Vetasi Blog Posts

Maximo User Security – Part 2

Security Controls

Setting up a new user, or changing the various settings for a user in Maximo, is bread and butter for an Admin. However, there are a few parts of the system that are not used very often, and these articles are going to go through them.

Some of the dialogues are used in combination to get a desired result, others are actually offering a duplication or another way to do the same thing.

These articles are going to take you through the Security Control options.

The Security Controls dialogue is accessed via the select action menu, or the left-hand pane depending on your system set up. We will be going through a V7.6 screenshot, but the dialogue is similar in all V7 versions.

The dialogue is made up of 4 main sections, each with unique functionality for user interaction with the system.

In the first article we went through the first 2 sections, User defaults and login tracking. In this second part we will go through the rest of the dialogue box.

Automatic Password Generation

This short section has the communication template that will be used by the system to email a new password out, if that functionality is to be used.

The flag below this is for generating the password automatically for the user. If the top option is selected, the person creating the user will not see the password for the new user, nor will they be able to add one manually. The system will email it to the user using the listed communication template (in this case PWRESET), so the user MUST have an email address associated with the account. Some companies have users that do not need an email account for their work, so this option cannot be used for them as standard. A change is possible to make this option available in these circumstances: if the application design is changed so that the option to automatically email the password is made read/write, it can then be changed. If you would like this change made in your system, contact Vetasi or Vetasi Support if you are a client and we can assist you.

The communications template can be customised to provide additional reminders, e.g. the password rules if the password is set to expire when the user first logs in. There is nothing more frustrating than coming up with a password and then having it rejected because you broke a rule that you didn't even know about. When multiple environments are being used, the template should be customised to include a reference to the environment, e.g. TEST. Adding this reference will avoid people trying to use the TEST password on the production system. Be careful about relying on the URL included in the PWRESET template: it is built from a system property that often isn't changed when the production database is copied to other systems, so a TEST email can point users at the production URL.

Figure 3 – Password options

Figure 4 – Password Requirements

The second option allows the creator of the user to enter a password manually or generate one with a button click. Informing the user of the new ID and password is then a manual step. This option should be selected for users that do not have an email address in the system.

Password Requirements

This last section is really made up of several sections, but they all relate to each other as they are to do with passwords.

The first section has the minimum password length, again the policies of the company will help with defining this number.

Along with the minimum length of the password, you can also set how many repetitions of a character are allowed. With the limit set to 2, for example, Sally would be allowed, but SaLLLy would not. Lastly, you can set whether the login ID can be used as part or all of the password. Systems with dummy data in them usually have this flag ticked so that a demo user can have the same username and password. In a production system, this flag should be unticked.

Next, we have 2 sections which do very similar things. The flags on the left enforce rules on the content of the password, such as requiring UPPER case letters and lower case letters. You can also force the password to contain a number and/or a special character. On the right-hand side, you can set whether the first and last characters of the password are allowed to be a number or a special character. If a flag is off, that position must not be that type of character.

Excluded Passwords

As the name implies, our final section allows admins to maintain a list of banned or disallowed words and phrases.  If a user tries to use one of these as a password, they will get an error message that this is not a valid password.

The usual initial suspects for this list would be "Maximo", "password" and 123456. These would be followed by the company name, in the several ways users are likely to turn it into a password.
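To see how the Password Requirements and Excluded Passwords settings above combine, here is a small policy checker, added as an example for this article; it is not Maximo's own code and not from Vetasi. It models the controls described (minimum length, repeated characters, login ID in the password, character-class requirements, first/last character rules and an excluded list) so candidate passwords can be tested against them. The exact rule semantics are assumptions: "repetitions" is read as consecutive repeats of one character, and excluded-password matching is case-insensitive. The policy values, the user names and the company name are made up.

```python
# Added example (not Vetasi's or IBM Maximo's code): a password-policy
# checker modelling the Security Controls described in the article.
# Assumptions: "repetitions" = consecutive repeats of one character
# (compared case-insensitively); excluded passwords match case-insensitively;
# "special" = any ASCII punctuation character.
import string
from dataclasses import dataclass, field

SPECIALS = set(string.punctuation)


@dataclass
class PasswordPolicy:
    """One field per control in the Security Controls dialogue (values assumed)."""
    min_length: int = 8
    max_repeated_chars: int = 2          # longest run of one character allowed
    allow_login_id_in_password: bool = False
    require_upper: bool = True
    require_lower: bool = True
    require_number: bool = True
    require_special: bool = True
    allow_first_char_number: bool = False
    allow_first_char_special: bool = False
    allow_last_char_number: bool = True
    allow_last_char_special: bool = True
    excluded_passwords: set = field(default_factory=set)   # stored lower-case


def longest_run(s: str) -> int:
    """Length of the longest run of the same character, ignoring case."""
    best = run = 0
    prev = None
    for ch in s.lower():
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def company_name_variants(name: str) -> set:
    """The obvious ways a company name gets turned into a password (assumed list)."""
    base = name.lower()
    return {base, base + "1", base + "01", base + "123", base + "!", "1" + base}


def check_password(password: str, login_id: str, policy: PasswordPolicy) -> list:
    """Return the rules the password breaks; an empty list means it is accepted."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if longest_run(password) > policy.max_repeated_chars:
        problems.append(f"a character repeats more than {policy.max_repeated_chars} times")
    if not policy.allow_login_id_in_password and login_id.lower() in password.lower():
        problems.append("contains the login ID")
    if policy.require_upper and not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if policy.require_lower and not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if policy.require_number and not any(c.isdigit() for c in password):
        problems.append("no number")
    if policy.require_special and not any(c in SPECIALS for c in password):
        problems.append("no special character")
    if password:
        first, last = password[0], password[-1]
        if first.isdigit() and not policy.allow_first_char_number:
            problems.append("first character may not be a number")
        if first in SPECIALS and not policy.allow_first_char_special:
            problems.append("first character may not be a special character")
        if last.isdigit() and not policy.allow_last_char_number:
            problems.append("last character may not be a number")
        if last in SPECIALS and not policy.allow_last_char_special:
            problems.append("last character may not be a special character")
    if password.lower() in policy.excluded_passwords:
        problems.append("password is on the excluded list")
    return problems


# Constructed policy: the article's "usual suspects" plus a made-up company name.
DEMO_POLICY = PasswordPolicy(
    excluded_passwords={"maximo", "password", "123456"} | company_name_variants("Vetasi")
)

if __name__ == "__main__":
    for pw in ("Sally", "SaLLLy", "Vetasi123", "7Wrench!Kit", "Wrench!7Kit"):
        print(f"{pw!r:14} -> {check_password(pw, 'jsmith', DEMO_POLICY) or 'accepted'}")
```

Running the block shows why a user's first guess tends to be rejected: "Vetasi123" fails both the special-character rule and the excluded list, and "7Wrench!Kit" fails only because the first character is a number, which is exactly the kind of rule worth spelling out in the PWRESET template.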

That completes the security controls options part of these articles. In the last article we will discuss another less used part of the user security, password hints and resets.

Summary

The security options can help to make the system more secure, especially if LDAP is not being used. However, be cautious of being too restrictive with the settings as you will find you do not get the resulting behaviour you thought you would from users.

Part 1 in this series is available here.

If you have any feedback on this article or feedback of other topics you would like us to feature please email enquiries@vetasi.com.