Base system roles - Product Documentation: Vancouver

Base system roles

Administer the Now Platform > Configure Now Platform Core Features >

Base system roles

Administrators can assign one or more base system user roles to grant access to base system platform features and applications.

To learn more about managing per-user subscriptions, see ../../subscription-management/concept/managing-user-subscriptions-v2.html and contact your account representative.

Administrator [admin] The administrator role. This role has access to all system features, functions, and data because administrators can override access control list (ACL) rules and pass all role checks. Avoid assigning this role to your users when more targeted roles are available.

Contains Roles

List of roles contained within the role.

ais_admin announcement_admin catalog catalog_admin catalog_builder_editor catalog_lookup_admin catalog_template_editor chat_admin evam_admin image_admin import_admin import_scheduler import_set_loader import_transformer live_feed_admin ml_admin ml_labeler nlu_admin nlu_editor nlu_user pa_data_collector pa_viewer personalize_dictionary platform_ml_create platform_ml_read platform_ml_write search_application_admin search_relevancy_model_admin sn_ace.ace_user sn_employee.admin sn_hr_sp.admin sn_hr_sp.esc_admin sn_nlu_workbench.nlu_feedback_admin sn_templated_snip.template_snippet_admin sn_templated_snip.template_snippet_reader sn_templated_snip.template_snippet_writer sp_admin taxonomy_admin user_criteria_admin

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

Grant this privilege carefully. If you have sensitive information, such as HR records, that you must protect, create a custom admin role for that area. Train any users authorized to see those records to act as the administrator. Also note the Special Administrative Roles . Note: Users with roles related to the Key Management Framework can only be modified by admins with the kmf_admin role. For details on KMF roles, see Key Management Framework roles .

Agent administrator [agent_admin] Agent administrators can download and administer the built-in system agent. They can manage MID Server-related scripts.

Contains Roles

List of roles contained within the role.

agent_security_admin view_changer

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

Avoid granting an admin role when more specialized roles are available.

AI search administrator [ais_admin] AI search administrators can query, create, update, and delete indexing and search settings and log messages through the AI Search application.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

Avoid granting an admin role when more specialized roles are available.

Application client company installer [app_client_company_installer] Users assigned the app_client_company_installer role can install applications containing the same company as the currently logged in instance. Assigning this role enables first-time installation of applications for the company associated with the current instance. Users with this role can’t install an application for another company.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

Application client user [app_client_user] Application client users can install applications containing the same company as the currently logged in instance.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

Approval administrator [approval_admin] Approval administrators can view or modify approval requests not directly assigned to them. Use the approver_user role to enable approvers to view or modify only requests directly assigned to them.

Fulfillers may approve within the product to which they are subscribed (ITSM Fulfiller approving within ITSM). This approval may be in the platform or via email. No additional entitlement is required.

Fulfillers may not approve beyond the product to which they are subscribed (ITSM Fulfiller approving within Procurement, GRC, etc.). This approval would need an additional approval entitlement for the user.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

Avoid granting an admin role when more specialized roles are available.

Approver users [approver_user] Approver users can modify requests for approval routed to them. They also have all the capabilities of requesters.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

There’s a fee associated with this role. Don’t assign it to users without confirming your organization has the appropriate entitlement.

Asset user [asset] Asset users can manage hardware and software assets.

Contains Roles

List of roles contained within the role.

inventory_user cmdb_query_builder canvas_user financial_mgmt_user cmdb_read contract_manager category_manager

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

Assignment rule administrator [assignment_rule_admin] Assignment rule administrators can manage assignment rules.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

Avoid granting an admin role when more specialized roles are available.

Business process administrator [business_process_admin] Business process admins can create, read, update, and delete all records and their relationships in the business process.

In the context of Governance, Risk, and Compliance (GRC), users with the sn_grc.admin role who manage GRC applications and their setup automatically gain access to this role. This access enables the GRC administrators to administer a business process and its records similar to other GRC tables.

Contains Roles

List of roles contained within the role: business_process_manager

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

This role is assigned to users who are administrators and have thorough information and training on business processes. Avoid granting an admin role when more specialized roles are available.

Business process manager [business_process_manager] Business process managers can create, read, and update any business process and manage the relationship of business processes with other records. This role is assigned to business process managers who are usually specialists and manage multiple business processes in the organization. Assign this role to users who generally work with other employees and are experts around business processes.

