> ## Documentation Index
> Fetch the complete documentation index at: https://docs.cognite.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Security categories

> Manage security categories in Cognite Data Fusion (CDF).

Security categories provide fine-grained access control on top of standard capabilities. When you apply a security category to a resource, only principals (users or service accounts) that have both the required resource capability **and** membership in that security category can access the resource.

## How security categories work

Security categories add a second layer of access control. A principal needs to satisfy two conditions to access a protected resource:

1. The principal must have the standard resource capability (for example, `timeseries:read`).
2. The principal must have the `securitycategories:memberof` capability for the same security category applied to the resource.

If either condition is not met, access is denied. You assign security category membership to [groups](/api-reference/concepts/20230101/groups) through the capabilities configuration.

## Supported resource types

You can apply security categories to the following resource types:

* **Time series**
* **Files**

## Limits

| Resource                            | Limit |
| :---------------------------------- | :---- |
| Security categories per project     | 1,000 |
| Security categories per time series | 100   |
| Security categories per file        | 100   |

<Note>
  Time series linked to a data modeling instance (`instanceId`) cannot have security categories.
</Note>

## Key capabilities

* **Create** security categories by name (names must be unique within a project)
* **List** all security categories in a project
* **Delete** security categories by ID

To learn more about how security categories work with access control, see [Access management concepts](/cdf/access/concepts/concepts).
