AgentLoop uses RAM policies for fine-grained permission management. This topic provides a set of role permission policy templates (R1 to R5, including Prompt and MSE overlay templates) that a RAM administrator can use to grant team members read-only, operational, or administrative permissions following the principle of least privilege.
Template overview
The RAM policy templates provided by AgentLoop fall into two groups: core permissions (R1 to R4, layered incrementally) and standalone overlay templates (R2-P, R3-P, R5). Choose a combination of templates according to the role's needs.
| Template | Role | Type | Permission scope |
|---|---|---|---|
| R1 | Read-only observer | Base | List/Get permissions on all resources |
| R2 | Regular user | Incremental | Create and update experiment plans, evaluation tasks, datasets, and memory stores; SLS log queries |
| R3 | Module administrator | Incremental | Delete and advanced management of each module's resources (endpoint connectors, unified models, entity stores, service observability, business traces) |
| R4 | Workspace administrator | Incremental | Create and delete workspaces |
| R2-P | Prompt regular user | Standalone overlay | Create, update, and optimize-invoke Prompts and their versions (depends on the airegistry service) |
| R3-P | Prompt administrator | Incremental | Delete Prompts and their versions (layered on R2-P) |
| R5 | Platform initialization administrator | Standalone overlay | Check and initialize the MSE service-linked role (needed only on first use) |
Role combination examples
Combine the templates into a complete permission policy according to your actual needs.
| Role | Template combination | Use case |
|---|---|---|
| Regular user | R1 + R2 | Run experiments and evaluation tasks and manage datasets and memory stores, but cannot delete resources |
| Module administrator | R1 + R2 + R3 | Manage the full life cycle of all module resources, but cannot create or delete workspaces |
| Full administrator | R1 + R2 + R3 + R4 | All management permissions at the workspace level |
| Regular user with Prompt capability | R1 + R2 + R2-P | Regular user plus permission to create Prompts and manage their versions |
| Module administrator with Prompt capability | R1 + R2 + R3 + R2-P + R3-P | Manage all module resources and also hold full Prompt management permissions |
| First-deployment administrator | R1 + R2 + R3 + R4 + R5 | Used when AgentLoop is deployed for the first time; R5 can be removed once initialization is complete |
Placeholder replacement
The templates below follow a single-workspace least-privilege policy. Replace the placeholders in each template with actual values before use.
| Placeholder | Applicable templates | Description |
|---|---|---|
| {regionId} | R1 to R4 | Region ID |
| {accountId} | R1 to R4 | Alibaba Cloud account ID |
| {workspaceName} | R1 to R4 | Workspace name |
| {datasetName} | R2, R3 | Dataset name |
| {memoryStoreName} | R2, R3 | Memory store name |
| {connectorId} | R1, R3 | Endpoint connector ID |
| {serviceType} | R1, R3 | Service observability type |
| {bizTraceId} | R1, R3 | Business trace ID |
| {taskId} | R2 | Evaluation task ID |
| {jobName} | R2, R3 | Dataset download job name |
| {projectName} | R2 | SLS log project name |
| {aiRegistryInstanceId} | R2-P, R3-P | AI Registry instance ID |
| {namespaceName} | R2-P, R3-P | Prompt namespace name |
Incremental combination policy
R1 to R4 use an incremental layering model: each higher-level role adds permissions on top of the lower-level role.
R1 read-only observer = R1 base template
R2 regular user = R1 + R2 incremental template
R3 module administrator = R1 + R2 + R3 incremental template
R4 workspace administrator = R1 + R2 + R3 + R4 incremental template
If access to multiple workspaces is required, duplicate the corresponding Statement for each workspace and replace {workspaceName}; do not widen the resource path to workspace/*.
Attach the Prompt (R2-P, R3-P) and MSE (R5) permissions as separate policies; do not merge them with the cms:* main policy into one oversized policy.
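The layering and single-workspace rules above, as an added example that is not part of this page or of AgentLoop's own tooling: a small Python helper that merges template Statements, copies each Statement that mentions {workspaceName} once per workspace instead of widening it to workspace/*, fills the other placeholders, and lints the result for placeholders left unreplaced or for a non-List action granted on workspace/*. The template fragments are cut down from the page's R1 and R4 templates, and the region ID, account ID, and workspace names are constructed sample values.

```python
import json
import re

# Constructed, cut-down fragments of the page's R1 and R4 templates; the
# page's full templates carry many more Statements.
R1_FRAGMENT = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["cms:ListWorkspaces"],
     "Resource": ["acs:cms::{accountId}:workspace/*"]},
    {"Effect": "Allow", "Action": ["cms:GetWorkspace", "cms:GetExperimentPlan"],
     "Resource": ["acs:cms:{regionId}:{accountId}:workspace/{workspaceName}"]},
]}
R4_FRAGMENT = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["cms:PutWorkspace", "cms:DeleteWorkspace"],
     "Resource": ["acs:cms:{regionId}:{accountId}:workspace/{workspaceName}"]},
]}

PLACEHOLDER = re.compile(r"\{(\w+)\}")  # matches {regionId}, {accountId}, ...


def compose(templates, values, workspaces):
    """Merge the Statements of several templates into one policy.
    A Statement mentioning {workspaceName} is copied once per workspace (the
    page's rule) rather than widened to workspace/*. Other placeholders are
    filled from `values`; unknown ones stay in place so lint() can flag them."""
    statements = []
    for template in templates:
        for stmt in template["Statement"]:
            text = json.dumps(stmt)
            copies = ([text.replace("{workspaceName}", ws) for ws in workspaces]
                      if "{workspaceName}" in text else [text])
            for copy in copies:
                filled = PLACEHOLDER.sub(lambda m: values.get(m.group(1), m.group(0)), copy)
                statements.append(json.loads(filled))
    return {"Version": "1", "Statement": statements}


def lint(policy):
    """List what a RAM administrator must fix before saving: placeholders never
    replaced, and a non-List action granted on a workspace/* wildcard."""
    problems = []
    for stmt in policy["Statement"]:
        all_list = all(a.split(":", 1)[1].startswith("List") for a in stmt["Action"])
        for res in stmt["Resource"]:
            for name in PLACEHOLDER.findall(res):
                problems.append(f"unreplaced placeholder {{{name}}} in {res}")
            if res.endswith(":workspace/*") and not all_list:
                problems.append(f"non-List action on wildcard workspace: {res}")
    return problems
```

Run lint() on the composed policy before pasting it into the RAM console; an empty list means every placeholder was filled and no workspace/* wildcard carries a write or delete action.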
Template details
R1 read-only observer base template
The R1 template grants read-only permissions on all AgentLoop resources, covering workspaces, experiment plans, evaluation tasks, datasets, memory stores, endpoint connectors, unified models, entity stores, service observability, and business traces.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cms:ListWorkspaces"
      ],
      "Resource": [
        "acs:cms::{accountId}:workspace/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:GetWorkspace",
        "cms:ListExperimentPlans",
        "cms:GetExperimentPlan",
        "cms:ListExperimentTasks",
        "cms:GetExperimentTask",
        "cms:GetEvaluationTask",
        "cms:GetEvaluationRun"
      ],
      "Resource": [
        "acs:cms:{regionId}:{accountId}:workspace/{workspaceName}"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:ListEvaluationTasks",
        "cms:ListEvaluationRuns"
      ],
      "Resource": [
        "acs:cms:{regionId}:{accountId}:workspace/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:ListDatasets"
      ],
      "Resource": [
        "acs:cms:{regionId}:{accountId}:workspace/{workspaceName}/dataset/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:GetDataset"
      ],
      "Resource": [
        "acs:cms:{regionId}:{accountId}:workspace/{workspaceName}/dataset/{datasetName}"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:ListMemoryStores"
      ],
      "Resource": [
        "acs:cms:{regionId}:{accountId}:workspace/{workspaceName}/memorystore/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:GetMemoryStore"
      ],
      "Resource": [
        "acs:cms:{regionId}:{accountId}:workspace/{workspaceName}/memorystore/{memoryStoreName}"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:ListEndpointConnectors"
      ],
      "Resource": [
        "acs:cms:{regionId}:{accountId}:endpointconnector/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:GetEndpointConnector"
      ],
      "Resource": [
        "acs:cms:{regionId}:{accountId}:workspace/{workspaceName}/endpointconnector/{connectorId}"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:GetUmodel",
        "cms:GetUmodelData"
      ],
      "Resource": [
        "acs:cms:{regionId}:{accountId}:workspace/{workspaceName}/umodel"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:GetEntityStore",
        "cms:GetEntityStoreData"
      ],
      "Resource": [
        "acs:cms:{regionId}:{accountId}:workspace/{workspaceName}/entitystore"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:GetServiceObservability",
        "cms:GetServiceDictionary"
      ],
      "Resource": [
        "acs:cms:{regionId}:{accountId}:workspace/{workspaceName}/service-observability/{serviceType}"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:ListBizTraces"
      ],
      "Resource": [
        "acs:cms:{regionId}:{accountId}:biztrace/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:GetBizTrace"
      ],
      "Resource": [
        "acs:cms:{regionId}:{accountId}:biztrace/{bizTraceId}"
      ]
    }
  ]
}
```
R2 regular user incremental template
The R2 template adds to R1 the permissions to create and update experiment plans, evaluation tasks, datasets, and memory stores, plus SLS log query permissions.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cms:CreateExperimentPlan",
        "cms:UpdateExperimentPlan",
        "cms:CreateExperimentTask",
        "cms:StopExperimentTask",
        "cms:CreateEvaluationTask",
        "cms:UpdateEvaluationRun"
      ],
      "Resource": [
        "acs:cms:{regionId}:{accountId}:workspace/{workspaceName}"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:UpdateEvaluationTask"
      ],
      "Resource": [
        "acs:cms:{regionId}:{accountId}:workspace/{workspaceName}/evaluationtask/{taskId}"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:CreateDataset",
        "cms:UpdateDataset"
      ],
      "Resource": [
        "acs:cms:{regionId}:{accountId}:workspace/{workspaceName}/dataset/{datasetName}"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:CreateDatasetDownloadJob",
        "cms:CancelDatasetDownloadJob"
      ],
      "Resource": [
        "acs:cms:{regionId}:{accountId}:workspace/{workspaceName}/dataset/{datasetName}/datasetdownloadjob/{jobName}"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:CreateMemoryStore",
        "cms:UpdateMemoryStore"
      ],
      "Resource": [
        "acs:cms:{regionId}:{accountId}:workspace/{workspaceName}/memorystore/{memoryStoreName}"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "log:ListLogStores"
      ],
      "Resource": [
        "acs:log:{regionId}:{accountId}:project/{projectName}/logstore/*"
      ]
    }
  ]
}
```
To query multiple log projects, duplicate the Statement once for each {projectName}.
R3 module administrator incremental template
The R3 template adds to R1 + R2 the delete and advanced management permissions for each module's resources, covering experiment plans, evaluation tasks, datasets, memory stores, endpoint connectors, unified models, entity stores, service observability, and business traces.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cms:DeleteExperimentPlan",
        "cms:DeleteEvaluationTask",
        "cms:DeleteEvaluationRun"
      ],
      "Resource": [
        "acs:cms:{regionId}:{accountId}:workspace/{workspaceName}"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:DeleteDataset"
      ],
      "Resource": [
        "acs:cms:{regionId}:{accountId}:workspace/{workspaceName}/dataset/{datasetName}"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:DeleteDatasetDownloadJob"
      ],
      "Resource": [
        "acs:cms:{regionId}:{accountId}:workspace/{workspaceName}/dataset/{datasetName}/datasetdownloadjob/{jobName}"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:DeleteMemoryStore",
        "cms:ListMemoryStoreAPIKeys",
        "cms:CreateMemoryStoreAPIKey",
        "cms:DeleteMemoryStoreAPIKey"
      ],
      "Resource": [
        "acs:cms:{regionId}:{accountId}:workspace/{workspaceName}/memorystore/{memoryStoreName}"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:ValidateMemoryStoreAPIKey"
      ],
      "Resource": [
        "acs:cms:{regionId}:{accountId}:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:CreateEndpointConnector"
      ],
      "Resource": [
        "acs:cms:{regionId}:{accountId}:workspace/{workspaceName}/endpointconnector/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:UpdateEndpointConnector",
        "cms:DeleteEndpointConnector"
      ],
      "Resource": [
        "acs:cms:{regionId}:{accountId}:workspace/{workspaceName}/endpointconnector/{connectorId}"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:CreateUmodel",
        "cms:UpdateUmodel",
        "cms:DeleteUmodel",
        "cms:UpsertUmodelData",
        "cms:DeleteUmodelData"
      ],
      "Resource": [
        "acs:cms:{regionId}:{accountId}:workspace/{workspaceName}/umodel"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:CreateEntityStore",
        "cms:DeleteEntityStore"
      ],
      "Resource": [
        "acs:cms:{regionId}:{accountId}:workspace/{workspaceName}/entitystore"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:CreateServiceObservability",
        "cms:UpdateServiceObservability",
        "cms:DeleteServiceObservability"
      ],
      "Resource": [
        "acs:cms:{regionId}:{accountId}:workspace/{workspaceName}/service-observability/{serviceType}"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:CreateBizTrace"
      ],
      "Resource": [
        "acs:cms:{regionId}:{accountId}:biztrace/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:UpdateBizTrace",
        "cms:DeleteBizTrace"
      ],
      "Resource": [
        "acs:cms:{regionId}:{accountId}:biztrace/{bizTraceId}"
      ]
    }
  ]
}
```
R4 workspace administrator incremental template
The R4 template adds to R1 + R2 + R3 the permissions to create and delete workspaces.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cms:PutWorkspace",
        "cms:DeleteWorkspace"
      ],
      "Resource": [
        "acs:cms:{regionId}:{accountId}:workspace/{workspaceName}"
      ]
    }
  ]
}
```
To manage multiple workspaces, duplicate the Statement once for each {workspaceName}. As written, the template is scoped to a single workspace under least privilege.
R2-P Prompt regular user overlay template
The R2-P template grants Prompt management permissions and depends on the AI Registry (airegistry) service. It covers namespace query and creation, Prompt creation and update, version management, and optimization invocation.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "airegistry:CreateNamespaceWithSource",
        "airegistry:ListNamespaceBySource",
        "airegistry:GetNamespace",
        "airegistry:GetSupportedModels"
      ],
      "Resource": [
        "acs:airegistry:*:*:instance/saas/{aiRegistryInstanceId}"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "airegistry:ListPrompts",
        "airegistry:ListPromptVersions",
        "airegistry:GetPrompt",
        "airegistry:GetPromptVersion",
        "airegistry:GetPromptVersionDetail",
        "airegistry:GetPromptGovernance",
        "airegistry:CreatePrompt",
        "airegistry:UpdatePrompt",
        "airegistry:CreatePromptVersion",
        "airegistry:UpdatePromptVersion",
        "airegistry:SubmitPromptVersion",
        "airegistry:InvokePromptOptimizeStream"
      ],
      "Resource": [
        "acs:airegistry:*:*:instance/saas/{aiRegistryInstanceId}/{namespaceName}/prompt",
        "acs:airegistry:*:*:instance/saas/{aiRegistryInstanceId}/{namespaceName}/prompt/*"
      ]
    }
  ]
}
```
If the namespace has already been pre-created by the platform, airegistry:CreateNamespaceWithSource can be removed from the template.
R3-P Prompt administrator incremental template
The R3-P template adds to R2-P the permissions to delete Prompts and Prompt versions.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "airegistry:DeletePrompt",
        "airegistry:DeletePromptVersion"
      ],
      "Resource": [
        "acs:airegistry:*:*:instance/saas/{aiRegistryInstanceId}/{namespaceName}/prompt/*"
      ]
    }
  ]
}
```
R5 platform initialization administrator overlay template
The R5 template grants the permissions to check and initialize the Microservices Engine (MSE) service-linked role. It is needed only the first time the AgentLoop platform is used; remove this policy once initialization is complete.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mse:CheckServiceLinkRole",
        "mse:InitializeServiceLinkRole"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```
Configuration steps
The account performing these steps must have permission to manage RAM permission policies. If you operate as a RAM user, make sure that user has been granted AliyunRAMFullAccess or a custom RAM management permission.
1. Log on to the RAM console.
2. In the left navigation pane, choose Permissions > Policies.
3. On the Policies page, click Create Policy.
4. On the Create Policy page, select script editing mode and paste the corresponding policy JSON from above into the editor.
5. Enter a policy name and click OK.
6. In the left navigation pane, choose Identities > Users.
7. Find the target RAM user and click Add Permissions.
8. In the Add Permissions panel, select the custom policy you just created and click OK.