Hi all, looking for guidance on two issues we hit with CDF related to timeseries visibility and datamodel queries.403 error leaking timeseries externalIds:when a user without access requests a timeseries resource, a 403 error is returned as expected, but the error body contains the externalIds of the timeseries. Those externalIds are sensitive and should not be exposed to users who don’t have access.Is it expected behavior that externalIds are included in 403 error messages? If not, is there a setting / configuration / log-level that controls whether identifiers are returned in errors? Any recommended mitigation or planned fix? Datamodel query returns datapoints from unauthorized timeseriesSetup: Created dataset_1 and dataset_2 Created two timeseries, TS_A in dataset_1 and TS_B in dataset_2 Attached both TS_A and TS_B to a datamodel Granted the user only timeseries:READ scope:dataset_2 (so they should see TS_B only) Observed behavior: querying the datamodel returns datapoints for TS_A (dataset_1) and TS_B (dataset_2) even though the user only has dataset_2 timeseries:READ Questions: Shouldn’t datamodel queries respect dataset scoped timeseries permissions and only surface datapoints from accessible timeseries? Any recommended best practices or configuration to enforce dataset scoped enforcement when datamodels reference timeseries across datasets? Thanks!

Question

Security/permissions: 403 exposing timeseries externalIds and datamodel returning datapoints from unauthorized timeseries

Forum|Forum|1 month ago
October 29, 2025
4 replies
95 views

S

Soumaya ZAMMIT
Active

Hi all,

looking for guidance on two issues we hit with CDF related to timeseries visibility and datamodel queries.

403 error leaking timeseries externalIds:

when a user without access requests a timeseries resource, a 403 error is returned as expected, but the error body contains the externalIds of the timeseries. Those externalIds are sensitive and should not be exposed to users who don’t have access.

Is it expected behavior that externalIds are included in 403 error messages? If not, is there a setting / configuration / log-level that controls whether identifiers are returned in errors? Any recommended mitigation or planned fix?

Datamodel query returns datapoints from unauthorized timeseries

Setup:
- Created dataset_1 and dataset_2
- Created two timeseries, TS_A in dataset_1 and TS_B in dataset_2
- Attached both TS_A and TS_B to a datamodel
- Granted the user only timeseries:READ scope:dataset_2 (so they should see TS_B only)
Observed behavior: querying the datamodel returns datapoints for TS_A (dataset_1) and TS_B (dataset_2) even though the user only has dataset_2 timeseries:READ
Questions:
- Shouldn’t datamodel queries respect dataset scoped timeseries permissions and only surface datapoints from accessible timeseries?
- Any recommended best practices or configuration to enforce dataset scoped enforcement when datamodels reference timeseries across datasets?

Thanks!

+8

Mithila Jayalath
Seasoned Practitioner
Forum|Forum|1 month ago
October 29, 2025

@Soumaya ZAMMIT I will check on this with the engineering team and get back to you with an update.

S

Like

Everton Colling
Seasoned Practitioner
Forum|Forum|1 month ago
October 29, 2025

Hi @Soumaya ZAMMIT !

I can provide some clarity on both points.

1. ExternalIds in 403 error messages

What you're observing is the current intended behavior. Our API is designed to distinguish between a resource that doesn't exist and a resource that exists but you don't have permission to access. Including the identifier in the 403 error is part of how the API confirms which specific resource access was denied for.

We understand your concern about exposing externalIds that you consider sensitive, but changing this behavior now would be a significant breaking change for many existing applications that rely on this error structure for their logic.

However, we can transform this request into a Product Idea here in the Hub. If it gathers enough interest across our customers, we can investigate potential future changes.

2. Data model queries and Time series permissions

This is also the expected behavior, and it relates on how access control is designed to work with Data Models.

When you query a resource directly, like a time series, permissions are checked against that specific resource (e.g., its dataset). However, when you query a data model, the access control check is performed on the data model instance itself, not on the individual time series linked to it. When managing CogniteTimeSeries (representation of Time series in a data model), you should not rely on datasets but instead use spaces for access control.

You can read more about access control for CogniteTimeSeries here: https://docs.cognite.com/cdf/dm/dm_guides/dm_integrate_with_time_series/#access-control

S

Like

S

Soumaya ZAMMIT
Author
Active
Forum|Forum|1 month ago
October 30, 2025

Thanks for the helpful explanations @Everton Colling !

Could you please provide migration suggestions for existing data models that reference sensitive timeseries, specifically showing how to enforce group-based access controls for those sensitive data?

Like

Everton Colling
Seasoned Practitioner
Forum|Forum|1 month ago
October 30, 2025

I suggest reaching out to your Cognite account manager for guidance on this topic, as this would require careful evaluation on your specific solution architecture and potential migration paths.

S

Like

Sign up

Welcome to the HUB

Scanning file for viruses.

This file cannot be downloaded