In the context of GRC, users with the sn_grc.manager role automatically inherit this role that enables them to manage the business processes for the entire organization.

Contains Roles

List of roles contained within the role: business_process_user

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

Business process user [business_process_user] Business process users can update the business processes that a user owns and can also read any business process. This role must be assigned to the respective process owners who manage the business process that they own. This role can also be provided to users who are required to view the business processes in the organization and understand them better.

In the context of GRC, users with the sn_risk.user role are automatically assigned this role. This role enables users to manage the business processes that they own as well as read all business processes.

Contains Roles

List of roles contained within the role: cmdb_read

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

Catalog administrator [catalog_admin] Catalog administrators can manage the Service Catalog application, including catalog categories and items.

Contains Roles

List of roles contained within the role.

user_criteria_admin catalog_builder_editor catalog_template_editor catalog catalog_lookup_admin

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

Avoid granting an admin role when more specialized roles are available.

Catalog editor [catalog_editor] Catalog editors can create, modify, and publish items within categories that they’re assigned to.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

Catalog item designer [catalog_item_designer] Catalog item designers can view the status of their category requests. This role is granted automatically to users when they make a request for an item designer category.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

Catalog manager [catalog_manager] Catalog managers can view and assign catalog editors to their categories. Can also create, modify, and publish items within their categories.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

Catalog user [catalog] Catalog users have read and some write access to all Service Catalog Requests, Tasks, and Items.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

Catalog Request Approvers > $1000 Catalog Request Approvers for Sales Field Services

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

Category manager [category_manager] Category managers can create, edit, and delete model categories.

Contains Roles

List of roles contained within the role: model_manager

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

CMDB administrator [sn_cmdb_admin] CMDB administrators can access all CMDB data, tools, and UIs. Users with this role can set policies such as class manager, app service requirement, that an editor can’t.

Contains Roles

List of roles contained within the role.

canvas_admin cmdb_ms_admin data_manager_admin sn_cmdb_editor

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

Avoid granting an admin role when more specialized roles are available.

CMDB de-duplication administrator [cmdb_dedup_admin] CMDB de-duplication admins can review and remediate CMDB de-duplication tasks.

Contains Roles

List of roles contained within the role: cmdb_read

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

Avoid granting an admin role when more specialized roles are available.

CMDB editor [sn_cmdb_editor] CMDB editors can create, edit, and delete CMDB records but can't change policies such as data manager, class manager.

Contains Roles

List of roles contained within the role.

cmdb_ms_editor sn_cmdb_user

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

CMDB multi-source administrator [cmdb_ms_admin] Can create and run a query, and can modify CMDB 360 properties. Contains cmdb_ms_write role. Contains Roles

List of roles contained within the role: cmdb_ms_editor

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

Avoid granting an admin role when more specialized roles are available.

CMDB multi-source editor [cmdb_ms_editor] CMDB multi-source editors can create and query, read, and write CMDB records, but can't perform recompute action.

Contains Roles

List of roles contained within the role: cmdb_ms_user

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

CMDB multi-source user [cmdb_ms_user] CMDB multi-source users have read and execute access to the multi-source queries.

Contains Roles

List of roles contained within the role: cmdb_read

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

CMDB reader [cmdb_read] CMDB reader users can read data from the CMDB hierarchy.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

CMDB user [sn_cmdb_user] CMDB users have read-only access to CMDB data and basic UI.

Contains Roles

List of roles contained within the role.

app_service_user canvas_user cmdb_ms_user cmcb_query_builder data_manager_user

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

Contract manager [contract_manager] Contract managers can create, edit, and delete contracts through the Contract Management application.

Contains Roles

List of roles contained within the role.

canvas_user financial_mgmt_user

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

CreateNow unlimited [unlimited_createnow] Role for CreateNow unlimited licensed users.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

Data classification administrator [data_classification_admin] Data classification administrators manage all aspects of the Data Classification application, data classification code setup, and assignment.

Contains Roles

List of roles contained within the role: data_classification_auditor

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

Avoid granting an admin role when more specialized roles are available.

