Providing security permissions

In an i2 Analyze security schema, you can use a security permissions provider to return permissions that add to those in the security schema file. i2 Analyze asks the provider for permissions every time a user makes a request that requires a security calculation.

Before you begin

There are two reasons for providing security permissions dynamically, and both can apply at the same time:

  • If your security schema uses dimension values providers, the only way to give users permissions that use those provided values is through a security permissions provider.

  • A security permissions provider is the only way to allocate permissions on a strictly per-user, rather than a per-group, basis. i2 Analyze sends the name and system group memberships of the current user to the provider when it asks for permissions.

To use a security permissions provider in a security schema file, you must create or acquire the Java class that contains it. For more information about creating a provider, see i2 Analyze Developer Essentials.

About this task

A security schema can use one permissions provider. To configure it, add the name of the class to the <SecurityPermissions> element in the security schema file, and make the class available to the i2 Analyze application by editing the topology file.

  1. Using an XML editor, open the security schema file for the deployment.

    The security schema file is in the toolkit\configuration\fragments\common\WEB-INF\classes directory. The name of the file is specified in the DynamicSecuritySchemaResource property of the ApolloServerSettingsMandatory.properties file in the same directory.

  2. In the <SecurityPermissions> element, add the ProviderClass attribute. For example:

    <SecurityPermissions
        ProviderClass="com.example.security.provider.SecurityPermissionsProvider">
        ...
    </SecurityPermissions>

  3. Increment the version number that is stated in the Version attribute of the <SecurityDimensions> element in the security schema file.

  4. Save and close the file.

Update the topology file so that i2 Analyze can use the provider:

  1. Copy the JAR file that contains the security permissions provider, as well as any dependencies of that file, to a new subdirectory of the fragments directory. For example, toolkit\configuration\fragments\security-permissions-provider.

  2. Using an XML editor, open the toolkit\configuration\environment\topology.xml file.

  3. Edit the <fragments> element to include the new fragment. For example:

    <fragments>
      <fragment name="opal-services-is"/>
      <fragment name="opal-services"/>
      <fragment name="common"/>
      <fragment name="default-user-profile-provider"/>
      <fragment name="security-permissions-provider"/>
    </fragments>
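
A pre-deployment check for the two edits above, added here as an example (it is not code from i2 Analyze or from Developer Essentials): it parses the security schema and topology XML and reports a missing ProviderClass, a Version that was not incremented, or a fragment that is not listed. The function name, the previous_version parameter, the integer Version, and the sample documents are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

def _named(root, name):
    """All elements with this local tag name, ignoring any XML namespace."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def check_provider_config(schema_xml, topology_xml, fragment, previous_version=None):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    schema, topology = ET.fromstring(schema_xml), ET.fromstring(topology_xml)

    # Schema step 2: ProviderClass must be set on <SecurityPermissions>.
    perms = _named(schema, "SecurityPermissions")
    if len(perms) != 1 or not perms[0].get("ProviderClass", "").strip():
        problems.append("SecurityPermissions has no ProviderClass attribute")

    # Schema step 3: Version on <SecurityDimensions> must be incremented
    # (assumed here to be an integer).
    dims = _named(schema, "SecurityDimensions")
    version = dims[0].get("Version", "") if dims else ""
    if not version.isdecimal():
        problems.append("SecurityDimensions has no numeric Version attribute")
    elif previous_version is not None and int(version) <= previous_version:
        problems.append(f"Version {version} is not greater than {previous_version}")

    # Topology step 3: the fragment that holds the provider JAR must be listed.
    listed = {f.get("name") for f in _named(topology, "fragment")}
    if fragment not in listed:
        problems.append(f"fragment '{fragment}' is not listed in topology.xml")
    return problems

# Constructed sample inputs; the root element names are assumptions.
SCHEMA = """<SecuritySchema>
  <SecurityDimensions Version="2"/>
  <SecurityPermissions
      ProviderClass="com.example.security.provider.SecurityPermissionsProvider"/>
</SecuritySchema>"""
TOPOLOGY = """<topology><fragments>
  <fragment name="common"/>
  <fragment name="security-permissions-provider"/>
</fragments></topology>"""

if __name__ == "__main__":
    for problem in check_provider_config(
            SCHEMA, TOPOLOGY, "security-permissions-provider", previous_version=1):
        print("FAIL:", problem)
```

To check a real deployment, pass the contents of the two files, read in binary mode, in place of the constructed samples.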

Redeploy i2 Analyze to update the application with your changes:

  1. In a command prompt, navigate to the toolkit\scripts directory.

  2. Stop Liberty:

    setup -t stopLiberty

  3. Update and redeploy the system:

    setup -t updateSecuritySchema
    setup -t deployLiberty

  4. Start Liberty:

    setup -t startLiberty