You can get access to OCI Generative AI resources with OCI Identity and Access Management (IAM) policies.
By default, only users in the Administrators group have access to all OCI resources including Generative AI resources. If you're a member of another group, ask your administrator to assign you the least privileges that are required to perform your responsibilities by reviewing the following sections.
Access to Generative AI Playground, Custom Models, Dedicated AI Clusters, and Endpoints
To get access to all Generative AI resources in the entire tenancy, use the following policy:
allow group <your-group-name> to manage generative-ai-family in tenancy
To get access to all Generative AI resources in your compartment, use the following policy:
allow group <your-group-name> to manage generative-ai-family in compartment <your-compartment-name>
Access to Generative AI Training Datasets for Fine-tuning Custom Models
Training datasets for fine-tuning custom models must be stored in Object Storage buckets. When creating a custom model, you need permission to list and choose those training datasets in the Create model workflow.
To allow users to add fine-tuning training datasets to Object Storage buckets:
allow group <your-group-name> to manage object-family in compartment <compartment-with-bucket>
To allow users to list and choose the fine-tuning training data when creating a custom model in your compartment:
allow group <your-group-name> to use object-family in compartment <compartment-with-bucket>
Note
If the training data and the custom models are in different compartments, ensure that users creating custom models have permission to use object-family in the compartment with the bucket.
Ask your administrator to review the examples in Securing Object Storage and add policies that apply to you, such as policies that prevent accidental deletion of buckets that contain training data.
The following sections list the permissions required for each operation in Generative AI.
Resource-Types
Generative AI has the following individual resource-types, and you can assign different permissions to different user groups on how they can use these resources.
generative-ai-chat: The base pretrained conversational chat models
generative-ai-text-generation: The base pretrained text generation models
generative-ai-text-summarization: The base pretrained text summarization model
generative-ai-text-embedding: The base pretrained text embedding model
generative-ai-model: Custom models
generative-ai-dedicated-ai-cluster: Dedicated AI clusters
generative-ai-endpoint: Endpoints for custom models
generative-ai-work-request: Work requests for Generative AI actions
Instead of giving permission to individual Generative AI resource types, you can use the aggregate resource type, generative-ai-family, to include all eight Generative AI resource types, for example:
allow group <generative-ai-administrators> to manage generative-ai-family in tenancy
| Aggregate Resource-Type | Included Individual Resource-Types |
| --- | --- |
| generative-ai-family | generative-ai-chat, generative-ai-text-generation, generative-ai-text-summarization, generative-ai-text-embedding, generative-ai-model, generative-ai-dedicated-ai-cluster, generative-ai-endpoint, generative-ai-work-request |
Details for Verb + Resource-Type Combinations
This section lists the permissions for Generative AI operations.
The level of access is cumulative as you go from inspect to read to use to manage.
For example, if you have the manage permission for the generative-ai-endpoint resource type, you can list, get details, create, and delete endpoints. You don't require another permission to inspect the endpoints.
generative-ai-chat
| Permission | API Operation | Operation Type | Verb |
| --- | --- | --- | --- |
| GENERATIVE_AI_CHAT | Chat | POST | use |

Example:
allow group GenAIusers to use generative-ai-chat in compartment AI-Models-Compartment
generative-ai-text-generation
| Permission | API Operation | Operation Type | Verb |
| --- | --- | --- | --- |
| GENERATIVE_AI_TEXT_GENERATE | GenerateText | POST | use |

Example:
allow group GenAIusers to use generative-ai-text-generation in compartment AI-Models-Compartment
generative-ai-text-summarization
| Permission | API Operation | Operation Type | Verb |
| --- | --- | --- | --- |
| GENERATIVE_AI_TEXT_SUMMARIZE | SummarizeText | POST | use |

Example:
allow group GenAIusers to use generative-ai-text-summarization in compartment AI-Models-Compartment
generative-ai-text-embedding
| Permission | API Operation | Operation Type | Verb |
| --- | --- | --- | --- |
| GENERATIVE_AI_TEXT_EMBED | EmbedText | POST | use |

Example:
allow group GenAIusers to use generative-ai-text-embedding in compartment AI-Models-Compartment
generative-ai-model
| Permission | API Operation | Operation Type | Verb |
| --- | --- | --- | --- |
| GENERATIVE_AI_MODEL_INSPECT | ListModels | GET | inspect |
| GENERATIVE_AI_MODEL_READ | GetModel | GET | read |
| GENERATIVE_AI_MODEL_UPDATE | UpdateModel | PUT | use |
| GENERATIVE_AI_MODEL_MOVE | ChangeModelCompartment | POST | manage |
| GENERATIVE_AI_MODEL_CREATE | CreateModel | POST | manage |
| GENERATIVE_AI_MODEL_DELETE | DeleteModel | DELETE | manage |

Example:
allow group GenAIusers to manage generative-ai-model in compartment AI-Models-Compartment
generative-ai-dedicated-ai-cluster
| Permission | API Operation | Operation Type | Verb |
| --- | --- | --- | --- |
| GENERATIVE_AI_DEDICATED_AI_CLUSTER_INSPECT | ListDedicatedAiClusters | GET | inspect |
| GENERATIVE_AI_DEDICATED_AI_CLUSTER_READ | GetDedicatedAiCluster | GET | read |
| GENERATIVE_AI_DEDICATED_AI_CLUSTER_UPDATE | UpdateDedicatedAiCluster | PUT | use |
| GENERATIVE_AI_DEDICATED_AI_CLUSTER_MOVE | ChangeDedicatedAiClusterCompartment | POST | manage |
| GENERATIVE_AI_DEDICATED_AI_CLUSTER_CREATE | CreateDedicatedAiCluster | POST | manage |
| GENERATIVE_AI_DEDICATED_AI_CLUSTER_DELETE | DeleteDedicatedAiCluster | DELETE | manage |

Example:
allow group GenAIusers to manage generative-ai-dedicated-ai-cluster in compartment AI-Models-Compartment
generative-ai-endpoint
| Permission | API Operation | Operation Type | Verb |
| --- | --- | --- | --- |
| GENERATIVE_AI_ENDPOINT_INSPECT | ListEndpoints | GET | inspect |
| GENERATIVE_AI_ENDPOINT_READ | GetEndpoint | GET | read |
| GENERATIVE_AI_ENDPOINT_UPDATE | UpdateEndpoint | PUT | use |
| GENERATIVE_AI_ENDPOINT_MOVE | ChangeEndpointCompartment | POST | manage |
| GENERATIVE_AI_ENDPOINT_CREATE | CreateEndpoint | POST | manage |
| GENERATIVE_AI_ENDPOINT_DELETE | DeleteEndpoint | DELETE | manage |

Example:
allow group GenAIusers to manage generative-ai-endpoint in compartment AI-Models-Compartment
generative-ai-work-request
| Permission | API Operation | Operation Type | Verb |
| --- | --- | --- | --- |
| GENERATIVE_AI_WORK_REQUEST_INSPECT | ListWorkRequests | GET | inspect |
| GENERATIVE_AI_WORK_REQUEST_READ | GetWorkRequest | GET | read |
| GENERATIVE_AI_WORK_REQUEST_ERRORS | ListWorkRequestErrors | GET | read |
| GENERATIVE_AI_WORK_REQUEST_LOGS_READ | ListWorkRequestLogs | GET | read |

Example:
allow group GenAIusers to read generative-ai-work-request in compartment AI-Models-Compartment
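The cumulative verb rule and the per-resource tables above can be checked mechanically when reviewing a policy for least privilege. The following Python sketch is an added example, not Oracle's code: it expands a policy statement of the shape used on this page into the permissions it grants. The function names and the regular expression are assumptions of this example, and policy conditions are not parsed.

```python
import re

VERBS = ["inspect", "read", "use", "manage"]  # cumulative, weakest first

# Permission -> lowest verb that grants it, copied from the tables on this page.
TABLE = {
    "generative-ai-chat": {"GENERATIVE_AI_CHAT": "use"},
    "generative-ai-text-generation": {"GENERATIVE_AI_TEXT_GENERATE": "use"},
    "generative-ai-text-summarization": {"GENERATIVE_AI_TEXT_SUMMARIZE": "use"},
    "generative-ai-text-embedding": {"GENERATIVE_AI_TEXT_EMBED": "use"},
    "generative-ai-work-request": {
        "GENERATIVE_AI_WORK_REQUEST_INSPECT": "inspect",
        "GENERATIVE_AI_WORK_REQUEST_READ": "read",
        "GENERATIVE_AI_WORK_REQUEST_ERRORS": "read",
        "GENERATIVE_AI_WORK_REQUEST_LOGS_READ": "read",
    },
}
# Models, dedicated AI clusters and endpoints share the same six-row pattern.
CRUD = [("INSPECT", "inspect"), ("READ", "read"), ("UPDATE", "use"),
        ("MOVE", "manage"), ("CREATE", "manage"), ("DELETE", "manage")]
for rtype, stem in [("generative-ai-model", "MODEL"),
                    ("generative-ai-dedicated-ai-cluster", "DEDICATED_AI_CLUSTER"),
                    ("generative-ai-endpoint", "ENDPOINT")]:
    TABLE[rtype] = {f"GENERATIVE_AI_{stem}_{op}": verb for op, verb in CRUD}

# Only the statement shape used on this page; conditions are not parsed.
STATEMENT = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>\w+)\s+(?P<rtype>[\w-]+)"
    r"\s+in\s+(?P<scope>tenancy|compartment\s+\S+)$", re.IGNORECASE)

def expand(statement):
    """Return (group, scope, sorted permissions) granted by one policy statement."""
    m = STATEMENT.match(statement.strip())
    if not m:
        raise ValueError(f"unrecognized policy statement: {statement!r}")
    verb, rtype = m["verb"].lower(), m["rtype"].lower()
    types = list(TABLE) if rtype == "generative-ai-family" else [rtype]
    if verb not in VERBS or any(t not in TABLE for t in types):
        raise ValueError(f"unknown verb or resource type: {verb} {rtype}")
    level = VERBS.index(verb)
    perms = sorted(p for t in types for p, need in TABLE[t].items()
                   if VERBS.index(need) <= level)
    return m["group"], m["scope"], perms

def is_tenancy_wide_manage(statement):
    """True for the broadest grant on this page: manage the family in tenancy."""
    group, scope, perms = expand(statement)
    return scope.lower() == "tenancy" and len(perms) == sum(map(len, TABLE.values()))
```

Running expand over every statement in a policy shows which groups hold MOVE, CREATE, or DELETE permissions when the use verb would cover their work.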
Permissions Required for Each API Operation
The following table lists the permissions required for OCI Generative AI API operations.