The use of security groups in Maximo can be a cause of confusion and frustration if not implemented correctly. Business is always changing and giving yourself a clear and flexible methodology in the security of users will help make changes down the line easier, and therefore cheaper to implement. After all the only real constant in business is change.
I may well write a follow up blog on methodologies for security in Maximo along with some pointers on the way to do it. This article will mainly concentrate on the often misunderstood “Independent of Other Groups” flag on the security group.
Security groups in Maximo determine which applications and menu items users have access to as well as some conditional interface options. For each user, you specify their rights by assigning them membership in one or more groups.
You can configure security groups to provide very limited access or wide-ranging access to applications, sites and labour. You can also provide access to approval limits and tolerances.
Maximo uses sites as the initial level of security for multi-site implementations; a security group can give access to one, all or any number of sites as required. To provide flexibility, when you build the security structure for your organisation, you can also choose between two types of security groups; independent and non-independent. When creating a security group, you specify which type of group it is.
If the group is non-independent (Flag unchecked) then the rights in that security group will be merged with the other groups that the user is a member of. The user will be granted the highest access based on the combined rights in the security group. An example of this is shown below.
Group 1 – Access to Site UKFM, allowed to View, create and delete Assets, also approve PO up to £5,000.
Group 2 – Access to Site UKFS, allowed to View, create and delete Locations, £0 PO approval limits and £500 PR Approval limit.
Group 3 – Access to site UKFS, can view Assets, View, create and delete Labour and approve a PO to £10,000.
With these groups set as non-independent the following user access would be given:-
User 1 member of Group 1, 2 and 3 Has access to sites UKFM and UKFS, can View, create and Delete Assets, locations and Labour in both sites and can approve a PO up to £10,000 in both sites. Can approve a PR up to £500 for both sites.
User 2 member of Group 2 has no access to UKFM data and cannot View, create or delete Assets. Can View, create and delete Locations in UKFS site. Can approve PRs for UKFS site only up to £500 but cannot approve any PO.
User 3 member of Group 3 Has access to site UKFS only, can View Assets and labour in that site, as well as add, save and delete Labour. Can also approve a PO for the site up to £10,000.
An independent security group has access rights and privileges that cannot be combined with those from other groups, however, you get the highest privileges available from each of the independent groups you belong to. If this option is selected, you must grant that group access to at least one site and one application. Using the same groups as before with the same options but set as independent groups, will give the following user access:-
User 1 member of Group 1, 2 and 3 can View, create, Save and Delete both Locations and Labour for site UKFS. Can View Assets for site UKFS. Can View, Add, save and delete locations for UKFM site. Can approve a PO for UKFM site up to £500 and for UKFS site up to £10,000. Can approve a PR for up to £500 for UKFS site only.
User 2 Member of Group 2 has no access to UKFM data and can view, create, save or delete Locations in UKFS site. Cannot approve any PO but can Approve a PR to £500 for UKFS site.
User 3 Member of Group 3 Has access to site UKFS only, can View Assets and labour in that site, as well as add, save and delete Labour. Can also approve a PO for the UKFS site up to £10,000.
If you want to see a video demonstrating this functionality then IBM have a training one on You Tube which is accessible from here. Click here for IBM Security video.