List of roles and permissions in CDM.

Important: DevOps Config is now deprecated and no longer supported or available for new activation.

CDM roles

CDM role hierarchy

Role title [name] Permissions Contains roles

CDM Viewer [sn_cdm.cdm_viewer]
  • Read config data from any application that they have access to (governed through user groups that are set by the Maintained by property).
  • View the list and content of component libraries as well as the shared components contained within them.
  • View the list and content of changesets.
  • View the list and content of snapshots and validation results.
  • Export snapshots.
  • View exporters.
  • View policies and policy mappings.
  • View the Investigate page for a change request (CHG) on the Service Operations Workspace.
Note: If the Maintained by group is set at the application level to view config data, then this user must be a member of the group.
  • [sn_pace.policy_reader]
  • [itil]
  • [canvas_user]
Event Management user [evt_mgmt_user]
  • View the contents of the snapshots.
  • View the Investigate page for a change request (CHG) on the Service Operations Workspace.
  • View snapshots, nodes, and changesets, regardless of whether this user is a member of Maintained by groups set at the application level.
 itil

CDM Editor [sn_cdm.cdm_editor]
  • Create/update/delete config data within components and collections, including variables, overrides, and includes.
  • Create and commit changesets.
  • Validate snapshots.
  • Publish and unpublish snapshots.
  • Create, update, and delete config data withing CDM applications.
  • Add and manage component libraries.
  • Add and delete shared components in a component library.
Note: The cdm_editor role doesn’t grant permission to create/update/delete an application and its deployables, or to change the Enforce validation setting on deployables.

If the Maintained by group is set at the application level to view config data, then this user must be a member of the group.

cdm_viewer

CDM Exporter Editor [sn_cdm.cdm_exporter_editor]

 Create/update/delete exporters.

cdm_viewer

CDM Policy Editor [sn_cdm.cdm_policy_editor]
  • Create/update/delete policies.
  • Map policies to deployables.
  • cdm_viewer
  • [sn_pace.admin]

CDM Secrets [sn_cdm.cdm_secrets]
  • Read and export encrypted data (when granted to a user with the cdm_viewer role).
  • Permanently encrypt / decrypt data (when granted to a user with the cdm_editor role).
  • Edit encrypted data (when granted to a user with the cdm_editor role).
Note: The cdm_secrets role is effective only with the cdm_viewer, cdm_editor, or cdm_admin role.
 None

Application Service Admin [sn_cdm.app_service_admin]

 Enables the CDM Admin to create an application service. None

CDM Admin [sn_cdm.cdm_admin]
  • Create/update/delete applications.
  • Create/update/delete deployables.
  • Create/update/delete config data.
  • Change settings on deployables to enforce snapshot validation.
  • cdm_editor
  • cdm_exporter_editor
  • cdm_policy_editor
  • app_service_admin
  • Model_manager (for create/update/delete of application model)
  • [itil] (for create/update/delete of SDLC components)
  • [itil admin]

CDM All App Access [sn_cdm.cdm_all_app_access]
Note: The cdm_all_app_access role is effective only with the cdm_admin, cdm_editor, or cdm_viewer roles.
  • Users with the cdm_all_app_access and cdm_admin role can update or delete an application or shared component library regardless of whether they’re a member of the user groups that maintain the application (Maintained by field) or library (Authoring groups field).
  • Users with the cdm_all_app_access and cdm_editor role can edit an application or shared component library regardless of being a member of any of the user groups that maintain the application or library.
  • Users with the cdm_all_app_access and cdm_viewer role can view an application regardless of being a member of any of the user groups that maintain the application.
 None