# About access management (Deprecated)


We are deprecating authentication via CDF service accounts and API keys in favor of registering applications and services with your IdP (identity provider) and using OpenID Connect and the IdP framework to manage CDF access securely. We strongly encourage customers to adopt the new authentication flows as soon as possible.


# Access management concepts

Use Access management to manage access to the various types of resources (assets, files, events, time series, etc.) through Cognite Data Fusion (CDF).

  • Manage groups to define how members of the group can work with the data in the resource types. For example, you can create a group that allows its members to read, but not write, time series data in CDF. Both service accounts and users can be members of a group. Learn more: Manage groups.

  • Manage service accounts and associated API keys to enable apps and services, for example extractors and machine learning models, to interact with CDF resource types through the Cognite API or one of our SDKs. You can also set group memberships for each service account. Learn more: Manage access for apps and services.

Users can use their existing organizational identity to work with CDF and related applications such as Asset Data Insight and Operation Support. You manage the organizational identities for users in an Identity Provider (IdP) service outside of CDF, for example in Microsoft's Azure Active Directory (Azure AD) or other OpenID Connect compliant providers. Learn more: Manage access for users.

See how the concepts are related in the figure below.

[Figure: Group concepts]

# Access management patterns

# Grant users access to data through an application

Example: An IT manager at a company that uses Azure Active Directory wants to grant 240 users access to read selected data sets in the Cognite business application Operation Support. What should the IT manager do?

Learn more in our guide to manage access for users.

# Grant access to a service reading or writing data from CDF, such as an extractor, a transformation, or a data science model

The service can be an internally developed service or a service developed by a third party.

Learn more in our guide to manage access for apps and services.

# Hide market sensitive data

You can hide market sensitive data by adding the capability securityCategoriesAcl when you create a group. This must be done using the API through Postman or SDKs.

Last Updated: 4/27/2021, 7:45:16 AM