Create and manage a workspace

A workspace is the top-level organizational unit in PAI. It gives teams a single place to manage compute resources, control access permissions, collaborate on AI development, and organize AI assets.

Limitations

  • Only workspace administrators and the workspace owner can modify workspace configuration.

  • Voice calls, SMS, and email in event notifications are only available in the China (Hangzhou), China (Shanghai), and China North 6 (Ulanqab) regions.

Prerequisites

  • Alibaba Cloud account (primary account): The primary account can perform all operations without additional authorization.

  • RAM user (sub-account): The RAM user requires the AliyunPAIFullAccess permission. AliyunPAIFullAccess grants all PAI permissions. Grant this policy with caution. Using the primary account is recommended.

    Note

    To grant a RAM user read/write access to a specific workspace only, add that RAM user as a workspace member directly. No additional RAM policy configuration is required.

Create a workspace

  1. Go to PAI - Workspace list and click Create Workspace.

  2. Follow the prompts to configure Workspace Name, Alibaba Cloud Resource Group, and other settings.

    Note

    Members and roles, default storage, and associated resources can be configured after the workspace is created, on the workspace details page.

Configure a workspace

Compute resources

A workspace can be associated with or detached from the following compute resources:

For a full overview of AI compute resources, see AI computing resources.

Members and roles

When multiple RAM users manage, develop, or operate within the same workspace, add them as workspace members and assign roles accordingly.

PAI provides system default roles (basic roles and compute resource roles). To see role-to-permission mappings, see Role and permission mapping. Custom roles are also supported.

Supported role types:

Role type

Description

Basic roles

Basic roles include:

  • Administrator: Can edit workspace members, manage resource groups, and manage all assets in the workspace.

  • Algorithm Developer: Can develop and train models in the workspace.

  • Algorithm O&M Engineer: Can manage task priorities, publish models, and monitor online services.

  • Labeling Administrator: Can perform intelligent labeling operations.

  • Visitor: Has read-only access to all assets in the workspace.

Compute resource roles

The compute resource role currently refers to MaxCompute development, which is the DataWorks developer role and grants MaxCompute data development permissions. Assign this role to RAM users who submit jobs from PAI to MaxCompute.

Custom roles

  • How to create: On the Workspace configuration page, go to Configure Member and Role > Workspace Role, and click Create Custom Role. A configuration panel slides in from the right.

  • Permission levels:

    • No Permissions: No access to the specified product module.

    • Read-only: Can view resources owned by the user and publicly visible resources in the specified product module.

    • Modify/Execute: Can edit and run resources owned by the user in the specified product module.

    • Full Access: Has full management access to all resources in the specified product module.

Member and role constraints:

  • Each member must have at least one role.

  • The Owner role can't be deleted. The Alibaba Cloud account or RAM user who creates the workspace automatically becomes its Owner, with permissions to edit workspace members, manage resource groups, and manage all assets in the workspace.

  • PAI and DataWorks workspaces are connected at the underlying level. Three roles are shared between them: PAI's workspace administrator, visitor, and MaxCompute development map to DataWorks' workspace administrator, visitor, and developer respectively. If a member's shared role is removed in PAI and that role was their last role in the DataWorks workspace, DataWorks automatically removes that member, which triggers Entity transfer.

Resource visibility:

DSW instances, DLC jobs, and EAS services in a PAI workspace support visibility controls:

  • Visible to Creator Only: Only the resource creator and workspace administrators can view the resource.

  • Visible in Workspace: All members of the workspace can view the resource.

Note

Regardless of visibility settings, workspace administrators can view and manage all resources in the workspace.

Sharing a workspace across organizations:

Workspace administrators can view all members' resources. For this reason, we recommend against sharing a workspace across multiple organizations or teams. If sharing is required:

  1. Restrict role assignments carefully. Don't grant workspace administrator to members from other organizations.

  2. Set sensitive resources to Visible to Creator Only to limit their exposure.

Scheduling

PAI provides workspace-level resource management and scheduling. Administrators can flexibly configure resource scheduling based on different business needs and usage scenarios. For details, see Scheduling Configuration.

Event notifications

Configure event notifications to track and monitor the status of DLC jobs, pipeline jobs, and DSW instances, or to automatically trigger downstream actions when a model version status changes. For details, see Event notification configuration.

Storage path

  • Configure a default OSS path to store temporary data and models generated during jobs. This keeps storage centrally managed.

  • If Data Storage is also configured in Designer, the Data Storage path takes precedence when running pipelines.

SLS log forwarding

DLC job logs in the current workspace can be forwarded to Log Service (SLS) for custom analysis. For details, see Subscribe to job logs.

General settings

Important

After toggling any of the following settings, restart the instance for the change to take effect.

  • Public Resource Group:

    • Default Network Configuration: Administrators can set default network configurations for the workspace, such as the VPC and security group. Centralizing this configuration helps enforce consistent access controls.

  • DLC Configurations:

    • Go to Node Container: Controls whether users can access the compute node containers of DLC jobs for debugging. When enabled, authorized users can open a terminal to access the container.

  • DSW settings:

    • SSH Logon to Instance from Internet: Controls whether users can SSH into instances over the public internet.

    • Open Instance from Internet: Controls whether users can access DSW instances from the public internet.

    • Rate Limit for Internet Access: When using a dedicated gateway for public internet access, controls whether bandwidth for DSW instances is throttled. Enabling this prevents a single instance from consuming excessive bandwidth, ensuring stable shared resource access.

Delete a workspace

Important

Before deleting a workspace, clean up DSW instances, EAS services, and other resources inside it to avoid ongoing charges from residual resources.

Deleting a workspace in PAI also deletes the DataWorks workspace with the same name.

Deleting a workspace doesn't delete resource quotas bound to that workspace.

The deleted workspace is moved to the recycle bin and kept for 14 days. It can be restored during this period. After 14 days, the workspace and all its resources — DSW instances, DLC jobs, EAS services, PAIFlow jobs, LangStudio applications, and others — are permanently deleted.

FAQ

Q: "Name already exists" error when creating a workspace

If you see a "name already exists" error but no workspace with that name appears in the PAI workspace list, a DataWorks workspace with the same name likely exists. Because PAI and DataWorks workspaces share the same underlying namespace, use a different name to ensure uniqueness.

Q: No data shown in the SLS log list when configuring SLS log forwarding

Error: Unauthorized error — denied by sts or ram, action: log:ListProject, resource: acs:log.....

Cause: The user lacks permission to read the SLS log store.

Solution: Grant log store permissions to the user:

  1. Log in to the RAM console. In the left navigation pane, go to Permission Management > Authorizations, then click Create Authorization.

  2. Set the principal to the RAM user or RAM role, and select AliyunLogFullAccess as the policy.

  3. For finer-grained SLS permission configuration, go to the Log Service console, open the target project, click the More icon, select Permission Helper from the menu, and generate a custom RAM policy.

Q: Request fails when configuring SLS log forwarding

Error: Modify configuration failed [SLS] cannot init client for sis service: com.alibaba.pai.workspace.common.exception.ServiceExceptionV2: No Privilege error: {0}

Cause: The user lacks permission to enable or disable SLS log forwarding.

Solution: Log in to the RAM console and create a custom policy that grants log forwarding permissions.

Use the following policy. For instructions on creating a custom policy, see Create a custom policy:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "log:GetProductDataCollection",
                "log:CloseProductDataCollection",
                "log:OpenProductDataCollection"
            ],
            "Resource": "*"
        }
    ]
}

For more granular control, replace the Resource value with the specific resource ARN.
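
The check below is an added example, not part of the PAI documentation: it flags wildcard Action and Resource values in the Allow statements of a RAM policy such as the one above, and returns a copy scoped to specific resources. The function names and the PLACEHOLDER_ARN value are assumptions made for illustration; substitute the real resource ARN before use.

```python
import copy

# The policy from the page, used as the input to check.
PAGE_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "log:GetProductDataCollection",
            "log:CloseProductDataCollection",
            "log:OpenProductDataCollection",
        ],
        "Resource": "*",
    }],
}

# Placeholder, not a real ARN: substitute the ARN of the resource to scope to.
PLACEHOLDER_ARN = "<specific-resource-ARN>"


def as_list(value):
    """Action and Resource may each be a single string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def find_wildcards(policy):
    """Return (statement index, field, value) for every wildcard an Allow grants."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # a wildcard in a Deny statement does not widen access
        for field in ("Action", "Resource"):
            for value in as_list(stmt.get(field)):
                if "*" in value:
                    findings.append((idx, field, value))
    return findings


def scope_resources(policy, arns):
    """Return a copy with Resource "*" in Allow statements replaced by arns."""
    scoped = copy.deepcopy(policy)
    for stmt in scoped.get("Statement", []):
        if stmt.get("Effect") == "Allow" and as_list(stmt.get("Resource")) == ["*"]:
            stmt["Resource"] = list(arns)
    return scoped


if __name__ == "__main__":
    print("before:", find_wildcards(PAGE_POLICY))
    print("after: ", find_wildcards(scope_resources(PAGE_POLICY, [PLACEHOLDER_ARN])))
```

Running the same check over every custom policy attached to workspace members shows which grants still apply to all resources.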

Q: How do I restore a deleted workspace or clean up residual resources?

After a workspace is deleted, its data sources and compute resources are moved to the recycle bin for 14 days.

Any DSW instances, DLC jobs, EAS services, and other resources that weren't cleaned up before deletion continue to accrue charges until they're permanently deleted after 14 days. To stop charges immediately, restore the workspace first, then delete the resources.

Steps:

  1. Access the recycle bin through one of the following entries, find the target workspace, and restore it.

    Important

    In the recycle bin, switch the region in the upper-left corner to the region where the deleted workspace was located.

  2. After restoring the workspace, delete the DSW instances, EAS services, and other resources inside it.

  3. After confirming all billable resources are deleted, go to the Workspaces page in the PAI console and delete the workspace.

Finding hidden resources: If some resources don't appear in the EAS service list after restoring the workspace (for example, EAS services created through ModelScope authorization), use the following methods to locate them:

  • Check the ActionTrail console to confirm the resource creation status.

  • Switch to the correct workspace and check the EAS instance list for any running instances.