Administrators can assign one or more base system user roles to grant access to base system platform features and applications.

To learn more about managing per-user subscriptions, see Managing per-user subscriptions in Subscription Management and contact your account representative.

Administrator [admin]

The administrator role. This role has access to all system features, functions, and data because administrators can override access control list (ACL) rules and pass all role checks. Avoid assigning this role to your users when more targeted roles are available.

Contains Roles
List of roles contained within the role.
  • ais_admin
  • announcement_admin
  • catalog
  • catalog_admin
  • catalog_builder_editor
  • catalog_lookup_admin
  • catalog_template_editor
  • chat_admin
  • evam_admin
  • image_admin
  • import_admin
  • import_scheduler
  • import_set_loader
  • import_transformer
  • live_feed_admin
  • ml_admin
  • ml_labeler
  • nlu_admin
  • nlu_editor
  • nlu_user
  • pa_data_collector
  • pa_viewer
  • personalize_dictionary
  • platform_ml_create
  • platform_ml_read
  • platform_ml_write
  • search_application_admin
  • search_relevancy_model_admin
  • sn_ace.ace_user
  • sn_employee.admin
  • sn_hr_sp.admin
  • sn_hr_sp.esc_admin
  • sn_nlu_workbench.nlu_feedback_admin
  • sn_templated_snip.template_snippet_admin
  • sn_templated_snip.template_snippet_reader
  • sn_templated_snip.template_snippet_writer
  • sp_admin
  • taxonomy_admin
  • user_criteria_admin
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
Grant this privilege carefully. If you have sensitive information, such as HR records, that you must protect, create a custom admin role for that area. Train any users authorized to see those records to act as the administrator. Also note the Special Administrative Roles.
Note: Users with roles related to the Key Management Framework can only be modified by admins with the kmf_admin role. For details on KMF roles, see Roles installed with Key Management Framework.

Agent administrator [agent_admin]

Agent administrators can download and administer the built-in system agent. They can manage MID Server-related scripts.

Contains Roles
List of roles contained within the role.
  • agent_security_admin
  • view_changer
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
Avoid granting an admin role when more specialized roles are available.

AI search administrator [ais_admin]

AI search administrators can query, create, update, and delete indexing and search settings and log messages through the AI Search application.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
Avoid granting an admin role when more specialized roles are available.

Application client company installer [app_client_company_installer]

Users assigned the app_client_company_installer role can install applications containing the same company as the currently logged in instance. Assigning this role enables first-time installation of applications for the company associated with the current instance. Users with this role can’t install an application for another company.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

Application client user [app_client_user]

Application client users can install applications containing the same company as the currently logged in instance.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

Approval administrator [approval_admin]

Approval administrators can view or modify approval requests not directly assigned to them. Use the approver_user role to enable approvers to view or modify only requests directly assigned to them.

Fulfillers may approve within the product to which they are subscribed (ITSM Fulfiller approving within ITSM). This approval may be in the platform or via email. No additional entitlement is required.

Fulfillers may not approve beyond the product to which they are subscribed (ITSM Fulfiller approving within Procurement, GRC, etc.). This approval would need an additional approval entitlement for the user.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
Avoid granting an admin role when more specialized roles are available.

Approver users [approver_user]

Approver users can modify requests for approval routed to them. They also have all the capabilities of requesters.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
There’s a fee associated with this role. Don’t assign it to users without confirming your organization has the appropriate entitlement.

Asset user [asset]

Asset users can manage hardware and software assets.

Contains Roles
List of roles contained within the role.
  • inventory_user
  • cmdb_query_builder
  • canvas_user
  • financial_mgmt_user
  • cmdb_read
  • contract_manager
  • category_manager
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

Assignment rule administrator [assignment_rule_admin]

Assignment rule administrators can manage assignment rules.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
Avoid granting an admin role when more specialized roles are available.

Business process administrator [business_process_admin]

Business process admins can create, read, update, and delete all records and their relationships in the business process.

In the context of Governance, Risk, and Compliance (GRC), users with the sn_grc.admin role who manage GRC applications and their setup automatically gain access to this role. This access enables the GRC administrators to administer a business process and its records similar to other GRC tables.

Contains Roles
List of roles contained within the role: business_process_manager.
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
This role is assigned to users who are administrators and have thorough information and training on business processes. Avoid granting an admin role when more specialized roles are available.

Business process manager [business_process_manager]

Business process managers can create, read, and update any business process and manage the relationship of business processes with other records. This role is assigned to business process managers who are usually specialists and manage multiple business processes in the organization. Assign this role to users who generally work with other employees and are experts around business processes.

