
We are currently migrating to OIDC where we need to give access through access groups linked to Azure AD.

On our Statnett cluster it seems that a user needs to explicitly be member of a group “transformations” in order to to delete (or edit) a transformation.

The admin group has the capabilities (on “test”)

[{'transformationsAcl': {'actions': ['READ', 'WRITE'], 'scope': {'all': {}}}}]

But we need to log in with the legacy login (without OIDC) and have a service account linked explicitly to the group “transformations” in order to delete a transformation. The group “transformations” has no capabilities set.

I have tried both Fusion and the API/python-SDK (read is possible):

CogniteAPIError: Transformation not found. This may also be due to insufficient access rights. | code: 403 | X-Request-ID: b7c0beb6-d3e0-9ec4-ba50-895533ac1996

Hi! Can you share the transformation ID and project name?

Please make sure that the group, which the service principal (app registration for the credentials used) and you are a part of, has transformationsAcl:WRITE in it. Delete requires write capability. Capabilities are available in both legacy and OIDC flows. 

You can also map the AAD group that has you and service principal in its members to a cdf group named “transformations” but we recommend using capabilities instead.


Hi.

On the project “test”, there is a transformation: id:40, external_id:transformations_test.

I am a member of a group “IT-Rolle-CDF-Test-Admin” (which syncs to Azure AD) with the capabilities transformationsAcl:[READ,WRITE].

I am able to create a new transformation both on legacy login and OIDC, meaning that the WRITE capability is available, but my service account needs to explicitly have access to the group “transformations” in order to delete or edit a transformation.

The group “transformations” is empty without any Source ID or capabilities.


That is very interesting because transformations group is translated to transformations:read+transformations:write capabilities before entering any endpoint. They should work the same. 


Asking more questions to understand where to check:

  • You can create a transformation using Fusion or the SDK, right (asking this first in case you are doing it using the old Jetfire CLI, which uses our old API that does not have capabilities available)? But you cannot delete/update using Fusion/CLI.
  • Do you have datasets scoping on your capabilities or is it read/write for all scope? 
  • “The group transformations is empty without any Source ID or capabilities.” goes for legacy, right?
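An offline check, added here as an example (it is not from the thread and not the Cognite SDK), that encodes the rules stated in these replies: a legacy group literally named “transformations” is expanded to transformationsAcl READ+WRITE on all scope, and delete requires WRITE. The capability shape follows the original poster's dict; the `datasetScope: {ids: [...]}` form is my assumption.

```python
# Added example, not code from the thread or the Cognite SDK.
# Assumed capability shape: {'transformationsAcl': {'actions': [...], 'scope': {...}}}
# Assumed data-set scope shape: {'datasetScope': {'ids': [...]}}

LEGACY_GROUP = "transformations"  # legacy group name translated to read+write


def effective_capabilities(groups):
    """Flatten group memberships into capability dicts.

    A group named "transformations" is expanded to transformationsAcl
    READ+WRITE on all scope, as the reply above describes.
    """
    caps = []
    for group in groups:
        if group.get("name") == LEGACY_GROUP:
            caps.append({"transformationsAcl": {"actions": ["READ", "WRITE"],
                                                "scope": {"all": {}}}})
        caps.extend(group.get("capabilities", []))
    return caps


def can_act_on_transformation(groups, action, data_set_id=None):
    """True if some transformationsAcl grants `action` for a transformation
    (optionally bound to data_set_id). Delete and update need WRITE."""
    for cap in effective_capabilities(groups):
        acl = cap.get("transformationsAcl")
        if not acl or action not in acl.get("actions", []):
            continue
        scope = acl.get("scope", {})
        if "all" in scope:
            return True
        ids = scope.get("datasetScope", {}).get("ids", [])
        if data_set_id is not None and data_set_id in ids:
            return True
    return False


# Constructed samples mirroring the thread: an AAD-synced admin group with
# READ+WRITE on all scope, a read-only group, and an empty legacy group.
ADMIN_GROUPS = [{"name": "IT-Rolle-CDF-Test-Admin",
                 "capabilities": [{"transformationsAcl": {
                     "actions": ["READ", "WRITE"], "scope": {"all": {}}}}]}]
READ_ONLY_GROUPS = [{"name": "readers",
                     "capabilities": [{"transformationsAcl": {
                         "actions": ["READ"], "scope": {"all": {}}}}]}]
EMPTY_LEGACY_GROUPS = [{"name": "transformations", "capabilities": []}]
```

If this check grants WRITE for the memberships in question but the API still answers 403, capabilities are not the cause and the problem lies elsewhere.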

  1. Creating the transformation in Fusion, both in OIDC and legacy login. Have not tried in the SDK. I can only delete it if I use legacy login with the group “transformations” added.
  2. No dataset scoping on the transformation capabilities.
  3. Yes, the group “transformations” is completely empty.

If I remove the WRITE capability on the AAD group in OIDC I get the error message in Fusion: “Subject does not have 'WRITE' action in this project.”, while if I have it there is a different error message: “Transformation not found. This may also be due to insufficient access rights.”


I also tried deleting the “transformations” group, which made no difference.


Is it public or private? If private, there may be inconsistencies when you try to view/update/delete a transformation created on legacy login, while using new login (or vice versa). It is because OIDC login flow identifies a different user name for owner of transformation than the legacy. If private, I would suggest making it public and see if it fixes the problem.



They seem to be public. But note that the UI is different between the login versions:

OIDC:

legacy:


On OIDC I cannot see “Owner” and “Access” and “make private”. Is this related? 



Hi Anders,

 

Thanks for creating the Support ticket for this issue. It looks like a bug. As you know, we’re already in touch with our engineering team about it, and we’ll get back to you via the Support ticket you created 🙂  

 

Have a nice day!

