You might sometimes need to create new CSM roles or modify the out-of-box CSM roles to satisfy custom business requirements. For example, a user might need a role to view all of the cases in the user's own account/sub-accounts but that user should not have the administrative capabilities of a customer administrator role. This article describes how to configure this capability.



This procedure requires five main steps:

  1. Create a role.
  2. Create a copy of CSQueryBRUtil.
  3. Create a new query business rule.
  4. Create new ACLs.
  5. Validation.

This section walks you through an example providing the detailed steps to accomplish this procedure.

  1. Create a new role with a specific name.

    The example in this procedure uses the customized_customer role. Make sure the new role includes the sn_esm_user role as a sub-role because the CSM security model is built on the base roles such as sn_esm_user and sn_esm_agent.


  2. Create a copy of CSQueryBRUtil.

    1. Go to the script include list.

    2. Create a copy file for CSQueryBRUtil in global scope, such as CSQueryBRUtilCopy.

    3. Add the logic in this new file.

      You need to implement the logic in the copy file because CSQueryBRUtil has been set to read-only to protect the out-of-box features.

  3. A role definition is needed, as mentioned previously.


  4. Update the following two methods in the CSQueryBRUtilCopy to let the new user role see the cases in the user's account.

    • addCaseQueryBR

    • canESMUserReadCase


  5. If other entities such as asset, product, or account need to be customized, follow the same pattern to modify the logic in “addAssetQueryBR”, “canESMUSerReadAsset”, etc.

    The two methods come in pairs to process the access control for the eight entities in the CSM application.

  6. Configure the before query business rule for the sn_customerservice_case table.

    1. Go to the Business Rules list and filter for Active=true.

    2. Search for “Case query for customer” and make a copy of it.

    3. Create a new QBR, as shown in the example.

  7. After adding the new QBR, deactivate the original “Case query for customer” rule.

    It is difficult to maintain two similar QBRs because users may have roles triggering multiple QBRs that do the same thing.

  8. Create proper ACLs for this new role. In this example, add one more ACL for sn_customerservice_case and for csm_order_case, respectively, to honor this new script include and the methods in it.

    For example:

  9. Perform validation.

    1. Add this customized role to a user, such as Jane Contact in Boxeo in the out-of-box demo data, to test the customization.

    2. Impersonate this user.

    3. From Service Portal, verify that the user can see the cases belong to Boxeo and its sub-accounts.


Note – The customization in this example is just for this specific use case where a customized role is needed to view all of the cases in a user's account and sub-accounts. If other roles with specific requirements need to be implemented, the approach is the same but would require different minor changes. 


Article Information

Last Updated:2019-08-02 21:13:44
ACL update.pngCreate a new role.pngCSQueryBRUtil - 2.pngCSQueryBRUtil - 3.pngCSQueryBRUtil -1.pngQBR update.pngResult.pngScreenshot 2018-05-04 11.22.28.png