Components installed with ITSM Roles - Change Management

  • Release version: Zurich
  • Updated July 31, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Components installed with ITSM Roles - Change Management

    The ITSM Roles — Change Management plugin (com.snc.itsm.roles.changemanagement) installs several user roles and updates Security Access Control Lists (ACLs) to support the security model for Change Management and related ITSM applications. This plugin integrates revised scripts and files that enhance security controls for managing change requests and associated processes.

    Show full answer Show less

    Key Roles Installed and Their Access

    • Change read (snchangeread): Grants read-only access to the Change Management application and all change requests, including the CAB workbench. This role depends on several other roles like cmdbread and appserviceuser to provide comprehensive visibility.
    • Change write (snchangewrite): Provides write access to Change Management records and includes the snchangeread role and template editor capabilities.
    • Incident read (snincidentread): Allows read access to Incident Management records and the major incident workbench. This role offers broader visibility than an ESS user who can only see incidents they submit.
    • Incident write (snincidentwrite): Enables write access to incidents, inheriting all read privileges plus template editing.
    • Problem read (snproblemread): Grants read-only access to Problem Management records.
    • Problem write (snproblemwrite): Provides write access to Problem Management records, including read access and template editing.
    • Request read (snrequestread): Allows read access to requests or requested items, limited to users who are also approvers. This role should be assigned cautiously due to expected future updates and is recommended for users with the businessstakeholder role.
    • Request write (snrequestwrite): Grants write access to requests and requested items, including dependencies such as comment writing, workspace views, and CMDB query capabilities.
    • Request comment write (snrequestcommentwrite): Enables writing comments on requested items; however, it requires corresponding write access to the table itself.
    • Service Desk Agent (snservicedeskagent): Intended for tier 1 service desk agents to gather and verify information and provide quick resolutions. It includes write access roles for incidents, problems, changes, and requests.

    Additional Roles from ITSM Gen AI Plugin

    With the installation of the ITSM Gen AI plugin (com.sn.itsm.gen.ai), two additional roles become available:

    • knowledgeuser
    • nowassistpaneluser

    Practical Implications for ServiceNow Customers

    By installing the ITSM Roles — Change Management plugin, customers can precisely control access to Change Management and related ITSM modules through predefined roles that align with common job functions. This granular role assignment supports compliance with organizational security policies while enabling appropriate access for users involved in change, incident, problem, and request processes. Understanding the dependencies and scope of each role helps administrators assign permissions safely and effectively, ensuring users have the necessary rights to perform their tasks without overexposure.

    Several user roles are installed with the activation of the ITSM Roles — Change Management plugin (com.snc.itsm.roles.change_management). Security ACLs to support the security model for Change Management and related functionality are also installed.

    When you install the ITSM Roles — Change Management plugin (com.snc.itsm.roles.change_management), the plugin updates the Security Access Control Lists (ACLs), integrating revised scripts, and other files to overhaul the security model for these applications.

    Note:
    The Application Files table lists the components that are installed with this application. For instructions on how to access this table, see Find components installed with an application.

    Roles installed

    Role title [name] Description Contains roles
    Change read

    [sn_change_read]

    		 Read access to the Change Management application and related records.
    Note:
    A user with the sn_change_read role can view all change requests as well as the CAB workbench.
    • sn_cmdb_user
    • dependency_views
    • view_changer
    • cmdb_read
    • app_service_user
    • cmdb_query_builder_read
    Change write

    [sn_change_write]

    		 Write access to the Change Management application and related records.
    • sn_change_read
    • template_editor
    • cmdb_query_builder
    Incident read

    [sn_incident_read]

    		 Read access to the Incident Management application and related records.
    Note:
    An ESS user (user with no role) can view only those incidents that they create or someone else creates on their behalf. A user with the sn_incident_read role can view all incidents as well as the major incident workbench.
    • dependency_views
    • agent_workspace_user
    • view_changer
    • cmdb_read
    • cmdb_query_builder_read
    Incident write

    [sn_incident_write]

    		 Write access to the Incident Management application and related records.
    • sn_incident_read
    • template_editor
    Problem read

    [sn_problem_read]

    		 Read access to the Problem Management application and related records. NA
    Problem write

    [sn_problem_write]

    		 Write access to the Problem Management application and related records.
    • sn_problem_read
    • template_editor
    sn_request_read Read access to the Request (sc_request) or Requested Item (sc_req_item) only for a user who is also an approver of the request or requested item.
    Note:
    As there are future updates expected for the sn_request_read role, do not assign it to users without the business_stakeholder role.
    		 NA
    sn_request_write Write access to the Request (sc_request) or Requested Item (sc_req_item).
    • task_editor
    • dependency_views
    • agent_workspace_user
    • view_changer
    • cmdb_read
    • cmdb_query_builder_read
    • sn_request_read
    sn_request_comment_write Write access to the comments for the Requested Item (sc_req_item).
    Note:
    The sn_request_comment_write role alone does not give access to comments write, you will need write access for the table.
    		 NA
    [sn_service_desk_agent] Enables gathering, and verifying information, as well as delivering quick resolutions for tier 1 service desk agents. This user role is available when the ITSM Roles plugin (com.snc.itsm.roles) is installed.
    • sn_incident_write
    • sn_problem_write
    • sn_change_write
    • sn_request_write
    • tracked_file_reader
    With the installation of the ITSM Gen AI (com.sn.itsm.gen.ai) plugin, the following roles are also available:
    • knowledge_user
    • now_assist_panel_user