Identity and access management

Tokens

Inspect the token currently used by the client

TokenAPI.inspect() → cognite.client.data_classes.iam.TokenInspection

Inspect a token.

Get details about which projects it belongs to and which capabilities are granted to it.

Returns: The object with token inspection details.
Return type: TokenInspection

Example

Inspect token:

>>> from cognite.client import CogniteClient
>>> c = CogniteClient()
>>> res = c.iam.token.inspect()

Groups

List groups

GroupsAPI.list(all: bool = False) → cognite.client.data_classes.iam.GroupList

List groups.

Parameters: all (bool) – Whether to get all groups, only available with the groups:list acl.
Returns: List of groups.
Return type: GroupList

Example

List groups:

>>> from cognite.client import CogniteClient
>>> c = CogniteClient()
>>> res = c.iam.groups.list()

Create groups

GroupsAPI.create(group: Union[cognite.client.data_classes.iam.Group, Sequence[cognite.client.data_classes.iam.Group]]) → Union[cognite.client.data_classes.iam.Group, cognite.client.data_classes.iam.GroupList]

Create one or more groups.

Parameters: group (Union[Group, Sequence[Group]]) – Group or list of groups to create.
Returns: The created group(s).
Return type: Union[Group, GroupList]

Example

Create group:

>>> from cognite.client import CogniteClient
>>> from cognite.client.data_classes import Group
>>> c = CogniteClient()
>>> my_capabilities = [{"groupsAcl": {"actions": ["LIST"],"scope": {"all": { }}}}]
>>> my_group = Group(name="My Group", capabilities=my_capabilities)
>>> res = c.iam.groups.create(my_group)
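
A least-privilege check over the capability format shown above, as an added example that is not part of the SDK or its documentation. It works on plain capability dictionaries such as `Group.capabilities` or the `capabilities` returned by `c.iam.token.inspect()`. The `SENSITIVE_ACTIONS` set, the `exampleAcl`/`exampleScope` names and the sample data are assumptions made for illustration.

```python
from typing import Any, Dict, List

# Actions treated as sensitive in this sketch (an assumption, not an SDK list).
SENSITIVE_ACTIONS = {"CREATE", "UPDATE", "DELETE", "WRITE", "OWNER"}


def find_broad_grants(capabilities: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return one finding per ACL whose scope is "all" (project-wide)."""
    findings = []
    for capability in capabilities:
        for acl_name, acl in capability.items():
            # Skip sibling keys that are not ACL bodies (no "actions" list).
            if not isinstance(acl, dict) or "actions" not in acl:
                continue
            scope = acl.get("scope") or {}
            if "all" not in scope:
                continue  # narrowed to specific resources, not flagged here
            actions = sorted(str(a).upper() for a in acl["actions"])
            risky = [a for a in actions if a in SENSITIVE_ACTIONS]
            findings.append({
                "acl": acl_name,
                "actions": actions,
                "severity": "high" if risky else "review",
            })
    return findings


# Constructed sample in the shape used by the "Create group" example.
# "exampleAcl" and "exampleScope" are hypothetical names.
SAMPLE_CAPABILITIES = [
    {"groupsAcl": {"actions": ["LIST"], "scope": {"all": {}}}},
    {"groupsAcl": {"actions": ["CREATE", "DELETE"], "scope": {"all": {}}}},
    {"exampleAcl": {"actions": ["READ"], "scope": {"exampleScope": {"ids": [1]}}}},
]

if __name__ == "__main__":
    for finding in find_broad_grants(SAMPLE_CAPABILITIES):
        print(finding)
```

Run it over every group returned by `c.iam.groups.list(all=True)` to review project-wide grants before they reach a token.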

Delete groups

GroupsAPI.delete(id: Union[int, Sequence[int]]) → None

Delete one or more groups.

Parameters: id (Union[int, Sequence[int]]) – ID or list of IDs of groups to delete.
Returns: None

Example

Delete group:

>>> from cognite.client import CogniteClient
>>> c = CogniteClient()
>>> c.iam.groups.delete(1)

Security categories

List security categories

SecurityCategoriesAPI.list(limit: int = 25) → cognite.client.data_classes.iam.SecurityCategoryList

List security categories.

Parameters: limit (int) – Max number of security categories to return. Defaults to 25.
Returns: List of security categories.
Return type: SecurityCategoryList

Example

List security categories:

>>> from cognite.client import CogniteClient
>>> c = CogniteClient()
>>> res = c.iam.security_categories.list()

Create security categories

SecurityCategoriesAPI.create(security_category: Union[cognite.client.data_classes.iam.SecurityCategory, Sequence[cognite.client.data_classes.iam.SecurityCategory]]) → Union[cognite.client.data_classes.iam.SecurityCategory, cognite.client.data_classes.iam.SecurityCategoryList]

Create one or more security categories.

Parameters: security_category (Union[SecurityCategory, Sequence[SecurityCategory]]) – Security category or list of categories to create.
Returns: The created security category or categories.
Return type: Union[SecurityCategory, SecurityCategoryList]

Example

Create security category:

>>> from cognite.client import CogniteClient
>>> from cognite.client.data_classes import SecurityCategory
>>> c = CogniteClient()
>>> my_category = SecurityCategory(name="My Category")
>>> res = c.iam.security_categories.create(my_category)

Delete security categories

SecurityCategoriesAPI.delete(id: Union[int, Sequence[int]]) → None

Delete one or more security categories.

Parameters: id (Union[int, Sequence[int]]) – ID or list of IDs of security categories to delete.
Returns: None

Example

Delete security category:

>>> from cognite.client import CogniteClient
>>> c = CogniteClient()
>>> c.iam.security_categories.delete(1)

Sessions

List sessions

SessionsAPI.list(status: Optional[str] = None) → cognite.client.data_classes.iam.SessionList

List all sessions in the current project.

Parameters: status (Optional[str]) – If given, only sessions with the given status are returned.
Returns: A list of sessions in the current project.
Return type: SessionList

Create a session

SessionsAPI.create(client_credentials: Optional[cognite.client.data_classes.iam.ClientCredentials] = None) → cognite.client.data_classes.iam.CreatedSession

Create a session.

Parameters: client_credentials (Optional[ClientCredentials]) – The client credentials to create the session. If set to None, a session will be created using the credentials used to instantiate this CogniteClient object. If that was done using a token, a session will be created using token exchange. Similarly, if the credentials were client credentials, a session will be created using client credentials. This method does not work when using client certificates (not supported server-side).
Returns: The object with session creation details.
Return type: CreatedSession

Revoke a session

SessionsAPI.revoke(id: Union[int, Sequence[int]]) → cognite.client.data_classes.iam.SessionList

Revoke access to a session. Revocation of a session may in some cases take up to 1 hour to take effect.

Parameters: id (Union[int, Sequence[int]]) – ID or list of session IDs.
Returns: List of revoked sessions. If the user does not have the sessionsAcl:LIST capability, then only the session IDs will be present in the response.
Return type: SessionList
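
A session clean-up routine built on the list and revoke calls above, as an added example that is not part of the SDK or its documentation. It takes any object with `list(status=...)` and `revoke(id=...)`, such as `c.iam.sessions`, and reports how long revoked sessions should still be treated as usable given the one-hour revocation delay. `FakeSessionsAPI`, `demo`, the age threshold and the timestamps are constructed for illustration.

```python
from types import SimpleNamespace
from typing import Any, Dict, List, Optional

REVOCATION_LAG_MS = 60 * 60 * 1000  # revocation "may take up to 1 hour" to take effect


def revoke_stale_sessions(sessions_api: Any, max_age_ms: int, now_ms: int,
                          status: Optional[str] = None) -> Dict[str, Any]:
    """Revoke unexpired sessions created more than max_age_ms before now_ms.

    sessions_api is duck-typed: any object with list(status=...) and
    revoke(id=...), for example c.iam.sessions on a CogniteClient.
    """
    stale: List[int] = []
    for session in sessions_api.list(status=status):
        if session.creation_time is None:
            continue  # age unknown, leave for manual review
        expired = (session.expiration_time is not None
                   and session.expiration_time <= now_ms)
        if not expired and now_ms - session.creation_time > max_age_ms:
            stale.append(session.id)
    if stale:
        sessions_api.revoke(id=stale)
    # Until this time, treat revoked sessions as possibly still usable.
    usable_until = now_ms + REVOCATION_LAG_MS if stale else None
    return {"revoked_ids": stale, "assume_usable_until_ms": usable_until}


class FakeSessionsAPI:
    """Constructed stand-in for c.iam.sessions so the example runs offline."""

    def __init__(self, sessions):
        self.sessions, self.revoked = sessions, []

    def list(self, status=None):
        return self.sessions[:]  # the stand-in ignores the status filter

    def revoke(self, id):
        self.revoked.extend(id)


def demo():
    now, day = 1_700_000_000_000, 24 * 60 * 60 * 1000  # constructed timestamps (ms)
    api = FakeSessionsAPI([
        SimpleNamespace(id=1, creation_time=now - 40 * day, expiration_time=now + day),
        SimpleNamespace(id=2, creation_time=now - 40 * day, expiration_time=now - day),
        SimpleNamespace(id=3, creation_time=now - day, expiration_time=now + day),
    ])
    return revoke_stale_sessions(api, max_age_ms=30 * day, now_ms=now), api.revoked
```

Session 2 is skipped because it has already expired and session 3 because it is younger than the threshold, so only session 1 is revoked.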

Data classes

class cognite.client.data_classes.iam.ClientCredentials(client_id: str, client_secret: str)

Bases: cognite.client.data_classes._base.CogniteResource

Client credentials for session creation

Parameters:
  • client_id (str) – Client ID from identity provider.
  • client_secret (str) – Client secret from identity provider.

class cognite.client.data_classes.iam.CreatedSession(id: int = None, type: str = None, status: str = None, nonce: str = None, client_id: str = None, cognite_client: CogniteClient = None)

Bases: cognite.client.data_classes._base.CogniteResource

Session creation related information

Parameters:
  • id (int) – ID of the created session.
  • type (str) – Credentials kind used to create the session.
  • status (str) – Current status of the session.
  • nonce (str) – Nonce to be passed to the internal service that will bind the session
  • client_id (str) – Client ID in identity provider. Returned only if the session was created using client credentials

class cognite.client.data_classes.iam.Group(name: str = None, source_id: str = None, capabilities: List[Dict[str, Any]] = None, id: int = None, is_deleted: bool = None, deleted_time: int = None, cognite_client: CogniteClient = None)

Bases: cognite.client.data_classes._base.CogniteResource

No description.

Parameters:
  • name (str) – Name of the group
  • source_id (str) – ID of the group in the source. If this is the same ID as a group in the IDP, a service account in that group will implicitly be a part of this group as well.
  • capabilities (List[Dict[str, Any]]) – No description.
  • id (int) – No description.
  • is_deleted (bool) – No description.
  • deleted_time (int) – No description.
  • cognite_client (CogniteClient) – The client to associate with this object.

class cognite.client.data_classes.iam.GroupList(resources: Collection[Any], cognite_client: CogniteClient = None)

Bases: cognite.client.data_classes._base.CogniteResourceList

class cognite.client.data_classes.iam.ProjectSpec(url_name: str, groups: List[int])

Bases: cognite.client.data_classes._base.CogniteResponse

A CDF project spec

Parameters:
  • url_name (str) – The url name for the project
  • groups (List[int]) – Group ids in the project

class cognite.client.data_classes.iam.SecurityCategory(name: str = None, id: int = None, cognite_client: CogniteClient = None)

Bases: cognite.client.data_classes._base.CogniteResource

No description.

Parameters:
  • name (str) – Name of the security category
  • id (int) – ID of the security category
  • cognite_client (CogniteClient) – The client to associate with this object.

class cognite.client.data_classes.iam.SecurityCategoryList(resources: Collection[Any], cognite_client: CogniteClient = None)

Bases: cognite.client.data_classes._base.CogniteResourceList

class cognite.client.data_classes.iam.Session(id: int = None, type: str = None, status: str = None, creation_time: int = None, expiration_time: int = None, client_id: str = None, cognite_client: CogniteClient = None)

Bases: cognite.client.data_classes._base.CogniteResource

Session status

Parameters:
  • id (int) – ID of the session.
  • type (str) – Credentials kind used to create the session.
  • status (str) – Current status of the session.
  • creation_time (int) – Session creation time, in milliseconds since 1970
  • expiration_time (int) – Session expiry time, in milliseconds since 1970. This value is updated on refreshing a token
  • client_id (str) – Client ID in identity provider. Returned only if the session was created using client credentials

class cognite.client.data_classes.iam.SessionList(resources: Collection[Any], cognite_client: CogniteClient = None)

Bases: cognite.client.data_classes._base.CogniteResourceList

class cognite.client.data_classes.iam.TokenInspection(subject: str, projects: List[cognite.client.data_classes.iam.ProjectSpec], capabilities: List[Dict[KT, VT]])

Bases: cognite.client.data_classes._base.CogniteResponse

Current login status

Parameters:
  • subject (str) – Subject (sub claim) of JWT.
  • projects (List[ProjectSpec]) – Projects this token is valid for.
  • capabilities (List[Dict]) – Capabilities associated with this token.

dump(camel_case: bool = False) → Dict[str, Any]

Dump the instance into a json serializable Python data type.

Parameters: camel_case (bool) – Use camelCase for attribute names. Defaults to False.
Returns: A dictionary representation of the instance.
Return type: Dict[str, Any]