---
Title: Manage permissions
URL Source: https://company-skill.com/p/pai/pai-manage-permissions
Language: en
Description: You want to control who can access your PAI workspaces, models, or datasets by assigning roles or defining fine-grained access policies. This includes adding team members with specific capabilities…
---

# Manage permissions

Part of **Platform for AI (PAI)**. Route queries via `POST https://company-skill.com/api/route`.

## What You Want to Do

You want to control who can access your PAI workspaces, models, or datasets by assigning roles or defining fine-grained access policies. This includes adding team members with specific capabilities or programmatically granting cross-account service access.

**Typical User Questions**:
- How do I set up RAM policies for PAI resources?
- Can I control who accesses my models or datasets?

## Decision Tree

Pick the best path for your situation:

- **If** you are managing permissions **within a single PAI workspace** using predefined roles like `PAI.AlgoDeveloper` or `PAI.WorkspaceAdmin` → Use **Console / Dashboard** (go to *pai/pai-workspace*)
- **If** you need to define **RAM authorization policies for PAIRecService** using `Action`, `Resource`, and `Condition` elements for programmatic or cross-account access → Use **API RAM** (go to *pai/pai-instance*)
- **Otherwise (default)** → Start with the **workspace interface approach**, as it’s suitable for most team collaboration scenarios and requires no coding.

## Path Comparison

| Path | Complexity | Code Required | Automation | Key Fact | Detail Skill |
|------|------------|---------------|------------|----------|--------------|
| Console / Dashboard | medium | No | No | Only supports predefined roles like `PAI.AlgoDeveloper` and `PAI.WorkspaceAdmin` | `pai/guide/pai-workspace` |
| API RAM | high | Yes | Yes | Requires defining `Policy` with `Action`, `Resource`, `Condition`, and `ARN` for `PAIRecService` | `pai/api/pai-instance` |

## Path Details

### Path 1: Console / Dashboard
**Brief Description**: This approach uses the PAI console to manage workspace members via role assignment. Administrators can use APIs like `CreateMember` and `ListMembers` or navigate to **Console > AI WorkSpace > Workspaces > Roles** to assign roles such as `PAI.AlgoDeveloper` or `PAI.WorkspaceAdmin` using a user’s `member UID` and `workspace ID`.


**Known Limitations**:
- Only the seven predefined roles can be assigned: `PAI.AlgoDeveloper`, `PAI.AlgoOperator`, `PAI.LabelManager`, `PAI.MaxComputeDeveloper`, `PAI.WorkspaceAdmin`, `PAI.WorkspaceGuest`, `PAI.WorkspaceOwner`

### Path 2: API RAM 

**Brief Description**: This method configures RAM authorization for `PAIRecService` by defining a `Policy` that includes `Action`, `Resource`, and `Condition` elements. It uses Alibaba Cloud `ARN` identifiers and requires an `AccessKey` for authentication. Policies must adhere to `Minimum Permissions` principles and are managed entirely via API or SDK—no console UI is available.

**Key technical facts**:  

- `PAIRecService`: `Action`, `Resource`, `Condition`
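
A pre-deployment check for the minimum-permissions requirement described in Path 2, as an added example that is not PAI's or Alibaba Cloud's own code. It lints a RAM policy document for wildcard `Action` or `Resource` values and for `Allow` statements with no `Condition`; the service prefix `example-pairec`, the action name, and the ARN are constructed placeholders, not real `PAIRecService` identifiers.

```python
import json

# Constructed sample policies. "example-pairec", the action name and the ARN
# are placeholders for illustration, not real PAIRecService identifiers.
SAMPLE_BROAD = json.loads("""
{"Version": "1",
 "Statement": [{"Effect": "Allow", "Action": "example-pairec:*", "Resource": "*"}]}
""")

SAMPLE_SCOPED = json.loads("""
{"Version": "1",
 "Statement": [{
   "Effect": "Allow",
   "Action": ["example-pairec:ListInstances"],
   "Resource": ["acs:example-pairec:cn-hangzhou:<account-id>:instances/<instance-id>"],
   "Condition": {"IpAddress": {"acs:SourceIp": ["203.0.113.0/24"]}}
 }]}
""")


def _as_list(value):
    """RAM policies allow a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return (statement_index, rule, value) for each least-privilege finding."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                findings.append((i, "wildcard-action", action))
        for resource in _as_list(stmt.get("Resource")):
            if "*" in resource:
                findings.append((i, "wildcard-resource", resource))
        if not stmt.get("Condition"):
            findings.append((i, "no-condition", None))
    return findings


if __name__ == "__main__":
    for name, doc in (("broad", SAMPLE_BROAD), ("scoped", SAMPLE_SCOPED)):
        print(name, lint_policy(doc))
```

A `no-condition` finding is a prompt for review rather than an error, since `Condition` is an optional policy element.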

## FAQ

Q: Which path should I start with?  
A: Start with the **workspace interface** if you’re managing a team within one project. Only use the API path if you need automation, cross-account access, or are working specifically with `PAIRecService`.

Q: What if I need to grant access to a service account but used the workspace interface?  
A: You’ll hit a limitation: the workspace UI only accepts human `member UID`s and predefined roles—it cannot assign permissions to service roles or external accounts.

Q: What if I try to define a custom role like “ModelViewer” using the console?  
A: You’ll be blocked—the console only supports the seven predefined roles (e.g., `PAI.AlgoDeveloper`, `PAI.WorkspaceAdmin`). Custom roles require RAM policy definition via API.

Q: Can I use the API method to manage regular team members in a workspace?  
A: Not effectively—the RAM API path is scoped to `PAIRecService` authorization and doesn’t integrate with workspace membership APIs like `CreateMember` or `ListMembers`.

Q: Do both paths use the same authentication method?  
A: Both ultimately rely on Alibaba Cloud identity, but the console path uses session-based login, while the API path requires explicit credentials like `AccessKey` and uses `Authorization: Bearer $DASHSCOPE_API_KEY`.

Q: Where do I find the list of available workspace roles?  
A: Use the `ListWorkspaceRoles` API or navigate to **Console > AI WorkSpace > Workspaces > Roles**—this shows all assignable roles including `PAI.WorkspaceOwner` and `PAI.LabelManager`.

Q: Is there overlap between `role assignment` in workspaces and RAM `Policy` definitions?  
A: No—they operate at different layers. Workspace roles control UI and job-level access within a project; RAM policies control API-level access to specific services like `PAIRecService` using `ARN` and `Condition`.

