Register local applications
In the previous units, we've talked about users as identities and touched on how a global application like Cognite Data Fusion (CDF) creates a service principal identity in Microsoft Entra ID (formerly Azure Active Directory). We've also mentioned that extractors or Python apps that run for a long time should have their own identity rather than use a user's identity. What, then, about applications that have been developed for one specific organization?
Any application or client that you want to connect to only one specific organization's Microsoft Entra ID (ME-ID) follows the same pattern: create a new app registration that is specific to that organization's ME-ID (not a global or federated one).
To create a local (ME-ID-specific) app registration, you need the following in place:
- The ME-ID instance needs to trust the CDF cluster.
- The CDF project needs to trust the ME-ID instance.
- The ME-ID users need to belong to a group that matches a group in the CDF project.
The final thing you need is the identity of the client or application that will connect to CDF. This is a service principal identity, often referred to as an app registration. For CDF itself and other globally shared applications, you can reuse a global app registration.
For organization-specific apps, scripts, extractors, and even dashboard tools like Grafana and PlotlyDash, however, you need a local app registration in the organization's ME-ID.
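As an added example (not code from the page or from Cognite), the snippet below shows what a long-running extractor sends when it authenticates with its own local app registration, and a claims check that maps a returned token back to the three trust relationships above. All identifiers are placeholders, the cluster URL form `https://{cluster}.cognitedata.com`, the `groups` claim being emitted, and the token's `aud` being the cluster URL are assumptions, and the check reads claims only; signature verification is CDF's job.

```python
import base64
import json

# Placeholder identifiers (constructed for this example, not from the page).
TENANT_ID = "00000000-0000-0000-0000-000000000000"  # the organization's ME-ID instance
CDF_CLUSTER = "api"                                 # CDF cluster name; URL form is an assumption
CLIENT_ID = "11111111-1111-1111-1111-111111111111"  # the local app registration
CDF_GROUP_SOURCE_ID = "22222222-2222-2222-2222-222222222222"  # ME-ID group mapped to a CDF group

def client_credentials_request(tenant_id, client_id, client_secret, cluster):
    """Token request an extractor sends using its own app registration (client credentials grant)."""
    token_url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"https://{cluster}.cognitedata.com/.default",  # the CDF cluster the ME-ID trusts
    }
    return token_url, body

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def check_token_trust(access_token, tenant_id, cluster, client_id, required_group):
    """Troubleshooting check of claims only; CDF verifies the signature, this code does not."""
    claims = json.loads(_b64url_decode(access_token.split(".")[1]))
    problems = []
    if claims.get("tid") != tenant_id:
        problems.append("tid: not issued by the organization's ME-ID instance")
    if claims.get("aud") != f"https://{cluster}.cognitedata.com":
        problems.append("aud: not issued for the CDF cluster")
    if claims.get("appid", claims.get("azp")) != client_id:  # v1 tokens carry appid, v2 carry azp
        problems.append("appid/azp: not the local app registration")
    if required_group not in claims.get("groups", []):  # groups claim must be enabled on the registration
        problems.append("groups: no group that maps to a CDF group")
    return problems

def sample_token(claims):
    """Constructed, unsigned token in JWT layout, only for exercising check_token_trust."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

GOOD_TOKEN = sample_token({"tid": TENANT_ID, "aud": f"https://{CDF_CLUSTER}.cognitedata.com",
                           "appid": CLIENT_ID, "groups": [CDF_GROUP_SOURCE_ID]})
```

Each item in the returned list names the trust relationship that is missing, which is usually enough to tell whether the problem is the ME-ID instance, the cluster, the app registration, or the group mapping.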
Think about the hotel room analogy. For the janitor to access your room:
- The lock needs to trust the hotel security system.
- The hotel security system needs to trust the locks.
- The janitor needs an "app registration" (or identity) in the hotel security system.
- Your identity needs to be in the hotel security system with registered "group access" to the hotel room.
All of these things need to be in place before you can grant the janitor access to the room for a limited period.