Permissions for Managing Models
This topic describes the IAM permissions required to use and manage offered models in OCI Generative AI. It includes resources such as dedicated AI clusters, models, imported models and using chat, embedding, and rerank features in the service.
The level of access is cumulative as you go from inspect to read to use to manage.
For example, if you have the manage permission for the generative-ai-endpoint resource type, you can list, get details, create, and delete endpoints. You don't require another permission to inspect the endpoints.
generative-ai-chat
| Permission | API Operation | Operation Type | Verb |
|---|---|---|---|
GENERATIVE_AI_CHAT
|
Chat
|
POST
|
use
|
Example:
allow group GenAIusers to use
generative-ai-chat in compartment AI-Models-Compartment
generative-ai-text-generation
| Permission | API Operation | Operation Type | Verb |
|---|---|---|---|
GENERATIVE_AI_TEXT_GENERATE
|
GenerateText
|
POST
|
use
|
Example:
allow group GenAIusers to use
generative-ai-text-generation in compartment AI-Models-Compartment
generative-ai-text-summarization
| Permission | API Operation | Operation Type | Verb |
|---|---|---|---|
GENERATIVE_AI_TEXT_SUMMARIZE
|
SummarizeText
|
POST
|
use
|
Example:
allow group GenAIusers to use
generative-ai-text-summarization in compartment AI-Models-Compartment
generative-ai-text-embedding
| Permission | API Operation | Operation Type | Verb |
|---|---|---|---|
GENERATIVE_AI_TEXT_EMBED
|
EmbedText
|
POST
|
use
|
Example:
allow group GenAIusers to use
generative-ai-text-embedding in compartment AI-Models-Compartment
generative-ai-model
| Permission | API Operation | Operation Type | Verb |
|---|---|---|---|
GENERATIVE_AI_MODEL_INSPECT
|
ListModels
|
GET
|
inspect
|
GENERATIVE_AI_MODEL_READ
|
GetModel
|
GET
|
read
|
GENERATIVE_AI_MODEL_UPDATE
|
UpdateModel
|
PUT
|
use
|
GENERATIVE_AI_MODEL_MOVE
|
ChangeModelCompartment
|
POST
|
manage
|
GENERATIVE_AI_MODEL_CREATE
|
CreateModel
|
POST
|
manage
|
GENERATIVE_AI_MODEL_DELETE
|
DeleteModel
|
DELETE
|
manage
|
Example:
allow group GenAIusers to manage
generative-ai-model in compartment AI-Models-Compartment
generative-ai-imported-model
| Permission | API Operation | Operation Type | Verb |
|---|---|---|---|
GENERATIVE_AI_IMPORTED_MODEL_INSPECT
|
ListImportedModels
|
GET
|
inspect
|
GENERATIVE_AI_IMPORTED_MODEL_READ
|
GetImportedModel
|
GET
|
read
|
GENERATIVE_AI_IMPORTED_MODEL_UPDATE
|
UpdateImportedModel
|
PUT
|
use
|
GENERATIVE_AI_IMPORTED_MODEL_MOVE
|
ChangeImportedModelCompartment
|
POST
|
manage
|
GENERATIVE_AI_IMPORTED_MODEL_CREATE
|
CreateImportedModel
|
POST
|
manage
|
GENERATIVE_AI_IMPORTED_MODEL_DELETE
|
DeleteImportedModel
|
DELETE
|
manage
|
Example:
allow group GenAIusers to manage
generative-ai-imported-model in compartment AI-Imported-Models-Compartment
generative-ai-dedicated-ai-cluster
| Permission | API Operation | Operation Type | Verb |
|---|---|---|---|
GENERATIVE_AI_DEDICATED_AI_CLUSTER_INSPECT
|
ListDedicatedAiClusters
|
GET
|
inspect
|
GENERATIVE_AI_DEDICATED_AI_CLUSTER_READ
|
GetDedicatedAiCluster
|
GET
|
read
|
GENERATIVE_AI_DEDICATED_AI_CLUSTER_UPDATE
|
UpdateDedicatedAiCluster
|
PUT
|
use
|
GENERATIVE_AI_DEDICATED_AI_CLUSTER_MOVE
|
ChangeDedicatedAiClusterCompartment
|
POST
|
manage
|
GENERATIVE_AI_DEDICATED_AI_CLUSTER_CREATE
|
CreateDedicatedAiCluster
|
POST
|
manage
|
GENERATIVE_AI_DEDICATED_AI_CLUSTER_DELETE
|
DeleteDedicatedAiCluster
|
DELETE
|
manage
|
Example:
allow group GenAIusers to manage
generative-ai-dedicated-ai-cluster in compartment AI-Models-Compartment
generative-ai-endpoint
| Permission | API Operation | Operation Type | Verb |
|---|---|---|---|
GENERATIVE_AI_ENDPOINT_INSPECT
|
ListEndpoints
|
GET
|
inspect
|
GENERATIVE_AI_ENDPOINT_READ
|
GetEndpoint
|
GET