In the context of GRC, users with the sn_grc.manager role automatically inherit this role that enables them to manage the business processes for the entire organization.

Contains Roles
List of roles contained within the role - business_process_user.
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

Business process user [business_process_user]

Business process users can update the business processes that a user owns and can also read any business process. This role must be assigned to the respective process owners. This role can also be provided to users who are required to view the business processes in the organization and understand them better.

In the context of GRC, users with the sn_risk.user role are automatically assigned this role. This role enables users to manage the business processes that they own as well as read all business processes.

Contains Roles
List of roles contained within the role - cmdb_read.
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

Catalog administrator [catalog_admin]

Catalog administrators can manage the Service Catalog application, including catalog categories and items.

Contains Roles
List of roles contained within the role.
  • user_criteria_admin
  • catalog_builder_editor
  • catalog_template_editor
  • catalog
  • catalog_lookup_admin
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
Avoid granting an admin role when more specialized roles are available.

Catalog editor [catalog_editor]

Catalog editors can create, modify, and publish items within categories that they’re assigned to.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

Catalog item designer [catalog_item_designer]

Catalog item designers can view the status of their category requests. This role is granted automatically to users when they make a request for an item designer category.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

Catalog manager [catalog_manager]

Catalog managers can view and assign catalog editors to their categories. They can also create, modify, and publish items within their categories.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

Catalog user [catalog]

Catalog users have read and some write access to all Service Catalog Requests, Tasks, and Items.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
  • Catalog Request Approvers > $1000
  • Catalog Request Approvers for Sales
  • Field Services
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

Category manager [category_manager]

Category managers can create, edit, and delete model categories.

Contains Roles
List of roles contained within the role - model_manager.
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

CMDB administrator [sn_cmdb_admin]

The configuration management database (CMDB) administrator is a key role required for interacting with the CMDB Workspace. CMDB administrators can access all CMDB data, tools, and UIs within the CMDB Workspace. Users with this role can set policies that an editor can't, such as class manager and app service requirements.

As you drill down in the CMDB Workspace, there are some dashboards and list views that require specific roles in addition to the CMDB Admin, CMDB Editor, or CMDB User roles.

Contains Roles
List of roles contained within the role.
  • canvas_admin
  • cmdb_ms_admin
  • data_manager_admin
  • sn_cmdb_editor
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
Avoid granting an admin role when more specialized roles are available.

CMDB de-duplication administrator [cmdb_dedup_admin]

CMDB de-duplication admins can review and remediate CMDB de-duplication tasks.

Contains Roles
List of roles contained within the role - cmdb_read.
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
Avoid granting an admin role when more specialized roles are available.

CMDB editor [sn_cmdb_editor]

A key role required for interacting with CMDB Workspace. CMDB editors can create, edit, and delete CMDB records but can't change policies such as data manager and class manager within CMDB Workspace.

As you drill down in the CMDB Workspace, there are some dashboards and list views that require specific roles in addition to the key CMDB Admin, CMDB Editor, or CMDB User roles.

Contains Roles
List of roles contained within the role.
  • cmdb_ms_editor
  • sn_cmdb_user
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

CMDB multi-source administrator [cmdb_ms_admin]

The CMDB multi-source administrator can create and run a query and can modify CMDB 360 properties. Contains the cmdb_ms_write role.

Contains Roles
List of roles contained within the role - cmdb_ms_editor.
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
Avoid granting an admin role when more specialized roles are available.

CMDB multi-source editor [cmdb_ms_editor]

CMDB multi-source editors can create and query, read, and write CMDB records, but can't perform recomputing actions.

Contains Roles
List of roles contained within the role - cmdb_ms_user.
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

CMDB multi-source user [cmdb_ms_user]

CMDB multi-source users have read and execute access to the multi-source queries.

Contains Roles
List of roles contained within the role - cmdb_read.
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

CMDB reader [cmdb_read]

CMDB reader users can read data from the CMDB hierarchy.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

CMDB user [sn_cmdb_user]

A key role required for interacting with CMDB Workspace. CMDB users have read-only access to CMDB data and basic UI within CMDB Workspace.

As you drill down in the CMDB Workspace, there are some dashboards and list views that require specific roles in addition to the key CMDB Admin, CMDB Editor, or CMDB User roles.

Contains Roles
List of roles contained within the role.
  • app_service_user
  • canvas_user
  • cmdb_ms_user
  • cmdb_query_builder
  • data_manager_user
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

Contract manager [contract_manager]

Contract managers can create, edit, and delete contracts through the Contract Management application.

