Maximo


ANYWHERE_TECHNICIAN gives access to app in Maximo

  • 1.  ANYWHERE_TECHNICIAN gives access to app in Maximo

    Posted Wed September 29, 2021 08:45 AM
    Hi,

    In order to be able to log in to WorkExecution, the user has to be in the security group "ANYWHERE_TECHNICIAN". Our issue is that this group gives access to a lot of unnecessary applications for a technician to see.

    For example, a technician has access to apps like "Company", "Anywhere Administration", "Classification", etc.

    There are like 12 apps or so that we want to hide from the user even if those apps are read-only.

    How can I do this?

    ------------------------------
    Mathieu Guilmette
    ------------------------------



    #MaximoAnywhere
    #AssetandFacilitiesManagement
    #Maximo


  • 2.  RE: ANYWHERE_TECHNICIAN gives access to app in Maximo

    User Group Leader
    Posted Thu September 30, 2021 04:09 AM
    Do you have a test/dev environment where you can try and remove some of the access to these applications in the Anywhere_technician security group and make sure it has no adverse effect?

    I don't believe removing access from these applications would cause any issues, but you should go through a test cycle just to be sure.

    ------------------------------
    Steve Lee
    Maximo Technical Sales Specialist
    IBM
    Leeds
    ------------------------------



  • 3.  RE: ANYWHERE_TECHNICIAN gives access to app in Maximo

    Posted Thu September 30, 2021 08:11 AM
    I'm assuming you're on the latest release (7.6.4) of Anywhere. I believe READ access is still required to the Anywhere Administration app (AWADMIN) to retrieve the apps now that it's stored inside the Maximo database. 

    The Work Order Tracking (WOTRACK) application is still required unless you switch the OSLCWODETAIL object structure and I'm not sure if there would be other issues with doing that. I'd recommend you leave this alone.

    The others you mentioned (Classification and Companies for example) at least now have the Maximo Anywhere (MAXANYWH) authorization associated to it now so you should be able to eliminate those without impacting the Anywhere applications. I believe these object structures were previously tied to the application so it was necessary to download the data but with the generic Maximo Anywhere app it's no longer required.

    ------------------------------
    Steven Shull
    ------------------------------



  • 4.  RE: ANYWHERE_TECHNICIAN gives access to app in Maximo

    Posted Thu September 30, 2021 09:12 AM
    Hi, I tried to remove the READ access for the Classification APP but the lookup download on anywhere failed on CLASSSTRUCTURE. They are all required. If I remove one, I won't be able to download its object in anywhere...

    ------------------------------
    Mathieu Guilmette
    ------------------------------



  • 5.  RE: ANYWHERE_TECHNICIAN gives access to app in Maximo

    Posted Thu September 30, 2021 09:18 AM
    Are you on Anywhere 7.6.4? If so, can you tell me what you see as the Authorization Name for the object structure OSLCCLASSIFICATION in the Object Structure application? That should say MAXANYWH.

    ------------------------------
    Steven Shull
    ------------------------------



  • 6.  RE: ANYWHERE_TECHNICIAN gives access to app in Maximo

    Posted Thu September 30, 2021 09:43 AM
    Yes, we are on 764. Indeed the OSLCCLASSIFICATION Authorization name is MAXANYWH, but it still fails on Lookup Data download if I remove the app authorization in the ANYWHERE_TECHNICIAN group.

    ------------------------------
    Mathieu Guilmette
    ------------------------------



  • 7.  RE: ANYWHERE_TECHNICIAN gives access to app in Maximo

    Posted Fri October 01, 2021 09:27 AM
    Yeah you're right, I didn't see OSLCCLASSSTRUCTURE which is still set to Classification (ASSETCAT) instead of the MAXANYWH app. The object structure security, query definition, etc. functionality was added after Anywhere was developed so it has remnants where they had to do less than desirable configuration.

    It might be worth opening a case. Anywhere 7.6.4 only supports Maximo 7.6.0.8+ so they would be able to configure these using object structure authorization instead of applications if they wanted. Or at least switch them to the MAXANYWH app and use the query definition inside of the app instead. You should be able to grant access to Anywhere without having to give access to the core apps.

    ------------------------------
    Steven Shull
    ------------------------------



  • 8.  RE: ANYWHERE_TECHNICIAN gives access to app in Maximo

    Posted Wed October 06, 2021 12:59 AM
    Hi Steve,

    Would you be able to elaborate on the part about "generic Maximo Anywhere app"? Is there a single Anywhere app that has all the functionality of the individual apps?

    Thanks.



  • 9.  RE: ANYWHERE_TECHNICIAN gives access to app in Maximo

    Posted Wed October 06, 2021 09:09 AM
    Sadly no. Inside of core Maximo there is an app called Maximo Anywhere (MAXANYWH), which most people don't notice, that is used to tie to a lot of the lookup data but not all. This isn't an app in the traditional sense. If you open it in Application Designer you'll see nothing, for example, and it's not added to the Go To menu. It was a way to require authorization for the object structures that Anywhere needed that didn't require object structure security support, since that wasn't always available on supported Maximo versions on the Anywhere releases. With Anywhere 7.6.4, it's required that you're on Maximo 7.6.0.8+, which supports object structure security, which is a better approach, but even switching the apps on the lookup data to MAXANYWH would be preferable as it would prevent access to the core apps.

    ------------------------------
    Steven Shull
    ------------------------------



  • 10.  RE: ANYWHERE_TECHNICIAN gives access to app in Maximo

    IBM Champion
    Posted Fri October 01, 2021 02:41 AM
    Ahh, the joy of it all, security and the ensuing panic that you have breached the IBM licencing terms.  Firstly, note that IBM defined the access for these groups and that you must belong to the appropriate Anywhere group as per Authorizations.

    If your license is for mobile-only, then they just need to be a member of the Everyone group plus the Anywhere, but I'd add another which is the one that controls the sites they're allowed in.  Else it's at least an Express user + Anywhere User license.

    I've struggled with (grrrr) that read-only access is needed to those apps under the Administration module, thus in theory meaning, they should really have an Authorised license.

    As your tests have indicated, disabling read access has bad results even when you switch over to the other URL as Steven has indicated.  I haven't done that as yet.

    In my opinion, do not take it as fact, leave the Anywhere groups as is, after all, IBM did create them that way for a good reason.  In the end, if you do get audited, they should know about the Anywhere groups.

    ------------------------------
    ===============================
    Craig Kokay,
    Lead Senior Maximo/IoT Consultant
    ISW
    Sydney, NSW, Australia
    Ph: 0411-682-040
    =================================
    #IBMChampion2021
    ------------------------------



  • 11.  RE: ANYWHERE_TECHNICIAN gives access to app in Maximo

    Posted Fri October 01, 2021 08:49 AM
    Hi Craig,

    I understand the fact that we should leave the Anywhere group as is.

    If we put aside the licencing because we are ok, how can we hide those applications from the user? There are 12 apps that the user can see (in read-only) that we don't want to. I tried to add a data restriction on MAXAPPS and/or MAXMENU but it didn't work. How can we hide them?

    Thank you 



    ------------------------------
    Mathieu Guilmette
    ------------------------------



  • 12.  RE: ANYWHERE_TECHNICIAN gives access to app in Maximo

    Posted Wed October 06, 2021 01:29 AM
    Edited by System Tue August 22, 2023 04:44 PM

    MAM 7.6.1.2; Anywhere Work Technician 7.6.4:


    If I remember correctly, my organization went through a similar exercise in the spring. I wasn't directly involved, but I believe we had the same concerns as you. We wanted the ANYWHERE_TECHNICIAN security group to be a true "Anywhere-only" group. We didn't want the Anywhere-only users to have access to any other parts of Maximo -- for security reasons and licensing reasons. I don't have much more info than that; maybe the guidance we got from our implementation team wasn't perfect.
    (If needed, I could do more digging...there might be an IBM case somewhere.)


    If I understand correctly, we got rid of the Application security, and used Object Structure security instead. I think that's what @Steven Shull was referring to.

    For example, the OSLCWODETAIL object structure has INSERT, READ, and SAVE access:




    Here's a query where I attempt to get a complete picture of all the sig options that our ANYWHERE_TECHNICIAN group has.
    I'm not familiar with the security-related tables, so I might have missed something:


    select
        *
    from
        maximo.applicationauth
    where
        groupname = 'ANYWHERE_TECHNICIAN'
    order by
        groupname,
        app,
        optionname

    Hint: ALT+F1 doesn't help much in the detail tabs of the Security Groups application. Those fields/tables don't seem to directly reference the underlying tables where the sig options are stored.
    Instead, I did ALT+F1 in the Advanced Search window, which had some proper field/table names. That helped me figure out that I needed to query the APPLICATIONAUTH table. https://i.stack.imgur.com/SRF7B.png



    Here's the result from the query (hint: copy/paste it into Excel for better formatting).

    GROUPNAME APP OPTIONNAME APPLICATIONAUTHID CONDITIONNUM
    ANYWHERE_TECHNICIAN AWADMIN AWBLINDCOUNT 20484 BLINDCOUNT
    ANYWHERE_TECHNICIAN AWADMIN AWDELPROPD 20470 AWDELPROPD
    ANYWHERE_TECHNICIAN AWADMIN AWGLOBPROP 20460
    ANYWHERE_TECHNICIAN AWADMIN AWMAXANYWH 20497 AWMAXANYWH
    ANYWHERE_TECHNICIAN AWADMIN AWPHSICAL 20507 AWPHSICAL
    ANYWHERE_TECHNICIAN AWADMIN NEXT 20433
    ANYWHERE_TECHNICIAN AWADMIN PREVIOUS 20442
    ANYWHERE_TECHNICIAN AWADMIN READ 20451
    ANYWHERE_TECHNICIAN MAXANYWH ASSIGNWF 27009
    ANYWHERE_TECHNICIAN MAXANYWH HELPWF 27029
    ANYWHERE_TECHNICIAN MAXANYWH HISTORYWF 26999
    ANYWHERE_TECHNICIAN MAXANYWH INSERT 20407
    ANYWHERE_TECHNICIAN MAXANYWH READ 20296
    ANYWHERE_TECHNICIAN MAXANYWH ROUTEWF 26979
    ANYWHERE_TECHNICIAN MAXANYWH SAVE 20391
    ANYWHERE_TECHNICIAN MAXANYWH STOPWF 26989
    ANYWHERE_TECHNICIAN MAXANYWH VIEWWF 27019
    ANYWHERE_TECHNICIAN MXAPILABOR DELETE 32913
    ANYWHERE_TECHNICIAN MXAPILABOR INSERT 32914
    ANYWHERE_TECHNICIAN MXAPILABOR READ 32916
    ANYWHERE_TECHNICIAN MXAPILABOR SAVE 32915
    ANYWHERE_TECHNICIAN MXAPILABORCRAFTRATE DELETE 32888
    ANYWHERE_TECHNICIAN MXAPILABORCRAFTRATE INSERT 32889
    ANYWHERE_TECHNICIAN MXAPILABORCRAFTRATE READ 32891
    ANYWHERE_TECHNICIAN MXAPILABORCRAFTRATE SAVE 32890
    ANYWHERE_TECHNICIAN MXAPILOCATIONMETER DELETE 32878
    ANYWHERE_TECHNICIAN MXAPILOCATIONMETER INSERT 32877
    ANYWHERE_TECHNICIAN MXAPILOCATIONMETER READ 32880
    ANYWHERE_TECHNICIAN MXAPILOCATIONMETER SAVE 32879
    ANYWHERE_TECHNICIAN MXAPIPERUSER DELETE 32909
    ANYWHERE_TECHNICIAN MXAPIPERUSER INSERT 32910
    ANYWHERE_TECHNICIAN MXAPIPERUSER READ 32912
    ANYWHERE_TECHNICIAN MXAPIPERUSER SAVE 32911
    ANYWHERE_TECHNICIAN MXAPISR LOGCOMMENTS 32870
    ANYWHERE_TECHNICIAN MXAPISR READCOMMENTS 32871
    ANYWHERE_TECHNICIAN MXAPIWO ASSIGNLAB 32900
    ANYWHERE_TECHNICIAN MXAPIWO CREATECHG 32898
    ANYWHERE_TECHNICIAN MXAPIWO CREATEJP 32894
    ANYWHERE_TECHNICIAN MXAPIWO CREATEPROB 32892
    ANYWHERE_TECHNICIAN MXAPIWO CREATEWO 32905
    ANYWHERE_TECHNICIAN MXAPIWO DELETE 32906
    ANYWHERE_TECHNICIAN MXAPIWO FNSHASSN 32903
    ANYWHERE_TECHNICIAN MXAPIWO INTRPTASSN 32895
    ANYWHERE_TECHNICIAN MXAPIWO READ 32908
    ANYWHERE_TECHNICIAN MXAPIWO REMOVESP 32902
    ANYWHERE_TECHNICIAN MXAPIWO REMOVEWP 32899
    ANYWHERE_TECHNICIAN MXAPIWO REPDOWN 32893
    ANYWHERE_TECHNICIAN MXAPIWO SAVE 32907
    ANYWHERE_TECHNICIAN MXAPIWO STARTASSN 32904
    ANYWHERE_TECHNICIAN MXAPIWO STARTTIMER 32896
    ANYWHERE_TECHNICIAN MXAPIWO STATUS 32897
    ANYWHERE_TECHNICIAN MXAPIWO STOPTIMER 32901
    ANYWHERE_TECHNICIAN MXAPIWODETAIL APPR 32887
    ANYWHERE_TECHNICIAN MXAPIWODETAIL ASSIGNLAB 32925
    ANYWHERE_TECHNICIAN MXAPIWODETAIL CANCEL 32886
    ANYWHERE_TECHNICIAN MXAPIWODETAIL CLOSE 32883
    ANYWHERE_TECHNICIAN MXAPIWODETAIL COMP 32884
    ANYWHERE_TECHNICIAN MXAPIWODETAIL CREATECHG 32923
    ANYWHERE_TECHNICIAN MXAPIWODETAIL CREATEJP 32919
    ANYWHERE_TECHNICIAN MXAPIWODETAIL CREATEPROB 32917
    ANYWHERE_TECHNICIAN MXAPIWODETAIL CREATEWO 32930
    ANYWHERE_TECHNICIAN MXAPIWODETAIL DELETE 32931
    ANYWHERE_TECHNICIAN MXAPIWODETAIL FNSHASSN 32928
    ANYWHERE_TECHNICIAN MXAPIWODETAIL INIT 32885
    ANYWHERE_TECHNICIAN MXAPIWODETAIL INTRPTASSN 32920
    ANYWHERE_TECHNICIAN MXAPIWODETAIL LOGCOMMENTS 32872
    ANYWHERE_TECHNICIAN MXAPIWODETAIL READ 32933
    ANYWHERE_TECHNICIAN MXAPIWODETAIL READCOMMENTS 32873
    ANYWHERE_TECHNICIAN MXAPIWODETAIL REMOVESP 32927
    ANYWHERE_TECHNICIAN MXAPIWODETAIL REMOVEWP 32924
    ANYWHERE_TECHNICIAN MXAPIWODETAIL REPDOWN 32918
    ANYWHERE_TECHNICIAN MXAPIWODETAIL SAVE 32932
    ANYWHERE_TECHNICIAN MXAPIWODETAIL STARTASSN 32929
    ANYWHERE_TECHNICIAN MXAPIWODETAIL STARTTIMER 32921
    ANYWHERE_TECHNICIAN MXAPIWODETAIL STATUS 32922
    ANYWHERE_TECHNICIAN MXAPIWODETAIL STOPTIMER 32926
    ANYWHERE_TECHNICIAN MXAPIWODETAIL UNDOAPPR 32882
    ANYWHERE_TECHNICIAN MXAPIWODETAIL WSCH 32881
    ANYWHERE_TECHNICIAN OSLCAMCREW READ 32866
    ANYWHERE_TECHNICIAN OSLCANYWHEREAPP READ 32854
    ANYWHERE_TECHNICIAN OSLCANYWHEREPROPERTY READ 32853
    ANYWHERE_TECHNICIAN OSLCANYWHEREPROPVAL READ 32852
    ANYWHERE_TECHNICIAN OSLCANYWHERERESRC READ 32851
    ANYWHERE_TECHNICIAN OSLCANYWHERERESRVAL READ 32850
    ANYWHERE_TECHNICIAN OSLCASSET READ 32869
    ANYWHERE_TECHNICIAN OSLCCLASSSTRUCTURE READ 32857
    ANYWHERE_TECHNICIAN OSLCCRAFT READ 32864
    ANYWHERE_TECHNICIAN OSLCFAILURELIST READ 32856
    ANYWHERE_TECHNICIAN OSLCINVENTORY READ 32859
    ANYWHERE_TECHNICIAN OSLCITEM READ 32862
    ANYWHERE_TECHNICIAN OSLCLABOR READ 32865
    ANYWHERE_TECHNICIAN OSLCMAXUSER READ 32858
    ANYWHERE_TECHNICIAN OSLCMAXUSER SAVE 32849
    ANYWHERE_TECHNICIAN OSLCOPERLOC READ 32868
    ANYWHERE_TECHNICIAN OSLCOPERSROOM READ 32867
    ANYWHERE_TECHNICIAN OSLCPERSON READ 32855
    ANYWHERE_TECHNICIAN OSLCSERVICEADDRESS READ 32860
    ANYWHERE_TECHNICIAN OSLCTOOLITEM READ 32861
    ANYWHERE_TECHNICIAN OSLCVENDOR READ 32863
    ANYWHERE_TECHNICIAN OSLCWODETAIL INSERT 32876
    ANYWHERE_TECHNICIAN OSLCWODETAIL READ 32875
    ANYWHERE_TECHNICIAN OSLCWODETAIL SAVE 32874


    Does that help you at all?
    If I recall, it was a lot of work moving from Application security to Object Structure security. Maybe that could save you or someone else some time.


    We've been using those security settings in Anywhere Work Technician since May of this year. We haven't had any issues with them.
    Note: We only use the Anywhere Work Technician app -- we're not using any of the other Anywhere apps at the moment.




    #AssetandFacilitiesManagement
    #MaximoAnywhere
    #Maximo


  • 13.  RE: ANYWHERE_TECHNICIAN gives access to app in Maximo

    Posted Thu September 30, 2021 01:15 PM
    Mathieu,

    The ANYWHERE_TECHNICIAN security group only requires read access to the various application MBOs in order to gain access to the main object. Without this capability the user cannot get the data necessary for Anywhere to work.  This does not mean the user has app access in core Maximo in the same user experience.  To be sure, the user would be able to log in and view content in the given application (e.g. Companies) but any other application action does NOT have to be granted in order for Maximo Anywhere to function as designed per se.

    As the Steves (😜) point out, removal of app actions should not have any adverse effects and in my experience I have taken to setting up the groups so they ONLY have the read access on additionData objects.  The only application access beyond read is for WOTRACK, (and unless you clone your app and point it to your PLUSxWO clone,) you will not be able to do anything in any other WO application to affect WORKORDER object actions (e.g. SAVE, DELETE, etc.)

    So to go back to your main point, you state that you want to "hide" applications from the user.  If you want to make the menu choice in core Maximo be unavailable to those users then I have an alternative question for you:  Why (if those users are supposed to be using the mobile product) do you NEED to hide those apps in the browser version from those users?  Are they still using the browser based application?  If so, why?  And again, if so, you can create a conditional expression(s) to hide the application menu access for users in the Anywhere_technician group.  The problem with that is if the users also happen to be in other groups that should have other application access.  Your code will need to see if that is the only group to which the user belongs.  Hope this helps.

    ------------------------------
    Bradley K. Downing , MBA
    Solutions Engineer
    IBM
    Bakersfield CA
    ------------------------------



  • 14.  RE: ANYWHERE_TECHNICIAN gives access to app in Maximo

    Posted Thu November 04, 2021 01:23 PM
    Not sure if this is a dead thread or not now, but yes, the information provided above I believe is correct: you need to enable object structure security and change the object structure authorizations accordingly in order to hide the apps from a user who would otherwise see them when logging into the desktop version.

    The impact of this is usually on other integrations you might have already built, because suddenly these may need new authorizations and security group changes.

    @Bradley Downing I believe this is where the IBM licensing gets sticky: if you give anywhere technician out of the box to a user, it has full access to WOTRACK.  They are licensed with an anywhere license, however if they log into the browser/desktop version of Maximo, they see Work Order Tracking and can create and manage work orders.  This is where the stickiness is, because it's unclear whether it would make the client out of compliance because they are using an anywhere license in the Maximo desktop app.  Hope that makes sense from a license compliance standpoint.  I think in the future with MAS points this issue goes away, but it's very real for a number of my clients today, and the easiest way to avoid compliance issues is to hide the apps.

    ------------------------------
    Nicky Rhodes
    ------------------------------



  • 15.  RE: ANYWHERE_TECHNICIAN gives access to app in Maximo

    Posted Fri November 26, 2021 11:15 AM
    Just thought I would follow up on this: turns out, at least in 7.6.1.2, you don't have to globally enable object structure security to get a solution here.  I have a working setup now, essentially by changing the authorization on each OSLC object structure to a new one (by clicking the "use object structure for authorization name") and granting access to those object structures in security groups for the Anywhere app.

    Note that you'll have to recreate any lookup data queries and app queries because the app attached to the query changes when you enable these options on the object structure.  Now the native apps such as work order tracking appear if a user logs in.

    ------------------------------
    Nicky Rhodes
    ------------------------------
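
The audit that the APPLICATIONAUTH query in post 12 starts, extended to show which object structures still force a core-application grant (the OSLCCLASSSTRUCTURE / ASSETCAT case from post 7). This is an added example, not code from any post in this thread or from IBM. It runs against an in-memory SQLite database with constructed rows; the MAXINTOBJECT table with INTOBJECTNAME and AUTHAPP columns is an assumption about where the Authorization Name is stored, and COMPANY is a constructed application id.

```python
import sqlite3

# Constructed sample data, not an export from a real system. APPLICATIONAUTH
# columns follow the query output in the thread; MAXINTOBJECT(INTOBJECTNAME,
# AUTHAPP) is an assumed home for each object structure's Authorization Name.
BEFORE_OS = [("OSLCCLASSIFICATION", "MAXANYWH"), ("OSLCCLASSSTRUCTURE", "ASSETCAT"),
             ("OSLCWODETAIL", "WOTRACK")]
BEFORE_GRANTS = [("MAXANYWH", "READ"), ("ASSETCAT", "READ"), ("COMPANY", "READ"),
                 ("WOTRACK", "READ"), ("WOTRACK", "SAVE")]
# Same group after each object structure uses its own name for authorization.
AFTER_OS = [("OSLCCLASSIFICATION", "MAXANYWH"),
            ("OSLCCLASSSTRUCTURE", "OSLCCLASSSTRUCTURE"),
            ("OSLCWODETAIL", "OSLCWODETAIL")]
AFTER_GRANTS = [("MAXANYWH", "READ"), ("OSLCCLASSSTRUCTURE", "READ"),
                ("OSLCWODETAIL", "READ"), ("OSLCWODETAIL", "SAVE")]
GROUP = "ANYWHERE_TECHNICIAN"

def build_db(object_structures, grants, group=GROUP):
    """Load the constructed rows into an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE maxintobject (intobjectname TEXT PRIMARY KEY, authapp TEXT)")
    conn.execute("CREATE TABLE applicationauth (groupname TEXT, app TEXT, optionname TEXT)")
    conn.executemany("INSERT INTO maxintobject VALUES (?, ?)", object_structures)
    conn.executemany("INSERT INTO applicationauth VALUES (?, ?, ?)",
                     [(group, app, opt) for app, opt in grants])
    return conn

# Grants on MAXANYWH or on an object structure's own name open no core
# application, so only the remaining grants are reported.
AUDIT_SQL = """
SELECT a.app, a.optionname, o.intobjectname
FROM applicationauth a
LEFT JOIN maxintobject o ON o.authapp = a.app
WHERE a.groupname = ?
  AND a.app <> 'MAXANYWH'
  AND a.app NOT IN (SELECT intobjectname FROM maxintobject)
ORDER BY a.app, a.optionname, o.intobjectname
"""

def audit_group(conn, group=GROUP):
    """Map each core app the group can open to (options, dependent object structures)."""
    found = {}
    for app, option, os_name in conn.execute(AUDIT_SQL, (group,)):
        options, bound = found.setdefault(app, (set(), set()))
        options.add(option)
        if os_name is not None:
            bound.add(os_name)
    return {app: (sorted(o), sorted(b)) for app, (o, b) in found.items()}

def verdict(bound):
    """Turn the dependency list into the action the thread recommends."""
    if bound:
        return "keep until re-pointed: " + ", ".join(bound)
    return "no object structure depends on it: test removal"

if __name__ == "__main__":
    for label, os_rows, grants in (("before", BEFORE_OS, BEFORE_GRANTS),
                                   ("after", AFTER_OS, AFTER_GRANTS)):
        print(label)
        for app, (options, bound) in audit_group(build_db(os_rows, grants)).items():
            print(f"  {app} {options}: {verdict(bound)}")
```

An empty result for the "after" data means the group holds no grant that opens a core application; lookup and app queries attached to the old authorization still need the re-creation mentioned in post 15.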