Permissions Management
If you need to assign different permissions to different personnel in your enterprise to access your PanguLM resources, Identity and Access Management (IAM) and PanguLM's role management function can be used for fine-grained permissions management.
If your Huawei Cloud account does not require individual IAM users for permissions management, skip this section.
With IAM, you can use your Huawei Cloud account to create IAM users, and grant permissions to the users to control their access to specific resources. For example, you can create IAM users and assign permissions to software developers, allowing them to call PanguLM service APIs but prohibiting model training or access to training data.
IAM Permissions
By default, a new IAM user created by the administrator does not have any permissions assigned. New users must be added to one or more groups, and permission policies or roles must be attached to these groups. The users then inherit permissions from the groups and can perform specified operations on cloud services based on the permissions they have been assigned.
PanguLM uses OBS to store training data and evaluation data. If fine-grained control over OBS access is required, you can add the Pangu OBSWriteOnly and Pangu OBSReadOnly policies to the agency of PanguLM to control the read and write permissions on OBS.
Policy Name | Fine-grained Permissions/Action | Description |
---|---|---|
Pangu OBSWriteOnly | obs:object:AbortMultipartUpload, obs:object:DeleteObject, obs:object:DeleteObjectVersion, obs:object:PutObject | Write permission on OBS buckets |
Pangu OBSReadOnly | obs:bucket:GetBucketLocation, obs:bucket:HeadBucket, obs:bucket:ListAllMyBuckets, obs:bucket:ListBucket, obs:object:GetObject, obs:object:GetObjectAcl, obs:object:GetObjectVersion, obs:object:GetObjectVersionAcl, obs:object:ListMultipartUploadParts | Read-only permission on the user's OBS bucket |
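One way to check that a custom policy attached to the PanguLM agency grants no OBS access beyond the two policies above. This is an added example, not Huawei Cloud's code. It assumes the policy is a JSON document with a `Statement` list of `Effect`/`Action` entries; the function name and the sample policy are constructed for illustration.

```python
import json

# Action sets copied from the policy table on this page.
PANGU_OBS_WRITE_ONLY = {
    "obs:object:AbortMultipartUpload", "obs:object:DeleteObject",
    "obs:object:DeleteObjectVersion", "obs:object:PutObject",
}
PANGU_OBS_READ_ONLY = {
    "obs:bucket:GetBucketLocation", "obs:bucket:HeadBucket",
    "obs:bucket:ListAllMyBuckets", "obs:bucket:ListBucket",
    "obs:object:GetObject", "obs:object:GetObjectAcl",
    "obs:object:GetObjectVersion", "obs:object:GetObjectVersionAcl",
    "obs:object:ListMultipartUploadParts",
}

# Constructed sample policy (assumed layout), not taken from a real account.
SAMPLE_POLICY = json.dumps({"Version": "1.1", "Statement": [
    {"Effect": "Allow", "Action": ["obs:object:GetObject", "obs:bucket:ListBucket"]},
    {"Effect": "Allow", "Action": ["obs:object:PutObject", "obs:object:*"]},
    {"Effect": "Allow", "Action": ["obs:bucket:DeleteBucket"]},
    {"Effect": "Deny", "Action": ["obs:object:DeleteObject"]},
]})

def audit_obs_grants(policy_text):
    """Sort the OBS actions a policy allows into read, write and excess."""
    result = {"read": set(), "write": set(), "excess": set()}
    for stmt in json.loads(policy_text).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]  # tolerate a single action given as a string
        for action in actions:
            service = action.split(":", 1)[0]
            if service not in ("obs", "*"):
                continue  # not an OBS grant
            if "*" in action:
                result["excess"].add(action)  # wildcard covers unlisted actions
            elif action in PANGU_OBS_READ_ONLY:
                result["read"].add(action)
            elif action in PANGU_OBS_WRITE_ONLY:
                result["write"].add(action)
            else:
                result["excess"].add(action)  # OBS action outside both policies
    return result

if __name__ == "__main__":
    print(audit_obs_grants(SAMPLE_POLICY))
```

Any entry under `excess` is an OBS grant that neither Pangu OBSReadOnly nor Pangu OBSWriteOnly would give; wildcards are counted as excess because they match actions the table does not list.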
Pangu User Roles
Pangu model users can be assigned different roles to implement refined control over platform resources.
Role Name | Role Description |
---|---|
Super Admin | Subscribes to the service and has all permissions on all workspaces on the current platform. |
Administrator | Has full access to the workspace, including viewing, creating, editing, and deleting (when applicable) assets in the workspace, adding and removing workspace members, and editing workspace member roles. |
Model development engineer | Has permissions to perform all operations on the model development toolchain module, but cannot create or delete compute resources or modify the workspace where it belongs. |
Application development engineer | Has permissions to perform all operations on the application development toolchain module. Other roles do not have such permissions. |
Annotation administrator | Has permissions on the following modules: |
Annotation operator | Has permissions on the following modules: |
Annotation auditor | Has permissions on the following modules: |
Evaluation administrator | Has permissions on the following modules: |
Evaluation operator | Has permissions on the following modules: |
Data importer | Has permissions on the following modules: |
Data processor | Has permissions on the following modules: |
Data publisher | Has permissions on the following modules: |