Updated: 2026-07-03 GMT+08:00

Authorization Management Permissions

Scenario-level Authorization Examples

  • New IAM console: provides system identity policies based on IAM 5.0. You can create a custom policy in the new IAM console and grant it to the user group that the user belongs to. Because some modules are not yet fully connected to IAM 5.0, you currently also need to create a custom policy in the old IAM console that contains the IAM 3.0 policy below, and grant that custom policy to the user's user group. See the following table for details.
    Table 1 Authorization for the authorization management scenario in the new IAM console

    Policy name: ModelArtsPermissionManagementReadOnlyPolicy
    Description: read-only policy for ModelArts "System Configuration - Permission Management"
    Type: system identity policy
    IAM 3.0 policy that must also be configured:

    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "iam:permissions:listRolesForAgencyOnDomain",
                    "iam:permissions:listRolesForAgencyOnProject",
                    "iam:permissions:listRolesForAgency"
                ]
            }
        ]
    }

    Policy name: ModelArtsPermissionManagementAllPolicy
    Description: full (read/write) policy for ModelArts "System Configuration - Permission Management"
    Type: system identity policy
    IAM 3.0 policy that must also be configured:

    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "iam:permissions:listRolesForAgencyOnDomain",
                    "iam:permissions:listRolesForAgencyOnProject",
                    "iam:permissions:listRolesForAgency"
                ]
            }
        ]
    }

  • Old IAM console: system identity policies based on IAM 3.0 are not provided, so you need to create custom identity policies in the old IAM console to configure scenario-level authorization. See the following table for details.
    Table 2 Authorization for the authorization management scenario in the old IAM console

    Scenario: read/write (IAM 3.0)
    Example:

    {"Version":"1.1","Statement":[{"Action":[
                   "modelarts:authorization:list",
                   "modelarts:authorization:create",
                   "modelarts:authorization:delete",
                   "iam:quotas:listQuotasForProject",
                   "iam:quotas:listQuotas",
                   "iam:agencies:createAgency",
                   "iam:agencies:listAgencies",
                   "iam:permissions:listRolesForAgency",
                   "iam:permissions:grantRoleToAgencyOnDomain",
                   "iam:permissions:grantRoleToAgency",
                   "iam:agencies:delete",
                   "iam:users:listUsers",
                   "iam:roles:listRoles",
                   "iam:roles:createRole",
                   "iam:roles:updateRole",
                   "iam:agencies:getAgency",
                   "iam:groups:listGroups",
                   "iam:permissions:listRolesForAgencyOnDomain",
                   "iam:permissions:listRolesForAgencyOnProject",
                   "iam:permissions:listRolesForAgency"
                   ],
    "Effect":"Allow"}]}

    Scenario: read-only (IAM 3.0)
    Example:

    {"Version":"1.1","Statement":[{"Action":[
                   "modelarts:authorization:list",
                   "iam:quotas:listQuotasForProject",
                   "iam:quotas:listQuotas",
                   "iam:agencies:listAgencies",
                   "iam:permissions:listRolesForAgency",
                   "iam:users:listUsers",
                   "iam:roles:listRoles",
                   "iam:agencies:getAgency",
                   "iam:groups:listGroups",
                   "iam:permissions:listRolesForAgencyOnDomain",
                   "iam:permissions:listRolesForAgencyOnProject",
                   "iam:permissions:listRolesForAgency"
                   ],
    "Effect":"Allow"}]}

API-level Authorization

Table 3 Fine-grained permissions for service management

| Permission | API | Authorization item and dependent authorization items |
|---|---|---|
| Add authorization | POST /v1/{project_id}/atelier/authorizations | modelarts:authorization:create; depends on iam:agencies:listAgencies, iam:groups:list, iam:users:list, iam:agencies:getAgency |
| Delete authorization | DELETE /v1/{project_id}/atelier/authorizations | modelarts:authorization:delete |
| Query authorizations | GET /v1/{project_id}/atelier/authorizations | modelarts:authorization:list |
| Create agency | POST /v1/{project_id}/atelier/agency | iam:quotas:list, iam:agencies:createAgency, iam:roles:listRoles, iam:permissions:grantRoleToAgency, iam:roles:createRole |
| Query agencies | GET /v1/{project_id}/atelier/agency | iam:agencies:listAgencies |
| Query the permission list of an agency | GET /v1/{project_id}/atelier/agency/{agency_name}/grants | iam:agencies:listAgencies, iam:permissions:listRolesForAgencyOnDomain, iam:permissions:listRolesForAgencyOnProject, iam:permissions:listRolesForAgency |
| Query the permission list of an agency | GET /v2/{project_id}/atelier/agency/{agency_id}/grants | iam:permissions:listRolesForAgencyOnDomain, iam:permissions:listRolesForAgencyOnProject, iam:permissions:listRolesForAgency |
| Update the permission list of an agency | POST /v1/{project_id}/atelier/agency/{agency_name}/grants | iam:quotas:list, iam:roles:listRoles, iam:roles:createRole, iam:permissions:grantRoleToAgency |
| Query the default agency permission list configured for the service | GET /v1/{project_id}/atelier/agency/default-grants | iam:permissions:grantRoleToAgency |
| Query agency quotas | GET /v1/{project_id}/atelier/agency/quotas | iam:quotas:list |
| Delete agency | DELETE /v1/{project_id}/atelier/agency/{agency_id} | iam:agencies:deleteAgency |
| Query agency ID by agency name | GET /v1/{project_id}/atelier/agency/info | iam:agencies:listAgencies |
| Query users | GET /v1/{project_id}/atelier/users | iam:users:list |
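As an added example (not part of the ModelArts documentation or the service's own tooling), the following Python checks an IAM 3.0 custom policy document against the actions Table 3 requires for the three authorization APIs, so that a policy can be verified for missing dependent authorization items before it is granted to a user group. The required-action map is copied from Table 3; wildcard matching in Action entries and deny-overrides-allow evaluation are assumptions, and the sample policy is the read-only policy from Table 2.

```python
import fnmatch
import json

# Actions Table 3 requires for the authorization APIs: the authorization item
# plus its dependent authorization items (copied from the table above).
REQUIRED_ACTIONS = {
    "POST /v1/{project_id}/atelier/authorizations": {
        "modelarts:authorization:create", "iam:agencies:listAgencies",
        "iam:groups:list", "iam:users:list", "iam:agencies:getAgency",
    },
    "DELETE /v1/{project_id}/atelier/authorizations": {"modelarts:authorization:delete"},
    "GET /v1/{project_id}/atelier/authorizations": {"modelarts:authorization:list"},
}

def _matches(pattern, action):
    # Assumption: an Action entry may use '*' wildcards, e.g. "iam:*:list*".
    return fnmatch.fnmatchcase(action, pattern)

def allowed(policy, action):
    """True if the IAM 3.0 policy document grants `action`.
    Assumption: an explicit Deny statement overrides any Allow."""
    decision = False
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(_matches(p, action) for p in actions):
            if stmt.get("Effect") == "Deny":
                return False
            decision = True
    return decision

def missing_actions(policy, api):
    """Actions Table 3 requires for `api` that `policy` does not grant (sorted)."""
    return sorted(a for a in REQUIRED_ACTIONS[api] if not allowed(policy, a))

# Constructed sample input: the read-only policy from Table 2, pasted as JSON.
READ_ONLY_POLICY = json.loads("""{"Version":"1.1","Statement":[{"Effect":"Allow","Action":[
  "modelarts:authorization:list","iam:quotas:listQuotasForProject","iam:quotas:listQuotas",
  "iam:agencies:listAgencies","iam:permissions:listRolesForAgency","iam:users:listUsers",
  "iam:roles:listRoles","iam:agencies:getAgency","iam:groups:listGroups",
  "iam:permissions:listRolesForAgencyOnDomain","iam:permissions:listRolesForAgencyOnProject"]}]}""")

if __name__ == "__main__":
    for api in REQUIRED_ACTIONS:
        print(api, "->", missing_actions(READ_ONLY_POLICY, api) or "ok")
```

Run against the Table 2 read-only policy, the checker reports modelarts:authorization:create, iam:groups:list and iam:users:list as missing for the add-authorization API: Table 2 grants iam:groups:listGroups and iam:users:listUsers while Table 3 lists iam:groups:list and iam:users:list, so a literal comparison treats them as different actions and the two names should be reconciled before relying on the policy.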