
Manage groups and group membership

Instead of assigning capabilities to individual users and applications, you use groups in Cognite Data Fusion (CDF) to define what capabilities members (users or applications) have to work with different CDF resources.

You can manage group membership in your identity provider (IdP), for instance, in Microsoft Entra ID, or in Cognite Data Fusion, or in a combination of the two.

Tip: For a seamless first-time sign-in for users, we recommend creating a CDF group with capabilities to view and use data and apps. Then, include all user accounts in the group.

Manage group membership in Cognite Data Fusion

To manage group membership for user accounts in Cognite Data Fusion, you can add all authenticated users or individual users to CDF groups. Individual users can only be added after they have signed in to a CDF project.

Groups that have All user accounts as members display first in the Groups overview page.

To manage membership for service accounts, use your identity provider.

Create a group in CDF and add members

  1. Sign in to Cognite Data Fusion as an admin.

  2. In the top menu, select Data management > Manage > Manage access.

  3. On the Access management page, select Groups > Create group.

  4. Enter a Unique name for the group and Add capabilities.

  5. Under Members:

    1. To add all users to the group, select All user accounts.

    Caution: All authenticated users automatically become members of the group and are granted all the capabilities assigned to the group. Make sure that the group has only the minimum required capabilities to access the necessary applications and data.

    2. To add individual users, select List of users and then the users you want to add.

  6. Select Create.

Manage group membership in Microsoft Entra ID

To manage group membership in Entra ID, you link and synchronize CDF groups to user groups in Entra ID (formerly Azure Active Directory).

For example, if you want users or applications to read, but not write, time series data in CDF, you first create a group in Entra ID to add the relevant users and applications. Next, you create a CDF group with the necessary capabilities and then link the CDF group and the Entra ID group.

Step 1: Create a group in Microsoft Entra ID

  1. Make sure that you have already registered the Cognite API and applications in Microsoft Entra ID.

  2. Sign in to the Azure portal as an admin.

  3. If you have access to multiple tenants, in the top menu, use the Directory + subscription filter to select the tenant in which you want to register an application.

  4. Search for and select Microsoft Entra ID.

  5. Under Manage, select Groups > New group.

  6. In the New Group window, select Security as the Group type, enter a Group name, and then select Create.

  7. Select the group to open it, and then copy and make a note of the Object Id.


Step 2: Create a group in CDF and link it to the Microsoft Entra ID group

  1. Sign in to the CDF portal application as an admin.

  2. In the top menu, select Data management > Manage > Manage access.

  3. On the Access management page, select Groups > Create group.

  4. Enter a Unique name for the group and Add capabilities.

  5. In the Source ID field, enter the Object Id of the Microsoft Entra ID (ME-ID) group exactly as it exists in ME-ID. This links the CDF group to the ME-ID group.

  6. Select Create.

Step 3: Add members to the Microsoft Entra ID group

  1. In Microsoft Entra ID, add members (users or applications) to the group.

The members of the Microsoft Entra ID group automatically become members of the linked CDF group with the associated capabilities.
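
An added example (not Cognite's code) that serves both the caution about All user accounts groups and the Source ID step: a short audit over group definitions that flags all-user groups holding more than read access, and Source IDs that are not a well-formed Object Id. The JSON field names, the READ/LIST read-only set, and the sample groups are assumptions constructed for this example.

```python
import json
import re

# Constructed sample data. The field names (name, sourceId, members,
# capabilities/actions) are assumptions for this example, not a confirmed
# export format. The GUIDs are made up.
SAMPLE_GROUPS = json.loads("""
[
  {"name": "all-users-viewer", "members": "allUserAccounts",
   "capabilities": [{"timeSeriesAcl": {"actions": ["READ", "LIST"]}}]},
  {"name": "all-users-editor", "members": "allUserAccounts",
   "capabilities": [{"timeSeriesAcl": {"actions": ["READ", "WRITE"]}}]},
  {"name": "ts-readers", "sourceId": "3f2b8c1e-9a4d-4e7b-8c55-0d1e2f3a4b5c",
   "capabilities": [{"timeSeriesAcl": {"actions": ["READ"]}}]},
  {"name": "ts-writers", "sourceId": " 3f2b8c1e-9a4d-4e7b-8c55 ",
   "capabilities": [{"timeSeriesAcl": {"actions": ["WRITE"]}}]},
  {"name": "orphan", "capabilities": [{"assetsAcl": {"actions": ["READ"]}}]}
]
""")

READ_ONLY = {"READ", "LIST"}  # assumed set of non-modifying actions
GUID = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

def audit_group(group):
    """Return a list of findings for one group definition."""
    findings = []
    source_id = group.get("sourceId")
    members = group.get("members")
    # Every authenticated user inherits these capabilities: keep them minimal.
    if members == "allUserAccounts":
        for cap in group.get("capabilities", []):
            for acl, body in cap.items():
                extra = sorted(set(body.get("actions", [])) - READ_ONLY)
                if extra:
                    findings.append(f"all users granted {acl}: {', '.join(extra)}")
    # The Source ID must match the IdP Object Id exactly (a GUID, no padding).
    if source_id is not None and not GUID.fullmatch(source_id):
        findings.append("sourceId is not a well-formed Object Id")
    if not members and source_id is None:
        findings.append("neither members nor sourceId set")
    return findings

def audit(groups):
    """Map group name -> findings, listing only groups with findings."""
    report = {g["name"]: audit_group(g) for g in groups}
    return {name: f for name, f in report.items() if f}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_GROUPS).items():
        print(f"{name}: {'; '.join(findings)}")
```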