Skip to main content
Instead of assigning capabilities to individual users and service accounts, use groups in CDF to define what capabilities members (users or applications) have to work with different CDF resources. You can manage group membership in your identity provider (IdP), for instance, in Microsoft Entra ID, or in Cognite Data Fusion, or in a combination of the two.
For a seamless first-time sign-in for users, we recommend creating a CDF group with capabilities to view and use data and apps. Then, include all user accounts in the group.

Manage group membership in Cognite Data Fusion

To manage group membership for user accounts in Cognite Data Fusion, you can add all authenticated users or individual users to CDF groups. To add individual users, they need to already have signed in to a CDF project. Groups that have All user accounts as members display first in the Groups overview page. To manage membership for service accounts, use your identity provider.

Create a group in CDF and add members

1

Sign in to Cognite Data Fusion

Sign in to Cognite Data Fusion as an admin.
2

Create a group

Select the Admin workspace, and then Access management > Groups > Create group.
3

Configure the group

Enter a unique name and add capabilities.
4

Configure group members

Under Members:
  • To add all users of the organization to the group, select All user accounts.
All authenticated users automatically become members of the group and are granted all the capabilities assigned to the group. Make sure that the group has only the minimum required capabilities to access the necessary applications and data.
  • To add individual users, select List of users and then the users you want to add.
Add members
Only profiles of users who have logged into the organization at least once are visible.
Group membership can be one of Externally managed or List of user or All user accounts. Exercise caution when updating group membership. Any unintended changes can lead to failures in transformations, extractors, monitoring jobs or functions.
5

Link to Application (Client) ID

In the Application (Client) ID dropdown, select the existing or create a new Application (Client) ID to link groups to specific applications to improve query efficiency. Application (Client) ID is a unique public identifier for an application registered with an authorization server. You can set more than one Application (Client) ID for a group.When users make a query to CDF, their Effective Access (EA) is determined by the union of all capabilities and scopes from the groups they’re members of. When users make a query from an application, only the groups linked to that application are considered for EA.
This feature is currently supported only for CDF organizations configured with Microsoft Entra ID as their identity provider (IdP).
If a group isn’t linked to any application and the user is a member of that group, the group is considered for all queries, regardless of the application used.If a service account is a member of a group, and the group is linked to an Application (Client) ID different from the service account’s client ID, the group is ignored for the service account’s effective access.
6

Select Create

Currently, you can only add user accounts as members of a CDF group. For service accounts you need to create the service accounts in your identity provider and manage their group membership as Externally managed.
Last modified on January 27, 2026