How to Set Up CSM Security Groups, Teams, and Users

 This topic applies to: CSM authentication

Before you begin, note the following:

  • This topic describes one part of the process of setting up CSM authentication for use with Cherwell Asset Management. See CAM Authentication and Authorization for an overview of available authentication methods, and Checklist for Using CSM Authentication for a list of all tasks you need to complete before using CSM authentication.
  • This topic only discusses these terms and procedures in the context of CSM authentication for Cherwell Asset Management; for more information on Cherwell Service Management, see

After you've installed Cherwell Service Management and have a connection for use with Cherwell Asset Management, configure CSM by setting up CSM security groups, CSM users, and CSM teams.

CSM Security Groups

CSM security groups are similar to user policies in Cherwell Asset Management. Both manage user access to the product.

Set up one or more CSM security groups for the purpose of assigning CAM-specific rights to certain users. If you use LDAP/Active Directory plus Windows authentication, associate AD groups with CSM security groups that have CAM rights.

CSM Users

It's important to note that each CSM user can only belong to one CSM security group. Assign users to CSM security groups, and then assign CAM component-specific access rights.

CSM Teams

Using CSM teams is optional. If you plan to strictly control access to data created with Purchasing, you should set up one or more CSM user teams. If you don't need to fine-tune access to that data, you skip this section as well as step 7, below.

Within the context of Purchasing, a CSM user team functions the same as an access profile. The names of CSM user teams appear anywhere access profiles appear, and you can apply them to orders and contracts in the same way you do with access profiles. The difference is that you create the teams and assign users to those teams in Cherwell Service Management Administrator.

If you change to the CSM authentication method after using access profiles while configured for CAM authentication, create CSM teams for each existing access profile, then migrate orders and contracts from your existing access profiles to the new CSM team-based access profiles in Purchasing.

Configuring for CSM Authentication

For on-premises installations, the following procedure applies to sites using the CSM’s internal authentication login mode (the default). See the section at the end of this topic for additional steps to take if using another login mode.

  1. Start Cherwell Service Management Administrator and select the connection you use for CAM.
  2. Log in to a CSM account that has rights to generate the REST API key, create groups, and assign groups.
  3. Select Security in the left pane.
  4. Generate a REST API key.
    1. From the Pick a task screen, select Edit REST API client settings.
    2. Select the green plus sign and enter a name to use for the REST API client.
    3. Copy the string that's generated into the Client Key box. Later, paste this string in CAM's Change Authentication dialog box, in the API key text box.
  5. Create security groups for providing CAM-specific rights.
    • The CAM-specific rights are CAM Administration, CAM Purchasing, and CAM Reporting. When you select one of these from the Categories list box, the list updates with subcategories of the selected rights. Select what permissions users in this group should have, and then select Allow. Do this for each subcategory you want to include, then select Save.
    • Example: A security group that has only CAM Purchasing rights has permissions to only run Purchasing, but not CAM Administrator. A security group with CAM Administration rights and the top subcategory in its list: Configure all aspects of the CAM system (CAM system administrator): has permissions to run all Cherwell Asset Management applications.
  6. Add users to the security group(s).
  7. Optional: Add a CSM user team. (See the explanation of CSM teams above for help with determining if you need to perform this task.)
  8. Select Save, then exit the current screen.
    Eeach user can belong to multiple teams

    If you are changing to CSM authentication from an existing installation where you already used access profiles, you may want to give your CSM teams the same names as those existing access profiles. This makes that part of the change invisible to your Purchasing users; from their view, they simply apply the same access profiles to orders and contracts as before. You as an administrator still need to migrate access profiles from CAM to CSM, but the authentication method appears in parenthesis after each access profile name in Purchasing. This makes it easy to distinguish between access profiles with the same name using different authentication methods as you migrate from CAM to CSM authentication.

CSM authentication is configured for use with Cherwell Asset Management. From here, you can add or change users, security groups, and user teams in Cherwell Service Management Administrator as needed.

Using Non-default CSM Authentication Login Modes

If you're using Windows authentication:

  1. Create a CSM security group with CAM Administration rights.
  2. Import a Windows user.
  3. In CSM, assign the imported Windows user into the CSM security group with CAM Administration rights.
  4. In CAM, use the credentials for the CSDAdmin user to change the authentication method to CSM.