Solved

Access control. Sharing data.

  • 10 November 2023
  • 4 replies
  • 49 views
K
Rank
Userlevel 2
Badge +3

Hi. When setting up CDF we were recommended to use CDF data sets scoped to data sources to control access to data. However, we have use cases where we would like to share a selection of data from a source with external parties. What would be the recommended setup for this? Would we need build an API layer on top of CDF,  to copy data from a source dataset to multiple other datasets for sharing? Or could the security categories feature be used for this?

The person in charge of sharing data in our case will often be a data owner / SME without much coding experience. Is there a way our data owners could move/copy a subset of data from a source dataset to a sharing dataset, or somehow label individual time series or assets in a manner making them accessible to specificaccess groups?

icon

Best answer by Nicholas Gerstle 23 November 2023, 12:04

View original

4 replies

N
Rank

When sharing data for these use cases, would you like to share entire datasets, or subsets of datasets?
Should these external parties have any form of write access, or is it read only?

It’s likely possible to grant read access to different data collections, but this may require utilizing different access control scopes, or restructuring the current datasets.
Access to individual timeseries (and some other resources) can be granted by specifying the timeseries ID in the access grant, for example.
If trying to share part of a dataset, it may be more feasible to divide a dataset into two different datasets, both coming from the same source, but only one of which is shared- this would require potential updates to whatever owns the original dataset and has write access to it.

N
Rank

Security categories are a specific form of negative access grants- files or timeseries with a security category cannot be access unless a user has been granted access to all security categories on the data, as well as access to that resource (reading the file otherwise).

I don’t think it would be a particularly suitable mechanism in this case.

K
Rank
Userlevel 2
Badge +3

Thanks @Nicholas Gerstle. For these use cases the need is only read access.

Dividing into separate datasets might not be feasible when there is a partial overlap between the access need of individual groups. But I was not aware of the possibility to grant access to individual time series. I think this may be the solution I’m looking for. The only issue then would be that we would need to handle this manually - it seems that the Bootstrap CLI tool cannot provide access to individual time series.

 

If I may also provide a feature request, I would have loved if there was a functionality in CDF Data Explorer where our data owners (owners of individual datasets) could select a group of time series (through filtering, search, asset id, ..) and then by the click of a button add these time series to the scope of the timeseries:read capability of selected groups. (The same would be relevant for assets, sequences, and events).

Something like this:

 

N
Rank

Improving the experience on sharing access to data, and the access management experience is definitely an area we know could be improved. I’ve shared this with the relevant product managers as inspiration- thanks for the feedback!



I do know that the bootstrap cli tool has a specific framework for access management, and has raised some feedback on access management capabilities as well.

Reply


Terms & ConditionsCookie Settings