Groups grant principals (users and service accounts) the capabilities to access CDF resources. Each group contains a set of capabilities that define what actions the group members can perform and on which resources. One principal can be a member of multiple groups, and one group can have multiple members. The principal’s effective permissions are the union of capabilities from all their groups.
Having more than 20 groups per principal is not supported and may result in login issues.

Membership models

Groups support two membership models:
  • Managed externally — group membership is managed by the external identity provider (IdP). You link a CDF group to an IdP group using a sourceId (for example, the Object ID in Microsoft Entra ID). You cannot edit or view members of these groups in CDF.
  • Managed in CDF — group membership is managed directly in CDF. You can add individual principal IDs as members (up to 100 per group) or set the group to include all authenticated user accounts in the organization.

Capabilities

Each group defines an array of capabilities. A capability specifies:
  • Resource type — the CDF resource (for example, assetsAcl, eventsAcl, timeSeriesAcl)
  • Actions — the permitted operations (for example, READ, WRITE, LIST, CREATE, DELETE)
  • Scope — which resources the capability applies to (for example, all resources, a specific data set, or the current user’s resources)
All users with any group membership automatically receive userProfilesAcl:READ.

Limits

Resource                          Limit
Groups per project                500
Groups per principal              20
Members per CDF-managed group     100
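
An access review can apply the union rule and the limits above to an export of group definitions. The following Python is an added example, not code from the CDF documentation or SDK; the dict layout, principal names, scope labels and the placeholder sourceId are constructed assumptions.

```python
from collections import defaultdict

MAX_GROUPS_PER_PRINCIPAL = 20  # limit stated on this page
MAX_MEMBERS_PER_GROUP = 100    # limit stated on this page

# Constructed sample data; the dict layout is an assumption, not the CDF API schema.
GROUPS = [
    {"name": "asset-readers", "source_id": None, "members": ["alice", "svc-etl"],
     "capabilities": [{"resource": "assetsAcl", "actions": ["READ", "LIST"], "scope": "all"}]},
    {"name": "ts-writers", "source_id": None, "members": ["svc-etl"],
     "capabilities": [{"resource": "timeSeriesAcl", "actions": ["READ", "WRITE"], "scope": "dataset:42"},
                      {"resource": "assetsAcl", "actions": ["READ"], "scope": "all"}]},
    # Externally managed: members live in the IdP and are not visible in CDF.
    {"name": "idp-admins", "source_id": "00000000-0000-0000-0000-000000000000", "members": None,
     "capabilities": [{"resource": "eventsAcl", "actions": ["DELETE"], "scope": "all"}]},
]

def audit(groups):
    """Return (effective permissions per principal, findings) for CDF-managed groups."""
    effective = defaultdict(set)    # principal -> {(resource, action, scope)}
    memberships = defaultdict(set)  # principal -> {group name}
    findings = []
    for g in groups:
        if g["source_id"] is not None:
            findings.append(f"{g['name']}: membership is in the IdP, review it there")
            continue
        members = set(g["members"] or [])
        if len(members) > MAX_MEMBERS_PER_GROUP:
            findings.append(f"{g['name']}: {len(members)} members exceeds {MAX_MEMBERS_PER_GROUP}")
        for p in members:
            memberships[p].add(g["name"])
            # Any group membership implies userProfilesAcl:READ (scope label constructed).
            effective[p].add(("userProfilesAcl", "READ", "implicit"))
            for cap in g["capabilities"]:
                for action in cap["actions"]:
                    effective[p].add((cap["resource"], action, cap["scope"]))
    for p, names in sorted(memberships.items()):
        if len(names) > MAX_GROUPS_PER_PRINCIPAL:
            findings.append(f"{p}: member of {len(names)} groups, limit is {MAX_GROUPS_PER_PRINCIPAL}")
    return dict(effective), findings

if __name__ == "__main__":
    effective, findings = audit(GROUPS)
    for principal, caps in sorted(effective.items()):
        print(principal, sorted(caps))
    print(*findings, sep="\n")
```

Because externally managed groups expose no members in CDF, the audit reports them as findings to be reviewed in the IdP instead of silently treating them as empty.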

Key capabilities

  • Create groups with a name and a set of capabilities
  • List groups that the requesting principal is a member of, or all groups with the groups:list capability
  • Delete groups by ID
Last modified on April 23, 2026