How the EVERYONE Security Group Changes Everything
In Maximo, security group configuration is very important and when your security access is not behaving as expected, it can cause serious disruptions. Most often, issues with security groups can be chalked up to a logical error. However, in newer versions of Maximo security access issues might be also caused by the EVERYONE group settings. The EVERYONE group, introduced in Maximo version 7, differs from typical security groups in that it does not conform to the regular security group behavior.
Unlike all other security groups, the EVERYONE group always acting as a non-independent group. That happens even if the “Independent of Other Groups?” checkbox is checked, as described in this post from the IBM Knowledge Center. After reading the IBM post, one could assume that behavior of this group would not change regardless if the “Independent of Other Groups?” checkbox is checked or not. Unfortunately, this is not the case. IBM actually recommends in this Technote that the “Independent of Other Groups?” checkbox is never checked specifically due to the unpredictable behavior this change causes.
Even if you are already following the recommendations made by IBM “Independent of Other Groups?” checkbox you might still be experiencing unexpected result. That’s because the EVERYONE group has one more trick up its sleeve. If your user belongs to the EVERYONE group and another security group, the conditions applied to the permissions in the EVERYONE group will override the lack of conditions applied to the permissions in the other group. This is very significant as it goes against the logic of all other security groups where in the case of permission overlap, the user is given the most permissive option. Below is an example describing this behavior:
In short, the EVERYONE group acts as a Non-Independent group regardless of if the “Independent of Other Groups?” checkbox is checked. However, IBM recommends this checkbox should never be checked due to unpredictable behavior caused by it. Also, conditions applied to permissions on the EVERYONE group are treated as global.