Permissions - Alibaba Cloud Model Studio - Alibaba Cloud Documentation Center

The Alibaba Cloud account and its RAM users can jointly use Alibaba Cloud Model Studio. You can assign corresponding workspaces, features, and model permissions based on account functions to reduce security risks.

Workspace: If your account has multiple businesses or scenarios using Model Studio, and you need to manage them separately, divide them into separate workspaces to control model access and isolate data.

Account description

To use Model Studio, you must first have an account and log in. Choose from the following account types:

Alibaba Cloud account: The primary account that can create, manage, and authorize RAM users.
RAM user: The sub-account that can be created, managed, and authorized in the RAM console, by Alibaba Cloud account or by another RAM user with specific system policies. This allow different RAM users to have different resource access permissions. Learn more about RAM users

If you are not familiar with Model Studio, read the following section first: Permission management system overview.

Permission management system overview

The permissions of Model Studio are categorized into data layer (basic, allow the use of Model Studio) and management layer (advanced, allow the global management) permissions. The two categories do not overlap.

The Alibaba Cloud account that activates Model Studio has all data layer and management layer permissions by default.

Category	Description	How to get
Data layer	Specifies which workspaces a user can access and which features within the workspaces it can use.	Alibaba Cloud account: the Alibaba Cloud account that activates Model Studio has all data layer permissions. RAM user (or RAM role): See Obtain data layer permissions.
Management layer	Specifies whether a user can manage Model Studio, including: Create and edit workspaces. Currently, you cannot delete workspaces. Add, delete, edit, and view permissions for all members under a workspace. Create, delete, and view all members' API keys under a workspace. Activate new features and the essential permissions for paying subscription bills, see the permissions required.	Alibaba Cloud account: the Alibaba Cloud account that activates Model Studio has all management layer permissions. RAM user (or RAM role): See Obtain management layer permissions.

Important

Typically, if a RAM user or RAM role only needs to use authorized features, APIs, and models, data layer permissions alone are sufficient. If the user also needs to manage workspaces, accounts, and all members' API keys, or activate features for others, both data layer and management layer permissions are required.

Activate Model Studio and register new user

Step 1: Activate Alibaba Cloud Model Studio

Yu must use Alibaba Cloud account to activate Model Studio.

Register an account:If you do not have an Alibaba Cloud account, you must register for one and complete account verification.
Activate Model Studio: Go to the Model Studio console. Read and agree to the Service Agreement, and Model Studio will be automatically activated. The system will create a default Model Studio workspace that you can use directly.

What to do if I failed to activate Model Studio?

To keep your account secure, your order is suspended. For more information, you can contact Customer Service.Error code: RISK.RISK_CONTROL_REJECTION
This is because a security issue has been identified in your account. Please go to KYC Verification and submit the required information. After receiving the information, the relevant team will process them and inform you through email. The process may take 1 to 3 working days.
进入百炼平台开通时出错：订单配置参数不符合校验条件，请重新选配商品！错误码：COMMODITY.INVALID_COMPONENT or ORD_T_INVOKE_ACD_ERROR
This is because you are trying to activate Model Studio China site, but your account is of the International site. To solve this and activate Model Studio, use this link (alibabacloud.com) instead.
Your information is incomplete. Complete the required information and try again. Error code: BASIC_INFO_UNCOMPLETED
This is because you haven't completed all your personal information, including a valid payment method. Complete all required information for your account and try again.

Step 2: Register new users

After activating the service, you can choose to use Model Studio by using the Alibaba Cloud account, a RAM user, or a RAM role. The difference is that RAM users or RAM roles require authorization from the Alibaba Cloud account to manage workspaces, accounts, and API keys, activate features, and pay subscription bills.

Use Alibaba Cloud account: With Model Studio activated, the system adds you to the default workspace and grant you the Super Admin role. Super Admin is globally unique, it can access and manage all workspaces and data, and cannot be changed. Then, you can get started immediately.

Using a RAM user or RAM role: Take the following steps to register and authorize a new user.

