timeseries:read) or create a 3D model (3D:create).
Capabilities also decide which features you have access to. For example, you need the 3d:create capability to upload 3D models to CDF.
A capability is defined by a resource type, a scope, and actions. The resource type and scope define the data the capability applies to, while the action defines the operations you are allowed to perform.
timeseries:read) and link the CDF group and the IdP group.
You can tag sensitive resources with additional security categories for even more fine-grained access control and protection.
This flexibility lets you manage and update your data governance policies quickly and securely. You can continue to manage users and applications in your organization’s IdP service outside of CDF.
This article explains how to add capabilities to groups, create and assign security categories. You will also find overviews of the necessary capabilities to access and use different features in CDF.
For users to successfully sign in and use Fusion UI, the following minimum set of capabilities is required :
projects:list, groups:list and groups:readCreate a group and add capabilities
1
Navigate to the Groups page
Navigate to Admin > Groups > Create group.
2
Enter a name
Enter a unique name for the group.
3
Add capabilities
- In the Capability type field, select a resource type, such as assets and time series, CDF groups, data sets, or specific functionality.
- In the Action field, allow for actions on the data, such as
read,writeorlist. - In the Scope field, scope the access to all data or a subset within the selected capability type. The subset differs according to the capability type but always includes all data as an option.
4
Save the group
Select Save.
5
Link the group to your identity provider
In the Source ID field, enter the Object Id (Entra ID) or Group name (Cognito) exactly as it exists in your identity provider (IdP). It will link the CDF group to a group in Microsoft Entra ID or Amazon Cognito.

Create and assign security categories
You can add an extra access level for time series and files by tagging resources with security categories via the Cognite API. This is useful if you want to protect market-sensitive data. To access resources tagged with a security category, you must have both the standard capabilities for the resource type and capabilities for the security category. To access, create, update, and delete security categories, you need these capabilities via a group membership:securitycategories:createsecuritycategories:updatesecuritycategories:delete
1
Open the group
Open the group where you want to add security categories.
2
Select Security categories
In the Capability type field, select Security categories.
3
Set the security category
In the Action field, select
securitycategories:memberof.4
Set the scope
In the Scope field, select Security categories, associate a security category or select All.
read or write on time series and files tagged with capabilities and security categories:
- You must be a member of a group with actions that give access to a times series or files, for instance,
timeseries:read. - You must be a member of a group with the
securitycategories:memberofcapability for the same time series or files.
Share data and mention coworkers
User profiles let users share data and mention (@name) coworkers. By default, CDF will collect user information, such as name, email, and job title. All users with any group membership in a CDF project get theuserProfilesAcl:READ capability and can search for other users.
Feature capabilities
The tables below describe the necessary capabilities to access different CDF features.In addition to the capabilities listed in the sections below, users and applications need these minimum capabilities to access any feature in CDF.
Atlas AI
Build and deploy AI agents to automate tasks and workflows. Use the Atlas AI Agents capability type to control who can view, create, edit, and run agents.Agent lifecycle and permissions
- Draft agents can be edited, deleted, and published by users with
agents:writeaccess to that agent. - Published agents can only be unpublished. They cannot be edited or deleted until they are unpublished first. The Agent library view lists only published agents.
- Create and duplicate always require
agents:writewith All scope. Theagents:writeaction is scoped to specific agent external IDs and does not grant these actions.
All-scope access
Grant the following capabilities when users need broad access across all agents in projects.Scoped access (specific agents)
Use scoped capabilities to limit users to a named list of agents by external ID. Users gain page-level access to the Agents page, but all actions are restricted to the agents whose external IDs are listed in the scope. Scopedagents:write does not grant create or duplicate — those always require agents:write with All scope.
To configure scoped access for specific agents:
1
Open or create a group
Go to Admin > Access Management > Groups and open an existing group or create a new one.
2
Add the Agents capability
Select Atlas AI Agents as the capability type and choose the required actions:
agents:read, agents:write, or agents:run.3
Set scope to specific agent external IDs
Select Specific agent external IDs as the scope and enter the external IDs the group can access. Users in this group can complete actions on matching agents but cannot create or duplicate agents.
4
Save and verify
Save the group and verify with a test user that only in-scope agents are accessible.
You might need more capabilities that depend on the tools that are used by agents:
datamodels:readfor tool calls that read data model definitionsdatamodelinstances:readfor tool calls that read data model instance datasessions:createwhen a tool flow requests a user session at runtime
Canvas
Add assets, engineering diagrams, sensor data, images, and 3D models to a canvas. To set up a canvas and its features, you’ll need extended access. To work on a canvas, you’ll need end-user access.The
cdf_industrial_canvas and cdf_apps_shared spaces are system spaces. Access to system spaces is handled automatically by CDF; don’t add them as scopes in access groups.
End-user access
Add these capabilities for users that will work on a canvas:
Private canvasesPrivate canvases aren’t governed by CDF access management.
Charts
Configure InField
Set up the InField application.
Add the InField admin users to an access group named
applications-configuration. Learn more
Project settings
Configure default settings for how data is displayed in search and configure location filters to help users find and select data related to a specific physical location.Data explorer and Image and video data
Find, validate, and learn about the data you need to build solutions in the Data explorer and Image and video management.Data modeling
Create data models and ingest data into them.
