Security groups overview

You use security groups to grant read, insert, save, or delete access to the applications, actions, and data that users can access. Predefined security groups are provided to enable basic functionality, but until you create security groups and add users to them, users cannot access sites, start centers, applications, and work centers.

All users are automatically added to the predefined DEFLTREG and EVERYONE security groups to enable initial login and minimum system functionality. The predefined MAXADMIN security group enables members to create security groups and user records after installation. Security groups can provide broad authorizations to many applications, or you can take a modular approach by adding users to multiple groups that grant fewer access privileges. You can specify different levels of authorization, which can be a combination of read, insert, save and delete, or all levels.

When you add users to multiple groups, authorizations are combined across the groups in most cases. However, if you specify that a security group is independent of other groups, the privileges do not combine with privileges from other groups.

In multisite implementations, the security architecture is designed to use sites as the first level of security. If your company has multiple sites, you can create a group for each site. You can then create functional groups, such as administration or maintenance, to grant functional privileges. Combined membership of site groups and functional groups provides users with modular sets of security privileges. If you create an independent group, you must grant access to at least one site and one application because privileges cannot be combined with other groups.

To enable access to work centers, you must create a separate security group for each work center. A template is provided for each work center group that enables default privileges for the work center. You can apply the template, or you can duplicate it to create a user-defined group where you can modify the default privileges.

If you are using Maximo Asset Management authentication, you create security groups in the Security Groups application. If you are using the application server for LDAP authentication, users and security groups are managed on the directory server and you schedule a cron task to synchronize this information into the Maximo® database. You configure access privileges for the imported security groups in the Security Groups application.

You can configure the following authorizations and restrictions for security groups:
Sites
Grant access to all sites, individually selected sites, or no site. If site access is not authorized for a group, members must also be members of a group that grants site access.
Applications
Grant access to applications, including work centers, and configure signature options for individual applications.
Object structures
Grant access to object structure APIs to enable users to exchange data with work centers and external applications.
Storerooms
Grant access to users to perform inventory transactions with all storerooms or in specific storerooms.
Labor
Grant access to all labor records, sets of labor records, or to individual labor records.
General Ledger Components
Grant access to all general ledger components or to individual records.
Limits and Tolerances
Specify approval limits on the value of purchase orders, purchase requests, material requisitions, invoices, and contracts. You can also specify the amount that invoices, taxes, and services can deviate from an initial agreement.
Data restrictions
Restrict access to data in applications and fields. You can also specify conditions when data restrictions apply. You define conditional expressions in the Expression Manager application.