Salt la conținutul principal

Manage groups and group membership

Instead of assigning capabilities to individual users and applications, you use groups in Cognite Data Fusion (CDF) to define what capabilities members (users or applications) have to work with different CDF resources.

You can manage CDF group membership from your identity provider - Microsoft Entra ID

Step 1: Create a group in Microsoft Entra ID

  1. Sign it to your Azure portal > Search for and select Microsoft Entra ID.

  2. Under Manage, select Groups > New group.

  3. In the New Group window, select Security as the Group type, enter a Group name, and then select Create.

    Create group
  4. Select the group to open it, add members - users or service accounts, to the group (service accounts are called applications)

  5. Copy and make a note of the Object Id.

Copy Object Id
  1. Sign in as an admin and navigate to Admin > Groups > Create group.

  2. Enter a Unique name for the group and Add capabilities.

  3. In Members select Externally managed, and in the Source ID field, enter the Object Id for the Microsoft Entra ID (ME_ID) group exactly as it exists in ME-ID. It will link the CDF group to an Azure AD group.

    Create new group with link to AAD group object ID
  4. In the Application (Client) ID dropdown, select the existing or create a new Application (Client) ID to link groups to specific applications to improve query efficiency. Application (Client) ID is a unique public identifier for an application registered with an authorization server. You can set more than one Application (Client) ID for a group.


When users make a query to CDF, their Effective Access (EA) is determined by the union of all capabilities and scopes from the groups they're members of. When users make a query from an application, only the groups linked to that application are considered for EA.

NOTE

This feature is currently supported only for CDF organizations configured with Microsoft Entra ID as their identity provider (IdP).

Caution

If a group isn't linked to any application and the user is a member of that group, the group is considered for all queries, regardless of the application used.


If a service account is a member of a group, and the group is linked to an Application (Client) ID different from the service account's client ID, the group is ignored.

  1. Select Create. The members of the Microsoft Entra ID group automatically become members of the linked CDF group with the associated capabilities.