If you are using a RAM user and need permissions to use or manage Model Studio, you can assume a RAM role with the required permissions. This topic describes how to assume a RAM role.
If you are not familiar with concepts such as RAM user, workspace, and permission, read Permissions first.
Use your Alibaba Cloud account to perform the following operations. If you need to use a RAM user, you must first grant it the AliyunRAMFullAccess system policy. For more information, see Grant permissions to a RAM user.
Background information
Model Studio supports the following login methods:
Log on with an Alibaba Cloud account or RAM user
You can log on to Model Studio with your Alibaba Cloud account or as a RAM user. Once your account is added as a member of a workspace, you can log on with your account and password and use Model Studio with the permissions of the current account.
Log on with a RAM role
Enterprise users may prefer to log on through role-based single sign-on (SSO). A user that assumes a RAM role that is a member of a workspace has the same permissions for Model Studio features as an account.
Procedure
The figure below describes how to use Model Studio as a RAM role.
Step 1: Create a RAM user
Create a RAM user. Skip this step if you already have one.
Step 2: Create a RAM role
Choose one of the following methods to create a RAM role:
For identity switching through the Alibaba Cloud console, see Create a RAM role for a trusted Alibaba Cloud account.
For enterprise IdP and Alibaba Cloud SSO, see Create a RAM role for a trusted IdP and SSO overview.
Step 3: Allow role assumption
This step is not required if you chose to assume the RAM role through an enterprise IdP in the previous step.
After creating a RAM user and RAM role, you need to allow the RAM user to assume the RAM role. Choose one of the following methods:
Method 1: Allow your RAM user to assume all RAM roles.
Method 2: Allow your RAM user to assume only the specified RAM role.
Method 1 is simpler, but we recommend Method 2 for fine-grained access control.
Method 1: All RAM roles
In the RAM console, choose from the left-side navigation pane.
Click Add Permissions in the Actions column of the created RAM user.
On the Grant Permission panel, set Resource Scope to Account.
In the Policy section, select the AliyunSTSAssumeRoleAccess system policy, and click Grant permissions.
(Optional) To revoke a permission, see Revoke permissions from a RAM user.
Method 2: Specified RAM role
Go to the RAM console.
In the left-side navigation pane, choose . Click Create Policy.
On the Visual editor tab, enter the following content. You must replace acs:ram:*:<account-id>:role/<role-name> with the actual ARN of the role you created in Step 2. For information about how to view the role ARN, see FAQ about RAM roles and STS tokens. An ARN is a unique identifier for a RAM role.
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Resource": "acs:ram:*:<account-id>:role/<role-name>"
    }
  ],
  "Version": "1"
}
Click OK. Enter the policy name and description.
Grant the policy to the RAM user, allowing the user to assume this RAM role. For more information, see Grant permissions to a RAM user.
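As an added example (not from the Model Studio documentation), the following Python script builds the Method 2 policy for a concrete role ARN and checks whether an existing policy is scoped to specific roles or instead allows assuming every role, which is what Method 1 grants. The account ID and role name are constructed placeholders.

```python
import json
import re

# Constructed placeholder values: not a real account ID or role name.
ACCOUNT_ID = "123456789012345678"
ROLE_NAME = "ModelStudioRole"

# Role ARN format from the page: acs:ram:*:<account-id>:role/<role-name>
ROLE_ARN_RE = re.compile(r"^acs:ram:\*:(\d{1,20}):role/([A-Za-z0-9._-]+)$")


def role_arn(account_id, role_name):
    """Build the ARN of a RAM role in the given account."""
    return f"acs:ram:*:{account_id}:role/{role_name}"


def assume_role_policy(role_arns):
    """Method 2 policy: sts:AssumeRole is allowed only on the listed, concrete role ARNs."""
    for arn in role_arns:
        if not ROLE_ARN_RE.match(arn):
            raise ValueError(f"not a concrete role ARN: {arn}")
    return {
        "Statement": [
            {"Action": "sts:AssumeRole", "Effect": "Allow", "Resource": list(role_arns)}
        ],
        "Version": "1",
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def assume_role_targets(policy):
    """Resources on which Allow statements grant sts:AssumeRole (or a wildcard covering it)."""
    targets = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & {"sts:assumerole", "sts:*", "*"}:
            targets.update(_as_list(stmt.get("Resource", [])))
    return targets


def is_scoped_to_roles(policy):
    """True only when every AssumeRole target is a concrete role ARN; '*' or a wildcard role name fails."""
    targets = assume_role_targets(policy)
    return bool(targets) and all(ROLE_ARN_RE.match(t) for t in targets)


if __name__ == "__main__":
    print(json.dumps(assume_role_policy([role_arn(ACCOUNT_ID, ROLE_NAME)]), indent=2))
```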
Step 4: Grant workspace permissions
For this step, you must use your Alibaba Cloud account or a member who has management layer permissions in the corresponding workspace.
Grant data layer permissions to your RAM role to specify which workspaces it can access and use.
Go to the Account Management page. Click Add User and configure the following parameters.
If your RAM role already exists in Account Management, you can click Edit Permissions in the Actions column to authorize it.
Type: Select RAM Role.
RAM Role: Select the RAM role you just created.
Name: Enter the name used by the RAM role in Model Studio.
Click Next.
Click Permission. Select a workspace and a role for the RAM role. We recommend that you assign only the minimum permissions required to avoid security risks.
Admin: All features under the workspace.
Visitor: All features under the workspace except for User management and Role management.
Click OK.
Assume the RAM role and log on to the Model Studio console as the RAM role. You can now access and use the corresponding workspace. Switch workspaces in the console.
Step 5 (Optional): Grant data permissions
If your RAM user needs to use knowledge bases or use APIs related to data management and prompt engineering, grant data permissions for your RAM role.
In the RAM console, choose from the left-side navigation pane.
In the Actions column of the role to be authorized, click Grant Permission.
Set Resource Scope to Account.
In the Policy section, select AliyunBailianDataFullAccess or one of the policies in the following list. Click Grant permissions.
We recommend that you assign only the minimum permissions required to avoid security risks.
AliyunBailianDataFullAccess: Data management permission.
Create, manage, and access structured knowledge bases.
Use the hit test feature of knowledge bases.
Call all APIs in the API catalog.
AliyunBailianDataReadOnlyAccess: Data read-only permission.
Cannot create, manage, or access structured knowledge bases.
Cannot use the hit test feature of knowledge bases.
Cannot call APIs that add, delete, or modify data in the API catalog, such as Retrieve, AddFile, and CreateIndex.
Can call read-only APIs in the API catalog, such as DescribeFile and GetIndexJobStatus.
(Optional) To revoke a permission, see Revoke permissions from a RAM user.
Step 6 (Optional): Grant management layer permissions
If your RAM user needs to add, manage, or authorize other accounts, grant management layer permissions for your RAM role.
In the RAM console, choose from the left-side navigation pane.
In the Actions column of the role to be authorized, click Grant Permission.
Set Resource Scope to Account.
In the Policy section, select AliyunBailianControlFullAccess or one of the policies in the following list. Click Grant permissions.
We recommend that you assign only the minimum permissions required to avoid security risks.
AliyunBailianFullAccess: Grants full management layer and data permissions.
Note: Data permissions are different from data layer permissions. This policy does not grant workspace permissions.
Management layer: All permissions, including:
Data: Manage permissions, including:
Create, manage, and access structured knowledge base.
Use the hit test feature of knowledge bases.
Call all APIs in the API catalog.
AliyunBailianReadOnlyAccess: Grants limited management layer permissions (read-only) and limited data permissions (read-only).
Note: Data permissions are different from data layer permissions. This policy does not grant workspace permissions.
Management layer: Limited permissions (read-only), including:
Read-only access to workspaces, accounts, and all API keys.
Cannot activate new features.
For the permissions required to pay subscription bills, see FAQ.
Data: Read-only permissions, including:
Cannot create, manage, or access structured knowledge bases.
Cannot use the hit test feature of knowledge bases.
Cannot call APIs that add, delete, or modify data in the API catalog, such as Retrieve, AddFile, and CreateIndex.
Can call read-only APIs in the API catalog, such as DescribeFile and GetIndexJobStatus.
AliyunBailianControlFullAccess: Grants limited management layer permissions (control).
Management layer: Limited permissions (control), including:
Manage workspaces, accounts, and all API keys.
Cannot activate new features.
For the permissions required to pay subscription bills, see FAQ.
AliyunBailianControlReadOnlyAccess: Grants limited management layer permissions (read-only).
Management layer: Limited permissions (read-only), including:
Read-only access to workspaces, accounts, and all API keys.
Cannot activate new features.
For the permissions required to pay subscription bills, see FAQ.