Skip to main content
To control access to data and features in Cognite Data Fusion (CDF), you define what capabilities users or applications have to work with different resource types in CDF, for example, if they can read a time series (timeseries:read) or create a 3D model (3D:create). Capabilities also decide which features you have access to. For example, you need the 3d:create capability to upload 3D models to CDF. A capability is defined by a resource type, a scope, and actions. The resource type and scope define the data the capability applies to, while the action defines the operations you are allowed to perform.
Groups in CDF
Instead of assigning capabilities to individual users and applications, you use groups in CDF to define which capabilities the group members (users or applications) should have. You link and synchronize the CDF groups to user groups in your identity provider (IdP), for instance, Microsoft Entra ID or Amazon Cognito. For example, if you want users or applications to read, but not write, time series data in CDF, you first create a group in your IdP to add the relevant users and applications. Next, you create a CDF group with the necessary capabilities (timeseries:read) and link the CDF group and the IdP group. You can tag sensitive resources with additional security categories for even more fine-grained access control and protection. This flexibility lets you manage and update your data governance policies quickly and securely. You can continue to manage users and applications in your organization’s IdP service outside of CDF. This article explains how to add capabilities to groups, create and assign security categories. You will also find overviews of the necessary capabilities to access and use different features in CDF.
For users to successfully sign in and use Fusion UI, the following minimum set of capabilities is required : projects:list, groups:list and groups:read

Create a group and add capabilities

1

Navigate to the Groups page

Navigate to Admin > Groups > Create group.
2

Enter a name

Enter a unique name for the group.
3

Add capabilities

  • In the Capability type field, select a resource type, such as assets and time series, CDF groups, data sets, or specific functionality.
  • In the Action field, allow for actions on the data, such as read, write or list.
  • In the Scope field, scope the access to all data or a subset within the selected capability type. The subset differs according to the capability type but always includes all data as an option.
4

Save the group

Select Save.
5

Link the group to your identity provider

In the Source ID field, enter the Object Id (Entra ID) or Group name (Cognito) exactly as it exists in your identity provider (IdP). It will link the CDF group to a group in Microsoft Entra ID or Amazon Cognito.
Create new group with link to Microsoft Entra ID group object ID

Create and assign security categories

You can add an extra access level for time series and files by tagging resources with security categories via the Cognite API. This is useful if you want to protect market-sensitive data. To access resources tagged with a security category, you must have both the standard capabilities for the resource type and capabilities for the security category. To access, create, update, and delete security categories, you need these capabilities via a group membership:
  • securitycategories:create
  • securitycategories:update
  • securitycategories:delete
To assign security categories to groups:
1

Open the group

Open the group where you want to add security categories.
2

Select Security categories

In the Capability type field, select Security categories.
3

Set the security category

In the Action field, select securitycategories:memberof.
4

Set the scope

In the Scope field, select Security categories, associate a security category or select All.
To perform actions, such as read or write on time series and files tagged with capabilities and security categories:
  • You must be a member of a group with actions that give access to a times series or files, for instance, timeseries:read.
  • You must be a member of a group with the securitycategories:memberof capability for the same time series or files.

Share data and mention coworkers

User profiles let users share data and mention (@name) coworkers. By default, CDF will collect user information, such as name, email, and job title. All users with any group membership in a CDF project get the userProfilesAcl:READ capability and can search for other users.

Feature capabilities

The tables below describe the necessary capabilities to access different CDF features.
In addition to the capabilities listed in the sections below, users and applications need these minimum capabilities to access any feature in CDF.

Atlas AI

Build and deploy AI agents to automate tasks and workflows. Use the Atlas AI Agents capability type to control who can view, create, edit, and run agents.
Agent lifecycle and permissions
  • Draft agents can be edited, deleted, and published by users with agents:write access to that agent.
  • Published agents can only be unpublished. They cannot be edited or deleted until they are unpublished first. The Agent library view lists only published agents.
  • Create and duplicate always require agents:write with All scope. The agents:write action is scoped to specific agent external IDs and does not grant these actions.