Data classification auditor [data_classification_auditor] Data classification auditors audit Data Classification code assignments.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

Enterprise CMDB administrator [ecmdb_admin] Enterprise CMDB administrators can perform administrative tasks and access tables and records in Enterprise CMDB.

Contains Roles

List of roles contained within the role: cmdb_read

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

Avoid granting an admin role when more specialized roles are available.

Filter administrator [filter_admin] Filter administrators can create, edit, and delete filter [sys_filter] records.

Contains Roles

List of roles contained within the role.

filter_global filter_group

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

Avoid granting an admin role when more specialized roles are available.

Filter group user [filter_group] Filter group users can create filters that belong to groups of which the user is a member.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

Gauge maker [gauge_maker] Gauge makers can create gauges from reports. Starting with Helsinki , reports are no longer made into gauges.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

Global filter user [filter_global] Global filter users can create global filter [sys_filter] records.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

Global template editor [template_editor_global] Users with the template_editor_global role can create templates for global use.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

Group template editor [template_editor_group] Users with the template_editor_group role can create templates for groups.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

Guided tour administrator [guided_tour_admin] Guided tour administrators can create, modify, and delete guided tour [sys_embedded_tour_guide] records.

Contains Roles

List of roles contained within the role: sn_tourbuilder.tour_admin

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

Avoid granting an admin role when more specialized roles are available.

Image administrator [image_admin] Image administrators can create, modify, and delete image [db_image] records.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

Avoid granting an admin role when more specialized roles are available.

Impersonator [impersonator] Impersonators can impersonate users. Warning: This role doesn’t enable the impersonation of admin users.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

For details on impersonation, see Impersonate a user .

Import administrator [import_admin] Import administrators can manage all aspects of import set [sys_import_set] records and imports.

Contains Roles

List of roles contained within the role.

import_set_loader import_transformer import_scheduler

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

Avoid granting an admin role when more specialized roles are available.

Import scheduler [import_scheduler] Import schedulers can schedule imports.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

Warning: Grant this role carefully. The import_scheduler can execute scripts with administrator level privileges.

Import set loader [import_set_loader] Import set loader users can load import set [sys_import_set] records.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

Import transformer [import_transformer] Import transformer users can manage import set transform map [sys_transform_map] records and run transforms.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

Inventory administrator [inventory_admin] Inventory administrators administer stockrooms, stock models, stock rules.

Contains Roles

List of roles contained within the role.

inventory_user canvas_user

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

Avoid granting an admin role when more specialized roles are available.

Inventory user [inventory_user] Inventory users have access to stock information.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

ITIL [itil] ITIL users can open, update, close incidents, problems, changes, and configuration management items. This role is the base system technician role. Users with the itil role can have tasks assigned to them.

Contains Roles

List of roles contained within the role.

dependency_views agent_workspace_user sn_incident_write sn_sow.sow_user snc_platform_rest_api_access cmdb_query_builder sn_cmdb_editor sn_problem_write tracked_file_reader sn_request_write view_changer viz_creator template_editor cmdb_read app_service_user certification sn_change_write sn_sttrm_condition_read email_composer

Groups

List of groups this role is assigned to by default.

Field Services Catalog Request Approvers > $1000 Catalog Request Approvers for Sales

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

ITIL administrator [itil_admin] ITIL administrators can delete incidents, problems, changes, and other related records. This role is intended for team leads.

Contains Roles

List of roles contained within the role.

sn_cmdb_admin assessment_admin sn_bm_client.benchmark_data_viewer cmdb_read

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

Avoid granting admin roles when more specialized roles are available.

Knowledge [knowledge] Knowledge users can write, edit, and review knowledge management articles.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

Knowledge administrator [knowledge_admin] Knowledge administrators can manage knowledge bases.

Contains Roles

List of roles contained within the role: knowledge

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

Avoid granting an admin role when more specialized roles are available.

List updater [list_updater] List updater users can select the Update Entire List and Update Selected menu options on a list.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

Maintenance [maint] This role is reserved for ServiceNow use.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

This role can’t be assigned or impersonated, and is reserved for ServiceNow use.

MID server [mid_server] MID server users can access to the tables that MID servers ordinarily use. This role should be granted to your MID servers.

Contains Roles

List of roles contained within the role: soap

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

This role should be assigned to user accounts created for MID servers to interact with your instance. For details, see Create the MID Server user and grant the role .

