
Platform For AI: Permission management

Last Updated: Dec 09, 2025

Platform for AI (PAI) requires two aspects of authorization: RAM user authorization (activating and using the services) and service authorization (PAI accessing other Alibaba Cloud services).


Authorize RAM users

Alibaba Cloud accounts do not require additional authorization. RAM users must be authorized before they can log on to the console or use APIs to access resources under an Alibaba Cloud account. This section describes how to authorize RAM users in PAI usage scenarios through the following methods:

Authorize RAM users to activate PAI and purchase PAI resources

To activate PAI and purchase PAI resources, you need to attach the AliyunPAIFullAccess policy to the RAM user.

Note

The AliyunPAIFullAccess policy grants extensive permissions. We recommend that you use the Alibaba Cloud account for these operations instead.

Authorize RAM users to use PAI sub-services

PAI provides the ability to manage permissions through workspaces. You can add RAM users as workspace members and grant different RAM accounts the permissions of Resource Administrator (Alibaba Cloud Account/through RAM Authorization), Workspace Administrator/Owner, Algorithm Developer, Algorithm O&M Engineer, Labeling Administrator, and Visitor member roles. For role permissions, see Appendix: Role and permission list.

  • For iTAG, see iTAG personnel assignment for further permission settings.

  • EAS provides system policies to authorize RAM users. For example:

    • EAS management permissions: AliyunPAIEASFullAccess.

    • EAS read-only permissions: AliyunPAIEASReadOnlyAccess.

  • Most AI Acceleration features only require the operation permissions of the corresponding model development, training, and inference sub-services, with no additional authorization needed. When using dataset acceleration only, RAM accounts need the AliyunPAIFullAccess and AliyunDatasetAccFullAccess permissions.

Authorize RAM users to activate/use other cloud services

The following table lists other services that PAI depends on:


| PAI sub-service     | Dependent cloud service                     |
|---------------------|---------------------------------------------|
| iTAG                | OSS                                         |
| Designer            | OSS, MaxCompute, Flink                      |
| DSW                 | OSS, NAS, VPC                               |
| DLC                 | OSS, NAS, VPC                               |
| AutoML              | OSS, MaxCompute                             |
| EAS                 | OSS, API Gateway, SLS, VPC, Cloud Monitor   |
| LangStudio          | OSS, SLS, VPC, OpenTelemetry                |
| AI asset management | ACR                                         |

Note

We recommend using the Alibaba Cloud account to activate other cloud services (no additional authorization required) and controlling RAM accounts' access to other cloud services through RAM policies (see the RAM account usage authorization in the table below).

If your RAM users have been added as workspace members, they will have partial permissions for other cloud services based on their assigned roles. If you encounter permission issues when activating or using other cloud services, you can refer to the following table for authorization operations.

For example: To use a RAM user to activate OSS, you need to add the system policy AliyunOSSFullAccess to the RAM user. If you encounter permission issues when using OSS, you can refer to OSS RAM Policy for RAM authorization.

| Dependent cloud service | Policy required for activation | RAM account usage authorization | Operation guide |
|-------------------------|--------------------------------|---------------------------------|-----------------|
| OSS | AliyunOSSFullAccess | OSS RAM Policy | |
| MaxCompute | AliyunBSSOrderAccess, AliyunDataWorksFullAccess | Add the MaxCompute Developer role for RAM accounts in the workspace. For more information, see Create and manage workspaces. | |
| Flink | AliyunStreamFullAccess | Management Console authorization | Activation: Activate real-time computing Flink version |
| NAS | AliyunNASFullAccess | Control NAS access permissions using RAM policies | |
| API Gateway | AliyunApiGatewayFullAccess | Use RAM to manage API | |
| SLS | AliyunLogFullAccess | SLS authentication rules | |
| VPC | AliyunVPCFullAccess | VPC authorization information | |
| Cloud Monitor | AliyunCloudMonitorFullAccess | Cloud Monitor authorization information | Common operations: Step 1: Configure alert contacts, Step 2: Configure alert rules |
| OpenTelemetry | AliyunARMSFullAccess | Implement permission separation using RAM users | Activation: Quick Start |
| ACR | AliyunContainerRegistryFullAccess | ACR RAM authorization information | Common operation: Build images using Enterprise instances |

Authorize PAI to access other cloud services

Authorization is usually completed when PAI is activated. If any authorization operations were missed during activation, you will be prompted to authorize when needed in subsequent operation interfaces. You can also refer to the following steps to check the authorization status. Taking Designer accessing OSS as an example:

  1. Log on to the PAI console.

  2. In the navigation pane on the left, click Activation & Authorization > Dependent Services, and find OSS under the Designer function module.

  3. Check the authorization status of OSS in the Actions column.

    • If not yet authorized, click Authorize in the Actions column and follow the instructions to complete the authorization.

    • If authorization is complete, click View Authorization in the Actions column to view details.

PAI sub-services access other cloud services through two methods: regular service roles and service-linked roles. The current "Dependent Services" page does not cover all situations. You can also refer to the introduction of each sub-service as needed:

Appendix

Add a policy to a RAM user (such as AliyunPAIFullAccess)

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the required RAM user, and click Add Permissions in the Actions column.


    You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to the RAM users at a time.

  4. In the Grant Permission panel, add permissions for the RAM user. Where:

    • Resource Scope: Select Account.

    • Policy: Select the AliyunPAIFullAccess policy.

      Important

      A RAM user with this system policy can purchase, create, and delete all types of resources and has administrator permissions on all workspaces. Proceed with caution.

      You can refer to Create a custom policy to set the minimum available policy for RAM users.

  5. Click Grant permissions.

  6. Click Close.

Create a custom policy

  1. Log on to the RAM console as a RAM administrator.

  2. In the navigation pane on the left, choose Permissions > Policies.

  3. Click Create Policy, click the JSON tab, and configure the following policy (it grants RAM users permission to view the list of all EAS model services in the account).

    Important

    When you specify the policy document, we recommend that you follow the principle of least privilege.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "eas:ListServices"
                ],
                "Resource": "*"
            }
        ]
    }

For more information, see Create a custom policy in script editor mode.
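As an added illustration (not code from this page or from Alibaba Cloud), a small Python audit of a RAM policy document in the format shown above: it re-checks the page's eas:ListServices policy and a constructed over-broad policy against the least-privilege recommendation, flagging wildcard actions and mutating actions granted on every resource. The read-only action prefixes and the constructed second policy are assumptions of this example.

```python
import json

# RAM policy document from the page: lets a RAM user list EAS services only.
LIST_EAS_POLICY = """{
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["eas:ListServices"], "Resource": "*"}
    ]
}"""

# Constructed counter-example (not from the page): a grant a policy reviewer should push back on.
BROAD_POLICY = """{
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "eas:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["oss:GetObject", "oss:DeleteBucket"],
         "Resource": "acs:oss:*:*:example-bucket/*"}
    ]
}"""

# Assumption of this example: operations with these prefixes are treated as read-only.
READ_ONLY_PREFIXES = ("List", "Describe", "Get", "Query")


def _as_list(value):
    """RAM policy documents accept either a string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy_text):
    """Return (severity, message) findings for Allow statements that depart from
    least privilege: wildcard actions, or mutating actions on every resource."""
    doc = json.loads(policy_text)
    findings = []
    if doc.get("Version") != "1":
        findings.append(("high", 'Version must be "1" for a RAM policy document'))
    for idx, stmt in enumerate(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access, so they are not flagged
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            _service, _, op = action.partition(":")
            if action == "*" or op == "*":
                findings.append(("high", f"statement {idx}: wildcard action {action!r}"))
            elif not op.startswith(READ_ONLY_PREFIXES) and "*" in resources:
                findings.append(("medium", f"statement {idx}: mutating action {action!r} on all resources"))
    return findings
```

The page's eas:ListServices policy produces no findings; the constructed policy is flagged for its eas:* wildcard, while the scoped OSS statement passes this heuristic.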