# About Access management
In this article:
# Access management concepts
Use Access management to manage access to the various types of resources (assets, files, events, time series, etc.) through Cognite Data Fusion (CDF).
Manage groups to define how members of the group can work with the data in the resource types. For example, you can create a group that allows its members to read, but not write, time series data in CDF. Both service accounts and users can be members of a group. Learn more: Manage groups.
Manage service accounts and associated API keys to enable apps and services, for example extractors and machine learning models, to interact with CDF resource types through the Cognite API or one of our SDKs. You can also set group memberships for each service account. Learn more: Manage access for apps and services.
Users can use their existing organizational identity to work with CDF and related applications such as Asset Data Insight and Operation Support. You manage the organizational identities for users in an Identity Provider (IdP) service outside of CDF, for example in Microsoft's Azure Active Directory (Azure AD) or other OpenID Connect compliant providers. Learn more: Manage access for users.
See how the concepts are related in the figure below.
# Access management patterns
# Grant users access to data through an application
Example: An IT manager at a company that uses Azure Active Directory wants to grant 240 users access to read selected data sets in the Cognite business application Operation Support. What should the IT manager do?
Learn more in our guide to manage access for users.
# Grant access to a service reading or writing data from CDF, such as an extractor, a transformation, or a data science model
The service can be an internally developed service or a service developed by a third party.
Learn more in our guide to manage access for apps and services.
# Hide market sensitive data
You can hide market sensitive data by adding the capability
securityCategoriesAclwhen you create a group.
This must be done using the API through Postman or SDKs.