The command access control file

The command access control configuration XML file has the following structure, and can contain the following permissions. Use this reference and example information when you create your own configuration file.

File structure

<CommandAccessControl>
The <CommandAccessControl> element is the root of the configuration file.

It contains child <CommandAccessPermissions> elements.

<CommandAccessPermissions>
The <CommandAccessPermissions> element contains the access permissions for groups of users.

The UserGroup attribute defines the user group that the access permissions apply to. The value of the UserGroup attribute must match a user group from the user registry. To specify that the permissions apply to all user groups, you can use the * wildcard.

It contains one or more child <Permission> elements.

<Permission>
The Value attribute of the <Permission> element defines a permission that members of the user group that is specified in the parent <CommandAccessPermissions> element has access to.

For the list of values that you can specify for the Value attribute, see Command access permissions.

The following example allows users of all groups to upload records and charts, and members of the "Analyst" user group can delete records and charts too:
<tns:CommandAccessControl 
    xmlns:tns="http://www.i2group.com/Schemas/2018-01-19/CommandAccessControl"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.i2group.com/Schemas/2018-01-19/CommandAccessControl CommandAccessControl.xsd ">

  <CommandAccessPermissions UserGroup="*">
    <Permission Value="i2:RecordsUpload"/>
    <Permission Value="i2:ChartsUpload"/>
    <Permission Value="i2:ChartsRead"/>
    <Permission Value="i2:Notes"/>
  </CommandAccessPermissions>

  <CommandAccessPermissions UserGroup="Analyst">
    <Permission Value="i2:RecordsDelete"/>
    <Permission Value="i2:ChartsDelete"/>
  </CommandAccessPermissions>

</tns:CommandAccessControl>

Command access permissions

Record and chart permissions:
i2:RecordsUpload
Members of groups that have this permission can create and modify records and upload them to the Information Store.

Without this permission, users can search for records and add them to charts, but cannot upload changes to records.

i2:RecordsDelete
Members of groups that have this permission can delete records that were originally uploaded through Analyst's Notebook Premium.

Without this permission, users can search for records and add them to charts, but cannot delete records from the Information Store.

i2:RecordsExport
Members of groups that have this permission can export records that are returned in search results to a CSV file.

Without this permission, users cannot export records that are returned in search results to a CSV file.

i2:ChartsUpload
Members of groups that have this permission can create and modify Analyst's Notebook charts and upload them to the Chart Store. Modifying a chart includes deleting versions of a chart, but not deleting the chart itself.

Without this permission, users can save Analyst's Notebook charts locally, but cannot upload new charts and modifications to existing charts.

i2:ChartsBulkUpload
Members of groups that have this permission receive access to the Upload from Folder feature in i2 Analyst's Notebook Premium that enables users to upload charts from disk to the Chart Store in bulk.
Note: This permission automatically includes the i2:ChartsUpload permission. You do not need to give both permissions to the same user groups.
i2:ChartsDelete
Members of groups that have this permission can delete charts that were originally uploaded through Analyst's Notebook Premium.

Without this permission, users cannot delete charts from the Chart Store.

i2:ChartsRead
Members of groups that have this permission can search for and retrieve charts from the Chart Store.

Without this permission, users cannot search for or retrieve charts.

i2:Notes
Members of groups that have this permission can create and access notes on records and charts.

Without this permission, notes are not displayed in the Notes tab, and the contents of any notes are not searchable.

Web client permission:
i2:Notebook
Members of groups that have this permission can access the i2 Notebook web client. Members of groups without this permission see the i2 Investigate web client instead.

For more information, see Enabling access to the i2 Notebook web client.

Connector permissions:
i2:Connectors
If you are using the i2 Connect gateway, members of groups that have this permission can view all i2 Connect connectors.

Without this permission, i2 Connect connectors are not visible unless individual connectors are specified by using the i2:Connectors:connector-id permission.

i2:Connectors:connector-id
If you are using the i2 Connect gateway, members of groups that have this permission can view the i2 Connect connector with the matching connector-id. For example, i2:Connectors:example-connector.

Without this permission, the specified i2 Connect connector is not visible.

Administrator permission:
i2:Administrator
Members of groups that have this permission can access the REST API admin endpoints. For more information, see Using the admin endpoints.