Model Studio provides access control at the console page and model levels for organizations with multiple regions and users.
Identity management
A single workspace is the smallest unit for fine-grained permission control (for models and users) and Billing and subscription permission management.
Model Studio uses three roles for workspace permissions:
Super administrator: Manages users, available models, model rate limiting, and API keys across all workspaces.
Workspace administrator: Manages user permissions and resources within a specific workspace.
Regular user: Uses resources according to the assigned permissions.
Workspace permission | Super administrator (has AliyunBailianFullAccess) | Workspace administrator | Regular user |
Allow specific model calls & rate limiting | |||
Allow specific model fine-tuning | |||
User management | |||
Manage user-accessible pages | |||
API key management | |||
Access/use authorized workspaces, pages, and resources |
Super administrator
This role includes the following two types of accounts:
An Alibaba Cloud account, which is displayed in the upper-right corner of the Model Studio console:
A RAM user (account) with the AliyunBailianFullAccess (Model Studio administrator) system policy can use the Model Studio global management menu ( Singapore | Virginia | Beijing | Hong Kong | Frankfurt) to grant almost all permissions in any region and any workspace to any RAM user. (Only an Alibaba Cloud account can grant OpenAPI permissions.)
Overview is a sub-account created by an Alibaba Cloud account to securely assign cloud resources and permissions to team members.
The upper-right corner displays the following:
In Model Studio, a super administrator can use the global management menu ( Singapore | Virginia | Beijing | Hong Kong | Frankfurt) to manage multiple workspaces. This includes:
Create workspaces and manage workspace names.
Manage models and model rate limiting for all Workspace permission management.
Manage accounts (users) for all workspaces.
Manage all API keys.
To enable features such as Monitoring, use an Alibaba Cloud account to grant one-time authorization and enable them in the console.
Workspace administrator
This role refers to an Alibaba Cloud RAM user who has access to the Permissions page of a workspace and can use it to manage the workspace.
Administrator permission includes access to all pages within that workspace.
Workspace permission management
Model Studio divides resources and workspaces by region. A single workspace cannot span multiple regions. The default workspaces in different regions are also separate. Go to global management menu ( Singapore | Virginia | Beijing | Hong Kong | Frankfurt) .
A Model Studio workspace is also the smallest unit for fine-grained permission control. You can use it to manage the following:
Workspace permission | Super administrator (has AliyunBailianFullAccess) | Workspace administrator | Regular user |
Allow specific model calls & rate limiting | |||
Allow specific model fine-tuning | |||
User management | |||
Manage user-accessible pages | |||
API key management | |||
Access/use authorized workspaces, pages, and resources |
Limit model calls: You can manage whether a model can be called (from the console and via API) in the workspace and set Request Number Limit and Token Limit for the model.
This limit cannot be set for the default workspace. In the default workspace, all models can be called without rate limiting.
Limit model training: You can manage whether a model can be fine-tuned (from the console and via API) and deployed in the workspace after fine-tuning.
This limit cannot be set for the default workspace. In the default workspace, all models that support fine-tuning can be fine-tuned and deployed after fine-tuning is complete.
User (account) console permission management: You can control which workspace console features a RAM user can access. This does not limit the API calls made with an API key that belongs to the user.
No settings are required for an Alibaba Cloud account. An Alibaba Cloud account can access all pages of all workspaces.
API key permissions
A single API key can only belong to one workspace and one user within a single region, and it cannot be transferred to other workspaces or users. An API key's functions and rate limits are determined by its Workspace's permissions, and are unaffected by user (account) console permission management. You do not need to create separate API keys for different models, such as text generation, text-to-image, or speech synthesis.
An API key's status changes when its owner account is modified:
Starting from March 25, 2026, all new API keys created in the China (Beijing) region will belong to the Alibaba Cloud account.
Action | Alibaba Cloud account | RAM user |
Deleting an API key | Unrecoverable upon failure | Unrecoverable upon failure |
Removing a user from a workspace | — | Failure The API key becomes valid again after the user is added back to the workspace. |
Deleting a user or role in the RAM console | — | Unrecoverable upon failure |
Set an IP whitelist for an API key | Supported for API keys in the China (Beijing) region. | Supported for API keys in the China (Beijing) region. |
Manage API keys: Go to the Permissions page in the left-side navigation pane of the Model Studio console. Add API key permissions for a RAM user. This grants the RAM user permissions to create, delete, and view all API keys in the workspace.
