Skip to main content
Security categories provide fine-grained access control on top of standard capabilities. When you apply a security category to a resource, only principals (users or service accounts) that have both the required resource capability and membership in that security category can access the resource.

How security categories work

Security categories add a second layer of access control. A principal needs to satisfy two conditions to access a protected resource:
  1. The principal must have the standard resource capability (for example, timeseries:read).
  2. The principal must have the securitycategories:memberof capability for the same security category applied to the resource.
If either condition is not met, access is denied. You assign security category membership to groups through the capabilities configuration.

Supported resource types

You can apply security categories to the following resource types:
  • Time series
  • Files

Limits

ResourceLimit
Security categories per project1,000
Security categories per time series100
Security categories per file100
Time series linked to a data modeling instance (instanceId) cannot have security categories.

Key capabilities

  • Create security categories by name (names must be unique within a project)
  • List all security categories in a project
  • Delete security categories by ID
To learn more about how security categories work with access control, see Access management concepts.
Last modified on April 23, 2026