Assign capabilities
To control access to data and features in Cognite Data Fusion (CDF), you define what capabilities users or applications have to work with different resource types in CDF, for example, if they can read a time series (timeseries:read
) or create a 3D model (3D:create
).
Capabilities also decide which features you have access to. For example, you need the 3d:create
capability to upload 3D models to CDF.
A capability is defined by a resource type, a scope, and actions. The resource type and scope define the data the capability applies to, while the action defines the operations you are allowed to perform.
Instead of assigning capabilities to individual users and applications, you use groups in CDF to define which capabilities the group members (users or applications) should have. You link and synchronize the CDF groups to user groups in your identity provider (IdP), for instance, Microsoft Entra ID (ME-ID)(formerly Azure Active Directory).
For example, if you want users or applications to read, but not write, time series data in CDF, you first create a group in your IdP to add the relevant users and applications. Next, you create a CDF group with the necessary capabilities (timeseries:read
) and link the CDF group and the IdP group.
You can tag sensitive resources with additional security categories for even more fine-grained access control and protection.
This flexibility lets you manage and update your data governance policies quickly and securely. You can continue to manage users and applications in your organization's IdP service outside of CDF.
This article explains how to add capabilities to groups, create and assign security categories. You will also find overviews of the necessary capabilities to access and use different features in CDF.
To configure the IdP integration, you need these capabilities: projects:list
, projects:read
, projects:update
To work with CDF groups, you need: groups:list
, groups:read
, groups:create
, groups:update
, groups:delete
Create a group and add capabilities
-
Navigate to Admin > Groups > Create new group.
-
Enter a unique name for the group.
-
Select Add capabilities.
-
In the Capability type field, select a resource type, such as assets and time series, CDF groups, data sets, or specific functionality.
-
In the Action field, allow for actions on the data, such as
read
,write
orlist
. -
In the Scope field, scope the access to all data or a subset within the selected capability type. The subset differs according to the capability type but always includes all data as an option.
-
-
Select Save.
-
In the Source ID field, enter the Object Id for the ME-ID group exactly as it exists in ME-ID. It will link the CDF group to an Microsoft Entra ID group.
Create and assign security categories
You can add an extra access level for time series and files by tagging resources with security categories via the Cognite API. This is useful if you want to protect market-sensitive data. To access resources tagged with a security category, you must have both the standard capabilities for the resource type and capabilities for the security category.
To access, create, update, and delete security categories, you need these capabilities via a group membership:
securitycategories:create
securitycategories:update
securitycategories:delete
To assign security categories to groups:
- Open the group where you want to add security categories.
- In the Capability type field, select Security categories.
- In the Action field, select
securitycategories:memberof
. - In the Scope field, select Security categories, associate a security category or select All.
To perform actions, such as read
or write
on time series and files tagged with capabilities and security categories:
- You must be a member of a group with actions that give access to a times series or files, for instance,
timeseries:read
. - You must be a member of a group with the
securitycategories:memberof
capability for the same time series or files.
Share data and mention coworkers
You must enable user profiles to let users share data and mention (@name) coworkers. By default, CDF will collect user information, such as name, email, and job title.
We currently support using Microsoft Entra ID to enable CDF user profiles. Learn more about our privacy policy.
All users with any group membership in a CDF project get the userProfilesAcl:READ
capability and can search for other users.
To enable or disable user profiles in CDF:
-
Navigate to Admin > User profiles.
-
Select Enable user profiles and Save.
Feature capabilities
The tables below describe the necessary capabilities to access different CDF features.
In addition to the capabilities listed in the sections below, users and applications need these minimum capabilities to access any feature in CDF.
Capability type | Action | Scope | Description |
---|---|---|---|
Groups | groups:list | Current user, All | Verifies user group access. |
Projects | projects:list | All | Verifies that a user or application has access to a CDF project. To access the resources in the project, see the capabilities listed below. |
Extractors
PI extractor
Extract time series data from the OSISoft PI Data Archive.
