Updated on 2023-06-25 GMT+08:00

Creating a User and Granting Permissions

This section describes how to use IAM to implement fine-grained permissions control for your ModelArts resources. With IAM, you can:

  • Create IAM users for employees based on the organizational structure of your enterprise. Each IAM user has their own security credentials, providing access to ModelArts resources.
  • Grant only the permissions required for users to perform a task.
  • Entrust a HUAWEI CLOUD account or cloud service to perform professional and efficient O&M on your ModelArts resources.

If your HUAWEI CLOUD account does not require individual IAM users, you can skip this section.

This section describes the procedure for granting permissions (see Figure 1).

Prerequisites

  • You have learnt about the permissions supported by ModelArts and understood how to choose policies or roles according to your requirements. For details, see ModelArts Permissions.
  • The permissions to use ModelArts depend on OBS authorization. Therefore, you need to grant OBS system permissions to users. For details, see OBS Permissions.
  • For the system policies of other services, see System Permissions.

Process Flow

Figure 1 Process for granting ModelArts permissions
  1. Create a user group and assign permissions to it.

    Create a user group on the IAM console, and assign the ModelArts CommonOperations policy to the group.

    The use of ModelArts depends on OBS permissions. Therefore, assign the Tenant Administrator policy that takes effect for global services to the user group.

  2. Create a user and add it to a user group.

    Create a user on the IAM console and add the user to the group created in 1.

  3. Log in and verify permissions.

    Log in to the ModelArts console by using the newly created user, and verify that the user only has read permissions for ModelArts.

    • Choose Service List > ModelArts. On the ModelArts management console, choose Dedicated Resource Pools > Create. If the creation fails (assume that the current permission contains only ModelArts CommonOperations), the ModelArts CommonOperations policy has already taken effect.
    • Choose any other service in Service List. If a message appears indicating that you have insufficient permissions to access the service (assume that the current permission contains only ModelArts CommonOperations), the ModelArts CommonOperations policy has already taken effect.
    • Choose Service List > ModelArts. On the ModelArts management console, choose Data Management > Datasets > Create Dataset. If the corresponding OBS path can be accessed, the Tenant Administrator policy for global services has already taken effect.