Verify my capabilities

async AsyncCogniteClient.iam.verify_capabilities(
desired_capabilities: Capability | Sequence[Capability] | dict[str, Any] | Sequence[dict[str, Any]] | Group | GroupList | ProjectCapability | ProjectCapabilityList,
) → list[Capability]

Helper method to compare your current capabilities with a set of desired capabilities and return any that are missing.

Parameters:

desired_capabilities (ComparableCapability) – List of desired capabilities to check against your existing capabilities.

Returns:

A flattened list of the missing capabilities, meaning they each have exactly 1 action, 1 scope, 1 id etc.

Return type:

list[Capability]

Examples

Ensure that the user’s credentials have access to read and write assets in all scopes, and to write events scoped to a specific dataset with id=123:

>>> from cognite.client import CogniteClient
>>> from cognite.client.data_classes.capabilities import AssetsAcl, EventsAcl
>>> client = CogniteClient()
>>> # async_client = AsyncCogniteClient()  # another option
>>> to_check = [
...     AssetsAcl(
...         actions=[AssetsAcl.Action.Read, AssetsAcl.Action.Write],
...         scope=AssetsAcl.Scope.All(),
...     ),
...     EventsAcl(
...         actions=[EventsAcl.Action.Write],
...         scope=EventsAcl.Scope.DataSet([123]),
...     ),
... ]
>>> if missing := client.iam.verify_capabilities(to_check):
...     pass  # do something

Capabilities can also be passed as dictionaries:

>>> to_check = [
...     {"assetsAcl": {"actions": ["READ", "WRITE"], "scope": {"all": {}}}},
...     {"eventsAcl": {"actions": ["WRITE"], "scope": {"datasetScope": {"ids": [123]}}}},
... ]
>>> missing = client.iam.verify_capabilities(to_check)

You may also load capabilities from a dict representation directly into ACLs (access-control lists) by using Capability.load. This also ensures that the capabilities are valid.

>>> from cognite.client.data_classes.capabilities import Capability
>>> acls = [Capability.load(cap) for cap in to_check]
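What the "flattened" return value means for the dictionary form shown above, as an added offline illustration: this is not the SDK's implementation and does not call the API. The names `flatten`, `missing_capabilities`, `require` and the `GRANTED` sample are hypothetical, and the rule that an `all`-scoped grant covers narrower scopes is an assumption of this model.

```python
from itertools import product

# Constructed sample: what the current credentials hold (not real project data).
GRANTED = [
    {"assetsAcl": {"actions": ["READ"], "scope": {"all": {}}}},
    {"eventsAcl": {"actions": ["WRITE"], "scope": {"datasetScope": {"ids": [123, 456]}}}},
]
# The desired capabilities, in the dictionary form used on this page.
TO_CHECK = [
    {"assetsAcl": {"actions": ["READ", "WRITE"], "scope": {"all": {}}}},
    {"eventsAcl": {"actions": ["WRITE"], "scope": {"datasetScope": {"ids": [123]}}}},
]

def flatten(capabilities):
    """Expand each capability into (acl, action, scope, id) units."""
    flat = set()
    for cap in capabilities:
        for acl, body in cap.items():
            for scope, scope_body in body["scope"].items():
                # Scopes without ids (such as "all") count as one unit, id=None.
                ids = scope_body.get("ids") or [None]
                for action, id_ in product(body["actions"], ids):
                    flat.add((acl, action, scope, id_))
    return flat

def missing_capabilities(granted, desired):
    """Return the flattened desired units not covered by the granted ones."""
    have = flatten(granted)

    def covered(unit):
        acl, action, _, _ = unit
        # Assumption of this model: an "all"-scoped grant covers narrower scopes.
        return unit in have or (acl, action, "all", None) in have

    return sorted((u for u in flatten(desired) if not covered(u)), key=str)

def require(granted, desired):
    """Fail closed: refuse to continue when anything is missing."""
    missing = missing_capabilities(granted, desired)
    if missing:
        raise PermissionError(f"missing capabilities: {missing}")

if __name__ == "__main__":
    print(missing_capabilities(GRANTED, TO_CHECK))
```

Calling a check like `require` before a job starts keeps a permission gap from surfacing halfway through a write.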