Custom provisioning with a user registry

When i2 Analyze is using a registry for user authentication, you can use custom provisioning to control which users and groups from the registry can access the system. To do so, you populate the registryConfig object in the provisioning-configuration.json file.

The registryConfig object contains the following properties:

userFilters

An array of strings that specify the user filters. Only users that match the filters can log in to i2 Analyze.

For example, the following filters mean that i2 Analyze will only accept users in the ou=cambridge and ou=administrators organizational units:

"userFilters": [
  "*,ou=cambridge,*",
  "*,ou=administrators"
]

groupFilters

An array of strings that specify the group filters. Only groups that match the filters can be used in i2 Analyze.

For example, the following filter means that all groups from the registry are available:

"groupFilters": [
  "*"
]

userDisplayNameMappings

An array of objects that allows you to customize the display names of users in i2 Analyze, on either an individual or a generalized basis.

For example, the first of the mappings below results in a user whose login name is "Jenny" being displayed as "Jenny Jones" in i2 Analyze. The second mapping uses a regular expression to extract the first and last names of users whose login names are email addresses in the example.com domain:

"userDisplayNameMappings": [
  {
    "fromSecurityName": "Jenny",
    "toDisplayName": "Jenny Jones"
  },
  {
    "from": "(.+)\\.(.+)@example\\.com",
    "to": "$1 $2"
  }
]

groupDisplayNameMappings

An array of objects that allows you to customize the display names of groups in i2 Analyze, in the same way as userDisplayNameMappings.

The value of the to output for each group is the value that i2 Analyze uses to determine a user's group membership, for example while evaluating their command access control permissions.
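
The following Python code is an added example, not part of i2 Analyze or its documentation. It previews which registry entries the userFilters shown above would admit and how the userDisplayNameMappings would render their login names, so that a configuration can be checked before it is deployed. It assumes that filters are tested against the whole distinguished name with * as the only wildcard, that regular expressions must match the whole login name, and that the first matching mapping wins; the function names and sample entries are constructed for illustration.

```python
import json
import re

# Constructed registryConfig, assembled from the fragments on this page. The dot
# in the domain is escaped so that it matches only a literal "." character.
CONFIG = json.loads(r'''{
  "userFilters": ["*,ou=cambridge,*", "*,ou=administrators"],
  "userDisplayNameMappings": [
    {"fromSecurityName": "Jenny", "toDisplayName": "Jenny Jones"},
    {"from": "(.+)\\.(.+)@example\\.com", "to": "$1 $2"}
  ]
}''')

def is_admitted(dn, filters):
    # Assumption: "*" matches any run of characters, all other characters are
    # literal, and the filter must match the whole distinguished name.
    for pattern in filters:
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        if re.fullmatch(regex, dn, re.DOTALL):
            return True
    return False

def display_name(security_name, mappings):
    # Assumption: the first matching mapping wins, regular expressions must
    # match the whole login name, and unmapped names are shown unchanged.
    for mapping in mappings:
        if "fromSecurityName" in mapping:
            if mapping["fromSecurityName"] == security_name:
                return mapping["toDisplayName"]
        elif (match := re.fullmatch(mapping["from"], security_name)):
            # Convert $1-style group references to Python's \g<1> form.
            return match.expand(re.sub(r"\$(\d+)", r"\\g<\1>", mapping["to"]))
    return security_name

def preview(entries, config=CONFIG):
    # Map each login name to its display name, or None if no filter admits it.
    return {name: display_name(name, config["userDisplayNameMappings"])
            if is_admitted(dn, config["userFilters"]) else None
            for dn, name in entries}

# Constructed sample registry entries: (distinguished name, login name).
SAMPLE = [
    ("cn=jenny,ou=cambridge,dc=example,dc=com", "Jenny"),
    ("cn=sam,ou=administrators", "sam.patel@example.com"),
    # Not admitted under the assumed semantics: the second filter has no trailing "*".
    ("cn=ravi,ou=administrators,dc=example,dc=com", "ravi"),
    # Admitted, but not renamed: "exampleXcom" is not the example.com domain.
    ("cn=kim,ou=cambridge,dc=example,dc=com", "kim.lee@exampleXcom"),
]
print(preview(SAMPLE))
```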