|
read
|
GENERATIVE_AI_ENDPOINT_UPDATE
|
UpdateEndpoint
|
PUT
|
use
|
GENERATIVE_AI_ENDPOINT_MOVE
|
ChangeEndpointCompartment
|
POST
|
manage
|
GENERATIVE_AI_ENDPOINT_CREATE
|
CreateEndpoint
|
POST
|
manage
|
GENERATIVE_AI_ENDPOINT_DELETE
|
DeleteEndpoint
|
DELETE
|
manage
|
Example:
allow group GenAIusers to manage
generative-ai-endpoint in compartment AI-Models-Compartment
generative-ai-private-endpoint
| Permission | API Operation | Operation Type | Verb |
|---|---|---|---|
GENERATIVE_AI_PRIVATE_ENDPOINT_INSPECT
|
ListGenerativeAiPrivateEndpoints
|
GET
|
inspect
|
GENERATIVE_AI_PRIVATE_ENDPOINT_READ
|
GetGenerativeAiPrivateEndpoint
|
GET
|
read
|
GENERATIVE_AI_PRIVATE_ENDPOINT_UPDATE
|
UpdateGenerativeAiPrivateEndpoint
|
PUT
|
use
|
GENERATIVE_AI_PRIVATE_ENDPOINT_MOVE
|
ChangeGenerativeAiPrivateEndpointCompartment
|
POST
|
manage
|
GENERATIVE_AI_PRIVATE_ENDPOINT_CREATE
|
CreateGenerativeAiPrivateEndpoint
|
POST
|
manage
|
GENERATIVE_AI_PRIVATE_ENDPOINT_DELETE
|
DeleteGenerativeAiPrivateEndpoint
|
DELETE
|
manage
|
Example:
allow group GenAIusers to manage
generative-ai-private-endpoint in compartment AI-Models-Compartment
generative-ai-apikey
| Permission | API Operation | Operation Type | Verb |
|---|---|---|---|
GENERATIVE_AI_APIKEY_INSPECT
|
ListApiKeys
|
GET
|
inspect
|
GENERATIVE_AI_APIKEY_READ
|
GetApiKey
|
GET
|
read
|
GENERATIVE_AI_APIKEY_UPDATE
|
UpdateApiKey
|
PUT
|
use
|
GENERATIVE_AI_APIKEY_MOVE
|
ChangeApiKeyCompartment
|
POST
|
manage
|
GENERATIVE_AI_APIKEY_CREATE
|
CreateApiKey
|
POST
|
manage
|
GENERATIVE_AI_APIKEY_DELETE
|
DeleteApiKey
|
DELETE
|
manage
|
Example:
allow group GenAIusers to manage
generative-ai-dedicated-ai-cluster in compartment AI-Models-Compartment
generative-ai-work-request
| Permission | API Operation | Operation Type | Verb |
|---|---|---|---|
GENERATIVE_AI_WORK_REQUEST_INSPECT
|
ListWorkRequests
|
GET
|
inspect
|
GENERATIVE_AI_WORK_REQUEST_READ
|
GetWorkRequest
|
GET
|
read
|
GENERATIVE_AI_WORK_REQUEST_ERRORS
|
ListWorkRequestErrors
|
GET
|
read
|
GENERATIVE_AI_WORK_REQUEST_LOGS_READ
|
ListWorkRequestLogs
|
GET
|
read
|
Example:
allow group GenAIusers to read
generative-ai-work-request in compartment AI-Models-CompartmentFine-tuning Permissions to Object Storage
By default, only users in the Administrators group have access to all OCI resources including Generative AI resources. If you're a member of another group, ask your administrator to assign you the least privileges that are required to perform your responsibilities by reviewing the following sections.
- Access to Generative AI Training Datasets for Fine-tuning Custom Models
-
Training datasets for fine-tuning custom models must be stored in Object Storage buckets. When creating a custom model, you need permission to list and select those training datasets in the Create model workflow.
- To allow users to add fine-tuning training datasets to Object Storage buckets:
allow group <your-group-name> to manage object-family in compartment <compartment-with-bucket> - To allow users to list and select the fine-tuning training data when creating a custom model in your compartment:
allow group <your-group-name> to use object-family in compartment <compartment-with-bucket>
Note
If the training data and the custom models are in different compartments, ensure that users creating custom models have permission touse object-familyin the compartment with the bucket. - To allow users to add fine-tuning training datasets to Object Storage buckets:
Ask your administrator to review the examples in Securing Object Storage and add policies that apply to you such as policies to avoid accidental deleting of buckets that contain training data.
The following sections list the permissions required for each operation in Generative AI.