Base system roles
-
- UpdatedAug 1, 2024
- 33 minutes to read
- Xanadu
- User Administration
Administrators can assign one or more base system user roles to grant access to base system platform features and applications.
To learn more about managing per-user subscriptions, see Managing per-user subscriptions in Subscription Management and contact your account representative.
Administrator [admin]
The administrator role. This role has access to all system features, functions, and data because administrators can override access control list (ACL) rules and pass all role checks. Avoid assigning this role to your users when more targeted roles are available.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- Grant this privilege carefully. If you have sensitive information, such as HR records, that you must protect, create a custom admin role for that area. Train any users authorized to see those records to act as the
administrator. Also note the Special Administrative Roles.Note: Users with roles related to the Key Management Framework can only be modified by admins with the kmf_admin role. For details on KMF roles, see Roles installed with Key Management Framework.
Agent administrator [agent_admin]
Agent administrators can download and administer the built-in system agent. They can manage MID Server-related scripts.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- Avoid granting an admin role when more specialized roles are available.
AI search administrator [ais_admin]
AI search administrators can query, create, update, and delete indexing and search settings and log messages through the AI Search application.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- Avoid granting an admin role when more specialized roles are available.
Application client company installer [app_client_company_installer]
Users assigned the app_client_company_installer role can install applications containing the same company as the currently logged in instance. Assigning this role enables first-time installation of applications for the company associated with the current instance. Users with this role can’t install an application for another company.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
Application client user [app_client_user]
Application client users can install applications containing the same company as the currently logged in instance.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
Approval administrator [approval_admin]
Approval administrators can view or modify approval requests not directly assigned to them. Use the approver_user role to enable approvers to view or modify only requests directly assigned to them.
Fulfillers may approve within the product to which they are subscribed (ITSM Fulfiller approving within ITSM). This approval may be in the platform or via email. No additional entitlement is required.
Fulfillers may not approve beyond the product to which they are subscribed (ITSM Fulfiller approving within Procurement, GRC, etc.). This approval would need an additional approval entitlement for the user.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- Avoid granting an admin role when more specialized roles are available.
Approver users [approver_user]
Approver users can modify requests for approval routed to them. They also have all the capabilities of requesters.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- There’s a fee associated with this role. Don’t assign it to users without confirming your organization has the appropriate entitlement.
Asset user [asset]
Asset users can manage hardware and software assets.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
Assignment rule administrator [assignment_rule_admin]
Assignment rule administrators can manage assignment rules.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- Avoid granting an admin role when more specialized roles are available.
Business process administrator [business_process_admin]
Business process admins can create, read, update, and delete all records and their relationships in the business process.
In the context of Governance, Risk, and Compliance (GRC), users with the sn_grc.admin role who manage GRC applications and their setup automatically gain access to this role. This access enables the GRC administrators to administer a business process and its records similar to other GRC tables.
- Contains Roles
- List of roles contained within the role: business_process_manager.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- This role is assigned to users who are administrators and have thorough information and training on business processes. Avoid granting an admin role when more specialized roles are available.
Business process manager [business_process_manager]
Business process managers can create, read, and update any business process and manage the relationship of business processes with other records. This role is assigned to business process managers who are usually specialists and manage multiple business processes in the organization. Assign this role to users who generally work with other employees and are experts around business processes.
In the context of GRC, users with the sn_grc.manager role automatically inherit this role that enables them to manage the business processes for the entire organization.
- Contains Roles
- List of roles contained within the role - business_process_user.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
Business process user [business_process_user]
Business process users can update the business processes that a user owns and can also read any business process. This role must be assigned to the respective process owners. This role can also be provided to users who are required to view the business processes in the organization and understand them better.
In the context of GRC, users with the sn_risk.user role are automatically assigned this role. This role enables users to manage the business processes that they own as well as read all business processes.
- Contains Roles
- List of roles contained within the role- cmdb_read.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
Catalog administrator [catalog_admin]
Catalog administrators can manage the Service Catalog application, including catalog categories and items.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- Avoid granting an admin role when more specialized roles are available.