OpenAPI permissions
By default, RAM users do not have permission to call the API for features of Model Studio applications, such as data, knowledge bases, and prompt engineering.
To invoke the operation, you must use your Alibaba Cloud account in the RAM console to grant one of the following permissions to the RAM user:
AliyunBailianDataFullAccess: Allows the user to call all APIs in the Model Studio application API catalog.
AliyunBailianDataReadOnlyAccess: Allows the user to call read-only APIs in the Model Studio application API catalog, such as DescribeFile and GetIndexJobStatus.
Best practices
Workspace planning strategies
By environment (recommended): Create separate workspaces for development, testing, staging, and production environments to achieve strict environment isolation.
project-dev-workspaceproject-test-workspaceproject-prod-workspace
By line-of-business: Create separate workspaces for different business departments within the company, such as marketing, after-sales, and design, to simplify permission and cost management.
marketing-team-workspacecustomer-team-workspace
Rate limiting strategies
Allocate the total quota of the Alibaba Cloud account to each workspace proportionally. Reserve a portion as a buffer to handle traffic bursts.
Example: If the total account quota is 1,000 queries per minute (QPM), the allocation plan is as follows:
project-prod-workspace: 600 QPM (60%)project-test-workspace: 200 QPM (20%)project-dev-workspace: 100 QPM (10%)Reserved buffer: 100 QPM (10%)
Billing and subscription permission management
By default, RAM users do not have permission to view Alibaba Cloud bills or purchase subscription products. To grant these permissions, you must add specific permissions for the RAM user in the RAM console.
The following permissions grant a RAM user the ability to view bills for all Alibaba Cloud products or purchase all subscription products. Grant these permissions with caution.
To allow a RAM user to view Alibaba Cloud bills, you must add the
AliyunBSSReadOnlyAccesspermission to the RAM user.To allow a RAM user to purchase Alibaba Cloud subscription products, you must grant the
AliyunBSSOrderAccesspermission to the RAM user.
Common settings
Set up a super administrator
This operation must be performed by an Alibaba Cloud account or a RAM user with the AliyunRAMFullAccess system policy.
Go to the RAM console and add the AliyunBailianFullAccess (Model Studio administrator) and
AliyunBSSOrderAccess(purchase subscription products) permissions for a RAM user.After the setup is complete, the user can grant any permission for any region and any workspace to any RAM user, and purchase subscription products for Model Studio on the global management menu ( Singapore | Virginia | Beijing | Hong Kong | Frankfurt) .
Set up a workspace administrator
This operation must be performed by a super administrator or a workspace administrator.
Go to the Permissions page in the left-side navigation pane of the Model Studio console, add the Administrator permission to the RAM user.
Set permissions for model calling
If you are not using the Default workspace, ensure that the model calling permission is enabled for the specific model in the workspace. This operation must be performed by a super administrator.
To call models from the Model Studio console, go to the Permissions page in the left-side navigation pane of the Model Studio console, add the following permissions for the RAM user. This operation must be performed by a super administrator or a workspace administrator.
ModelExperience-FullAccess permission to call models in the console.
BatchInference-FullAccess permission to support the Batch inference feature.
ModelObservation-FullAccess permission, which lets you view the token consumption of model calls and evaluations.
To call models via the Model Studio API, create or assign an API key for the RAM user in the corresponding workspace. For more information, see API key permissions. This operation must be performed by a super administrator or a workspace administrator.
Set API permissions for model fine-tuning
If you are not using the Default workspace, ensure that the fine-tuning permission is enabled for the specific model in the workspace. This operation must be performed by a super administrator.
Create or assign an API key for the RAM user in the corresponding workspace. For more information, see API key permissions. This operation must be performed by a super administrator or a workspace administrator.
FAQ
1. How do I get a workspace ID?
2. How do I call a model in a non-default workspace?
Use the API key of that workspace.
3. How do I use an application in a specific workspace?
To use the API to manage and call an application in a specific workspace, set both the Get an APP ID and a workspace ID.