This topic describes the system policies supported by Platform for AI (PAI) and the corresponding permissions.
What is a system policy?
A policy defines a set of permissions that are described based on the policy structure and syntax. You can use policies to describe the authorized resource sets, authorized operation sets, and authorization conditions. Alibaba Cloud Resource Access Management (RAM) provides system policies and custom policies. All system policies are created and updated by Alibaba Cloud. You can use system policies but cannot modify them. You can create, update, and delete custom policies based on your business requirements. During service iteration, PAI adds new permissions to system policies to support new features and capabilities. The update of a system policy affects all RAM identities to which the policy is attached, including RAM users, RAM user groups, and RAM roles. For more information about RAM policies, see Policy overview.
System policies help new users quickly get started with Alibaba Cloud services in the Alibaba Cloud Management Console. New users to which system policies of PAI are attached can access PAI and its dependent services with a few clicks. System policies also allow users to use more advanced methods, such as API operations or CLI commands. If you are familiar with the advanced methods, we recommend that you use custom policies to implement finer-grained control over which users can call specific API operations and to improve security.
System policies can be classified into service system policies, service role policies, and service-linked role policies. Specific cloud services provide only one or two of the three types of policies. For information about the policy types supported by PAI, see the following section.
Service system policies
Platform for AI (PAI)
AliyunPAIFullAccess
You can attach this policy to RAM users and roles to grant management permissions on PAI.
For more information, see AliyunPAIFullAccess.
AliyunPAIReadOnlyAccess
You can attach this policy to RAM users and roles to grant read-only access permissions to PAI.
For more information, see AliyunPAIReadOnlyAccess.
Dataset Accelerator (PAI-DatasetAcc)
AliyunDatasetAccFullAccess
You can attach this policy to RAM users and roles to grant permissions on DatasetAcc.
For more information, see AliyunDatasetAccFullAccess.
AliyunDatasetAccReadOnlyAccess
You can attach this policy to RAM users and roles to grant read-only access permissions to DatasetAcc.
For more information, see AliyunDatasetAccReadOnlyAccess.
Online model services (PAI-EAS)
AliyunPAIEASFullAccess
You can attach this policy to RAM users and roles to grant management permissions on PAI-EAS.
For more information, see AliyunPAIEASFullAccess.
AliyunPAIEASReadOnlyAccess
You can attach this policy to RAM users and roles to grant read-only access to PAI-EAS.
For more information, see AliyunPAIEASReadOnlyAccess.
Service-linked role policies
AliyunServiceRolePolicyForPaiLangStudio
By default, PAI uses the AliyunServiceRoleForPaiLangStudio service-linked role to access your resources in other Alibaba Cloud services. The AliyunServiceRolePolicyForPaiLangStudio policy is the dedicated authorization policy of the role. This policy is defined and used by PAI. You can use this policy, but cannot modify or delete it. Do not attach this policy to a RAM user or role other than the service-linked role.
For more information, see AliyunServiceRolePolicyForPaiLangStudio.
AliyunServiceRolePolicyForPAIABTest
By default, PAIABTest uses the AliyunServiceRoleForPAIABTest service-linked role to access your resources in other Alibaba Cloud services. The AliyunServiceRolePolicyForPAIABTest policy is the dedicated authorization policy of the role. This policy is defined and used by PAIABTest. You can use the policy, but cannot modify or delete it. Do not attach this policy to a RAM user or role other than the service-linked role.
For more information, see AliyunServiceRolePolicyForPAIABTest.
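The following audit script is an added example, not code from Alibaba Cloud or the PAI documentation. It checks an attachment inventory against the guidance above: service-linked role policies must sit only on their own service-linked role, and full-access system policies are flagged for review against their read-only counterparts. The policy and role names come from this page; the record layout, the finding labels, and the sample principals are assumptions made for the example.

```python
# Added example: audits a constructed RAM attachment inventory against this page's guidance.
# Policy and role names come from the page; record layout and labels are assumptions.
SLR_POLICY_OWNER = {  # service-linked role policy -> the only role it belongs on
    "AliyunServiceRolePolicyForPaiLangStudio": "AliyunServiceRoleForPaiLangStudio",
    "AliyunServiceRolePolicyForPAIABTest": "AliyunServiceRoleForPAIABTest",
}
FULL_TO_READONLY = {  # full-access system policy -> read-only counterpart
    "AliyunPAIFullAccess": "AliyunPAIReadOnlyAccess",
    "AliyunDatasetAccFullAccess": "AliyunDatasetAccReadOnlyAccess",
    "AliyunPAIEASFullAccess": "AliyunPAIEASReadOnlyAccess",
}

def audit_attachments(attachments):
    """Return (label, principal, policy, reason) findings, sorted by principal and policy."""
    held = {}  # (principal type, principal name) -> set of attached policy names
    for rec in attachments:
        held.setdefault((rec["type"], rec["name"]), set()).add(rec["policy"])
    findings = []
    for (ptype, pname), policies in held.items():
        who = f"{ptype}:{pname}"
        for policy in policies:
            owner = SLR_POLICY_OWNER.get(policy)
            if owner and (ptype, pname) != ("role", owner):
                # The page says not to attach this policy to any other user or role.
                findings.append(("VIOLATION", who, policy, "SLR_POLICY_MISATTACHED"))
            readonly = FULL_TO_READONLY.get(policy)
            if readonly:
                # Broad grant: candidate for the read-only policy or a custom policy.
                findings.append(("REVIEW", who, policy, "FULL_ACCESS_GRANTED"))
                if readonly in policies:
                    # Assumed redundant: read-only held alongside its full-access counterpart.
                    findings.append(("INFO", who, readonly, "READONLY_ALONGSIDE_FULL"))
    return sorted(findings, key=lambda f: (f[1], f[2]))

# Constructed sample inventory (not real account data).
SAMPLE = [
    {"type": "role", "name": "AliyunServiceRoleForPaiLangStudio",
     "policy": "AliyunServiceRolePolicyForPaiLangStudio"},
    {"type": "user", "name": "ml-intern", "policy": "AliyunServiceRolePolicyForPAIABTest"},
    {"type": "user", "name": "ml-intern", "policy": "AliyunPAIEASReadOnlyAccess"},
    {"type": "group", "name": "data-science", "policy": "AliyunPAIFullAccess"},
    {"type": "group", "name": "data-science", "policy": "AliyunPAIReadOnlyAccess"},
    {"type": "role", "name": "ci-deployer", "policy": "AliyunPAIEASFullAccess"},
]

if __name__ == "__main__":
    for finding in audit_attachments(SAMPLE):
        print(*finding, sep="  ")
```

A finding on a RAM user group applies to every member of the group, so group-level REVIEW findings are worth handling first.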
References
By default, RAM users or roles are not granted permissions and cannot access Alibaba Cloud services until the administrator of the Alibaba Cloud account to which the RAM user or role belongs grants the required permissions to them. To ensure resource security, we recommend that you grant only the required permissions to the RAM users and roles based on the principle of least privilege. For more information, see the following topics: