Platform For AI:Create and manage a workspace

Computing resource configuration

View and associate computing resources.

Member and role configuration

If multiple people (RAM users) need to manage, develop, or perform O&M in the same workspace, you can add them as workspace members and configure their roles. PAI provides various roles. You can view the mappings between roles and permissions and assign different roles to members as needed.

• Add a member or role

  

  You can add multiple roles to a single RAM user. The system supports the following roles:

  Role type	Description
  Basic roles	Basic roles include the following: Administrator: Has permissions to edit workspace members, manage resource groups, and manage all assets within the workspace. Algorithm developer: Has permissions to perform development and model training in the workspace. Algorithm O&M engineer: Has permissions for task priority management, model publishing, and online service monitoring. Labeling administrator: Has operational permissions for iTAG. Visitor: Has read-only permissions on various assets in the workspace.
  Computing resource roles	This role type currently refers to MaxCompute development, which is the developer role in DataWorks. It includes permissions related to MaxCompute data development. You can add this role to RAM users who submit tasks from PAI to MaxCompute for execution.
  Custom roles	Entry point for adding custom roles: Permission description: No permissions: Has no permissions in the specified product module. Read-only: Can view resources that they own and public resources in the specified product module. Editable and runnable: Can edit and run their own resources in the specified product module. Full control: Has management permissions for all resources in the specified product module.

• Modify a member's role

  

  The relationships between members and roles are as follows:

  • Each member must have at least one role.

  • You cannot delete the Owner role. The Alibaba Cloud account or RAM user that creates a workspace automatically becomes the Owner of that workspace. The owner has permissions to edit workspace members, reference and manage resource groups, and manage all assets in the workspace.

  • DataWorks and PAI workspaces are interconnected. The Administrator, Visitor, and Developer roles are shared between them. If a member's Administrator, Visitor, or Developer role is removed in PAI and it is their last role in the DataWorks workspace, DataWorks automatically deletes the member. This triggers an entity transfer.

Scheduling configuration

PAI provides a workspace-level resource management and scheduling mechanism. This mechanism allows administrators to flexibly configure resource scheduling based on different business needs and scenarios.

Event notification configuration

PAI provides a workspace-level event hub. You can create event rules to track and monitor the status of DLC jobs or workflow tasks, or trigger downstream events based on changes in the version admission status of models in AI Asset Management.

1. (Optional) Authorize notification rules.

   When you create a notification rule for the first time, you must activate EventBridge and grant one-click authorization to the PAIWorkSpace service account. Perform the following steps:

   1. Activate EventBridge.

      To simplify account management, PAI automatically creates a custom event bus for each workspace named pai-system-${WorkspaceName}. You can go to the EventBridge console, switch to your region, and view and manage the list of custom event buses.

   2. Click Authorize Now to grant PAI permission to access cloud resources.

      The system automatically creates the AliyunServiceRoleForPAIWorkspace service-linked role. For more information about this role, see Appendix: Service-linked role for PAI workspaces.

      

   3. Use the following code to create a custom policy and grant permissions to a RAM user.

      { "Statement": [{ "Effect": "Allow", "Action": [ "eventbridge:CreateEventBus", "eventbridge:GetEventBus", "eventbridge:DeleteEventBus", "eventbridge:ListEventBuses", "eventbridge:CreateRule", "eventbridge:GetRule", "eventbridge:UpdateRule", "eventbridge:EnableRule", "eventbridge:DisableRule", "eventbridge:DeleteRule", "eventbridge:ListRules", "eventbridge:PutEvents", "eventbridge:UpdateTargets", "eventbridge:DeleteTargets", "eventbridge:ListTargets" ], "Resource": "acs:eventbridge:*:*:eventbus/*" }], "Version": "1" }

2. Create an event rule.

   

   Parameter	Description
   Event type	The following event types are supported: Workflow task: A Designer workflow task. Event types include task failure and task completion (including success and failure). DLC job: A DLC job. Event types include task progress (such as entering queue, starting bidding, starting to run, and task failure), automatic fault tolerance, task timeout (requires configuring a timeout rule in Scheduling configuration), and other events (such as task preempted and task manually stopped). Model: A model registered in AI Asset Management. Event types include model version approved for release (status changes from Pending to Approved) and model version status change (including approved for release and not approved for release).
   Event target	DingTalk notification: Configure the Webhook and Signature Key parameters. For information about how to obtain the parameter values, see Appendix: Obtain a webhook and a key. After configuration, click Test Connectivity to verify the settings. HTTP/HTTPS: This option is available only when the event type is Model. Configure the URL parameter with the specified HTTP(S) endpoint. The specified HTTP(S) interface is automatically called when the model version status changes. The specified interface must parse the request according to the standard template. Voice call: This option is available only when the event type is Workflow task or DLC job. Configure the contacts. If no contacts are available, you can configure message receiving settings. Text message: The configuration method is the same as for voice calls. Email: The configuration method is the same as for voice calls. Important The default number of event targets per rule is 5. If this does not meet your needs, you can apply for a quota increase. We recommend applying for a quota of no more than 100. Note: When you configure voice calls, text messages, and emails, each added contact consumes one quota unit (contacts are counted without deduplication). For example, if you add Alice and Tony as contacts for text messages, and Alice and Alan for emails, the total quota consumed is 4.

Storage path configuration

Configure the default storage path for the workspace.

• Configure a default storage location for the workspace. This location can be used to store temporary data and models generated during tasks, such as training, which simplifies unified management.

• If a Workflow Data Storage path is also set in Designer, the Workflow Data Storage path takes precedence when a workflow runs.

SLS forwarding configuration

Configure the forwarding of logs from DSW instances and DLC jobs in the current workspace to Simple Log Service (SLS) for custom analysis.

General configuration

This section provides feature switches that allow you to control access permissions to DLC job node containers. It also provides switches to enable Secure Shell (SSH) connections and public network access to DSW instances. These settings can improve the flexibility and security of instance access.