CM/Track: System Access for CM/Track Users (Customers)
In the following chapter you will find detailed information about how to configure your ConSol CM system to grant access to CM/Track (the ConSol CM portal) to your customers.
CM/Track is a ConSol CM add-on which has to be purchased separately.
Please note that for every CM/Track user (i.e., user profile), a ConSol CM license is required. Since numerous customers can log in to CM/Track using one user profile, you do not need a ConSol CM license for every customer. Please refer to section License Management for details.
Precondition
CM/Track is not part of every default shipment of ConSol CM. When you (your company) have purchased the license, you will receive a .war file which has to be deployed in the application server. Some minor modifications then have to be made in CM configuration files in the application server in order to operate CM/Track. All of this is explained in the ConSol CM Setup Manual.
The default function set of CM/Track provides basic functionalities (e.g., viewing a ticket list, creating a new ticket, seeing ticket details) and the pages have a CM standard layout. In order to use CM/Track as a powerful portal for customer access to the system, the layout should be adapted to a company's CD (corporate design), a process called skinning. The forms and lists which are displayed for the customer might be modified and/or extended. Please contact our consulting team or your account manager if you would like to adjust CM/Track for your company in an optimal way.
To enable access to CM/Track, communication between ConSol CM and CM/Track has to be allowed using the following system properties: cmas-restapi-core, csrf.request.filter.enabled; cmas-restapi-core, csrf.domain.white.list; and cmas-restapi-core, csrf.domain.allow.none.
CM/Track Technical Background
The portal CM/Track is based on the REST API of ConSol CM. Please refer to the ConSol CM REST API Documentation for details.
General Principle of System Access via CM/Track
A customer who wants, or is supposed, to have access to your ConSol CM system using the portal CM/Track needs a login and a password. Both can be initially provided by the engineer who edits the customer data using the ConSol CM Web Client, or the values can be imported automatically into the database.
The fields for the login and password of customers are customer fields which are defined like any other customer field and which have special annotations. If you are not familiar with customer fields, please refer to section Customer Field Management and GUI Design for Customer Data.
The access permissions of the customer are defined by assigning a CM/Track user profile to the customer's account. The CM/Track user profiles are managed by the ConSol CM administrator using the Admin Tool.
Defining the User Profiles/Access Permissions for CM/Track
As one of the first steps, you have to define CM/Track user profiles, i.e., profiles of access permissions to CM/Track. A CM/Track user profile is defined like a regular engineer (please see section Engineers for details), but is marked as Track.
The following example shows some CM/Track user profiles in the Admin Tool. You reach this screen by opening the navigation group Access and Roles, navigation item Engineers.
Figure 518: ConSol CM Admin Tool - Access and Roles, Engineers: User profile name for CM/Track
One or more roles are then assigned to the user profile to define the access permissions to queues and customer groups. For example you can set up a user profile (engineer) track_reseller that has the role TrackReseller. This role has read/write/append permissions for the queues FAQs_active, Helpdesk_1st_Level, Helpdesk_2nd_Level, ServiceDesk, and SpecialTasks and has customer group permissions for one customer group.
Please note that
- both queue and customer group permissions always have to be granted to allow ticket access via CM/Track for customers.
- you must assign matching queue and customer group permissions, i.e., assign queues where the respective customer groups have been assigned (see section Queues).
- read permissions for customer groups will be sufficient in most (standard) cases, since it is not possible to edit customer data using the portal.
- write permissions for the “own” customer group are required for the customer to be allowed to reset his password.
In our example, the role TrackReseller has read and write access to the Reseller customer group. You reach the following screens by opening the navigation group Access and Roles, navigation item Roles. In your system, it might be required to create different CM/Track roles with access to different customer groups. For a detailed introduction to role administration, please refer to section Roles.
Figure 519: ConSol CM Admin Tool - Access and Roles, Roles: User profile for CM/Track, queue permissions
Figure 520: ConSol CM Admin Tool - Access and Roles, Roles: User profile for CM/Track, customer group permissions
With this approach, a customer with the CM/Track user profile TrackReseller can only see and add comments to tickets from those queues. Another user profile might have access to Sales tickets and/or to an FAQ queue.
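The rules from the "Please note that" list above can be checked mechanically before a CM/Track role goes live. The following is an added example, not ConSol CM code: the dictionaries are a hypothetical structure filled with constructed data (the names Sales, DirectCustomers, TrackSales and TrackEmpty are invented; the others come from the example above), and audit_role is a hypothetical helper.

```python
# Added example: constructed data in a hypothetical structure, not a ConSol CM export format.
# Which customer groups are assigned to which queue.
QUEUE_GROUPS = {
    "FAQs_active": {"Reseller"},
    "Helpdesk_1st_Level": {"Reseller"},
    "Helpdesk_2nd_Level": {"Reseller"},
    "ServiceDesk": {"Reseller"},
    "SpecialTasks": {"Reseller"},
    "Sales": {"DirectCustomers"},
}
ROLES = {
    "TrackReseller": {"queues": {"FAQs_active", "Helpdesk_1st_Level", "Helpdesk_2nd_Level",
                                 "ServiceDesk", "SpecialTasks"},
                      "groups": {"Reseller": {"read", "write"}}},
    "TrackSales": {"queues": {"Sales"}, "groups": {"Reseller": {"read"}}},  # mismatched
    "TrackEmpty": {"queues": {"ServiceDesk"}, "groups": {}},  # no customer group
}

def audit_role(role, queue_groups, password_reset=True):
    """Return findings for one CM/Track role; an empty list means the rules hold."""
    queues, groups = role["queues"], role["groups"]
    findings = []
    if not queues:
        findings.append("no queue permissions")
    if not groups:
        findings.append("no customer group permissions")
    for q in sorted(queues):
        # A queue is only usable if one of its customer groups is permitted too.
        if not queue_groups.get(q, set()) & set(groups):
            findings.append(f"queue {q}: none of its customer groups is permitted")
    for g, perms in sorted(groups.items()):
        if not any(g in queue_groups.get(q, set()) for q in queues):
            findings.append(f"group {g}: not assigned to any permitted queue")
        # Write on the customer group is only required for password reset.
        if password_reset and "write" not in perms:
            findings.append(f"group {g}: write missing, password reset not allowed")
        if not password_reset and "write" in perms:
            findings.append(f"group {g}: write granted but not needed")
    return findings

def audit_all(roles, queue_groups, password_reset=True):
    """Audit every role and map role name -> list of findings."""
    return {name: audit_role(r, queue_groups, password_reset) for name, r in roles.items()}

if __name__ == "__main__":
    for name, findings in audit_all(ROLES, QUEUE_GROUPS).items():
        print(name, "OK" if not findings else findings)
```

Calling audit_all with password_reset=False flags write permissions that are not needed when customers are not supposed to reset their own passwords.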
Defining the User Assignment Mode
The user assignment mode is defined for each customer group and defines the system behavior concerning the way of assigning a CM/Track user profile to a contact. Open the customer group edit panel: in the navigation group Customers, navigation item Customer Groups, select a group and click the Edit button. In the last line of the panel, the CM/Track user assignment can be made.
Figure 521: ConSol CM Admin Tool - Customers, Customer Groups: Defining the CM/Track user profile mode for a customer group
Three modes are available for the assignment mode of the CM/Track user profiles:
- Fixed
A CM/Track user profile (i.e., a ConSol CM engineer object which has been defined as CM/Track user profile, see section Defining the User Profiles/Access Permissions for CM/Track) is selected in the pull-down menu CM/Track user. This CM/Track user profile is used for all new contacts created in this customer group. The data fields which are potentially available in the Web Client to assign a CM/Track user profile to a contact (see section Granting Access to CM/Track for Customers) are not displayed in the Web Client. Please be aware that the assignment mode Fixed cannot be changed anymore as soon as the customer group has contacts. If you select the Fixed mode for a customer group which already has some contacts, the CM/Track user profile of these contacts is not changed automatically. They need to be migrated to the new user profile using a task script.
- Manual
Default. The assignment of a CM/Track user profile is done manually by an engineer in the Web Client as described in section Granting Access to CM/Track for Customers. The user profile can also be set using the REST API.
- None/Internal
The association of a CM/Track user profile is not allowed in any client and can only be done by script, if desired. There will be no choice available in the Web Client, and an attempt to change it via REST API will also return a status message METHOD NOT ALLOWED.
Defining the Customer Fields for CM/Track Login and Password
The fields for login and password for a customer are regular customer fields at the contact level. Please see section Setting Up the Customer Data Model for an introduction to customer field management and GUI configuration for customer data.
Edit the fields which contain the customer data (if there are two levels: not the company level, but the contact level!) as demonstrated in the following example. You reach the following screen by opening the navigation group Customers, navigation item Data Models.
- One field for the login has to be created, annotation username = true.
Figure 522: ConSol CM Admin Tool - Customers, Data Models: CM/Track - Annotation 'username' for login
Assigning the annotation username to a customer field is only possible if there is no previous assignment of this annotation. Otherwise it will be prohibited. When assigning it, a warning dialog must be confirmed before it is executed, since it can be a longer running operation. Un-assigning the annotation must be confirmed as well, because it cannot be undone: un-assignment deletes the username values irrecoverably from internal storage.
- One field for the password has to be created, annotation password = true. The annotation text-type = password guarantees that only stars/dots are displayed in the Web Client, not the clear text password.
Figure 523: ConSol CM Admin Tool - Customers, Data Models: CM/Track - Annotation for password
The annotation password requires confirmation when assigned.
In case of an update from CM versions lower than 6.11 to 6.11 and up: When this annotation is set, the system reads the plain text passwords from the original field values, encrypts them and saves the encrypted values to the internal storage. Then the original field values are deleted and thus the plain text value cannot be recovered anymore.
When trying to un-assign the password annotation, the operation must be confirmed as well, since the encrypted passwords are deleted from the internal storage. After the annotation has been un-assigned, the password information is completely lost and cannot be recovered at all.
When a scenario from a CM version lower than 6.11 is imported into a system with CM 6.11 (or higher), a transformation of user names and passwords is performed automatically. This is described in detail in section Transformation of User Name and Password Fields During Import into CM 6.11.
Granting Access to CM/Track for Customers
For all customer groups where the CM/Track user profile assignment mode is set to Manual, the engineer working with the Web Client can then assign a user name, initial password, and a CM/Track user profile to every customer who should have access to the portal CM/Track. The user name has to be unique. This is checked by the system: you cannot enter a name a second time if it has already been assigned to another customer. The password is stored as an encrypted string in the CM database. This means that an engineer can set a new password, e.g., when a customer calls and asks for this, but it is never possible to read the password from the system.
You, as an administrator, can define if the CM/Track user names should be case sensitive. Use the CM system property cmas-core-security, policy.track.username.case.sensitive. This is a boolean variable. When it is set to true, the CM/Track user names are case sensitive. Please make sure that the database collation which is in use supports case sensitive strings!
The following example shows the customer data of an example contact in the ConSol CM Web Client. You reach this screen by opening a contact data set in edit mode.
Figure 524: ConSol CM Web Client - Contact page: CM/Track user data
Customer Login to the System
Then customers can log in to the system and see their tickets. Please refer to the ConSol CM User Manual, section CM/Track for a detailed explanation on how to work with ConSol CM as a customer.
There are two mechanisms for performing user authentication:
- simple authentication
- LDAP authentication
Please refer to section Authentication Methods for Customers in CM/Track for details.
Figure 525: ConSol CM/Track - Customer login
Figure 526: ConSol CM/Track - Ticket list
Extended Customer Permissions to See Company Tickets
In some cases it might be required that customers who log in to the ConSol CM portal CM/Track have access not only to their personal tickets but to all tickets of their company. In this case, the role for the CM/Track user (user profile) should be assigned the permission Access tickets of the own company under Track User Permissions. Please refer to the section Roles for a detailed explanation.
Configure CM/Track for Password Reset by Customers
CM/Track can be configured to display a hyperlink for customers where a customer can reset his password. This is based on the template track-password-reset-template. Please refer to section Password Reset Template for Customers Using CM/Track for a detailed explanation. The password reset in CM/Track is only possible when the DATABASE mode is used. It is not possible when LDAP authentication is in operation. See section Authentication Methods for Customers in CM/Track for the portal for an explanation of all possible authentication modes.
Please note that the From address of the email which is sent to a customer who has requested a new password can be set using the CM system property cmas-core-security, password.reset.mail.from.