The purpose of this article is to make practical sense of configuring the Maximo security model. It asks whether Person Groups can provide filtered or restricted data for business groups such as Mechanical, Engineering, or HR, and whether the vendor field can filter data for external vendors maintaining their own assets. This approach is based on the DawnBIT team's experience with Maximo.

1. How does Maximo handle a user’s access profile?

Maximo uses a two-step security process consisting of ‘authentication’ and ‘authorization’:

  • In the first step, users are authenticated to determine whether they can log into Maximo.
  • In the second step, they are authorized for specific applications and functions.

Note: A user must be a member of a security group (MAXGROUP) to be authorized. Authorization is group-based, not individual-based: a user’s access is determined by the groups they belong to, and a user can belong to multiple security groups.

2. How does Maximo handle Group Security access profiles?

Maximo authorizes security groups (MAXGROUP) using various security-related objects, such as:

  • SITEAUTH: Access to sites within an organization.
  • MAXAPPS: Access to applications. Select actions are granted using SIGOPTION objects, to which conditional access rules can be applied.
  • LOCAUTH: Storeroom-level access.
  • SECURITYRESTRICT: Object and attribute-level data restrictions (e.g., SECURITYRESTRICT.OBJECTNAME and SECURITYRESTRICT.ATTRIBUTENAME).
  • COLLECTIONAUTH.COLLECTIONNUM: Manages collections of assets, locations, and classification items.
  • Other options like LABAUTH for labor authorizations and LIMITTOLERANCE for limits and tolerances are also available.

3. How does Maximo define various levels of objects to handle Multi-Org and Multi-Site setups?

Maximo defines 12 data filter levels for its objects:

| Level | Description | Example |
| --- | --- | --- |
| SYSTEM | A system-level object with restrictions applied at the object or application level. | |
| SYSTEMORG | A system-level object assignable to an organization. | orgid is null or orgid = … |
| SYSTEMSITE | A system-level object assignable to a site. | siteid is null or siteid = … |
| SYSTEMORGSITE | A system-level object assignable to both an organization and a site. | (siteid is null or siteid = …) |
| SYSTEMAPPFILTER | A system-level object that can filter by site and organization in the context of an application. | |
| ORG | An organization-level object. | orgid = … |
| ORGSITE | An organization-level object assignable to a site. | (siteid is null or siteid = …) |
| ORGAPPFILTER | An organization-level object with application filtering. | |
| SITE | A site-level object. | siteid = … |
| SITEAPPFILTER | A site-level object with application filtering (reserved for future use). | |
| ITEMSET | An item set-level object. | |
| COMPANYSET | A company set-level object. | |
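
The following is an added illustration, not code from the original article or from Maximo: it applies the four predicates that appear complete in the Example column (SYSTEMORG, SYSTEMSITE, ORG, SITE) to constructed records. It assumes a user in several security groups receives the union of those groups' site grants; the group names, org/site ids and rows are all constructed.

```python
# Added illustration, not IBM Maximo code. Group names, org/site ids and
# sample rows are constructed. Assumption: a user in several security
# groups gets the union of those groups' site grants.
# Constructed SITEAUTH-style grants: group -> {(orgid, siteid), ...}
SITEAUTH = {
    "MECH": {("ORG1", "SITE_A")},
    "ENG": {("ORG1", "SITE_B")},
    "VENDORX": {("ORG2", "SITE_C")},
}

# level -> (filtered column, is a NULL value visible to everyone?)
# Only the four levels whose example predicate is complete in the table.
LEVEL_RULES = {
    "SYSTEMORG": ("orgid", True),    # orgid is null or orgid = ...
    "SYSTEMSITE": ("siteid", True),  # siteid is null or siteid = ...
    "ORG": ("orgid", False),         # orgid = ...
    "SITE": ("siteid", False),       # siteid = ...
}


def allowed_values(groups, column):
    """Union of the org or site ids granted by the user's security groups."""
    idx = 0 if column == "orgid" else 1
    return {grant[idx] for g in groups for grant in SITEAUTH.get(g, ())}


def is_visible(level, row, groups):
    """Apply the level's predicate to one record (a dict)."""
    column, null_shared = LEVEL_RULES[level]
    value = row.get(column)
    if value is None:
        return null_shared
    return value in allowed_values(groups, column)


def visible_rows(level, rows, groups):
    """Ids of the records this model shows to a user in `groups`."""
    return [r["id"] for r in rows if is_visible(level, r, groups)]


# Constructed records for an org-filtered and a site-filtered object.
ORG_ROWS = [{"id": "shared", "orgid": None},
            {"id": "org1", "orgid": "ORG1"}, {"id": "org2", "orgid": "ORG2"}]
SITE_ROWS = [{"id": "a", "siteid": "SITE_A"},
             {"id": "b", "siteid": "SITE_B"}, {"id": "c", "siteid": "SITE_C"}]

if __name__ == "__main__":
    print(visible_rows("SYSTEMORG", ORG_ROWS, ["VENDORX"]))
    print(visible_rows("SITE", SITE_ROWS, ["MECH", "ENG"]))
```

Under the two SYSTEM* levels shown, a record whose orgid or siteid is null is visible to every group, including an external vendor's group, so such rows need review when restricting vendor data.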

4. Can Maximo be configured to restrict data for internal departments like Mechanical, Engineering, HR, and for asset-maintaining companies to access their data only?

Yes, Maximo provides enough options through Security Groups (MAXGROUP) to restrict data for both internal departments and external asset-maintaining vendors.

5. Can Person Groups in Maximo be used to restrict data for internal departments or asset-maintaining companies?

While Person Groups (PERSONGROUP) can represent individuals with similar responsibilities, they are not directly tied to security groups (MAXGROUP). Therefore, using Person Groups to restrict data would require creating a tight coupling with Security Groups, which limits Maximo’s configuration flexibility. Hard-coding security configurations is not recommended.

Conclusion: Using Person Groups for data restriction outside of the MAXGROUP structure is not practical because it assumes that Security Groups and their functions are fixed, which is rarely the case in dynamic business environments.

6. Can the vendor field (COMPANIES.COMPANY) be used in Maximo to restrict data for asset-maintaining companies?

No. As with Person Groups, using fields outside the Security Group (MAXGROUP) and related objects is not a viable solution.

7. Can such a configured system be replicated as a ‘product’ for other clients?

No, each Maximo implementation must be reconfigured based on the specific requirements of the client, so a pre-configured system cannot be replicated as a product.