Base system roles

To learn more about managing per-user subscriptions, see Managing per-user subscriptions in Subscription Management and contact your account representative.

Important :

Avoid granting an admin role when more specialized roles are available.

Administrator [admin]

The administrator role. This role has access to all system features, functions, and data because administrators can override access control list (ACL) rules and pass all role checks. Avoid assigning this role to your users when more targeted roles are available.

Contains Roles

List of roles contained within the role.

ais_admin
announcement_admin
catalog
catalog_admin
catalog_builder_editor
catalog_lookup_admin
catalog_template_editor
chat_admin
evam_admin
image_admin
import_admin
import_scheduler
import_set_loader
import_transformer
live_feed_admin
ml_admin
ml_labeler
nlu_admin
nlu_editor
nlu_user
pa_data_collector
pa_viewer
personalize_dictionary
platform_ml_create
platform_ml_read
platform_ml_write
search_application_admin
search_relevancy_model_admin
sn_ace.ace_user
sn_employee.admin
sn_hr_sp.admin
sn_hr_sp.esc_admin
sn_nlu_workbench.nlu_feedback_admin
sn_templated_snip.template_snippet_admin
sn_templated_snip.template_snippet_reader
sn_templated_snip.template_snippet_writer
sp_admin
taxonomy_admin
user_criteria_admin

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.

No

Special considerations

Grant this privilege carefully. If you have sensitive information, such as HR records, that you must protect, create a custom admin role for that area. Train any users authorized to see those records to act as the administrator. Also note the Special Administrative Roles.

Remarque :

Users with roles related to the Key Management Framework can only be modified by admins with the kmf_admin role. For details on KMF roles, see Roles installed with Key Management Framework.

Agent administrator [agent_admin]

Agent administrators can download and administer the built-in system agent. They can manage MID Server-related scripts.

Contains Roles

List of roles contained within the role.

agent_security_admin
view_changer

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.

No

Special considerations

None.

AI search administrator [ais_admin]

AI search administrators can query, create, update, and delete indexing and search settings and log messages through the AI Search application.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None.

Application client company installer [app_client_company_installer]

Users assigned the app_client_company_installer role can install applications containing the same company as the currently logged in instance. Assigning this role enables first-time installation of applications for the company associated with the current instance. Users with this role can’t install an application for another company.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

Application client user [app_client_user]

Application client users can install applications containing the same company as the currently logged in instance.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

Approval administrator [approval_admin]

Approval administrators can view or modify approval requests not directly assigned to them. Use the approver_user role to enable approvers to view or modify only requests directly assigned to them.

Fulfillers may approve within the product to which they are subscribed (ITSM Fulfiller approving within ITSM). This approval may be in the platform or via email. No additional entitlement is required.

Fulfillers may not approve beyond the product to which they are subscribed (ITSM Fulfiller approving within Procurement, GRC, etc.). This approval would need an additional approval entitlement for the user.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None.

Approver users [approver_user]

Approver users can modify requests for approval routed to them. They also have all the capabilities of requesters.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: There’s a fee associated with this role. Don’t assign it to users without confirming your organization has the appropriate entitlement.

Asset user [asset]

Asset users can manage hardware and software assets.

Contains Roles

List of roles contained within the role.

inventory_user
cmdb_query_builder
canvas_user
financial_mgmt_user
cmdb_read
contract_manager
category_manager

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.

No

Special considerations

None

Assignment rule administrator [assignment_rule_admin]

Assignment rule administrators can manage assignment rules.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None.

Business process administrator [business_process_admin]

Business process admins can create, read, update, and delete all records and their relationships in the business process.

In the context of Governance, Risk, and Compliance (GRC), users with the sn_grc.admin role who manage GRC applications and their setup automatically gain access to this role. This access enables the GRC administrators to administer a business process and its records similar to other GRC tables.

Contains Roles: List of roles contained within the role: business_process_manager.
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: This role is assigned to users who are administrators and have thorough information and training on business processes. None.

Business process manager [business_process_manager]

Business process managers can create, read, and update any business process and manage the relationship of business processes with other records. This role is assigned to business process managers who are usually specialists and manage multiple business processes in the organization. Assign this role to users who generally work with other employees and are experts around business processes.

In the context of GRC, users with the sn_grc.manager role automatically inherit this role that enables them to manage the business processes for the entire organization.

