The Significance of “Independent of Other Groups” in Security Groups

The “Independent of Other Groups” checkbox in the security group application is one of the most misunderstood concepts in Maximo. What is the significance of this checkbox? How does it affect the security authorization of the group? Let’s have a look.

As the name suggests, the “Independent of Other Groups” checkbox on the main tab of the security group application specifies whether the group is independent of other groups or not. In other words, it controls whether the authorizations of this group can be merged with the authorizations of other groups. This only applies to multisite implementations; for a single-site implementation the checkbox doesn’t have any significance. Let’s understand how this works:

Scenario 1: Consider a multisite implementation; the user belongs to two security groups with the following privileges:

Group 1: Site A and Work Order Tracking application

Group 2: Site B and Purchase Orders application

If these security groups are both independent, then the user ends up with rights for Work Order Tracking on Site A and Purchase Orders on Site B. If, however, the security groups are non-independent, then the privileges combine and the user ends up with both Work Order Tracking and Purchase Orders on Sites A and B. Basically, you sum up the privileges, and if any of them overlap you take the highest level.

Scenario 2: Consider a single-site implementation; the user belongs to two security groups with the following privileges:

Group 1: Site A (or all sites authorization) and Work Order Tracking application

Group 2: Site A (or all sites authorization) and Purchase Orders application

Since there is only one site, irrespective of whether these groups are independent or non-independent, the user will have rights to both Work Order Tracking and Purchase Orders on Site A.

Scenario 3: Consider a single-site implementation; the user belongs to two security groups with the following privileges:

Group 1: NO SITE and Work Order Tracking application

Group 2: Site A (or all sites authorization) and Purchase Orders application

If these security groups are both independent, then the user ends up with rights for only Purchase Orders on Site A. This is because the two groups are independent and Group 1 doesn’t have authorization to any site, hence the user doesn’t have rights to Work Order Tracking on Site A. If, however, the security groups are non-independent, then the privileges combine and the user ends up with both Work Order Tracking and Purchase Orders on Site A.

NOTE: This is why the independent checkbox should not be checked for single site implementations.

Scenario 4: Consider a multisite implementation; the user belongs to two security groups with the following privileges:

Group 1: Site A and Work Order Tracking application – Read, Route workflow Access

Group 2: Site B and Work Order Tracking application – Read, Change Status Access

If these security groups are both independent, then the user ends up with rights for Work Order Tracking – Read, Route workflow Access on Site A and Work Order Tracking – Read, Change Status Access on Site B. If, however, the security groups are non-independent, then the privileges combine and the user ends up with Work Order Tracking – Read, Route workflow & Change Status Access on Sites A and B.

Scenario 5: Consider a multisite implementation; the user belongs to two security groups with the following privileges:

Group 1: Site A and PO Limit of 10,000

Group 2: Site B and PO Limit of 50,000

If these security groups are both independent, then the user ends up with a PO Limit of 10,000 for Site A and a PO Limit of 50,000 for Site B. If, however, the security groups are non-independent, then the privileges combine and the user ends up with a PO Limit of 50,000 for both Sites A and B.

Note: Never change the MAXEVERYONE group to an independent group, as this group has a lot of conditional grants which will stop working if the group is made independent without granting access to all sites (similar to Scenario 3).

IBM Tech Note on why MAXEVERYONE shouldn’t be set as independent
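
The merge rule the five scenarios describe can be written down as a small model, added here as an illustration; it is not Maximo code or an IBM API. The `Group` class, the `effective_rights` and `scenario` functions, and the “Read” option in the sample data are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Group:
    name: str
    independent: bool
    sites: set = field(default_factory=set)
    apps: dict = field(default_factory=dict)  # application -> set of options
    po_limit: int = 0

def _combine(groups):
    """Sum privileges: union sites and options, keep the highest PO limit."""
    sites, apps, limit = set(), {}, 0
    for g in groups:
        sites |= g.sites
        for app, opts in g.apps.items():
            apps.setdefault(app, set()).update(opts)
        limit = max(limit, g.po_limit)
    return sites, apps, limit

def effective_rights(groups):
    """Return {site: (apps, po_limit)} for one user's group memberships."""
    merged = [g for g in groups if not g.independent]
    units = [_combine(merged)] if merged else []  # non-independent groups merge
    units += [_combine([g]) for g in groups if g.independent]  # each stands alone
    rights = {}
    for sites, apps, limit in units:
        for site in sites:  # a unit with no site grants nothing anywhere
            site_apps, site_limit = rights.setdefault(site, ({}, 0))
            for app, opts in apps.items():
                site_apps.setdefault(app, set()).update(opts)
            rights[site] = (site_apps, max(site_limit, limit))
    return rights

def scenario(independent, spec):
    """Build groups from (sites, apps, po_limit) tuples, all with the same flag."""
    groups = [Group(f"Group {i}", independent, set(s), a, p)
              for i, (s, a, p) in enumerate(spec, 1)]
    return effective_rights(groups)

# Constructed inputs mirroring Scenarios 3 and 5 above.
S3 = [((), {"Work Order Tracking": {"Read"}}, 0),
      (("A",), {"Purchase Orders": {"Read"}}, 0)]
S5 = [(("A",), {}, 10_000), (("B",), {}, 50_000)]

if __name__ == "__main__":
    for label, spec in (("Scenario 3", S3), ("Scenario 5", S5)):
        for flag in (True, False):
            print(label, "independent" if flag else "merged", scenario(flag, spec))
```

Running the same group definitions with the flag set both ways shows exactly which rights a user gains or loses when the checkbox is changed, which is the comparison to make before editing a group that is already in use.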

5 thoughts on “The Significance of “Independent of Other Groups” in Security Groups”

  1. A user belongs to 3 security groups:
    Group 1 – Non-independent security group with access to Site A
    Group 2 – Non-independent security group with read, write access to Purchase Orders App.
    Group 3 – Independent security group with read only access to Purchase Orders in Site A and B.

    What happens when these combine?

    1. In this case the user will have access to the following :
      1. Site A : Read & write access to PO
      2. Site B : Read access to PO

  2. Excellent Information, Thanks for posting.
    I have only one question here.
    If the user is part of only one Independent and one non-Independent group, I hope the non-Independent group acts like an Independent group because no second non-independent group exists for this user.
    Is this correct?

    1. Yes, that’s correct. Since one is independent, the other non-independent group doesn’t have any other group to merge with.

  3. Hi PK,

    I have an issue where any security group that has “Authorize group for all sites” checked doesn’t show up. It seems as if I do not have access even when I am assigned to those groups and logged in as MAXADMIN. Please help.

    Thanks,
    Priya
