Modifying security permissions

It is possible to change the mapping between user groups and the security permissions that the security schema defines without reimporting or reindexing your data. You must take care to ensure that all i2 Analyze users retain the ability to access your deployment.

About this task

The following table shows the changes that you can make to the security permissions in a deployed security schema without clearing data from the system:

Change XML elements or attributes Allowed Reindex required
Add a security group <GroupPermissions> Yes No
Modify an existing security group UserGroup Yes No
Remove an existing security group <GroupPermissions> Yes No
Add security dimensions to a security group <Permissions> Yes No
Remove security dimension from a security group <Permissions> Yes No
Add security permissions from a security dimension for a security group <Permission> Yes No
Modify existing security level from a security dimension permission for a security group DimensionValue, Level Yes No
Remove existing security permissions from a security dimension permissions element for a security group <Permission> Yes No

If the requirements for security groups change, you can modify the <GroupPermissions> element and its children.

  • To add a group, insert a complete <GroupPermissions> element. To use the new group, you must ensure that the user repository contains a group that matches the value of the UserGroup attribute.
  • To modify the name that is associated with a group, change the value of the UserGroup attribute.
  • To remove a group, remove the <GroupPermissions> element for that group.

If the requirements for the permissions of a security group change, you can add or remove <Permissions> elements, and add, modify, and remove child <Permission> elements.

  • To change the dimensions that a group has permissions for, you can add or remove <Permissions> elements as follows:
    • To add a dimension that the group has permissions for, insert a <Permissions> element where the value of the Id attribute matches the value of the Id attribute of the dimension.
    • To remove a dimension that the group has permissions for, remove the <Permissions> element where the value of the Id attribute matches the value of the Id attribute of the dimension.
  • To change the security permissions that a group has within a dimension, you can add, modify, and remove <Permission> elements as follows:
    • To add a permission to a group, insert a <Permission> element. The DimensionValue attribute must match a dimension value in the same dimension that is defined in the Dimension attribute of the parent <Permissions> element.
    • To modify the current permission that a group has in a dimension value, set the Level attribute to a different value.
    • To modify the dimension value that a permission is for, set the DimensionValue attribute to a different value.
    • To remove the current permission that a group has in dimension value, remove the <Permission> element in which the DimensionValue attribute matches that dimension value.
If you follow this procedure in a deployment that provides high availability, you must complete each step on every Liberty server in your environment before you move to the next step.

Procedure

  1. Using an XML editor, open the security schema for the deployment.

    The security schema is in the toolkit\configuration\fragments\common\WEB-INF\classes\ directory. The name of the security schema is specified in the DynamicSecuritySchemaResource property of the ApolloServerSettingsMandatory.properties file in the same directory.

  2. Modify the security permissions in the security schema according to your requirements.
  3. Increment the version number that is stated in the Version attribute of the <SecurityDimensions> element in the security schema.
  4. Check your updated schema to ensure that it remains possible for all users to get an access level that is not "none" for at least one value in every access dimension.
  5. Save and close the file.
Redeploy i2 Analyze to update the application with your changes.
  1. In a command prompt, navigate to the toolkit\scripts directory.
  2. Stop Liberty:
    setup -t stopLiberty
  3. Update and redeploy the system:
    setup -t updateSecuritySchema
    setup -t deployLiberty
  4. Start Liberty:
    setup -t startLiberty