The Key Management Framework (KMF) introduces specific roles for cryptographic module and key management-related configurations.

Important: To assign the KMF admin role, you must have the admin, security_admin, and sn_kmf_admin roles. Use the KMF admin role to assign other KMF roles. For details on assigning KMF roles, see Assign KMF roles.

KMF roles

KMF admin [sn_kmf.admin]

Assigns roles to other users to perform operations around the ServiceNow Key Management Framework.

Contains Roles

List of roles contained within the role.

None.

Groups

List of groups this role is assigned to by default.

None.

Special considerations

Important: Avoid granting an admin role when more specialized roles are available.
  • This role is assigned via the process shown in Assign KMF roles.
  • You must have this role to assign KMF roles. With it, you can also perform everything the KMF cryptographic manager can.

KMF cryptographic manager [sn_kmf.cryptographic_manager]

Create, read, and update operations on cryptographic modules (association of keys to cryptographic usage and algorithm configurations) and module access policies. Also, KMF cryptographic managers can perform key management (generate, rotate, revoke) and life cycle operations.

Contains Roles

List of roles contained within the role.

None.

Groups

List of groups this role is assigned to by default.

None.

Special considerations

None.

KMF cryptographic auditor [sn_kmf.cryptographic_auditor]

View cryptographic module information, key metadata, and life cycle-related details, as well as module access policy (MAP) information.

Contains Roles

List of roles contained within the role.

None.

Groups

List of groups this role is assigned to by default.

None.

Special considerations

None.

KMF cryptographic integrator [sn_kmf.cryptographic_integrator]

Integrate Key Management Framework with external keystores or systems.

Contains Roles

List of roles contained within the role.

None.

Groups

List of groups this role is assigned to by default.

None.

Special considerations

None.

KMF cryptographic operator [sn_kmf.cryptographic_operator]

Access part of the ServiceNow Key Management Framework key lifecycle: renewal, rotation, revocation.

Contains Roles

List of roles contained within the role.

None.

Groups

List of groups this role is assigned to by default.

None.

Special considerations

None.

Assign KMF roles

Assign KMF roles to admins, who in turn can assign other KMF roles.

Before you begin

Role required: admin and security_admin

You must elevate to the security_admin role before assigning the KMF admin role. For instructions, see Elevate to a privileged role.

Procedure

  1. Elevate to the security_admin role.
  2. Navigate to User Administration > Users and select the user you want to be the KMF admin.
  3. Verify that the user already has the admin and security_admin roles.
    If not, select Edit under the Roles related list and add admin and security_admin.
  4. Navigate to System Security > Key Management Administration.
  5. Select the user that you want to be KMF admin in the Available Users column and move them to the Selected User(s) column.

    KMF admin role

  6. Select Save.
  7. Navigate to User Administration > Users and select the user you just gave the sn_kmf.admin role to.
    The user has the sn_kmf.admin role in the Roles related list, and can assign other KMF roles.

    KMF admin role in the Roles related list

What to do next

If you have the KMF admin role, follow these steps for assigning other KMF roles:

  1. Navigate to User Administration > Users and select the user you want to have another KMF role, such as KMF Cryptographic Manager.
  2. In the Roles related list, select Edit and select the KMF roles you want to assign to the user. All KMF role names start with sn_kmf.

    Assigning other KMF roles
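
One way to check role assignments against the rules above, as an added example that is not ServiceNow code and calls no ServiceNow API. The `{ user, role }` row shape, the function name `auditKmfRoles`, the finding labels, and the sample users are assumptions constructed for illustration.

```javascript
// Added example. The five role names come from this page; the row shape is an assumption.
const KMF_ROLES = new Set([
  'sn_kmf.admin',
  'sn_kmf.cryptographic_manager',
  'sn_kmf.cryptographic_auditor',
  'sn_kmf.cryptographic_integrator',
  'sn_kmf.cryptographic_operator',
]);
const KMF_ADMIN_PREREQS = ['admin', 'security_admin'];

function auditKmfRoles(assignments) {
  const byUser = new Map(); // user -> Set of role names
  for (const { user, role } of assignments) {
    if (!byUser.has(user)) byUser.set(user, new Set());
    byUser.get(user).add(role);
  }
  const findings = [];
  const kmfAdmins = []; // reviewed by hand against the least-privilege note
  for (const [user, roles] of byUser) {
    for (const role of roles) {
      // Every KMF role starts with "sn_kmf."; flag names this page does not list.
      if (role.startsWith('sn_kmf.') && !KMF_ROLES.has(role)) {
        findings.push({ user, issue: 'role_not_listed', detail: role });
      }
    }
    if (!roles.has('sn_kmf.admin')) continue;
    kmfAdmins.push(user);
    const missing = KMF_ADMIN_PREREQS.filter((r) => !roles.has(r));
    if (missing.length > 0) {
      findings.push({ user, issue: 'missing_prerequisite', detail: missing.join(',') });
    }
    // KMF admin already has the cryptographic manager's capabilities.
    if (roles.has('sn_kmf.cryptographic_manager')) {
      findings.push({ user, issue: 'redundant_manager_role', detail: 'sn_kmf.cryptographic_manager' });
    }
  }
  return { kmfAdmins, findings };
}

// Constructed sample data, not taken from a real instance.
const SAMPLE_ASSIGNMENTS = [
  { user: 'alice', role: 'admin' }, { user: 'alice', role: 'security_admin' },
  { user: 'alice', role: 'sn_kmf.admin' },
  { user: 'bob', role: 'admin' }, { user: 'bob', role: 'sn_kmf.admin' },
  { user: 'bob', role: 'sn_kmf.cryptographic_manager' },
  { user: 'carol', role: 'sn_kmf.cryptographic_auditor' },
  { user: 'dave', role: 'sn_kmf.crypto_manager' },
];
console.log(JSON.stringify(auditKmfRoles(SAMPLE_ASSIGNMENTS), null, 2));
```

A `role_not_listed` finding means only that the name is absent from this page, so confirm it against the instance before treating it as an error.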