Configuring Sub-accounts and Permissions
Last updated: 2026-03-13 10:54:34

Overview

TI-ONE implements permission management capabilities based on Tencent Cloud's CAM (Cloud Access Management). After a Tencent Cloud account is registered, the system creates a root account for you by default, which holds the highest privileges on the platform. The root account (or a sub-account granted CAM permissions) can create sub-accounts for team members and grant them TI-ONE operation permissions matching their roles through TI-ONE's preset policies or custom policies.
This document describes how to create users and assign permissions from two aspects: creating a sub-account and authorizing a sub-account. If sub-account resource isolation is needed, see Implementing Resource Isolation Between Sub-users Based on Tags.

Prerequisites

Note:
Grant permissions to TI-ONE for other cloud products: In certain training and inference scenarios, the TI-ONE platform depends on the APIs of other Tencent Cloud products. To ensure that the related features work, grant TI-ONE the minimum required permissions for those cloud products in advance.
1. Register a Tencent Cloud account. For details, see Signing Up for a Tencent Cloud Account. After registration, the system creates a root account for you by default.
2. Use the root account to log in to the TI-ONE console; the system will prompt you to create a service role and authorize TI-ONE.
3. Click Go to Authorization to open the CAM console, then click Agree to Authorization to complete the authorization. After that, TI-ONE can access the resources of the other Tencent Cloud products it depends on.



Creating a Sub-account

This document only describes the quick creation process for sub-accounts. For more operations, see Creating a Sub-account.
1. Use the root account or an account with CAM permissions to log in to the Access Management (CAM) console.
2. Go to the User List and click Create User to open the Create User page. Select Quick Creation, fill in the username in the "Set User Information" section, and configure the other options as needed.
3. Click Create User. After the user is created, the sub-account information is shown in the pop-up window.



Authorizing a Sub-account

After a sub-account is created, you can use preset policies or custom policies to grant corresponding permission policies to the sub-account. For specific operations, see Authorization Management.
Note:
Preset policies: a set of frequently used permissions created and managed by TI-ONE, such as full read/write permissions for resources. Preset policies cover a broad set of operation objects at coarse granularity. They are system-defined and cannot be customized or edited.
Custom policies: policies created by users that allow fine-grained division of permissions. For example, a policy attached to an algorithm engineer can grant access to training tasks but not to inference services.
To learn how to choose between preset policies and custom policies, see Preset Policies and Custom Policies.

Preset Policy

The following are preset policies for sub-account authorization. They can be assigned as needed when you grant TI-ONE permissions to sub-accounts.
Preset Policy Name | Description
QcloudTIONEFullAccessContainMultiservice | Full read/write permissions for TI-ONE. Full read/write permissions for all features of TI-ONE, as well as permissions for CAM, VPC, CLS, TCR, TCOP, COS, tags, Finance, CFS, EMR, CVM, GooseFS, and CLB. This policy provides the highest platform permissions and is recommended for platform administrators.
QcloudTIONEResouceGroupFullAccessContainMultiservice | Full read permissions for TI-ONE and full read/write permissions for the Platform Management module. Full read/write permissions for the Platform Management module and permissions for dependent APIs, including read permissions for CAM, VPC, CLS, TCR, TCOP, COS, tags, Finance, CFS, Elastic MapReduce, CVM, GooseFS, and permissions for placing orders. This policy provides read-only permissions for platform resource management and other modules, and is recommended for resource managers.
QcloudTIONEReadOnlyAccessContainMultiservice | Full read permissions for TI-ONE. Read-only permissions for associated cloud products including CAM, VPC, CLS, TCR, TCOP, COS, tags, CFS, EMR, CVM, and GooseFS. This policy is recommended for users who only need to view content on TI-ONE.
QcloudTIONEDeveloperContainMultiservice | Read/write permissions required for TI-ONE training and inference, as well as read permissions for platform management. Includes read/write permissions for modules such as Model Hub, Data Center, Training Workshop, Model Management, and Model Services; read permissions for Platform Management; and basic permissions for the other cloud products that the platform depends on. This policy is suitable for regular developers who are not platform administrators.
QcloudTIONEOperationalPrecondition | Full permissions to all operational-level APIs of TI-ONE. This policy is suitable when you need to grant fine-grained read/write permissions to sub-users based on tags.
The following is the preset policy for the TI-ONE service role (TIONE_QcsRole), used to authorize TI-ONE to access the user's other cloud products, such as COS and VPC.
Preset Policy Name | Description
QcloudAccessForTIONERoleInTakeOver | Authorizes the TI-ONE service role to access other associated cloud service resources when maintaining resource group nodes. Includes operation permissions related to CVM, VPC, Private DNS, and TCR. This policy requires authorization when users add nodes to a resource group for the first time.
QcloudAccessForTIONERoleInCodeRepository | Authorizes the TI-ONE service role with permissions for Key Management Service (KMS). Includes permissions for creating keys, encryption, decryption, generating data keys, and querying key lists in KMS. This policy requires authorization in scenarios that need encryption, such as using custom image keys; starting a dev machine or logging in to a container for Task-based Modeling/Online Services; and using code repository keys.
QcloudAccessForTIONERole | Authorizes the TI-ONE service role with the basic operational permissions required for running. Includes listing COS files and performing create, read, update, and delete (CRUD) operations on file content; querying VPC networks and subnets; creating, querying, searching, and downloading CLS; querying Cloud Monitor; and pulling from TCR. This policy requires authorization for background services when users use TI-ONE.
QcloudAccessForTIONERoleInGoosefs | Authorizes the TI-ONE service role to perform GooseFS storage operations. Includes querying GooseFS clusters; creating and viewing Client nodes; creating, querying, and deleting FUSE clients; and querying namespaces. This policy requires authorization when users additionally use the GooseFS service in managed clusters.
QcloudTIONESanityCheck | Authorizes TI-ONE service roles to start health check tasks. This policy is associated with TI-ONE service roles and authorizes the TI-ONE Ops team to start health check tasks. This policy requires authorization when the TI-ONE Ops team assists in troubleshooting node failures.
QcloudAccessForTIONERoleInNetwork | Authorizes the TI-ONE service role to configure networks. This policy is associated with TI-ONE service roles to map task services started in TI-ONE products to the user's network configuration. This policy requires authorization when users configure custom network parameters.

Custom Policies

When the preset policies of TI-ONE cannot meet the permission management needs for sub-accounts, you can create custom policies to authorize sub-accounts. For the relevant operation guide, see Creating Custom Policies by Policy Generators or Creating Custom Policies by Policy Syntax. For detailed API descriptions, see CAM Business API Description.
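As an added illustration (not TI-ONE's or CAM's own code), the following builds the kind of custom policy described above, allowing an engineer to work with training tasks while explicitly denying inference (model service) operations, and evaluates it with a simplified model of CAM's decision rule (an explicit deny overrides any allow; anything not allowed is denied). The tione:* action patterns and the resource matching are assumptions for the example, not verified API names.

```python
import fnmatch
import json

# Constructed custom policy in CAM policy syntax (assumed action patterns,
# not verified TI-ONE API names): allow training-task actions, deny
# model-service (inference) actions.
CUSTOM_POLICY = json.loads("""
{
  "version": "2.0",
  "statement": [
    {"effect": "allow", "action": ["tione:*TrainingTask*"], "resource": "*"},
    {"effect": "deny",  "action": ["tione:*ModelService*"], "resource": "*"}
  ]
}
""")


def _as_list(value):
    # CAM accepts a single string or a list for action/resource.
    return [value] if isinstance(value, str) else list(value)


def is_allowed(policy, action, resource="*"):
    """Simplified CAM evaluation: an explicit deny is final, an allow
    grants access, and an action no statement matches is denied."""
    decision = "deny"
    for stmt in policy["statement"]:
        action_hit = any(fnmatch.fnmatchcase(action, p)
                         for p in _as_list(stmt["action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, r)
                           for r in _as_list(stmt["resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["effect"] == "deny":
            return False  # deny overrides every allow
        decision = "allow"
    return decision == "allow"


def audit(policy, actions):
    """Decision per action, for reviewing a policy before attaching it
    to a sub-account."""
    return {a: is_allowed(policy, a) for a in actions}


if __name__ == "__main__":
    for name, ok in audit(CUSTOM_POLICY, ["tione:CreateTrainingTask",
                                          "tione:CreateModelService",
                                          "cos:GetObject"]).items():
        print(f"{name}: {'allow' if ok else 'deny'}")
```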

Configuring Resource Isolation

Resource isolation enables collaborative management among multiple teams within an enterprise by granting differentiated access permissions to resources (such as resource groups and services) for sub-users of different teams.
If you do not need to implement resource isolation, you can access the TI-ONE platform after completing the sub-account authorization configuration described above.
If you need to implement resource isolation, see Implementing Resource Isolation Between Sub-users Based on Tags.
