warghs

Reputation: 39

Are Custom Extraction Projects, Models tied to the Azure Resource or tied to user account (or something else?)

I'm trying to understand the access and security models of the Projects and Custom Extraction Models. Are they tied to the resource's access/roles control?

Consider this scenario:

  1. I create 2 different Document Intelligence resources. Let's call them DI-A, DI-B
  2. I create Project 1 and connect with DI-A as the service resource.
  3. I launch Document Studio and using the gear icon in the top right, select the DI-A resource
  4. Document Studio home screen shows Project 1. This is expected.
  5. Gear icon -> select DI-B resource
  6. Document Studio home screen still shows Project 1. I would not expect to see the project because I'm connected to DI-B resource, not DI-A

Why is this happening? If I wanted to create two different DI resource groups to have different projects, users, and access controls, how can I do this?

And a related question: If I train custom models from these projects, are they tied to the resources and their IAM access policies? Or are they open for anyone within my organization (?)

Upvotes: 0

Views: 175

Answers (1)

Suresh Chikkam

Reputation: 3413

> Document Studio home screen still shows Project 1. I would not expect to see the project because I'm connected to DI-B resource, not DI-A

  • Document Studio displays a global view of all projects associated with the same subscription, not strictly tied to the currently selected DI resource. This would explain why Project 1 remains visible when switching between DI-A and DI-B.

But here you can see all the remaining DIs created with different resource groups, because they are all under the same subscription ID.

> If I train custom models from these projects, are they tied to the resources and their IAM access policies? Or are they open for anyone within my organization (?)

If you want to restrict or allow access across different DI resources, you will need to configure IAM policies accordingly.

  • By default, users with access to one DI resource do not automatically gain access to another unless explicitly granted.

To grant access to a DI in another resource group, go to IAM policies > Add > Add role assignment > Cognitive Services User role > Members > your-another_RG_ID.

After adding the role, you can go to the first created DI, click on the gear symbol, and follow as below.

Configured with another DI and saved it. Now I am able to access with a different DI's settings.

NOTE: We can change the DI but can't change the storage settings, because it is a default setting in the portal.

Upvotes: 0
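
An added example, not part of the answer above: a check of which principals can reach DI-A, DI-B, or both, given role assignments in the shape of `az role assignment list --all -o json`. The subscription ID, resource groups and principal names are constructed placeholders, and the check covers assignment scope only (not what each role permits, and not management-group scopes).

```python
import json

# Constructed sample; all IDs and names below are placeholders, not from the thread.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
DI_A = SUB + "/resourceGroups/rg-a/providers/Microsoft.CognitiveServices/accounts/DI-A"
DI_B = SUB + "/resourceGroups/rg-b/providers/Microsoft.CognitiveServices/accounts/DI-B"
SAMPLE = json.dumps([
    {"principalName": "alice@example.com", "roleDefinitionName": "Cognitive Services User", "scope": DI_A},
    {"principalName": "bob@example.com", "roleDefinitionName": "Cognitive Services User", "scope": DI_B},
    {"principalName": "carol@example.com", "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-a"},
    {"principalName": "dave@example.com", "roleDefinitionName": "Cognitive Services User", "scope": SUB},
])
ROWS = json.loads(SAMPLE)

def applies_to(scope, resource_id):
    """Azure RBAC is inherited downward: an assignment covers a resource when
    its scope is the resource itself or a parent (resource group, subscription)."""
    scope, resource_id = scope.rstrip("/").lower(), resource_id.lower()
    # Compare on a path boundary so that ".../rg" does not match ".../rg-a".
    return resource_id == scope or resource_id.startswith(scope + "/")

def effective_access(assignments, resource_id):
    """Return {principal: [(role, 'direct' | 'inherited'), ...]} for one resource."""
    result = {}
    for a in assignments:
        if applies_to(a["scope"], resource_id):
            direct = a["scope"].rstrip("/").lower() == resource_id.lower()
            result.setdefault(a["principalName"], []).append(
                (a["roleDefinitionName"], "direct" if direct else "inherited"))
    return result

def shared_principals(assignments, res_a, res_b):
    """Principals with an assignment reaching both resources (isolation gaps)."""
    reach_a = set(effective_access(assignments, res_a))
    reach_b = set(effective_access(assignments, res_b))
    return sorted(reach_a & reach_b)

if __name__ == "__main__":
    for name, rid in (("DI-A", DI_A), ("DI-B", DI_B)):
        print(name, effective_access(ROWS, rid))
    print("reach both:", shared_principals(ROWS, DI_A, DI_B))
```

In this sample only the subscription-scoped assignment reaches both resources; assignments made on the DI resource itself stay confined to it.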