Capability type | Action | Scope | Description |
---|---|---|---|
Timeseries | timeseries:read , timeseries:write | Data set, All | Ingest time series |
RAW | raw:read , raw:write , raw:list | Tables, All | Ingest to CDF RAW and for state store configured to use CDF RAW. |
Events | events:read , events:write | Data sets, All | Log extractor incidents as events in CDF. |
Extraction pipeline runs | extractionruns:write | Data sets, Extraction pipelines, All | Allow the extractor to report state and heartbeat back to CDF. |
Remote configuration files | extractionconfigs:write | Data sets, Extraction pipelines, All | Use versioned extractor configuration files stored in the cloud. |
PI AF extractor
Extract data from the OSIsoft PI Asset Framework (PI AF).
Capability type | Action | Scope | Description |
---|---|---|---|
RAW | raw:read , raw:write , raw:list | Tables, All | Ingest to CDF RAW and for state store configured to use CDF RAW. |
Extraction pipeline runs | extractionruns:write | Data sets, Extraction pipelines, All | Allow the extractor to report state and heartbeat back to CDF. |
PI Replace utility
Re-ingest time series to CDF by optionally deleting a data point time range and ingesting the data points in PI for that time range.
Capability type | Action | Scope | Description | |
---|---|---|---|---|
Time series | timeseries:read , timeseries:write | Data sets, All | Re-ingest time series into CDF. | |
RAW | RAW:read , RAW:write , RAW:list | Tables, All | Ingest to CDF RAW and for state store configured to use CDF RAW. | |
Events | events:read , events:write | Data sets, All | Log extractor incidents as events in CDF. |
DB extractor
Extract data from any database supporting Open Database Connectivity (ODBC) drivers.
Capability type | Action | Scope | Description |
---|---|---|---|
RAW | RAW:read , RAW:write , RAW:list | Tables, All | Ingest to CDF RAW and for state store configured to use CDF RAW. |
Extraction pipeline runs | extractionruns:write | Data sets, Extraction pipelines, All | Allow the extractor to report state and heartbeat back to CDF. |
Remote configuration files | extractionconfigs:write | Data sets, Extraction pipelines, All | Use versioned extractor configuration files stored in the cloud. |
OPC UA extractor
Extract time series, events, and asset data via the OPC UA protocol.
Capability type | Action | Scope | Description |
---|---|---|---|
Time series | timeseries:read , timeseries:write | Data sets, All | Ingest time series. |
Assets | assets:read , assets:write | Data sets, All | Use if the configuration parameters raw-metadata or skip-metadata aren't set. |
Events | events:read , events:write | Data sets, All | Ingest events if enabled. |
RAW | RAW:read , RAW:write , RAW:list | Tables, All | Ingest metadata to CDF RAW or the state-store is set to use CDF RAW. |
Relationships | relationsships:read , relationships:write | Data sets, All | Ingest relationships if enabled in the configuration. |
Data sets | data-sets:read | Data sets, All | Ingest the data set external ID if enabled in the configuration. |
Extraction pipeline runs | extractionruns:write | Data sets, Extraction pipelines, All | Allow the extractor to report state and heartbeat back to CDF. |
Remote configuration files | extractionconfigs:write | Data sets, Extraction pipelines, All | Use versioned extractor configuration files stored in the cloud. |
Studio for Petrel extractor
Connect to SLB Studio for Petrel through the Ocean SDK and stream Petrel object data to the CDF files service as protobuf objects.
Capability type | Action | Scope | Description |
---|---|---|---|
Files | files:read , files:write , files:list | Data sets, All | Ingest SLB Studio for Petrel object data into CDF. |
WITSML extractor
Connect via the Simple Object Access Protocol (SOAP) and the Energistics Transfer Protocol (ETP) and extract data using the Wellsite Information Transfer Standard Markup Language (WITSML) into CDF.
