Platform For AI: Grant the permissions that are required to use iTAG

Last Updated: Oct 11, 2024

The first time you use iTAG of Machine Learning Platform for AI (PAI), you must grant the Object Storage Service (OSS) access permissions to the service-linked role of iTAG. iTAG provides personnel roles for labeling operations, such as administrator, labeling team leader, or labeling worker. You can assign relevant roles to the RAM users you use to manage operation permissions. This topic describes how to grant permissions to an operation account, the permissions of the three labeling roles, and how to assign these roles to a RAM user.

Authorize the operation account

iTAG is an intelligent data labeling platform. In iTAG, you can label data of different modalities, such as images, text, videos, and audio, or multimodal data. You may need to activate and authorize the following cloud services when you use iTAG.

  • PAI module: iTAG

    | Operation account | Description | Reference |
    | --- | --- | --- |
    | Alibaba Cloud account | You can use an Alibaba Cloud account to perform operations on iTAG. No additional authorization is required. | N/A |
    | RAM user (recommended) | PAI provides different member roles. You can assign different member roles to RAM users for convenient permission management. For more information about the permissions of each role, see Appendix: Roles and permissions. | Manage members of a workspace |

  • Dependent cloud service: OSS

    The input and output of dataset labeling use OSS as a data source. Therefore, you need to activate and authorize OSS before you start labeling.

    Scenario

    Description

    Reference

    Activate OSS

    We recommend that you use an Alibaba Cloud account to activate Container Registry. No additional authorization is required. If you want to use a RAM user to activate OSS, you need to grant the AliyunOSSFullAccess permissions to the RAM user.

    Use OSS

    Use OSS after activation:

    • Authorization: OSS provides detailed RAM control policies. You can grant permissions to RAM users based on your business requirements.

    • Common operations: You need to create a bucket to upload objects to OSS.
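The difference between a blanket grant such as AliyunOSSFullAccess and a RAM policy scoped to the labeling bucket can be checked mechanically before the policy is attached to a RAM user. The following is an added example, not Alibaba Cloud code; the bucket name, the action set in the scoped policy, and both sample policy documents are assumptions constructed for illustration.

```python
import json

BUCKET = "example-itag-labeling"  # hypothetical bucket name

# Constructed policies. FULL_ACCESS has the shape of a blanket OSS grant;
# SCOPED limits a RAM user to the one bucket that holds the labeling data.
FULL_ACCESS = json.loads(
    '{"Version": "1", "Statement": [{"Effect": "Allow", "Action": "oss:*", "Resource": "*"}]}'
)
SCOPED = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        # Assumed action set for reading inputs and writing results.
        "Action": ["oss:ListObjects", "oss:GetObject", "oss:PutObject"],
        "Resource": [f"acs:oss:*:*:{BUCKET}", f"acs:oss:*:*:{BUCKET}/*"],
    }],
}


def _as_list(value):
    # RAM policies allow a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _in_bucket(resource, bucket):
    # OSS resources look like acs:oss:<region>:<account>:<bucket>[/<object>].
    parts = resource.split(":", 4)
    if len(parts) != 5 or parts[:2] != ["acs", "oss"]:
        return False
    return parts[4] == bucket or parts[4].startswith(bucket + "/")


def overbroad_oss_grants(policy, bucket=BUCKET):
    """List Allow statements that reach OSS beyond the labeling bucket."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a for a in _as_list(stmt.get("Action", []))
                   if a == "*" or a.lower().startswith("oss:")]
        if not actions:
            continue  # statement does not touch OSS
        findings += [f"statement {idx}: wildcard action {a}" for a in actions if "*" in a]
        findings += [f"statement {idx}: resource {r} is outside bucket {bucket}"
                     for r in _as_list(stmt.get("Resource", [])) if not _in_bucket(r, bucket)]
    return findings


if __name__ == "__main__":
    for name, policy in (("full access", FULL_ACCESS), ("scoped", SCOPED)):
        print(name, overbroad_oss_grants(policy) or "ok")
```

The check reads only the Effect, Action, and Resource elements; a policy that relies on Condition blocks still needs manual review.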

iTAG personnel

Permissions

The following table describes the permissions of each role type.

Role

Description

Permission

Administrator

The person who requires labeling results and manages labeling jobs. An administrator creates datasets and labeling jobs, and distributes job packages to labeling team leaders or labeling workers. After the data in the job packages is labeled, the administrator reviews the labeling results and decides whether to accept or reject the job packages.

  • Access to the iTAG console as an administrator

  • Access to the iTAG console as a labeling worker

  • Management of labeling workforce

  • Participation in all phases of labeling jobs

Labeling team leader

The owner of labeling jobs and manager of labeling workers. A labeling team leader can manage the labeling workforce, and can also claim and review job packages.

  • No access to the iTAG console as an administrator

  • Access to the iTAG console as a labeling worker

  • Management of labeling workforce

  • Participation in all phases of labeling jobs

Labeling worker

The person who labels data in job packages. A labeling worker can claim and review job packages.

  • No access to the iTAG console as an administrator

  • Access to the iTAG console as a labeling worker

  • No permissions to manage labeling workforce

  • Participation in all phases of labeling jobs

Assign a role

Assign a role to a RAM user

  1. Log on to the PAI console.

  2. On the Workspace Details page of the workspace, add a RAM user as a member of the workspace. For more information, see Manage members of a workspace.

    When you add a RAM user as a workspace member, select a workspace role for the RAM user based on the iTAG role that you want to assign to the RAM user. The following table describes the mappings between the two types of roles.

    | iTAG role | Workspace role |
    | --- | --- |
    | Administrator, labeling team leader, or labeling worker | Administrator or labeling administrator |
    | Labeling team leader or labeling worker | Any role |

  3. In the left-side navigation pane, choose Data Preparation > iTAG. Click Users to go to the Personnel Management tab of the Tenant Configuration page.

  4. Choose Add Account > Add Workspace Account.

  5. In the Add Account dialog box, select the RAM user, set Role for the user, and then click OK.

Assign a role to another Alibaba Cloud account

Note

You can assign only the labeling team leader or labeling worker role to another Alibaba Cloud account.

  1. In the left-side navigation pane, choose Data Preparation > iTAG. Click Users to go to the Personnel Management tab of the Tenant Configuration page.

  2. Choose Add Account > Add Contractor Account.

  3. In the Add Contractor Account dialog box, specify Alias, UID, and Role and click OK.

    For more information about how to obtain the UID of an Alibaba Cloud account, see Endpoints.
