Security model example

At any moment, a user has one security access level for each record in i2 Analyze. The platform calculates this level according to a consistent set of rules.

The process for determining a security access level involves examining security permissions within and across dimensions. The platform does the job in three steps:

  1. Bring together the permissions for all the user groups of which the user is a member.
  2. Use the permissions to determine all the security access levels that the user receives for each dimension value that the record has. Take the least restrictive level in each case.
  3. Examine all of these "least restrictive" dimension-specific security access levels, and take the most restrictive.

For example, consider the following record, which has one value for each of two security dimensions, and two values for a third.

Then, consider a user in a group that has the following security permissions. (It does not matter whether the permissions are due to one user group or several.)

The following diagram then represents the process for determining the security access level of the user for this record.

The record has two values in the "Operational Team" dimension that map to different access levels for this user. At this stage in the calculation, the less restrictive access level ("Update") is taken. However, the values from the "Security Classification" and "Intelligence Type" dimensions both map to the "Read only" access level. The final part of the calculation takes the most restrictive level, and the user therefore has the "Read only" access level on this record.