Last updated: 2026-07-03 GMT+08:00

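Workspace Management Permissions

Scenario-Level Authorization Examples

New IAM console: provides system identity policies based on IAM 5.0. You can create a custom policy in the new IAM console and grant it to the user group that the user belongs to. Because some modules are not yet fully integrated with IAM 5.0, you currently also need to create a custom policy in the old IAM console, configure the IAM 3.0 policy shown below in it, and grant that custom policy to the user group that the user belongs to. See the following table for the configuration.

Table 1 Authorization for workspace management scenarios in the new IAM console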

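Policy name: ModelArtsWorkspaceReadOnlyPolicy

Description: Read-only policy for "System Configuration - Workspace" in ModelArts

Type: System identity policy

IAM 3.0 policy that must also be configured: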

{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "modelarts:exemlProject:delete",
                "modelarts:fusionJob:getWorkspacesCleanupTask",
                "modelarts:fusionJob:workspacesCleanup",
                "modelarts:model:delete",
                "modelarts:workflow:delete",
                "modelarts:workspace:delete",
                "modelarts:workspace:get",
                "modelarts:pool:list"
            ]
        }
    ]
}

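Policy name: ModelArtsWorkspaceAllPolicy

Description: Full (read and write) policy for "System Configuration - Workspace" in ModelArts

Type: System identity policy

IAM 3.0 policy that must also be configured: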

{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "modelarts:exemlProject:delete",
                "modelarts:fusionJob:getWorkspacesCleanupTask",
                "modelarts:fusionJob:workspacesCleanup",
                "modelarts:model:delete",
                "modelarts:workflow:delete",
                "modelarts:workspace:delete",
                "modelarts:workspace:get",
                "modelarts:pool:list"
            ]
        }
    ]
}
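
Old IAM console: does not provide system identity policies based on IAM 3.0. You need to define custom identity policies in the old IAM console to configure scenario-level authorization. See the following table for the configuration.

Table 2 Authorization for workspace management scenarios in the old IAM console

Scenario: Read/write (IAM 3.0)

Example:

Policy to create separately for ModelArts: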

{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "modelarts:authorization:create",
                "modelarts:authorization:delete",
                "modelarts:authorization:list",
                "modelarts:exemlProject:delete",
                "modelarts:fusionJob:getWorkspacesCleanupTask",
                "modelarts:fusionJob:workspacesCleanup",
                "modelarts:model:delete",
                "modelarts:pool:list",
                "modelarts:workflow:delete",
                "modelarts:workspace:checkAuthorizations",
                "modelarts:workspace:create",
                "modelarts:workspace:delete",
                "modelarts:workspace:get",
                "modelarts:workspace:getAuthMode",
                "modelarts:workspace:getQuotas",
                "modelarts:workspace:getUserList",
                "modelarts:workspace:getUserRoles",
                "modelarts:workspace:list",
                "modelarts:workspace:update",
                "modelarts:workspace:updateAuthMode",
                "modelarts:workspace:updateQuotas"
            ]
        }
    ]
}

Policy to create separately for IAM:

{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:quotas:listQuotasForProject",
                "iam:quotas:listQuotas",
                "iam:agencies:createAgency",
                "iam:agencies:listAgencies",
                "iam:permissions:listRolesForAgency",
                "iam:permissions:grantRoleToAgencyOnDomain",
                "iam:permissions:grantRoleToAgency",
                "iam:agencies:deleteAgency",
                "iam:users:listUsers",
                "iam:roles:listRoles",
                "iam:roles:createRole",
                "iam:roles:updateRole",
                "iam:agencies:getAgency",
                "iam:groups:listGroups",
                "iam:permissions:listRolesForAgencyOnDomain",
                "iam:permissions:listRolesForAgencyOnProject"
            ]
        }
    ]
}

API-Level Authorization

Table 3 Fine-grained permissions for workspace management

| Permission | API | Action (IAM 3.0) | Action (IAM 5.0) | Dependent actions | IAM project | Enterprise project |
|---|---|---|---|---|---|---|
| Create a workspace | POST /v1/{project_id}/workspaces | modelarts:workspace:create | modelarts:workspace:create | eps:enterpriseProjects:list | | |
| List workspaces | GET /v1/{project_id}/workspaces | modelarts:workspace:list | modelarts:workspace:list | eps:enterpriseProjects:list | | |
| Query workspace details | GET /v1/{project_id}/workspaces/{workspace_id} | modelarts:workspace:get | modelarts:workspace:get | eps:enterpriseProjects:list | | |
| Modify a workspace | PUT /v1/{project_id}/workspaces/{workspace_id} | modelarts:workspace:update | modelarts:workspace:update | eps:enterpriseProjects:list | | |
| Delete a workspace | DELETE /v1/{project_id}/workspaces/{workspace_id} | modelarts:workspace:delete, modelarts:service:delete, modelarts:model:delete, modelarts:tensorboard:delete, modelarts:trainJob:delete, modelarts:exemlProject:delete, modelarts:notebook:delete, modelarts:dataset:delete | modelarts:workspace:delete, modelarts:service:delete, modelarts:model:delete, modelarts:tensorboard:delete, modelarts:trainJob:delete, modelarts:exemlProject:delete, modelarts:notebook:delete, modelarts:dataset:delete | eps:enterpriseProjects:list | | |
| Query workspace quotas | GET /v1/{project_id}/workspaces/{workspace_id}/quotas | modelarts:workspace:getQuotas | modelarts:workspace:getQuotas | eps:enterpriseProjects:list | | |
| Modify workspace quotas | PUT /v1/{project_id}/workspaces/{workspace_id}/quotas | modelarts:workspace:updateQuotas | modelarts:workspace:updateQuotas | eps:enterpriseProjects:list | | |
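
A policy review helper, added here as an example and not taken from the ModelArts documentation: it parses a custom policy, lists duplicate and state-changing actions, and reports which Table 3 APIs lack a required IAM 3.0 action. The names MUTATING, TABLE3, allowed_actions and audit are assumptions of this example, and the check does exact string comparison only (no wildcard matching).

```python
import json
from collections import Counter

# Last-segment prefixes treated as state-changing (an assumption of this example).
MUTATING = ("create", "delete", "update", "grant", "workspacesCleanup")
# API -> actions from Table 3 (IAM 3.0 column); the eps dependency is not checked.
W = "/v1/{project_id}/workspaces"
TABLE3 = {
    f"POST {W}": {"modelarts:workspace:create"},
    f"GET {W}": {"modelarts:workspace:list"},
    f"GET {W}/{{workspace_id}}": {"modelarts:workspace:get"},
    f"PUT {W}/{{workspace_id}}": {"modelarts:workspace:update"},
    f"DELETE {W}/{{workspace_id}}": {
        "modelarts:workspace:delete", "modelarts:service:delete",
        "modelarts:model:delete", "modelarts:tensorboard:delete",
        "modelarts:trainJob:delete", "modelarts:exemlProject:delete",
        "modelarts:notebook:delete", "modelarts:dataset:delete"},
    f"GET {W}/{{workspace_id}}/quotas": {"modelarts:workspace:getQuotas"},
    f"PUT {W}/{{workspace_id}}/quotas": {"modelarts:workspace:updateQuotas"},
}

def allowed_actions(policy):
    """Return every action named in Allow statements, duplicates included."""
    actions = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            act = stmt.get("Action", [])
            actions.extend([act] if isinstance(act, str) else act)
    return actions

def audit(policy):
    """Report duplicate entries, state-changing actions and Table 3 gaps."""
    actions = allowed_actions(policy)
    granted = set(actions)
    return {
        "duplicates": sorted(a for a, n in Counter(actions).items() if n > 1),
        "mutating": sorted(a for a in granted
                           if a.rsplit(":", 1)[-1].startswith(MUTATING)),
        "missing": {api: sorted(need - granted)
                    for api, need in TABLE3.items() if need - granted},
    }

# Constructed input: the IAM 3.0 policy listed with ModelArtsWorkspaceReadOnlyPolicy.
TABLE1_POLICY = json.loads("""{"Version": "1.1", "Statement": [{"Effect": "Allow",
  "Action": ["modelarts:exemlProject:delete", "modelarts:model:delete",
    "modelarts:fusionJob:getWorkspacesCleanupTask", "modelarts:pool:list",
    "modelarts:fusionJob:workspacesCleanup", "modelarts:workflow:delete",
    "modelarts:workspace:delete", "modelarts:workspace:get"]}]}""")
if __name__ == "__main__":
    print(json.dumps(audit(TABLE1_POLICY), indent=2))
```

Run it against a policy before attaching the policy to a user group; an empty "missing" entry for an API means every IAM 3.0 action Table 3 lists for that API is granted.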