Contains Roles: List of roles contained within the role - business_process_user.
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

Business process user [business_process_user]

Business process users can update the business processes that a user owns and can also read any business process. This role must be assigned to the respective process owners. This role can also be provided to users who are required to view the business processes in the organization and understand them better.

In the context of GRC, users with the sn_risk.user role are automatically assigned this role. This role enables users to manage the business processes that they own as well as read all business processes.

Contains Roles: List of roles contained within the role- cmdb_read.
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

Catalog administrator [catalog_admin]

Catalog administrators can manage the Service Catalog application, including catalog categories and items.

Contains Roles

List of roles contained within the role.

user_criteria_admin
catalog_builder_editor
catalog_template_editor
catalog
catalog_lookup_admin

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.

No

Special considerations

None.

Catalog editor [catalog_editor]

Catalog editors can create, modify, and publish items within categories that they’re assigned to.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

Catalog item designer [catalog_item_designer]

Catalog item designers can view the status of their category requests. This role is granted automatically to users when they make a request for an item designer category.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

Catalog manager [catalog_manager]

Catalog managers can view and assign catalog editors to their categories. They can also create, modify, and publish items within their categories.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

Catalog user [catalog]

Catalog users have read and some write access to all Service Catalog Requests, Tasks, and Items.

Contains Roles

List of roles contained within the role.

None

Groups

List of groups this role is assigned to by default.

Catalog Request Approvers > $1000
Catalog Request Approvers for Sales
Field Services

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.

No

Special considerations

None

Category manager [category_manager]

Category managers can create, edit, and delete model categories.

Contains Roles: List of roles contained within the role - model_manager.
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

CMDB administrator [sn_cmdb_admin]

The configuration management data base (CMDB) administrator is a key role required for interacting with the CMDB Workspace and the Service Graph Workspace. CMDB administrators can access all CMDB data, tools, and UIs within the CMDB Workspace and Service Graph Workspace. Users with this role can set policies that an editor can't, such as class manager and app service requirements.

As you drill down in the CMDB Workspace or the Service Graph Workspace, there are some dashboards and list views that require specific roles in addition to the CMDB Admin, CMDB Editor, or CMDB User roles.

Contains Roles

List of roles contained within the role.

canvas_admin
cmdb_ms_admin
data_manager_admin
sn_cmdb_editor

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.

No

Special considerations

None.

CMDB de-duplication administrator [cmdb_dedup_admin]

CMDB de-duplication admins can review and remediate CMDB de-duplication tasks.

Contains Roles: List of roles contained within the role - cmdb_read.
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None.

CMDB editor [sn_cmdb_editor]

A key role required for interacting with CMDB Workspace and the Service Graph Workspace. CMDB editors can create, edit, and delete CMDB records but can't change policies such as data manager, class manager within CMDB Workspace or Service Graph Workspace.

As you drill down in the CMDB Workspace or Service Graph Workspace, there are some dashboards and list views that require specific roles in addition to the key CMDB Admin, CMDB Editor, or CMDB User roles.

Contains Roles

List of roles contained within the role.

cmdb_ms_editor
sn_cmdb_user

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.

No

Special considerations

None

CMDB multi-source administrator [cmdb_ms_admin]

The CMDB multi-source administrator can create and run a query and can modify CMDB 360 properties. Contains the cmdb_ms_write role.

Contains Roles: List of roles contained within the role - cmdb_ms_editor.
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None.

CMDB multi-source editor [cmdb_ms_editor]

CMDB multi-source editors can create and query, read, and write CMDB records, but can't perform recomputing actions.

Contains Roles: List of roles contained within the role - cmdb_ms_user.
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

CMDB multi-source user [cmdb_ms_user]

CMDB multi-source users have read and execute access to the multi-source queries.

Contains Roles: List of roles contained within the role - cmdb_read.
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

CMDB reader [cmdb_read]

CMDB reader users can read data from the CMDB hierarchy.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

CMDB user [sn_cmdb_user]

A key role required for interacting with CMDB Workspace and the Service Graph Workspace. CMDB users have read-only access to CMDB data and basic UI within CMDB Workspace and Service Graph Workspace.

As you drill down in the CMDB Workspace or in Service Graph Workspace, there are some dashboards and list views that require specific roles in addition to the key CMDB Admin, CMDB Editor, or CMDB User roles.

Contains Roles

List of roles contained within the role.

app_service_user
canvas_user
cmdb_ms_user
cmdb_query_builder
data_manager_user

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.

No

Special considerations

None

Contract manager [contract_manager]

Contract managers can create, edit, and delete contracts through the Contract Management application.

