Planned for development

Cognite Function unscoped access to trigger function

  • February 4, 2025
  • 2 replies
  • 45 views

Markus Pettersen
MVP ⭐️⭐️⭐️⭐️⭐️

Hi,

At the moment, access to Cognite Functions is all or nothing, with no option for granularity. Is there a plan to add more granular access to Functions?

Ideally, giving a user access to a Function should not mean they immediately have access to all functions. A bad scenario, and I wish this was hypothetical: a user having write access to one Function means that the user has delete access to all functions. I will let you speculate as to what happened, but this is not good.

I would expect some kind of scoping to data sets and/or space/data models in the future.

 

Regards
Markus Pettersen
Aker BP - CDF Data Delivery - Tech Lead

2 replies

Mithila Jayalath
Expert ⭐️⭐️⭐️⭐️
  • February 4, 2025

@Markus Pettersen I checked with the engineering team regarding this and there are no plans at the moment. I’ll convert this question to a product idea and you will hear back from the product team when there is an update on this.


rajkamalsarma
Practitioner ⭐️⭐️⭐️
  • April 22, 2026

 

🚀 Granular Access Control for Cognite Functions is Here!

We are excited to announce that the functions:run capability is now officially live! This update provides the granular layer of security and flexibility needed to manage your Cognite Functions at scale.

What’s New?

Previously, permissions were broader, requiring higher-level access (write) to execute functions. With the introduction of the specific run capability, you can now implement the principle of least privilege across your organization:

  • Secure your CI/CD: Restrict functions:write exclusively to function developers. This ensures that only authorized pipelines can create, update, or delete code.
  • Empower your Users: Grant data consumers and analysts functions:read and functions:run. This allows them to discover and execute existing functions and view results without the risk of accidental deletions or unauthorized code changes.

Capability Breakdown

Here is how you can now structure your CDF Groups:

  • Function Developers: functions:read, functions:write
  • Consumers/Analysts: functions:read, functions:run

Why this matters

This update is a step towards improving governance. By decoupling the ability to deploy from the ability to execute, you can safely open up your library of industrial functions to a wider audience while maintaining a "locked-down" production environment.

Get Started

You can start configuring these permissions today in the Access Management tab of your CDF project.

Next Steps

We are planning to further improve the governance of functions by enabling the ability to scope access to specific sets of functions grouped together. This will help enterprises manage the access to their resources better.
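
One way to check existing CDF groups against the developer/consumer split described in the announcement above. This is an added example, not code from the thread or from Cognite; it assumes the new capability appears as a `RUN` action on `functionsAcl` in the groups JSON format, and the group names and allowlist are constructed.

```python
# Audit CDF group definitions for least-privilege use of Cognite Functions.
# Assumptions: capabilities use the groups JSON shape
# {"functionsAcl": {"actions": [...], "scope": {...}}} and functions:run is
# expressed as the action "RUN". All group names are constructed sample data.

ALLOWED_WRITERS = {"function-developers", "cicd-deployer"}  # hypothetical allowlist


def functions_actions(group):
    """Return the set of functionsAcl actions a group holds, upper-cased."""
    actions = set()
    for cap in group.get("capabilities", []):
        acl = cap.get("functionsAcl")
        if acl:
            actions.update(a.upper() for a in acl.get("actions", []))
    return actions


def audit_groups(groups, allowed_writers=ALLOWED_WRITERS):
    """Return (group name, finding) pairs for groups that break the split."""
    findings = []
    for group in groups:
        name, actions = group["name"], functions_actions(group)
        # functions:write is unscoped: it covers create, update and delete
        # for every function in the project, so only deployers should hold it.
        if "WRITE" in actions and name not in allowed_writers:
            findings.append((name, "functions:write outside developer allowlist"))
        # Consumers are meant to get read + run together.
        if "RUN" in actions and "READ" not in actions:
            findings.append((name, "functions:run without functions:read"))
    return findings


def _acl(*actions):
    return {"functionsAcl": {"actions": list(actions), "scope": {"all": {}}}}


SAMPLE_GROUPS = [  # constructed input
    {"name": "function-developers", "capabilities": [_acl("READ", "WRITE")]},
    {"name": "analysts", "capabilities": [_acl("READ", "RUN")]},
    # Pre-change pattern: write granted only so users could execute functions.
    {"name": "legacy-analysts", "capabilities": [
        {"timeSeriesAcl": {"actions": ["READ"], "scope": {"all": {}}}},
        _acl("READ", "WRITE")]},
    {"name": "dashboard-runner", "capabilities": [_acl("RUN")]},
]

if __name__ == "__main__":
    for name, finding in audit_groups(SAMPLE_GROUPS):
        print(f"{name}: {finding}")
```

Groups flagged for functions:write are the ones to migrate to read plus run once the capability is available in the project.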