Updated on 2025-07-28 GMT+08:00

Managing Workspace Members

To isolate function usage permissions from asset permissions and ensure asset security and management efficiency, you can configure different roles for employees, setting distinct access permissions according to their responsibilities.

If your Huawei Cloud account does not require individual IAM users for permissions management, skip this section.

You can use IAM and the member management function of ModelArts Studio to implement fine-grained permissions management for IAM users.

Creating a User Group

As an administrator, you can create user groups and grant them permissions using policies or roles. Users added to the user groups inherit permissions from the user groups.

To create a user group, do as follows:

  1. Log in to the IAM console using a master account.
  2. On the IAM console, choose User Groups from the navigation pane, and click Create User Group in the upper right corner.
    Figure 1 Creating a user group
  3. On the Create User Group page, enter a user group name, and click OK.
  4. Return to the user group list and click Authorize in the Operation column.
    Figure 2 Authorizing a user group
  5. Search for the required actions using the search box, select the actions, and click Next. For details, see Table 1.
    Table 1 Permissions

    Permissions

    Description

    Agent Operator

    Users with this permission can switch their roles to the delegating account to access the authorized services.

    Tenant Administrator

    Administrator permissions for all cloud services (except IAM)

    Security Administrator

    Full permissions on IAM (except for switching roles).

    Figure 3 Adding permissions for the user group
  6. Select a scope.

    The system automatically recommends an authorization scope based on the policy of the selected action.

    • All resources: IAM users in the user group can use all enterprise projects, region-specific projects, and global services in the account based on the permissions assigned.
    • Region-specific projects: Select a region, for example, CN Southwest-Guiyang1. Then, IAM users in the user group can only use resources in the region-specific projects.
    • Global services: Global services are deployed in all regions, so you can access them seamlessly without having to switch between regions. However, global services cannot be authorized based on regional projects. They include services like Object Storage Service (OBS) and Content Delivery Network (CDN).

    Click OK.

    Figure 4 Selecting a scope
  7. Click OK.
    Figure 5 Authorization completed

Creating a Pangu User

To create a Pangu user, do as follows:

  1. Log in to the IAM console using a master account.
  2. Choose Users from the navigation pane, and click Create User in the upper right corner.
    Figure 6 Creating a user
  3. Configure basic information and click Next.

    When configuring user information, select Programmatic access for Access Types. If this option is not selected, IAM users cannot use PanguLM service APIs and SDKs.

    Figure 7 Configuring basic information about the user
  4. Add the user to the user group created in Creating a User Group and click Create.
    Figure 8 Adding the user to a user group

Adding a Pangu User to a Workspace

You can add a created Pangu user to a workspace. For details about how to create a Pangu user, see Creating a Pangu User.

  1. Log in to ModelArts Studio.
  2. Go to the workspace to which you want to add a user. In the navigation pane, choose Workspace Management. Click the Member Management tab.
  3. Assign a role (for example, model development engineer) to the user, as shown in Figure 9. Search for the user name in the search box, select a role from the drop-down list, and click Add on the right to add the user to the workspace.
    Figure 9 Adding a member as a model development engineer

Modifying Pangu User Permissions

To modify the permissions of a user in a workspace, perform the following steps:

  1. Log in to ModelArts Studio.
  2. Go to the workspace whose user permissions need to be modified. In the navigation pane, choose Workspace Management. On the Role Management tab page, view the role name and permission description.
    Figure 10 Role Management
  3. Click the Member Management tab.
  4. The following figure shows how to grant the model development engineer permission to a user. Click edit in the Operation column of the user list, select the role to be assigned to the user, and click Confirm.
    Figure 11 Granting the Model Development Engineer Permission to a user

Removing a Pangu User

To delete a user from a workspace, perform the following steps:

  1. Log in to ModelArts Studio.
  2. Go to the workspace to which you want to delete a user. In the navigation pane, choose Workspace Management. Click the Member Management tab.
  3. In the user list, locate the user that you want to delete and click Delete in the Operation column.
    Figure 12 Member management
  4. Click OK to confirm the deletion.
    Figure 13 Confirming the deletion