Base system roles

Administrators can assign one or more base system user roles to grant access to base system platform features and applications.

The following standard roles are included in the base ServiceNow system with a new instance.

Note: The system does not support changing the name of any base system role. Changing the name of a base system role will prevent users and groups from accessing base system resources that depend on these roles.
Table 1. Base system roles
Role Description
admin

The administrator role. This role has special access to all system features, functions, and data because administrators can override ACL rules and pass all role checks. Consider these implications when using admin overrides on ACLs.

If you have sensitive information, such as HR records, that you need to protect, you must create a custom admin role for that area and train a person authorized to see those records to act as the administrator. Also note the Special Administrative Roles.

Warning: Grant this privilege carefully.
agent_admin Can manage MID Server-related scripts.
approval_admin Can approve or reject approvals.
approver_user Can modify requests for approval routed to them. They also have all capabilities of Requesters.
Note: There is a fee associated with this role. Do not assign it to users without confirming your organization has the appropriate entitlement.
assignment_rule_admin Can manage Assignment Rules.
asset Can manage hardware and software assets.
catalog Has access to service catalog requests.
catalog_admin Can manage the Service Catalog application, including catalog categories and items.
catalog_editor Can create, modify, and publish items within categories they are assigned to.
catalog_item_designer Can view the status of their category requests.
catalog_manager Can view and assign catalog editors to their categories. Can also create, modify, and publish items within their categories.
category_manager Can create, edit, and delete model categories.
contract_manager Can create, edit, and delete contracts through the Contract Management application.
ecmdb_admin Can administer the CMDB.
filter_admin Can manage filters.
filter_global Can create global filters.
filter_group Can create filters that belong to groups of which the user is a member.
gauge_maker Can create gauges from reports. Starting with Helsinki, reports are no longer made into gauges.
image_admin Can manage image files on the Images [db_image] table.
impersonator Can impersonate users. Does not allow impersonation of admin users.
import_admin Can manage all aspects of import sets and imports.
import_scheduler Can schedule imports.
import_set_loader Can load import sets.
import_transformer Can manage import set transform maps and run transforms.
inventory_admin Can create and delete stock information. Only users with the inventory_admin role can edit stock rules, stockrooms, and stockroom types.
inventory_user Has access to stock information. Can create and manage transfer orders.
itil Can perform standard actions for an ITIL helpdesk technician. Can open, update, close incidents, problems, changes, configuration management items. By default, only users with the itil role can have tasks assigned to them.
itil_admin Possesses more privileges than the itil role and is intended for team leads. This role has the ability to delete incidents, problems, changes, and other related entities when both the itil and itil_admin roles are assigned.
knowledge Can create, edit, and review knowledge base articles.
knowledge_admin Can manage the knowledge base.
list_updater Can use Update Entire List and Update Selected menu options on lists.
maint Reserved for ServiceNow use.
mid_server Role that any MID server user should be granted. This role gives the MID server access to the tables it ordinarily uses.
model_manager Can create new CMDB models. Model manager can control the base models and any model extensions that are not hardware, software, or consumables. Hardware and consumable models are controlled by the asset manager role (asset). Software models are control by the software asset manager role (sam).
nobody

The nobody role means that no user has access - not even admin or maint. Use the nobody role carefully. The nobody role takes precedence over the admin override option on ACLs, so even admins cannot have access. See Create an ACL rule.

Do not assign it to specific users. You can use this role in ACLs that control access to resources, such as UI pages, processors, script includes, and records.

Warning: Applying the nobody role may be irreversible if applied to some important system functions.
personalize Can configure forms, lists, rules, controls, scripts.
personalize_choices Can configure choices and predefined responses for non-journal fields designated as choice or suggestion fields.
personalize_control Can configure controls on lists, such as filters, links, and buttons.
personalize_dictionary Can configure dictionary entries and labels.
personalize_form Can configure forms.
personalize_list Can configure lists and list calculations.
personalize_responses Can configure predefined responses for journal fields designated as suggestion fields.
personalize_rules Can configure business rules and scripts. This role contains the following specialized roles for granting selective, administrative access to rules and scripts:
  • business_rule_admin
  • client_script_admin
  • ui_policy_admin
  • ui_action_admin
personalize_styles Can configure field styles.
personalize_ui Can configure forms and lists.
public No login is required to access features or functions with the public role.
release_admin Can edit Release history for a release.
report_admin Can manage reports.
report_global Can create global reports.
report_group Can create reports and share reports with groups that the user is a member of. Users with this role can edit reports shared by other users in the group.
report_publisher Can make reports available on a public page.
report_scheduler Can schedule a report to be emailed.
script_fix_admin Can manage fix scripts.
soap Can query, create, update, and delete records on all tables, as well as execute scripts.
soap_create Can create records on all tables and columns.
soap_delete Can delete records on all tables and columns.
soap_ecc Can query, create, and update on the ECC Queue table only.
soap_query Can query records on all tables and columns.
soap_query_update Can query and update records on all tables and columns.
soap_script Can execute business rule endpoint function via script.do.
soap_update Can update records on all tables and columns.
survey_admin Can manage survey masters, questions, and instances. Contains the assessment_admin role.
survey_reader Can read survey instances and responses.
task_editor Can edit protected task fields.
template_admin Can create and modify templates.
template_editor Can create templates for personal use, and modify or delete personal templates. Included in the itil role in the base system.
template_editor_global Can create templates for global use.
template_editor_group Can create templates for groups.
template_scheduler Can schedule template-based record creation.
text_search_admin Can customize Global Text Search groups and tables.
timecard_admin Can approve, modify, and delete the time cards of other users.
ts_admin Can administer Zing text indexing and search engine.
unlimited_createnow Role for CreateNow unlimited licensed users.
user Available for customer use, has no function in the base system.
user_admin Can administer users, groups, locations, and companies.
view_changer Can switch active views.
workflow_admin Can create, edit, publish or delete graphical workflows.
workflow_creator Can create new graphical workflows.
workflow_publisher Can publish graphical workflows.