i2 Analyze security permissions

In i2 Analyze, security permissions provide the link between the security dimension values that a record has, and what users in a particular group are allowed to do with that record. The platform calculates the access rights of users according to the permissions of the user groups to which they belong.

The result of the calculation that i2 Analyze performs is that for any record, a user receives one of three security access levels:

None
The user has no access to the record. The user cannot examine the record data, or even know that the record exists.
Read only
The user has read-only access to the record and its data.
Update
The user can read, modify, and delete the record and its data.

In an i2 Analyze security schema, the set of security permissions for a user group defines mappings from dimension values to access levels. Users receive the security access levels that their user group indicates for the dimension values of a record.

For example, a dimension value might mark a record as containing open source information, and a security permission might state that members of a certain user group have the "Update" access level on records with that dimension value. In that case, a user in that group receives the "Update" access level on that record.

In practice, when a user is a member of several user groups, or a record has multiple dimension values, it is possible for a user to receive several security access levels from different security permissions. In these circumstances, i2 Analyze computes a single security access level from all the contributors.

It is not compulsory for a set of permissions for a user group to provide a security access level for every value of every dimension. Any dimension value that does not appear in a set of permissions receives a default security access level, according to a set of rules:

  • For an unordered dimension, a dimension value that does not appear in the permissions receives the "None" level.
  • For an ordered dimension:
    • If the unspecified value comes after a dimension value that does appear, then the unspecified value receives the same level as the specified value.
    • If the unspecified value comes before a dimension value that does appear, then the unspecified value receives the "None" level.

    For example, if a particular set of permissions associates the "Read only" access level with "Restricted" records (and makes no other setting), then the default access level for "Confidential" records is "None". However, if the permissions associate the "Read only" access level with "Confidential" records instead, then users in the same group receive that access level for "Restricted" records as well.
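The default-level rules above, worked through in code. This is an added example, not part of the i2 Analyze documentation or product; the dimension values "Unclassified", "Open source" and "Proprietary" are constructed, and the choice of the nearest preceding specified value when several precede an unspecified one is an assumption the page does not state.

```python
ACCESS_LEVELS = ("None", "Read only", "Update")


def resolve_access_level(dimension_value, permissions, ordered_values=None):
    """Return the access level one permission set gives to one dimension value.

    permissions: dict of dimension value -> access level for a single user group.
    ordered_values: for an ordered dimension, every value of the dimension in its
        dimension order (earlier entries come "before" later ones); None marks an
        unordered dimension.
    Assumption (not stated on the page): when more than one specified value
    precedes an unspecified one, the nearest preceding specified value applies.
    """
    for level in permissions.values():
        if level not in ACCESS_LEVELS:
            raise ValueError(f"unknown access level: {level!r}")
    if dimension_value in permissions:
        return permissions[dimension_value]
    if ordered_values is None:
        # Unordered dimension: a value missing from the permissions gets "None".
        return "None"
    position = ordered_values.index(dimension_value)
    # Ordered dimension: inherit from the closest specified value that comes before.
    for earlier in reversed(ordered_values[:position]):
        if earlier in permissions:
            return permissions[earlier]
    # Nothing specified before this value, so it gets "None".
    return "None"


def resolve_dimension(permissions, dimension_values, ordered):
    """Resolve every value of one dimension to its access level."""
    order = dimension_values if ordered else None
    return {value: resolve_access_level(value, permissions, order)
            for value in dimension_values}


# Constructed sample: an ordered classification dimension, most restrictive first.
CLASSIFICATION = ["Confidential", "Restricted", "Unclassified"]
# Constructed sample: an unordered dimension of information sources.
SOURCE = ["Open source", "Proprietary"]

if __name__ == "__main__":
    # The page's example: "Read only" on Restricted leaves Confidential at "None".
    print(resolve_dimension({"Restricted": "Read only"}, CLASSIFICATION, ordered=True))
    # Moving the permission to Confidential extends "Read only" to Restricted.
    print(resolve_dimension({"Confidential": "Read only"}, CLASSIFICATION, ordered=True))
    print(resolve_dimension({"Open source": "Update"}, SOURCE, ordered=False))
```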

An i2 Analyze system administrator must arrange the security schema so that all users can receive a security access level that is not "None" for at least one value in every dimension.