Contains Roles
List of roles contained within the role.
  • canvas_user
  • financial_mgmt_user
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

CreateNow unlimited [unlimited_createnow]

Role for CreateNow unlimited licensed users.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

Data classification administrator [data_classification_admin]

Data classification administrators manage all aspects of the Data Classification application, data classification code setup, and assignment.

Contains Roles
List of roles contained within the role - data_classification_auditor.
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
Avoid granting an admin role when more specialized roles are available.

Data classification auditor [data_classification_auditor]

Data classification auditors audit Data Classification code assignments.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

Enterprise CMDB administrator [ecmdb_admin]

Enterprise CMDB administrators can perform administrative tasks and access tables and records in Enterprise CMDB.

Contains Roles
List of roles contained within the role - cmdb_read.
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
Avoid granting an admin role when more specialized roles are available.

Filter administrator [filter_admin]

Filter administrators can create, edit, and delete filter [sys_filter] records.

Contains Roles
List of roles contained within the role.
  • filter_global
  • filter_group
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
Avoid granting an admin role when more specialized roles are available.

Filter group user [filter_group]

Filter group users can create filters that belong to groups of which the user is a member.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

Gauge maker [gauge_maker]

Gauge makers can create gauges from reports. Starting with Helsinki, reports are no longer made into gauges.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

Global filter user [filter_global]

Global filter users can create global filter [sys_filter] records.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

Global template editor [template_editor_global]

Users with the template_editor_global role can create templates for global use.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

Group template editor [template_editor_group]

Users with the template_editor_group role can create templates for groups.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

Guided tour administrator [guided_tour_admin]

Guided tour administrators can create, modify, and delete guided tour [sys_embedded_tour_guide] records.

Contains Roles
List of roles contained within the role - sn_tourbuilder.tour_admin.
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
Avoid granting an admin role when more specialized roles are available.

Image administrator [image_admin]

Image administrators can create, modify, and delete image [db_image] records.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
Avoid granting an admin role when more specialized roles are available.

Impersonator [impersonator]

Impersonators can impersonate users.
Warning: This role doesn’t enable the impersonation of admin users.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
For details on impersonation, see Base system roles.

Import administrator [import_admin]

Import administrators can manage all aspects of import set [sys_import_set] records and imports.

Contains Roles
List of roles contained within the role.
  • import_set_loader
  • import_transformer
  • import_scheduler
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
Avoid granting an admin role when more specialized roles are available.

Import scheduler [import_scheduler]

Import schedulers can schedule imports.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
Warning: Grant this role carefully. The import_scheduler can execute scripts with administrator level privileges.

Import set loader [import_set_loader]

Import set loader users can load import set [sys_import_set] records.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

Import transformer [import_transformer]

Import transformer users can manage import set transform map [sys_transform_map] records and run transforms.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

Inventory administrator [inventory_admin]

Inventory administrators administer stockrooms, stock models, and stock rules.

Contains Roles
List of roles contained within the role.
  • inventory_user
  • canvas_user
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
Avoid granting an admin role when more specialized roles are available.

Inventory user [inventory_user]

Inventory users have access to stock information.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

ITIL

Information Technology Infrastructure Library (ITIL) users can open, update, and close incidents, problems, changes, and configuration management items. This role is the base system technician role. Users with the ITIL role can have tasks assigned to them.

Contains Roles
List of roles contained within the role.
  • dependency_views
  • agent_workspace_user
  • sn_incident_write
  • sn_sow.sow_user
  • snc_platform_rest_api_access
  • cmdb_query_builder
  • sn_cmdb_editor
  • sn_problem_write
  • tracked_file_reader
  • sn_request_write
  • view_changer
  • viz_creator
  • template_editor
  • cmdb_read
  • app_service_user
  • certification
  • sn_change_write
  • sn_sttrm_condition_read
  • email_composer
Groups
List of groups this role is assigned to by default.
  • Field Services
  • Catalog Request Approvers > $1000
  • Catalog Request Approvers for Sales
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

ITIL administrator [itil_admin]

ITIL administrators can delete incidents, problems, changes, and other related records. This role is intended for team leads.

Contains Roles
List of roles contained within the role.
  • sn_cmdb_admin
  • assessment_admin
  • sn_bm_client.benchmark_data_viewer
  • cmdb_read
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
Avoid granting admin roles when more specialized roles are available.

Knowledge [knowledge]

Knowledge users can write, edit, and review knowledge management articles.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

Knowledge administrator [knowledge_admin]

Knowledge administrators can manage knowledge bases.

Contains Roles
List of roles contained within the role - knowledge.
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
Avoid granting an admin role when more specialized roles are available.

