Administer users and user access
IBM® Maximo® Application Suite users are created and managed at the suite-level and are made available for application-level access with application-specific role assignments such as administrator or user. If the application requires it, an application administrator can then set detailed application privileges in each individual application.
Overview
Maximo Application Suite user records are stored in the MongoDB collection User in the MongoDB core database. The internal user registry can be configured to use external authentication providers for user authentication.
From the Users section of the Suite administration page, you can complete the following tasks:
- Create user
  User IDs are created in the MongoDB instance that is used by Maximo Application Suite and can be of three types:
  - Local users (Local) are managed and authenticated fully in Maximo Application Suite.
  - LDAP users (LDAP) are created and managed by Maximo Application Suite, with the userid exactly matching a corresponding LDAP userid. User authentication is handled by the LDAP or SAML server.
  - Synchronized LDAP/SAML users (External) are managed from the LDAP server that is used for synchronization. All synchronized users are created read-only in the Maximo Application Suite.
- Delete user
  The user ID is removed from the Maximo Application Suite user registry. If you are using LDAP or SAML authentication, the user account remains on the identity provider server but is no longer associated with a Maximo Application Suite account. If you use user registry synchronization, you must delete the user on the LDAP server, and then sync to remove the Maximo Application Suite user.
Users can self-manage their accounts from the Maximo Application Suite user interface to update the display name, change their password, and set preferred language and region.
Important: If SMTP is enabled for your Maximo Application Suite environment, an email is sent to the email address that is associated with the user ID when the user account is created. If the SMTP email security is set to email passwords to users, a second email is sent with the user's password. If SMTP has not been set up, an administrator must contact the user to inform them about the password.
User entitlement and access
User access is granted through entitlements and associated access rights. A newly created user by default has limited application entitlement and user application access to the Maximo Monitor application, if deployed.
You can fine-tune the Maximo Application Suite access rights at user creation time or later by using a combination of the following user access dimensions:
- Entitlement
  The user can be assigned a specific administration or application access right.
- Access
  Entitled users can be granted specific access rights at the administrator and application level.
For sample entitlement and access assignment combinations, see Sample user roles configurations.
Application Point cost and access type
Application Points (AppPoints) are used to track and enforce user entitlement and access across Maximo Application Suite. At creation time, you assign each user an entitlement level: none, limited, base, or premium. Each level is associated with an AppPoint cost.
Entitlement level | Application | Administration |
---|---|---|
Self service | 0 | N/A |
Limited | 5 | N/A |
Base | 10 | 10 |
Premium | 15 | 15 |
Access type
The AppPoints are deducted either permanently or per user session depending on the access type that you assign the user. For more information, see Understanding Application Points.
- Concurrent access type
  The AppPoint cost is applied when the user is logged in to Maximo Application Suite. When a user starts a session, AppPoints corresponding to the assigned entitlement are checked out. When the user session ends, the AppPoints are returned.
- Authorized access type
  The AppPoints are reserved permanently from the organization pool when the user is created. With reserved AppPoints, the user can log in without depending on your organization’s current AppPoint balance and no additional AppPoints are checked out when the user logs in. If you change the user's access type to concurrent, the reserved AppPoints are returned to the pool. Administrator users have reserved access by default.
Administration entitlement and access
Administrative access to Maximo Application Suite and its applications is granted by using administration entitlement.
Entitlement | Description |
---|---|
None | If no administration entitlement is granted, the user is a regular Maximo Application Suite user who has no administration rights. If the user has an application entitlement other than None, the user can log in and access applications in Maximo Application Suite. |
Base | Base administration entitlement gives the user application administrator rights for each application to which the user has access and for which the user was given certain administrative rights at the Maximo Application Suite level: workspace management and user management. The base administrator user has access rights to the Suite administration page as set by the administration access selection. |
Premium | Premium administration entitlement gives the user administrator rights at the Maximo Application Suite level. In addition, the user has all rights of the Base entitlement. |
Users who have an administration entitlement other than None can be granted combinations of Maximo Application Suite administration access.
Access | Description |
---|---|
System configuration | Note: Requires premium administration entitlement. The user has edit access to the Catalog, Configurations, and License consumption sections of the Suite administration page. |
User management | The user has edit access to the Users section of the Suite administration page and can grant users access to applications. |
Application entitlement and roles
The application entitlement gives the user access to the applications and tools that make up Maximo Application Suite.
Entitlement | Description |
---|---|
None | If no application entitlement is granted, the user does not have access to any applications. However, the user has access to the Maximo Application Suite user interface, and if the user has administrator entitlement, they also have access to the Suite administration page. |
Self service | The Self service entitlement is used to grant minimal access to Maximo Manage. Further access is then granted in Maximo Manage by assigning users to one or more security groups. Depending on the authorization set by those groups, the user's application entitlement might be automatically upgraded. |
Limited | With limited entitlement a user can work with the core Maximo Application Suite applications, which include: |
Base | With base entitlement the user has access to the following applications: In addition, the user has the same application access as the Limited entitlement. |
Premium | With premium entitlement the user has access to the following applications: In addition, the user has the same application access as the Base entitlement. |
Note: The application roles are controlled by the applications and might differ from application to application. By default, users with administration entitlement are given the administrator role for all available applications. A user with no administration access is given the user role for the application that the user is entitled to.
The following example pertains to the Maximo Monitor application:
Role | Description |
---|---|
None | If no role is granted, the user does not have access to the applications. |
User | The user has regular user access rights to the application. |
Administrator | The user has administrator user access rights to the application. Note: A user needs Administration Entitlement to be granted the administrator role. |
For more information about the available user roles for specific applications, see the corresponding documentation:
Sample user roles configurations
The following table lists generic Maximo Application Suite user roles and their accompanying entitlements and access settings:
Role | Administration entitlement | Administration access | Application entitlement | Application role |
---|---|---|---|---|
Maximo Application Suite administrator: The Maximo Application Suite administrator manages overarching system configuration settings from the Suite administration page. | Premium | System configuration | None | None |
Application administrator: The application administrator administers one or more applications, adds and assigns users to these applications, and uses the application-specific user interfaces to manage further user privileges. | Base | User management | Limited | Example: Maximo Monitor with Administrator role |
Application user (Maximo Manage): The Maximo Manage application user has access to the Suite navigator and to Maximo Manage at the access level that is set by security groups in the application. | None | None | Self service or higher | Example: Maximo Manage with User role |
Application user: The application user has access to the Suite navigator and to one or more applications at an access level that is set by the application. | None | None | Limited | Example: Maximo Monitor with User role |
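
The dependencies between entitlement, administration access, and application role that the tables above describe can be checked mechanically when user records are reviewed for least privilege. The following Python check is an added example, not IBM code: the record field names are hypothetical (they are not the Maximo Application Suite User schema), and the sample records are constructed from the sample roles table plus two deliberately inconsistent entries.

```python
# Added example. Field names are hypothetical; sample records are constructed.
ADMIN_LEVELS = {"None", "Base", "Premium"}
APP_LEVELS = {"None", "Self service", "Limited", "Base", "Premium"}

def audit_user(user):
    """Return findings where a record contradicts the documented rules."""
    findings = []
    admin_ent = user["admin_entitlement"]
    app_ent = user["app_entitlement"]
    admin_access = set(user.get("admin_access", []))
    if admin_ent not in ADMIN_LEVELS or app_ent not in APP_LEVELS:
        findings.append("unknown entitlement level")
    # Administration access needs an administration entitlement other than None.
    if admin_access and admin_ent == "None":
        findings.append("administration access without administration entitlement")
    # System configuration requires premium administration entitlement.
    if "System configuration" in admin_access and admin_ent != "Premium":
        findings.append("System configuration without Premium administration entitlement")
    for app, role in user.get("app_roles", {}).items():
        if role == "None":
            continue
        # No application entitlement means no access to any application.
        if app_ent == "None":
            findings.append(f"{app}: role {role} without application entitlement")
        # The Administrator role requires administration entitlement.
        if role == "Administrator" and admin_ent == "None":
            findings.append(f"{app}: Administrator role without administration entitlement")
    return findings

def audit_all(users):
    """Map user id -> findings, listing only users that have findings."""
    results = {uid: audit_user(u) for uid, u in users.items()}
    return {uid: f for uid, f in results.items() if f}

def rec(admin_ent, admin_access, app_ent, app_roles):
    return {"admin_entitlement": admin_ent, "admin_access": admin_access,
            "app_entitlement": app_ent, "app_roles": app_roles}

SAMPLE_USERS = {  # first four rows mirror the sample roles table
    "suite_admin": rec("Premium", ["System configuration"], "None", {}),
    "app_admin": rec("Base", ["User management"], "Limited", {"Maximo Monitor": "Administrator"}),
    "manage_user": rec("None", [], "Self service", {"Maximo Manage": "User"}),
    "app_user": rec("None", [], "Limited", {"Maximo Monitor": "User"}),
    # constructed misconfigurations
    "bad_sysconfig": rec("Base", ["System configuration"], "Limited", {}),
    "bad_role": rec("None", [], "Limited", {"Maximo Monitor": "Administrator"}),
}

if __name__ == "__main__":
    for uid, findings in audit_all(SAMPLE_USERS).items():
        print(uid, findings)
```
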