Catalog editor [catalog_editor]
Catalog editors can create, modify, and publish items within categories that they’re assigned to.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
Catalog item designer [catalog_item_designer]
Catalog item designers can view the status of their category requests. This role is granted automatically to users when they make a request for an item designer category.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
Catalog manager [catalog_manager]
Catalog managers can view and assign catalog editors to their categories. They can also create, modify, and publish items within their categories.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
Catalog user [catalog]
Catalog users have read and some write access to all Service Catalog Requests, Tasks, and Items.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
Category manager [category_manager]
Category managers can create, edit, and delete model categories.
- Contains Roles
- List of roles contained within the role - model_manager.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
CMDB administrator [sn_cmdb_admin]
The configuration management data base (CMDB) administrator is a key role required for interacting with the CMDB Workspace. CMDB administrators can access all CMDB data, tools, and UIs within the CMDB Workspace. Users with this role can set policies that an editor can't, such as class manager and app service requirements.
As you drill down in the CMDB Workspace, there are some dashboards and list views that require specific roles in addition to the CMDB Admin, CMDB Editor, or CMDB User roles.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- Avoid granting an admin role when more specialized roles are available.
CMDB de-duplication administrator [cmdb_dedup_admin]
CMDB de-duplication admins can review and remediate CMDB de-duplication tasks.
- Contains Roles
- List of roles contained within the role - cmdb_read.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- Avoid granting an admin role when more specialized roles are available.
CMDB editor [sn_cmdb_editor]
A key role required for interacting with CMDB Workspace. CMDB editors can create, edit, and delete CMDB records but can't change policies such as data manager, class manager within CMDB Workspace.
As you drill down in the CMDB Workspace, there are some dashboards and list views that require specific roles in addition to the key CMDB Admin, CMDB Editor, or CMDB User roles.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
CMDB multi-source administrator [cmdb_ms_admin]
The CMDB multi-source administrator can create and run a query and can modify CMDB 360 properties. Contains the cmdb_ms_write role.- Contains Roles
- List of roles contained within the role - cmdb_ms_editor.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- Avoid granting an admin role when more specialized roles are available.
CMDB multi-source editor [cmdb_ms_editor]
CMDB multi-source editors can create and query, read, and write CMDB records, but can't perform recomputing actions.
- Contains Roles
- List of roles contained within the role - cmdb_ms_user.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
CMDB multi-source user [cmdb_ms_user]
CMDB multi-source users have read and execute access to the multi-source queries.
- Contains Roles
- List of roles contained within the role - cmdb_read.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
CMDB reader [cmdb_read]
CMDB reader users can read data from the CMDB hierarchy.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
CMDB user [sn_cmdb_user]
A key role required for interacting with CMDB Workspace. CMDB users have read-only access to CMDB data and basic UI within CMDB Workspace.
As you drill down in the CMDB Workspace, there are some dashboards and list views that require specific roles in addition to the key CMDB Admin, CMDB Editor, or CMDB User roles.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
Contract manager [contract_manager]
Contract managers can create, edit, and delete contracts through the Contract Management application.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
CreateNow unlimited [unlimited_createnow]
Role for CreateNow unlimited licensed users.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
Data classification administrator [data_classification_admin]
Data classification administrators manage all aspects of the Data Classification application, data classification code setup, and assignment.
- Contains Roles
- List of roles contained within the role - data_classification_auditor.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- Avoid granting an admin role when more specialized roles are available.
Data classification auditor [data_classification_auditor]
Data classification auditors audit Data Classification code assignments.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
Enterprise CMDB administrator [ecmdb_admin]
Enterprise CMDB administrators can perform administrative tasks and access tables and records in Enterprise CMDB.
- Contains Roles
- List of roles contained within the role - cmdb_read.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- Avoid granting an admin role when more specialized roles are available.
Filter administrator [filter_admin]
Filter administrators can create, edit, and delete filter [sys_filter] records.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- Avoid granting an admin role when more specialized roles are available.
Filter group user [filter_group]
Filter group users can create filters that belong to groups of which the user is a member.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
Gauge maker [gauge_maker]
Gauge makers can create gauges from reports. Starting with Helsinki, reports are no longer made into gauges.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
Global filter user [filter_global]
Global filter users can create global filter [sys_filter] records.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
Global template editor [template_editor_global]
Users with the template_editor_global role can create templates for global use.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
Group template editor [template_editor_group]
Users with the template_editor_group role can create templates for groups.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
Guided tour administrator [guided_tour_admin]
Guided tour administrators can create, modify, and delete guided tour [sys_embedded_tour_guide] records.