RAM user

Step	Description
Step 1: Create a RAM user	Create a RAM user
Step 2: Obtain data layer permissions	Use the Alibaba Cloud account that activated Model Studio to add your RAM user as a member of the corresponding workspace. Workspace members with management layer permissions can also perform this step. The change typically takes effect within seconds. Slight delays may occur during peak periods. Once effective, your RAM user can access the workspace. Important About model authorization (important for sub-workspace members) Members of the default workspace do not need model authorization and can skip this note. The members of a sub-workspace can only call a model if the model is authorized for the sub-workspace. First authorize models for a sub-workspace. Important About knowledge base and API If your RAM user needs to use knowledge bases, or access data management and prompt engineering through the API, first get data permissions.
Step 3 (Optional): Obtain management layer permissions	To enable the RAM user to manage Model Studio, get management layer permissions.
Next step	Start using Model Studio.

RAM role

Step	Description
Step 1: Create a RAM user and assign a RAM role	For specific operations, see steps 1 to 3 in Log on and use Model Studio as a RAM role.
Step 2: Obtain data layer permissions	Use the Alibaba Cloud account that activated Model Studio to add your RAM role as a member of the workspace. For specific operations, see step 4 in Step 4: Grant workspace permissions. Workspace members with management layer permissions can also perform this step. The change typically takes effect within seconds. Slight delays may occur during peak periods. Once effective, your RAM role can access the workspace. Important About model authorization (important for sub-workspace members) Members of the default workspace do not need model authorization and can skip this note. The members of a sub-workspace can only call a model if the model is authorized for the sub-workspace. First authorize models for a sub-workspace. Important About knowledge base and API If your RAM role needs to use knowledge bases, or access data management and prompt engineering through the API, the Super Admin must grant it data permissions.
Step 3 (Optional): Obtain management layer permissions	If your RAM role needs to add other accounts or manage and authorize accounts, get management layer permissions. For specific operations, see step 6 in Step 6 (Optional): Grant management layer permissions.
Next step	Start using Model Studio.

FAQ

Why can't I find the entry to create a workspace or manage accounts?

Use the Alibaba Cloud account to grant management layer permissions for your RAM user (or RAM role) in the RAM console.

How to view my bills when using a RAM user or RAM role?

Currently, you cannot use RAM users (or RAM roles) to view bills for a specific service (such as Model Studio). But you can view bills for all services:

Use the Alibaba Cloud account to grant the AliyunBSSReadOnlyAccess system policy for your RAM user (or RAM role) in the RAM console.

What should I do if a bss:PayOrder error occurs when paying for subscription bills?

Use the Alibaba Cloud account to grant the AliyunBSSOrderAccess system policy and one of the management layer permissions (AliyunBailianFullAccess, AliyunBailianReadOnlyAccess, AliyunBailianControlFullAccess, or AliyunBailianControlReadOnlyAccess) in the RAM console.

When activating the model calling service, I encounter an ORD_T_INVOKE_ACD_ERROR error. How should I handle this?

The Model Studio console is divided into China site and international site. Alibaba Cloud accounts on the international site (alibabacloud.com) cannot use China site. Go to Model Studio console (international site) and try again.

What should I do if an error occurs saying that I do not have the AliyunSFMFullAccess/AliyunBailianFullAccess permissions?

Use the Alibaba Cloud account to grant the AliyunBailianFullAccess system policy for your RAM user (or RAM role) in the RAM console.

What should I do if an error occurs saying "You are not authorized to do this operation. Action: sfm:CreateSession"?

Use the Alibaba Cloud account to grant the AliyunBailianDataFullAccess system policy for your RAM user (or RAM role) in the RAM console.

What should I do if a NoPermission, sfm:GetRetrievePromptPipelineMaxLimit error occurs?

Use the Alibaba Cloud account to grant the AliyunBailianDataFullAccess system policy for your RAM user (or RAM role) in the RAM console.

What RAM permissions are required when activating new features using a RAM user or RAM role?

Feature	Required RAM permissions
Model calling	Use the Alibaba Cloud account to grant the `AliyunBailianFullAccess` system policy for your RAM user (or RAM role) in the RAM console. Other management layer permissions are not applicable. Grant permissions to a RAM user Grant permissions to a RAM role
Pay for subscription bills	Use the Alibaba Cloud account to grant the `AliyunBSSOrderAccess` system policy and one of the management layer permissions (`AliyunBailianFullAccess`, `AliyunBailianReadOnlyAccess`, `AliyunBailianControlFullAccess`, or `AliyunBailianControlReadOnlyAccess`) in the RAM console. Grant permissions to a RAM user Grant permissions to a RAM role