Get started

In the Cognite Console, use the IAM - Identity and Access Management section to decide who can access data in your CDF project, and what data they're allowed to interact with.

Identity and Access Management

Services need a service account and an API key to interact with CDF through the API or the SDKs, while users typically use their organizational identity.

You assign users and services to groups. A group defines which data its members can work with and what they can do with it, for example read a time series or delete an asset.

Manage access for services

Services, for example extractors and machine learning models, need a service account and API key to interact with CDF through the API or the SDKs.

Read the sections below to learn how to create a service account for a service and generate an API key for a service account.

Create a service account for a service

To create a service account:

  1. Select Access management in the left-hand bar.

  2. Select Service Accounts.

  3. Click Create new service account and enter a unique Name for the service account. The name should reflect the purpose of the service account. If the service account is for a user, we recommend that you use the user's email address as the name.

  4. Select the group(s) that have the capabilities you want to assign to the service account.

    We recommend that you give the service account the minimum capabilities it needs to perform its functions.

Assign groups to a service account

Generate an API key for a service account

An API key is a secret string that grants access to a project in Cognite Data Fusion. Each API key connects one service to one project. API keys should never be shared, except if you're creating one for someone who can't create their own.

To create an API key for a service account:

  1. Select Access management in the left-hand bar.

  2. Select Service Accounts.

  3. Select the service account and click Generate new key.

  4. Copy the generated API key and use a secure method to share the API key with the recipient, typically the programmer developing the service.

    Yopass and password manager tools like LastPass are examples of tools you can use to share the API key securely with the person or service you are creating it for.

Generate an API key for the service account

Manage access for users

To allow users to use their existing organizational identity to work with data in CDF, you need to connect CDF to an Identity Provider (IdP) service outside of CDF, for example Microsoft's Azure Active Directory (Azure AD) or another OpenID Connect compliant provider.

To connect CDF to your IdP, make sure that the sourceId for a Cognite Data Fusion group matches the correct group identifier in the IdP.

Note: You can only specify the sourceId of a group when you first create the group in CDF. You cannot change the sourceId for an existing group.

Learn more: authorization in CDF

Manage groups

A group defines which data its members (users and service accounts) can work with and what they can do with it, for example read a time series or delete an asset. If the existing groups don't have the right capabilities for a user or a service account, you can create a new group.

Note: You cannot change existing groups.

To create a new group:

  1. Select IAM (Identity Access Management) in the left-hand bar.
  2. Select Groups.
  3. Select Create new group and enter a unique Name for the group.
  4. Select the capabilities for the new group and define scope and actions. The scope defines which data the group has access to and the actions define what the group is allowed to do with that data.

Create new group with more granular access
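
Because an existing group cannot be changed and its sourceId is fixed at creation, it helps to review a planned group definition before you create it. The following is an added example, not Cognite's code: it checks constructed group definitions for grants that go beyond reading on all data and for a sourceId that matches no IdP group. The dictionary layout, the capability and action names, and the IdP group identifiers are assumptions made for illustration.

```python
# Added example: constructed data, not exported from a real CDF project.
# Assumed layout: a group has a name, a sourceId and a list of capabilities,
# each capability being {capability_name: {"actions": [...], "scope": {...}}}.
READ_ONLY = {"READ", "LIST"}  # assumed names for non-modifying actions

GROUPS = [
    {"name": "extractor-timeseries", "sourceId": "",
     "capabilities": [{"timeSeriesAcl": {"actions": ["READ", "WRITE"],
                                         "scope": {"all": {}}}}]},
    {"name": "analysts", "sourceId": "idp-group-analysts",
     "capabilities": [{"assetsAcl": {"actions": ["READ"],
                                     "scope": {"all": {}}}}]},
    {"name": "operators", "sourceId": "idp-group-operatorz",  # typo on purpose
     "capabilities": [{"assetsAcl": {"actions": ["READ", "DELETE"],
                                     "scope": {"all": {}}}}]},
]
IDP_GROUP_IDS = {"idp-group-analysts", "idp-group-operators"}  # constructed

def broad_grants(group):
    """Return (capability, actions) pairs that allow more than reading on all data."""
    findings = []
    for capability in group.get("capabilities", []):
        for name, spec in capability.items():
            risky = sorted(set(spec.get("actions", [])) - READ_ONLY)
            if risky and "all" in spec.get("scope", {}):
                findings.append((name, risky))
    return findings

def unmatched_source_id(group, idp_group_ids):
    """True if the group points at an IdP group identifier that does not exist."""
    source_id = group.get("sourceId") or ""
    return bool(source_id) and source_id not in idp_group_ids

def review(groups, idp_group_ids):
    """Map group name to its findings; groups with no findings are omitted."""
    report = {}
    for group in groups:
        issues = [f"{name}: {'/'.join(actions)} on all data"
                  for name, actions in broad_grants(group)]
        if unmatched_source_id(group, idp_group_ids):
            issues.append(f"sourceId {group['sourceId']!r} not found in IdP")
        if issues:
            report[group["name"]] = issues
    return report

if __name__ == "__main__":
    for group_name, issues in review(GROUPS, IDP_GROUP_IDS).items():
        print(group_name, issues)
```

A finding is a prompt to narrow the scope or drop an action before the group is created, not proof that the grant is wrong.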
Last Updated: 10/22/2019, 6:42:48 AM