- Contains Roles
- List of roles contained within the role - sn_tourbuilder.tour_admin.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- Avoid granting an admin role when more specialized roles are available.
Image administrator [image_admin]
Image administrators can create, modify, and delete image [db_image] records.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- Avoid granting an admin role when more specialized roles are available.
Impersonator [impersonator]
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- For details on impersonation, see Base system roles.
Import administrator [import_admin]
Import administrators can manage all aspects of import set [sys_import_set] records and imports.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- Avoid granting an admin role when more specialized roles are available.
Import scheduler [import_scheduler]
Import schedulers can schedule imports.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- Warning: Grant this role carefully. The import_scheduler can execute scripts with administrator level privileges.
Import set loader [import_set_loader]
Import set loader users can load import set [sys_import_set] records.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
Import transformer [import_transformer]
Import transformer users can manage import set transform map [sys_transform_map] records and run transforms.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
Inventory administrator [inventory_admin]
Inventory administrators administer stockrooms, stock models, stock rules.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- Avoid granting an admin role when more specialized roles are available.
Inventory user [inventory_user]
Inventory users have access to stock information.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
ITIL
Information Technology Infrastructure Library (ITIL) users can open, update, close incidents, problems, changes, and configuration management items. This role is the base system technician role. Users with the ITIL role can have tasks assigned to them.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
ITIL administrator [itil_admin]
ITIL administrators can delete incidents, problems, changes, and other related records. This role is intended for team leads.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- Avoid granting admin roles when more specialized roles are available.
Knowledge [knowledge]
Knowledge users can write, edit, and review knowledge management articles.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
Knowledge administrator [knowledge_admin]
Knowledge administrators can manage knowledge bases.
- Contains Roles
- List of roles contained within the role - knowledge.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- Avoid granting an admin role when more specialized roles are available.
List updater [list_updater]
List updater users can select the Update Entire List and Update Selected menu options on a list.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
Maintenance
This role is reserved for ServiceNow use.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- This role can’t be assigned or impersonated, and is reserved for ServiceNow use.
MID server [mid_server]
MID server users can access to the tables that MID servers ordinarily use. This role should be granted to your MID servers.
- Contains Roles
- List of roles contained within the role - soap.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- This role should be assigned to user accounts created for MID servers to interact with your instance. For details, see Create the MID Server user and grant the role.
Model manager [model_manager]
Model managers can create, modify, and delete base model [cmdb_model] records.
- Contains Roles
- List of roles contained within the role - catalog_editor.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- Avoid granting an admin role when more specialized roles are available.
Personalize [personalize]
Users with the personalize role can personalize forms, lists, rules, controls, and scripts.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
Personalize choices [personalize_choices]
Users assigned to the personalize_choices role can personalize the choices for a list field.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
Personalize control [personalize_control]
Personalize control users can personalize controls on lists, such as filters, links, and buttons.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
Personalize dictionary [personalize_dictionary]
Users with the personalize_dictionary role can personalize dictionary entries and labels.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
Personalize form [personalize_form]
Users with the personalize_form role can personalize forms.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
Personalize list [personalize_list]
Users with the personalize_list role can personalize lists.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
Personalize responses [personalize_responses]
Users with the personalize_form role can personalize predefined responses for suggestion fields, such as the additional comments field.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
Personalize rules [personalize_rules]
Personalize rules users can personalize business rules and scripts. This role contains additional roles for granting selective, administrative access to rules and scripts.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- Avoid granting this role to users who don’t need access to all the roles contained in this role.
Personalize styles [personalize_styles]
Users with the personalize_styles role can personalize field styles.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
Personalize UI [personalize_ui]
Users with the personalize_ui role can personalize forms and lists.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
Platform Rest API access [snc_platform_rest_api_access]
- Table API
- Import Set API
- Aggregate API
- Attachment API
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
Public [public]
No login is required to access features or functions with the public role.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
Release administrator [release_admin]
Release administrators can edit the release history for a release.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- Avoid granting an admin role when more specialized roles are available.
Report administrator [report_admin]
Report administrators can manage, share, publish, and schedule all reports. Users assigned this role can access the
module and manage all report-related objects. The report_admin role inherits all other report roles.- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- Avoid granting an admin role when more specialized roles are available.
