The command access control file

The command access control configuration XML file has the following structure, and can contain the following permissions. Use this reference and example information when you create your own configuration file.

File structure

<CommandAccessControl>
The <CommandAccessControl> element is the root of the configuration file.

It contains child <CommandAccessPermissions> elements.

<CommandAccessPermissions>
The <CommandAccessPermissions> element contains the access permissions for groups of users.

The UserGroup attribute defines the user group that the access permissions apply to. The value of the UserGroup attribute must match a user group from the user registry. To specify that the permissions apply to all user groups, you can use the * wildcard.

It contains one or more child <Permission> elements.

<Permission>
The Value attribute of the <Permission> element defines a permission that members of the user group that is specified in the parent <CommandAccessPermissions> element have access to.

For the list of values that you can specify for the Value attribute, see Command access permissions.

The following example allows users of all groups to upload records and charts, and allows members of the "Analyst" user group to delete records and charts too:
<tns:CommandAccessControl 
    xmlns:tns="http://www.i2group.com/Schemas/2018-01-19/CommandAccessControl"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.i2group.com/Schemas/2018-01-19/CommandAccessControl CommandAccessControl.xsd ">

  <CommandAccessPermissions UserGroup="*">
    <Permission Value="i2:RecordsUpload"/>
    <Permission Value="i2:ChartsUpload"/>
    <Permission Value="i2:ChartsRead"/>
    <Permission Value="i2:Notes"/>
  </CommandAccessPermissions>

  <CommandAccessPermissions UserGroup="Analyst">
    <Permission Value="i2:RecordsDelete"/>
    <Permission Value="i2:ChartsDelete"/>
  </CommandAccessPermissions>

</tns:CommandAccessControl>

Command access permissions

Record and chart permissions:
i2:RecordsUpload
Members of groups that have this permission can create and modify records and upload them to the Information Store.

Without this permission, users can search for records and add them to charts, but cannot upload changes to records.

i2:RecordsDelete
Members of groups that have this permission can delete records that were originally uploaded through Analyst's Notebook Premium.

Without this permission, users can search for records and add them to charts, but cannot delete records from the Information Store.

i2:RecordsExport
Members of groups that have this permission can export records that are returned in search results to a CSV file.

Without this permission, users cannot export records that are returned in search results to a CSV file.

i2:ChartsUpload
Members of groups that have this permission can create and modify Analyst's Notebook charts and upload them to the Chart Store. Modifying a chart includes deleting versions of a chart, but not deleting the chart itself.

Without this permission, users can save Analyst's Notebook charts locally, but cannot upload new charts and modifications to existing charts.

i2:ChartsBulkUpload
Members of groups that have this permission receive access to the Upload from Folder feature in i2 Analyst's Notebook Premium that enables users to upload charts from disk to the Chart Store in bulk.

Note: This permission automatically includes the i2:ChartsUpload permission. You do not need to give both permissions to the same user groups.

i2:ChartsDelete
Members of groups that have this permission can delete charts that were originally uploaded through Analyst's Notebook Premium.

Without this permission, users cannot delete charts from the Chart Store.

i2:ChartsRead
Members of groups that have this permission can search for and retrieve charts from the Chart Store.

Without this permission, users cannot search for or retrieve charts.

i2:Notes
Members of groups that have this permission can create and access notes on records and charts.

Without this permission, notes are not displayed in the Notes tab, and the contents of any notes are not searchable.

Web client permission:
i2:Notebook
Members of groups that have this permission can access the i2 Notebook web client. Members of groups without this permission see the i2 Investigate web client instead.

For more information, see Enabling access to the i2 Notebook web client.

Connector permissions:
i2:Connectors
If you are using the i2 Connect gateway, members of groups that have this permission can view all i2 Connect connectors.

Without this permission, i2 Connect connectors are not visible unless individual connectors are specified by using the i2:Connectors:connector-id permission.

i2:Connectors:connector-id
If you are using the i2 Connect gateway, members of groups that have this permission can view the i2 Connect connector with the matching connector-id. For example, i2:Connectors:example-connector.

Without this permission, the specified i2 Connect connector is not visible.

Administrator permissions:
i2:AlertsCreate
Members of groups that have this permission can access the REST API alerts endpoint to create and send alerts to i2 Analyze users. For more information, see Managing i2 Analyze.

i2:Administrator
Members of groups that have this permission can access the REST API admin endpoints. For more information, see Using the admin endpoints.
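
The following added example is not part of the product documentation or the product's own tooling. It is a Python review check that loads a command access control file and reports Value entries that do not match the permissions listed above, administrator permissions granted through the * wildcard, and i2:ChartsUpload listed alongside i2:ChartsBulkUpload. The sample file is constructed, the function names are hypothetical, and effective() assumes, from the example above, that a user holds the * permissions plus the permissions of each of their groups.

```python
import xml.etree.ElementTree as ET

# Permission values listed on this page; i2:Connectors:<connector-id> is matched by prefix.
KNOWN = {"i2:RecordsUpload", "i2:RecordsDelete", "i2:RecordsExport", "i2:ChartsUpload",
         "i2:ChartsBulkUpload", "i2:ChartsDelete", "i2:ChartsRead", "i2:Notes",
         "i2:Notebook", "i2:Connectors", "i2:AlertsCreate", "i2:Administrator"}
ADMIN = {"i2:AlertsCreate", "i2:Administrator"}  # the page's "Administrator permissions"

# Constructed sample file for illustration (includes a misspelled value on purpose).
SAMPLE = """<tns:CommandAccessControl
    xmlns:tns="http://www.i2group.com/Schemas/2018-01-19/CommandAccessControl">
  <CommandAccessPermissions UserGroup="*">
    <Permission Value="i2:ChartsRead"/>
    <Permission Value="i2:Administrator"/>
  </CommandAccessPermissions>
  <CommandAccessPermissions UserGroup="Analyst">
    <Permission Value="i2:ChartsUpload"/>
    <Permission Value="i2:ChartsBulkUpload"/>
    <Permission Value="i2:RecordDelete"/>
    <Permission Value="i2:Connectors:example-connector"/>
  </CommandAccessPermissions>
</tns:CommandAccessControl>"""

def load_permissions(xml_text):
    """Return {UserGroup: set of Permission values}; child elements are unprefixed, as in the page's example."""
    root = ET.fromstring(xml_text)
    groups = {}
    for block in root.iter("CommandAccessPermissions"):
        values = {p.get("Value") for p in block.iter("Permission")}
        groups.setdefault(block.get("UserGroup"), set()).update(values)
    return groups

def audit(groups):
    """Return sorted (group, permission, finding) tuples for a reviewer to check."""
    findings = []
    for group, perms in groups.items():
        for perm in perms:
            if perm not in KNOWN and not perm.startswith("i2:Connectors:"):
                findings.append((group, perm, "unknown permission value"))
            elif group == "*" and perm in ADMIN:
                findings.append((group, perm, "administrator permission for all groups"))
        if {"i2:ChartsUpload", "i2:ChartsBulkUpload"} <= perms:
            findings.append((group, "i2:ChartsUpload", "redundant with i2:ChartsBulkUpload"))
    return sorted(findings)

def effective(groups, user_groups):
    """Assumption: a user holds the * block plus every block for the user's groups."""
    return set().union(groups.get("*", set()), *(groups.get(g, set()) for g in user_groups))
```

Running audit(load_permissions(...)) against a real file before deployment gives a short list to review; effective() shows what a user in given groups ends up with once the wildcard block is included.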