Help Center/ ModelArts/ Best Practices/ Permissions Management/ Configuration Practices in Typical Scenarios/ Assigning Permissions to Individual Users for Using ModelArts
Updated on 2024-03-05 GMT+08:00

Assigning Permissions to Individual Users for Using ModelArts

Certain ModelArts functions require access to Object Storage Service (OBS), Software Repository for Container (SWR), and Intelligent EdgeFabric (IEF). Before using ModelArts, your account must be authorized to access these services. Otherwise, these functions will be unavailable.

Constraints

  • Only a tenant account can perform agency authorization to authorize the current account or all IAM users under the current account.
  • Multiple IAM users or accounts can use the same agency.
  • A maximum of 50 agencies can be created under an account.
  • If you use ModelArts for the first time, add an agency. Generally, common user permissions are sufficient for your requirements. You can configure permissions for refined permissions management.
  • If you have not been authorized, ModelArts will display a message indicating that you have not been authorized when you access the Add Authorization page. In this case, contact your administrator to add authorization.

Adding Authorization

  1. Log in to the ModelArts management console. In the navigation pane on the left, choose Settings. The Global Configuration page is displayed.
  2. Click Add Authorization. On the Add Authorization page that is displayed, configure the parameters.
    Table 1 Parameters

    Parameter

    Description

    Authorized User

    Options: IAM user, Federated user, Agency, and All users

    • IAM user: You can use a tenant account to create IAM users and assign permissions for specific resources. Each IAM user has their own identity credentials (password and access keys) and uses cloud resources based on assigned permissions. For details about IAM users, see IAM User.
    • Federated user: A federated user is also called a virtual enterprise user. For details about federated users, see Configuring Federated Identity Authentication.
    • Agency: You can create agencies in IAM. For details about how to create an agency, see Creating an Agency .
    • All users: If you select this option, the agency permissions will be granted to all IAM users under the current account, including those created in the future. For individual users, choose All users.

    Authorized To

    This parameter is not displayed when Authorized User is set to All users.

    • IAM user: Select an IAM user and configure an agency for the IAM user.
      Figure 1 Selecting an IAM user
    • Federated user: Enter the username or user ID of the target federated user.
      Figure 2 Selecting a federated user
    • Agency: Select an agency name. You can use account A to create an agency and configure the agency for account B. When using account B, you can switch the role in the upper right corner of the console to account A and use the agency permissions of account A.
      Figure 3 Switch Role

    Agency

    • Use existing: If there are agencies in the list, select an available one to authorize the selected user. Click the drop-down arrow next to an agency name to view its permission details.
    • Add agency: If there is no available agency, create one. If you use ModelArts for the first time, select Add agency.

    Add agency > Agency Name

    The system automatically creates a changeable agency name.

    Add agency > Authorization Method

    • Role-based: A coarse-grained IAM authorization strategy to assign permissions based on user responsibilities. Only a limited number of service-level roles are available. When using roles to grant permissions, assign other roles on which the permissions depend to take effect. Roles are not ideal for fine-grained authorization and secure access control.
    • Policy-based: A fine-grained authorization tool that defines permissions for operations on specific cloud resources under certain conditions. This type of authorization is more flexible and ideal for secure access control.

    For details about roles and policies, see Basic Concepts.

    Add agency > Permissions > Common User

    Common User provides the permissions to use all basic ModelArts functions. For example, you can access data, and create and manage training jobs. Select this option generally.

    Click View permissions to view common user permissions.

    Add agency > Permissions > Custom

    If you need refined permissions management, select Custom to flexibly assign permissions to the created agency. You can select permissions from the permission list as required.

  3. Select I have read and agree to the ModelArts Service Statement. Click Create.

Viewing Authorized Permissions

You can view the configured authorizations on the Global Configuration page. Click View Permissions in the Authorization Content column to view the permission details.

Figure 4 View Permissions
Figure 5 Common user permissions