China (Beijing) | China (Hong Kong) | Germany (Frankfurt)) to manage multiple workspaces. This includes:
Create workspaces and manage workspace names.
Manage models and model rate limiting for all workspaces.
Manage accounts (users) for all workspaces.
Manage all API keys.
To enable features such as model monitoring, we recommend using an Alibaba Cloud account to perform the one-time authorization and activation in the console.
Workspace administrator
This role refers to a RAM user who manages a specific workspace through its Permissions page.
The Administrator permission includes access to all pages within that workspace.

Workspace permission management
Model Studio divides resources and workspaces by region. A single workspace cannot span multiple regions. Default workspaces in different regions are also separate. Go to the global management menu (Singapore | US (Virginia) | China (Beijing) | China (Hong Kong) | Germany (Frankfurt)).
In Model Studio, a workspace is also the smallest management unit for fine-grained permission control. You can manage the following:
Limit model calls: Control whether a model can be used (via the console or API) within a workspace, and configure the model's Request Number Limit and Token Limit.
This restriction cannot be set for the default workspace. All models can be used without rate limiting.

Limit model training: Control model fine-tuning and subsequent deployment (via the console or API) within the workspace.
This restriction cannot be set for the default workspace. All models that support fine-tuning can be fine-tuned and subsequently deployed.

User (account) console permission management: Manage a RAM user's access to console features within this workspace. This does not restrict API calls made using an API key that belongs to the user.
An Alibaba Cloud account requires no configuration and can access all pages in all workspaces.

API key permissions
A single API key can only belong to one workspace and one user within a single region, and it cannot be transferred to other workspaces or users. An API key's functions and rate limits are determined by its Workspace's permissions, and are unaffected by user (account) console permission management. You do not need to create separate API keys for different models, such as text generation, text-to-image, or speech synthesis.
An API key's status changes when its owner account is modified:
Starting from March 25, 2026, all new API keys created in the China (Beijing) region will belong to the Alibaba Cloud account.
Action | Alibaba Cloud account | RAM user |
Deleting an API key | Becomes invalid and cannot be recovered. | Becomes invalid and cannot be recovered. |
Removing a user from a workspace | — | Becomes invalid. The API key becomes valid again after the user is added back to the workspace. |
Deleting a user or role in the RAM console | — | Becomes invalid and cannot be recovered. |
Set an IP whitelist for an API key | Supported for API keys in the China (Beijing) region. | Supported for API keys in the China (Beijing) region. |
Manage API keys: In the Model Studio console, go to the Permissions tab in the left-side navigation pane to grant API key permissions to a RAM user. This grants the RAM user permissions to create, delete, and view all API keys in the workspace.
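The rules in this section mean that what an API key can reach is decided by its workspace, not by the console pages granted to its owner. The following audit sketch is an added example, not Model Studio code: the inventory, the `Workspace` and `ApiKey` records, the key labels and the model name `model-a` are all constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Workspace:
    name: str
    is_default: bool = False
    # model name -> Request Number Limit set for this workspace (constructed values)
    model_limits: dict = field(default_factory=dict)

@dataclass
class ApiKey:
    label: str                       # inventory label, never the key material
    workspace: str                   # a key belongs to exactly one workspace
    owner: str
    owner_is_ram_user: bool = True
    owner_in_workspace: bool = True
    owner_console_pages: tuple = ()  # console pages granted to the owner

def effective_models(key, workspaces):
    """Models the key can call: set by the workspace, not by console pages."""
    if key.owner_is_ram_user and not key.owner_in_workspace:
        return {}                    # invalid while the owner is outside the workspace
    ws = workspaces[key.workspace]
    # The default workspace cannot be restricted: every model, no rate limit.
    return {"*": None} if ws.is_default else dict(ws.model_limits)

def audit(key, workspaces):
    if key.owner_is_ram_user and not key.owner_in_workspace:
        return ["dormant: becomes valid again if the owner is re-added"]
    findings = []
    if "*" in effective_models(key, workspaces):
        findings.append("default workspace: all models, no rate limiting")
    if key.owner_is_ram_user and not key.owner_console_pages:
        findings.append("console access removed, API access unchanged")
    return findings

# Constructed inventory for illustration only.
WORKSPACES = {
    "default": Workspace("default", is_default=True),
    "project-prod-workspace": Workspace("project-prod-workspace",
                                        model_limits={"model-a": 600}),
}
KEYS = [
    ApiKey("ci-key", "project-prod-workspace", "ram-ci",
           owner_console_pages=("Playground",)),
    ApiKey("old-dev-key", "default", "ram-dev"),
    ApiKey("leaver-key", "project-prod-workspace", "ram-leaver",
           owner_in_workspace=False),
]

def run_audit():
    return {k.label: audit(k, WORKSPACES) for k in KEYS}
```

A key reported as dormant still exists; delete it if the owner should not regain API access when added back to the workspace.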

OpenAPI permissions
By default, RAM users cannot use the OpenAPI to access Model Studio application features, such as data, knowledge base, and prompt engineering.
To grant these permissions, an Alibaba Cloud account must grant the RAM user one of the following permissions in the RAM console:
AliyunBailianDataFullAccess: Allows the user to call all APIs in the Model Studio application API catalog.
AliyunBailianDataReadOnlyAccess: Allows the user to call read-only APIs in the Model Studio application API catalog, such as DescribeFile - Query file status and GetIndexJobStatus - Query knowledge base indexing job status.

Applying to a production environment
Workspace planning strategy
Group by environment (Recommended): Create separate workspaces for development, testing, staging, and production environments to ensure strict environment isolation.
project-dev-workspace
project-test-workspace
project-prod-workspace
Group by business line: Create separate workspaces for different business departments, such as marketing, customer support, and design. This simplifies permission and cost management.
marketing-team-workspace
customer-team-workspace
Throttling policy
Allocate the total quota of the root account proportionally to each workspace. Reserve a portion as a buffer to handle traffic spikes.
Example: The total account quota is 1000 QPM. The allocation is as follows:
project-prod-workspace: 600 QPM (60%)
project-test-workspace: 200 QPM (20%)
project-dev-workspace: 100 QPM (10%)
Reserved buffer: 100 QPM (10%)
Billing and subscription permission management
By default, RAM users cannot view Alibaba Cloud bills or purchase subscription products. To grant these permissions, add specific permissions to a RAM user in the RAM console.
The following permissions allow a RAM user to view bills for all Alibaba Cloud products or purchase all Alibaba Cloud subscription products. Grant these permissions with caution.
To view Alibaba Cloud bills, you need to add the AliyunBSSReadOnlyAccess permission to a RAM user.
To purchase Alibaba Cloud subscription products, you must grant the AliyunBSSOrderAccess permission to a RAM user.
Common settings
Super administrator
This operation requires an Alibaba Cloud account or a RAM user with the AliyunRAMFullAccess system policy.
Go to the RAM console and grant the AliyunBailianFullAccess (Model Studio administrator) and AliyunBSSOrderAccess (purchase subscription products) permissions to a RAM user.
Once setup is complete, you can use the Model Studio global management menu (Singapore | Virginia | China (Beijing) | China (Hong Kong) | Frankfurt) to grant any RAM user (including yourself) permissions for any region and workspace, and purchase subscription products for Model Studio.
Workspace administrator
This operation requires a super administrator or a workspace administrator.
In the Model Studio console, on the Permissions tab in the left-side navigation pane, grant the Administrator permission to the RAM user.

Model calling permissions
If you do not use the default workspace, a super administrator must grant the model calling permission for the specific model in the workspace.
To call models from the Model Studio console, a super administrator or workspace administrator must grant the RAM user the following permissions on the Permissions tab in the left-side navigation pane:
Playground - Operation permission to call models in the console.
Batch Inference - Operation permission to use the batch inference feature.
Model Observation - Operation permission to view the token consumption of model calls and evaluations.

To call models by using the Model Studio API, a super administrator or a workspace administrator must create or assign an API key to the RAM user in the corresponding workspace. For more details, see API key permissions.
API permissions for model fine-tuning
If you do not use the default workspace, a super administrator must grant the model fine-tuning permission for the specific model in the workspace.
A super administrator or a workspace administrator must create or assign an API key to the RAM user in the corresponding workspace. For more details, see API key permissions.
FAQ
1. Get workspace ID
See Get Workspace ID under application development.
2. Calling models from child workspaces
No special configuration is needed. Just use the API key for the sub-workspace.
3. Use an application in a workspace
To use an API to manage or call an application in a specific workspace, you must set the APP ID and Workspace ID.