With the introduction of the Maximo Application Suite (MAS), which places multiple products under a single portfolio that a user can access, several security changes affect customers upgrading Maximo Manage. Notable security changes in MAS include:

  1. Authentication moving from Maximo to MAS Level
  2. New Field Mapping for LDAP to MAS
  3. New MAS Administrator role
  4. MAS end user log in
  5. MAS end user log out
  6. MAS password requirements for direct authentication

Authentication Moving from Maximo to MAS Level

In Maximo 7.6.1.2 and earlier versions, users authenticated to the Maximo server itself to gain access. Starting with MAS, authentication moves from the Maximo (application) level to the Suite level. After authenticating once to MAS, a user can open any product within the Suite that they are entitled to, such as Maximo Manage, Asset Health, Monitor and/or Predict, through Single Sign On (SSO) without signing into each product individually.

Because of this change, many clients will need to reconfigure their SSO integration so that it targets MAS rather than Maximo.

New Field Mapping for LDAP to MAS

With MAS authentication, IBM provides a configuration page that maps the fields of the SSO system (or LDAP directory) to MAS user attributes. Clearly understanding each field definition and its mapping is critical to ensuring the correct user information is brought over to MAS, because a mis-mapped attribute is what every Suite application will then see for that user.

New MAS Administrator Role

A new MAS Administrator role is required to manage users, assign AppPoints, and maintain the MAS environment. The role is mandated by MAS itself and carries its own licensing requirements.

The new MAS Administrator may also be required to gather system logs for functional, performance or security troubleshooting. Therefore, they should have some familiarity with OpenShift (the platform MAS is deployed on) and be able to read those logs in detail.

At least one user must hold the MAS Administrator role. The MAS Administrator is an authorized (named) user and consumes 15 AppPoints for licensing.

The Maximo Administrator role remains as-is for the Manage application. This role will continue to be responsible for the Maximo Manage security groups and users, and other configurable settings including cron tasks, comm templates, and more.

MAS End User Log In

In prior releases of Maximo, a user would sign in and their default Maximo Start Center or application would display. 

With MAS, the user first signs into the Suite and then the Suite navigator displays. On this page, the user can see all the Suite applications they have access to. For example, a user with access to Maximo Manage, Health, Monitor, Predict, and Visual Inspection sees a card for each of those applications.

To access Maximo Manage, the user would select the Manage card or link, which would then bring them to their default Maximo Manage Start Center or application. 

MAS End User Log Out

In addition to the new login navigation, the MAS Application point (AppPoint) licensing model requires users to take a more active role in ending their MAS sessions.

As detailed in this previous blog on the types of users, application access and AppPoint requirements, clients have a pool of licensed AppPoints that their users pull from. For example, user Wilson is assigned 15 points as a Premium, Authorized User. Each time Wilson signs into MAS, 15 points are subtracted from the available pool of points.

  • When Wilson completes his work in MAS and logs out of the system, those 15 points are returned to the pool for other users to consume.
  • However, if Wilson does not sign out of MAS after completing his work – those 15 points remain in use – even if he is not active. They are then not available to someone who may need the points/access to perform their work.

Therefore, it is important for users to sign out of MAS/Maximo when their work is completed, so that the points are available to other users.

Additionally, recent MAS updates let clients sign out users who are inactive. MAS administrators can now specify how long a web browser session can be idle before that session is automatically logged out. By default this is set to 30 minutes, but it can be lowered to suit the users and usage patterns of your system. The idle timeout is a safety net rather than a substitute for signing out: points held by an abandoned session only return to the pool once the full idle period has elapsed, whereas an explicit logout returns them immediately.

In short, when a user logs in their points are removed from the pool, and when they log out (or are logged out for inactivity) those points are returned to the pool for other users.
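To make the pool behaviour concrete, here is a small simulation added to this post. It is a constructed example, not IBM code or anything from MAS itself: it only reproduces the rules described above (login consumes points, logout returns them, sessions idle longer than the administrator's timeout are reclaimed). The users, the 30-point pool, the timings and the assumption that a user who signs in twice is not charged twice are all made up for illustration.

```python
"""Toy model of a MAS AppPoint pool (constructed example, not IBM code)."""
from dataclasses import dataclass

DEFAULT_IDLE_TIMEOUT = 30 * 60   # MAS default described in the post: 30 minutes


@dataclass
class Session:
    user: str
    points: int
    last_activity: int           # seconds since an arbitrary epoch


class AppPointPool:
    def __init__(self, total_points: int, idle_timeout: int = DEFAULT_IDLE_TIMEOUT):
        self.total_points = total_points
        self.idle_timeout = idle_timeout
        self.sessions: dict[str, Session] = {}

    def in_use(self) -> int:
        return sum(s.points for s in self.sessions.values())

    def available(self) -> int:
        return self.total_points - self.in_use()

    def login(self, user: str, points: int, now: int) -> bool:
        """Consume `points` for `user`; returns False when the pool cannot cover them.

        Assumption (not stated in the post): a user who is already signed in
        refreshes the existing session instead of being charged a second time.
        """
        if user in self.sessions:
            self.sessions[user].last_activity = now
            return True
        if points > self.available():
            return False
        self.sessions[user] = Session(user, points, now)
        return True

    def activity(self, user: str, now: int) -> None:
        self.sessions[user].last_activity = now

    def logout(self, user: str) -> None:
        """Explicit sign-out: the points go straight back to the pool."""
        self.sessions.pop(user, None)

    def reap_idle(self, now: int) -> list[str]:
        """Administrator-configured idle timeout: sign out sessions idle too long."""
        idle = [u for u, s in self.sessions.items()
                if now - s.last_activity >= self.idle_timeout]
        for u in idle:
            del self.sessions[u]
        return idle


def demo(idle_timeout: int = DEFAULT_IDLE_TIMEOUT) -> dict:
    """Walk through the scenario from the post with a made-up 30-point pool."""
    pool = AppPointPool(total_points=30, idle_timeout=idle_timeout)
    out = {}
    pool.login("wilson", 15, now=0)                      # premium user, 15 points
    pool.login("amy", 15, now=0)                         # premium user, 15 points
    out["free_after_logins"] = pool.available()          # pool is now exhausted
    pool.activity("amy", now=10 * 60)                    # Amy's last click at minute 10, never logs out
    pool.logout("wilson")                                # Wilson signs out: 15 points back
    pool.login("jose", 15, now=12 * 60)                  # ... and Jose takes them
    out["reclaimed_at_20"] = pool.reap_idle(now=20 * 60)
    out["pat_admitted_at_20"] = pool.login("pat", 15, now=20 * 60)  # denied while Amy's points are stranded
    out["reclaimed_at_41"] = pool.reap_idle(now=41 * 60)            # Amy idle > 30 min: reclaimed
    out["pat_admitted_at_41"] = pool.login("pat", 15, now=41 * 60)
    out["free_at_41"] = pool.available()
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` with the 30-minute default shows Pat locked out at minute 20 by points Amy is no longer using, and admitted only after the idle reaper runs at minute 41; `demo(idle_timeout=5 * 60)` shows the same stranded session reclaimed at minute 20 instead, which is the effect of lowering the timeout.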

MAS Password Requirements for Direct Authentication

For clients whose users authenticate directly to MAS (that is, without a corporate Single Sign On (SSO)), the original MAS password requirement was a minimum of 15 characters using a combination of letters, numbers, and special characters.

With MAS 8.9, released in November 2022, MAS administrators can define the password requirements themselves: the minimum length and the minimum number of uppercase, lowercase, special and numeric characters. The administrator can also require a user to change their password on their initial login to MAS.

If the user is required to change their password at the initial login, or chooses to change it at any other time, the specific password requirements defined by the MAS administrator are displayed to them. This includes the total number of characters required, along with any other maximum or minimum requirement for each character class.
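The check an administrator-defined policy like this implies, as an example added here rather than IBM code or MAS's own implementation: a policy record with the five settings the post names (length and per-class minimums), a validator that reports every rule a candidate password fails, and a helper that produces the requirement text a user would be shown. The policy values, the sample passwords and the reading of "letters" in the original rule as at least one lowercase letter are assumptions for illustration.

```python
"""Password-policy check modelled on the configurable MAS 8.9 rules.

Constructed example, not IBM code: field names, policy values and sample
passwords are assumptions for illustration.
"""
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    min_upper: int = 0
    min_lower: int = 0
    min_digits: int = 0
    min_special: int = 0


# The pre-8.9 rule described in the post: 15 characters mixing letters, numbers
# and special characters. Assumption: "letters" modelled as at least one lowercase letter.
ORIGINAL_MAS_POLICY = PasswordPolicy(min_length=15, min_lower=1, min_digits=1, min_special=1)

# An administrator-defined policy of the kind MAS 8.9 allows (values are made up).
ADMIN_POLICY = PasswordPolicy(min_length=12, min_upper=2, min_lower=2, min_digits=2, min_special=2)

SPECIAL = set(string.punctuation)   # what counts as a "special" character here


def check_password(password: str, policy: PasswordPolicy) -> list[str]:
    """Return the names of the policy rules the password fails (empty list = accepted)."""
    counts = {
        "min_length": len(password),
        "min_upper": sum(c.isupper() for c in password),
        "min_lower": sum(c.islower() for c in password),
        "min_digits": sum(c.isdigit() for c in password),
        "min_special": sum(c in SPECIAL for c in password),
    }
    return [rule for rule, have in counts.items() if have < getattr(policy, rule)]


def describe(policy: PasswordPolicy) -> str:
    """The requirement text to show a user who is changing their password."""
    parts = [f"at least {policy.min_length} characters"]
    labels = [("min_upper", "uppercase"), ("min_lower", "lowercase"),
              ("min_digits", "numeric"), ("min_special", "special")]
    for rule, label in labels:
        n = getattr(policy, rule)
        if n:
            parts.append(f"at least {n} {label}")
    return "Password must contain " + ", ".join(parts) + "."


if __name__ == "__main__":
    for pw in ["Sh0rt!pw", "correct-horse-battery-7!"]:
        print(pw, "->", check_password(pw, ORIGINAL_MAS_POLICY) or "accepted")
    print(describe(ADMIN_POLICY))
    print("Maximo-Manage-2024!", "->", check_password("Maximo-Manage-2024!", ADMIN_POLICY) or "accepted")
```

Reporting every failed rule at once, rather than stopping at the first, matches what the post describes: the user sees the full set of requirements, not a single generic rejection.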

Interested in learning more about these MAS Security changes and other MAS updates? Contact Maven today at MAS@mavenasset.com.