Permissions Management
If you need to assign different permissions to different employees in your enterprise to access ModelArts resources, IAM is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, and provides secure access to resources.
With IAM, you can use your account to create IAM users for your employees, and assign permissions to control their access to specific resource types. For example, you have a requirement that certain software developers in your enterprise need to use ModelArts resources but should not be allowed to delete the resources or perform any high-risk operations. To meet this requirement, you can create IAM users and grant them permissions that only allow them to use ModelArts resources.
If the account has met your requirements, you do not need to create an independent IAM user for permission management. Then you can skip this section. This will not affect other functions of ModelArts.
IAM can be used free of charge. You pay only for the resources in your account. For more information about IAM, see the Identity and Access Management Service Overview.
ModelArts Permissions
By default, new IAM users do not have any permissions assigned. You need to add a user to one or more groups, and assign permissions policies or roles to these groups. Users inherit permissions of the groups to which they are added. This process is called authorization. After authorization, users can perform operations on ModelArts based on permissions.
To assign ModelArts permissions to a user group, specify the scope as region-specific projects and select projects for the permissions to take effect. If All projects is selected, the permissions will take effect for the user group in all region-specific projects. When accessing ModelArts, the users need to switch to a region where they have been authorized to use cloud services.
- Policies: A type of fine-grained authorization mechanism that defines the permissions for performing operations on specific cloud resources under certain conditions. This mechanism allows for flexible policy-based authorization and meets requirements for secure access control. For example, you can grant ECS users permissions that only allow them to manage a certain type of ECS. For more information on the API actions supported by ModelArts, see API Reference > Permissions Policies and Supported Actions.
|
Policy Name |
Description |
Policy Type |
|---|---|---|
|
ModelArts FullAccess |
Administrator permissions for ModelArts. Users granted these permissions can operate and use ModelArts. |
System-defined policy |
|
ModelArts CommonOperations |
Common user permissions for ModelArts. Users granted these permissions can operate and use ModelArts, but cannot manage dedicated resource pools. |
System-defined policy |
When configuring ModelArts permissions for an IAM user, you need to configure the corresponding OBS service permissions for the user to properly use OBS.
- To grant OBS administrator permissions to users, you need to configure a Tenant Administrator policy that takes effect in the Global service region for IAM users. For details, see Permissions Management.
- To restrict user operations, you need to configure the minimum permissions for ModelArts users. For details, see Creating a Custom Policy.
Table 2 lists the common operations supported by each system policy.
|
Operation |
ModelArts FullAccess |
ModelArts CommonOperations |
|---|---|---|
|
ExeML |
Yes |
Yes |
|
Data labeling |
Yes |
Yes |
|
Data management |
Yes |
Yes |
|
Development environment |
Yes |
Yes |
|
Model management |
Yes |
Yes |
|
Deployment |
Yes |
Yes |
|
AI Market |
Yes |
Yes |
|
Dedicated resource pools |
Yes |
No |
|
Settings |
Yes |
Yes |
Did this article solve your problem?
Thank you for your score!Your feedback would help us improve the website.