i2 Analyze security dimensions

In the i2 Analyze security model, a security dimension is a way to categorize a record, with the aim of using its category to determine whether particular users are allowed to view or modify it. The available security dimensions in a deployment of i2 Analyze are specific to that deployment, and they are defined in its security schema.

A deployment of i2 Analyze might need several different ways to categorize records:

  • Records might be categorized by their security classifications

  • Records might be categorized by the type of intelligence that produced them

  • Records might be categorized by the operational teams who are allowed to access them

As a result, the deployment requires several security dimensions. Each dimension contains a set of values that records can have in order to classify them within that dimension.

To continue the example, the three dimensions might contain values as follows:

  • Security classification

    Top Secret, Secret, Confidential, Restricted

  • Intelligence type

    Human Informant, Open Source

  • Operational team

    A, B, C

As a result of these definitions, for example, it is possible to mark a record as containing confidential information derived from a human informant, to be available to users in Team B.

Ordered and unordered

In some dimensions (such as security classification), the possible values form a sequence from which each record takes a single value. In these ordered dimensions, the values act as levels, where each value supersedes all the values after it. If a record is "Top Secret", it cannot be "Restricted" at the same time.

In dimensions such as operational team, where the values do not form a sequence, records can take one or more values. You can use the values of an unordered dimension to say that a record is available to users in Team B or Team C - or, alternatively, to users who are in both Team B and Team C.

Resolution mode

For an unordered dimension, the resolution mode tells i2 Analyze how to behave when a record has more than one value from it. By default, the resolution mode is ANY, which means that the record is available to users who qualify according to any of the assigned values ("Team B or Team C").

The other resolution mode is ALL, which makes a record with multiple dimension values available only to users who qualify according to all of them ("Team B and Team C").

Rules for records

Every record in an i2 Analyze deployment must have at least one value from each of the security dimensions in that deployment. There is no such thing as an "optional" dimension. For example:

[Figure: A representation of a security schema and two records that comply with it]

There are no restrictions on the numbers of dimensions or values that a security schema can define. Keep in mind, though, that the more dimensions there are, the more complicated it becomes to maintain the security schema. Also, for performance reasons, try to avoid using the ALL resolution mode with a dimension that has more than 100 values.
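The rules for records and the two resolution modes described above can be checked mechanically. The following Python sketch is an added example, not i2 Analyze code or its schema format: the `Dimension` class, `validate_record`, `qualifies`, and the sample records are hypothetical, and it assumes a simplified model in which a user is represented by the set of dimension values they qualify for.

```python
# Added illustration: a simplified in-memory model, not i2 Analyze's schema format or API.
from dataclasses import dataclass

@dataclass(frozen=True)
class Dimension:
    name: str
    values: tuple            # for ordered dimensions: highest level first
    ordered: bool
    resolution: str = "ANY"  # only meaningful for unordered dimensions

# Dimensions and values taken from the example on this page.
SCHEMA = (
    Dimension("Security classification",
              ("Top Secret", "Secret", "Confidential", "Restricted"), ordered=True),
    Dimension("Intelligence type", ("Human Informant", "Open Source"), ordered=False),
    Dimension("Operational team", ("A", "B", "C"), ordered=False),
)

def validate_record(record, schema=SCHEMA):
    """Return a list of rule violations; an empty list means the record complies."""
    errors = []
    for dim in schema:
        assigned = record.get(dim.name, [])
        if not assigned:  # there is no such thing as an optional dimension
            errors.append(f"{dim.name}: at least one value is required")
        unknown = [v for v in assigned if v not in dim.values]
        if unknown:
            errors.append(f"{dim.name}: unknown values {unknown}")
        if dim.ordered and len(assigned) > 1:
            errors.append(f"{dim.name}: ordered dimension takes a single value")
    for name in record.keys() - {d.name for d in schema}:
        errors.append(f"{name}: not a dimension in the schema")
    return errors

def qualifies(dim, assigned, user_values):
    """Unordered dimensions only. Assumption: user_values is the set of values the user qualifies for."""
    if dim.ordered:
        raise ValueError("resolution mode applies to unordered dimensions")
    hits = [v in user_values for v in assigned]
    return all(hits) if dim.resolution == "ALL" else any(hits)

# Constructed sample records.
GOOD = {"Security classification": ["Confidential"],
        "Intelligence type": ["Human Informant"],
        "Operational team": ["B", "C"]}
BAD = {"Security classification": ["Top Secret", "Restricted"],  # two levels at once
       "Operational team": ["B"]}                                # no intelligence type

if __name__ == "__main__":
    print(validate_record(GOOD), validate_record(BAD))
```

With the operational team dimension left at ANY, a user who qualifies only for Team B can see the `GOOD` record; switching that dimension to ALL requires the user to qualify for both B and C.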