Skip to page contentSkip to chat
ServiceNow support
    • Community
      Ask questions, give advice, and connect with fellow ServiceNow professionals.
      Developer
      Build, test, and deploy applications
      Documentation
      Find detailed information about ServiceNow products, apps, features, and releases.
      Impact
      Accelerate ROI and amplify your expertise.
      Learning
      Build skills with instructor-led and online training.
      Partner
      Grow your business with promotions, news, and marketing tools
      ServiceNow
      Learn about ServiceNow products & solutions.
      Store
      Download certified apps and integrations that complement ServiceNow.
      Support
      Manage your instances, access self-help, and get technical support.
Customizing CSM roles - Support and Troubleshooting
  • >
  • Knowledge Base
  • >
  • Support and Troubleshooting (Knowledge Base)
  • >
  • Customizing CSM roles
KB0685767

Customizing CSM roles


5398 Views Last updated : Oct 18, 2022 public Copy Permalink
KB Summary by Now Assist

Issue

For the latest information, see Creating custom CSM user roles.

Overview

You might sometimes need to create new CSM roles or modify the out-of-box CSM roles to satisfy custom business requirements. For example, a user might need a role to view all of the cases in the user's own account/sub-accounts but that user should not have the administrative capabilities of a customer administrator role. This article describes how to configure this capability.

Resolution

The solution for this issue requires five main steps:

  1. Create a role.
  2. Create a copy of CSQueryBRUtil.
  3. Create a new query business rule.
  4. Create new ACLs.
  5. Validation.

This section walks you through an example providing the detailed steps to accomplish this procedure.

  1. Create a new role with a specific name.

    The example in this procedure uses the customized_customer role. Make sure the new role includes the sn_esm_user role as a sub-role because the CSM security model is built on the base roles such as sn_esm_user and sn_esm_agent.

    Screenshot of the dialog where you can create a new role 

  2. Create a copy of CSQueryBRUtil.

    1. Go to the script include list.

    2. Create a copy file for CSQueryBRUtil in global scope, such as CSQueryBRUtilCopy.

    3. Add the logic in this new file.

      You need to implement the logic in the copy file because CSQueryBRUtil has been set to read-only to protect the out-of-box features.

  3. A role definition is needed, as mentioned previously.

     Screenshot of the new business rule record

  4. Update the following two methods in the CSQueryBRUtilCopy to let the new user role see the cases in the user's account.

    • addCaseQueryBR

      Source code of the new business rule

    • canESMUserReadCase

      Source code of the CSQueryBRUtil business rule, with the hasRole condition highlighted 

  5. If other entities such as asset, product, or account need to be customized, follow the same pattern to modify the logic in "addAssetQueryBR", "canESMUSerReadAsset", etc.

    The two methods come in pairs to process the access control for the eight entities in the CSM application.

  6. Configure the before query business rule for the sn_customerservice_case table.

    1. Go to the Business Rules list and filter for Active=true.

    2. Search for "Case query for customer" and make a copy of it.

    3. Create a new QBR, as shown in the example.

      QBR_update.jpg

  7. After adding the new QBR, deactivate the original "Case query for customer" rule.

    It is difficult to maintain two similar QBRs because users may have roles triggering multiple QBRs that do the same thing.

  8. Create proper ACLs for this new role. In this example, add one more ACL for sn_customerservice_case and for csm_order_case, respectively, to honor this new script include and the methods in it.

    For example:

    View of the new ACL record

  9. Perform validation.

    1. Add this customized role to a user, such as Jane Contact in Boxeo in the out-of-box demo data, to test the customization.

    2. Impersonate this user.

    3. From Service Portal, verify that the user can see the cases belong to Boxeo and its sub-accounts.

       View of the service portal

Note – The customization in this example is just for this specific use case where a customized role is needed to view all of the cases in a user's account and sub-accounts. If other roles with specific requirements need to be implemented, the approach is the same but would require different minor changes. 


The world works with ServiceNow.

Sign in for more! There's more content available only to authenticated users Sign in for more!
Did this KB article help you?
Did this KB article help you?

Attachments

Attachments

  • service_portal.jpg
  • ACL_update.jpg
  • QBR_update.jpg
  • CSQueryBRUtil_-_3.jpg
  • CSQueryBRUtil_-_2.jpg
  • CSQueryBRUtil_-1.jpg
  • Create_a_new_role.jpg
  • Screenshot 2018-05-04 11.22.28.png
  • CSQueryBRUtil - 3.png
  • CSQueryBRUtil - 2.png
  • QBR update.png
  • CSQueryBRUtil -1.png
  • Create a new role.png
  • ACL update.png

How would you rate your Now Support digital experience?

*

Very unsatisfied

Unsatisfied

Neutral

Satisfied

Very satisfied

Very unsatisfied

Unsatisfied

Neutral

Satisfied

Very satisfied

What can we improve? Please select all that apply.

What are we doing well? Please select all that apply.

Tell us more

*

Do you expect a response from this feedback?

  • Terms and conditions
  • Privacy statement
  • GDPR
  • Cookie policy
  • © 2025 ServiceNow. All rights reserved.