IAM
This section describes the IAM permission configurations for all ModelArts functions.
IAM Permissions
If no fine-grained authorization policy is configured for a user created by the administrator, the user has all permissions of ModelArts by default. To control user permissions, the administrator needs to add the user to a user group on IAM and configure fine-grained authorization policies for the user group. In this way, the user obtains the permissions defined in the policies before performing operations on cloud service resources.
You can grant users permissions by using roles and policies.
- Roles are a type of coarse-grained authorization mechanism that defines permissions related to user responsibilities. Only a limited number of service-level roles are available. When using roles to grant permissions, you must also assign other roles on which the permissions depend to take effect. Roles are not ideal for fine-grained authorization and secure access control.
- Policies are a type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This type of authorization is more flexible and ideal for secure access control. For example, you can grant ECS users permissions that only allow them to manage a certain type of ECS.
ModelArts does not support role-based authorization. It supports only policy-based authorization.
Policy Structure
A policy consists of a version and one or more statements (indicating different actions).
Policy Parameters
The following describes policy parameters. You can create custom policies by specifying the parameters.
Parameter |
Description |
Value |
|
---|---|---|---|
Version |
Policy version |
1.1: indicates policy-based access control. |
|
Statement: authorization statement of a policy |
Effect |
Whether to allow or deny the operations defined in the action |
|
Action |
Operation to be performed on the service |
Format: "Service name:Resource type:Action". Wildcard characters (*) are supported, indicating all options. Example: modelarts:notebook:list: indicates the permission to view a notebook instance list. modelarts indicates the service name, notebook indicates the resource type, and list indicates the operation. View all actions of a service in its API Reference. |
|
Condition |
Condition for a policy to take effect, including condition keys and operators |
Format: "Condition operator:{Condition key:[Value 1,Value 2]}" If you set multiple conditions, the policy takes effect only when all the conditions are met. Example: StringEndWithIfExists":{"g:UserName":["specialCharacter"]}: The statement is valid for users whose names end with specialCharacter. |
|
Resource |
Resources on which a policy takes effect |
Format: Service name:Region:Account ID:Resource type:Resource path. Wildcard characters (*) are supported, indicating all resources.
NOTE:
ModelArts authorization does not allow you to specify a resource path. |
ModelArts Resource Types
During policy-based authorization, the administrator can select the authorization scope based on ModelArts resource types. The following table lists the resource types supported by ModelArts:
Resource Type |
Description |
---|---|
notebook |
Notebook instances in DevEnviron |
exemlProject |
ExeML projects |
exemlProjectInf |
ExeML-powered real-time inference service |
exemlProjectTrain |
ExeML-powered training jobs |
exemlProjectVersion |
ExeML project version |
workflow |
Workflow |
pool |
Dedicated resource pool |
network |
Networking of a dedicated resource pool |
trainJob |
Training job |
trainJobLog |
Runtime logs of a training job |
trainJobInnerModel |
Preset model |
trainJobVersion |
Version of a training job (supported by old-version training jobs that will be discontinued soon) |
trainConfig |
Configuration of a training job (supported by old-version training jobs that will be discontinued soon) |
tensorboard |
Visualization job of training results (supported by old-version training jobs that will be discontinued soon) |
model |
Models |
service |
Real-time service |
nodeservice |
Edge service |
workspace |
Workspace |
dataset |
Dataset |
dataAnnotation |
Dataset labels |
aiAlgorithm |
Algorithm for training jobs |
image |
Image |
ModelArts Resource Permissions
For details, see "Permissions Policies and Supported Actions" in ModelArts API Reference.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.