Grant management layer permissions to your RAM user so that the user can manage workspaces, accounts, and all API keys. This topic describes how to grant management layer permissions.
If you are not familiar with concepts such as RAM user, management layer permission, or workspace, read Permissions first.
Use your Alibaba Cloud account to perform the following operations. If you need to use a RAM user, you must first grant it the AliyunRAMFullAccess system policy. For more information, see Grant permissions to a RAM user.
Procedure
Step 1: Create a RAM user
Skip this step if you already have one.
For more information, see Create a RAM user.
Step 2: Grant a management layer permission
Grant your RAM user the permission to manage workspaces, accounts, and all API keys in Model Studio.
In the RAM Console, choose from the left-side navigation pane.
Click Add Permissions in the Actions column of the created RAM user.
On the Grant Permission panel, set Resource Scope to Account.
In the Policy section, select AliyunBailianControlFullAccess or one of the policies in the following list. Click Grant permissions.
We recommend that you assign only the minimum permissions required to avoid security risks.
Only AliyunBailianFullAccess allows the user to activate new features and pay subscription bills. See More permissions required.
AliyunBailianFullAccess: Grants full management layer and data permissions.
Note: Data permissions are different from data layer permissions. This policy does not grant workspace permissions.
Management layer: All permissions, including:
Data: Manage permissions, including:
Create, manage, and access structured knowledge bases.
Use the hit test feature of knowledge bases.
Call all APIs in the API catalog.
AliyunBailianReadOnlyAccess: Grants limited management layer permissions (read-only) and limited data permissions (read-only).
Note: Data permissions are different from data layer permissions. This policy does not grant workspace permissions.
Management layer: Limited permissions (read-only), including:
Read-only access to workspaces, accounts, and all API keys.
Cannot activate new features.
For the essential permissions required to pay subscription bills, see FAQ.
Data: Read-only access to OpenAPI.
Cannot create, manage, or access structured knowledge bases.
Cannot use the hit test feature of knowledge bases.
Cannot call APIs that add, delete, or modify data in the API catalog, such as Retrieve, AddFile, and CreateIndex.
Can call read-only APIs in the API catalog, such as DescribeFile and GetIndexJobStatus.
AliyunBailianControlFullAccess: Grants limited management layer permissions (control).
Management layer: Limited permissions (control), including:
Manage workspaces, accounts, and all API keys.
Cannot activate new features.
For the essential permissions required to pay subscription bills, see FAQ.
AliyunBailianControlReadOnlyAccess: Grants limited management layer permissions (read-only).
Management layer: Limited permissions (read-only), including:
Read-only access to workspaces, accounts, and all API keys.
Cannot activate new features.
For the essential permissions required to pay subscription bills, see FAQ.
(Optional) To revoke a permission, see Revoke permissions from a RAM user.
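A least-privilege check for the policy choice in Step 2, added here as an example and not Alibaba Cloud's own code. The capability labels, the assumption that manage access includes the matching read-only access, and the sample JSON (constructed, in the shape of a RAM ListPoliciesForUser response) are assumptions of the example.

```python
import json

# Capability labels are hypothetical names for the abilities this topic lists.
# Assumption: "manage" access also covers the matching read-only access.
POLICIES = {
    "AliyunBailianFullAccess": {"mgmt_read", "mgmt_manage", "activate_features",
                                "pay_bills", "data_read", "data_manage"},
    "AliyunBailianReadOnlyAccess": {"mgmt_read", "data_read"},
    "AliyunBailianControlFullAccess": {"mgmt_read", "mgmt_manage"},
    "AliyunBailianControlReadOnlyAccess": {"mgmt_read"},
}

def minimal_policy(required):
    """Return the narrowest listed policy that covers every required capability."""
    required = set(required)
    unknown = required - POLICIES["AliyunBailianFullAccess"]
    if unknown:
        raise ValueError(f"unknown capabilities: {sorted(unknown)}")
    candidates = [n for n, caps in POLICIES.items() if required <= caps]
    return min(candidates, key=lambda n: len(POLICIES[n]))

def audit(list_policies_json, required):
    """Flag attached policies that exceed, or fail to cover, the required set."""
    required = set(required)
    target = minimal_policy(required)
    attached = [p["PolicyName"]
                for p in json.loads(list_policies_json)["Policies"]["Policy"]]
    findings = []
    for name in attached:
        if name == "AliyunRAMFullAccess":
            # This topic asks for it only on the operator performing the grant.
            findings.append((name, "RAM administration policy still attached"))
        elif name in POLICIES and POLICIES[name] > POLICIES[target]:
            extra = sorted(POLICIES[name] - POLICIES[target])
            findings.append((name, f"grants unneeded {extra}; use {target}"))
    if not any(required <= POLICIES.get(n, set()) for n in attached):
        findings.append((target, "missing: required capabilities not covered"))
    return findings

# Constructed sample in the shape of a RAM ListPoliciesForUser response.
SAMPLE = json.dumps({"Policies": {"Policy": [
    {"PolicyName": "AliyunBailianFullAccess", "PolicyType": "System"},
    {"PolicyName": "AliyunRAMFullAccess", "PolicyType": "System"},
]}})

if __name__ == "__main__":
    for name, reason in audit(SAMPLE, {"mgmt_manage"}):
        print(f"{name}: {reason}")
```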
Next step
Use the RAM user to log on to the Model Studio console. If you are not able to access the workspace, the RAM user still lacks data layer permissions.
Management layer permission alone does not give your RAM user access to a workspace. You must also grant data layer permission. For more information, see Grant workspace access to a RAM user.