User Management in MAS v9.0

LDAP, SCIM, APIs, and User Synchronization Explained 

The introduction of IBM Maximo Application Suite (MAS) v9.0 has redefined the landscape of user management within the Maximo ecosystem. With MAS now acting as a unified suite housing applications like Manage, Monitor, Health, and more, the shift from application-specific identity management to centralized suite-level provisioning brings new capabilities, integration options, and best practices for modern organizations. In this blog, we will explore: MAS v9.0 user management architecture, LDAP versus SCIM for identity provisioning, how the MAS Admin API supports password resets and entitlements, and automation strategies for User Synchronization (UserSynch). 

Note: We will have an updated version for MAS 9.1 that introduces changes in this area.  

User Management in MAS v9.0 

In MAS v7.6, user management occurred entirely within Maximo. With MAS v9.0, user provisioning and entitlements are handled at the suite level, while some elements (such as security group assignments in Manage) remain within the individual applications.

This dual-tier model means: 

  • MAS controls user creation, entitlements, and application access. 
  • Manage (Maximo) still handles security group membership. 
  • MAS v9.1 is expected to consolidate more of this functionality into the suite-level administration. 

Administrators can still create users manually via the UI or CSV import, but for enterprise-scale environments, automated user synchronization is key, and that’s where LDAP and SCIM come in. 

LDAP vs. SCIM: Which Should You Use? 

MAS v9.0 supports both LDAP (Lightweight Directory Access Protocol) and SCIM (System for Cross-domain Identity Management) for user synchronization. The chart below shows the differences between LDAP and SCIM:

| Feature | LDAP | SCIM |
|---|---|---|
| Common Use Case | On-premise Active Directory environments | Cloud-based identity providers (e.g., Microsoft Entra) |
| Configuration | Requires XML configuration and cron tasks | UI-driven with real-time or scheduled provisioning |
| Sync Frequency | Scheduled via cron task | On-demand or timed provisioning |
| Delay Risk | Potential sync delays | Near real-time provisioning |
| Modern Architecture | No | Yes |

Key Insight: Organizations transitioning to the cloud and managing users through Microsoft Entra (formerly Azure AD) should consider using SCIM. It aligns with MAS’s OpenShift-based cloud architecture, offering better flexibility, UI-based configuration, and faster user updates.

MAS API: Beyond User Creation 

MAS Admin APIs in v9.0 enable powerful automation capabilities including: 

  • Password resets 
  • Profile updates 
  • Entitlement alignment 
  • IDP (Identity Provider) management 

Example Use Case: 
Resetting passwords in non-production environments was a challenge due to MAS’s separation from Maximo’s internal password store. The solution involved using the MAS Admin API to reset passwords in bulk via scripts, removing the need to manually reset users one at a time. 

The API enables integration with custom tools, scheduled jobs, or button-triggered actions to send password tokens, update entitlements, or assign roles—all without requiring UI interaction. 

📈 Aligning Entitlements Automatically 

User entitlements in MAS determine application access and license usage. When users are provisioned via SCIM or LDAP, they’re often assigned a default entitlement (e.g., Self-Service). However, once security groups are assigned in Manage, these default roles may become outdated. 

With MAS APIs, organizations can: 

  • Query user profiles and their current group memberships. 
  • Compare entitlements to recommended license levels (e.g., Premium, Limited). 
  • Automatically update user entitlements to match their actual roles. 

This ensures accurate licensing, better security control, and reduced administrative overhead.
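The comparison step described above can be sketched as follows. This is an added example, not code from the article or from IBM: the group names, the group-to-level mapping and the default level are assumptions, and it only plans changes, leaving the query and update calls to the MAS Admin API out of scope.

```python
# Entitlement levels named in the article, ordered from least to most access.
LEVELS = ["Self-Service", "Limited", "Premium"]
DEFAULT_LEVEL = "Self-Service"  # assumed level for users with no groups

# Hypothetical mapping: minimum entitlement each Manage security group needs.
GROUP_MIN_LEVEL = {
    "SR_REQUESTER": "Self-Service",
    "TECHNICIAN": "Limited",
    "PLANNER": "Premium",
}

def recommended_level(groups):
    """Return (level, unknown_groups); level is None if any group is unmapped."""
    unknown = sorted(g for g in groups if g not in GROUP_MIN_LEVEL)
    if unknown:
        return None, unknown  # fail closed: never guess a licence level
    needed = [GROUP_MIN_LEVEL[g] for g in groups] or [DEFAULT_LEVEL]
    return max(needed, key=LEVELS.index), []

def plan_changes(users):
    """Compare each user's entitlement with what their groups require."""
    changes, review = [], {}
    for u in users:
        level, unknown = recommended_level(u["groups"])
        if unknown:
            review[u["id"]] = unknown  # unmapped group: a human decides
        elif level != u["entitlement"]:
            up = LEVELS.index(level) > LEVELS.index(u["entitlement"])
            changes.append((u["id"], u["entitlement"], level,
                            "upgrade" if up else "downgrade"))
    return changes, review

# Constructed sample data standing in for the result of the profile query.
SAMPLE_USERS = [
    {"id": "alice", "groups": ["TECHNICIAN"], "entitlement": "Self-Service"},
    {"id": "bob", "groups": ["SR_REQUESTER"], "entitlement": "Premium"},
    {"id": "carol", "groups": ["PLANNER", "TECHNICIAN"], "entitlement": "Premium"},
    {"id": "dave", "groups": ["LEGACY_GRP"], "entitlement": "Limited"},
]

if __name__ == "__main__":
    changes, review = plan_changes(SAMPLE_USERS)
    for user, current, recommended, direction in changes:
        print(f"{direction}: {user} {current} -> {recommended}")
    print("needs review:", review)
```

Downgrades are reported alongside upgrades so that over-entitled accounts are surfaced, and users holding an unmapped group are held for review rather than changed.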

Automating User Synchronization (UserSynch) 

UserSynch ensures that fields not included in standard SCIM sync (e.g., supervisor or employee ID) are populated in Maximo. For example: 

  • The manager field from Entra is used to populate the supervisor field in Maximo. 
  • The employee number is used to automatically create a labour code for the user. 

These enhancements were achieved through automation scripts triggered by cron tasks in Manage. The script reads user data, calls the MAS API, and updates corresponding Maximo fields—all seamlessly. 
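The field mapping described above, as an added example that is not the article's script: it derives the supervisor and labour code values from user records and validates them before anything is written. It assumes the source records use the SCIM enterprise user extension (RFC 7643); the person ID convention, the labour code pattern and the sample data are constructed assumptions.

```python
import re

# SCIM enterprise user extension (RFC 7643) carrying manager and employeeNumber.
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
LABOR_CODE_RE = re.compile(r"[A-Z0-9]{1,8}")  # assumed site policy for labour codes

def person_id(user):
    # Assumed convention: person ID is the userName local part, upper-cased.
    return user["userName"].split("@")[0].upper()

def derive_updates(scim_users):
    """Return ({person_id: {field: value}}, [(person_id, reason skipped)])."""
    by_scim_id = {u["id"]: person_id(u) for u in scim_users}
    updates, skipped = {}, []
    for u in scim_users:
        pid, ext, fields = person_id(u), u.get(ENTERPRISE) or {}, {}
        mgr = (ext.get("manager") or {}).get("value")
        if mgr == u["id"]:
            skipped.append((pid, "manager is self"))
        elif mgr is not None and mgr not in by_scim_id:
            skipped.append((pid, "manager not provisioned"))
        elif mgr is not None:
            fields["SUPERVISOR"] = by_scim_id[mgr]
        # Validate the identity-provider value before it becomes a record key.
        emp = str(ext.get("employeeNumber") or "").strip().upper()
        if LABOR_CODE_RE.fullmatch(emp):
            fields["LABORCODE"] = emp
        elif emp:
            skipped.append((pid, "employeeNumber rejected"))
        if fields:
            updates[pid] = fields
    return updates, skipped

# Constructed sample resources; IDs, names and numbers are made up.
SAMPLE = [
    {"id": "a1", "userName": "mgr.one@example.com",
     ENTERPRISE: {"employeeNumber": "10001"}},
    {"id": "b2", "userName": "tech.two@example.com",
     ENTERPRISE: {"employeeNumber": "10002", "manager": {"value": "a1"}}},
    {"id": "c3", "userName": "temp.three@example.com",
     ENTERPRISE: {"employeeNumber": "E-3;X", "manager": {"value": "zz9"}}},
    {"id": "d4", "userName": "guest.four@example.com"},
]

if __name__ == "__main__":
    updates, skipped = derive_updates(SAMPLE)
    print(updates)
    print(skipped)
```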

Two Approaches for Implementing UserSynch 

| Approach | Details |
|---|---|
| Automation Scripts | Script-driven logic using Maximo cron tasks. Simple, centralized, but might be considered a customization by some organizations |
| Integration Components | Uses Maximo’s out-of-the-box tools (Enterprise Services, Publish Channels, External Systems, End Points, etc.) |

Automation scripts provide a simpler setup and centralized logic but may be harder to maintain if scripts grow complex. 
Integration components require more configuration across several applications but are modular and often preferred for long-term maintainability. 

Best practice: Keep the solution configurable in the UI where possible (especially with SCIM mappings), so that adding new fields doesn’t require re-coding. 

🤔 Final Thoughts 

MAS v9.0 introduces a modern, centralized, and flexible approach to user management that aligns with the needs of cloud-native enterprises. Whether you’re using LDAP or SCIM, integrating via APIs, or building automation with scripts, there are powerful tools available to streamline identity provisioning, licensing, and access control. 

Key Takeaways: 

  • SCIM is ideal for cloud environments using Microsoft Entra. 
  • MAS Admin API empowers automation for password resets and entitlements. 
  • UserSynch can be implemented via scripts or integration frameworks. 
  • Flexibility and configurability are crucial for long-term sustainability. 

If you’re planning a MAS upgrade or need help designing your user provisioning and synchronization strategy, MRM-EAM Consulting can help. We specialize in secure, scalable, and cloud-aligned Maximo implementations tailored to your environment. 

Contact us at info@mrm-eam.com to learn how we can help optimize your MAS deployment.