Model manager [model_manager] Model managers can create, modify, and delete base model [cmdb_model] records.

Contains Roles

List of roles contained within the role: catalog_editor

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

Avoid granting an admin role when more specialized roles are available.

Nobody [nobody] The nobody role means that nobody has access, not even admin, or maint users.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

Danger Applying the nobody role may be irreversible if applied to important system functions.

Personalize [personalize] Users with the personalize role can personalize forms, lists, rules, controls, and scripts.

Contains Roles

List of roles contained within the role.

personalize_control personalize_rules personalize_dictionary personalize_choices personalize_styles personalize_responses personalize_list personalize_form

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

Personalize choices [personalize_choices] Users assigned to the personalize_choices role can personalize the choices for a list field.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

Personalize control [personalize_control] Personalize control users can personalize controls on lists, such as filters, links, and buttons.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

Personalize dictionary [personalize_dictionary] Users with the personalize_dictionary role can personalize dictionary entries and labels.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

Personalize form [personalize_form] Users with the personalize_form role can personalize forms.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

Personalize list [personalize_list] Users with the personalize_list role can personalize lists.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

Personalize responses [personalize_responses] Users with the personalize_form role can personalize predefined responses for suggestion fields, such as the additional comments field.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

Personalize rules [personalize_rules] Personalize rules users can personalize business rules and scripts. This role contains additional roles for granting selective, administrative access to rules and scripts.

Contains Roles

List of roles contained within the role.

ui_action_admin business_rule_admin client_script_admin ui_policy_admin

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

Avoid granting this role to users who don’t need access to all the roles contained in this role.

Personalize styles [personalize_styles] Users with the personalize_styles role can personalize field styles.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

Personalize UI [personalize_ui] Users with the personalize_ui role can personalize forms and lists.

Contains Roles

List of roles contained within the role.

personalize_form personalize_list

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

Platform Rest API access [snc_platform_rest_api_access] Allows access to Platform Rest APIs. This role is contained with in the ITIL [itil] role. Table API Import Set API Aggregate API Attachment API

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

Public [public] No login is required to access features or functions with the public role.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

Release administrator [release_admin] Release administrators can edit the release history for a release.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

Avoid granting an admin role when more specialized roles are available.

Report administrator [report_admin] Report administrators can manage, share, publish, and schedule all reports. Users assigned this role can access the Reports > Administration module and manage all report-related objects. The report_admin role inherits all other report roles.

Contains Roles

List of roles contained within the role.

gauge_maker report_alias_admin report_global report_group report_publisher report_scheduler viz_admin

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

Avoid granting an admin role when more specialized roles are available.

Report alias administrator [report_alias_admin] Report alias administrators can maintain field and value aliases.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

Avoid granting an admin role when more specialized roles are available.

Report global [report_global] Report global users can manage reports that are shared with everyone (listed in Global).

Contains Roles

List of roles contained within the role: report_user

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

Report group [report_group] Report group users can manage and share reports that are shared with them (listed in Group).

Contains Roles

List of roles contained within the role: report_user

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

Report publisher [report_publisher] Report publisher users can publish reports any that they can manage. Publishing a report creates a public link to that report. Users with this role must also have another role that grants permission to create, edit, and share reports.

Contains Roles

List of roles contained within the role: report_user

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

Report scheduler [report_scheduler] Report scheduler users can schedule emailing of all reports that they can see, including reports they can’t manage. Users with this role must also have another role that grants permission to create, edit, and share reports.

Contains Roles

List of roles contained within the role: report_user

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

Report user [report_user] Report users can create and view reports that have been shared with them. Users with this role can't share, edit, or delete reports that have been shared with them.

Contains Roles

List of roles contained within the role: viz_creator

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

Script fix administrator [script_fix_admin] Script fix administrators can manage fix scripts.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

Avoid granting an admin role when more specialized roles are available.

Search application administrator [search_application_admin] Search application administrators can insert, update, and delete search user experience-related configuration tables: sys_search_context_config sys_search_source m2m_search_context_config_search_source sys_search_facet sys_search_filter Search application admin is granted the ais_admin role to enable AI search configuration.

Contains Roles

List of roles contained within the role.

ais_admin personalize_dictionary

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

Avoid granting an admin role when more specialized roles are available.

