Authentication of Maximo Anywhere users
To log in to a Maximo Anywhere app, users must be authenticated by using the credentials they use to access Maximo® Asset Management.
You define users for the Maximo Anywhere apps in the provider application, Maximo Asset Management. Maximo Asset Management supports native authentication and application server security. With native authentication, users are authenticated against records in the Maximo database. With application server security, the Maximo server is configured to refer authentication requests to an external directory server that implements Lightweight Directory Access Protocol (LDAP). If Maximo Asset Management is configured for application server security, you must also configure Maximo Anywhere to use this method.
To log in to a Maximo Anywhere app, users must enter the user name and password that they use in Maximo Asset Management. Credentials must be validated by the Maximo server before the app can communicate with the server. For offline work, credentials can be validated locally. The process of authentication can vary depending on factors such as connectivity, password change, and encryption of the local data store.
Connectivity
When users first log in to the app, credentials must be validated by the server. If authentication and related validations succeed, a data store is created on the device.
The login credentials are stored on the device in the form of a local key. If the app is disconnected, this key is used to validate credentials locally. If data encryption is enabled, the key is also used to authorize access to the local data store.
During subsequent login procedures, the following rules apply:
- If the app is disconnected, users must log in to the device by using the credentials that they last used to log in to the app.
- If the app is connected, users must log in by using the credentials that are current on the server.
Password change
The local key is automatically updated when users change their password from the device or when users log in to the app by using a password that was changed in Maximo Asset Management or the LDAP system. Because users can change their password in an external system, the password that is encoded in the local key can be different from the password that is current on the server.
The option to change password from the device is available only if Maximo Asset Management is configured for native authentication.
Encryption of the local data store
If the local data store is encrypted, the local key is used to authorize access to the local data store whether the app is connected or disconnected.
If the app is connected, users must log in to the server by using the credentials that are current on the server. If the password on the server is different from the password that is encrypted in the local key, users must also provide the encrypted password to recover the local data store. If users cannot provide the encrypted password, they must either reset the app or abandon the attempt to log in. When the app is reset, all data for the app, including data for the current user and other users, is cleared from the device. Any unsynchronized data is lost.
Security and startup processes related to server authentication
When a user is authenticated by the server, the following security controls are invoked:
- The server verifies whether a user is blocked or inactive.
- The server provides information about security authorizations for a user based on the security groups to which the user is assigned.
- The app verifies whether a user belongs to a Maximo Anywhere security group that is authorized to use the app.
If a user is blocked, inactive, or not authorized to use the app, login fails.
A first-time login also includes the following startup processes:
- Retrieval of system data that is required for the app.
- Retrieval of user information, including the time zone, default insert site, organization, and person ID.
- Synchronization of server and device times.
Successful completion of these processes is required for the app to function. If one or more of these processes cannot be completed during a first-time login, the app cannot be initialized and login fails.
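The rules above (offline validation against a local key, connected validation against the server, the blocked/inactive and security-group checks, and the recovery or reset path when the server password differs from the one encoded in the local key) can be seen together in the following added model. It is illustrative code written for this page, not IBM's Maximo Anywhere implementation: the server is a constructed stub, the group name ANYWHERE_WO and the PBKDF2 parameters are assumptions, and the encrypted data store is modelled only as access gated by the derived key rather than real encryption.

```python
import hashlib
import secrets

# Constructed model of the Maximo Anywhere login rules; not IBM's code.
PBKDF2_ITERATIONS = 100_000
APP_GROUP = "ANYWHERE_WO"  # assumed name of the security group that authorizes the app


class MaximoServerStub:
    """Stand-in for the Maximo server: current password, status and groups per user."""

    def __init__(self):
        self.users = {}

    def add_user(self, name, password, groups, blocked=False):
        self.users[name] = {"password": password, "groups": set(groups), "blocked": blocked}

    def change_password(self, name, new_password):
        # Mimics a password change made in Maximo or the LDAP directory, not on the device.
        self.users[name]["password"] = new_password

    def authenticate(self, name, password):
        """Return None on success, otherwise the reason the login fails."""
        user = self.users.get(name)
        if user is None or user["password"] != password:
            return "invalid credentials"
        if user["blocked"]:
            return "user blocked or inactive"
        if APP_GROUP not in user["groups"]:
            return "not a member of the app's security group"
        return None


class Device:
    """Models the local key and the local data store on one device."""

    def __init__(self, encrypted_store=True):
        self.encrypted_store = encrypted_store
        self.local_keys = {}    # user -> {"salt": bytes, "verifier": bytes}
        self.data_store = None  # created by the first successful connected login

    @staticmethod
    def _derive_key(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def _set_local_key(self, user, password):
        salt = secrets.token_bytes(16)
        key = self._derive_key(password, salt)
        # Keep only a verifier (hash of the key); neither password nor key is stored.
        self.local_keys[user] = {"salt": salt, "verifier": hashlib.sha256(key).digest()}

    def _local_key_matches(self, user, password):
        rec = self.local_keys.get(user)
        if rec is None:
            return False
        key = self._derive_key(password, rec["salt"])
        return secrets.compare_digest(hashlib.sha256(key).digest(), rec["verifier"])

    def reset(self):
        """Clears app data for every user on the device; unsynchronized data is lost."""
        self.local_keys.clear()
        self.data_store = None

    def login(self, user, password, server=None, recovery_password=None):
        """server=None means the app is disconnected. Returns a short outcome string."""
        if server is None:
            # Disconnected: only the credentials last used on this device are accepted.
            if self.data_store is not None and self._local_key_matches(user, password):
                return "ok-offline"
            return "fail-offline"

        reason = server.authenticate(user, password)
        if reason:
            return "fail-" + reason

        if user not in self.local_keys:
            # First-time login for this user (assumed per-user local key).
            self._set_local_key(user, password)
            if self.data_store is None:
                self.data_store = {"records": []}
            return "ok-first-login"

        if self._local_key_matches(user, password):
            return "ok-online"

        # Server password differs from the password encoded in the local key.
        if not self.encrypted_store:
            self._set_local_key(user, password)  # key is updated automatically
            return "ok-key-updated"
        if recovery_password is not None and self._local_key_matches(user, recovery_password):
            self._set_local_key(user, password)  # re-key; the data store is recovered
            return "ok-store-recovered"
        return "need-recovery-password"  # caller may retry with the old password or reset()
```

In the encrypted-store case the model returns need-recovery-password rather than resetting on its own, because the page leaves that decision to the user: retry with the password the store was encrypted under, or reset and lose unsynchronized data.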