IBM Maximo EVERYONE Security Group Explained

The EVERYONE Security Group Explained

Updated March 15, 2019

In Maximo, security group configuration is very important and when your security access is not behaving as expected, it can cause serious disruptions. Most often, issues with security groups can be chalked up to a logical error. However, in newer versions of Maximo security access issues might be also caused by the EVERYONE group settings. The EVERYONE group, introduced in Maximo version 7, differs from typical security groups in that it does not conform to the regular security group behavior.

Unlike all other security groups, the EVERYONE group always acting as a non-independent group. That happens even if the “Independent of Other Groups?” checkbox is checked, as described in this post from the IBM Knowledge Center. After reading the IBM post, one could assume that behavior of this group would not change regardless if the “Independent of Other Groups?” checkbox is checked or not. Unfortunately, this is not the case. IBM actually recommends in this Technote that the “Independent of Other Groups?” checkbox is never checked specifically due to the unpredictable behavior this change causes.

Even if you are already following the recommendations made by IBM “Independent of Other Groups?” checkbox you might still be experiencing unexpected result. That’s because the EVERYONE group has one more trick up its sleeve. If your user belongs to the EVERYONE group and another security group, the conditions applied to the permissions in the EVERYONE group will override the lack of conditions applied to the permissions in the other group. This is very significant as it goes against the logic of all other security groups where in the case of permission overlap, the user is given the most permissive option. There are also a few eccentricities when it comes to overlaps with independent and non-independent security groups. Below are examples to illustrate these differences:

Everyone Group Combination chart 1: Non-independant
Figure 1: EVERYONE group combined with a Non-Independent group. Notice that Condition1 overwrites the lack of condition in Purchase Requisitions but Condition2 ORs with Condition3 for the case of condition overlap in Work Order Tracking.
Everyone Group Combination chart 2: Independent
Figure 2: EVERYONE group combined with an Independent group. Notice that Condition1 overwrites the lack of conditions in Purchase Requisitions and Condition2 overwrites Condition3 in Work Order Tracking.

In short, the EVERYONE group essentially acts as a Non-Independent group regardless of if the “Independent of Other Groups?” checkbox is checked. However, IBM recommends this checkbox should never be checked due to unpredictable behavior caused by it. Also, conditions applied to permissions on the EVERYONE group are treated as global.

About the Author

Myles Vivian

Myles Vivian is an application consultant at Ontracks. He mostly spends his days performing large scale data migrations, configuring system infrastructure, writing automation scripts and writing Maximo blog posts. For the past year, he has also been involved with helping members of the IBM team develop their open source project called the maximodev-cli.