Report alias administrator [report_alias_admin]
Report alias administrators can maintain field and value aliases.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- Avoid granting an admin role when more specialized roles are available.
Report global [report_global]
Report global users can manage reports that are shared with everyone (listed in Global).
- Contains Roles
- List of roles contained within the role - report_user.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
Report group [report_group]
Report group users can manage and share reports that are shared with them (listed in Group).
- Contains Roles
- List of roles contained within the role - report_user.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
Report publisher [report_publisher]
Report publisher users can publish reports any that they can manage. Publishing a report creates a public link to that report. Users with this role must also have another role that grants permission to create, edit, and share reports.
- Contains Roles
- List of roles contained within the role - report_user.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
Report scheduler [report_scheduler]
Report scheduler users can schedule emailing of all reports that they can see, including reports they can’t manage. Users with this role must also have another role that grants permission to create, edit, and share reports.
- Contains Roles
- List of roles contained within the role - report_user.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
Report user [report_user]
Report users can create and view reports that have been shared with them. Users with this role can't share, edit, or delete reports that have been shared with them.
- Contains Roles
- List of roles contained within the role - viz_creator.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
Script fix administrator [script_fix_admin]
Script fix administrators can manage fix scripts.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- Avoid granting an admin role when more specialized roles are available.
Search application administrator [search_application_admin]
- sys_search_context_config
- sys_search_source
- m2m_search_context_config_search_source
- sys_search_facet
- sys_search_filter
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- Avoid granting an admin role when more specialized roles are available.
SOAP [soap]
users with the soap role can query, create, update, and delete records on all tables, as well as execute scripts.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
SOAP create [soap_create]
Users with the soap_create role can create records in all tables and columns.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
SOAP delete [soap_delete]
Users with the soap_delete role can delete records in all tables and columns.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
SOAP ECC [soap_ecc]
Users with the soap_ecc role can query, create, and update on the external communication channel (ECC) Queue table only.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
SOAP query [soap_query]
Users with the soap_query role can query records on all tables and columns.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
SOAP query update [soap_query_update]
Users with the soap_query_update role can query and update all tables and columns.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
SOAP script [soap_script]
Users with the soap_script role can execute business rule endpoint functions via script.do.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
SOAP update [soap_update]
Users with the soap_update role can update records on all tables and columns.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
Survey administrator [survey_admin]
Survey administrators can see all surveys, definitions, questions, and instances created by them and others. Users with this role can use all modules in the Survey application menu.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- Avoid granting an admin role when more specialized roles are available.
Survey creator [survey_creator]
Survey creators can manage survey definitions, questions, and instances created by them.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default - Survey Creators.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
Survey reader [survey_reader]
Survey readers can view surveys and related information, such as survey responses, survey groups, scorecards, and reports. Users with this role can't change or modify surveys or survey responses.
- Contains Roles
- List of roles contained within the role - sn_bm_client.benchmark_data_viewer.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
Task editor [task_editor]
Task editors can edit protected task fields.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
Template editor [template_editor]
Template editors can create templates for personal use, and modify or delete personal templates. This role is included in the itil role in the base system.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
Template scheduler [template_scheduler]
Template schedulers can schedule template-based record creation.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
Text search administrator [text_search_admin]
Text search administrators can customize Global Text Search groups and tables.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- Avoid granting an admin role when more specialized roles are available.
Timecard administrator [timecard_admin]
Timecard administrators can access all timecard records.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- Avoid granting an admin role when more specialized roles are available.
Timecard approver [timecard_approver]
Timecard approvers approve or reject time cards for users.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
Timecard user [timecard_user]
Timecard users can create time cards themselves, and view their own time cards.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
User [user]
The user role has no functionality and doesn’t grant access to any assets on your instance. Users with this role are counted as licensed fulfillers.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
User administrator [user_admin]
User administrators can administer users, groups, locations, skills, and companies.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- Avoid granting an admin role when more specialized roles are available.
View changer [view_changer]
View changers can switch active views.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
Workflow administrator [workflow_admin]
Workflow administrators can create, edit, publish, or delete graphical workflows.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- Avoid granting an admin role when more specialized roles are available.
