
Platform For AI: Permission management

Last Updated: Mar 10, 2026

Grant RAM users access to PAI resources and authorize PAI to access dependent cloud services like OSS, MaxCompute, and VPC.

RAM user authorization

Alibaba Cloud accounts have full access by default. RAM users must be authorized before they can access resources through the console or APIs. Authorize RAM users in PAI using these methods:

Activate and purchase PAI resources

To activate PAI and purchase resources, add the AliyunPAIFullAccess policy.

Note

The AliyunPAIFullAccess policy grants extensive permissions. Use the Alibaba Cloud account for these operations instead.

Use PAI sub-services

PAI provides workspace-based permission management. Add RAM users as workspace members and assign roles like Resource Administrator (Alibaba Cloud Account/through RAM Authorization), Workspace Administrator/Owner, Algorithm Developer, Algorithm O&M Engineer, Labeling Administrator, or Visitor. See Appendix: Role and permission list for role permissions.

  • For iTAG, see iTAG personnel assignment for further permission settings.

  • EAS provides system policies to authorize RAM users. For example:

    • EAS management permissions: AliyunPAIEASFullAccess

    • EAS read-only permissions: AliyunPAIEASReadOnlyAccess

  • Most AI Acceleration features only require operation permissions of the corresponding sub-services (model development, training, and inference). Dataset acceleration requires AliyunPAIFullAccess and AliyunDatasetAccFullAccess permissions.

Activate and use other cloud services

PAI depends on these cloud services:

Dependent cloud services by PAI sub-service

| PAI sub-service | Dependent cloud service |
| --- | --- |
| iTAG | OSS |
| Designer | OSS, MaxCompute, Flink |
| DSW | OSS, NAS, VPC |
| DLC | OSS, NAS, VPC |
| AutoML | OSS, MaxCompute |
| EAS | OSS, API Gateway, SLS, VPC, Cloud Monitor |
| LangStudio | OSS, SLS, VPC, OpenTelemetry |
| AI asset management | ACR |

Note

Use the Alibaba Cloud account to activate cloud services (no authorization required). Control RAM account access through RAM policies (see RAM account usage authorization in the table below).

Workspace members have partial permissions for dependent cloud services based on their assigned roles. If permission issues occur when activating or using cloud services, refer to this table for authorization operations.

Example: To use a RAM user to activate OSS, add the system policy AliyunOSSFullAccess. For permission issues when using OSS, refer to OSS RAM Policy for RAM authorization.

| Cloud service | Policy required for activation | RAM account usage authorization | Operation guides |
| --- | --- | --- | --- |
| OSS | AliyunOSSFullAccess | OSS RAM Policy | |
| MaxCompute | AliyunBSSOrderAccess, AliyunDataWorksFullAccess | Add the MaxCompute Developer role for RAM accounts in the workspace. For more information, see Create and manage workspaces. | |
| Flink | AliyunStreamFullAccess | Management Console authorization | Activate: Activate real-time computing Flink version |
| NAS | AliyunNASFullAccess | Control NAS access permissions using RAM policies | |
| API Gateway | AliyunApiGatewayFullAccess | Use RAM to manage API | |
| SLS | AliyunLogFullAccess | SLS authentication rules | |
| VPC | AliyunVPCFullAccess | VPC authorization information | |
| Cloud Monitor | AliyunCloudMonitorFullAccess | Cloud Monitor authorization information | Common operations: Step 1: Configure alert contacts, Step 2: Configure alert rules |
| OpenTelemetry | AliyunARMSFullAccess | Implement permission separation using RAM users | Activate: Quick Start |
| ACR | AliyunContainerRegistryFullAccess | ACR RAM authorization information | Common operation: Build images using Enterprise instances |

PAI service authorization

Authorization is usually completed during PAI activation. If authorization steps are missed, authorization prompts appear in subsequent operation interfaces. Alternatively, check authorization status as follows (using Designer accessing OSS as an example):

  1. Log on to the PAI console.

  2. In the left navigation pane, click Activation & Authorization > Dependent Services, and find OSS under Designer.

  3. Check authorization status in the Actions column.

    • If not authorized, click Authorize in the Actions column and follow the instructions.

    • If authorized, click View Authorization in the Actions column to view details.

PAI sub-services access cloud services through regular service roles and service-linked roles. The "Dependent Services" page does not cover all scenarios. Refer to sub-service documentation as needed:

Appendix

Add a policy to a RAM user

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the required RAM user, and click Add Permissions in the Actions column.

    You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to all of them at the same time.

  4. In the Grant Permission panel, add permissions for the RAM user:

    • Resource Scope: Select Account.

    • Policy: Select the AliyunPAIFullAccess policy.

      Important

      A RAM user with this policy can purchase, create, and delete all resources and has administrator permissions on all workspaces. Use with caution.

      Refer to Create a custom policy to set minimum required policies for RAM users.

  5. Click Grant permissions.

  6. Click Close.

Create a custom policy

  1. Log on to the RAM console as a RAM administrator.

  2. In the left navigation pane, choose Permissions > Policies.

  3. Click Create Policy, choose the JSON tab, and configure this policy (grants RAM users permission to view all EAS model services).

    Important

    Follow the principle of least privilege when specifying policy documents.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "eas:ListServices"
                ],
                "Resource": "*"
            }
        ]
    }

For more information, see Create a custom policy in script editor mode.
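The least-privilege note above can be checked before a policy document is pasted into the JSON tab. The following Python script is an added example, not Alibaba Cloud code or tooling: it parses a policy document with the structure shown above and reports Allow statements whose Action or Resource is a wildcard. The function name `lint_policy`, the severity labels, and the `BROAD_POLICY` sample are assumptions made for illustration.

```python
import json

# The custom policy from the page: view all EAS model services.
PAGE_POLICY = """{"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["eas:ListServices"], "Resource": "*"}]}"""

# Constructed sample of an over-broad policy, for contrast (not from the page).
BROAD_POLICY = """{"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "eas:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["oss:GetObject", "*"], "Resource": "*"}]}"""


def _as_list(value):
    """Action and Resource may each be a single string or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def lint_policy(policy_json):
    """Return (statement_index, severity, message) for each broad Allow grant."""
    findings = []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny statement cannot widen access
        actions = _as_list(stmt.get("Action"))
        for action in actions:
            service, _, operation = action.partition(":")
            if service == "*":
                findings.append((i, "high", f"{action!r} allows every action"))
            elif "*" in operation:
                findings.append((i, "medium", f"{action!r} is a wildcard within {service}"))
        if actions and "*" in _as_list(stmt.get("Resource")):
            findings.append((i, "info", 'Resource "*" covers every resource'))
    return findings


if __name__ == "__main__":
    for name, doc in (("page policy", PAGE_POLICY), ("broad sample", BROAD_POLICY)):
        for index, severity, message in lint_policy(doc):
            print(f"{name}: statement {index}: {severity}: {message}")
```

The page's policy produces only the informational Resource finding, which is expected for a list-style action; the constructed sample produces the medium and high findings that warrant narrowing before the policy is saved.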