Help Center> ModelArts> Best Practices> Permissions Management> Configuration Practices in Typical Scenarios> Viewing the Notebook Instances of All IAM Users Under One Tenant Account
Updated on 2024-01-09 GMT+08:00
View PDF

Viewing the Notebook Instances of All IAM Users Under One Tenant Account

Any IAM user granted with the listAllNotebooks and listUsers permissions can click View all on the notebook page to view the instances of all users in the current IAM project.

Users granted with these permissions can also access OBS and SWR of all users in the current IAM project.

Assigning the Required Permissions

  1. Log in to the management console as a tenant user, hover the cursor over your username in the upper right corner, and choose Identity and Access Management from the drop-down list to switch to the IAM management console.
  2. On the IAM console, choose Permissions > Policies/Roles from the navigation pane, click Create Custom Policy in the upper right corner, and create two policies.
    Policy 1: Create a policy that allows users to view all notebook instances of an IAM project, as shown in Figure 1.
    • Policy Name: Enter a custom policy name, for example, Viewing all notebook instances.
    • Policy View: Select Visual editor.
    • Policy Content: Select Allow, ModelArts Service, modelarts:notebook:listAllNotebooks, and default resources.
      Figure 1 Creating a custom policy

    Policy 2: Create a policy that allows users to view all users of an IAM project.

    • Policy Name: Enter a custom policy name, for example, Viewing all users of the current IAM project.
    • Policy View: Select Visual editor.
    • Policy Content: Select Allow, Identity and Access Management, iam:users:listUsers, and default resources.
  3. In the navigation pane, choose User Groups. On the User Groups page, locate the row containing the target user group and click Authorize in the Operation column. On the Authorize User Group page, select the custom policy created in 2 and click Next. Then, select the scope and click OK.

    After the configuration, all users in the user group have the permission to view all notebook instances created by users in the user group.

    If no user group is available, create one, add users to it through user group management, and configure authorization for the user group. If the target user is not in a user group, add the user to a user group through user group management.

Enabling an IAM User to Start Other User's Notebook Instance

If an IAM user wants to access another IAM user's notebook instance through remote SSH, they need to update the SSH key pair to their own. Otherwise, error ModelArts.6786 will be reported. For details about how to update a key pair, see Modifying the SSH Configuration for a Notebook Instance.

ModelArts.6789: Failed to find SSH key pair KeyPair-xxx on the ECS key pair page. Update the key pair and try again later.