Configuring ModelArts Agency Authorization for Using ModelArts Studio (MaaS)
Using ModelArts' MaaS service requires proper permission management for smooth operation and data safety. ModelArts uses the IAM system to control all features. Administrators can assign specific user permissions. Incorrect settings may cause errors that disrupt service access.
All users must authorize ModelArts access before using the MaaS service; otherwise, errors might happen. Once authorized, individual users can start using ModelArts without managing detailed permissions.
Operation Scenarios
If you have already obtained ModelArts access authorization, you are all set for MaaS – no extra configuration needed. Otherwise, get ModelArts access authorization first, then you can use MaaS.
ModelArts needs to access other services for executing tasks. For example, ModelArts needs to access OBS to read your data for training. For security purposes, ModelArts must be authorized to access other cloud services. This is agency authorization.
ModelArts provides one-click automatic authorization. You can quickly configure agency authorization on the Permission Management page of ModelArts. Then, ModelArts will automatically create an agency for you and configure it in ModelArts.
This section introduces one-click automatic authorization. It allows you to grant permissions to IAM users, federated users (virtual IAM users), agencies, or all users with one click.
Notes and Constraints
- Huawei Cloud account
    - Only a Huawei Cloud account can use an agency to authorize the current account or all IAM users under the current account.
- Multiple IAM users or accounts can use the same agency.
- A maximum of 50 agencies can be created under an account.
- If you use ModelArts for the first time, add an agency. Generally, common user permissions are sufficient for your requirements. You can also customize permissions for refined permissions management.
 
- IAM user
    - If you have obtained the authorization, you can view the authorization information on the Permission Management page.
- If you have not been authorized, ModelArts will display a message indicating that you have not been authorized when you access the Add Authorization page. In this case, contact your administrator to add authorization.
 
Billing
IAM manages user access to ModelArts resources at no cost.
Billing depends on resource usage, including compute resources like vCPUs, GPUs, and NPUs, as well as storage resources like EVS disks and OBS. For details, see Billing.
Prerequisites
You have registered a Huawei account and enabled Huawei Cloud services.
MaaS Agency Authorization
- Log in to the ModelArts console and follow these steps based on your console version.
    - New version: In the navigation pane on the left, choose System Management > Permission Management.
- Old version: In the navigation pane, choose Settings.
 
- Click Add Authorization. On the displayed page, set parameters based on Table 1.
    This example shows how to add authorization for an IAM user. For details, see the "Example" column in Table 1. Table 1 Authorization parameters Parameter Description Example Authorized User The options are IAM user, Federated user, Agency, and All users. - IAM user: You can use a tenant account to create IAM users and assign permissions for specific resources. Each IAM user has their own identity credentials (password and access keys) and uses cloud resources based on the assigned permissions. For details about IAM users, see IAM User.
- Federated user: A federated user is also called a virtual enterprise user. For details about federated users, see Configuring Identity Federation.
- Agency: You can create agencies in IAM. For details about how to create an agency in IAM, see Creating an Agency and Assigning Permissions.
- All users: If you select this option, the agency permissions will be granted to all IAM users under the account, including those created in the future. For individual users, select All users.
 Select IAM user. Authorized To This parameter is not displayed when Authorized User is set to All users. - IAM user: Select an IAM user and configure an agency for the IAM user.
           Figure 1 Selecting an IAM user  
- Federated user: Enter the username or user ID of the target federated user.
           Figure 2 Entering a federated user  
- Agency: Select an agency name. You can create an agency under account A and grant the agency permissions to account B. When using account B to log in to ModelArts console, you can switch the role in the upper right corner of the console ModelArts console to account A and use the agency permissions of account A.
           Figure 3 Switch Role  
 Select an IAM user and configure an agency for the IAM user. Agency - Use existing: If there are agencies in the list, select an available one to authorize the selected user. Click the drop-down arrow next to an agency name to view its permission details.
- Add agency: If there is no available agency, create one. If you use ModelArts for the first time, select Add agency.
 Select Add agency. Add agency > Agency Name ModelArts automatically creates an agency name for you, but it is editable. ModelArts creates agency names using these rules: - When authorizing an IAM user, the agency name defaults to ma_agency_[IAM username].
- When authorizing other types of users, the agency name defaults to modelarts_agency.
- If an agency name generated based on preceding rules already exists, a four-digit random code is automatically suffixed to the name.
 N/A Add agency > Permissions > Common Choose this option to customize permissions with minimal access for enhanced security. Select MaaS (ModelArts Studio) from the Permission Template drop-down list. Figure 4 Common  Select MaaS (ModelArts Studio). Add agency > Permissions > High-privilege High-privilege grants elevated access permissions and is ideal for users needing administrator permissions. Choose this option for advanced access but manage permissions cautiously when using it. Figure 5 High-privilege  N/A 
- Click Create.
    Log in to the ModelArts Studio (MaaS) console. If no permission configuration information is displayed on the page, the agency configuration is complete. You can also go to the Permission Management page to check permission details. For details, see Viewing Authorized Permissions. 
Viewing Authorized Permissions
You can view the configured authorizations on the Permission Management page. To do so, click View Permissions in the Operation column to view the details.
 
   
  Modifying the Authorization Scope
- To modify the authorization scope, click To view all agency permissions, access IAM in the View Permissions dialog box.
    Figure 8 Modifying permissions in IAM  
- Go to the Agencies page on the IAM console, click the name of the agency you want to modify, and update the basic information as needed. Select your required validity period.
    Figure 9 Agency information  
- On the Permissions page, click Authorize, select policies or roles, and click Next. Select the scope for minimum authorization and click OK.
    When setting the minimum authorization scope, you can select specified projects or all resources. If you select All resources, the selected permissions will be applied to all resources. 
Deleting an Authorization
To better manage your authorization, you can delete the authorization of an IAM user or delete the authorizations of all users in batches. The deletion operation cannot be undone.
- Deleting an authorization of a user
    The authorizations configured for the IAM user of the current account are displayed on the Permission Management page. You can locate an authorization, click Delete in the Operation column, enter DELETE in the text box, and click OK. After it is deleted, the user cannot use ModelArts functions. 
- Deleting authorizations in batches
    On the Permission Management page, click Clear Authorization above the authorization list. Enter DELETE in the text box and click OK. After the deletion, the account and all its IAM users cannot use ModelArts functions. 
FAQs
- How do I configure authorization when I use ModelArts for the first time?
    On the Add Authorization page, set Agency to Add agency and select Common User, which provides the permissions to use all basic ModelArts functions. For example, you can access data, and create and manage training jobs. Select this option generally. 
- How do I obtain access keys (AK/SK)?
    You will need to obtain an access key if you are using access key authentication to access certain functions like accessing model services. For details, see How Do I Obtain an Access Key? 
- How do I delete an agency?
    Go to the IAM console, choose Agencies in the navigation pane, and delete the target agency. For details, see Deleting or Modifying Agencies. 
- Why is a message indicating insufficient permissions displayed when I access a page on the ModelArts console?
    The permissions configured for the user agency are insufficient or the module has been upgraded. The authorization information needs to be updated. In this case, you can add authorization as prompted. For details, see (Optional) Configuring the Missing ModelArts Studio (MaaS) Permissions. 
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot 
    