Before using Machine Learning Designer, grant permissions to two types of accounts: the operating account (root account or RAM user) that runs workloads, and the PAI service account that accesses dependent cloud services on your behalf.
Designer depends on Object Storage Service (OSS) to store intermediate data and trained models. Depending on which features you use, it may also depend on MaxCompute, Flink, or general training resources.
To view the full list of cloud product dependencies and their authorization status, log on to the PAI console and go to Activate and Authorize > All Cloud Product Dependencies.
Prerequisites
Before you begin, ensure that you have:
An Alibaba Cloud account (root account)
Access to the PAI console and RAM console
A PAI workspace (required to assign RAM users to workspace roles)
Permissions by scenario
The permissions you need depend on which Designer features you use. Use the following table to identify what to authorize.
| If you use... | Services to authorize |
|---|---|
| Basic Designer features only | Designer + OSS |
| Deep learning algorithm components | Designer + OSS |
| MaxCompute built-in algorithm components | Designer + OSS + MaxCompute |
| Flink algorithm components (e.g., PyAlink Script) | Designer + OSS + Flink |
| Custom Python Script component or general training | Designer + OSS + General computing resources |
| All Designer features | Designer + OSS + MaxCompute + Flink + General computing resources |
Grant operating account permissions
Designer
Designer provides a visual development environment for the machine learning lifecycle, including built-in algorithms.
| Account type | What to do |
|---|---|
| Root account | No additional authorization required. Root accounts have full access to Designer by default. |
| RAM user (recommended) | Add the RAM user as a workspace member and assign an appropriate role. For details on role permissions, see Appendix: Roles and permissions. For steps to add members, see Manage workspace members. |
General computing resources
Designer uses PAI general computing resources to run AI training workloads. Grant permissions before submitting training tasks.
Root account: Purchase general computing resources directly — no additional authorization needed.
RAM user: Grant the AliyunPAIFullAccess permission. For details, see Permission management.
To let a RAM user submit training tasks to computing resources associated with a workspace, add the RAM user to the workspace and assign the Developer, Algorithm O&M Engineer, or Administrator role.
OSS
Designer stores intermediate data and trained models in OSS buckets. Activate OSS and grant permissions before using deep learning algorithm components.
Activate OSS
| Account type | What to do |
|---|---|
| Root account | Activate OSS — no additional authorization needed. |
| RAM user | Grant the AliyunOSSFullAccess permission. See RAM Policy for details. |
For activation steps, see Activate OSS. To create a bucket after activation, see Create a bucket in the console.
Grant a RAM user access to OSS data in the PAI console
Operations in the PAI console — such as listing buckets, reading data, and writing data — require a custom OSS policy scoped to your bucket. Use the following steps to create the policy.
Define the access policy based on the actual permissions the RAM user needs. Avoid granting broader access than required.
Log on to the RAM console.
In the left navigation pane, choose Permission Management > Policies.
Click Create Policy.
On the Create Policy page, click the Script Editor tab, then enter the following policy document:
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:GetObject",
        "oss:ListObjects",
        "oss:DeleteObject",
        "oss:ListParts",
        "oss:PutObject",
        "oss:AbortMultipartUpload",
        "oss:GetBucketCors",
        "oss:DeleteBucketCors"
      ],
      "Resource": [
        "acs:oss:*:*:<yourBucketName>",
        "acs:oss:*:*:<yourBucketName>/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "oss:ListBuckets"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```
Replace <yourBucketName> with the name of the bucket to grant access to.
Enter a Name and Note for the policy, then click OK.
For a full reference on OSS authorization policies, see RAM Policy.
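The following check is an added example, not part of the original page or of Alibaba Cloud's tooling: it audits a RAM policy document before you paste it into the Script Editor and reports Allow statements that reach beyond the intended bucket. The function name `audit_oss_policy`, the bucket name `example-bucket`, and both sample policies are constructed for illustration.

```python
import json

# Only account-level listing may use Resource "*", as in the policy above.
ACCOUNT_LEVEL_ACTIONS = {"oss:ListBuckets"}

def _as_list(value):
    # RAM policy documents accept either a single string or a list here.
    return [value] if isinstance(value, str) else list(value)

def audit_oss_policy(policy_json, bucket):
    """Return findings for Allow statements that reach beyond `bucket`."""
    in_scope = {f"acs:oss:*:*:{bucket}", f"acs:oss:*:*:{bucket}/*"}
    findings = []
    for idx, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        resources = _as_list(stmt.get("Resource", []))
        # Wildcard actions such as oss:* grant far more than Designer needs.
        for action in sorted(a for a in actions if "*" in a):
            findings.append(f"statement {idx}: wildcard action {action}")
        # Resources outside the bucket are acceptable only for listing buckets.
        outside = sorted(r for r in resources if r not in in_scope)
        if outside and not (actions and actions <= ACCOUNT_LEVEL_ACTIONS):
            findings.append(f"statement {idx}: resource outside bucket: {outside}")
    return findings

# Constructed samples: same shape as the scoped policy above, and a broad grant.
SCOPED = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow",
     "Action": ["oss:GetObject", "oss:ListObjects", "oss:PutObject"],
     "Resource": ["acs:oss:*:*:example-bucket", "acs:oss:*:*:example-bucket/*"]},
    {"Effect": "Allow", "Action": ["oss:ListBuckets"], "Resource": "*"},
]})
BROAD = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "oss:*", "Resource": "*"},
]})

if __name__ == "__main__":
    for name, doc in (("scoped", SCOPED), ("broad", BROAD)):
        print(name, audit_oss_policy(doc, "example-bucket") or "ok")
```

An empty result means every Allow statement is confined to the named bucket, apart from the account-level `oss:ListBuckets` grant.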
MaxCompute
Designer includes hundreds of proprietary algorithms built on MaxCompute. To use these algorithm components, activate MaxCompute and grant the necessary permissions.
For activation and authorization steps, go to Activate and Authorize > All Cloud Product Dependencies in the PAI console and locate the MaxCompute section.
Flink
Designer provides algorithm components that run on Flink, such as the PyAlink Script component. To use these components, activate Flink and grant the necessary permissions.
For activation and authorization steps, go to Activate and Authorize > All Cloud Product Dependencies in the PAI console and locate the Flink section.
Grant PAI service account permissions
Authorization is usually completed when activating PAI. If authorization was not completed during activation, complete it as follows:
Log on to the PAI console.
In the left navigation pane, click Activate and Authorize > All Cloud Product Dependencies. In the Designer section, locate OSS.
Check the authorization status in the Actions column:
If OSS is not authorized, click Authorize and follow the on-screen instructions.
If OSS is already authorized, click View Authorization Information to review the details.