Maximo’s REST API is a powerful tool for exchanging data with external applications, but it's important to ensure that access is granted only to those who need it. In this article, we'll explore best practices for enhancing security in Maximo’s REST API, specifically focusing on object structure security, minimum privilege security models, security group creation, and the use of API keys for integration.
Object structure security is a key component of securing Maximo’s REST API. By default, user-created object structures and most out-of-the-box object structures in Maximo are open to any authenticated Maximo user. This means that anyone holding credentials that can log into the system can read the data exposed by those object structures through the REST API. To close this exposure, turn on the "mxe.int.enableosauth" system property. This property enforces explicitly granted object structure access: users can reach only the object structures that have been granted to their security groups. Administrators then manage REST API access with the same security groups they already use in Maximo, and users see only the data they have been explicitly authorized to see.
Implementing a minimum or least privilege security model is a best practice for enhancing security in Maximo. Instead of running every integration under one user with administrator-level access, create a dedicated user with limited access for each integration and control its privileges through security groups. By creating a separate security group for each integration and granting it only the access needed to perform its tasks, the risk of unauthorized access is minimized. In practice, an integration user is granted no front-end Maximo applications and reaches Maximo only through the API. Most of the granted object structures are read-only, with a select few granted save, insert, and delete access.
Using API keys for integration is a secure option and works with SOAP, REST, and the other APIs that Maximo offers. API keys are a more secure alternative to authenticating with a username and password. Once you move to Maximo Application Suite, API keys are the only method of authenticating with the Manage API. They also work regardless of whether you are using NATIVE, LDAP, or SAML authentication. When using API keys, make sure they are created and distributed securely, and revoke them as soon as they are no longer needed.
The following query lists the object structure access (read, save, insert, delete) that is currently granted to security groups, which is a useful starting point for reviewing who can reach what through the API:
select * from applicationauth
where app in ( select intobjectname from MAXINTOBJECT )
and optionname in ('READ','SAVE','INSERT','DELETE')
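The article's query above shows raw authorization rows. As an added example (not part of the original article), the statements below extend it into a small audit: they check whether mxe.int.enableosauth is set, list object structure grants per security group with descriptions, and resolve group membership to show which users effectively hold write access. They assume the standard Maximo tables APPLICATIONAUTH, MAXINTOBJECT, MAXGROUP, GROUPUSER, MAXPROP, and MAXPROPVALUE; confirm the names against your own schema before relying on the results.

```sql
-- Added example, not from the original article. Assumes the standard Maximo
-- tables APPLICATIONAUTH, MAXINTOBJECT, MAXGROUP, GROUPUSER, MAXPROP and
-- MAXPROPVALUE; verify these against your own database.

-- 1. Is explicit object structure authorization enforced?
--    A missing row or a value other than 1 means object structures remain
--    open to every authenticated user.
select p.propname, v.servername, v.propvalue
from maxprop p
left join maxpropvalue v on v.propname = p.propname
where p.propname = 'mxe.int.enableosauth';

-- 2. Object structure access granted per security group, with descriptions,
--    so each integration group can be compared against what it actually needs.
select a.groupname,
       g.description  as group_description,
       a.app          as object_structure,
       o.description  as os_description,
       a.optionname
from applicationauth a
join maxintobject o on o.intobjectname = a.app
join maxgroup     g on g.groupname     = a.groupname
where a.optionname in ('READ', 'SAVE', 'INSERT', 'DELETE')
order by a.groupname, a.app, a.optionname;

-- 3. Effective write access per user: any user appearing here can modify
--    data through the REST API via at least one of their groups. Integration
--    users should appear only for the few object structures that need it.
select gu.userid,
       a.groupname,
       a.app as object_structure,
       a.optionname
from applicationauth a
join groupuser    gu on gu.groupname     = a.groupname
join maxintobject o  on o.intobjectname  = a.app
where a.optionname in ('SAVE', 'INSERT', 'DELETE')
order by gu.userid, a.app, a.optionname;
```

Run the three statements together during each periodic review: the first confirms the property is enforced, the second shows the grants per group, and the third is the one to compare against the list of integrations, since a user with write access to an object structure that its integration never updates is a candidate for trimming.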
Securing Maximo’s REST API with object structure security is critical to preventing security vulnerabilities and ensuring that access is granted only to those who need it. By understanding object structure security, implementing a minimum or least privilege security model, creating dedicated security groups, and using API keys for integration, you ensure that only authorized users can reach the system and minimize the risk of unauthorized access and data breaches.
An important consideration is the need to periodically review and update your security settings. As business and IT requirements change, revisit your security settings to confirm they are still appropriate for your needs. Regular security audits help identify vulnerabilities and provide recommendations for improving security.