The command access control file
The command access control XML configuration file has the following structure, and can contain the following permissions. Use this reference and example information when you create your own configuration file.
File structure
<CommandAccessControl>
The <CommandAccessControl> element is the root of the configuration file. It contains child <CommandAccessPermissions> elements.
<CommandAccessPermissions>
The <CommandAccessPermissions> element contains the access permissions for groups of users.
The UserGroup attribute defines the user group that the access permissions apply to. The value of the UserGroup attribute must match a user group from the user registry. To specify that the permissions apply to all user groups, you can use the * wildcard.
The <CommandAccessPermissions> element contains one or more child <Permission> elements.
<Permission>
The Value attribute of the <Permission> element names a permission that is granted to members of the user group specified in the parent <CommandAccessPermissions> element.
For the list of values that you can specify for the Value attribute, see Command access permissions.
The following example allows users in all groups to upload records and charts and to create and access notes, and additionally allows members of the "Analyst" user group to delete records and charts:
<tns:CommandAccessControl
    xmlns:tns="http://www.i2group.com/Schemas/2018-01-19/CommandAccessControl"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.i2group.com/Schemas/2018-01-19/CommandAccessControl CommandAccessControl.xsd">
  <CommandAccessPermissions UserGroup="*">
    <Permission Value="i2:RecordsUpload"/>
    <Permission Value="i2:ChartsUpload"/>
    <Permission Value="i2:Notes"/>
  </CommandAccessPermissions>
  <CommandAccessPermissions UserGroup="Analyst">
    <Permission Value="i2:RecordsDelete"/>
    <Permission Value="i2:ChartsDelete"/>
  </CommandAccessPermissions>
</tns:CommandAccessControl>
Command access permissions
Record and chart permissions control access to commands for record and chart management.
Web client permissions control access to features in the web client.
Connector permissions control access to connectors when your deployment includes the i2 Connect gateway.
Sharing permissions control access to commands for sharing artifacts with other users.
Administrator permissions control access to REST API endpoints, including the admin endpoint.
Record and chart permissions
i2:RecordsUpload
Members of groups that have this permission can create and modify records and upload them to the Information Store.
Without this permission, users can search for records and add them to charts, but cannot upload changes to records.
i2:RecordsDelete
Members of groups that have this permission can delete records that were originally uploaded through Analyst's Notebook Premium.
Without this permission, users can search for records and add them to charts, but cannot delete records from the Information Store.
i2:RecordsExport
Members of groups that have this permission can:
Export records that are returned in search results to a CSV file
Export a list of records in the i2 Notebook web client to an XLSX file
Copy a list of records in the i2 Notebook web client to the clipboard
Without this permission, users cannot perform any of the above operations.
i2:ChartsRead
Members of groups that have this permission can search for and retrieve charts from the Chart Store.
Without this permission, users cannot search for or retrieve charts.
i2:ChartsUpload
Members of groups that have this permission can create and modify Analyst's Notebook charts and upload them to the Chart Store. Modifying a chart includes deleting versions of a chart, but not deleting the chart itself.
Without this permission, users can save Analyst's Notebook charts locally, but cannot upload new charts and modifications to existing charts.
Note: This permission automatically includes the i2:ChartsRead permission. You do not need to give both permissions to the same user groups.
i2:ChartsBulkUpload
Members of groups that have this permission receive access to the Upload from Folder feature in i2 Analyst's Notebook Premium that enables users to upload charts from disk to the Chart Store in bulk.
Note: This permission automatically includes the i2:ChartsUpload permission. You do not need to give both permissions to the same user groups.
i2:ChartsDelete
Members of groups that have this permission can delete charts that were originally uploaded through Analyst's Notebook Premium.
Without this permission, users cannot delete charts from the Chart Store.
i2:Notes
Members of groups that have this permission can create and access notes on records and charts.
Without this permission, notes are not displayed in the Notes tab, and the contents of any notes are not searchable.
Web client permissions
i2:Notebook
Members of groups that have this permission can access the i2 Notebook web client. Members of groups without this permission see the i2 Investigate web client instead.
For more information, see Enabling access to the i2 Notebook web client.
Connector permissions
i2:Connectors
If you are using the i2 Connect gateway, members of groups that have this permission can view all i2 Connect connectors.
Without this permission, i2 Connect connectors are not visible unless individual connectors are specified by using the i2:Connectors:<connector-id> permission.
i2:Connectors:<connector-id>
If you are using the i2 Connect gateway, members of groups that have this permission can view the i2 Connect connector with the matching <connector-id>. For example, i2:Connectors:example-connector.
Without this permission, the specified i2 Connect connector is not visible.
Sharing permissions
i2:Share
Members of groups that have this permission can take advantage of all the features for sharing artifacts that i2 Analyze supports.
Without this permission, sharing is not available unless it is enabled for particular features.
i2:Share:Records
Members of groups that have this permission can share records with other i2 Analyze users, and see the records that other users have shared.
Administrator permissions
i2:AlertsCreate
Members of groups that have this permission can access the REST API alerts endpoint to create and send alerts to i2 Analyze users. For more information, see Managing i2 Analyze.
i2:Administrator
Members of groups that have this permission can access the REST API admin endpoints. For more information, see Using the admin endpoints.
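An added example, not part of the original documentation or of the i2 Analyze product: a Python audit script that parses a command access control file, resolves a user's effective permissions (the * block plus the user's own groups, plus the i2:ChartsUpload and i2:ChartsRead permissions that this page says are included automatically), and lists sensitive permissions that the * wildcard grants to everyone. The sample file, the SENSITIVE set, and the assumption that grants from several groups combine as a union are choices made for this example.

```python
import xml.etree.ElementTree as ET

# Stated on the page: bulk upload includes upload, and upload includes read.
IMPLIES = {"i2:ChartsBulkUpload": "i2:ChartsUpload",
           "i2:ChartsUpload": "i2:ChartsRead"}
# Assumption of this example: permissions that should not go to every group.
SENSITIVE = {"i2:Administrator", "i2:AlertsCreate",
             "i2:RecordsDelete", "i2:ChartsDelete"}

# Constructed sample file, not taken from a real deployment.
SAMPLE = """<tns:CommandAccessControl
    xmlns:tns="http://www.i2group.com/Schemas/2018-01-19/CommandAccessControl">
  <CommandAccessPermissions UserGroup="*">
    <Permission Value="i2:ChartsBulkUpload"/>
    <Permission Value="i2:ChartsDelete"/>
  </CommandAccessPermissions>
  <CommandAccessPermissions UserGroup="Analyst">
    <Permission Value="i2:RecordsUpload"/>
    <Permission Value="i2:Connectors:example-connector"/>
  </CommandAccessPermissions>
</tns:CommandAccessControl>"""

def load_grants(xml_text):
    """Return {UserGroup: set of Permission values} from the file's text."""
    grants = {}
    for block in ET.fromstring(xml_text).iter("CommandAccessPermissions"):
        values = {p.get("Value") for p in block.iter("Permission")}
        grants.setdefault(block.get("UserGroup"), set()).update(values)
    return grants

def effective_permissions(grants, user_groups):
    """Union the '*' block with the user's groups, then add implied permissions."""
    perms = set(grants.get("*", ()))
    for group in user_groups:
        perms |= grants.get(group, set())
    for perm in list(perms):
        while perm in IMPLIES:          # follow the chain: bulk -> upload -> read
            perm = IMPLIES[perm]
            perms.add(perm)
    return perms

def can_view_connector(perms, connector_id):
    """i2:Connectors shows every connector; i2:Connectors:<id> shows one."""
    return "i2:Connectors" in perms or f"i2:Connectors:{connector_id}" in perms

def wildcard_findings(grants):
    """Sensitive permissions that the '*' block grants to every user group."""
    return sorted(grants.get("*", set()) & SENSITIVE)
```

Running wildcard_findings against a deployment's file before it is applied shows which delete or administrator permissions would reach every authenticated user.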