CSM 10.5 Documentation

Home

Security Scenario

Below is an example security scenario. Remember that CSM is highly configurable, so individual Users/Customers, Security Groups, Roles, and Teams/Workgroups will vary.

Andrew, Gina, Sawyer, Tracy, and John work at the River T Corp. organization:

  • Andrew is a System Administrator and is assigned to the Admin User Security Group. As a member of this group, Andrew has security rights to access all data and functionality in the system. This means Andrew has Allow, Run, View, Add, Edit, and Delete rights for all CSM Administrator functionality (security, Blueprints, e-mail setup, etc.), CSM functionality (Dashboards, One-Step Actions, etc.), and Business Object data (Incidents, Problems, etc.). In short, Andrew is a superuser and has rights to do just about anything in CSM. Because Service Desk and Service Desk Manager are legal Roles for the Admin Security Group, Andrew can log in using either of those Roles, and therefore has access to different environments (Dashboards, Forms, etc.).

    Andrew is also a member of two User Teams (2nd Level Support and Knowledge Management), and can therefore share CSM Items (example: Dashboards), support processes (Queues and Knowledge Article publishing/approvals), and record ownership (if configured) with the other members of those Teams. Andrew can use either the Desktop Client to access data or the Browser Client to log in via his web browser.

    Andrew can also function as a Customer to other parts of the organization (example: HR). As a Customer, Andrew is a member of the Portal Customer Security Group and the Information Technology Customer Workgroup. See below for more details about Customers.

  • Gina is the Service Desk Manager and is assigned to the Service Desk Manager User Security Group. As a member of this Security Group, Gina has security rights to Allow, View, Add, Edit, and Delete most data in the system (Incidents, Problems, etc.) but has limited security rights to functionality (example: Gina can View, Add, Edit, and Delete Team and User Dashboards but cannot edit system security). Because Service Desk Manager is the only legal Role for the Service Desk Manager Security Group, Gina can log in using only that Role. Her default environment (Dashboards, Forms, etc.) is appropriate for her managerial Role.

    Gina is also a member of two User Teams (CAB and IT Management) and can therefore share CSM Items (example: Dashboards), support processes (example: Queues), and record ownership (if configured) with the other members of that Team. Gina can use either the Desktop Client to access data or the Browser Client to log in via her web browser.

    Gina can also function as a Customer to other parts of the organization (example: HR). As a Customer, Gina is a member of the Portal Workgroup Manager Security Group and the Information Technology Customer Workgroup. See below for more details about Customers.

  • Sawyer is a Service Desk Worker who reports to Gina and is assigned to the Service Desk User Security Group. As a member of this Security Group, Sawyer has limited security rights to both data and functionality. For example, Sawyer can View but cannot Add, Edit, or Delete Team Dashboards; Sawyer can, however, View, Add, Edit, and Delete User Dashboards. Because Service Desk is the only legal Role for the Service Desk Security Group, Sawyer can log in using only that Role. His default environment (Dashboards, Forms, etc.) is appropriate for his troubleshooting Role.

    Sawyer is also a member of the 1st Level Support User Team and can therefore share CSM Items (example: Dashboards), support processes (example: Queues), and record ownership (if configured) with other members of that Team. Sawyer can use either the Desktop Client to access data or the Browser Client to log in via his web browser.

    Sawyer can also function as a Customer to other parts of the organization (example: HR). As a Customer, Sawyer is a member of the Portal Customer Security Group and the Information Technology Customer Workgroup. See below for more details about Customers.

  • Tracy is a Shipping Specialist and a Customer, meaningshe is an employee but not a licensed CSM User. Tracy is a Customer who uses the CSM Customer Portal to find company information and log Incidents for a service or product (example: She can log an Incident that her printer is not working). Tracy logs in to the Customer Portal using her default assigned Portal Customer Security Group, which has very limited security rights. Tracy can view and edit her own records (example: Incidents) but has very limited access to functionality.

    Tracy is a member of the Shipping Customer Workgroup and can therefore share CSM Items and record ownership (if configured) with other members of that Workgroup.

  • John is the Production Manager and a Customer Manager, meaning he is an employee but not a licensed CSM User. John is Tracy's manager and also a Customer. John can log in to the Customer Portal to log Incidents using his default assigned Portal Workgroup Manager Security Group, which has very limited security rights. Like most Customers, John can view and edit his own records (example: Incidents) but has very little access to functionality; however, unlike Tracy, John is a manager, so he has extended rights to view and edit Tracy's records, as well.

    John is also a member of the Shipping Customer Workgroup and can therefore share CSM Items and record ownership (if configured) with other members of that Workgroup.

The following table provides a nice visual to see how the layers trickle down the security rights.

Person/ Security Needs Security Group Functionality Rights Business Object Rights Roles Team/Workgroup

Andrew

System Administrator

Admin

Full security rights for all.

Example: Allow, Run, View, Add, Edit, and Delete for all CSM Administrator functionality (security, Blueprints, e-mail setup, etc.) and all Cherwell Service Management functions (Calendars, Dashboards, One-Step Actions, etc.).

Full security rights for all.

Example: View, Add, Edit, and Delete Incident.

Service Desk

Service Desk Manager

Teams:

  • 2nd Level Support Knowledge Management

Gina

Service Desk Manager

Service Desk Supervisor

No security rights for system administrator functionality, nearly full security rights for CSM functionality.

Example: View, Add, Edit, and Delete Team Dashboards but does not have security rights to access system security.

Full security rights for all.

Example: View, Add, Edit, and Delete Incidents.

Service Desk Manager

Teams:

  • CAB
  • IT Management

Sawyer

Service Desk worker

Service Desk

No security rights for system administrator functionality, limited security rights for CSM functionality.

Example: View Team Dashboards but cannot Add, Edit, or Delete. View, Add, Edit, and Delete User Dashboards.

Limited security rights for some.

Example: View and Add Incidents but cannot Edit or Delete.

Service Desk

Team:

  • 1st Level Support

Tracy

Customer (employee but not a licensed Cherwell User; she logs service requests as a Customer)

Portal Customer

No security rights for system administrator functionality, very limited security rights for CSM functionality.

Example: View Dashboards but cannot Add, Edit, or Delete.

Limited security rights to most.

Example: View and Edit her own Incidents but cannot Delete.

Portal End-User

Workgroup:

  • Shipping

John

Customer Manager (employee but not a licensed Cherwell User; he logs service requests as a Customer)

Portal Workgroup Manager

No security rights for system administrator functionality, very limited security rights for CSM functionality.

Example: View Team Dashboards but cannot Add, Edit, or Delete.

Limited security rights to most.

Example: View and Edit his own Incidents, as well as Tracy's Incidents.

Portal End-User

Workgroup:

  • Shipping

Was this article useful?