# pai-workspace_management

Part of **PAI**

# Platform for AI (PAI) Workspace & Identity Management Console Guide

## Operations Overview

| Operation | Console Entry | Prerequisites | Description |
|----------|---------------|---------------|-------------|
| Create Workspace | Console > PAI > Workspaces > Workspace List | Alibaba Cloud account (main account) or RAM user with AliyunPAIFullAccess permission | Create a new workspace to organize ML projects and associated resources |
| Configure Role Access Conditions | Console > PAI > Workspaces > RAM Policies | A workspace created in PAI, RAM role already created, basic understanding of RAM policies | Define fine-grained access control using RAM policies with condition keys |

## Step-by-Step Instructions

### Create Workspace

**Navigation**: Console > PAI > Workspaces > Workspace List

**Prerequisites**:
- Alibaba Cloud account (main account)
- RAM user with AliyunPAIFullAccess permission

1. Go to the workspace list page and click **Create Workspace**
   - Element: **Create Workspace** (button) — top-right corner
   - Notes: This opens the workspace creation wizard

2. Enter a unique name for the workspace
   - Element: **Workspace Name** (text_input) — main content area
   - Notes: The name must be unique across both PAI and DataWorks

3. Select compute resource types to associate with the workspace
   - Element: **Intelligent Computing Lingjun Resources** (checkbox) — main content area
   - Notes: Additional options include General Computing Resources, ACS compute resources, MaxCompute Resources, and Fully Managed Flink Resources

4. Navigate to the Members and Roles tab to assign users
   - Element: **Members and Roles** (tab) — left navigation panel
   - Notes: You can add members and assign predefined or custom roles

5. Configure default network settings
   - Element: **Default Network Config** (dropdown) — General Settings section
   - Notes: Includes selection of VPC and security group; ensure these are pre-created

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Workspace Name | text_input | Yes | — | Unique name for the workspace across PAI and DataWorks |
| Compute Resource Type | dropdown | No | Intelligent Computing Lingjun Resources, General Computing Resources, ACS compute resources, MaxCompute Resources, Fully Managed Flink Resources | Select the type of compute resource to associate with the workspace |
| Role Assignment | dropdown | Yes | Administrator, Algorithm Developer, Algorithm Operator, Label Manager, Visitor, Custom Role | Assign appropriate role to workspace members based on their responsibilities |
| Event Notification | checkbox | No | DLC jobs, Pipeline jobs, DSW instances, Model version changes | Enable notifications for specific events in the workspace |
| Storage Path | text_input | No | — | Set default storage path for temporary data and models (default: OSS path) |

### Configure Role Access Conditions

**Navigation**: Console > PAI > Workspaces > RAM Policies

**Prerequisites**:
- A workspace created in PAI
- RAM role already created
- Basic understanding of RAM policies and permissions

1. Navigate to the RAM Policies section
   - Element: **RAM Policies** (link) — left navigation panel
   - Notes: Ensure you are in the correct workspace context

2. Start creating a new policy
   - Element: **Create Policy** (button) — top-right corner
   - Notes: A new policy configuration page opens

3. Switch to the JSON editor tab
   - Element: **JSON** (tab) — main content area
   - Notes: Use provided examples as templates for Condition keys like `pai:Accessibility`, `pai:EntityAccessType`, or `acs:SourceIp`

4. Paste the complete RAM policy JSON into the editor
   - Element: **Policy Document Editor** (text_input) — main content area
   - Notes: Ensure the Resource field uses the correct format: `acs:paidsw:*:*:*`

5. Save the policy
   - Element: **Save** (button) — bottom of the page
   - Notes: After saving, the policy can be attached to RAM roles

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Policy Name | text_input | Yes | — | A unique name for the RAM policy being created |
| Description | text_input | No | — | Optional description to explain the purpose of the policy |
| Policy Document | text_input | Yes | — | The full JSON policy document including Version, Statement, Action, Resource, Effect, and Condition elements |

## FAQ

Q: Where do I find the option to create a new workspace?
A: Navigate to Console > PAI > Workspaces > Workspace List and click the **Create Workspace** button in the top-right corner.

Q: Can I change the workspace name after creation?
A: No, the workspace name cannot be modified after creation. Choose a unique and appropriate name during setup.

Q: What permissions are required to configure RAM policies for PAI workspaces?
A: You need to be a RAM user with sufficient permissions to manage RAM policies (e.g., `AliyunRAMFullAccess`) and have access to the target workspace.

Q: Are all compute resource types available in every region?
A: Availability depends on your region and account privileges. Some resource types like Intelligent Computing Lingjun Resources may require special enablement.

Q: Do I need to configure network settings during workspace creation?
A: Yes, you must select an existing VPC and security group under **Default Network Config**. These must be created in advance in the same region.

## Pricing & Billing

### Billing Model
Per instance hour (per_instance_hour)

### Price Reference
| Tier | Input Price | Output Price |
|------|-------------|--------------|
| Standard | 0.01 / | 0.01 / |

### Free Tier
 100 

### Billing Notes
- Billed based on actual usage time; no charge when not in use
- Resource groups begin billing immediately upon creation
- Conditional access via RAM policies is included at no extra charge with PAI workspaces
- No additional cost for using RAM policies or conditional access controls in PAI