All-scope access

Grant the following capabilities when users need broad access across all agents in projects.

Scoped access (specific agents)

Use scoped capabilities to limit users to a named list of agents by external ID. Users gain page-level access to the Agents page, but all actions are restricted to the agents whose external IDs are listed in the scope. Scoped agents:write does not grant create or duplicate — those always require agents:write with All scope. To configure scoped access for specific agents:
1

Open or create a group

Go to Admin > Access Management > Groups and open an existing group or create a new one.
2

Add the Agents capability

Select Atlas AI Agents as the capability type and choose the required actions: agents:read, agents:write, or agents:run.
3

Set scope to specific agent external IDs

Select Specific agent external IDs as the scope and enter the external IDs the group can access. Users in this group can complete actions on matching agents but cannot create or duplicate agents.
4

Save and verify

Save the group and verify with a test user that only in-scope agents are accessible.
You might need more capabilities that depend on the tools that are used by agents:
  • datamodels:read for tool calls that read data model definitions
  • datamodelinstances:read for tool calls that read data model instance data
  • sessions:create when a tool flow requests a user session at runtime
Troubleshooting agent access
  • If a user can access Atlas but cannot run a specific agent, verify that their agents:run access scopes to include that agent’s external ID or to all agents.
  • If a user has agents:write access that scopes to include the agent but they cannot edit or delete an agent, the agent is probably in published state. Unpublish the agent first before making changes.
  • If a user can edit draft agents but cannot create a new agent, add agents:write with scope All.

Canvas

Add assets, engineering diagrams, sensor data, images, and 3D models to a canvas. To set up a canvas and its features, you’ll need extended access. To work on a canvas, you’ll need end-user access.
The cdf_industrial_canvas and cdf_apps_shared spaces are system spaces. Access to system spaces is handled automatically by CDF; don’t add them as scopes in access groups.
Extended access Users with extended access can set up the Canvas tool, create threshold rules, and set up canvas labels: End-user access Add these capabilities for users that will work on a canvas:
Private canvasesPrivate canvases aren’t governed by CDF access management.

Charts

Configure InField

Set up the InField application. Add the InField admin users to an access group named applications-configuration. Learn more

Project settings

Configure default settings for how data is displayed in search and configure location filters to help users find and select data related to a specific physical location.

Data explorer and Image and video data

Find, validate, and learn about the data you need to build solutions in the Data explorer and Image and video management.

Data modeling

Create data models and ingest data into them. For more details, see Access control lists.

Records

Manage streams and ingest or read records in the defined streams.
To read or write records, you must have the datamodels:read capability scoped to All or to at least the Space where the container is located, in addition to the stream records capabilities. For more details, see Records and Streams.

Data sets and Data catalog

Use the Data sets capability type to grant users and applications access to add or edit metadata for data sets. To add or edit data within a data set, use the relevant resource type capability. For instance, to write time series to a data set, use the Time series capability type. Read more here.

Data workflows

Use data workflows to coordinate interdependent processes.

Diagram parsing for asset-centric data models

Find, extract, and match tags on engineering diagrams and link them to an asset hierarchy or other resource types.

Diagram parsing for data modeling

Analyze and detect symbols and tags on engineering diagrams and link them to an asset hierarchy or other resource type in CDF.

Document parser

Extract data from documents, such as datasheets, equipment specifications, or process flow diagrams.

Flows custom apps

Control who can discover and run Flows custom apps and who can create or change them, for example, new versions, lifecycle state, and descriptions. Use the App hosting capability type to grant broad access to all Flows custom apps or scoped access to specific apps.

All-scope access

Grant the following capabilities when users need access across all Flows custom apps in the project.

Scoped access

Use scoped capabilities to limit users to a named list of apps by external ID.
Scoped apphosting:write lets users create and update only apps whose externalId is listed in the scope. Add apphosting:run to the same capability when those users also need to run the apps.
To configure scoped access, follow the steps in Create a group and add capabilities. When setting the scope, select App external IDs and enter the externalId values from each app’s app.json file. Save the group and verify with a test user that they can access only in-scope apps.

