The item type security configuration file

The type-access-configuration.xml file controls which users get access to each of the item types declared in the schema. The set of permitted XML elements in an item type security configuration file is relatively small.

Root element

<TypePermissions>

<TypePermissions> is the root element of the item type security configuration file. In the file that deployments of i2 Analyze receive by default, the element is empty and its name carries the tns namespace prefix:

<tns:TypePermissions DefaultSchemaShortName="...">
  ...
</tns:TypePermissions>

The <TypePermissions> element has a single, optional attribute named DefaultSchemaShortName. If the item types that you want to constrain are all or mostly defined in a particular schema, then it is efficient to provide the short name of that schema here.

When the <TypePermissions> element is empty, there are no item type constraints on the records that users can see.

Item type elements

<ItemType>

The <TypePermissions> root element supports any number of child <ItemType> elements that specify the type security permissions. <ItemType> is the only permitted child of <TypePermissions>:

<TypePermissions>
  <ItemType Id="..." SchemaShortName="...">
    ...
  </ItemType>
  ...
</TypePermissions>

The <ItemType> element has two attributes: Id, which is mandatory; and SchemaShortName, which is optional:

  • Id is the identifier of the item type, as defined in the schema that contains it.

  • SchemaShortName is the short name of the schema that contains the item type. When this attribute is set, it overrides DefaultSchemaShortName in the parent element.

Each item type for which the file contains permissions appears in exactly one <ItemType> element. If an <ItemType> element is empty, however, it is as if that element does not exist.

<Allow>

The item type security model assumes that when you control access to a particular type, you usually want only users in particular system groups to be able to see records of that type.

The <ItemType> element supports a single <Allow> child element. As soon as you add the element, access to the type is denied to all groups that are not specifically mentioned:

<TypePermissions>
  <ItemType Id="...">
    <Allow>
      ...
    </Allow>
  </ItemType>
  ...
</TypePermissions>

The <Allow> element has no attributes. If an <ItemType> element has an empty <Allow> child element, then only users who have the i2:Administrator command access permission can see records of that type.

<UserGroup>

The <Allow> element supports any number of child <UserGroup> elements. Members of each system user group that you specify (as well as users who have the i2:Administrator command access permission) are allowed to see records that have the parent item type:

<TypePermissions>
  <ItemType Id="...">
    <Allow>
      <UserGroup Name="..."/>
      ...
    </Allow>
  </ItemType>
  ...
</TypePermissions>

The <UserGroup> element has a single, mandatory Name attribute. For each system user group that should have permission to see records of the specified type, the <Allow> element must contain a <UserGroup> element whose Name attribute is set to the name of the user group.
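The rules described above, as an added example that is not part of i2 Analyze or its documentation: a small Python checker that parses a constructed type-access-configuration.xml document and applies the semantics on this page (an empty <ItemType> is ignored, an empty <Allow> admits only users with i2:Administrator command access, and SchemaShortName overrides DefaultSchemaShortName). The namespace URI, schema short names, type identifiers and group names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample file (not the product's default); the tns namespace URI is
# a placeholder because the page does not give it, so tags are matched by local name.
SAMPLE_XML = """<tns:TypePermissions xmlns:tns="urn:example:placeholder"
                     DefaultSchemaShortName="law-enforcement">
  <tns:ItemType Id="ET5">
    <tns:Allow>
      <tns:UserGroup Name="Analysts"/>
      <tns:UserGroup Name="Investigators"/>
    </tns:Allow>
  </tns:ItemType>
  <tns:ItemType Id="ET7" SchemaShortName="intelligence">
    <tns:Allow/>
  </tns:ItemType>
  <tns:ItemType Id="ET9"/>
</tns:TypePermissions>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the namespace URI

def parse_type_permissions(xml_text):
    """Map (schema, type id) -> allowed group names, or None for no constraint."""
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "TypePermissions":
        raise ValueError("root element must be TypePermissions")
    default_schema = root.get("DefaultSchemaShortName")
    rules = {}
    for item in root:
        if _local(item.tag) != "ItemType" or item.get("Id") is None:
            raise ValueError("only <ItemType Id=...> may appear under the root")
        schema = item.get("SchemaShortName") or default_schema  # override default
        allows = [c for c in item if _local(c.tag) == "Allow"]
        if not allows:
            rules[(schema, item.get("Id"))] = None  # empty ItemType: as if absent
            continue
        if len(allows) != 1:
            raise ValueError("ItemType supports a single Allow child")
        groups = {g.get("Name") for g in allows[0] if _local(g.tag) == "UserGroup"}
        rules[(schema, item.get("Id"))] = groups  # empty set: administrators only
    return rules

def can_see(rules, schema, type_id, user_groups, is_admin=False):
    """True if a user in user_groups may see records of the given item type."""
    allowed = rules.get((schema, type_id))
    if allowed is None or is_admin:
        return True  # no constraint on this type, or i2:Administrator access
    return bool(allowed & set(user_groups))
```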