Maximo authorized user and the over deployment risk.
Maximo is licensed by authorized user, and the platform carries more than one class of user with very different rights. Over deployment happens when occasional and limited users are licensed as if they were full ones, or never removed at all. The count IBM presents is rarely the count you actually owe.
Maximo, the asset and work management platform, is licensed primarily by authorized user, a named entitlement assigned to a specific person rather than a floating or concurrent allowance. The metric is straightforward in principle and surprisingly slippery in practice, because Maximo has historically offered more than one class of authorized user. A full authorized user with broad access is a heavier entitlement than a user limited to a defined, narrower set of functions, and the platform is also accessed by people who only ever submit or view a request. Treating all of these as the same thing is the root of most Maximo over deployment.
The exact user types, their boundaries, and what each one is permitted to do are defined in the License Information document for the Maximo version and edition you hold. That document, not an internal assumption about who does what, is the reference that decides whether a given person needs a full authorized user or a lighter one. Reading it against the real access pattern is the difference between a defensible count and an inflated one.
Where the over deployment hides
- Occasional or request only users licensed as full authorized users rather than the limited type their access actually fits
- Leavers and role changes never removed from the authorized user list
- External contractors, vendors, and field staff added without mapping them to the correct user class
- Integration and service accounts counted as named human users
- Self service or work request access treated as a full entitlement when a lighter provision applies
Why the metric drifts
Maximo deployments grow alongside the operations they support. New sites, new contractors, and new integrations get added under whatever provisioning was convenient at the time, and the authorized user list accumulates entries that no longer match how anyone works. Because the entitlement is named rather than concurrent, every stale or misclassified entry sits on the books until someone reconciles it. An audit is usually the first time anyone counts the list against the License Information user definitions, and by then the gap can look large.
How we defend it
The defense reconciles the authorized user list against the actual access pattern and the user type definitions in your License Information terms. We map each person to the lightest user class their genuine usage supports, strike the leavers, duplicates, and non human accounts, and separate request only access from full authorized use. Where IBM has counted occasional users as full ones, we reclassify them with evidence. The corrected count reflects who really uses Maximo and how, supported by your own records, rather than the broad reading the opening finding applied.
Maximo authorized user findings come from treating every account as a full user. Map each person to the lightest user class their access supports under your License Information terms, strike the stale and non human accounts, and reclassify the occasional users so the count reflects real, current use.
Is your Maximo user list overstated?
Our Audit Defense engagement reconciles the authorized user list to real access, maps each person to the correct user class, and challenges any count that treats occasional users as full ones.
See Audit Defense →The IBM Audit Brief
Audit triggers, ILMT pitfalls, and settlement tactics for IBM software buyers.
Independent, buyer side IBM software audit defense and negotiation. Not affiliated with IBM Corporation.