Alibaba Cloud Model Studio provides granular access control at the console and model levels to support complex organizational structures spanning multiple regions.
Identity and permission management
A workspace is the smallest management unit for fine-grained permission control over models and users, and for Alibaba Cloud cost allocation.
Model Studio uses three roles to manage workspace permissions:
- Super administrator: Manages user permissions, available models, model rate limiting, and API keys across multiple workspaces.
- Workspace administrator: Manages user permissions and resources within a specific workspace.
- Regular user: Uses authorized resources.
| Actions | Super administrator (with the AliyunBailianFullAccess system policy) | Workspace administrator | Regular user |
| --- | --- | --- | --- |
| Manage model calls and rate limiting | | | |
| Manage model fine-tuning | | | |
| User management | | | |
| Manage user page access | | | |
| API key management | | | |
| Use authorized workspaces, pages, and resources | | | |
Super administrator
A super administrator is one of the following account types:
- An Alibaba Cloud account. You can identify this account in the Model Studio console. Click the profile icon in the upper-right corner to open the account drop-down panel. The account with the Alibaba Cloud account label is the super administrator.
- A RAM user (account) with the AliyunBailianFullAccess (Model Studio Administrator) system policy. This user can use the Global Management menu (Singapore | US (Virginia) | China (Beijing) | China (Hong Kong) | Germany (Frankfurt)) of Model Studio to grant almost all permissions for any region and any workspace to any RAM user, including themselves. To view the account information of the currently logged-in RAM user, click the profile picture in the upper-right corner of the Model Studio console to expand the account drop-down panel. (Only an Alibaba Cloud account can add OpenAPI permissions.)
A RAM user is a sub-account created by an Alibaba Cloud account to securely delegate permissions for cloud resources to team members.
Super administrators can use Model Studio's global management menu (Singapore | US (Virginia) | China (Beijing) | China (Hong Kong) | Germany (Frankfurt)) to manage multiple workspaces. The features include:
- Create and rename workspaces.
- Manage models and model rate limiting across all workspaces.
- Manage accounts (users) for all workspaces.
- Manage all API keys.
An Alibaba Cloud account must perform a one-time activation in the console to enable features such as model monitoring.
Workspace administrator
A workspace administrator is an Alibaba Cloud RAM user who manages a specific workspace through its Permissions page.
The Administrator permission grants access to all pages within the workspace.
In the Edit Permissions dialog box, click the Other tab, select Administrator from the list of permissions, and then click OK.
Workspace permission management
Model Studio organizes resources and workspaces by region. A single workspace cannot span multiple regions. Even the default workspaces in different regions are distinct entities. You can switch regions in the global management menu (Singapore | Virginia | Beijing | China (Hong Kong) | Frankfurt).
A workspace in Model Studio is the smallest administrative unit for fine-grained permission management, allowing you to manage:
- Restrict model calls: Manage whether a model can be called (from the console or via an API) and configure the model's Request Number Limit and Token Limit.
  This restriction does not apply to the default workspace, where all models can be called without any throttling.
  In the model list, use the toggle in the Model Call column to control the model's authorization status. In the Current Workspace Throttling column, set the values and time units for the request number limit and token limit.
- Restrict model fine-tuning: Manage whether a model can be fine-tuned (from the console or via an API) and subsequently deployed within the workspace.
  This restriction does not apply to the default workspace. There, all models that support fine-tuning can be fine-tuned and then deployed.
  On the Model List tab of the workspace, find the target model. In the Model Authorization area, use the toggle in the Model fine-tuning column to control the model's fine-tuning permission.
- Manage console permissions for users: Control which console features a RAM user can access within a workspace. This does not affect API calls made with an API key that belongs to the user.
  An Alibaba Cloud account does not require this setting and has access to all pages in all workspaces.
  In the Edit Permissions dialog box, select the Model tab. In the permission list, find and select the Model Experience - Operations permission. The Model Experience menu in the left navigation pane corresponds to the Model Experience - Operations permission in the list.
API key permissions
A single API key belongs to exactly one workspace and one user within a single region, and it cannot be transferred to other workspaces or users. The callable functions and model throttling for an API key are inherited from its workspace permissions; these settings are independent of the user's console permissions. You do not need to create different API keys for different models (such as text-to-text, text-to-image, or speech synthesis).
The following actions on the owner's account affect the status of the API key:
Starting March 25, 2026, all new API keys created in the China (Beijing) region belong to the Alibaba Cloud account.
| Action | Alibaba Cloud account | RAM user |
| --- | --- | --- |
| Manually delete an API key | The key becomes invalid and cannot be recovered. | The key becomes invalid and cannot be recovered. |
| Remove the user from the workspace | — | The key becomes invalid. The API key is reactivated if the user is added back to the workspace. |
| Delete the user or role in the RAM console | — | The key becomes invalid and cannot be recovered. |
| Set an IP whitelist for the API key | Supported for API keys in the China (Beijing) region. | Supported for API keys in the China (Beijing) region. |
To manage API keys, go to the Permissions tab in the left navigation pane of the Model Studio console, where you can grant a RAM user permission to create, delete, and view all API keys in the workspace.
In the Edit Permissions dialog box, switch to the Other tab and select API key.
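The key-status rules in the table above matter most during offboarding: removing a RAM user from a workspace only suspends the key, while deleting the key or the RAM user revokes it for good. The following added example (not Model Studio code) models those rules as a small state machine and replays a constructed event log to find keys that are not permanently revoked; the state names, event names, user names and key IDs are assumptions made for illustration.

```python
from dataclasses import dataclass

# State names are this example's own labels, not Model Studio identifiers.
ACTIVE, SUSPENDED, REVOKED = "active", "suspended", "revoked"

@dataclass
class ApiKey:
    key_id: str
    owner: str
    owner_type: str   # "account" (Alibaba Cloud account) or "ram_user"
    workspace: str
    state: str = ACTIVE

def apply_event(key, event):
    """Apply one (action, subject, workspace) event using the table's rules."""
    action, subject, workspace = event
    if key.state == REVOKED:
        return                       # "cannot be recovered"
    if action == "delete_key":
        if subject == key.key_id:
            key.state = REVOKED      # same outcome for both owner types
        return
    if key.owner_type != "ram_user" or subject != key.owner:
        return                       # remaining rows apply to RAM-user keys only
    if action == "delete_ram_user":
        key.state = REVOKED
    elif workspace != key.workspace:
        return
    elif action == "remove_from_workspace":
        key.state = SUSPENDED        # invalid, but reactivated on re-add
    elif action == "add_to_workspace" and key.state == SUSPENDED:
        key.state = ACTIVE

def replay(keys, events):
    """Replay the event log in order and return the final state per key."""
    for event in events:
        for key in keys:
            apply_event(key, event)
    return {k.key_id: k.state for k in keys}

def recoverable_keys(keys, departed):
    """Keys of departed users that are active or could be reactivated."""
    return sorted(k.key_id for k in keys if k.owner in departed and k.state != REVOKED)

def sample_keys():  # constructed inventory, not real data
    return [ApiKey("key-a", "alice", "ram_user", "project-prod-workspace"),
            ApiKey("key-b", "bob", "ram_user", "project-dev-workspace"),
            ApiKey("key-c", "carol", "ram_user", "project-test-workspace"),
            ApiKey("key-root", "main-account", "account", "project-prod-workspace")]

SAMPLE_EVENTS = [  # constructed event log
    ("remove_from_workspace", "alice", "project-prod-workspace"),
    ("delete_ram_user", "bob", None),
    ("remove_from_workspace", "carol", "project-test-workspace"),
    ("add_to_workspace", "carol", "project-test-workspace"),
    ("add_to_workspace", "bob", "project-dev-workspace"),
    ("delete_key", "key-root", None)]
```

With this sample, alice's key ends up suspended rather than revoked, so it is the one an offboarding review should delete explicitly.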
OpenAPI permissions
By default, RAM users cannot call the OpenAPI for application features in Model Studio, including data, knowledge bases, and prompt engineering.
To grant these permissions, the Alibaba Cloud account must assign one of the following policies to the RAM user in the RAM console:
- AliyunBailianDataFullAccess: Allows the user to call all APIs in the Model Studio application API catalog.
- AliyunBailianDataReadOnlyAccess: Allows the user to call read-only APIs in the Model Studio application API catalog, such as DescribeFile - Query file status and GetIndexJobStatus - Query the status of a knowledge base creation job.
Production strategies
- Workspace planning strategy
  - Group by environment (Recommended): Create separate workspaces for development, testing, staging, and production environments to ensure strict environment isolation.
    - project-dev-workspace
    - project-test-workspace
    - project-prod-workspace
  - Group by business line: Create separate workspaces for different business units, such as marketing, after-sales, and design, to simplify permission and cost management.
    - marketing-team-workspace
    - customer-team-workspace
- Throttling policy
  - Allocate the total quota of your Alibaba Cloud account proportionally among workspaces and reserve a portion as a buffer to handle unexpected traffic spikes.
    Example: If the total account quota is 1,000 QPM, a possible allocation plan is as follows:
    - project-prod-workspace: 600 QPM (60%)
    - project-test-workspace: 200 QPM (20%)
    - project-dev-workspace: 100 QPM (10%)
    - Reserved buffer: 100 QPM (10%)
Billing and subscription permissions
By default, a RAM user does not have permission to view Alibaba Cloud bills or purchase subscription products. To do so, assign specific permissions to the RAM user in the RAM console.
The following permissions enable a RAM user to view bills for all Alibaba Cloud products or purchase all Alibaba Cloud subscription products. Grant these permissions with caution.
- To enable a RAM user to view Alibaba Cloud bills, grant them the AliyunBSSReadOnlyAccess permission.
- To enable a RAM user to purchase Alibaba Cloud subscription products, grant them the AliyunBSSOrderAccess permission.
Common settings
Configure a super administrator
Only an Alibaba Cloud account (root account) or a RAM user with the AliyunRAMFullAccess system policy can perform this operation.
- Go to the RAM console and grant the RAM user the AliyunBailianFullAccess (Model Studio administrator) and AliyunBSSOrderAccess (for purchasing Alibaba Cloud subscription products) permissions.
- After granting these permissions, you can use the Model Studio global management menu (Singapore | US (Virginia) | China (Beijing) | China (Hong Kong) | Germany (Frankfurt)) to manage permissions for any RAM user (including yourself) across all regions and workspaces, and to purchase Model Studio subscription products.
Configure a workspace administrator
This operation requires a super administrator or a workspace administrator.
- In the Model Studio console, go to the Permissions tab in the left-side navigation pane and grant the Administrator permission to a RAM user.
  In the Edit Permissions dialog box, switch to the Other tab, and then select Administrator.
Configure model calling permissions
- If you do not use the default workspace, ensure that the model calling permission is enabled for the specific model in the workspace. (This operation requires a super administrator.)
- To call models from the Model Studio console, go to the Permissions tab in the left-side navigation pane and grant a RAM user the following permissions: (This operation requires a super administrator or a workspace administrator.)
  - Playground-FullAccess to call models from the console.
  - BatchInference-FullAccess to use the batch inference feature.
  - ModelObservation-FullAccess to view the token consumption of model calls and evaluations.
- To call models using the Model Studio API, create or assign an API key for the RAM user in the corresponding workspace. For more information, see API key permissions. (This operation requires a super administrator or a workspace administrator.)
API permissions for model fine-tuning
- If you do not use the default workspace, ensure that the model fine-tuning (training) permission is enabled for the specific model in the workspace. (This operation requires a super administrator.)
- Create or assign an API key for the RAM user in the corresponding workspace. For more information, see API key permissions. (This operation requires a super administrator or a workspace administrator.)
FAQ
1. Getting the workspace ID
For details, see Get a workspace ID in application development.
2. Call a model from a sub-workspace
You can use the sub-workspace API key without any special configuration.
3. Use applications in a workspace
To call an application in a workspace via the API, you need the corresponding APP ID and Workspace ID.