Security groups and application authorizations

We all know how flexible Security Groups are when dealing with user roles and granting application authorizations. However, flexibility often brings complexity.
You have carefully designed user’s roles defining what applications and actions they are allowed to access in Maximo and implemented all using Security Groups application. The system goes live and after one or two years everything is messed up. Is too hard to check who has access to what and you no longer sure if the young electrician that was just hired 2 months ago has access to Database Configuration or Application Designer  🙂

Maximo has a built-in report called Security Group Access that can help but I hardly find it useful. In my opinion it is too detailed to get an overall idea of the security configuration. For example, I’m now working on a medium-sized Maximo solution with 20 security groups and around 250 users. Well… the ‘Security Group Access’ report is 89 pages long!

That was not going to work. I needed I better solution for my purpose so I decided to open my preferred SQL client and Eclipse BIRT Designer to have some fun. Results were pretty good so I have decided to share them with the Maximo community.

I came up with two custom reports that give me a quick grasp of the setup of user’s authorizations. The first one is called Security Overview and simply lists all the Security Groups and Start Centers counting how many users are assigned to them.

The second report is called Application Security Overview. It tries to represent which security groups provide access to applications. It is not an easy task to represent so many information in a single report but I’m finally proud of the results so here is what I have achieved to get.

The report lists all the applications in the rows and the security groups in the columns. The cell is yellow if read access is granted, orange if write access is granted, the number is the count of sigoptions granted.
The report can easily get too big if more than 20 security groups are defined so I decided to accept a list of security groups as filter so I can analyze smaller sets of data separately.

Download and installation instruction is available here.

Any feedback is highly appreciated.

Security groups and application authorizations

12 thoughts on “Security groups and application authorizations

  1. Muchisimas Gracias Bruno!!! Excelente articulo y superutil para la Administracion de MAXIMO. Realmente si aprendieramos a trabajar en "comunidad" seria un gran avance para nuestras sociedades, este es un claro ejemplo.

  2. Hi Bruno!
    I use Birt reports in the MAXIMO environment, And they work perfectly. I would like to run the report separately from Maxim as it does the eclipse development environment. I try to use genReport.bat from birt runtime. genReport.bat -f HTML -o outp.html C:\MaxRep\ListCommod.rptdesig (report without any paraments) but got error org.eclipse.birt.report.model.parser.DesignParserException (code = Error.DesignParserException.FILE_NOT_FOUND, message : The file "MaximoSystemLibrary.rptlibrary" is not found.) and many other… Looks like I'm doing something wrong.

    How can I run the Birt report separately from the Eclipse or Мaximо?

  3. Hi Bruno,

    Many thanks for the report.Just a suggestion,We need to put a logic to remove the inactive users from the report.

  4. Appreciate if you can send the zip file to my email ID as the download link is showing 404 error.

  5. Report is great but how can I use MxLoader to manage the Application settings? I dont see any MXL Sheets having the SIGOPTION MBO? AM I missing it? Has anyone added the SIGOTION MBO to the MXL_MAXGROUP?

    Thanks in advance,
    Miller

    1. I just realized the ApplicationAuth is to do it but it just does not seem to work. When I pull data from one env on the MXL_MAXGROUP and run it on another env I am not seeing the group (MAXADMIN) Granted all the same permissions I gave to the MAXADMIN in the env I pulled from where I manually clicked all the checkboxes to grant rights.

      please help,
      Miller

      1. So, wow.. What and adventure this was but I figured a solution that is not pretty but gets the job for most part done…. I am convinced there are bugs in Maximo limiting this for some reason…

        Issue one.. AppAuth table in 7.6.1.1 now contains rows for OS (Object Structures) and WC (work Centers). This stops the MXL_MAXGROUP from properly working as it will pull in these non app objects that fail to insert to the table.. The MXL would need the MAXAPPS object as that has the apptype column to distinguish these types but when I included it it them jacked up my apps and I had to restore a DB backup…

        Final solution is 2 steps.
        1. Create a custom OS that is just based on the AppAuth MBO. Pull out the MAXADMIN settings WHERE optionname = ‘SAVE’ … As you see on front end of Maximo you must create a SAVE option for all your apps before you can check the INSERT, DELETE etc… Make it a Sync-Add option (dont use AddChange as it will break existing records,)
        2. Create a second sheet that uses same custom object and and pull all the options. Make it a Sync-Add option (dont use AddChange as it will break existing records,)

        The second sheet will throw many error as it hits these Object Structure and Work Center records..

        I found I still had to go in and manually fix all the Work Center options that were missed and the corresponding Object Structure permissions on the Work Center Apps… ESPECIALLY all the MXAPI**** options…

        If anyone finds better way to move all the MAXADMIN options from one new env to another new env I would love to hear as I am sure I am not doing it right but it worked (somewhat). Still had to do some manual. I am convinced there are bugs in Maximo with some options not able to be updated..

        Hope this helps anyone esle.

        Miller

  6. How do I filter the Security App report in Excel to make it easier to read? Your note said, “The report can easily get too big if more than 20 security groups are defined so I decided to accept a list of security groups as filter so I can analyze smaller sets of data separately.”

  7. is it correct that when you mark an application read only but grant access to dialog boxes, data are still editable withing the dialogs? (7609)

  8. Thanks for this Bruno, I am running a MaxTECH User Group meeting at the next MUWG in Dallas, and the topic of my presentation is called “Get a Grip on your Maximo Security Groups”. I hope I can include a reference to these reports and give you credit for this approach.
    Once I have completed my presentation, I will send you a copy for your reference.

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to top