Contains Roles

List of roles contained within the role.

canvas_user
financial_mgmt_user

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.

No

Special considerations

None

CreateNow unlimited [unlimited_createnow]

Role for CreateNow unlimited licensed users.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

Data classification administrator [data_classification_admin]

Data classification administrators manage all aspects of the Data Classification application, data classification code setup, and assignment.

Contains Roles: List of roles contained within the role - data_classification_auditor.
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None.

Data classification auditor [data_classification_auditor]

Data classification auditors audit Data Classification code assignments.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

Enterprise CMDB administrator [ecmdb_admin]

Enterprise CMDB administrators can perform administrative tasks and access tables and records in Enterprise CMDB.

Contains Roles: List of roles contained within the role - cmdb_read.
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None.

Filter administrator [filter_admin]

Filter administrators can create, edit, and delete filter [sys_filter] records.

Contains Roles

List of roles contained within the role.

filter_global
filter_group

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.

No

Special considerations

None.

Filter group user [filter_group]

Filter group users can create filters that belong to groups of which the user is a member.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

Gauge maker [gauge_maker]

Gauge makers can create gauges from reports. Starting with Helsinki, reports are no longer made into gauges.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

Global filter user [filter_global]

Global filter users can create global filter [sys_filter] records.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

Global template editor [template_editor_global]

Users with the template_editor_global role can create templates for global use.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

Group template editor [template_editor_group]

Users with the template_editor_group role can create templates for groups. (Users must also be assigned the template_read_global role)

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

Guided tour administrator [guided_tour_admin]

Guided tour administrators can create, modify, and delete guided tour [sys_embedded_tour_guide] records.

Contains Roles: List of roles contained within the role - sn_tourbuilder.tour_admin.
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None.

Image administrator [image_admin]

Image administrators can create, modify, and delete image [db_image] records.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None.

Impersonator [impersonator]

Impersonators can impersonate users.

Avertissement :

This role doesn’t enable the impersonation of admin users.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: For details on impersonation, see Base system roles.

Import administrator [import_admin]

Import administrators can manage all aspects of import set [sys_import_set] records and imports.

Contains Roles

List of roles contained within the role.

import_set_loader
import_transformer
import_scheduler

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.

No

Special considerations

None.

Import scheduler [import_scheduler]

Import schedulers can schedule imports.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: Avertissement :
Grant this role carefully. The import_scheduler can execute scripts with administrator level privileges.

Import set loader [import_set_loader]

Import set loader users can load import set [sys_import_set] records.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

Import transformer [import_transformer]

Import transformer users can manage import set transform map [sys_transform_map] records and run transforms.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

Inventory administrator [inventory_admin]

Inventory administrators administer stockrooms, stock models, stock rules.

Contains Roles

List of roles contained within the role.

inventory_user
canvas_user

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.

No

Special considerations

None.

Inventory user [inventory_user]

Inventory users have access to stock information.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

ITIL

Information Technology Infrastructure Library (ITIL) users can open, update, close incidents, problems, changes, and read some rules, definitions, and CIs related to CMDB features. This role is the base system technician role. Users with the ITIL role can have tasks assigned to them.

Contains Roles

List of roles contained within the role.

agent_workspace_user
app_service_user
cmdb_query_builder
cmdb_read
dependency_views
email_composer
snc_platform_rest_api_access
sn_change_write
sn_comm_management.comm_plan_viewer
sn_gd_guidance.guidance_user
sn_incident_write
sn_nb_action.next_best_action_user
sn_problem_write
sn_request_write
sn_sow.sow_list
sn_sow.sow_user
sn_sttrm_condition_read
survey_reader
template_editor
tracked_file_reader
view_changer
viz_creator

Groups

List of groups this role is assigned to by default.

Field Services
Catalog Request Approvers > $1000
Catalog Request Approvers for Sales

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.

No

Special considerations

None

ITIL administrator [itil_admin]

ITIL administrators can delete incidents, problems, changes, and other related records. This role is intended for team leads.

Contains Roles

List of roles contained within the role.

assessment_admin
sn_bm_client.benchmark_data_viewer
cmdb_read

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.

No

Special considerations

Avoid granting admin roles when more specialized roles are available.

Knowledge [knowledge]

Knowledge users can write, edit, and review knowledge management articles.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

Knowledge administrator [knowledge_admin]

Knowledge administrators can manage knowledge bases.

