Roles in CDM

  • Release version: Zurich
  • Updated July 31, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Roles in CDM

    This document outlines the roles and permissions within the Configuration Data Model (CDM) in the Zurich release. It provides a clear understanding of which roles grant access to specific CDM functionalities, enabling ServiceNow customers to manage configuration data, policies, exporters, and application services effectively. Note that DevOps Config is deprecated and no longer available for new activation.

    Show full answer Show less

    Key Roles and Their Permissions

    • CDM Viewer [sncdm.cdmviewer]: Grants read-only access to configuration data across accessible applications, including component libraries, changesets, snapshots, exporters, policies, and the Investigate page on Service Operations Workspace. Access is controlled by membership in the "Maintained by" user groups. Includes roles: policyreader, itil, canvasuser, and evtmgmtuser (the latter with broader snapshot and changeset viewing capabilities).
    • CDM Editor [sncdm.cdmeditor]: Allows creating, updating, and deleting configuration data in components and collections, managing changesets, validating and publishing snapshots, and managing component libraries and shared components. Does not permit managing applications, deployables, or enforcement settings. Requires membership in "Maintained by" groups for application-level data access. Includes the cdmviewer role.
    • CDM Exporter Editor [sncdm.cdmexportereditor]: Enables creation, updating, and deletion of exporters. Includes the cdmviewer role.
    • CDM Policy Editor [sncdm.cdmpolicyeditor]: Enables creation, updating, and deletion of policies and mapping them to deployables. Includes the cdmviewer and snpace.admin roles.
    • CDM Secrets [sncdm.cdmsecrets]: Provides capabilities to read, export, edit, encrypt, and decrypt encrypted data, contingent on also having cdmviewer, cdmeditor, or cdmadmin roles.
    • Application Service Admin [sncdm.appserviceadmin]: Allows CDM Admins to create application services.
    • CDM Admin [sncdm.cdmadmin]: Grants comprehensive administrative capabilities including creating, updating, and deleting applications, deployables, and configuration data, as well as enforcing snapshot validation on deployables. It aggregates cdmeditor, cdmexportereditor, cdmpolicyeditor, and appserviceadmin roles, plus additional management roles like modelmanager and itil for SDLC components.
    • CDM All App Access [sncdm.cdmallappaccess]: Extends permissions of cdmadmin, cdmeditor, and cdmviewer roles to override group membership restrictions on applications and shared component libraries, allowing broader access to view, edit, update, or delete regardless of user group membership.

    Practical Implications for ServiceNow Customers

    • Understanding these roles helps manage who can view, create, update, or delete configuration data and related entities in CDM, thereby maintaining data integrity and security.
    • Role assignment must consider group memberships, especially for roles that require membership in "Maintained by" groups to access application-level configuration data.
    • The CDM Admin role consolidates broad permissions needed for full lifecycle management of applications and deployables within CDM.
    • The CDM All App Access role is crucial for users needing unrestricted access across applications and component libraries, bypassing standard group restrictions.
    • The CDM Secrets role should be granted carefully as it enables access to sensitive encrypted data and operations.

    List of roles and permissions in CDM.

    Important:
    DevOps Config is now deprecated and no longer supported or available for new activation.

    CDM roles

    CDM role hierarchy

    Role title [name] Permissions Contains roles

    CDM Viewer [sn_cdm.cdm_viewer]
    • Read config data from any application that they have access to (governed through user groups that are set by the Maintained by property).
    • View the list and content of component libraries as well as the shared components contained within them.
    • View the list and content of changesets.
    • View the list and content of snapshots and validation results.
    • Export snapshots.
    • View exporters.
    • View policies and policy mappings.
    • View the Investigate page for a change request (CHG) on the Service Operations Workspace.
    Note:
    If the Maintained by group is set at the application level to view config data, then this user must be a member of the group.
    • [sn_pace.policy_reader]
    • [itil]
    • [canvas_user]
    Event Management user [evt_mgmt_user]
    • View the contents of the snapshots.
    • View the Investigate page for a change request (CHG) on the Service Operations Workspace.
    • View snapshots, nodes, and changesets, regardless of whether this user is a member of Maintained by groups set at the application level.
    		 itil

    CDM Editor [sn_cdm.cdm_editor]
    • Create/update/delete config data within components and collections, including variables, overrides, and includes.
    • Create and commit changesets.
    • Validate snapshots.
    • Publish and unpublish snapshots.
    • Create, update, and delete config data withing CDM applications.
    • Add and manage component libraries.
    • Add and delete shared components in a component library.
    Note:
    The cdm_editor role doesn’t grant permission to create/update/delete an application and its deployables, or to change the Enforce validation setting on deployables.

    If the Maintained by group is set at the application level to view config data, then this user must be a member of the group.

    cdm_viewer

    CDM Exporter Editor [sn_cdm.cdm_exporter_editor]

    		 Create/update/delete exporters.

    cdm_viewer

    CDM Policy Editor [sn_cdm.cdm_policy_editor]
    • Create/update/delete policies.
    • Map policies to deployables.
    • cdm_viewer
    • [sn_pace.admin]

    CDM Secrets [sn_cdm.cdm_secrets]
    • Read and export encrypted data (when granted to a user with the cdm_viewer role).
    • Permanently encrypt / decrypt data (when granted to a user with the cdm_editor role).
    • Edit encrypted data (when granted to a user with the cdm_editor role).
    Note:
    The cdm_secrets role is effective only with the cdm_viewer, cdm_editor, or cdm_admin role.
    		 None

    Application Service Admin [sn_cdm.app_service_admin]

    		 Enables the CDM Admin to create an application service. None

    CDM Admin [sn_cdm.cdm_admin]
    • Create/update/delete applications.
    • Create/update/delete deployables.
    • Create/update/delete config data.
    • Change settings on deployables to enforce snapshot validation.
    • cdm_editor
    • cdm_exporter_editor
    • cdm_policy_editor
    • app_service_admin
    • Model_manager (for create/update/delete of application model)
    • [itil] (for create/update/delete of SDLC components)
    • [itil admin]

    CDM All App Access [sn_cdm.cdm_all_app_access]
    Note:
    The cdm_all_app_access role is effective only with the cdm_admin, cdm_editor, or cdm_viewer roles.
    • Users with the cdm_all_app_access and cdm_admin role can update or delete an application or shared component library regardless of whether they’re a member of the user groups that maintain the application (Maintained by field) or library (Authoring groups field).
    • Users with the cdm_all_app_access and cdm_editor role can edit an application or shared component library regardless of being a member of any of the user groups that maintain the application or library.
    • Users with the cdm_all_app_access and cdm_viewer role can view an application regardless of being a member of any of the user groups that maintain the application.
    		 None