Editing permissions in the security schema file

If you're not using a security permissions provider, modifying the security permissions of a deployed i2 Analyze server means editing the security schema file.

About this task

If the requirements for security groups change, you can modify the <GroupPermissions> element and its children:

  • To add a group, insert a complete <GroupPermissions> element. To use the new group, you must ensure that the user repository contains a group that matches the value of the UserGroup attribute.

  • To modify the name that is associated with a group, change the value of the UserGroup attribute.

  • To remove a group, remove the <GroupPermissions> element for that group.

If the requirements for the permissions of a security group change, you can add or remove <Permissions> elements, and add, modify, and remove child <Permission> elements.

  • To change which dimensions are affected by membership of a particular group, you can add or remove <Permissions> elements as follows:

    • To add to the dimensions whose values appear in the permissions that group members receive, insert a <Permissions> element whose Dimension attribute matches the value of the Id attribute of the dimension.

    • To remove a dimension so that its values no longer appear in the permissions that group members receive, delete the <Permissions> element whose Dimension attribute matches the value of the Id attribute of the dimension.

  • To change the security permissions that group members receive for the values of a particular dimension, you can add, modify, and remove <Permission> elements as follows:

    • To add a permission to a group, insert a <Permission> element. The DimensionValue attribute must match a value in the dimension that's identified in the Dimension attribute of the parent <Permissions> element.

    • To modify the current permission that a group has for a dimension value, set the Level attribute to a different value.

    • To modify the dimension value that a permission is for, set the DimensionValue attribute to a different value.

    • To remove a permission that a group has for a dimension value, remove the <Permission> element in which the DimensionValue attribute matches that dimension value.

If you follow this procedure in a deployment that provides high availability, you must complete each step on every Liberty server in your environment before you move to the next step.

Procedure

Edit the security schema:

  1. Using an XML editor, open the security schema for the deployment.

    The security schema is in the toolkit\configuration\fragments\common\WEB-INF\classes directory. The name of the security schema is specified in the DynamicSecuritySchemaResource property of the ApolloServerSettingsMandatory.properties file in the same directory.

  2. Modify the security permissions in the security schema according to your requirements.

  3. Increment the version number that is stated in the Version attribute of the <SecurityDimensions> element in the security schema.

  4. Check your updated schema to ensure that it remains possible for all users to get a "Read only" or "Update" access level for at least one value in every dimension.

  5. Save and close the file.

Redeploy i2 Analyze to update the application with your changes.

  1. In a command prompt, navigate to the toolkit\scripts directory.

  2. Stop Liberty:

    setup -t stopLiberty

  3. Update and redeploy the system:

    setup -t updateSecuritySchema
setup -t deployLiberty

  4. Start Liberty:

    setup -t startLiberty