Technical Blog Post
Maximo Security Groups and Conditions
Recently I have had a few people ask me how Maximo security works when users belong to multiple security groups, each with different conditions set on it.
To start, I would like to go over some of the fundamentals of how Maximo decides which applications and options a user is allowed to access once they are logged into the product. What the user sees is determined by the security groups they belong to and by how the security rights from each group combine into the user's security profile.
Security groups can be either independent of other groups or non-independent. Independent groups add together but do not combine: you get the highest privileges available from each of the independent groups you belong to. Non-independent security groups combine, using parts from different groups, and this is commonly used when granting permissions to sites.
For example, if the user belongs to the two security groups with the following privileges:
Group 1: Site A and Work Order Tracking application
Group 2: Site B and Purchase Orders application
If these security groups are both independent, then the user ends up with rights for Work Order Tracking on Site A and Purchase Orders on Site B. Basically, you sum up the privileges and, if any of them overlap, you take the highest level. If however the security groups are non-independent, then the privileges combine and the user ends up with both Work Order Tracking and Purchase Orders on Sites A and B.
If you have multiple independent security groups, then the resulting user security profile can be difficult to determine. This is complicated further if you put conditions on your user privileges by adding specific conditions per security group. You can, for example, allow edit privileges on a work order only if the work order priority is set to a certain value. Conditions set on security groups "OR" together, not "AND". By this I mean that if either condition is true then you have privileges; you do not have to have both conditions true in order to have permission. This is especially apparent when you have one or more groups with conditions combined with a group that has no conditions on it.
The design is this: if you find one security group that has no condition, stop looking and grant it. If you have multiple groups with conditions, OR them. This applies across all conditional behavior, data restrictions and options alike. For non-independent groups, when multiple groups combine, if any group has no condition, always grant; if all the groups have a condition, OR them.
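To make the combination rules above concrete, here is an added Python model that is not Maximo's own code: it resolves a user's groups into a profile and evaluates a grant the way the post describes. The group names, site IDs (SITEA, SITEB), application names and the priority/status conditions are constructed for illustration.

```python
# Added example, not Maximo code: a small model of how Maximo-style security
# groups combine into a user profile. Names, sites and conditions are constructed.
from dataclasses import dataclass
from typing import Callable, Optional
Condition = Optional[Callable[[dict], bool]]  # None means "no condition"

@dataclass
class Group:
    name: str
    independent: bool
    sites: set
    apps: dict  # app -> Condition

def resolve_profile(groups):
    """Return {(site, app): [conditions]}; a None entry in the list means at
    least one group grants that app on that site unconditionally."""
    profile = {}
    # Independent groups add their own site/app pairs; nothing crosses over.
    for g in (g for g in groups if g.independent):
        for site in g.sites:
            for app, cond in g.apps.items():
                profile.setdefault((site, app), []).append(cond)
    # Non-independent groups combine: every site from any of them gets
    # every app (with its condition) from any of them.
    combined = [g for g in groups if not g.independent]
    all_sites = set().union(*(g.sites for g in combined))
    for g in combined:
        for site in all_sites:
            for app, cond in g.apps.items():
                profile.setdefault((site, app), []).append(cond)
    return profile

def is_allowed(profile, site, app, record):
    conds = profile.get((site, app))
    if conds is None:
        return False                      # no group grants this app on this site
    if any(c is None for c in conds):
        return True                       # an unconditional grant wins outright
    return any(c(record) for c in conds)  # otherwise the conditions OR together
# Constructed sample groups: the post's Site A / Site B example, plus two
# conditional grants on Work Order Tracking (WOTRACK) at Site A.
high_priority = lambda wo: wo.get("priority") == 1
approved = lambda wo: wo.get("status") == "APPR"
INDEPENDENT = [Group("G1", True, {"SITEA"}, {"WOTRACK": None}),
               Group("G2", True, {"SITEB"}, {"PO": None})]
NON_INDEPENDENT = [Group("G1", False, {"SITEA"}, {"WOTRACK": None}),
                   Group("G2", False, {"SITEB"}, {"PO": None})]
CONDITIONAL = [Group("G3", True, {"SITEA"}, {"WOTRACK": high_priority}),
               Group("G4", True, {"SITEA"}, {"WOTRACK": approved})]
```

Adding an unconditional group such as G1 to the CONDITIONAL list makes every work order at Site A editable regardless of the conditions, which is the "stop looking and grant" behavior described above.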
To simplify user security, you may want to limit the number of security groups you grant to your users. This may require making the security groups you do use more specific to both the sites and the applications you want to grant access to. If that is not possible and you have conditions on your security groups, you may have to duplicate certain security groups and modify their conditions in order to end up with the desired security profile for the user.