CSM 10.4 Documentation

Security Scenario

Below is an example security scenario. Remember that CSM is highly configurable, so individual Users/Customers, Security Groups, Roles, and Teams/Workgroups will vary.

Andrew, Gina, Sawyer, Tracy, and John work at the River T Corp. organization:

  • Andrew is a System Administrator and is assigned to the Admin User Security Group. As a member of this group, Andrew has security rights to access all data and functionality in the system. This means Andrew has Allow, Run, View, Add, Edit, and Delete rights for all CSM Administrator functionality (security, Blueprints, e-mail setup, etc.), CSM functionality (Dashboards, One-Step Actions, etc.), and Business Object data (Incidents, Problems, etc.). In short, Andrew is a superuser and has rights to do just about anything in CSM. Because Service Desk and Service Desk Manager are legal Roles for the Admin Security Group, Andrew can log in using either of those Roles, and therefore has access to different environments (Dashboards, Forms, etc.).

    Andrew is also a member of two User Teams (2nd Level Support and Knowledge Management), and can therefore share CSM Items (example: Dashboards), support processes (Queues and Knowledge Article publishing/approvals), and record ownership (if configured) with the other members of those Teams. Andrew can use either the Desktop Client to access data or the Browser Client to log in via his web browser.

    Note: Andrew can also function as a Customer to other parts of the organization (example: HR). As a Customer, Andrew is a member of the Portal Customer Security Group and the Information Technology Customer Workgroup. See below for more details about Customers.
  • Gina is the Service Desk Manager and is assigned to the Service Desk Manager User Security Group. As a member of this Security Group, Gina has security rights to Allow, View, Add, Edit, and Delete most data in the system (Incidents, Problems, etc.) but has limited security rights to functionality (example: Gina can View, Add, Edit, and Delete Team and User Dashboards but cannot edit system security). Because Service Desk Manager is the only legal Role for the Service Desk Manager Security Group, Gina can log in using only that Role. Her default environment (Dashboards, Forms, etc.) is appropriate for her managerial Role.

    Gina is also a member of two User Teams (CAB and IT Management) and can therefore share CSM Items (example: Dashboards), support processes (example: Queues), and record ownership (if configured) with the other members of those Teams. Gina can use either the Desktop Client to access data or the Browser Client to log in via her web browser.

    Note: Gina can also function as a Customer to other parts of the organization (example: HR). As a Customer, Gina is a member of the Portal Workgroup Manager Security Group and the Information Technology Customer Workgroup. See below for more details about Customers.
  • Sawyer is a Service Desk Worker who reports to Gina and is assigned to the Service Desk User Security Group. As a member of this Security Group, Sawyer has limited security rights to both data and functionality. For example, Sawyer can View but cannot Add, Edit, or Delete Team Dashboards; Sawyer can, however, View, Add, Edit, and Delete User Dashboards. Because Service Desk is the only legal Role for the Service Desk Security Group, Sawyer can log in using only that Role. His default environment (Dashboards, Forms, etc.) is appropriate for his troubleshooting Role.

    Sawyer is also a member of the 1st Level Support User Team and can therefore share CSM Items (example: Dashboards), support processes (example: Queues), and record ownership (if configured) with other members of that Team. Sawyer can use either the Desktop Client to access data or the Browser Client to log in via his web browser.

    Note: Sawyer can also function as a Customer to other parts of the organization (example: HR). As a Customer, Sawyer is a member of the Portal Customer Security Group and the Information Technology Customer Workgroup. See below for more details about Customers.
  • Tracy is a Shipping Specialist and a Customer, meaning she is an employee but not a licensed CSM User. Tracy is a Customer who uses the CSM Customer Portal to find company information and log Incidents for a service or product (example: she can log an Incident that her printer is not working). Tracy logs in to the Customer Portal using her default assigned Portal Customer Security Group, which has very limited security rights. Tracy can view and edit her own records (example: Incidents) but has very limited access to functionality.

    Tracy is a member of the Shipping Customer Workgroup and can therefore share CSM Items and record ownership (if configured) with other members of that Workgroup.

  • John is the Production Manager and a Customer Manager, meaning he is an employee but not a licensed CSM User. John is Tracy's manager and also a Customer. John can log in to the Customer Portal to log Incidents using his default assigned Portal Workgroup Manager Security Group, which has very limited security rights. Like most Customers, John can view and edit his own records (example: Incidents) but has very little access to functionality; however, unlike Tracy, John is a manager, so he has extended rights to view and edit Tracy's records, as well.

    John is also a member of the Shipping Customer Workgroup and can therefore share CSM Items and record ownership (if configured) with other members of that Workgroup.

The following table shows how security rights flow down through the layers (Security Group, functionality rights, Business Object rights, Roles, and Teams/Workgroups) for each person.

| Person/Security Needs | Security Group | Functionality Rights | Business Object Rights | Roles | Team/Workgroup |
|---|---|---|---|---|---|
| Andrew: System Administrator | Admin | Full security rights for all. Example: Allow, Run, View, Add, Edit, and Delete for all CSM Administrator functionality (security, Blueprints, e-mail setup, etc.) and all Cherwell Service Management functions (Calendars, Dashboards, One-Step Actions, etc.). | Full security rights for all. Example: View, Add, Edit, and Delete Incident. | Service Desk, Service Desk Manager | Teams: 2nd Level Support, Knowledge Management |
| Gina: Service Desk Manager | Service Desk Supervisor | No security rights for system administrator functionality, nearly full security rights for CSM functionality. Example: View, Add, Edit, and Delete Team Dashboards but does not have security rights to access system security. | Full security rights for all. Example: View, Add, Edit, and Delete Incidents. | Service Desk Manager | Teams: CAB, IT Management |
| Sawyer: Service Desk worker | Service Desk | No security rights for system administrator functionality, limited security rights for CSM functionality. Example: View Team Dashboards but cannot Add, Edit, or Delete. View, Add, Edit, and Delete User Dashboards. | Limited security rights for some. Example: View and Add Incidents but cannot Edit or Delete. | Service Desk | Team: 1st Level Support |
| Tracy: Customer (employee but not a licensed Cherwell User; she logs service requests as a Customer) | Portal Customer | No security rights for system administrator functionality, very limited security rights for CSM functionality. Example: View Dashboards but cannot Add, Edit, or Delete. | Limited security rights to most. Example: View and Edit her own Incidents but cannot Delete. | Portal End-User | Workgroup: Shipping |
| John: Customer Manager (employee but not a licensed Cherwell User; he logs service requests as a Customer) | Portal Workgroup Manager | No security rights for system administrator functionality, very limited security rights for CSM functionality. Example: View Team Dashboards but cannot Add, Edit, or Delete. | Limited security rights to most. Example: View and Edit his own Incidents, as well as Tracy's Incidents. | Portal End-User | Workgroup: Shipping |
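
The layering in this scenario can be expressed as a deny-by-default access check. The following is an added example, not Cherwell code and not part of the original documentation: the data structures, the scope names, and the allowed() function are assumptions made for illustration, and Security Group names follow the prose above. It shows that a request succeeds only when the login Role is legal for the Security Group, the group grants the right on the object, and the record falls within the person's ownership scope.

```python
"""Constructed model of the River T Corp. scenario (illustrative, not CSM's API)."""
ALL, OWN, MANAGED = "all", "own", "own+reports"   # record scopes (assumed names)
CRUD = ("View", "Add", "Edit", "Delete")

def grant(scope, *actions):
    """Build an action -> scope map for one object type."""
    return {a: scope for a in actions}

# Security Group -> legal Roles and per-object rights, taken from the scenario.
GROUPS = {
    "Admin": {"roles": {"Service Desk", "Service Desk Manager"},
              "rights": {"Incident": grant(ALL, *CRUD), "Team Dashboard": grant(ALL, *CRUD)}},
    "Service Desk Manager": {"roles": {"Service Desk Manager"},
              "rights": {"Incident": grant(ALL, *CRUD), "Team Dashboard": grant(ALL, *CRUD)}},
    "Service Desk": {"roles": {"Service Desk"},
              "rights": {"Incident": grant(ALL, "View", "Add"),
                         "Team Dashboard": grant(ALL, "View")}},
    "Portal Customer": {"roles": {"Portal End-User"},
              "rights": {"Incident": grant(OWN, "View", "Add", "Edit")}},
    "Portal Workgroup Manager": {"roles": {"Portal End-User"},
              "rights": {"Incident": grant(MANAGED, "View", "Add", "Edit")}},
}
USERS = {  # person -> Security Group and manager (manager links from the prose)
    "Andrew": {"group": "Admin", "manager": None},
    "Gina": {"group": "Service Desk Manager", "manager": None},
    "Sawyer": {"group": "Service Desk", "manager": "Gina"},
    "Tracy": {"group": "Portal Customer", "manager": "John"},
    "John": {"group": "Portal Workgroup Manager", "manager": None},
}

def allowed(user, role, action, obj, owner=None):
    """Deny by default; every layer must agree before access is granted."""
    group = GROUPS[USERS[user]["group"]]
    if role not in group["roles"]:             # layer 1: Role must be legal for the group
        return False
    scope = group["rights"].get(obj, {}).get(action)
    if scope is None:                          # layer 2: right not granted by the group
        return False
    if scope == ALL or owner in (None, user):  # layer 3: record ownership
        return True
    return scope == MANAGED and USERS[owner]["manager"] == user

if __name__ == "__main__":
    for who in USERS:  # who may edit Tracy's Incident under their first legal Role?
        role = sorted(GROUPS[USERS[who]["group"]]["roles"])[0]
        print(who, role, allowed(who, role, "Edit", "Incident", "Tracy"))
```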