Contains Roles: List of roles contained within the role - knowledge.
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None.

List updater [list_updater]

List updater users can select the Update Entire List and Update Selected menu options on a list.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

Maintenance

This role is reserved for ServiceNow use.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: This role can’t be assigned or impersonated, and is reserved for ServiceNow use.

MID server [mid_server]

MID server users can access to the tables that MID servers ordinarily use. This role should be granted to your MID servers.

Contains Roles: List of roles contained within the role - soap.
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: This role should be assigned to user accounts created for MID servers to interact with your instance. For details, see Create the MID Server user and grant the role.

Model manager [model_manager]

Model managers can create, modify, and delete base model [cmdb_model] records.

Contains Roles: List of roles contained within the role - catalog_editor.
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None.

Personalize [personalize]

Users with the personalize role can personalize forms, lists, rules, controls, and scripts.

Contains Roles

List of roles contained within the role.

personalize_control
personalize_rules
personalize_dictionary
personalize_choices
personalize_styles
personalize_responses
personalize_list
personalize_form

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.

No

Special considerations

None

Personalize choices [personalize_choices]

Users assigned to the personalize_choices role can personalize the choices for a list field.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

Personalize control [personalize_control]

Personalize control users can personalize controls on lists, such as filters, links, and buttons.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

Personalize dictionary [personalize_dictionary]

Users with the personalize_dictionary role can personalize dictionary entries and labels.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

Personalize form [personalize_form]

Users with the personalize_form role can personalize forms.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

Personalize list [personalize_list]

Users with the personalize_list role can personalize lists.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

Personalize responses [personalize_responses]

Users with the personalize_form role can personalize predefined responses for suggestion fields, such as the additional comments field.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

Personalize rules [personalize_rules]

Personalize rules users can personalize business rules and scripts. This role contains additional roles for granting selective, administrative access to rules and scripts.

Contains Roles

List of roles contained within the role.

ui_action_admin
business_rule_admin
client_script_admin
ui_policy_admin

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.

No

Special considerations

Avoid granting this role to users who don’t need access to all the roles contained in this role.

Personalize styles [personalize_styles]

Users with the personalize_styles role can personalize field styles.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

Personalize UI [personalize_ui]

Users with the personalize_ui role can personalize forms and lists.

Contains Roles

List of roles contained within the role.

personalize_form
personalize_list

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.

No

Special considerations

None

Platform Rest API access [snc_platform_rest_api_access]

Allows access to Platform Rest APIs. This role is contained with in the ITIL [itil] role.

Table API
Import Set API
Aggregate API
Attachment API

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

Public [public]

No login is required to access features or functions with the public role.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

Release administrator [release_admin]

Release administrators can edit the release history for a release.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None.

Report administrator [report_admin]

Report administrators can manage, share, publish, and schedule all reports. Users assigned this role can access the Reports > Administration module and manage all report-related objects. The report_admin role inherits all other report roles.

Contains Roles

List of roles contained within the role.

gauge_maker
report_alias_admin
report_global
report_group
report_publisher
report_scheduler
viz_admin

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.

No

Special considerations

None.

Report alias administrator [report_alias_admin]

Report alias administrators can maintain field and value aliases.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None.

Report global [report_global]

Report global users can manage reports that are shared with everyone (listed in Global).

Contains Roles: List of roles contained within the role - report_user.
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

Report group [report_group]

Report group users can manage and share reports that are shared with them (listed in Group).

Contains Roles: List of roles contained within the role - report_user.
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

Report publisher [report_publisher]

Report publisher users can publish reports any that they can manage. Publishing a report creates a public link to that report. Users with this role must also have another role that grants permission to create, edit, and share reports.

Contains Roles: List of roles contained within the role - report_user.
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

Report scheduler [report_scheduler]

Report scheduler users can schedule emailing of all reports that they can see, including reports they can’t manage. Users with this role must also have another role that grants permission to create, edit, and share reports.

Contains Roles: List of roles contained within the role - report_user.
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

Report user [report_user]

Report users can create and view reports that have been shared with them. Users with this role can't share, edit, or delete reports that have been shared with them.

Contains Roles: List of roles contained within the role - viz_creator.
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

Script fix administrator [script_fix_admin]

Script fix administrators can manage fix scripts.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None.

Search application administrator [search_application_admin]

Search application administrators can insert, update, and delete search user experience-related configuration tables:

sys_search_context_config
sys_search_source
m2m_search_context_config_search_source
sys_search_facet
sys_search_filter

Search application admin is granted the ais_admin role to enable AI search configuration.

