User security
In a deployment of i2 Analyze, you can configure how users are authenticated and authorized with the system.
The access levels that each user receives within i2 Analyze are determined by their group membership. The names of these groups must match the values of the group permissions elements that are defined in your security schema. The way that i2 Analyze receives a user's group membership depends on the authentication and authorization mechanism that is used.
A user's group membership must conform to the following rules:
- The names of the groups that a user is a member of must exactly match the UserGroup attribute of the group permissions elements in the security schema.
- You must ensure that every user is a member of enough groups such that they are assigned a dimension value and level from each access security dimension.
To illustrate these rules, consider that the example security schema defines the following dimensions and groups:
Group Permissions UserGroup value | Group Permissions for Dimension | Dimension values and level |
---|---|---|
Analyst | Security Compartment | Human Informants - update, Open Source Intelligence - read_only |
Clerk | Security Compartment | Open Source Intelligence - update |
Controlled | Security Level | Controlled - update |
Unclassified | Security Level | Controlled - update, Unclassified - update |
To map to this security schema, the user group values in the table must match the user groups in the user repository.
Each user in this deployment must be in either the "Analyst" or the "Clerk" group, and in either the "Controlled" or the "Unclassified" group.
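
The following check applies both rules to an export of user-to-group memberships. It is an added example, not part of the i2 Analyze toolkit. The `SCHEMA` mapping is transcribed from the table above, the user names and the function names are constructed for illustration, and the example assumes that repository groups with no counterpart in the schema are ignored rather than reported.

```python
# Transcribed from the example table on this page:
# UserGroup -> dimension -> {dimension value: level}
SCHEMA = {
    "Analyst": {"Security Compartment": {"Human Informants": "update",
                                         "Open Source Intelligence": "read_only"}},
    "Clerk": {"Security Compartment": {"Open Source Intelligence": "update"}},
    "Controlled": {"Security Level": {"Controlled": "update"}},
    "Unclassified": {"Security Level": {"Controlled": "update",
                                        "Unclassified": "update"}},
}


def audit_user(groups, schema=SCHEMA):
    """Check one user's repository groups against both membership rules."""
    dimensions = {dim for perms in schema.values() for dim in perms}
    folded = {name.casefold(): name for name in schema}

    # Rule 1: names must match exactly. A group that differs from a
    # UserGroup value only by case or surrounding whitespace grants
    # nothing, so report it as a probable misspelling.
    near_misses = {g: folded[g.strip().casefold()]
                   for g in groups
                   if g not in schema and g.strip().casefold() in folded}

    # Rule 2: exactly matching groups must cover every dimension.
    covered = {dim
               for g in groups if g in schema
               for dim, values in schema[g].items() if values}
    return {"near_misses": near_misses,
            "missing_dimensions": sorted(dimensions - covered)}


def audit_repository(users, schema=SCHEMA):
    """Return only the users that break at least one rule."""
    findings = {}
    for user, groups in users.items():
        result = audit_user(groups, schema)
        if result["near_misses"] or result["missing_dimensions"]:
            findings[user] = result
    return findings


# Constructed sample memberships, as they might be exported from a user repository.
USERS = {
    "alice": ["Analyst", "Controlled"],           # conforms
    "bob": ["clerk", "Unclassified"],             # wrong case: no compartment
    "carol": ["Analyst", "Clerk"],                # no Security Level group
    "dave": ["Staff", "Clerk", "Unclassified"],   # extra group is ignored
}

if __name__ == "__main__":
    for user, result in audit_repository(USERS).items():
        print(user, result)
```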
Every deployment must contain an account that is associated with the administrator role. You can create a group in the user repository named "Administrator", or you can change the value of the security.administrator.group property to the name of an existing group in the repository. The security.administrator.group property is in the environment-advanced.properties file for each application, in the toolkit\configuration\environment directory. When an i2 Analyze user is a member of this group, they can access administrative features.