Solved

Can data access rights be scoped by other means than datasets?

  • 3 November 2021
  • 4 replies
  • 102 views


What are the alternatives for scoping read/write rights to different users?

Dataset is the most intuitive way of limiting access rights to subsets of data, but if I would like to share data that is scattered across different datasets, but easily identifiable by sharing a common label, are there any options?


Best answer by Leighton Lustig 19 November 2021, 17:00


I would also love to know more about this.

Hi Andreas and others following this question, 

 

Security categories can be used as an alternative to configure access rights for timeseries and files, specifically. Currently, there aren't any alternatives for other resource types. Here’s relevant documentation for security categories, as a starting point: https://docs.cognite.com/dev/guides/iam/authorization.html#security-categories

 

We acknowledge the limitation in current access control functionality and are eager to continue investing in this area. Please share any additional use cases or pain points if you think they are relevant or helpful to the discussion. Thank you!


I think our primary concern is to set up a controlled framework (e.g. from GitLab) that allows for creation of groups, datasets and connect this with AD groups. Is there an API for defining groups? This will make management easier (i.e. new users/projects who want to use the platform define their needs as code and control by admin team is done via approval of merge requests).

Then comes the access to subsets of data in different datasets. The use case is that Statnett as Transmission System Operator (TSO) stores data that belongs to more than a hundred Distribution System Operators (DSOs). DSO data is scattered across datasets. We would like to share data with DSOs, ours and their own raw/processed data, without for instance extracting the data that resides inside different datasets and putting that on separate tenants. We could create datasets for each DSO, but then other use cases that need data from many or all DSOs will become cumbersome.

Hi Andreas, 

Thanks for providing more details. Most of the datasets functionality available in the Fusion UI is also available via API. Re, group management: You are able to list, create and delete groups via the API. (Refer here for documentation.) This excludes group update -- the method for update in the API is to create a new group > add old members > delete old group. 

Re, access control for subsets of datasets: this is an enhancement area that we’ve noted, and I’ll add Statnett’s use case to our product feedback repository. Currently, the workaround is to fragment the dataset; however, we don’t recommend this as it increases complexity and administration.

I hope this answers your questions!

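The group update workaround described in the last answer (create a new group, add old members, delete old group), sketched as an added example that is not part of the original thread and is not Cognite's code. `Group`, `InMemoryGroups`, `replace_group` and the capability strings are constructed stand-ins that expose only list, create and delete; they do not reproduce the real API's signatures.

```python
from dataclasses import dataclass, replace
from itertools import count
from typing import Optional, Tuple


@dataclass(frozen=True)
class Group:  # hypothetical shape, not the Cognite group schema
    name: str
    capabilities: Tuple[str, ...]
    members: Tuple[str, ...] = ()
    id: Optional[int] = None


class InMemoryGroups:
    """Constructed stand-in: list, create and delete only, no update."""

    def __init__(self):
        self._groups, self._ids = {}, count(1)

    def list(self):
        return list(self._groups.values())

    def create(self, group):
        created = replace(group, id=next(self._ids))
        self._groups[created.id] = created
        return created

    def delete(self, group_id):
        del self._groups[group_id]


def replace_group(api, old_id, capabilities):
    """Emulate update: create new group, add old members, delete old group."""
    old = next((g for g in api.list() if g.id == old_id), None)
    if old is None:
        raise LookupError(f"group {old_id} not found")
    new = api.create(Group(old.name, tuple(capabilities), old.members))
    # Delete the old group only after the replacement is confirmed, so a
    # failed or partial create never leaves members without access.
    if new.members != old.members:
        api.delete(new.id)
        raise RuntimeError("members not carried over; old group kept")
    api.delete(old.id)
    return new


if __name__ == "__main__":
    api = InMemoryGroups()
    old = api.create(Group("dso-readers", ("timeseries:read",), ("alice",)))
    print(replace_group(api, old.id, ["timeseries:read", "files:read"]))
```

The replacement group gets a new id, so anything that references the old group id has to be updated in the same change.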