In PAI, a workspace is the top-level unit for managing compute resources, user permissions, and AI assets. It provides a collaborative environment with end-to-end tools for the entire AI development lifecycle. This topic explains how to create and configure a workspace.
Limitations
Only workspace Administrators or Owners can modify workspace configurations.
The voice call, SMS, and email features for event notification are available only in the China (Hangzhou), China (Shanghai), and China (Ulanqab) regions.
Prerequisites
Alibaba Cloud account (main account): A main account can perform all operations without requiring additional authorization.
RAM user: A RAM user must have the AliyunPAIFullAccess permission. The AliyunPAIFullAccess policy grants full permissions for all PAI operations. Assign this policy with caution. We recommend using a main account for administrative tasks.
Create a workspace
Go to the PAI workspace list and click Create Workspace.
Follow the wizard to configure settings such as the Workspace Name and Alibaba Cloud Resource Group.
Note: After the workspace is created, you can configure members and roles, default storage, and associated resources on the workspace details page.
Configure a workspace
Compute resources
You can associate or disassociate the following compute resources:
Intelligent Computing Lingjun Resources: Provides high-performance compute resource groups for model development and training. For more information, see AI compute resource usage guide.
General Computing Resources: Provides dedicated general computing resources to accelerate AI development and training. For more information, see Create a resource group and purchase General Computing Resources.
MaxCompute Resources:
Supports CPU resources from MaxCompute for specific algorithms in Designer. For more information, see MaxCompute resource quotas.
You can create a new MaxCompute project or bind an existing one.
Fully Managed Flink Resources: Used for large-scale distributed model training in PAI. For more information, see Fully Managed Flink resource management.
For more information about AI compute resources, see AI compute resources.
Members and roles
To allow multiple RAM users to perform management, development, or O&M tasks in the same workspace, add them as members and assign appropriate roles.
PAI provides system-defined roles, including basic roles and compute resource roles. You can view the mapping between roles and permissions and assign roles to members based on your needs. If the system-defined roles do not meet your requirements, you can create custom roles.
Supported role types:
Role type
Description
Basic role
The basic roles are:
Administrator: Grants permissions to manage workspace members, resource groups, and all assets within the workspace.
Algorithm Developer: Grants permissions to perform development and model training within the workspace.
Algorithm O&M Engineer: Grants permissions to manage task priorities, model deployments, and online service monitoring.
Labeling Administrator: Grants permissions for intelligent labeling operations.
Visitor: Grants read-only access to all assets in the workspace.
Compute resource role
This role currently refers to MaxCompute development, which corresponds to the developer role in DataWorks. It grants permissions related to MaxCompute data development. You can assign this role to RAM users who submit jobs from PAI to run on MaxCompute.
Custom role
Entry point: On the Workspace Configuration page, choose , and then click Create Custom Role. A configuration panel appears on the right.
Permission levels:
No Permissions: Grants no permissions in the specified product module.
Read-only: Grants permissions to view your own resources and public resources in the specified product module.
Modify/Execute: Grants permissions to modify and run your own resources in the specified product module.
Full Access: Grants permissions to manage all resources in the specified product module.
Rules for members and roles:
Each member must have at least one role.
You cannot remove the Owner role. The Alibaba Cloud account or RAM user that creates the workspace is automatically assigned the Owner role. This role grants permissions to edit workspace members, reference and manage resource groups, and manage all assets in the workspace.
DataWorks and PAI workspaces are interconnected. The Administrator, Visitor, and Developer roles are shared by both services. If you remove a member from one of these roles in PAI, and that role is the member’s last role in the DataWorks workspace, DataWorks automatically removes the member and triggers an entity transfer.
Resource scheduling
PAI provides workspace-level resource management and scheduling mechanisms. Administrators can flexibly configure resource scheduling based on different business requirements and use cases. For more information, see Resource scheduling.
Event notification
Configure event notifications to track and monitor the status of DLC jobs, pipeline jobs, and DSW instances, or to trigger downstream operations automatically when a model version changes its status. For more information, see Event notification.
Storage paths
We recommend configuring an OSS path as the default storage path. This path stores temporary data and models from tasks, simplifying data management.
If Data Storage is also configured in Designer, the Data Storage path takes precedence when you run a pipeline.
SLS forwarding
You can forward DLC job logs in the current workspace to Log Service (SLS) for custom analysis. For more information, see Subscribe to job logs.
General settings
General settings provide the following feature toggles. You must restart any running instances for the changes to take effect.
Public Resource Group:
Default Network Configuration: Administrators can set default network settings in the workspace, such as the VPC and security group. Centralized configuration helps you effectively control permissions.
DLC Configurations:
Go to Node Container: Controls whether users can access the compute node containers of DLC jobs for debugging or troubleshooting. If this feature is enabled, authorized users can access the containers with a terminal.
DSW configurations:
SSH Logon to Instance from Internet: Controls whether users can log on to DSW instances over the internet by using SSH.
Open Instance from Internet: Controls whether users can access DSW instances from the internet.
Rate Limit for Internet Access: Limits the network speed of DSW instances when they access the internet through a dedicated NAT gateway. This feature prevents a single instance from consuming excessive bandwidth and ensures the stability of shared resources.
FAQ
Q: 'Name already exists' error when creating a workspace
If you receive this error but do not see a workspace with the same name in your PAI workspace list, a workspace with that name may exist in DataWorks. Because PAI and DataWorks workspaces are interconnected, we recommend using a name that is unique across both services.
Q: Empty list when configuring SLS log forwarding
Error message: An 'Unauthorized' error occurs with the message: denied by sts or ram, action: log:ListProject, resource: acs:log......
Cause: The user does not have permission to read the SLS Logstores.
Solution: Grant the required permissions to the user. Follow these steps:
Log on to the Resource Access Management (RAM) console. In the left-side navigation pane, choose Permissions > Grants, and then click Grant Permission.
Set the Principal to a RAM user or RAM role, and select the AliyunLogFullAccess policy.
For fine-grained SLS permission control, go to the Log Service console. In the project to which you want to grant permissions, click the More Applications icon, choose Permission Assistant, and generate a custom RAM policy.
Q: Request fails when configuring SLS log forwarding
Error message: Modify configuration failed [SLS] cannot init client for sis service: com.alibaba.pai.workspace.common.exception.ServiceExceptionV2: No Privilege error: {0}
Cause: The user does not have permission to enable or disable log forwarding for the SLS Logstore.
Solution: Log on to the Resource Access Management (RAM) console and create a custom policy to grant log forwarding permissions to the user.
Use the following custom policy. For instructions, see Create a custom policy.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "log:GetProductDataCollection",
        "log:CloseProductDataCollection",
        "log:OpenProductDataCollection"
      ],
      "Resource": "*"
    }
  ]
}
For more fine-grained control, replace the value of Resource with the specific resources you want to authorize.
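The following check is an added example, not part of the original documentation or of any Alibaba Cloud tooling: it reviews a RAM policy document before you attach it and reports Allow statements that are broader than the three log forwarding actions above or that still use a wildcard Resource. The function names and the placeholder resource string are assumptions for illustration; take the real resource ARN for your SLS project from the Log Service authorization documentation.

```python
import json

# The three actions the page's policy grants for SLS log forwarding.
EXPECTED_ACTIONS = {
    "log:GetProductDataCollection",
    "log:CloseProductDataCollection",
    "log:OpenProductDataCollection",
}

def _as_list(value):
    """RAM policies accept a single string or a list for Action/Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def audit_policy(policy, expected_actions=EXPECTED_ACTIONS):
    """Return findings for Allow statements broader than expected."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # tolerate a single statement object
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                findings.append(f"Statement[{i}]: wildcard action {action!r}")
            elif action not in expected_actions:
                findings.append(f"Statement[{i}]: unexpected action {action!r}")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append(f"Statement[{i}]: Resource '*' covers every resource")
    return findings

# The policy exactly as shown on this page.
PAGE_POLICY = json.loads("""{"Version": "1", "Statement": [{"Effect": "Allow",
  "Action": ["log:GetProductDataCollection", "log:CloseProductDataCollection",
             "log:OpenProductDataCollection"], "Resource": "*"}]}""")

# Constructed placeholder resource; substitute the real ARN of your SLS project.
SCOPED_POLICY = json.loads(json.dumps(PAGE_POLICY))
SCOPED_POLICY["Statement"][0]["Resource"] = "acs:log:<region>:<account-id>:project/<project-name>"

if __name__ == "__main__":
    for name, pol in (("page policy", PAGE_POLICY), ("scoped policy", SCOPED_POLICY)):
        print(name, "->", audit_policy(pol) or "no findings")
```
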