Assign capabilities
To control access to data and features in Cognite Data Fusion (CDF), you define what capabilities users or applications have to work with different resource types in CDF, for example, whether they can read a time series (`timeseries:read`) or create a 3D model (`3d:create`).
Capabilities also decide which features you have access to. For example, you need the `3d:create` capability to upload 3D models to CDF.
A capability is defined by a resource type, a scope, and actions. The resource type and scope define the data the capability applies to, while the action defines the operations you are allowed to perform.
Instead of assigning capabilities to individual users and applications, you use groups in CDF to define which capabilities the group members (users or applications) should have. You link and synchronize the CDF groups to user groups in your identity provider (IdP), for instance, Microsoft Entra ID (ME-ID) (formerly Azure Active Directory).
For example, if you want users or applications to read, but not write, time series data in CDF, you first create a group in your IdP and add the relevant users and applications to it. Next, you create a CDF group with the necessary capabilities (`timeseries:read`) and link the CDF group to the IdP group.
You can tag sensitive resources with additional security categories for even more fine-grained access control and protection.
This flexibility lets you manage and update your data governance policies quickly and securely. You can continue to manage users and applications in your organization's IdP service outside of CDF.
This article explains how to add capabilities to groups and how to create and assign security categories. You will also find overviews of the capabilities needed to access and use different features in CDF.
To configure the IdP integration, you need these capabilities: `projects:list`, `projects:read`, `projects:update`.
To work with CDF groups, you need: `groups:list`, `groups:read`, `groups:create`, `groups:update`, `groups:delete`.
Create a group and add capabilities
- Navigate to the CDF portal application > Manage & Configure > Manage access.
- In the Access management window, select Groups > Create new group.
- In the Create new group window, enter a unique name for the group.
- Select Add capabilities.
- In the Capability type field, select a resource type, such as assets and time series, CDF groups, data sets, or specific functionality.
- In the Action field, allow for actions on the data, such as `read`, `write`, or `list`.
- In the Scope field, scope the access to all data or a subset within the selected capability type. The subset differs according to the capability type but always includes all data as an option.
- Click Save.
- In the Source ID field, enter the Object Id for the ME-ID group exactly as it exists in ME-ID. This links the CDF group to a Microsoft Entra ID group.
Create and assign security categories
You can add an extra access level for time series and files by tagging resources with security categories via the Cognite API. This is useful if you want to protect market-sensitive data. To access resources tagged with a security category, you must have both the standard capabilities for the resource type and capabilities for the security category.
To access, create, update, and delete security categories, you need these capabilities via a group membership:
- `securitycategories:create`
- `securitycategories:update`
- `securitycategories:delete`
To assign security categories to groups:
- Open the group where you want to add security categories.
- In the Capability type field, select Security categories.
- In the Action field, select `securitycategories:memberof`.
- In the Scope field, select Security categories, then associate a security category or select All.
To perform actions, such as `read` or `write`, on time series and files tagged with capabilities and security categories:
- You must be a member of a group with actions that give access to the time series or files, for instance, `timeseries:read`.
- You must be a member of a group with the `securitycategories:memberof` capability for the same time series or files.
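The following is an added example, not Cognite's own code or API format: a small offline model of the rules described in this article, namely that a capability is a resource type plus actions plus a scope, and that a resource tagged with a security category requires both the standard capability for its data set and `securitycategories:memberof` for that category. Group names, source IDs, data set IDs and category IDs are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed, simplified model of CDF groups and capabilities (not the
# Cognite API payload format). A scope of None stands for "All".

@dataclass
class Capability:
    resource: str                      # capability type, e.g. "timeseries"
    actions: frozenset                 # e.g. {"read"}, {"memberof"}
    scope: Optional[frozenset] = None  # data set ids, or security category ids

@dataclass
class Group:
    name: str
    source_id: str                     # ME-ID group Object Id the CDF group links to
    capabilities: list = field(default_factory=list)

@dataclass
class Resource:
    resource_type: str                 # "timeseries" or "files"
    data_set_id: int
    security_category: Optional[int] = None

def has_capability(groups, resource_type, action, scope_item):
    """True if any group grants `action` on `resource_type` covering `scope_item`."""
    return any(
        cap.resource == resource_type
        and action in cap.actions
        and (cap.scope is None or scope_item in cap.scope)
        for g in groups for cap in g.capabilities
    )

def can_access(groups, resource, action):
    """Standard capability is always required; a tagged resource also needs memberof."""
    if not has_capability(groups, resource.resource_type, action, resource.data_set_id):
        return False
    if resource.security_category is None:
        return True
    return has_capability(groups, "securitycategories", "memberof", resource.security_category)

# Constructed groups: readers of data set 7, and members of security category 42.
TS_READERS = Group("ts-readers", "<me-id-group-object-id-1>",
                   [Capability("timeseries", frozenset({"read"}), frozenset({7}))])
MARKET_SENSITIVE = Group("market-sensitive", "<me-id-group-object-id-2>",
                         [Capability("securitycategories", frozenset({"memberof"}), frozenset({42}))])
PUBLIC_TS = Resource("timeseries", 7)
SENSITIVE_TS = Resource("timeseries", 7, security_category=42)
```

Membership in only one of the two groups is not enough for the tagged time series; both the data set scope and the category must match.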
Share data and mention coworkers
You must enable user profiles to let users share data and mention (@name) coworkers. By default, CDF will collect user information, such as name, email, and job title.
We currently support using Microsoft Entra ID to enable CDF user profiles. Learn more about our privacy policy.
All users with any group membership in a CDF project get the `userProfilesAcl:READ` capability and can search for other users.
To enable or disable user profiles in CDF:
- Navigate to CDF > Data management > Manage access.
- On the Access management page, select User profiles.
- Select Enable user profiles and Save.
Feature capabilities
The tables below describe the necessary capabilities to access different CDF features.
In addition to the capabilities listed in the sections below, users and applications need these minimum capabilities to access any feature in CDF.
Capability type | Action | Scope | Description |
---|---|---|---|
Groups | groups:list | Current user, All | Verifies user group access. |
Projects | projects:list | All | Verifies that a user or application has access to a CDF project. To access the resources in the project, see the capabilities listed below. |
Extractors
PI extractor
Extract time series data from the OSISoft PI Data Archive.
Capability type | Action | Scope | Description |
---|---|---|---|
Timeseries | timeseries:read, timeseries:write | Data set, All | Ingest time series. |
RAW | raw:read, raw:write, raw:list | Tables, All | Ingest to CDF RAW, and required when the state store is configured to use CDF RAW. |
Events | events:read, events:write | Data sets, All | Log extractor incidents as events in CDF. |
Extraction pipeline runs | extractionruns:write | Data sets, Extraction pipelines, All | Allow the extractor to report state and heartbeat back to CDF. |
Remote configuration files | extractionconfigs:write | Data sets, Extraction pipelines, All | Use versioned extractor configuration files stored in the cloud. |
PI AF extractor
Extract data from the OSIsoft PI Asset Framework (PI AF).
Capability type | Action | Scope | Description |
---|---|---|---|
RAW | raw:read, raw:write, raw:list | Tables, All | Ingest to CDF RAW, and required when the state store is configured to use CDF RAW. |
Extraction pipeline runs | extractionruns:write | Data sets, Extraction pipelines, All | Allow the extractor to report state and heartbeat back to CDF. |
PI Replace utility
Re-ingest time series to CDF by optionally deleting a data point time range and ingesting the data points in PI for that time range.
Capability type | Action | Scope | Description |
---|---|---|---|
Time series | timeseries:read, timeseries:write | Data sets, All | Re-ingest time series into CDF. |
RAW | RAW:read, RAW:write, RAW:list | Tables, All | Ingest to CDF RAW, and required when the state store is configured to use CDF RAW. |
Events | events:read, events:write | Data sets, All | Log extractor incidents as events in CDF. |
DB extractor
Extract data from any database supporting Open Database Connectivity (ODBC) drivers.
Capability type | Action | Scope | Description |
---|---|---|---|
RAW | RAW:read, RAW:write, RAW:list | Tables, All | Ingest to CDF RAW, and required when the state store is configured to use CDF RAW. |
Extraction pipeline runs | extractionruns:write | Data sets, Extraction pipelines, All | Allow the extractor to report state and heartbeat back to CDF. |
Remote configuration files | extractionconfigs:write | Data sets, Extraction pipelines, All | Use versioned extractor configuration files stored in the cloud. |
OPC UA extractor
Extract time series, events, and asset data via the OPC UA protocol.
Capability type | Action | Scope | Description |
---|---|---|---|
Time series | timeseries:read, timeseries:write | Data sets, All | Ingest time series. |
Assets | assets:read, assets:write | Data sets, All | Required if the configuration parameters raw-metadata or skip-metadata aren't set. |
Events | events:read, events:write | Data sets, All | Ingest events if enabled. |
RAW | RAW:read, RAW:write, RAW:list | Tables, All | Ingest metadata to CDF RAW, and required when the state store is set to use CDF RAW. |
Relationships | relationships:read, relationships:write | Data sets, All | Ingest relationships if enabled in the configuration. |
Data sets | data-sets:read | Data sets, All | Resolve the data set external ID if enabled in the configuration. |
Extraction pipeline runs | extractionruns:write | Data sets, Extraction pipelines, All | Allow the extractor to report state and heartbeat back to CDF. |
Remote configuration files | extractionconfigs:write | Data sets, Extraction pipelines, All | Use versioned extractor configuration files stored in the cloud. |
Studio for Petrel extractor
Connect to SLB Studio for Petrel through the Ocean SDK and stream Petrel object data to the CDF files service as protobuf objects.
Capability type | Action | Scope | Description |
---|---|---|---|
Files | files:read, files:write, files:list | Data sets, All | Ingest SLB Studio for Petrel object data into CDF. |
WITSML extractor
Connect via the Simple Object Access Protocol (SOAP) and the Energistics Transfer Protocol (ETP) and extract data using the Wellsite Information Transfer Standard Markup Language (WITSML) into CDF.
Capability type | Action | Scope | Description |
---|---|---|---|
Time series | timeseries:read, timeseries:write, timeseries:list | Data sets, All | Ingest WITSML growing objects, such as WITSML logs, into the CDF time series service. |
Sequences | sequences:read, sequences:write, sequences:list | Data sets, All | Ingest WITSML growing objects, such as WITSML logs, into the CDF sequences service. |
RAW | raw:read, raw:write, raw:list | Tables, All | Ingest WITSML non-growing objects, such as wellbore, into CDF RAW. |
Extraction pipelines | extractionpipelines:write | Data sets, Extraction pipelines, All | Allow the extractor to report state and heartbeat back to CDF. |
EDM extractor
Connect to the Landmark Engineers Data Model server and extract data through the Open Data protocol (OData) from DecisionSpace Integration Server (DSIS) to CDF RAW.
Capability type | Action | Scope | Description |
---|---|---|---|
RAW | raw:read, raw:write, raw:list | Tables, All | Ingest data from the Landmark EDM model into CDF RAW. |