i2 Analyze security permissions

In i2 Analyze, security permissions provide the link between the security dimension values that a record has, and what users are allowed to do with that record. The platform calculates whether users can see or edit a record according to the permissions of the user groups to which they belong.

The result of the calculation that i2 Analyze performs is that for any record, a user receives one of three security access levels:

  • None

    The user has no access to the record. The user cannot examine the record data, or even know that the record exists.

  • Read only

    The user has read-only access to the record and its data.

  • Update

    The user can read, modify, and delete the record and its data (subject to their command access control permissions).

In an i2 Analyze security schema, the security permissions for a user group define mappings from dimension values to access levels. Users receive the security access levels that their user groups indicate for the dimension values of a record.

A representation of the permissions defined in a security schema

For example, a dimension value might mark a record as containing open source intelligence (OSINT). In the diagram, the permissions for users in Group 1 say that they should have the "Read only" access level on records with that dimension value. However, the access level that users eventually receive depends on how all their permissions combine.

Note: It is not compulsory for a set of permissions for a user group to provide an access level for every value of every dimension. Any dimension value that does not appear in a set of permissions implies the default "None" access level, unless the missing value comes later in an ordered dimension than a value that does appear.

For example, consider our Security Classification dimension, whose ordered values are Top Secret, Secret, Confidential, Restricted.

If a particular set of permissions associates the "Read only" access level with Restricted records (and makes no other setting), then the default access level for Confidential records is "None". However, if the permissions associate the "Read only" access level with Confidential records instead, then users in the same group receive that access level for Restricted records as well.

Combining permissions

In practice, records have several dimension values, and users can be members of several user groups. As a result, users generally receive access levels from more than one permission. i2 Analyze computes a single security access level from all the contributing permissions.

An i2 Analyze system administrator must arrange the security schema so that all users can receive at least the "Read only" access level for at least one value in every dimension. In other words, it must be possible for all users to see at least some records.

Note: If the security schema uses a permissions provider, users can have permissions that are based on their login credentials as well as group membership. This detail does not affect how i2 Analyze processes security permissions.