Security groups overview

You use security groups to grant read, insert, save, or delete access to the applications, actions, and data that users can access. Predefined security groups are provided to enable basic functionality, but until you create security groups and add users to them, users cannot access sites, start centers, applications, and work centers.

All users are added to the DEFLTREG group and to the group that is specified by the value of the NEWUSERGROUP varname in the MAXVARS table. The default value of the NEWUSERGROUP varname is MAXEVERYONE. Users that are upgraded from is are assigned to groups that are defined by the values of the NEWUSERGROUP and ALLUSERGROUP varnames in the MAXVARS table.

Security groups can provide broad authorizations to many applications, or you can take a modular approach by adding users to multiple groups that grant fewer access privileges. You can specify different levels of authorization, which can be a combination of read, insert, save and delete, or all levels.

When you add users to multiple groups, authorizations are combined across the groups in most cases. However, if you specify that a security group is independent of other groups, the privileges do not combine with privileges from other groups.

In multisite implementations, the security architecture is designed to use sites as the first level of security. If your company has multiple sites, you can create a group for each site. You can then create functional groups, such as administration or maintenance, to grant functional privileges. Combined membership of site groups and functional groups provides users with modular sets of security privileges. If you create an independent group, you must grant access to at least one site and one application because privileges cannot be combined with other groups.
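A simplified model of the combining rule described above, added here as an illustration and not IBM code: it assumes that non-independent groups pool their sites and application levels, and that an independent group's application levels apply only at the sites that the same group authorizes. The group, site, and application names are constructed sample values.

```python
from dataclasses import dataclass, field

@dataclass
class Group:
    name: str
    independent: bool = False
    sites: set = field(default_factory=set)    # site IDs the group authorizes
    apps: dict = field(default_factory=dict)   # application -> set of levels

def effective_access(groups):
    """Return {(site, app): levels} for a user who belongs to all `groups`."""
    access = {}

    def grant(sites, apps):
        for site in sites:
            for app, levels in apps.items():
                access.setdefault((site, app), set()).update(levels)

    pooled_sites, pooled_apps = set(), {}
    for g in groups:
        if g.independent:
            # Assumption: an independent group's levels pair only with its own sites.
            grant(g.sites, g.apps)
        else:
            pooled_sites |= g.sites
            for app, levels in g.apps.items():
                pooled_apps.setdefault(app, set()).update(levels)
    grant(pooled_sites, pooled_apps)  # site groups combined with functional groups
    return access

def unusable_independent_groups(groups):
    """Independent groups that lack a site or an application grant nothing."""
    return [g.name for g in groups if g.independent and not (g.sites and g.apps)]

# Constructed sample memberships for one user.
SAMPLE_GROUPS = [
    Group("SITE_BEDFORD", sites={"BEDFORD"}),
    Group("MAINT", apps={"WOTRACK": {"read", "insert", "save"}}),
    Group("CONTRACTOR_NASHUA", independent=True,
          sites={"NASHUA"}, apps={"WOTRACK": {"read"}}),
    Group("AUDIT_IND", independent=True, apps={"PO": {"read"}}),  # no site
]

if __name__ == "__main__":
    for key, levels in sorted(effective_access(SAMPLE_GROUPS).items()):
        print(key, sorted(levels))
    print("review:", unusable_independent_groups(SAMPLE_GROUPS))
```

In an access review, the second function flags independent groups that grant nothing on their own, and the first shows that the save level from the functional group does not reach the site that only the independent group authorizes.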

To enable access to work centers, you must create a separate security group for each work center. A template is provided for each work center group that enables default privileges for the work center. You can apply the template, or you can duplicate it to create a user-defined group where you can modify the default privileges.

If you are using in authentication, you create security groups in the Security Groups application. If you manage users in an LDAP user registry, you create groups in the user registry and synchronize the data to Maximo® Application Suite so that it can be synchronized to in . Map your LDAP groups to in security groups before you synchronize them to the suite. You can configure more access privileges for the imported security groups in the Security Groups application.

You can configure the following authorizations and restrictions for security groups:
Sites
Grant access to all sites, individually selected sites, or no site. If site access is not authorized for a group, members must also be members of a group that grants site access.
Applications
Grant access to applications, including work centers, and configure signature options for individual applications.
Object structures
Grant access to object structure APIs to enable users to exchange data with work centers and external applications.
Storerooms
Grant users access to perform inventory transactions in all storerooms or in specific storerooms.
Labor
Grant access to all labor records, sets of labor records, or to individual labor records.
General Ledger Components
Grant access to all general ledger components or to individual records.
Limits and Tolerances
Specify approval limits on the value of purchase orders, purchase requests, material requisitions, invoices, and contracts. You can also specify the amount that invoices, taxes, and services can deviate from an initial agreement.
Data restrictions
Restrict access to data in applications and fields. You can also specify conditions when data restrictions apply. You define conditional expressions in the Expression Manager application.