List updater [list_updater]

List updater users can select the Update Entire List and Update Selected menu options on a list.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

Maintenance

This role is reserved for ServiceNow use.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
This role can’t be assigned or impersonated, and is reserved for ServiceNow use.

MID server [mid_server]

MID server users can access the tables that MID servers ordinarily use. This role should be granted to your MID servers.

Contains Roles
List of roles contained within the role - soap.
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
This role should be assigned to user accounts created for MID servers to interact with your instance. For details, see Create the MID Server user and grant the role.

Model manager [model_manager]

Model managers can create, modify, and delete base model [cmdb_model] records.

Contains Roles
List of roles contained within the role - catalog_editor.
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
Avoid granting an admin role when more specialized roles are available.

Personalize [personalize]

Users with the personalize role can personalize forms, lists, rules, controls, and scripts.

Contains Roles
List of roles contained within the role.
  • personalize_control
  • personalize_rules
  • personalize_dictionary
  • personalize_choices
  • personalize_styles
  • personalize_responses
  • personalize_list
  • personalize_form
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

Personalize choices [personalize_choices]

Users assigned to the personalize_choices role can personalize the choices for a list field.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

Personalize control [personalize_control]

Personalize control users can personalize controls on lists, such as filters, links, and buttons.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

Personalize dictionary [personalize_dictionary]

Users with the personalize_dictionary role can personalize dictionary entries and labels.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

Personalize form [personalize_form]

Users with the personalize_form role can personalize forms.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

Personalize list [personalize_list]

Users with the personalize_list role can personalize lists.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

Personalize responses [personalize_responses]

Users with the personalize_form role can personalize predefined responses for suggestion fields, such as the additional comments field.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

Personalize rules [personalize_rules]

Personalize rules users can personalize business rules and scripts. This role contains additional roles for granting selective, administrative access to rules and scripts.

Contains Roles
List of roles contained within the role.
  • ui_action_admin
  • business_rule_admin
  • client_script_admin
  • ui_policy_admin
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
Avoid granting this role to users who don’t need access to all the roles contained in this role.

Personalize styles [personalize_styles]

Users with the personalize_styles role can personalize field styles.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

Personalize UI [personalize_ui]

Users with the personalize_ui role can personalize forms and lists.

Contains Roles
List of roles contained within the role.
  • personalize_form
  • personalize_list
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

Platform Rest API access [snc_platform_rest_api_access]

Allows access to Platform Rest APIs. This role is contained within the ITIL [itil] role.
  • Table API
  • Import Set API
  • Aggregate API
  • Attachment API
Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

Public [public]

No login is required to access features or functions with the public role.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

Release administrator [release_admin]

Release administrators can edit the release history for a release.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
Avoid granting an admin role when more specialized roles are available.

Report administrator [report_admin]

Report administrators can manage, share, publish, and schedule all reports. Users assigned this role can access the Reports > Administration module and manage all report-related objects. The report_admin role inherits all other report roles.

Contains Roles
List of roles contained within the role.
  • gauge_maker
  • report_alias_admin
  • report_global
  • report_group
  • report_publisher
  • report_scheduler
  • viz_admin
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
Avoid granting an admin role when more specialized roles are available.

Report alias administrator [report_alias_admin]

Report alias administrators can maintain field and value aliases.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
Avoid granting an admin role when more specialized roles are available.

Report global [report_global]

Report global users can manage reports that are shared with everyone (listed in Global).

Contains Roles
List of roles contained within the role - report_user.
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

Report group [report_group]

Report group users can manage and share reports that are shared with them (listed in Group).

Contains Roles
List of roles contained within the role - report_user.
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

Report publisher [report_publisher]

Report publisher users can publish any reports that they can manage. Publishing a report creates a public link to that report. Users with this role must also have another role that grants permission to create, edit, and share reports.

Contains Roles
List of roles contained within the role - report_user.
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

Report scheduler [report_scheduler]

Report scheduler users can schedule emailing of all reports that they can see, including reports they can’t manage. Users with this role must also have another role that grants permission to create, edit, and share reports.

Contains Roles
List of roles contained within the role - report_user.
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

Report user [report_user]

Report users can create and view reports that have been shared with them. Users with this role can't share, edit, or delete reports that have been shared with them.

Contains Roles
List of roles contained within the role - viz_creator.
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

Script fix administrator [script_fix_admin]

Script fix administrators can manage fix scripts.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
Avoid granting an admin role when more specialized roles are available.