Capability type | Action | Scope | Description |
---|---|---|---|
Time series | timeseries:read , timeseries:write , timeseries:list | Data sets, All | Ingest WITSML growing objects, such as WITSML logs, into the CDF time series services. |
Sequences | sequences:read , sequences:write , sequences:list | Data sets, All | Ingest WITSML growing objects, such as WITSML logs, into the CDF sequences services. |
RAW | raw:read , raw:write , and raw:list | Tables, All | Ingest WITSML non-growing objects, such as wellbore , into CDF RAW. |
Extraction pipelines | extractionpipelines:write | Data sets, Extraction pipelines, All | Allow the extractor to report state and heartbeat back to CDF. |
EDM extractor
Connect to the Landmark Engineers Data Model server and extract data through the Open Data protocol (OData) from DecisionSpace Integration Server (DSIS) to CDF RAW.
Capability type | Action | Scope | Description |
---|---|---|---|
RAW | raw:read , raw:write , raw:list | Tables, All | Ingest data from Landmark EDM model into CDF RAW. |
OSDU extractor
Connect to the Open Group OSDU™ Data Platform and ingest data into CDF.
Capability type | Action | Scope | Description |
---|---|---|---|
RAW | raw:read , raw:write , raw:list | Tables, All | Ingest configurable OSDU records, such as wells, wellbores, and well logs. |
Files | files:read , files:write | Data sets, All | Ingest linked data files. |
Extraction pipelines | extractionpipelines:read , extractionpipelines:write | Data sets, Extraction pipelines, All | Create and edit extraction pipelines. |
Extraction pipeline runs | extractionruns:read , extractionruns:write | Data sets, Extraction pipelines, All | Allow the extractor to report state and heartbeat back to CDF. |
Remote configuration files | extractionconfigs:write | Data sets, Extraction pipelines, All | Use versioned extractor configuration files stored in the cloud. |
File extractor
Connect to local file systems, SharePoint Online Document libraries, and network sharing protocols, like FTP, FTPS, and SFTP, and extract files into CDF.
Capability type | Action | Scope | Description |
---|---|---|---|
Files | files:read , files:write | Data sets, All | Ingest files. |
RAW | raw:read , raw:write , raw:list | Tables, All | For state store configured to use CDF RAW. |
Documentum extractor
Extract documents from OpenText Documentum or OpenText D2 systems.
Capability type | Action | Scope | Description |
---|---|---|---|
Files | files:read , files:write | Data sets, All | Ingest files. |
RAW | raw:read , raw:write , raw:list | Tables, All | Ingest metadata to CDF RAW. |
Extraction pipeline runs | extractionruns:write | Data sets, Extraction pipelines, All | Allow the extractor to report state and heartbeat back to CDF. |
Remote configuration files | extractionconfigs:write | Data sets, Extraction pipelines, All | Use versioned extractor configuration files stored in the cloud. |
Simulator connectors
Integrate existing simulators with CDF to remotely run simulations.
Capability type | Action | Scope | Description |
---|---|---|---|
Time series | timeseries:read , timeseries:write | Data sets, All | Use CDF time series as source/destination for simulation data. |
Extraction pipelines | extractionpipelines:read , extractionpipelines:write | Data sets, All | Store the connector configuration remotely. |
Files | files:read | Data sets, All | Download simulation model files. |
Data sets | datasets:read | Data sets, All | View data sets. |
Hosted extractors
Extract data from source systems using Cognite hosted extractors.
Capability type | Action | Scope | Description |
---|---|---|---|
Hosted extractors | hostedextractors:read , hostedextractors:write | All | Monitor and manage hosted extractors. |
Time series | timeseries:read , timeseries:write | Data sets, All | Use CDF time series as destination. |
Events | events:read , events:write | Data sets, All | Use CDF events as destination. |
RAW | raw:read , raw:write , raw:list | Data sets, All | Use CDF RAW as destination. |
Assets | assets:read | Data sets, All | Contextualize time series or events with assets. |
PostgreSQL gateway
Ingest data into CDF using the Cognite PostgreSQL gateway.
Capability type | Action | Scope | Description |
---|---|---|---|
Resource types | read , write | Data sets, All | Add read and write capabilities for the CDF resources you want to ingest data into. For instance, to ingest assets, add assets:read and assets:write . |
If you revoke the capabilities in the CDF group, you also revoke access for the PostgreSQL gateway.
