
Alibaba Cloud Model Studio: Configure permissions for team collaboration

Last Updated: Nov 10, 2025

Sharing an Alibaba Cloud account directly for team collaboration creates security risks. Instead, create Resource Access Management (RAM) users and grant fine-grained permissions to each user. These permissions define which workspaces they can access, which features they can use, and which models they can call.

Workspace: If an Alibaba Cloud account has multiple services or projects that use Alibaba Cloud Model Studio, divide them into different workspaces. This allows for separate management, such as controlling model calls and isolating applications and data for each workspace. For more information, see Workspace management.

Core concepts

To configure permissions correctly, first understand the different types of accounts:

  • Alibaba Cloud account: This is the main account. It has all permissions for Model Studio. It can create and manage RAM users and grant them permissions.

  • RAM user: This is a sub-account that is typically created by an Alibaba Cloud account. A RAM user must be granted permissions by the Alibaba Cloud account before being able to use and manage Model Studio. Learn more about RAM users

Although using an Alibaba Cloud account directly is convenient, for security purposes we recommend RAM users with properly configured permissions. A RAM user can be granted the following four types of permissions: member (joining a workspace), operation, API, and management permissions. Each type is described in the Permission request flow section.

Core examples

1. I am a project member

Scenario: Use a RAM user user-01 to develop AI applications in a workspace named Project A.

Procedure:

  1. (Use Alibaba Cloud account) Create a workspace: In the Model Studio console, create a workspace named Project A. How to create a workspace

    If you already have one, skip this step.
  2. (Use Alibaba Cloud account) Create a RAM user: In the RAM console, create a RAM user named user-01. How to create a RAM user

    If the user has not joined any workspace, the following message appears when they log on to Model Studio: You do not have access permissions to this workspace.
  3. (Use Alibaba Cloud account) Configure member and operation permissions: Add user-01 to the workspace as a member and grant operation permissions for the pages related to models and applications.

  4. (Use RAM user) Log on and verify: user-01 logs on to the Model Studio console and starts using the service.

2. I am an administrator

Scenario: Use a RAM user admin-01 to manage all workspaces within an Alibaba Cloud account, such as creating or deleting workspaces and managing their members and API keys. The RAM user does not need permission to access the contents of the workspaces themselves.

Procedure:

  1. (Use Alibaba Cloud account) Create a RAM user: In the RAM console, create a RAM user named admin-01.

  2. (Use Alibaba Cloud account) Configure management permissions: Grant management permissions to admin-01.

    Management permission does not include access to any specific workspace. To access a workspace, see Example 1.
  3. (Use RAM user) Log on and verify: admin-01 logs on to the Model Studio console to start managing resources. For more information, see Workspace management and Manage workspace members.

Permission request flow

RAM users and RAM roles can follow the instructions in this section to get the permissions required to fully access and use Model Studio.

RAM role: Multiple RAM users can assume a predefined role to get a uniform set of permissions to use Model Studio.

Using a RAM user


Step 1: Join a workspace

A RAM user must first join a workspace to get read-only permission for the resources and data in that workspace.

After a member is added, the permission usually takes effect within seconds, though there might be a slight delay during peak hours. Once effective, the RAM user can log on to the authorized workspace.

Step 2: Get operation permissions

Within a joined workspace, a RAM user has read-only permissions (such as viewing) for all feature pages by default, except for system administration, permission management, and key management. "Operation" refers to additional write permissions (such as creating, deleting, and editing).

Important

About model authorization (for members of sub-workspaces)

Members of the default workspace do not need model authorization and can skip this note.

Whether a member of a sub-workspace (a non-default workspace) can call a model depends on whether the workspace has the call permission for that model. For more information, see Model authorization. If the workspace has already been granted these permissions, you do not need to grant them again.

Step 3: Get API permissions

To call the APIs for features such as application data, knowledge bases, and prompt engineering, a RAM user must get API permissions.

Step 4 (Optional): Get management permissions

If a RAM user needs to activate features, pay for subscription orders within their workspace, or perform global management across workspaces (such as managing all workspaces, members, and API keys), they must get management permissions.

Next step

Start using Model Studio

Using a RAM role


Step 1: Join a workspace

A RAM role must first join a workspace to get read-only permission for the resources and data in that workspace. For more information, see Steps 1 to 4 in Log on to and use Model Studio as a RAM role.

After a member is added, the permission usually takes effect within seconds, though there might be a slight delay during peak hours. Once effective, a RAM user can log on to the authorized workspace by assuming the RAM role.

Step 2: Get operation permissions

Within a joined workspace, a RAM role has read-only permissions (such as viewing) for all feature pages by default, except for system administration, permission management, and key management. "Operation" refers to additional write permissions (such as creating, deleting, and editing). For more information, see Step 4 in Log on to and use Model Studio as a RAM role.

Important

About model authorization (for members of sub-workspaces)

Members of the default workspace do not need model authorization and can skip this note.

Whether a member of a sub-workspace (a non-default workspace) can call a model depends on whether the workspace has the call permission for that model. For more information, see Model authorization. If the workspace has already been granted these permissions, you do not need to grant them again.

Step 3: Get API permissions

To call the APIs for features such as application data, knowledge bases, and prompt engineering, a RAM role must get API permissions. For more information, see Step 5 in Log on to and use Model Studio as a RAM role.

Step 4 (Optional): Get management permissions

If a RAM role needs to activate features, pay for subscription orders within its workspace, or perform global management across workspaces (such as managing all workspaces, members, and API keys), it must get management permissions. For more information, see Step 6 in Log on to and use Model Studio as a RAM role.

Next step

Start using Model Studio

Going live

  • Principle of least privilege: Grant only the minimum permissions required to complete a task. For example, a developer who only needs operation permissions for features in a specific workspace should not be granted management permissions.

  • Use RAM users for daily operations: Use the Alibaba Cloud account only for authorization and cost management. Perform all daily tasks, such as AI application development and model calls, using RAM users.

  • Use workspaces to isolate environments: Create separate workspaces for different projects, teams, or environments, such as development, testing, and production, to enforce strict permission and data isolation.

  • Audit permissions regularly: Periodically review the permissions of RAM users. Promptly remove permissions that are no longer needed or delete the member accounts of users who have left the team.
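As an added example that is not part of Alibaba Cloud's documentation, the following Python models the four permission types from the Permission request flow (member, operation, API, management) together with the billing policies named in the FAQ, and runs the kind of least-privilege audit recommended above over a constructed team. The `RamPrincipal` fields, the `job` label, and the sample users are assumptions; in practice the data would come from RAM rather than be hard-coded.

```python
from dataclasses import dataclass, field

# RAM system policies named on this page
MANAGEMENT = "AliyunBailianFullAccess"    # management permissions
API_FULL = "AliyunBailianDataFullAccess"  # API permissions; the ReadOnly variant is not enough
ADMIN = "AdministratorAccess"             # already includes AliyunBailianFullAccess
PAY_ORDER = "AliyunBSSOrderAccess"        # pay subscription orders (together with management)
BILL_READ = "AliyunBSSReadOnlyAccess"     # view bills for all products

@dataclass
class RamPrincipal:
    name: str
    job: str                                       # assumed label: "member" or "admin"
    workspaces: set = field(default_factory=set)   # joined workspaces (Step 1, read-only)
    operation: set = field(default_factory=set)    # workspaces with write permission (Step 2)
    policies: set = field(default_factory=set)     # attached RAM system policies (Steps 3 and 4)

def has_management(p: RamPrincipal) -> bool:
    return MANAGEMENT in p.policies or ADMIN in p.policies

def can(p: RamPrincipal, action: str, workspace: str = "") -> bool:
    """Resolve an action against the four permission types plus the billing policies."""
    checks = {
        "view": lambda: workspace in p.workspaces,
        "edit": lambda: workspace in p.workspaces and workspace in p.operation,
        "call_api": lambda: API_FULL in p.policies,
        "manage": lambda: has_management(p),
        "pay_order": lambda: has_management(p) and PAY_ORDER in p.policies,
        "view_bills": lambda: BILL_READ in p.policies,
    }
    return checks[action]()

def audit(principals) -> list:
    """Least-privilege findings: grants wider than the principal's job requires."""
    findings = []
    for p in principals:
        if p.job == "member" and has_management(p):
            findings.append(f"{p.name}: project member holds management permissions")
        if ADMIN in p.policies:
            findings.append(f"{p.name}: AdministratorAccess is broader than {MANAGEMENT}")
    return findings

# Constructed sample team, not real accounts
TEAM = [
    RamPrincipal("user-01", "member", {"Project A"}, {"Project A"}, {API_FULL}),
    RamPrincipal("user-02", "member", {"Project A"}, set(), {ADMIN}),
    RamPrincipal("admin-01", "admin", set(), set(), {MANAGEMENT, PAY_ORDER}),
]
```

Running `audit(TEAM)` flags only user-02, whose AdministratorAccess grant gives a project member global management rights that Example 1 never calls for.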

FAQ

Why can't I find the entry point to create a workspace or manage accounts?

These features are on the System Administration (Singapore or Beijing) page. To access this page, you must first get management permissions.

How do I view my bills when using a RAM user or RAM role?

RAM users and RAM roles currently cannot view bills for a specific product. To view bills for all products, the Alibaba Cloud account must grant the AliyunBSSReadOnlyAccess system policy to the RAM user or RAM role in the RAM console. For the specific procedure, RAM users can see Grant permissions to a RAM user, and RAM roles can see Grant permissions to a RAM role.

What should I do if I encounter a bss:PayOrder error when paying for an Alibaba Cloud Model Studio subscription order?

By default, RAM users do not have permission to pay for subscription orders. To grant this permission, the Alibaba Cloud account must grant the RAM user or RAM role management permissions and the AliyunBSSOrderAccess system policy. For the authorization procedure, RAM users can see Grant permissions to a RAM user, and RAM roles can see Grant permissions to a RAM role.

If a RAM user or RAM role already has the AdministratorAccess system policy, do I still need to configure management permissions (AliyunBailianFullAccess policy)?

The AdministratorAccess policy already includes the AliyunBailianFullAccess policy. A RAM user or RAM role with the AdministratorAccess policy already has global management permissions and does not need additional configuration.

What should I do if I encounter an AliyunSFMFullAccess/AliyunBailianFullAccess permission error for a RAM user?

The Alibaba Cloud account must grant the AliyunBailianFullAccess system policy to the RAM user or RAM role. For the specific procedure, RAM users can see Management permissions, and RAM roles can see Grant management permissions to a RAM role.

What should I do if I encounter a NoPermission, sfm:GetRetrievePromptPipelineMaxLimit error?

The Alibaba Cloud account must grant the AliyunBailianDataFullAccess system policy to the RAM user or RAM role. The AliyunBailianDataReadOnlyAccess policy is not sufficient. For the specific procedure, RAM users can see API permissions, and RAM roles can see Grant API permissions to a RAM role.

When using a RAM user or RAM role, what RAM permissions are required to activate features such as model calling for the first time, or to pay for subscription orders?

  • Model calling: The Alibaba Cloud account needs to grant the AliyunBailianFullAccess system policy to the RAM user or RAM role. For the specific procedure, RAM users can see Management permissions, and RAM roles can see Grant management permissions to a RAM role.

  • Pay for subscription orders: The Alibaba Cloud account needs to grant the AliyunBSSOrderAccess and AliyunBailianFullAccess system policies to the RAM user or RAM role. For the specific procedure, RAM users can see Grant permissions to a RAM user, and RAM roles can see Grant permissions to a RAM role.