
Alibaba Cloud Model Studio: Manage workspace members

Last Updated: Nov 10, 2025

Manage workspace members and their feature permissions.

Add members

A RAM user must be a member of a workspace to obtain read-only access to its feature pages and data. This access excludes the System Administration, Permission Management, and Key Management pages.

Alibaba Cloud Model Studio does not automatically add RAM users to any workspace. Follow the steps below to add them manually. Batch additions and invitations are not currently supported.

Procedure

Important

This operation requires an Alibaba Cloud account or a RAM user with management permissions.

  1. On the System Administration (Singapore or Beijing) page, click Accounts in the navigation pane on the left. In the upper-right corner of the page, click Add User.

    • Type: Select RAM User.

    • RAM User: The drop-down list displays all RAM users under the Alibaba Cloud account. Select the RAM user to whom you want to grant permissions. Learn how to create a RAM user

    • Display Name: Set a display name for the user.

  2. Click OK. The added RAM user appears in the list.

    At this point, the RAM user has not been added to any workspace. When the user logs on to Model Studio, the message "You do not have access permissions to this workspace, or the workspace does not exist" appears. You still need to assign accessible workspaces and feature pages to the user.
  3. In the users list, find the user that you just added and click Permissions on the right. Then, click Permission +. Select the workspace that you want the user to access and the page permissions to grant.

    A RAM user with the Administrator page permission can perform all operations in the authorized workspace except for those accessed through the System Administration button in the upper-right corner.
  4. Click Complete. The authorization takes effect immediately.

    The RAM user can now access the corresponding workspace.

Configure member permissions

RAM users who join a workspace can be granted four types of permissions: Model Permissions, Page Permissions, API Permissions, and Management Permissions. These permissions do not overlap. You can configure them as needed.

An Alibaba Cloud account has all permissions for all workspaces by default.

Model permissions

A RAM user's model permissions are tied to a workspace. Model authorizations are independent across different workspaces.

  • Default workspace: After a RAM user joins the default workspace, they can directly call all supported models without requiring the authorization steps below. List of supported models.

  • Sub-workspaces: Initially, a sub-workspace has no permissions to call any models. You can follow the steps below to authorize the workspace to use specific models, such as qwen-plus. Then, a RAM user can call that model within the workspace.

Example: A RAM user is a member of both the Default Workspace and Workspace A (a sub-workspace that is not authorized to use qwen-plus). The user can freely use qwen-plus in the default workspace. However, after switching to Workspace A, the user cannot use this model.

Note: If you share an API key from the default workspace with a RAM user in a sub-workspace, the user can bypass workspace authorization and call models directly through the API. Although this method is technically feasible, it may introduce security risks and should be avoided.

Procedure

Important

This operation requires an Alibaba Cloud account. To perform this operation using a RAM user, an Alibaba Cloud account must be used to grant management permissions to the user and add the user as a member of the workspace that requires model authorization.

  1. Go to the Workspaces (Singapore or Beijing) page. Find the sub-workspace that you want to authorize and click Authorization & Throttling Settings on the right.

  2. Find the target model and click Edit on the right.

  3. Enable the required permissions and click Save.

Page permissions

By default, RAM users have read-only permissions for all feature pages in a workspace that they have joined. This excludes the System Administration, Permission Management, and Key Management pages.

To use the full features of specific pages, such as knowledge bases (including write operations such as creating, deleting, and editing), follow the steps below to add the necessary page operation permissions.

Procedure

Important

This operation requires an Alibaba Cloud account or a RAM user with Administrator or Permission Management page permissions in the target workspace.

  1. In the lower-left corner of the Model Studio console homepage (Singapore or Beijing), click the icon to switch to the target workspace.

  2. In the navigation pane on the left, click Permissions. Find the target RAM user and click Permissions on the right.

  3. In the Page Permissions section, click Edit. Select one or more checkboxes for the required feature page permissions. Grant only the permissions necessary for the user to complete their tasks. Then, click Confirm.

API permissions

By default, RAM users do not have permission to call the APIs for features such as application data, knowledge bases, and prompt engineering in a workspace that they have joined.

To call these APIs, you can follow the steps below to manually add the required API permissions.

Procedure

Important

This operation requires an Alibaba Cloud account or a RAM user with the AliyunRAMFullAccess system policy.

  1. In the RAM console, choose Identities > Users in the navigation pane on the left.

    Although API permissions are granted through RAM policies, API calls must include the workspace ID (WorkspaceId). Therefore, the scope of permissions is ultimately limited by the user's workspace membership.
  2. Find the target RAM user and click Add Permissions on the right.

  3. On the Grant Permission panel, set Resource Scope to Account. In the access policy area, search for and select one of the following policies:

  4. Click Grant permissions. Learn how to revoke permission.

Note: To control a RAM user's permission to invoke a specific API in the API directory, follow the steps below.

Steps to grant permission to call a single API

1. Create a custom policy
  1. In the RAM console, choose Permissions > Policies in the navigation pane on the left. Then, click Create Policy on the page. When finished, click OK.

    • Effect: Select Allow or Deny.

    • Service: Select Alibaba Cloud Model Studio / SFM.

    • Action: Select All actions or Select actions. Directly enter the name of the permission (action) that you want to add to the custom policy in the search box, for example, sfm:CreateIndex.

      When Effect is set to Allow, selecting All actions grants the RAM user permissions to call all APIs in the API catalog.
  2. In the dialog box that appears, enter a name and description for the custom policy, and then click OK.


2. Grant the custom policy to a RAM user
  1. After the policy is created, click Grant Permission on the page (or choose Grants in the navigation pane on the left and then click Grant Permission) to grant the newly created custom policy to the RAM user.

    • Resource Scope: Select Account.

    • Principal: Select the RAM user or users to authorize. You can select multiple RAM users for batch authorization.

    • Policy: In the search box, enter the custom policy that you just created and select it.

  2. Click Grant permissions to complete the authorization configuration. Learn how to revoke permission.


Management permissions

By default, RAM users do not have permission to access System Administration (Singapore or Beijing) in a workspace that they have joined. Therefore, they cannot manage any Model Studio workspaces, accounts, or API keys under the Alibaba Cloud account.

To authorize a RAM user to perform such global management operations, you can follow the steps below to add management permissions.

Procedure

Important

This operation requires an Alibaba Cloud account or a RAM user with the AliyunRAMFullAccess system policy.

  1. In the RAM console, choose Identities > Users in the navigation pane on the left.

  2. Click Add Permissions in the Actions column for the target RAM user.

  3. Set Resource Scope to Account. In the Policy area, search for and select the AliyunBailianFullAccess policy. Then, click Grant permissions. Learn how to revoke permission.

Note: Management permissions (global management) only grant a RAM user the ability to perform management operations across workspaces. These permissions do not grant access to any specific workspace. To access a workspace, the user must obtain member permissions for that workspace.

Remove members

This operation removes all access and operation permissions of a RAM user for a specific workspace. It also invalidates any API keys created by the user in that workspace. The user's permissions and API keys in other workspaces are not affected.

Procedure

Important

This operation requires an Alibaba Cloud account.

  1. In the lower-left corner of the Model Studio console homepage (Singapore or Beijing), click the icon to switch to the target workspace.

  2. In the navigation pane on the left, click Permissions. Find the target RAM user and click Delete on the right. Note: The Delete button is visible only to the Alibaba Cloud account.

  3. In the confirmation dialog box, click Delete.

FAQ

I have management permissions, but when I log on, I see the message "You do not have access permissions to this workspace, or the workspace does not exist". Why?

The AliyunBailianFullAccess system policy allows a RAM user to access the System Administration (Singapore or Beijing) page. It does not include access permissions for any workspace. To access a workspace, the user must obtain member permissions for that workspace.

I have joined the target workspace, but I still receive an error when I call a Model Studio API (as shown below). What should I do?

{
  "AccessDeniedDetail": {
    "AuthAction": "sfm:XXXX",
    "AuthPrincipalType": "SubUser",
    ...
    "PolicyType": "AccountLevelIdentityBasedPolicy",
    "NoPermissionType": "ImplicitDeny",
    ...
  },
  "RequestId": "0A944043-F87D-5EAA-XXXX-2A6E51A6296C",
  "Message": "You are not authorized to perform this action.",
  "Code": "NoPermission",
  ...
}

This error indicates that your account does not have API permissions for this interface. You can request permission for this specific API, or request a RAM system policy that includes permission for this API.
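
The following added example (not part of the original documentation and not Alibaba Cloud's own code) models how a custom policy like the one created under "Steps to grant permission to call a single API" produces the ImplicitDeny shown in the error above, and flags Allow statements that cover every sfm action. It is a simplified model: Resource and Condition are ignored, action matching is a case-sensitive glob, sfm:SomeOtherAction is a placeholder action name, and "All actions" is assumed to be written as sfm:*.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample: a custom policy that allows only sfm:CreateIndex,
# as in the single-API steps. "1" is the RAM policy document version.
SINGLE_API_POLICY = json.loads("""
{"Version": "1",
 "Statement": [{"Effect": "Allow", "Action": "sfm:CreateIndex", "Resource": "*"}]}
""")

# Constructed sample: Effect = Allow with "All actions" (assumed to be sfm:*).
ALL_ACTIONS_POLICY = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "sfm:*", "Resource": "*"}],
}


def _actions(statement):
    """Return the Action field as a list (it may be a string or a list)."""
    action = statement.get("Action", [])
    return [action] if isinstance(action, str) else list(action)


def evaluate(policies, requested_action):
    """Simplified decision: explicit Deny wins, then Allow, else ImplicitDeny."""
    decision = "ImplicitDeny"  # no matching statement at all
    for policy in policies:
        for stmt in policy.get("Statement", []):
            if not any(fnmatchcase(requested_action, p) for p in _actions(stmt)):
                continue
            if stmt.get("Effect") == "Deny":
                return "ExplicitDeny"  # this example's label for a matching Deny
            if stmt.get("Effect") == "Allow":
                decision = "Allow"
    return decision


def overbroad_allows(policy, service="sfm"):
    """List Allow patterns that cover every action of the service."""
    broad = {"*", f"{service}:*"}
    return [p for stmt in policy.get("Statement", [])
            if stmt.get("Effect") == "Allow"
            for p in _actions(stmt) if p in broad]


if __name__ == "__main__":
    for action in ("sfm:CreateIndex", "sfm:SomeOtherAction"):  # second is a placeholder
        print(action, "->", evaluate([SINGLE_API_POLICY], action))
    print("over-broad:", overbroad_allows(ALL_ACTIONS_POLICY))
```

Compare the AuthAction value from a real AccessDeniedDetail against the user's attached policies in the same way to see which action still needs to be granted.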