Manage staged data
Work with tables and databases in CDF RAW.
Capability type | Action | Scope | Description |
---|---|---|---|
RAW | RAW:read , RAW:list | Tables, All | View tables and databases in CDF RAW. |
RAW | RAW:write | Tables, All | Create, update, delete tables and databases in CDF RAW. |
Transform data
Transform data from RAW tables into the CDF data model.
Capability type | Action | Scope | Description |
---|---|---|---|
Resource types | read and write actions according to the CDF resources you want to read from and write to using transformations. | Data sets, All | For instance, to transform data in CDF RAW and write data to assets, add RAW:read and assets:write . |
Transformations | transformations:read | All | View transformations. |
Transformations | transformations:write | All | Create, update, delete CDF transformations. |
Session | sessions:create | All | Run scheduled transformations. You must also set the token_url . Read more here. |
To ensure backward compatibility, groups named transformations
or jetfire
are treated as having both transformations:read:All
and transformations:write:All
. We're deprecating this access control method and will remove it in a future release.
Upload 3D models
Upload and work with 3D models, 3D revisions and 3D files.
Capability type | Action | Scope | Description |
---|---|---|---|
3D | 3d:read , file:read | Data sets, All | View 3D models. |
3D | 3d:create , file:read | Data sets, All | Upload 3D models to CDF. |
3D | 3d:update | Data sets, All | Update existing 3D models in CDF. |
3D | 3d:delete | Data sets, All | Delete 3D models. |
Extraction pipelines
Set up and monitor extraction pipelines and report the pipeline run history.
User | Action | Capability | Description |
---|---|---|---|
End-user | Create and edit extraction pipelines | extractionpipelines:write | Gives access to create and edit individual pipelines and edit notification settings. Ensure that the pipeline has read access to the data set being used by the extraction pipeline. |
View extraction pipelines | extractionpipelines:read | Gives access to list and view pipeline metadata. | |
Create and edit extraction configurations | extractionconfigs:write | Gives access to create and edit an extractor configuration in an extraction pipeline. | |
View extraction configurations | extractionconfigs:read | Gives access to view an extractor configuration in an extraction pipeline. | |
View extraction logs | extractionruns:read | Gives access to view run history reported by the extraction pipeline runs. | |
Extractor | Read extraction configurations | extractionconfigs:read | Gives access to read an extractor configuration from an extraction pipeline. |
Post extraction logs | extractionruns:read | Gives access to post run history reported by the extraction pipeline runs. | |
Third-party actors | Create and edit extraction pipelines | extractionpipelines:write | Gives access to create and edit individual pipelines and edit notification settings. Ensure that the pipeline has read access to the data set being used by the extraction pipeline. |
Create and edit extraction configurations | extractionconfigs:write | Gives access to create and edit the extractor configuration from an extraction pipeline. |
Match entities
Create and tune models to automatically contextualize resources.
Capability type | Action | Scope | Description |
---|---|---|---|
Entity matching | entitymatchingAcl:read | All | List and view entity matching models. |
Entity matching | entitymatchingAcl:write | All | Create, update, delete entity matching models. |
Assets | assets:read | Data sets, All | Match entities to assets. |
Interactive engineering diagrams
Find, extract, and match tags on engineering diagrams and link them to an asset hierarchy or other resource types.
Capability type | Action | Scope | Description |
---|---|---|---|
Files | files:read , files:write | Data sets, All | List and extract tags from engineering diagrams. |
Assets | assets:read , assets:write | Data sets, All | Add tags to assets. |
Events | events:read , events:write | Data sets, All | View and create annotations manually or automatically in the engineering diagrams. |
Labels | labels:read , labels:write | Data sets, All | View, approve, and reject tags in the engineering diagrams. |
Document parser
Extract data from documents, such as datasheets, equipment specifications, or process flow diagrams.
