An organization is used to group CDF projects and facilitate their management.
An organization holds users, projects, and perhaps other organizations. The organization ID is what the users enter when logging into Cognite apps, such as Cognite Data Fusion. The organization has one IdP configuration, which is used for both interactive login and service account authentication against all projects in the organization.
CDF supports interfacing with external IdPs to manage users and groups. The following vendors are supported:
If a user can log into the external IdP configured for the organization, then they have access to the CDF organization. Which of the organization's projects they have access to, and what they may do inside those projects, is determined by the access settings within each project.
After a user has logged into the organization for the first time, they will be visible in the organization's user list. Users can see each other, which enables them to collaborate on projects.
An organization can have child organizations. The ownership relationship is materialized through the parentId field of the organization resource.
An organization holds CDF projects. The users that are logged into the organization can see all the projects in the organization, but what they can actually do within each project is controlled by the project's access control lists (ACLs) and other access control settings.
An organization has a list of clusters on which it can hold projects. This is the allowedClusters field on the resource.
An organization can have admins, which are identified principals that can perform an extended set of modifications on the organization, such as creating projects, changing who the admins are, and so on.
Admins are identified by the adminGroupId field on the organization resource, which is the ID of a group that is managed in the external IdP.
The different organization API endpoints have different access rules, which are documented under each endpoint. The general rule is that admins of a given organization have control over most aspects of the organization itself and full control of any sub-organizations.
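Because admins of a parent organization also control its sub-organizations, the set of IdP groups that can administer an organization is larger than its own adminGroupId. The following is an added example, not Cognite code, that walks parentId upward to list those groups for an access review. It assumes control applies transitively down the hierarchy; the `id` key and all sample values are constructed, and only parentId and adminGroupId are field names from this page.

```python
# Constructed sample records; only parentId and adminGroupId are field names
# from the page. The "id" key and all values are assumptions for illustration.
ORGS = [
    {"id": "acme", "parentId": None, "adminGroupId": "grp-root-admins"},
    {"id": "acme-emea", "parentId": "acme", "adminGroupId": "grp-emea-admins"},
    {"id": "acme-emea-no", "parentId": "acme-emea", "adminGroupId": None},
    {"id": "acme-labs", "parentId": "acme", "adminGroupId": "grp-labs-admins"},
]


def effective_admin_groups(orgs, org_id):
    """Return the IdP group IDs whose members administer org_id.

    Ordered from the organization itself up to the root: its own
    adminGroupId first, then each ancestor's, on the assumption that
    parent admins have full control of every sub-organization.
    """
    by_id = {o["id"]: o for o in orgs}
    if org_id not in by_id:
        raise KeyError(f"unknown organization: {org_id}")
    groups, seen, current = [], set(), org_id
    while current is not None:
        if current in seen:
            # A loop in parentId would make the walk never terminate.
            raise ValueError(f"parentId cycle detected at {current}")
        seen.add(current)
        org = by_id.get(current)
        if org is None:
            raise ValueError(f"dangling parentId: {current}")
        group = org.get("adminGroupId")
        if group and group not in groups:
            groups.append(group)
        current = org.get("parentId")
    return groups


def audit(orgs):
    """Map every organization ID to its effective admin groups."""
    return {o["id"]: effective_admin_groups(orgs, o["id"]) for o in orgs}


if __name__ == "__main__":
    for org_id, groups in audit(ORGS).items():
        print(f"{org_id}: {', '.join(groups) or '(no admin group)'}")
```

Each group ID in the output is a group managed in the external IdP, so its membership there is what needs reviewing.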
Organizations are global, which means that they are not tied to specific projects or clusters.
API requests against organizations are directed to auth.cognite.com, rather than to a specific cluster and project as for other resources.
Only OAuth tokens issued by https://auth.cognite.com (such as the ones issued when logging into Fusion) are accepted by the organizations API.
It is also possible to obtain a token by initiating a login flow against the authorization server directly. See the "Authorizations" sections for more information.