本文属于机器翻译版本。若本译文内容与英语原文存在差异，则一律以英文原文为准。

# 让用户访问空间
<a name="studio-updated-jl-admin-guide-permissions"></a>

要让用户访问专用空间或共享空间，您必须为其 IAM 角色附加权限策略。您还可以使用权限策略将专用空间及其相关应用程序限制为特定用户配置文件。

以下权限策略允许访问专用空间和共享空间。这样，用户就可以创建自己的空间，并列出其域内的其他空间。使用此策略的用户不能访问其他用户的专用空间。有关 Studio 空间的信息，请参阅 [亚马逊 SageMaker Studio 空间](studio-updated-spaces.md)。

该策略为用户提供以下权限：
+ 专用空间或共享空间。
+ 用于访问这些空间的用户配置文件。

要提供权限，您可以缩小以下策略的权限范围，并将其添加到用户的 IAM 角色中。您还可以使用此策略将您的空间及其相关应用程序限制为特定用户配置文件。

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {

      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateApp",
        "sagemaker:DeleteApp"
      ],
      "Resource": "arn:aws:sagemaker:us-east-2:111122223333:app/*",
      "Condition": {
        "Null": {
          "sagemaker:OwnerUserProfileArn": "true"
        }
      }
    },
    {
      "Sid": "SMStudioCreatePresignedDomainUrlForUserProfile",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreatePresignedDomainUrl"
      ],
      "Resource": "arn:aws:sagemaker:us-east-2:111122223333:user-profile/sagemaker:DomainId/sagemaker:UserProfileName"
    },
    {
      "Sid": "SMStudioAppPermissionsListAndDescribe",
      "Effect": "Allow",
      "Action": [
        "sagemaker:ListApps",
        "sagemaker:ListDomains",
        "sagemaker:ListUserProfiles",
        "sagemaker:ListSpaces",
        "sagemaker:DescribeApp",
        "sagemaker:DescribeDomain",
        "sagemaker:DescribeUserProfile",
        "sagemaker:DescribeSpace"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SMStudioAppPermissionsTagOnCreate",
      "Effect": "Allow",
      "Action": [
        "sagemaker:AddTags"
      ],
      "Resource": "arn:aws:sagemaker:us-east-2:111122223333:*/*",
      "Condition": {
        "Null": {
          "sagemaker:TaggingAction": "false"
        }
      }
    },
    {
      "Sid": "SMStudioRestrictSharedSpacesWithoutOwners",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateSpace",
        "sagemaker:UpdateSpace",
        "sagemaker:DeleteSpace"
      ],
      "Resource": "arn:aws:sagemaker:us-east-2:111122223333:space/sagemaker:DomainId/*",
      "Condition": {
        "Null": {
          "sagemaker:OwnerUserProfileArn": "true"
        }
      }
    },
    {
      "Sid": "SMStudioRestrictSpacesToOwnerUserProfile",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateSpace",
        "sagemaker:UpdateSpace",
        "sagemaker:DeleteSpace"
      ],
      "Resource": "arn:aws:sagemaker:us-east-2:111122223333:space/sagemaker:DomainId/*",
      "Condition": {
        "ArnLike": {
        "sagemaker:OwnerUserProfileArn": "arn:aws:sagemaker:us-east-2:111122223333:user-profile/sagemaker:DomainId/sagemaker:UserProfileName"
        },
        "StringEquals": {
          "sagemaker:SpaceSharingType": [
            "Private",
            "Shared"
          ]
        }
      }
    },
    {
      "Sid": "SMStudioRestrictCreatePrivateSpaceAppsToOwnerUserProfile",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateApp",
        "sagemaker:DeleteApp"
      ],
      "Resource": "arn:aws:sagemaker:us-east-2:111122223333:app/sagemaker:DomainId/*",
      "Condition": {
        "ArnLike": {
          "sagemaker:OwnerUserProfileArn": "arn:aws:sagemaker:us-east-2:111122223333:user-profile/sagemaker:DomainId/sagemaker:UserProfileName"
        },
        "StringEquals": {
          "sagemaker:SpaceSharingType": [
            "Private"
          ]
        }
      }
    }
  ]
}
```

------