Maximo Anywhere


ANYWHERE_TECHNICIAN gives access to app in Maximo

  • 1.  ANYWHERE_TECHNICIAN gives access to app in Maximo

    Posted Wed September 29, 2021 08:45 AM
    Hi,

    In order to be able to log in to WorkExecution, the user has to be in the security group "ANYWHERE_TECHNICIAN". Our issue is that this group gives access to a lot of unnecessary applications for a technician to see.

    For example, a technician has access to apps like "Company", "Anywhere Administration", "Classification", etc.

    There are like 12 apps or so that we want to hide from the user even if those apps are read-only.

    How can I do this?

    ------------------------------
    Mathieu Guilmette
    ------------------------------


  • 2.  RE: ANYWHERE_TECHNICIAN gives access to app in Maximo

    User Group Leader
    Posted Thu September 30, 2021 04:09 AM
    Do you have a test/dev environment where you can try and remove some of the access to these applications in the Anywhere_technician security group and make sure it has no adverse effect?

    I don't believe removing access from these applications would cause any issues, but you should go through a test cycle just to be sure.

    ------------------------------
    Steve Lee
    Maximo Technical Sales Specialist
    IBM
    Leeds
    ------------------------------



  • 3.  RE: ANYWHERE_TECHNICIAN gives access to app in Maximo

    Posted Thu September 30, 2021 08:11 AM
    I'm assuming you're on the latest release (7.6.4) of Anywhere. I believe READ access is still required to the Anywhere Administration app (AWADMIN) to retrieve the apps now that it's stored inside the Maximo database. 

    The Work Order Tracking (WOTRACK) application is still required unless you switch the OSLCWODETAIL object structure and I'm not sure if there would be other issues with doing that. I'd recommend you leave this alone.

    The others you mentioned (Classification and Companies for example) at least now have the Maximo Anywhere (MAXANYWH) authorization associated to it now so you should be able to eliminate those without impacting the Anywhere applications. I believe these object structures were previously tied to the application so it was necessary to download the data but with the generic Maximo Anywhere app it's no longer required.

    ------------------------------
    Steven Shull
    ------------------------------



  • 4.  RE: ANYWHERE_TECHNICIAN gives access to app in Maximo

    Posted Thu September 30, 2021 09:12 AM
    Hi, I tried to remove the READ access for the Classification app but the lookup download on Anywhere failed on CLASSSTRUCTURE. They are all required. If I remove one, I won't be able to download its object in Anywhere...

    ------------------------------
    Mathieu Guilmette
    ------------------------------



  • 5.  RE: ANYWHERE_TECHNICIAN gives access to app in Maximo

    Posted Thu September 30, 2021 09:18 AM
    Are you on Anywhere 7.6.4? If so, can you tell me what you see as the Authorization Name for the object structure OSLCCLASSIFICATION in the Object Structure application? That should say MAXANYWH.

    ------------------------------
    Steven Shull
    ------------------------------



  • 6.  RE: ANYWHERE_TECHNICIAN gives access to app in Maximo

    Posted Thu September 30, 2021 09:43 AM
    Yes, we are on 764. Indeed the OSLCCLASSIFICATION Authorization Name is MAXANYWH, but it still fails on Lookup Data download if I remove the app authorization in the ANYWHERE_TECHNICIAN group.

    ------------------------------
    Mathieu Guilmette
    ------------------------------



  • 7.  RE: ANYWHERE_TECHNICIAN gives access to app in Maximo

    Posted Fri October 01, 2021 09:27 AM
    Yeah you're right, I didn't see OSLCCLASSSTRUCTURE which is still set to Classification (ASSETCAT) instead of the MAXANYWH app. The object structure security, query definition, etc. functionality was added after Anywhere was developed so it has remnants where they had to do less than desirable configuration.

    It might be worth opening a case. Anywhere 7.6.4 only supports Maximo 7.6.0.8+ so they would be able to configure these using object structure authorization instead of applications if they wanted. Or at least switch them to the MAXANYWH app and use the query definition inside of the app instead. You should be able to grant access to Anywhere without having to give access to the core apps.

    ------------------------------
    Steven Shull
    ------------------------------
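
Added example, not part of any post in this thread and not IBM's code: a least-privilege check for the situation described in posts 3 to 7, listing which core apps a security group can READ only because an OSLC object structure's Authorization Name still points at them. The table and column names (MAXINTOBJECT.AUTHAPP, APPLICATIONAUTH) are assumptions about the Maximo 7.6 schema, the rows are constructed, and SQLite stands in for the Maximo database.

```python
import sqlite3

# Assumed Maximo 7.6 names: MAXINTOBJECT.AUTHAPP is an object structure's
# Authorization Name; APPLICATIONAUTH holds security-group application grants.
SCHEMA = """
CREATE TABLE maxintobject (intobjectname TEXT, authapp TEXT);
CREATE TABLE applicationauth (groupname TEXT, app TEXT, optionname TEXT);
"""
# Constructed sample rows mirroring what the posts report.
OBJECT_STRUCTURES = [
    ("OSLCCLASSIFICATION", "MAXANYWH"),
    ("OSLCCLASSSTRUCTURE", "ASSETCAT"),
    ("OSLCWODETAIL", "WOTRACK"),
]
GRANTS = [("ANYWHERE_TECHNICIAN", app, "READ")
          for app in ("MAXANYWH", "AWADMIN", "WOTRACK", "ASSETCAT", "COMPANY")]

# For each app the group can READ, list the OSLC object structures authorized through it.
AUDIT_SQL = """
SELECT a.app, GROUP_CONCAT(o.intobjectname) AS structures
FROM applicationauth a
LEFT JOIN maxintobject o
       ON o.authapp = a.app AND o.intobjectname LIKE 'OSLC%'
WHERE a.groupname = ? AND a.optionname = 'READ'
GROUP BY a.app
ORDER BY a.app
"""

def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO maxintobject VALUES (?, ?)", OBJECT_STRUCTURES)
    conn.executemany("INSERT INTO applicationauth VALUES (?, ?, ?)", GRANTS)
    return conn

def audit_group(conn, group, needed_for_other_reasons=frozenset({"AWADMIN"})):
    """Classify each READ grant of `group` as 'keep' or 'test-removal'."""
    report = {}
    for app, structures in conn.execute(AUDIT_SQL, (group,)):
        if structures:  # lookup downloads fail without this grant
            report[app] = ("keep", "still authorizes " + structures)
        elif app in needed_for_other_reasons:  # e.g. AWADMIN, per post 3
            report[app] = ("keep", "needed outside object structure security")
        else:  # candidate only: confirm in a test environment first
            report[app] = ("test-removal", "no OSLC object structure depends on it")
    return report

if __name__ == "__main__":
    for app, (verdict, reason) in audit_group(build_sample_db(), "ANYWHERE_TECHNICIAN").items():
        print(f"{app:10} {verdict:13} {reason}")
```

On the constructed rows, ASSETCAT and WOTRACK are reported as still authorizing an object structure, while COMPANY is only a candidate to remove in a test environment.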



  • 8.  RE: ANYWHERE_TECHNICIAN gives access to app in Maximo

    Posted Wed October 06, 2021 12:59 AM
    Hi Steve,

    Would you be able to elaborate on the part about "generic Maximo Anywhere app"? Is there a single Anywhere app that has all the functionality of the individual apps?

    Thanks.



  • 9.  RE: ANYWHERE_TECHNICIAN gives access to app in Maximo

    Posted Wed October 06, 2021 09:09 AM
    Sadly no. Inside of core Maximo there is an app called Maximo Anywhere (MAXANYWH), which most people don't notice, that is used to tie to a lot of the lookup data but not all. This isn't an app in the traditional sense. If you open it in Application Designer you'll see nothing, for example, and it's not added to the Go To menu. It was a way to require authorization for the object structures that Anywhere needed that didn't require object structure security support, since that wasn't always available on supported Maximo versions on the Anywhere releases. With Anywhere 7.6.4, it's required that you're on Maximo 7.6.0.8+, which supports object structure security, which is a better approach, but even switching the apps on the lookup data to MAXANYWH would be preferable as it would prevent access to the core apps.

    ------------------------------
    Steven Shull
    ------------------------------



  • 10.  RE: ANYWHERE_TECHNICIAN gives access to app in Maximo

    Posted Fri October 01, 2021 02:41 AM
    Ahh, the joy of it all, security and the ensuing panic that you have breached the IBM licencing terms.  Firstly, note that IBM defined the access for these groups and that you must belong to the appropriate Anywhere group as per Authorizations.

    If your license is for mobile-only, then they just need to be a member of the Everyone group plus the Anyway, but I'd add another which is the one that controls the sites they're allowed in.  Else it's at least an Express user + Anywhere User license.

    I've struggled with (grrrr) that read-only access is needed to those apps under the Administration module, thus in theory meaning, they should really have an Authorised license.

    As your tests have indicated, disabling read access has bad results even when you switch over to the other URL as Steven has indicated.  I haven't done that as yet.

    In my opinion, do not take it as fact, leave the Anywhere groups as is, after all, IBM did create them that way for a good reason.  In the end, if you do get audited, they should know about the Anywhere groups.

    ------------------------------
    ===============================
    Craig Kokay,
    Lead Senior Maximo/IoT Consultant
    ISW
    Sydney, NSW, Australia
    Ph: 0411-682-040
    =================================
    #IBMChampion2021
    ------------------------------



  • 11.  RE: ANYWHERE_TECHNICIAN gives access to app in Maximo

    Posted Fri October 01, 2021 08:49 AM
    Hi Craig,

    I understand the fact that we should leave the Anywhere group as is.

    If we put aside the licencing because we are ok, how can we hide those applications from the user? There are 12 apps that the user can see (read-only) that we don't want them to. I tried to add a data restriction on MAXAPPS and/or MAXMENU but it didn't work. How can we hide them?

    Thank you



    ------------------------------
    Mathieu Guilmette
    ------------------------------



  • 12.  RE: ANYWHERE_TECHNICIAN gives access to app in Maximo