Contains Roles

List of roles contained within the role.

ais_admin
personalize_dictionary

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.

No

Special considerations

None.

SOAP [soap]

users with the soap role can query, create, update, and delete records on all tables, as well as execute scripts.

Contains Roles

List of roles contained within the role.

soap_create
soap_delete
soap_ecc
soap_query
soap_script
soap_update

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.

No

Special considerations

None

SOAP create [soap_create]

Users with the soap_create role can create records in all tables and columns.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

SOAP delete [soap_delete]

Users with the soap_delete role can delete records in all tables and columns.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

SOAP ECC [soap_ecc]

Users with the soap_ecc role can query, create, and update on the external communication channel (ECC) Queue table only.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

SOAP query [soap_query]

Users with the soap_query role can query records on all tables and columns.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

SOAP query update [soap_query_update]

Users with the soap_query_update role can query and update all tables and columns.

Contains Roles

List of roles contained within the role.

soap_query
soap_update

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.

No

Special considerations

None

SOAP script [soap_script]

Users with the soap_script role can execute business rule endpoint functions via script.do.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

SOAP update [soap_update]

Users with the soap_update role can update records on all tables and columns.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

Survey administrator [survey_admin]

Survey administrators can see all surveys, definitions, questions, and instances created by them and others. Users with this role can use all modules in the Survey application menu.

Contains Roles

List of roles contained within the role.

assessment_admin
sn_bm_client.benchmark_data_viewer
sn_publications_recipients_list_user

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.

No

Special considerations

None.

Survey creator [survey_creator]

Survey creators can manage survey definitions, questions, and instances created by them.

Contains Roles

List of roles contained within the role.

sn_bm_client.benchmark_data_viewer
sn_publications_recipients_list_user

Groups

List of groups this role is assigned to by default - Survey Creators.

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.

No

Special considerations

None

Survey reader [survey_reader]

Survey readers can view surveys and related information, such as survey responses, survey groups, scorecards, and reports. Users with this role can't change or modify surveys or survey responses.

Contains Roles: List of roles contained within the role - sn_bm_client.benchmark_data_viewer.
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

Task editor [task_editor]

Task editors can edit protected task fields.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

Template editor [template_editor]

Template editors can create templates for personal use, and modify or delete personal templates. This role is included in the itil role in the base system.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

Template scheduler [template_scheduler]

Template schedulers can schedule template-based record creation.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

Text search administrator [text_search_admin]

Text search administrators can customize Global Text Search groups and tables.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None.

Timecard administrator [timecard_admin]

Timecard administrators can access all timecard records.

Contains Roles

List of roles contained within the role.

timecard_approver
timecard_user

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.

No

Special considerations

None.

Timecard approver [timecard_approver]

Timecard approvers approve or reject time cards for users.

Contains Roles

List of roles contained within the role.

pa_viewer
timecard_user

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.

No

Special considerations

None

Timecard user [timecard_user]

Timecard users can create time cards themselves, and view their own time cards.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

User [user]

The user role has no functionality and doesn’t grant access to any assets on your instance. Users with this role are counted as licensed fulfillers.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

User administrator [user_admin]

User administrators can administer users, groups, locations, skills, and companies.

Contains Roles

List of roles contained within the role.

fsm_skill_admin
skill_admin
territory_admin

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.

No

Special considerations

None.

View changer [view_changer]

View changers can switch active views.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

Workflow administrator [workflow_admin]

Workflow administrators can create, edit, publish, or delete graphical workflows.

Contains Roles

List of roles contained within the role.

activity_creator
itom_admin
workflow_creator
workflow_publisher

Groups

List of groups this role is assigned to by default.

None

Elevated

Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.

No

Special considerations

None.

Workflow creator [workflow_creator]

Workflow creators can create graphical workflows.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

Workflow publisher [workflow_publisher]

Workflow creators can publish graphical workflows.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

Workflow report viewer [workflow_report_viewer]

Workflow report viewers can access the workflow scratchpad for reports.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None

Zing text search administrator [ts_admin]

Users with the ts_admin role can administer the Zing text indexing and search engine.

Contains Roles: List of roles contained within the role.; None
Groups: List of groups this role is assigned to by default.; None
Elevated: Whether the role is an elevated role. Elevated roles aren’t assigned to users or groups, and must be used by elevation. For details, see Elevated privilege roles.; No
Special considerations: None.