
Alibaba Cloud Model Studio: Grant data permissions to a RAM user

Last Updated: Feb 17, 2025

Grant data permissions to your RAM user so that the user can use structured knowledge bases or call APIs related to data management and prompt engineering.

For the latest list of APIs related to knowledge bases, data management, and prompt engineering, and their input and output parameters, see API catalog. We recommend that you use the latest version of the SDK to call these APIs.
If you are not familiar with concepts such as RAM user and data permission, read Permissions first.
Use your Alibaba Cloud account to perform the following operations. If you need to use a RAM user, you must first grant it the AliyunRAMFullAccess system policy. For more information, see Grant permissions to a RAM user.

Procedure

Step 1: Create a RAM user

Skip this step if you already have one.

For instructions, see Create a RAM user.

Step 2: Grant data permission

  1. In the RAM Console, choose Identities > Users from the left-side navigation pane.

  2. Click Add Permissions in the Actions column of the created RAM user.


  3. In the Policy section, select AliyunBailianDataFullAccess or one of the policies in the following list. Click Grant permissions.

    We recommend that you assign only the minimum permissions required to avoid security risks.
    1. AliyunBailianDataFullAccess: Grants data permissions.

      Note: Data permissions are different from data layer permissions. This policy does not grant workspace permissions.
    2. AliyunBailianDataReadOnlyAccess: Grants limited data permissions.

      Note: Data permissions are different from data layer permissions. This policy does not grant workspace permissions.
Important

Data permissions do not automatically enable your RAM user to call APIs listed in the API catalog. Due to Model Studio's multitenancy architecture, you must specify a workspace when making API calls. You must assign at least one workspace to your RAM user.

What to do next

Grant workspace access to the RAM user

Advanced usage

Configure custom policy

To restrict a specific RAM user from accessing a particular API in the API catalog, follow the steps below:

1. Create a custom policy
  1. In the left-side navigation pane of the RAM console, choose Permissions > Policies.

    Click Create Policy and configure the policy.

    • Effect: Select Allow or Deny.

      Specifies whether the user is allowed to perform this operation or prohibited from performing it.
    • Service: Select Alibaba Cloud Model Studio / SFM.

    • Action: Select All actions or Select Actions.

      Enter the desired permission (action) name in the search box, such as sfm:CreateIndex.

      List of permission (action) names.
      When Effect is Allow, selecting All actions grants the RAM user access to all APIs in the API catalog.
  2. In the dialog box that appears, specify a name and description.

    Then, click OK.


2. Grant custom policy to RAM user
  1. Click Grant Permission on the page that appears.

    Or, choose Grants in the left-side navigation pane and click Grant Permission.

    • Resource Scope: Select Account.

    • Principal: Select one or more RAM users to be authorized.

    • Policy: Enter the custom policy you just created in the search box and select it.

  2. Click Grant permissions.

  3. (Optional) Revoke permissions from a RAM user.
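
As an added example (not part of the original documentation), the following Python sketch audits the JSON form of a custom policy like the one configured in the steps above: it flags Allow statements that cover every sfm action and checks whether a given action ends up permitted, with an explicit Deny taking precedence. The policy document is constructed for illustration, and the evaluation is simplified: the Resource value "*" is an assumption, and Resource and Condition elements are not evaluated.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample policy: allows every Model Studio (sfm) action, then
# denies sfm:CreateIndex, the action name used as an example on this page.
SAMPLE_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": "sfm:*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["sfm:CreateIndex"], "Resource": "*"}
  ]
}
""")


def _actions(stmt):
    """Action may be a single string or a list of strings."""
    value = stmt.get("Action", [])
    return [value] if isinstance(value, str) else list(value)


def broad_allows(policy, service="sfm"):
    """Return (index, patterns) for Allow statements covering all actions of the service."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        wild = [a for a in _actions(stmt) if a in ("*", f"{service}:*")]
        if wild:
            findings.append((index, wild))
    return findings


def is_permitted(policy, action):
    """Simplified check: explicit Deny wins, otherwise any matching Allow, else implicit deny.

    Assumption: Resource and Condition elements are ignored.
    """
    allowed = False
    for stmt in policy.get("Statement", []):
        if not any(fnmatchcase(action, pattern) for pattern in _actions(stmt)):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed
```

Running `broad_allows` over each custom policy before attaching it shows where an All actions grant should be narrowed to the specific actions the RAM user needs.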
