Authorizations for security groups
A security group grants its members access to start centers, applications, Work Centers, and object structures. The access options can be read, insert, save, and delete. You can use conditions to hide fields, tabs, and menus from group members, and you can set data restrictions on objects and attributes.
Start center access
You can specify a default start center for a security group to provide quick access to the tools and key performance indicators that members need. When users log in, they see a start center based on a template for their security group. If users belong to more than one security group, they can see tabs representing a start center page for each security group. You can grant users authorization to configure their start centers. You control the portlets that users can view and can configure.
Operational Dashboard access
Security permission scenarios | Description |
---|---|
Create private dashboard | |
Create public dashboard | |
Delete public dashboard | |
Hide public dashboard | |
Read public dashboard | |
Work Center access
Security group templates are provided for Work Centers and Tools and Tasks application types. You can duplicate a template to create a user-defined Work Center security group, or you can apply the template to use the default security options provided for the Work Center. When a user logs in, the Work Center landing page opens and contains the Work Centers and Tools and Tasks that the user is authorized to access.
The Work Center landing page includes a link to the landing page for Maximo® Manage. If you want Work Center users to have access to standard Maximo Manage applications, they must also be members of a security group that grants access to these applications.
Application access levels
You can grant access for a security group to all options for an application or you can restrict access to only specific options. For example, in a security group for managers, you can grant access to read work order histories, costs, and warranties, but not to insert work orders or service requests. You must configure each application for read access so that users can select additional application access options.
When you specify an access option for an application, related options are set. Read access also grants the standard system options of clear, bookmark, next, previous, viewhist, and drilldown. Insert access for an application also grants save access. The following table describes the related options for each access option.
Standard options | Relationships between options |
---|---|
Standard prerequisite | |
Prerequisite | |
Standard also grants | |
Also grants | |
Standard also revokes | |
Also revokes | |
The relationships between options in individual applications can sometimes vary. Access options for applications are stored in the SIGOPTION table in the database. You can use an SQL editor to search the SIGOPTION table.
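When you review a security group, the options that are granted directly are only part of the picture, because related options are set with them. The following added example (not product code) expands a set of granted options through their also-grants relationships and reports unmet prerequisites. It runs against an in-memory SQLite stand-in for SIGOPTION; the column names, the comma-separated value format, and the EXAMPLEAPP rows are assumptions that you must check against your own database.

```python
import sqlite3

# Constructed sample, not an export from a real system. The column names
# (APP, OPTIONNAME, ALSOGRANTS, PREREQUISITE), the comma-separated value
# format and the EXAMPLEAPP rows are assumptions made for this example.
SAMPLE_ROWS = [
    ("EXAMPLEAPP", "READ", "CLEAR,BOOKMARK,NEXT,PREVIOUS,VIEWHIST,DRILLDOWN", None),
    ("EXAMPLEAPP", "INSERT", "SAVE", "READ"),
    ("EXAMPLEAPP", "SAVE", None, "READ"),
    ("EXAMPLEAPP", "DELETE", None, "SAVE"),
]

def load_sample():
    """Build an in-memory stand-in for the SIGOPTION table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE SIGOPTION (APP TEXT, OPTIONNAME TEXT, "
               "ALSOGRANTS TEXT, PREREQUISITE TEXT)")
    db.executemany("INSERT INTO SIGOPTION VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return db

def _split(value):
    """Turn a comma-separated column value (or NULL) into a set of names."""
    return {v.strip() for v in (value or "").split(",") if v.strip()}

def effective_options(db, app, granted):
    """Return (effective, missing): the granted options expanded with all
    options they also grant, and unmet prerequisites per effective option."""
    rows = db.execute(
        "SELECT OPTIONNAME, ALSOGRANTS, PREREQUISITE FROM SIGOPTION "
        "WHERE APP = ?", (app,)).fetchall()
    also = {name: _split(g) for name, g, _ in rows}
    prereq = {name: _split(p) for name, _, p in rows}
    effective, pending = set(), list(granted)
    while pending:  # follow also-grants chains until nothing new appears
        opt = pending.pop()
        if opt not in effective:
            effective.add(opt)
            pending.extend(also.get(opt, ()))
    missing = {}
    for opt in effective:
        unmet = prereq.get(opt, set()) - effective
        if unmet:
            missing[opt] = sorted(unmet)
    return effective, missing

if __name__ == "__main__":
    eff, miss = effective_options(load_sample(), "EXAMPLEAPP", ["INSERT"])
    print(sorted(eff), miss)
```

To use it on real data, replace `load_sample()` with a read-only connection to the product database and pass the options that your review found granted to the group.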
Object structure access
Object structure access authorizes group members to access specified object structure APIs to support the integration of data with external applications.
Conditional access
You can define conditions, either as expressions or as custom class files, and use them to control access to applications and to controls in applications. In the Security Groups application, you can use conditions, for example, to restrict access to application fields and tabs to certain users or to restrict a field to read-only access. Conditional access is granted in the Security Groups application. If a user is in multiple security groups, the highest level of access is granted when the security groups are combined.
Data restrictions
Data restrictions on objects and attributes limit the data that is available to group members, hide records, or make records read-only. Because these restrictions exist at the data level, the restrictions apply to any user interface element or application that uses an object or attribute.
Data restrictions provide the following ways to restrict access to data for groups of users:
- You can make an object hidden or read-only, conditionally or unconditionally, for all Maximo Manage users, or for members of a specific security group.
- You can associate an object with a condition to qualify the data that is returned by the database. This configuration differs from one in which data is fetched from the database but is hidden under a certain condition. Qualified data restrictions apply only to primary level objects in lookup menus and dialog windows that are configured to allow them.
- You can set data restrictions for attributes within objects, either with or without an application specified.
- Data restrictions for a security group supersede any restrictions that you set in the Application Designer application.
- Data restrictions that you set in the Security Groups application apply wherever an attribute is used, while Application Designer configurations do not.
- Application Designer configurations are always for one application. Configurations that use data restrictions can apply to all applications that use the object or attribute or to one specific application.
- If you create a data restriction on an object, the restriction does not apply to views of that object. For the restriction to apply to all views of the object, you create a separate restriction for each view.