Configuring command access control
You can use command access control to determine which commands and features users can access. You can create a command access control file to match the specific needs of your deployment.
About this task
In any command access control file that you create, the group names in the file must match the names of system user groups from the user registry.
If you follow this procedure in a deployment that provides high availability, you must complete each step on every Liberty server in your environment before you move to the next step.
Procedure
Create and configure the command access control file.
1. Create a command access control file.
   a. Navigate to the directory in the deployment toolkit that contains the example security schema: toolkit\configuration\examples\security-schema.
   b. Copy the example-command-access-control.xml file to the configuration\fragments\opal-services\WEB-INF\classes directory, and rename it to command-access-control.xml.
2. Modify the command access control file.
   a. Open the command-access-control.xml file in your XSD-aware XML editor. For more information, see Setting up your XSD aware XML editor. The associated XSD file is toolkit\scripts\xsd\CommandAccessControl.xsd.
   b. Use the reference information to specify the access control that your system requires.
   c. Save the completed file.
3. Set the command access control file to be used in the deployment.
   a. Using a text editor, open the toolkit\configuration\fragments\opal-services\WEB-INF\classes\DiscoServerSettingsCommon.properties file.
   b. Specify your command access control file as the value for the CommandAccessControlResource property. For example:
       CommandAccessControlResource=command-access-control.xml
   c. Save the file.
Redeploy i2 Analyze to update the application with your changes.
4. In a command prompt, navigate to the toolkit\scripts directory.
5. Stop Liberty:
       setup -t stopLiberty
6. Update the i2 Analyze application:
       setup -t deployLiberty
7. Start Liberty:
       setup -t startLiberty
What to do next
Connect to your deployment and test that members of each user group have the correct access to features. Continue to change the configuration until you are satisfied with the access of each user group.
After you set command access control, you can revert to the default state by ensuring that the CommandAccessControlResource property in the toolkit\configuration\fragments\opal-services\WEB-INF\classes\DiscoServerSettingsCommon.properties file has no value.
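A pre-deployment check for the configuration described above, as an added example that is not part of the i2 Analyze toolkit: it reads CommandAccessControlResource from DiscoServerSettingsCommon.properties, confirms that the named file exists in the same classes directory, and confirms that it is well-formed XML. It does not validate against CommandAccessControl.xsd or compare group names with the user registry. The function names, the status strings, and the treatment of an absent property as "no value" are assumptions of this example.

```python
import os
import sys
import xml.etree.ElementTree as ET

PROP = "CommandAccessControlResource"
# Path from the procedure, relative to the toolkit directory.
CLASSES = os.path.join("configuration", "fragments", "opal-services",
                       "WEB-INF", "classes")

def read_property(path, key):
    """Return the last value assigned to key in a .properties file, or None."""
    value = None
    # Java .properties files are ISO-8859-1; latin-1 never fails to decode.
    with open(path, encoding="latin-1") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line[0] in "#!":      # blank line or comment
                continue
            name, sep, rest = line.partition("=")
            if sep and name.strip() == key:
                value = rest.strip()             # a later assignment wins
    return value

def check_command_access_control(toolkit_dir):
    """Return (status, detail); status is 'configured', 'default' or 'error'."""
    classes = os.path.join(toolkit_dir, CLASSES)
    props = os.path.join(classes, "DiscoServerSettingsCommon.properties")
    if not os.path.isfile(props):
        return ("error", "missing " + props)
    resource = read_property(props, PROP)
    if not resource:
        # Assumption: an absent property is treated like an empty value.
        return ("default", PROP + " has no value")
    target = os.path.join(classes, resource)
    if not os.path.isfile(target):
        return ("error", "not found: " + target)
    try:
        ET.parse(target)                         # well-formedness only, no XSD
    except ET.ParseError as exc:
        return ("error", "not well-formed XML: %s" % exc)
    return ("configured", target)

if __name__ == "__main__":
    toolkit = sys.argv[1] if len(sys.argv) > 1 else "toolkit"
    print(check_command_access_control(toolkit))
```

In a deployment that provides high availability, run the check against the toolkit on every Liberty server before the redeploy step, so that each server reports the same status.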