Entitlement service

Access management is a critical function for any service or resource. The entitlements service helps you manage who has access to your Microsoft Energy Data Services instance, what they can do with it, and which services they can reach.

Important

Microsoft Energy Data Services is currently in preview. For legal terms that apply to features that are in beta, in preview, or otherwise not yet released into general availability, see the Supplemental Terms of Use for Microsoft Azure Previews.

Microsoft Energy Data Services requires registration and is available to only approved customers and partners during the preview period. To request access to Microsoft Energy Data Services during the preview period, use this form.

Groups

The entitlements service of Microsoft Energy Data Services allows you to create groups. An entitlement group defines permissions on services and data sources for your Microsoft Energy Data Services instance; users you add to that group obtain the associated permissions.

The main motivation for the entitlements service is data authorization, but the functionality enables three use cases:

  • Data groups used for data authorization (for example, data.welldb.viewers, data.welldb.owners)
  • Service groups used for service authorization (for example, service.storage.user, service.storage.admin)
  • User groups used for hierarchical grouping of user and service identities (for example, users.datalake.viewers, users.datalake.editors)

Users

For each group, you can add a user as either an OWNER or a MEMBER. The only difference is that an OWNER of a group can manage the members of that group.

Note

Do not delete the OWNER of a group unless there is another OWNER to manage the users.

Group naming

All group identifiers (emails) are of the form {groupType}.{serviceName|resourceName}.{permission}@{partition}.{domain}.com. By the adopted naming convention, a group's name starts with "data." for data groups, "service." for service groups, and "users." for user groups. The exception is the group created when a data partition is provisioned: when a data partition is created, a corresponding group is created with it; for example, for the data partition opendes, the group users@opendes.dataservices.energy is created.
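The naming convention above and the OWNER/MEMBER rules from the Users section can be enforced client-side before any call reaches the service. The following is an added example, not code from Microsoft Energy Data Services or OSDU: it parses group ids (including the partition root-group exception), lets only an OWNER manage membership, and refuses to remove a group's last OWNER. The in-memory Entitlements class and the example user names are constructed for illustration.

```python
import re

# Group ids follow {groupType}.{serviceName|resourceName}.{permission}@{partition}.{domain};
# the partition root group "users@{partition}.{domain}" is the documented exception.
GROUP_RE = re.compile(r"^(?P<type>data|service|users)\.(?P<target>[a-z0-9-]+)"
                      r"\.(?P<permission>[a-z0-9-]+)@(?P<partition>[a-z0-9-]+)\.(?P<domain>[a-z0-9.-]+)$")
ROOT_RE = re.compile(r"^users@(?P<partition>[a-z0-9-]+)\.(?P<domain>[a-z0-9.-]+)$")

def parse_group(email: str) -> dict:
    """Return the parts of a group id, or raise ValueError if it breaks the convention."""
    m = GROUP_RE.match(email)
    if m:
        return m.groupdict()
    m = ROOT_RE.match(email)
    if m:  # root group: no service/resource name and no permission segment
        return {"type": "users", "target": "", "permission": "", **m.groupdict()}
    raise ValueError(f"group id does not follow the naming convention: {email}")

class Entitlements:
    """Constructed in-memory model of group membership (not the real service API)."""
    def __init__(self) -> None:
        self._roles: dict[str, dict[str, str]] = {}  # group email -> {user: OWNER|MEMBER}

    def create_group(self, email: str, owner: str) -> dict:
        parts = parse_group(email)  # reject badly named groups before they exist
        self._roles.setdefault(email, {})[owner] = "OWNER"
        return parts

    def is_owner(self, user: str, group: str) -> bool:
        return self._roles.get(group, {}).get(user) == "OWNER"

    def add_member(self, actor: str, group: str, user: str, role: str = "MEMBER") -> None:
        # Only an OWNER of the group may manage its membership.
        if role not in ("OWNER", "MEMBER"):
            raise ValueError(f"unknown role {role}")
        if not self.is_owner(actor, group):
            raise PermissionError(f"{actor} is not an OWNER of {group}")
        self._roles[group][user] = role

    def remove_member(self, actor: str, group: str, user: str) -> None:
        if not self.is_owner(actor, group):
            raise PermissionError(f"{actor} is not an OWNER of {group}")
        roles = self._roles[group]
        if roles.get(user) == "OWNER" and list(roles.values()).count("OWNER") == 1:
            raise ValueError(f"refusing to remove the last OWNER of {group}")
        del roles[user]

    def members(self, group: str) -> dict[str, str]:
        return dict(self._roles.get(group, {}))
```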

Permissions and roles

The OSDU™ Data Ecosystem user groups provide an abstraction from permission and user management. Without a user creating their own groups, the following user groups exist by default:

  • users.datalake.viewers: viewer-level authorization for OSDU Data Ecosystem services.
  • users.datalake.editors: editor-level authorization for OSDU Data Ecosystem services and authorization to create data using the OSDU™ Data Ecosystem storage service.
  • users.datalake.admins: admin-level authorization for OSDU Data Ecosystem services.

A full list of all API endpoints for entitlements can be found in the OSDU entitlement service. A few illustrations are provided below. Depending on the resources you have, you might need to use the entitlements service in ways other than those shown below. Each endpoint requires a corresponding minimum level of entitlement permission.

Note

The OSDU documentation refers to V1 endpoints, but the scripts in this documentation refer to V2 endpoints, which work and have been successfully validated.

OSDU™ is a trademark of The Open Group.

Next steps