Common group configurations

Extraction pipelines

Set up and monitor extraction pipelines and report the pipeline run history.
UserActionCapabilityDescription
End-userCreate and edit extraction pipelinesextractionpipelines:writeGives access to create and edit individual pipelines and edit notification settings. Ensure that the pipeline has read access to the data set being used by the extraction pipeline.
View extraction pipelinesextractionpipelines:readGives access to list and view pipeline metadata.
Create and edit extraction configurationsextractionconfigs:writeGives access to create and edit an extractor configuration in an extraction pipeline.
View extraction configurationsextractionconfigs:readGives access to view an extractor configuration in an extraction pipeline.
View extraction logsextractionruns:readGives access to view run history reported by the extraction pipeline runs.
ExtractorRead extraction configurationsextractionconfigs:readGives access to read an extractor configuration from an extraction pipeline.
Post extraction logsextractionruns:writeGives access to post run history reported by the extraction pipeline runs.
Third-party actorsCreate and edit extraction pipelinesextractionpipelines:writeGives access to create and edit individual pipelines and edit notification settings. Ensure that the pipeline has read access to the data set being used by the extraction pipeline.
Create and edit extraction configurationsextractionconfigs:writeGives access to create and edit the extractor configuration from an extraction pipeline.

Functions

Deploy Python code to CDF and call the code on-demand or schedule the code to run at regular intervals.

Hosted extractors

Job email notifications

Subscribe to email alerts when hosted extractor job status changes.

Cognite Event Hub extractor

Cognite Kafka extractor

Cognite MQTT extractor

Cognite REST extractor

Match entities

Create and tune models to automatically contextualize resources.

On-premises extractors

The service principal used by the on-premises extractors must also be assigned the capabilities listed in the Feature capabilities table.

DB extractor

Extract data from any database supporting Open Database Connectivity (ODBC) drivers.

Documentum extractor

Extract documents from OpenText Documentum or OpenText D2 systems.

EDM extractor

Connect to the Landmark Engineers Data Model server and extract data through the Open Data protocol (OData) from DecisionSpace Integration Server (DSIS) to CDF RAW.

File extractor

Connect to local file systems, SharePoint Online Document libraries, and network sharing protocols, like FTP, FTPS, and SFTP, and extract files into CDF.

OPC classic extractor

OPC UA extractor

Extract time series, events, and asset data via the OPC UA protocol.

OSDU extractor

Connect to the Open Group OSDU™ Data Platform and ingest data into CDF.

PI AF extractor

Extract data from the OSIsoft PI Asset Framework (PI AF).

PI extractor

Extract time series data from the OSISoft PI Data Archive.

PI Replace utility

Re-ingest time series to CDF by optionally deleting a data point time range and ingesting the data points in PI for that time range.

SAP extractor

Extract data from SAP ERP servers into Cognite Data Fusion.

Studio for Petrel extractor

Connect to SLB Studio for Petrel through the Ocean SDK and stream Petrel object data to the CDF files service as protobuf objects.

WITSML extractor

Connect via the Simple Object Access Protocol (SOAP) and the Energistics Transfer Protocol (ETP) and extract data using the Wellsite Information Transfer Standard Markup Language (WITSML) into CDF.

PostgreSQL gateway

Ingest data into CDF using the Cognite PostgreSQL gateway.
If you revoke the capabilities in the CDF group, you also revoke access for the PostgreSQL gateway.

Simulator connectors

Integrate existing simulators with CDF to remotely run simulations.

Simulators users

Set access to the user interface for integrating existing simulators with CDF to remotely run simulations.

Staged data

Work with tables and databases in CDF RAW.

Streamlit apps

Build custom web applications in CDF.

Transform data

Transform data from RAW tables into the CDF data model.
Legacy access to transformations via group nameTo ensure backward compatibility, groups named transformations or jetfire are treated as having both transformations:read:All and transformations:write:All. We’re deprecating this access control method and will remove it in a future release.

Upload 3D models

Upload and work with 3D models, 3D revisions and 3D files.
Last modified on July 15, 2026