The command access control file

The structure of the command access control XML configuration file and the permissions that it contains combine to control which i2 Analyze commands and features are available to users. Use the following reference and example information when you create your own configuration file.

File structure

<CommandAccessControl>

The <CommandAccessControl> element is the root of the configuration file. It contains child <CommandAccessPermissions> elements.

<CommandAccessPermissions>

The <CommandAccessPermissions> element contains the access permissions for groups of users.

The UserGroup attribute specifies the user group that the access permissions apply to. The value of the attribute must match the display name of a user group. To specify that the permissions apply to all user groups, you can use the * wildcard.

The <CommandAccessPermissions> element contains one or more child <Permission> elements.

<Permission>

The Value attribute of the <Permission> element defines a permission that members of the user group that is specified in the parent <CommandAccessPermissions> element have access to.

For the list of values that you can specify for the Value attribute, see Command access permissions.

The following example allows users in all system groups to upload records and charts and to create and access notes, and members of the "Analyst" system group to delete records and charts too:

<tns:CommandAccessControl 
    xmlns:tns="http://www.i2group.com/Schemas/2018-01-19/CommandAccessControl"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.i2group.com/Schemas/2018-01-19/CommandAccessControl CommandAccessControl.xsd">

  <CommandAccessPermissions UserGroup="*">
    <Permission Value="i2:RecordsUpload"/>
    <Permission Value="i2:ChartsUpload"/>
    <Permission Value="i2:Notes"/>
  </CommandAccessPermissions>

  <CommandAccessPermissions UserGroup="Analyst">
    <Permission Value="i2:RecordsDelete"/>
    <Permission Value="i2:ChartsDelete"/>
  </CommandAccessPermissions>

</tns:CommandAccessControl>

Command access permissions

The i2 Analyze command access permissions control access to features across a number of categories:

Record and chart permissions

i2:RecordsUpload

Members of groups that have this permission can create and modify records and upload them to the Information Store.

Without this permission, users can search for records and add them to charts, but cannot upload changes to records.

i2:RecordsDelete

Members of groups that have this permission can delete records that were originally uploaded through Analyst's Notebook.

Without this permission, users can search for records and add them to charts, but cannot delete records from the Information Store.

i2:RecordsExport

Members of groups that have this permission can:

  • Export records that are returned in search results to a CSV file

  • Export a list of records in the i2 Notebook web client to an XLSX file

  • Copy a list of records in the i2 Notebook web client to the clipboard

Without this permission, users cannot perform any of the above operations.

i2:ChartsRead

Members of groups that have this permission can search for and retrieve charts from the Chart Store.

Without this permission, users cannot search for or retrieve charts.

i2:ChartsUpload

Members of groups that have this permission can create and modify Analyst's Notebook charts and upload them to the Chart Store. Modifying a chart includes deleting versions of a chart, but not deleting the chart itself.

Without this permission, users can save Analyst's Notebook charts locally, but cannot upload new charts and modifications to existing charts.

Note: This permission automatically includes the i2:ChartsRead permission. You do not need to give both permissions to the same user groups.

i2:ChartsBulkUpload

Members of groups that have this permission receive access to the Upload from Folder feature in i2 Analyst's Notebook that enables users to upload charts from disk to the Chart Store in bulk.

Note: This permission automatically includes the i2:ChartsUpload permission. You do not need to give both permissions to the same user groups.

i2:ChartsDelete

Members of groups that have this permission can delete charts that were originally uploaded through Analyst's Notebook.

Without this permission, users cannot delete charts from the Chart Store.

i2:Notes

Members of groups that have this permission can create and access notes on records and charts.

Without this permission, notes are not displayed in the Notes tab, and the contents of any notes are not searchable.

i2:CustomTypes

Members of groups that have this permission can create, delete, and edit custom entity, link, and property types in Analyst's Notebook charts. The functionality that allows users to perform these actions is available through palettes, the Record Inspector, and the import wizard.

Without this permission, user interface elements for manipulating custom types are not displayed. However, users can still use custom types in charts that other users have created.

Web client permissions

i2:Notebook

Members of groups that have this permission can access the i2 Notebook web client. Members of groups without this permission see the i2 Investigate web client instead.

For more information, see Enabling access to the i2 Notebook web client.

Connector permissions

i2:Connectors

If you are using the i2 Connect gateway, members of groups that have this permission can view all i2 Connect connectors.

Without this permission, i2 Connect connectors are not visible unless individual connectors are specified by using the i2:Connectors:<connector-id> permission.

i2:Connectors:<connector-id>

If you are using the i2 Connect gateway, members of groups that have this permission can view the i2 Connect connector with the matching <connector-id>. For example, i2:Connectors:example-connector.

Without this permission, the specified i2 Connect connector is not visible.

Sharing permissions

i2:Share

Members of groups that have this permission receive all the permissions listed below. They can take advantage of all the features for sharing records and artifacts that i2 Analyze supports.

Without this permission, users can have artifacts shared with them, but cannot themselves share unless they have one of the more specific permissions.

i2:Share:Artifacts

Members of groups that have this permission can share artifacts with specific users and groups.

Members of groups that have the i2:Administrator:SavedArtifacts permission can share artifacts with anyone, regardless of whether they also have this permission.

i2:Share:Records

Members of groups that have this permission can share records with other i2 Analyze users, and see the records that other users have shared.

Administrator permissions

i2:AlertsCreate

Members of groups that have this permission can access the REST API alerts endpoint to create and send alerts to i2 Analyze users. For more information, see Managing i2 Analyze.

i2:Administrator

Members of groups that have this permission can access the REST API admin endpoints and all the apps in the admin console. They also get the privileges of all the other administrator permissions.

For more information, see Using the admin endpoints and i2 Analyze Server Admin Console.

i2:Administrator:Connectors

Members of groups that have this permission can access the REST API endpoints for managing connectors. They can also access the i2 Connect gateway status and i2 Analyze type conversion apps in the admin console.

i2:Administrator:Groups

Members of groups that have this permission can access the User group management app in the admin console.

i2:Administrator:Indexing

Members of groups that have this permission can access the REST API endpoints for viewing the status of the Information Store index, and for clearing and rebuilding it if necessary.

i2:Administrator:SavedArtifacts

Members of groups that have this permission have unrestricted access to all saved artifacts, including the ability to change who they're shared with. They can also share any new artifacts of their own.
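
To review what a configuration file actually grants, the following added example (not part of the i2 Analyze product or its documentation) expands each group's permissions using the inclusions described above and lists sensitive permissions that reach every group through the * wildcard. The function names, the SENSITIVE list, and the sample file are assumptions made for illustration; the code also assumes child elements are unqualified, as in the example file above, and that i2:Administrator expands only to the i2:Administrator:* permissions listed on this page.

```python
import xml.etree.ElementTree as ET

# Implications stated on the page (direct edges; expand() closes them).
IMPLIES = {
    "i2:ChartsBulkUpload": {"i2:ChartsUpload"},
    "i2:ChartsUpload": {"i2:ChartsRead"},
    "i2:Share": {"i2:Share:Artifacts", "i2:Share:Records"},
    "i2:Administrator": {"i2:Administrator:" + s for s in
                         ("Connectors", "Groups", "Indexing", "SavedArtifacts")},
}
# Assumption: permissions this review treats as too broad to grant via "*".
SENSITIVE = ("i2:Administrator", "i2:AlertsCreate", "i2:RecordsDelete",
             "i2:ChartsDelete", "i2:RecordsExport")

def expand(perms):
    """Close a permission set under the documented implications."""
    result = set(perms)
    for p in perms:
        result |= expand(IMPLIES.get(p, ()))
    return result

def effective_permissions(xml_text):
    """Map each UserGroup to its expanded permissions, with "*" merged in."""
    granted = {}
    # Parse only configuration files you control.
    for block in ET.fromstring(xml_text).iter("CommandAccessPermissions"):
        values = {p.get("Value") for p in block.findall("Permission")}
        granted.setdefault(block.get("UserGroup"), set()).update(values)
    everyone = granted.get("*", set())
    return {g: expand(v | everyone) for g, v in granted.items()}

def wildcard_findings(effective):
    """Sensitive permissions that every user group receives through "*"."""
    return sorted(p for p in effective.get("*", ()) if p.startswith(SENSITIVE))

# Constructed sample configuration, not taken from a real deployment.
SAMPLE = """<tns:CommandAccessControl
    xmlns:tns="http://www.i2group.com/Schemas/2018-01-19/CommandAccessControl">
  <CommandAccessPermissions UserGroup="*">
    <Permission Value="i2:ChartsBulkUpload"/>
    <Permission Value="i2:RecordsExport"/>
  </CommandAccessPermissions>
  <CommandAccessPermissions UserGroup="Analyst">
    <Permission Value="i2:Share"/>
  </CommandAccessPermissions>
</tns:CommandAccessControl>"""

if __name__ == "__main__":
    print(wildcard_findings(effective_permissions(SAMPLE)))
```

In the sample, the wildcard block grants export rights to every group, and the single i2:ChartsBulkUpload entry also gives every group upload and read access to the Chart Store.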