Great info.. Thanks for all the background. It all makes sense to me....
Original Message:
Sent: Mon March 24, 2025 11:13 PM
From: Alex Walter
Subject: MxLoader with MAS 9 ?
David,
IBM introduced a System Property mxe.int.enableosauth several versions ago. In prior versions, the default value was 0 which allows users with credentials to utilize any Object Structure, including the ones without Authorization Name values defined (like the old MXASSET object structure). For Object Structures with Authorization Name values defined, they would need explicit access via the Security Groups / Users applications to utilize the Object Structure. By setting this property to 1, users can no longer utilize Object Structures without Authorization Names. Likewise, they still need explicit security access granted for those with Authorization Name values.
In MAS 9, this System Property is now set to 1 as the default and is no longer able to be edited via the Maximo UI. This closes a security loophole, which when set to 0 allows any authenticated user with knowledge of the REST API to perform just about any operation in Maximo given that there are so many legacy Object Structures without Authorization Names (including ones to create custom unsecured Object Structures).
While understandable, this creates some more work on our part to make sure that appropriate groups are granted appropriate Object Structure security for performing operations in MxLoader and other such tools.
Generally, the MXAPI*** Object Structures will all be secured and can cover a vast majority of the data loading use cases without the need for additional configuration. But you're correct, these MXAPI*** Object Structures are set to be read-only in Maximo. You can imagine if users were to adjust those as they saw fit, then Maximo Mobile and other programs may stop functioning properly.
You can duplicate the Object Structures, but unfortunately this also carries forward the old Authorization Name values, which most of the time are not wanted. You can try to remove those Authorization Names, but will receive an error if they are in use by a Security Group (this seems like a bit of a bug, though I'm not sure what the solution should be).
Long story short, your observations are correct and I don't have much to offer in the way of a solution to make things less tedious for you. If I develop something, or figure something out, I'll post back here. Hopefully the above helps explain what you're seeing and why you're seeing it.
------------------------------
Alex Walter
CIO
A3J Group
Tampa FL
Original Message:
Sent: Fri March 21, 2025 08:40 AM
From: David Miller
Subject: MxLoader with MAS 9 ?
I am already using the REST Service and the API Authentication to connect. That was why I was asking if IBM is now suggesting we always use the API OSs. I do think I tried to use them before MAS and I ran into an issue doing data loading. I seem to recall that maybe they did not have all my custom fields on them and I did not want to touch the OOTB IBM API OSs as I thought they are used by Mobile and other internal IBM functions and we should not touch them. Is this correct or not? Does anyone know?
------------------------------
David Miller
Managing Partner - Maximo Consultant
Enterprise Integration Partners LLC
Original Message:
Sent: Fri March 21, 2025 08:13 AM
From: Jan-Willem Steur
Subject: MxLoader with MAS 9 ?
David,
Why don't you use the REST API approach? Just create a User specific API key (in the API Keys Graphite app in Manage) and use this approach. By default all MXAPIxxxxx Object Structures can be used then instead of the traditional Mxxxxxx OS's (e.g. using MXAPIASSET instead of MXASSET). This works fine and "First Time Right". When using the REST API key, just change your authentication to API and the service to REST:
------------------------------
Jan-Willem Steur
Manager Business Development
ZNAPZ b.v.
Breda
+31 6 25639950
Jan-Willem
Original Message:
Sent: Thu March 20, 2025 09:37 AM
From: David Miller
Subject: MxLoader with MAS 9 ?
So I am doing my first MxLoader to MAS 9 environment. I am using a NextGen version 8.4.2.
I have connectivity to Maximo working and I am connecting as MAXADMIN user on a default DEMODB. I see that I must do permissions to the OS on the Group. However if I log into Security Groups MAXADMIN and on Object Structures I will not see basic things like MXASSET even appear in the list. I do see MXAPIASSET.
If I try to run Mxlkoader sheet using MXASSET I get:
Bad Request
BMXAA9301E - The user of the transaction is not authorized for Object Structure MXASSET. Configure authorization in the object structure application and grant necessary access to the user.
If i change the Object in MxLoader to MXAPIASSET it will work to retrieve data.
Since we connect using REST API in Mxloader to MAS9 should we start using the API Object Structures in it and no longer use the traditional ones? DO we do that now for all API OSs?
Next I ran the Create Custom Object Structures Settings and it built 91 objects just fine. If I run Refresh Data Dictionary I get:
Bad Request
BMXAA9301E - The user of the transaction is not authorized for Object Structure MXL_MAXATTRIBUTECFG. Configure authorization in the object structure application and grant necessary access to the user.
Again, I do not see this OS in the list for the MAXADMIN group? In fact I see none of the built MXL_ OSs. How do I get to setup security to these new custom OS that were built?
Anybody know of a guide to using MxLoader with MAS 9. I am trying to follow this guide but they show MXASSET appearing in the list on MAXADMIN (funny the DESC says API MXASSET) but I do not see this. What am I missing???
Using MxLoader with Maximo Application Suite
Any help greatly appreciated,
------------------------------
David Miller
Managing Partner - Maximo Consultant
Enterprise Integration Partners LLC
------------------------------