For more details, see Access control lists.
Records
Manage streams and ingest or read records in the defined streams.To read or write records, you must have the
datamodels:read capability scoped to All or to at least the Space where the container is located, in addition to the stream records capabilities. For more details, see Records and Streams.Data sets and Data catalog
Use the Data sets capability type to grant users and applications access to add or edit metadata for data sets. To add or edit data within a data set, use the relevant resource type capability. For instance, to write time series to a data set, use the Time series capability type. Read more here.Data workflows
Use data workflows to coordinate interdependent processes.Diagram parsing for asset-centric data models
Find, extract, and match tags on engineering diagrams and link them to an asset hierarchy or other resource types.Diagram parsing for data modeling
Analyze and detect symbols and tags on engineering diagrams and link them to an asset hierarchy or other resource type in CDF.Document parser
Extract data from documents, such as datasheets, equipment specifications, or process flow diagrams.Flows custom apps
Control who can discover and run Flows custom apps and who can create or change them, for example, new versions, lifecycle state, and descriptions. Use the App hosting capability type to grant broad access to all Flows custom apps or scoped access to specific apps.All-scope access
Grant the following capabilities when users need access across all Flows custom apps in the project.Scoped access
Use scoped capabilities to limit users to a named list of apps by external ID.Scoped
apphosting:write lets users create and update only apps whose externalId is listed in the scope. Add apphosting:run to the same capability when those users also need to run the apps.
To configure scoped access, follow the steps in Create a group and add capabilities. When setting the scope, select App external IDs and enter the
externalId values from each app’s app.json file. Save the group and verify with a test user that they can access only in-scope apps.
Common group configurations
Extraction pipelines
Set up and monitor extraction pipelines and report the pipeline run history.| User | Action | Capability | Description |
|---|---|---|---|
| End-user | Create and edit extraction pipelines | extractionpipelines:write | Gives access to create and edit individual pipelines and edit notification settings. Ensure that the pipeline has read access to the data set being used by the extraction pipeline. |
| View extraction pipelines | extractionpipelines:read | Gives access to list and view pipeline metadata. | |
| Create and edit extraction configurations | extractionconfigs:write | Gives access to create and edit an extractor configuration in an extraction pipeline. | |
| View extraction configurations | extractionconfigs:read | Gives access to view an extractor configuration in an extraction pipeline. | |
| View extraction logs | extractionruns:read | Gives access to view run history reported by the extraction pipeline runs. | |
| Extractor | Read extraction configurations | extractionconfigs:read | Gives access to read an extractor configuration from an extraction pipeline. |
| Post extraction logs | extractionruns:write | Gives access to post run history reported by the extraction pipeline runs. | |
| Third-party actors | Create and edit extraction pipelines | extractionpipelines:write | Gives access to create and edit individual pipelines and edit notification settings. Ensure that the pipeline has read access to the data set being used by the extraction pipeline. |
| Create and edit extraction configurations | extractionconfigs:write | Gives access to create and edit the extractor configuration from an extraction pipeline. |
Functions
Deploy Python code to CDF and call the code on-demand or schedule the code to run at regular intervals.Hosted extractors
Job email notifications
Subscribe to email alerts when hosted extractor job status changes.Cognite Event Hub extractor
Cognite Kafka extractor
Cognite MQTT extractor
Cognite REST extractor
Match entities
Create and tune models to automatically contextualize resources.On-premises extractors
The service principal used by the on-premises extractors must also be assigned the capabilities listed in the Feature capabilities table.
DB extractor
Extract data from any database supporting Open Database Connectivity (ODBC) drivers.Documentum extractor
Extract documents from OpenText Documentum or OpenText D2 systems.EDM extractor
Connect to the Landmark Engineers Data Model server and extract data through the Open Data protocol (OData) from DecisionSpace Integration Server (DSIS) to CDF RAW.File extractor
Connect to local file systems, SharePoint Online Document libraries, and network sharing protocols, like FTP, FTPS, and SFTP, and extract files into CDF.OPC classic extractor
OPC UA extractor
Extract time series, events, and asset data via the OPC UA protocol.OSDU extractor
Connect to the Open Group OSDU™ Data Platform and ingest data into CDF.PI AF extractor
Extract data from the OSIsoft PI Asset Framework (PI AF).PI extractor
Extract time series data from the OSISoft PI Data Archive.PI Replace utility
Re-ingest time series to CDF by optionally deleting a data point time range and ingesting the data points in PI for that time range.SAP extractor
Extract data from SAP ERP servers into Cognite Data Fusion.Studio for Petrel extractor
Connect to SLB Studio for Petrel through the Ocean SDK and stream Petrel object data to the CDF files service as protobuf objects.WITSML extractor
Connect via the Simple Object Access Protocol (SOAP) and the Energistics Transfer Protocol (ETP) and extract data using the Wellsite Information Transfer Standard Markup Language (WITSML) into CDF.PostgreSQL gateway
Ingest data into CDF using the Cognite PostgreSQL gateway.If you revoke the capabilities in the CDF group, you also revoke access for the PostgreSQL gateway.