Workflow creator [workflow_creator]
Workflow creators can create graphical workflows.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
Workflow publisher [workflow_publisher]
Workflow creators can publish graphical workflows.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
Workflow report viewer [workflow_report_viewer]
Workflow report viewers can access the workflow scratchpad for reports.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- None
Zing text search administrator [ts_admin]
Users with the ts_admin role can administer the Zing text indexing and search engine.
- Contains Roles
- List of roles contained within the role.
- Groups
- List of groups this role is assigned to by default.
- Elevated
- Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
- Special considerations
- Avoid granting an admin role when more specialized roles are available.
On this page
- Administrator [admin]
- Agent administrator [agent_admin]
- AI search administrator [ais_admin]
- Application client company installer [app_client_company_installer]
- Application client user [app_client_user]
- Approval administrator [approval_admin]
- Approver users [approver_user]
- Asset user [asset]
- Assignment rule administrator [assignment_rule_admin]
- Business process administrator [business_process_admin]
- Business process manager [business_process_manager]
- Business process user [business_process_user]
- Catalog administrator [catalog_admin]
- Catalog editor [catalog_editor]
- Catalog item designer [catalog_item_designer]
- Catalog manager [catalog_manager]
- Catalog user [catalog]
- Category manager [category_manager]
- CMDB administrator [sn_cmdb_admin]
- CMDB de-duplication administrator [cmdb_dedup_admin]
- CMDB editor [sn_cmdb_editor]
- CMDB multi-source administrator [cmdb_ms_admin]
- CMDB multi-source editor [cmdb_ms_editor]
- CMDB multi-source user [cmdb_ms_user]
- CMDB reader [cmdb_read]
- CMDB user [sn_cmdb_user]
- Contract manager [contract_manager]
- CreateNow unlimited [unlimited_createnow]
- Data classification administrator [data_classification_admin]
- Data classification auditor [data_classification_auditor]
- Enterprise CMDB administrator [ecmdb_admin]
- Filter administrator [filter_admin]
- Filter group user [filter_group]
- Gauge maker [gauge_maker]
- Global filter user [filter_global]
- Global template editor [template_editor_global]
- Group template editor [template_editor_group]
- Guided tour administrator [guided_tour_admin]
- Image administrator [image_admin]
- Impersonator [impersonator]
- Import administrator [import_admin]
- Import scheduler [import_scheduler]
- Import set loader [import_set_loader]
- Import transformer [import_transformer]
- Inventory administrator [inventory_admin]
- Inventory user [inventory_user]
- ITIL
- ITIL administrator [itil_admin]
- Knowledge [knowledge]
- Knowledge administrator [knowledge_admin]
- List updater [list_updater]
- Maintenance
- MID server [mid_server]
- Model manager [model_manager]
- Personalize [personalize]
- Personalize choices [personalize_choices]
- Personalize control [personalize_control]
- Personalize dictionary [personalize_dictionary]
- Personalize form [personalize_form]
- Personalize list [personalize_list]
- Personalize responses [personalize_responses]
- Personalize rules [personalize_rules]
- Personalize styles [personalize_styles]
- Personalize UI [personalize_ui]
- Platform Rest API access [snc_platform_rest_api_access]
- Public [public]
- Release administrator [release_admin]
- Report administrator [report_admin]
- Report alias administrator [report_alias_admin]
- Report global [report_global]
- Report group [report_group]
- Report publisher [report_publisher]
- Report scheduler [report_scheduler]
- Report user [report_user]
- Script fix administrator [script_fix_admin]
- Search application administrator [search_application_admin]
- SOAP [soap]
- SOAP create [soap_create]
- SOAP delete [soap_delete]
- SOAP ECC [soap_ecc]
- SOAP query [soap_query]
- SOAP query update [soap_query_update]
- SOAP script [soap_script]
- SOAP update [soap_update]
- Survey administrator [survey_admin]
- Survey creator [survey_creator]
- Survey reader [survey_reader]
- Task editor [task_editor]
- Template editor [template_editor]
- Template scheduler [template_scheduler]
- Text search administrator [text_search_admin]
- Timecard administrator [timecard_admin]
- Timecard approver [timecard_approver]
- Timecard user [timecard_user]
- User [user]
- User administrator [user_admin]
- View changer [view_changer]
- Workflow administrator [workflow_admin]
- Workflow creator [workflow_creator]
- Workflow publisher [workflow_publisher]
- Workflow report viewer [workflow_report_viewer]
- Zing text search administrator [ts_admin]