Capability type | Action | Scope | Description |
---|---|---|---|
Data models | datamodels:read | Space IDs, All | Start a document parsing job or see the results of completed parsing jobs. |
Data models | datamodels:write | Space IDs, All | Approve the results of completed parsing jobs. The data are saved in a data model instance. |
Files | files:read | Data sets, All | Start a document parsing job or see the results of completed parsing jobs. |
Explore data and Image and video data
Find, validate, and learn about the data you need to build solutions in the Data explorer and Image and video management.
Capability type | Action | Scope | Description |
---|---|---|---|
Resource types | files:read | Data sets, All | All resource types used in the CDF project. |
Annotations | annotations:write | All | Create new/edit existing annotations. |
Data modeling
Create data models and ingest data into them.
Capability type | Action | Scope | Description |
---|---|---|---|
Data models | datamodels:read | All | View data models. |
Data models | datamodels:write | All | Create, update, delete data models. |
Data model instances | datamodelinstances:read | All | View data in data models. |
Data model instances | datamodelinstances:write | All | Create, update, delete data model instances. |
Data workflows
Use data workflows to coordinate interdependent processes.
Capability type | Action | Scope | Description |
---|---|---|---|
Data workflows | workfloworchestration:read | All | View data workflows and triggers. |
Data workflows | workfloworchestration:write | All | Create, update, delete, and run data workflows and triggers. |
Functions
Deploy Python code to CDF and call the code on-demand or schedule the code to run at regular intervals.
Capability type | Action | Scope | Description |
---|---|---|---|
Functions | functions:write | All | Create, call and schedule functions. |
Functions | functions:read | All | Retrieve and list functions, retrieve function responses and function logs. |
Files | files:read | All | View functions. |
Files | files:write | All | Create functions. |
Sessions | sessions:create | All | Call and schedule functions. |
Streamlit apps
Build custom web applications in CDF.
Capability type | Action | Scope | Description |
---|---|---|---|
Files | files:read , files:write | Data sets, All | Edit Streamlit applications. |
Files | files:read | Data sets, All | Use Streamlit applications. |
Canvas
Add assets, engineering diagrams, sensor data, images, and 3D models from your CDF project to a canvas.
The first time you set up a canvas, you must:
-
Grant
datamodels:read
with the scope set to All for admin users. -
Create
IndustrialCanvasInstanceSpace
andCommentInstanceSpace
spaces. If you don't add create these spaces, CDF will prompt you to add these when you open a canvas.
Capability type | Action | Scope | Description |
---|---|---|---|
Data models | datamodels:read | cdf_industrial_canvas , cdf_apps_shared , IndustrialCanvasInstanceSpace , CommentInstanceSpace | View data from data models within IndustrialCanvasInstanceSpace and CommentInstanceSpace . |
Data model instances | datamodelinstances:read | cdf_industrial_canvas , cdf_apps_shared , IndustrialCanvasInstanceSpace , CommentInstanceSpace | View canvases. |
Data model instances | datamodelinstances:write | cdf_industrial_canvas , cdf_apps_shared , IndustrialCanvasInstanceSpace , CommentInstanceSpace | Create, update, delete canvas data. |
Resource types | read actions for the resource types you want to add to canvas | Data sets, All | View asset, events, files, time series, and 3D models |
Files | write | Data sets, All | Add local files on a canvas. This is an optional capability. |
You must set up the CommentInstanceSpace
space and enable user profiles to comment or mention coworkers on a canvas.
Private canvases aren't governed by CDF access management.
Charts
Capability type | Action | Scope | Description |
---|---|---|---|
Assets | assets:read | Data sets, All | Search for assets. |
Time series | timeseries:read | Data sets, All | Search for time series. |
Time series | timeseries:write | Data sets, | Needed to schedule calculations. |
Files | files:read | Data sets, All | Search for files. |
Groups | groups:list | Current user, All | Use calculations in Charts. |
Projects | projects:list | All | Use calculations in Charts. |
Sessions | Sessions:list | All | Needed for monitoring and to schedule calculations. |
Sessions | Sessions:create | All | Needed for monitoring and to schedule calculations. |
Sessions | Sessions:delete | All | Needed for monitoring and to schedule calculations. |
Data sets and Data catalog
Use the Data sets capability type to grant users and applications access to add or edit metadata for data sets.
