Securing the CSM Database

Cherwell® Service Management uses two accounts for database access: an application-level account and an administrator user account. These two accounts are configured when a 2-tier database connection is created to control the level of database access given for the application.

Create the following two accounts before you run the scripts in this procedure:
  • CSMAdminUser (administrator account)
  • CSMUser (application-level user)

The application and administrator accounts control different aspects of CSM.

By configuring each account separately, CSM uses the appropriate security context for advanced operations that CSM Portal and technician users do not typically perform. These advanced actions usually occur during Blueprint publishes, system restore, and system upgrade. For a multi-tenant environment (multiple databases on a single database server), do not share database accounts if access to these databases is restricted between instances of CSM. Integrated security for connections is not recommended.

Note: When configuring connection options, do not use a single sa account for both account values.

To grant the appropriate permissions, run scripts against the target database for the CSMAdminUser and CSMUser accounts.

  1. On the command line, navigate to the target database.
  2. Run the following script to grant permission to create tables and perform DDL operations to an Administrator user named CSMAdminUser.
                                        DEFAULT_DATABASE=[master], DEFAULT_LANGUAGE=[us_english], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF
    GO
    
    GRANT VIEW SERVER STATE TO [CSMAdminUser]
    GO
    
    CREATE USER [CSMAdminUser] FOR LOGIN [CSMAdminUser] WITH DEFAULT_SCHEMA=[dbo]
    GO
    
    EXEC sp_addrolemember N'db_owner', N'CSMAdminUser'
    GO
                                    
  3. Run the following script to grant permission to access table data to an application-level User named CSMUser.
                                        CREATE USER [CSMUser] FOR LOGIN [CSMUser] WITH DEFAULT_SCHEMA=[dbo]
    GO
    
    EXEC sp_addrolemember N'db_datareader', N'CSMUser'
    GO
    
    EXEC sp_addrolemember N'db_datawriter', N'CSMUser'
    GO