I am currently in the process of reviewing security groups for one of our clients. There are many ways to configure security because every organization is different, but these simple strategies should help. This was taken directly from the Maximo help documentation.
Creating security groups can be a modest to complicated task, depending on the number of sites in your company or facility, and depending on how fine-grained you want your security privileges. For a detailed discussion of how security works in the system, refer to the Security chapter in the System Administrator’s Guide.
A few items may be worth mentioning here, as an introduction.
The security architecture is designed to use sites as the first level of security for multisite implementations.
- If your system implementation has only one site, then for each group select the Authorize Group for All Sites? check box on the Sites tab.
- If your system implementation has multiple sites, then you should create groups to represent each of the sites, all sites, or some logical grouping of sites within a security group (for example, a security group for site 1, and a security group for sites 2 and 3).
- Do not include any other privileges for the site groups.
Note: If you select the Independent of Other Groups check box on the Groups tab, you must grant that group access to at least one site and one application unless the group is being used exclusively for system-level applications.
Applications, Storerooms, Labor, GL Components, Limits and Tolerance, and Restrictions
The above items represent other tabs in the Security Groups application. There are basically two strategies here:
- You can create groups that each reflect these privileges. For example, if your company or facility has four storerooms, you might create separate groups for each storeroom and a fifth group for all storerooms. You could then add those groups to a user’s profile as appropriate.
- You can create functional groups that combine some of the privileges. For example, you might create three different maintenance groups, each with differing levels of privileges for any or all of the properties covered by the different tabs. This strategy is good for defining groups in a very detailed manner, such that when you associate one group with a user it will encompass all or many of the privileges you want the user to have.
Of course, you can also create groups that use a mixture of these two approaches. It all depends on how you want to implement security.
The virtue of creating many groups is being able to combine them in many ways to fashion individual security profiles. A major attribute of a group is whether it is Independent of Other Groups. This attribute is a check box on the Group tab. By default the system has this check box cleared, meaning the group is non-independent and that you combine privileges when you combine groups. If you select the check box, the system will not combine privileges; the group is independent.
Basically, when you combine privileges, the highest privilege wins. If a user belongs to multiple groups that define the same privilege at different levels, the user possesses the highest privilege. For example, if group A has a PO limit of $5,000 and group B has a PO limit of $10,000, then a user who is a member of both groups A and B has a purchasing limit of $10,000.
Combining privileges becomes more useful as an implementation strategy when you have multiple sites. Typically, you set up groups that only define site access, for example, SITE1, SITE2, and SITE3. You define other groups to define application privileges, purchasing approval limits, and so forth. If you have a user for whom you have created a security profile that includes SITE1 and a number of other groups to define application privileges and so forth, and you want the user to have the same privileges at SITE2, you simply add SITE2 to the user’s profile. He or she will have the same rights in SITE2 and in SITE1.
On the other hand, you may want to define some groups as independent so that when you combine groups, a user has one set of privileges at one site and a different set of privileges at another site.
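The combining rules above can be checked with a small model when reviewing a user's groups. This is an added example, not code from Maximo or its documentation: the `Group` fields, the `BUYER_A`, `BUYER_B` and `SITE3_CLERK` group names and the application names are constructed, and it assumes that a site reached through both an independent group and the combined groups gets the higher privilege.

```python
from dataclasses import dataclass

@dataclass
class Group:
    # Simplified, hypothetical stand-in for a security group record.
    name: str
    independent: bool = False      # the "Independent of Other Groups" check box
    sites: frozenset = frozenset()
    apps: frozenset = frozenset()
    po_limit: int = 0

def effective_profile(groups):
    """Return {site: {"po_limit": int, "apps": set}} for one user's groups."""
    profile = {}

    def grant(site, limit, apps):
        entry = profile.setdefault(site, {"po_limit": 0, "apps": set()})
        entry["po_limit"] = max(entry["po_limit"], limit)  # highest privilege wins
        entry["apps"] |= apps

    # Non-independent groups merge: sites and applications are unioned,
    # and the highest limit applies at every merged site.
    combined = [g for g in groups if not g.independent]
    sites = set().union(*(g.sites for g in combined))
    apps = set().union(*(g.apps for g in combined))
    limit = max((g.po_limit for g in combined), default=0)
    for site in sites:
        grant(site, limit, apps)

    # Independent groups do not merge: their privileges apply only at their own sites.
    for g in groups:
        if g.independent:
            for site in g.sites:
                grant(site, g.po_limit, set(g.apps))
    return profile

# Constructed sample groups (limits for A and B follow the $5,000 / $10,000 example).
SITE1 = Group("SITE1", sites=frozenset({"SITE1"}))
SITE2 = Group("SITE2", sites=frozenset({"SITE2"}))
BUYER_A = Group("BUYER_A", apps=frozenset({"PO"}), po_limit=5000)
BUYER_B = Group("BUYER_B", apps=frozenset({"PO", "PR"}), po_limit=10000)
SITE3_CLERK = Group("SITE3_CLERK", independent=True, sites=frozenset({"SITE3"}),
                    apps=frozenset({"PR"}), po_limit=1000)

if __name__ == "__main__":
    user_groups = [SITE1, BUYER_A, BUYER_B, SITE3_CLERK]
    for site, rights in sorted(effective_profile(user_groups).items()):
        print(site, rights["po_limit"], sorted(rights["apps"]))
```

Running it for each user during a review shows the rights per site that result from the group mix, which is where an unexpectedly high limit from one extra non-independent group becomes visible.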
For detailed information on creating independent and non-independent groups, the rules for combining and merging groups, and the effect the application level (organization versus site, for example) has on merging groups, refer to the Security chapter in the System Administrator’s Guide.
Note: You can use the default group EVERYONE to configure global settings which apply to all users of the system. This group always combines with other groups.
You can read more in the System Admin Guide under the Security section, which also gives you great examples.