The first time you use iTAG of Machine Learning Platform for AI (PAI), you must grant the Object Storage Service (OSS) access permissions to the service-linked role of iTAG. iTAG provides personnel roles for labeling operations, such as administrator, labeling team leader, or labeling worker. You can assign relevant roles to the RAM users you use to manage operation permissions. This topic describes how to grant permissions to an operation account, the permissions of the three labeling roles, and how to assign these roles to a RAM user.
Authorize the operation account
iTAG is an intelligent data labeling platform that supports multiple data types, such as image, text, video, and audio, as well as multimodal labeling. You may need to activate and authorize the following cloud services when you use iTAG.
PAI module: iTAG
Operation account
Scenario
Reference
Alibaba Cloud account
You can use an Alibaba Cloud account to operate on iTAG. No additional authorization is needed.
N/A
RAM user
(Recommended)
PAI provides different member roles. You can assume different member roles to the RAM users for convenient permission management. For more information about the permissions of each role, go to the Roles and Permissions page.
Dependent cloud service: OSS
The input and output of dataset labeling need to use OSS as a data source. Therefore, you need to activate and authorize OSS before you start labeling.
Scenario
Description
Reference
Activate OSS
We recommend that you use an Alibaba Cloud account to activate OSS. No additional authorization is required. If you want to use a RAM user to activate OSS, you need to grant the
AliyunOSSFullAccess
permissions to the RAM user.Activation: Activate OSS
Authorization: Overview of RAM policy
Common operations: Create buckets
Use OSS
Use OSS after activation:
Authorization: OSS provides detailed RAM control policies. You can grant permissions to RAM users as needed.
Common operations: You need to create a bucket to upload objects to OSS.
iTAG personnel
Permissions
The following table describes the permissions of each role type.
Role | Description | Permission |
Administrator | The person who requires labeling results and manages labeling jobs. An administrator creates datasets and labeling jobs, and distributes job packages to labeling team leaders or labeling workers. After the data in the job packages is labeled, the administrator reviews the labeling results and decides whether to accept or reject the job packages. |
|
Labeling team leader | The owner of labeling jobs and manager of labeling workers. A labeling team leader can manage the labeling workforce, and can also claim and review job packages. |
|
Labeling worker | The person who labels data in job packages. A labeling worker can claim and review job packages. |
|
Assign a role
Assign a role to a RAM user
Log on to the PAI console.
On the Workspace Details page of the workspace, add a RAM user as a member of the workspace. For more information, see Manage the members of a workspace.
When you add a RAM user as a workspace member, select a workspace role for the RAM user based on the iTAG role that you want to assign to the RAM user. The following table describes the mappings between the two types of roles.
iTAG role
Workspace role
Administrator, labeling team leader, or labeling worker
Administrator or labeling administrator
Labeling team leader or labeling worker
Any role
Follow the instructions shown in the figure to go to the Users tab of the iTAG page.
Choose .
In the Add Account dialog box, select the RAM user, set Role for the user, and then click OK.
Assign a role to another Alibaba cloud account
You can assign only the labeling team leader or labeling worker role to another Alibaba Cloud account.
Follow the instructions shown in the figure to go to the Users tab of the iTAG page.
Choose .
In the Add Contract Account dialog box, set the required parameters and click OK.
For more information about how to obtain the ID of an Alibaba Cloud account, see Endpoints.