Configuring command access control

You can use command access control to determine which commands and features users can access. You can create a command access control file to match the specific needs of your deployment.

In any command access control file that you create, the group names in the file must match the names of user groups in the user registry.

If you follow this procedure in a deployment that provides high availability, you must complete each step on every Liberty server in your environment before you move to the next step.

  1. Create a command access control file.
    1. Navigate to the directory in the deployment toolkit that contains the example security schema: toolkit\configuration\examples\security-schema.
    2. Copy the example-command-access-control.xml file to the toolkit\configuration\fragments\opal-services\WEB-INF\classes directory, and rename it to command-access-control.xml.
  2. Modify the command access control file.
    1. Open the command-access-control.xml file in your XSD-aware XML editor. For more information, see Setting up your XSD-aware XML editor.
      The associated XSD file is: toolkit\scripts\xsd\CommandAccessControl.xsd.
    2. Use the reference information to specify the access control that your system requires.
    3. Save the completed file.
  3. Specify the command access control file that the deployment uses:
    1. Using a text editor, open the toolkit\configuration\fragments\opal-services\WEB-INF\classes\DiscoServerSettingsCommon.properties file.
    2. Specify your command access control file as the value for the CommandAccessControlResource property.
      For example:
      CommandAccessControlResource=command-access-control.xml
    3. Save the file.
Redeploy i2 Analyze to update the application with your changes.
  1. In a command prompt, navigate to the toolkit\scripts directory.
  2. Stop Liberty:
    setup -t stopLiberty
  3. Update the i2 Analyze application:
    setup -t deployLiberty
  4. Start Liberty:
    setup -t startLiberty
Connect to your deployment and test that members of each user group have the correct access to features. Continue to change the configuration until you are satisfied with the access of each user group.

After you set command access control, you can revert to the default state by ensuring that the CommandAccessControlResource property in the toolkit\configuration\fragments\opal-services\WEB-INF\classes\DiscoServerSettingsCommon.properties file has no value.
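
The following check can be run on each server before you redeploy. It is an added example, not part of the i2 Analyze toolkit. It reads the CommandAccessControlResource property, confirms that the named file exists in the classes directory and is well-formed XML, and lists group names in the file that are not in the user registry. The UserGroup attribute name, the "*" wildcard, and the element names in the sample file are assumptions; confirm them against CommandAccessControl.xsd and supply the group names from your own user registry.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

PROP = "CommandAccessControlResource"  # property name from the procedure
PROPS_FILE = "DiscoServerSettingsCommon.properties"

def read_resource(props_path):
    """Return the value of CommandAccessControlResource, or '' if unset."""
    value = ""
    for line in Path(props_path).read_text(encoding="utf-8").splitlines():
        key, sep, val = line.strip().partition("=")
        if sep and key.strip() == PROP:  # comment lines never match the key
            value = val.strip()          # last assignment wins
    return value

def preflight(classes_dir, registry_groups, group_attr="UserGroup", wildcards=("*",)):
    """Return findings for one server; an empty list means nothing to fix.

    group_attr and wildcards are ASSUMPTIONS about the file format; confirm
    them against CommandAccessControl.xsd before relying on the result.
    """
    classes_dir = Path(classes_dir)
    resource = read_resource(classes_dir / PROPS_FILE)
    if not resource:
        return [f"{PROP} has no value: deployment is in the default state"]
    acl = classes_dir / resource
    if not acl.is_file():
        return [f"{resource} not found in {classes_dir}"]
    try:
        root = ET.parse(str(acl)).getroot()
    except ET.ParseError as exc:
        return [f"{resource} is not well-formed XML: {exc}"]
    named = {el.get(group_attr) for el in root.iter() if el.get(group_attr)}
    unknown = sorted(named - set(registry_groups) - set(wildcards))
    return [f"group '{g}' is not in the user registry" for g in unknown]

def demo():
    """Run the check on CONSTRUCTED files; element names are placeholders."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / PROPS_FILE).write_text(f"{PROP}=command-access-control.xml\n", encoding="utf-8")
        (d / "command-access-control.xml").write_text(
            '<acl><entry UserGroup="Analyst"/><entry UserGroup="Analyts"/>'
            '<entry UserGroup="*"/></acl>', encoding="utf-8")
        return preflight(d, {"Analyst", "Administrator"})

if __name__ == "__main__":
    print(demo())
```

In a deployment that provides high availability, run the check against the classes directory on every Liberty server and compare the findings before you continue.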