To add or edit data within a data set, use the relevant resource type capability. For instance, to write time series to a data set, use the Time series capability type. Read more here.
Capability type | Action | Scope | Description |
---|---|---|---|
Data sets | datasets:read | Data sets, All | View data sets. |
Data sets | datasets:write | Data sets, All | Create or edit data sets. |
Configure InField
Set up the InField application.
Capability type | Action | Scope | Description |
---|---|---|---|
Assets | assets:read | Data sets, All | View asset data from the CDF project that InField runs on top of. |
Groups | groups:read | Current user, All | For InField administrators to grant access to users. |
3D | 3d:read | Data sets, All | Upload 3D models to be displayed in InField. |
Files | files:write | Data sets | Allow users to upload images. |
Time series | timeseries:write | Data sets, Time series, Root assets, All | Allow users to upload measurement readings. |
Add the InField admin users to an access group named applications-configuration
. Learn more
Solutions Portal
Set up the Solutions Portal.
Capability type | Action | Scope | Description |
---|---|---|---|
Data sets | data-sets:read , data-sets:write | Data sets, All | For Solution Portal administrators to create data sets for images files (optional). |
Files | files:read , files:write | Data sets, All | For Solution Portal administrators to view and upload images, such as board previews and a company logo. |
Groups | groups:write | All | For Solution Portal administrators to grant access to users. |
Add the Solutions Portal admin users to an access group named dc-system-admin
.
Configure InRobot
Configure access for users
Set up the InRobot application.
Capability type | Action | Scope | Description |
---|---|---|---|
Assets | assets:read | Data sets, All | Find asset tags of equipment the robot works with and view asset data. |
Data models | datamodels:read | Space IDs: APM_Config , cdf_core , cdf_apm , and cdf_apps_shared | View data models. |
Data models instances | datamodelinstances:read | Space IDs: cognite_app_data , cdf_apm , <yourRootLocation_source_data> 1, <yourRootLocation_app_data> 2 | View data in data models. |
Events | events:read | Data sets, All | View events in the canvas. |
Files | files:read , files:write | Data sets, All | Allow users to upload images. |
Groups | groups:read , groups:create , groups:update | Data sets, All | For InRobot administrators to grant access to users. |
3D | 3d:read | Data sets, All | Upload 3D models of maps. |
Projects | projects:read , projects:list | Data sets, All | Extract the projects the user has access to. |
Robotics | robotics:read , robotics:create , robotics:update , robotics:delete | Data sets, All | Control robots and access robotics data. |
Time series | timeseries:read | Data sets, All | Allow users to view measurement readings as time series. |
Configure access for robots
Set up a robot's access for the InRobot application.
Capability type | Action | Scope | Description |
---|---|---|---|
Assets | assets:read | Data sets, All | For the robot to find asset tags of equipment so that the data collected can be connected to the corresponding asset. |
Data models | datamodels:read , datamodels:write | Select Space IDs: APM_Config , cdf_core , cdf_apm , and cdf_apps_shared . Otherwise, All. | For the robot to write the robotics data to the APM data model. |
Data model instances | datamodelinstances:read | Select Space IDs: APM_Config . Otherwise, All. | For the robot to write the robotics data to the APM data model. |
Data model instances | datamodelinstances:read , datamodelinstances:write | Select Space IDs: cognite_app_data , cdf_apm , <yourRootLocation_source_data> 1, <yourRootLocation_app_data> 2. Otherwise, All. | For the robot to write the robotics data to the APM data model. |
Files | files:read | All | For the robot to download robot-specific files, such as maps; read or access uploaded robot data. |
Files | files:write | Robot dataSetID | For the robot to upload the data collected by the robot to CDF. |
Labels | labels:read , labels:write | All | For the robot to label data according to how the data should be processed in CDF. |
Robotics | robotics:read , robotics:create , robotics:update , robotics:delete | Data sets (robot's data set ID) | For the robot to access robotics data. |