Search application administrator [search_application_admin]

Search application administrators can insert, update, and delete search user experience-related configuration tables:
  • sys_search_context_config
  • sys_search_source
  • m2m_search_context_config_search_source
  • sys_search_facet
  • sys_search_filter
Search application admin is granted the ais_admin role to enable AI search configuration.
Contains Roles
List of roles contained within the role.
  • ais_admin
  • personalize_dictionary
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
Avoid granting an admin role when more specialized roles are available.

SOAP [soap]

Users with the soap role can query, create, update, and delete records on all tables, as well as execute scripts.

Contains Roles
List of roles contained within the role.
  • soap_create
  • soap_delete
  • soap_ecc
  • soap_query
  • soap_script
  • soap_update
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

SOAP create [soap_create]

Users with the soap_create role can create records in all tables and columns.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

SOAP delete [soap_delete]

Users with the soap_delete role can delete records in all tables and columns.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

SOAP ECC [soap_ecc]

Users with the soap_ecc role can query, create, and update records on the external communication channel (ECC) Queue table only.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

SOAP query [soap_query]

Users with the soap_query role can query records on all tables and columns.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

SOAP query update [soap_query_update]

Users with the soap_query_update role can query and update all tables and columns.

Contains Roles
List of roles contained within the role.
  • soap_query
  • soap_update
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

SOAP script [soap_script]

Users with the soap_script role can execute business rule endpoint functions via script.do.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

SOAP update [soap_update]

Users with the soap_update role can update records on all tables and columns.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

Survey administrator [survey_admin]

Survey administrators can see all surveys, definitions, questions, and instances created by them and others. Users with this role can use all modules in the Survey application menu.

Contains Roles
List of roles contained within the role.
  • assessment_admin
  • sn_bm_client.benchmark_data_viewer
  • sn_publications_recipients_list_user
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
Avoid granting an admin role when more specialized roles are available.

Survey creator [survey_creator]

Survey creators can manage survey definitions, questions, and instances created by them.

Contains Roles
List of roles contained within the role.
  • sn_bm_client.benchmark_data_viewer
  • sn_publications_recipients_list_user
Groups
List of groups this role is assigned to by default - Survey Creators.
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

Survey reader [survey_reader]

Survey readers can view surveys and related information, such as survey responses, survey groups, scorecards, and reports. Users with this role can't change or modify surveys or survey responses.

Contains Roles
List of roles contained within the role - sn_bm_client.benchmark_data_viewer.
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

Task editor [task_editor]

Task editors can edit protected task fields.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

Template editor [template_editor]

Template editors can create templates for personal use, and modify or delete personal templates. This role is included in the itil role in the base system.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

Template scheduler [template_scheduler]

Template schedulers can schedule template-based record creation.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

Text search administrator [text_search_admin]

Text search administrators can customize Global Text Search groups and tables.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
Avoid granting an admin role when more specialized roles are available.

Timecard administrator [timecard_admin]

Timecard administrators can access all timecard records.

Contains Roles
List of roles contained within the role.
  • timecard_approver
  • timecard_user
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
Avoid granting an admin role when more specialized roles are available.

Timecard approver [timecard_approver]

Timecard approvers approve or reject time cards for users.

Contains Roles
List of roles contained within the role.
  • pa_viewer
  • timecard_user
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

Timecard user [timecard_user]

Timecard users can create time cards themselves, and view their own time cards.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

User [user]

The user role has no functionality and doesn’t grant access to any assets on your instance. Users with this role are counted as licensed fulfillers.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

User administrator [user_admin]

User administrators can administer users, groups, locations, skills, and companies.

Contains Roles
List of roles contained within the role.
  • fsm_skill_admin
  • skill_admin
  • territory_admin
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
Avoid granting an admin role when more specialized roles are available.

View changer [view_changer]

View changers can switch active views.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

Workflow administrator [workflow_admin]

Workflow administrators can create, edit, publish, or delete graphical workflows.

Contains Roles
List of roles contained within the role.
  • activity_creator
  • itom_admin
  • workflow_creator
  • workflow_publisher
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
Avoid granting an admin role when more specialized roles are available.

Workflow creator [workflow_creator]

Workflow creators can create graphical workflows.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

Workflow publisher [workflow_publisher]

Workflow creators can publish graphical workflows.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

Workflow report viewer [workflow_report_viewer]

Workflow report viewers can access the workflow scratchpad for reports.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
None

Zing text search administrator [ts_admin]

Users with the ts_admin role can administer the Zing text indexing and search engine.

Contains Roles
List of roles contained within the role.
None
Groups
List of groups this role is assigned to by default.
None
Elevated
Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.
No
Special considerations
Avoid granting an admin role when more specialized roles are available.