Roles installed with Security Incident Response

When the Security Incident Response plugin is activated, the following roles are added. Determine which users should be assigned which roles and assign them.

When Security Incident Response is activated, the System Administrator user is granted the sn_si.admin role by default. The System Administrator is the only administrator who can set up security groups and users. To protect investigations and keep security incidents private, the sn_si.admin user has the option of restricting Security Incident Response access to security-specific roles and ACLs. Non-security administrators can be restricted from access, unless they are expressly allowed entry. This is an optional procedure.

Table 1. Roles for Security Incident Response

Each entry lists the role title and [name], its description, and the roles it contains.

security admin [sn_si.admin]
Description: Full control over all Security Incident Response data. Also administers territories and skills, as needed.
Note: In the base system, the administrator also has access to sn_si.admin. Security Incident Response can be restricted from the administrator as long as at least one other user is assigned the security administrator role.
Contains roles:
  • catalog_admin
  • skill_admin
  • skill_model_admin
  • sn_si.analyst
  • sn_si.manager
  • sn_si.knowledge_admin
  • template_admin
  • template_editor_global
  • territory_admin
  • treemap_admin
  • user_admin

security analyst [sn_si.analyst]
Description: Tier 1 and 2 security analysts work on security incidents. They can create and update security incidents, requests, and tasks, as well as problems, changes, and outages related to their incidents.
Contains roles:
  • sn_si.basic
  • sn_vul.vulnerability_read (if the Vulnerability Response plugin is activated)

security basic [sn_si.basic]
Description: Underlying role for basic Security access. Users with this role can create and update security incidents, requests, and tasks, as well as problems, changes, and outages related to their incidents.
Contains roles:
  • document_management_user
  • grc_user (if the GRC:Risk plugin is activated)
  • inventory_user
  • pa_viewer
  • service_fulfiller
  • skill_user
  • sn_si.read
  • task_activity_writer
  • task_editor
  • treemap_user

ciso [sn_si.ciso]
Description: View and manipulate the CISO dashboard. Also, if the Vulnerability Response plugin is activated, users with this role can add vulnerability significance definition treemaps to the dashboard.
Contains roles:
  • pa_viewer
  • sn_si.read

external [sn_si.external]
Description: External users can view tasks assigned to them.
Contains roles:
  • service_fulfiller

integration user [sn_si.integration_user]
Description: External tools can provide new security incident records and update security incident records.
Contains roles:
  • import_transformer

knowledge admin [sn_si.knowledge_admin]
Description: Manage, update, and delete the information in the Security Incident knowledge base.
Contains roles:
  • knowledge_admin

manager [sn_si.manager]
Description: Same access as security analysts.
Contains roles:
  • sn_si.basic

read [sn_si.read]
Description: Read security incidents.
Contains roles:
  • grc_compliance_reader (if the GRC:Risk plugin is activated)

special access [sn_si.special_access]
Description: Provides access to specific security incidents to users outside of the Security Operations organization.
Contains roles: N/A
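
For an access review, the question is usually what a role ends up carrying once containment is followed all the way down. The following is an added example, not part of the ServiceNow documentation: the containment map is transcribed from Table 1, the function names are illustrative, and only the roles listed in the table are expanded (whatever platform roles such as user_admin contain is not shown here).

```javascript
// Containment data transcribed from Table 1 on this page. Roles the page lists
// only when another plugin is activated are tagged with that plugin's name.
const CONTAINS = {
  "sn_si.admin": ["catalog_admin", "skill_admin", "skill_model_admin",
    "sn_si.analyst", "sn_si.manager", "sn_si.knowledge_admin", "template_admin",
    "template_editor_global", "territory_admin", "treemap_admin", "user_admin"],
  "sn_si.analyst": ["sn_si.basic",
    { role: "sn_vul.vulnerability_read", plugin: "Vulnerability Response" }],
  "sn_si.basic": ["document_management_user",
    { role: "grc_user", plugin: "GRC:Risk" }, "inventory_user", "pa_viewer",
    "service_fulfiller", "skill_user", "sn_si.read", "task_activity_writer",
    "task_editor", "treemap_user"],
  "sn_si.ciso": ["pa_viewer", "sn_si.read"],
  "sn_si.external": ["service_fulfiller"],
  "sn_si.integration_user": ["import_transformer"],
  "sn_si.knowledge_admin": ["knowledge_admin"],
  "sn_si.manager": ["sn_si.basic"],
  "sn_si.read": [{ role: "grc_compliance_reader", plugin: "GRC:Risk" }],
  "sn_si.special_access": [],
};

// Every role effectively held when `start` is granted, following containment
// transitively. The `seen` set keeps the walk safe if the data has a cycle.
function effectiveRoles(start, activePlugins = []) {
  const seen = new Set();
  const stack = [start];
  while (stack.length > 0) {
    const current = stack.pop();
    if (seen.has(current)) continue;
    seen.add(current);
    for (const entry of CONTAINS[current] || []) {
      const role = typeof entry === "string" ? entry : entry.role;
      const active = typeof entry === "string" || activePlugins.includes(entry.plugin);
      if (active) stack.push(role);
    }
  }
  return [...seen].sort();
}

// Which roles from the table carry `target`, directly or through containment.
function rolesGranting(target, activePlugins = []) {
  return Object.keys(CONTAINS)
    .filter((r) => r !== target && effectiveRoles(r, activePlugins).includes(target))
    .sort();
}

console.log(rolesGranting("sn_si.read"));
console.log(effectiveRoles("sn_si.analyst", ["Vulnerability Response"]));
```

Passing the active plugin names as the second argument shows how activating Vulnerability Response or GRC:Risk widens what the existing Security Incident Response roles carry.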