SOAP [soap] users with the soap role can query, create, update, and delete records on all tables, as well as execute scripts.

Contains Roles

List of roles contained within the role.

soap_create soap_delete soap_ecc soap_query soap_script soap_update

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

SOAP create [soap_create] Users with the soap_create role can create records in all tables and columns.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

SOAP delete [soap_delete] Users with the soap_delete role can delete records in all tables and columns.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

SOAP ECC [soap_ecc] Users with the soap_ecc role can query, create, and update on the ECC Queue table only.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

SOAP query [soap_query] Users with the soap_query role can query records on all tables and columns.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

SOAP query update [soap_query_update] Users with the soap_query_update role can query and update all tables and columns.

Contains Roles

List of roles contained within the role.

soap_query soap_update

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

SOAP script [soap_script] Users with the soap_script role can execute business rule endpoint functions via script.do .

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

SOAP update [soap_update] Users with the soap_update role can update records on all tables and columns.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

Survey administrator [survey_admin] Survey administrators can see all surveys, their definitions, question, instances created by them and others. Users with this role can use all modules in the Survey application menu.

Contains Roles

List of roles contained within the role.

assessment_admin sn_bm_client.benchmark_data_viewer sn_publications_recipients_list_user

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

Avoid granting an admin role when more specialized roles are available.

Survey creator [survey_creator] Survey creators can manage survey definitions, questions, and instances created by them.

Contains Roles

List of roles contained within the role.

sn_bm_client.benchmark_data_viewer sn_publications_recipients_list_user

Groups

List of groups this role is assigned to by default: Survey Creators

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

Survey reader [survey_reader] Survey readers can view surveys and related information, such as survey responses, survey groups, scorecards, and reports. Users with this role can't change or modify surveys or survey responses.

Contains Roles

List of roles contained within the role: sn_bm_client.benchmark_data_viewer

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

Task editor [task_editor] Task editors can edit protected task fields.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

Template editor [template_editor] Template editors can create templates for personal use, and modify or delete personal templates. This role is included in the itil role in the base system.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

Template scheduler [template_scheduler] Template schedulers can schedule template-based record creation.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

Text search administrator [text_search_admin] Text search administrators can customize Global Text Search groups and tables.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

Avoid granting an admin role when more specialized roles are available.

Timecard administrator [timecard_admin] Timecard administrators can access all timecard records.

Contains Roles

List of roles contained within the role.

timecard_approver timecard_user

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

Avoid granting an admin role when more specialized roles are available.

Timecard approver [timecard_approver] Timecard approvers approve or reject time cards for users.

Contains Roles

List of roles contained within the role.

pa_viewer timecard_user

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

Timecard user [timecard_user] Timecard users can create time cards themselves, and view their own time cards.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

User [user] The user role has no functionality and doesn’t grant access to any assets on your instance. Users with this role are counted as licensed fulfillers.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

User administrator [user_admin] User administrators can administer users, groups, locations, skills, and companies.

Contains Roles

List of roles contained within the role.

fsm_skill_admin skill_admin territory_admin

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

Avoid granting an admin role when more specialized roles are available.

View changer [view_changer] View changers can switch active views.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

Workflow administrator [workflow_admin] Workflow administrators can create, edit, publish, or delete graphical workflows.

Contains Roles

List of roles contained within the role.

activity_creator itom_admin workflow_creator workflow_publisher

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

Avoid granting an admin role when more specialized roles are available.

Workflow creator [workflow_creator] Workflow creators can create graphical workflows.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

Workflow publisher [workflow_publisher] Workflow creators can publish graphical workflows.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

Workflow report viewer [workflow_report_viewer] Workflow report viewers can access the workflow scratchpad for reports.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

None

Zing text search administrator [ts_admin] Users with the ts_admin role can administer the Zing text indexing and search engine .

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles .

No

Special considerations

Avoid granting an admin role when more specialized roles are available.

Special administrative roles Certain roles grant specific administrative rights without the full privileges of the admin role. For example, an administrator can grant a user the right to change UI policy but not client scripts. Read-only role The read-only role (snc_read_only) restricts a user or a group of users to read-only access on the tables to which the user already has access. Application specific roles Applications you install on your instance may include additional roles. Follow the links in this section to see roles installed along with applications.

Parent Topic: Creating roles