Security architecture

Authorization, which involves the security schema with its dimensions and permissions, is one part of the i2 Analyze security architecture. Another part is the authentication mechanism through which users are assigned the identifiers and group memberships that enable authorization to take place.

Authentication

At login, the Open Liberty server that hosts i2 Analyze requires clients to authenticate before they can interact with the application. As a result, the range of available authentication mechanisms is determined by the capabilities of Liberty. The requirements on the authentication mechanism are as follows:

  • The i2 Analyze application must receive user and group information that is derived from the credentials the user presents.

  • A (potentially) deployment-specific module must be able to map that user and group information onto membership of the system user groups that are named in the security permissions section of the i2 Analyze security schema.

If an authentication system can fulfill these requirements, then it is suitable for use in an i2 Analyze deployment. This documentation describes how to configure authentication that uses Liberty's built-in user registry, Microsoft Active Directory, and claims-based authentication providers including SAML and OpenID Connect.

On successful authentication, the client receives a token. During normal operation, the client passes the token back to the i2 Analyze application, which enforces data access rights with reference to the user's group memberships.

Authorization

After it receives information about a user and their group memberships from the authentication mechanism, i2 Analyze has an opportunity to augment or modify it (for example, to map from Active Directory group names to system group names) during provisioning.

When provisioning is complete, the i2 Analyze application uses the information to determine the access rights of the user to the records that it manages. The security model of i2 Analyze is based on the interaction between the security dimension values that records have, and the security permissions that user groups convey.
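The two steps described above (provisioning that maps directory group names onto system user groups, then an access decision that combines a record's security dimension values with the permissions those groups convey) can be illustrated with a small model. The following is an added example, not code from i2 Analyze or this documentation: the group names, dimensions, permission levels and the combining rules (highest level across the user's groups within a dimension, lowest level across dimensions, deny when a dimension has no matching permission) are assumptions chosen for illustration, not the product's own algorithm or API.

```python
"""Illustrative model of provisioning followed by a record-level access decision.

Assumed, simplified rules (not i2 Analyze's own implementation):
- A permission grants a system group an access level for one value of one dimension.
- Within a dimension, the user's level is the highest level any of their groups
  holds for any value the record carries in that dimension.
- Across dimensions, the record's level is the lowest per-dimension level, so the
  user must satisfy every dimension; a dimension with no matching permission
  yields NONE (deny by default).
"""
from __future__ import annotations
from dataclasses import dataclass

# Ordered access levels (assumed names and ordering).
NONE, READ_ONLY, UPDATE = 0, 1, 2
LEVEL_NAMES = {NONE: "NONE", READ_ONLY: "READ_ONLY", UPDATE: "UPDATE"}

# Dimensions that every access decision must consider (constructed schema).
DIMENSIONS = ("Classification", "Compartment")

# Constructed mapping from directory (e.g. Active Directory) group names to the
# system user group names that the security permissions refer to.
DIRECTORY_TO_SYSTEM_GROUPS = {
    "CN=Analysts,OU=Groups,DC=example,DC=com": "Analysts",
    "CN=Clearance-Secret,OU=Groups,DC=example,DC=com": "Secret",
}


@dataclass(frozen=True)
class Permission:
    group: str       # system user group
    dimension: str   # security dimension name
    value: str       # dimension value the permission applies to
    level: int       # access level conveyed


# Constructed permissions: what each system group conveys per dimension value.
PERMISSIONS = [
    Permission("Analysts", "Classification", "Unclassified", UPDATE),
    Permission("Analysts", "Classification", "Confidential", READ_ONLY),
    Permission("Secret", "Classification", "Secret", READ_ONLY),
    Permission("Analysts", "Compartment", "OSINT", UPDATE),
    Permission("Secret", "Compartment", "HUMINT", READ_ONLY),
]


@dataclass
class Record:
    name: str
    dimension_values: dict[str, set[str]]


def provision(directory_groups: list[str]) -> set[str]:
    """Map directory group names onto system groups.

    Directory groups with no mapping are dropped, so a user never acquires a
    system group that the deployment-specific mapping does not define.
    """
    return {DIRECTORY_TO_SYSTEM_GROUPS[g] for g in directory_groups
            if g in DIRECTORY_TO_SYSTEM_GROUPS}


def access_level(system_groups: set[str], record: Record,
                 permissions: list[Permission] = PERMISSIONS) -> int:
    """Return the user's access level to the record under the assumed rules."""
    result = UPDATE
    for dimension in DIMENSIONS:
        values = record.dimension_values.get(dimension, set())
        best = NONE  # no matching permission in this dimension means no access
        for p in permissions:
            if p.group in system_groups and p.dimension == dimension and p.value in values:
                best = max(best, p.level)
        result = min(result, best)  # every dimension must be satisfied
    return result


if __name__ == "__main__":
    analyst = provision(["CN=Analysts,OU=Groups,DC=example,DC=com"])
    cleared = provision(["CN=Analysts,OU=Groups,DC=example,DC=com",
                         "CN=Clearance-Secret,OU=Groups,DC=example,DC=com"])
    secret_humint = Record("Source report", {"Classification": {"Secret"},
                                             "Compartment": {"HUMINT"}})
    for label, groups in (("analyst", analyst), ("cleared", cleared)):
        print(label, "->", LEVEL_NAMES[access_level(groups, secret_humint)])
```

The deny-by-default branch is the part worth keeping in mind when writing a real provisioning module: a record that carries a value no group has a permission for, or a dimension the user's groups do not cover at all, resolves to no access rather than falling through to the level granted by another dimension.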

i2 Analyze also uses group membership to determine user access to some features of the application. For more information about that aspect of authorization, see Controlling access to features.