Platform security granular admin roles

  • Release version: Australia
  • Updated March 12, 2026
  • 4 minutes to read
  • Use granular admin roles to verify access management by assigning roles that define user permissions and responsibilities.

    Tip:
    Use the search field to filter the granular admin roles by entering keywords related to the role name or product.
    Table 1. Platform Security granular admin roles
    Product Role required Role description

    Access Analyzer

    access_analyzer_admin Role required to access the Access Analyzer to compare user records and access, simulate user access, and view access insights. To learn more, see Access Analyzer.

    Adaptive Authentication

    adaptive_auth_admin Role required to configure adaptive authentication policies. To learn more, see Adaptive authentication.

    Authentication Factors

    auth_factors_admin Role required to configure authentication for voice agent environments, with the factors that first identify the caller, then authenticate them before granting access.

    API Access Policies, API Auth Scopes, Processor Access Policies

    • api_service_admin
    • adaptive_auth_policy_admin
    Roles required to enable users to configure non-OAuth-related functionality such as REST or SOAP policies, inbound authentication profiles, token-based auth, and processors.

    Custom URL

    custom_url_admin Role required to configure custom URLs, view datacenter jobs in read-only mode, and select portal and SSO records. To learn more, see Custom instance URLs.

    E-signature with SSO

    • sso_config_admin
    • script_include_admin
    • ui_page_admin
    Roles required to configure E-signature with SSO (SAML or OIDC) only; not required if using local database login. To learn more, see E-signature for Multi-Provider SSO.

    Encryption

    security_admin Role required to perform security operations as an admin.

    Encryption

    sn_kmf.admin A user must have admin and security admin access to be sn_kmf.admin. Can assign the sn_kmf.cryptographic_manager or sn_kmf.cryptographic_auditor role to other users and has read, write, and execution permissions for key operations.

    Encryption

    sn_kmf.cryptographic_auditor Role required to have read permission for key operations.

    Encryption

    sn_kmf.cryptographic_manager Role required to have read, write, and execution permissions for key operations.

    Federated ID

    iamsync_admin Role required to manage the Federated ID and read or write Federated ID related property. To learn more, see Global Identity.

    Identity AI Agent

    ai_user_admin Role required to manage AI user identities within the instance. Users with this role can create, edit, and delete AI users, and assign or remove roles associated with them.

    Identity AI Agent

    agent_role_config_admin Role required to configure and manage AI agent access during agentic workflow execution. You can mask roles for AI agents using the Agent Access Role Configurations table, which helps protect sensitive data and enforce role-based restrictions.

    Identity AI Agent

    agent_role_config_viewer Role required to view existing records on the Agent Access Role Configurations table.

    Identity and Access audit

    identity_access_audit_viewer
    It contains:
    • role_viewer
    • group_viewer
    Role required to view the User Trails, Group Trails, Role Trails, ACL Trails and Audit results.

    Identity and Access audit

    security_admin Role required to:
    • Configure Retention Period, Configure Tables & Fields.
    • Change identity security audit feature property.

    Identity Center

    user_login_history_viewer Role required to view login history details in the Identity Center, including login timestamps, browser information, IP address, and login status. Supports security investigations by enabling filtered views of login actions and helps identify suspicious activity. To learn more, see Identity Center for users.

    Identity Center

    privileged_role_config_admin Role that grants full access to manage role configurations in the Identity Center, including adding, deleting, creating, reading, and viewing reports in the sys_icenter_role_config table. To learn more, see Identity Metrics for administrators.

    Identity Center

    role_viewer Role required to only view the records in the sys_icenter_role_config table. To learn more, see Identity Center for users.

    Instance operator

    instance_operator
    It contains:
    • identity_access_audit_viewer
    • user_role_history_viewer
    Role required to manage and perform specific role-related operations and know about identity access audits.

    Machine Identity Console

    mi_admin Role required to manage identities that interact with systems and data. To learn more, see Machine Identity Console.

    Password policy

    password_policy_admin Role required to configure password policy-related items. To learn more, see Local authentication.

    Role delegation

    role_delegator_admin Role required for role delegation.

    Roles

    user_role_history_admin
    It contains:
    • user_role_history_viewer
    • role_viewer
    Role required to manage and perform specific role-related operations.

    SCIM

    scim_admin Role required to configure and manage SCIM provisioning, including creating customization properties, supported and extension schema, and ETL definitions for user and group data. To learn more, see System for Cross-domain Identity Management (SCIM).

    SCIM custom schema

    scim_config_admin Role required to configure SCIM custom schema and system properties. To learn more, see SCIM customization properties and schemas.

    SCIM Client

    scim_client_config_admin Role required to configure SCIM Client. To learn more, see SCIM Client.

    SCIM Provider

    scim_admin Role required to configure SCIM Provider. To learn more, see SCIM Provider.

    Self-Register to ServiceNow instance

    external_user_self_registration_admin Role required to onboard a large volume of external users to your instance. To learn more, see Self-register to ServiceNow instance.

    ServiceNow Vault

    sn_vault_console.vault_console_admin Role required to have a collection of Data Classification admin, Data Privacy admin, and CA Admin roles to execute a template flow and monitor sensitive data. To learn more, see Configuring ServiceNow Vault.

    ServiceNow Vault

    sn_vault_console.vault_console_auditor Role required to have a collection of Data Discovery Auditor, Data Classification Auditor, Data Privacy Auditor, and Continuous Auth Auditor roles to view the policies and metrics related to ServiceNow Vault.

    SSO (SAML and OIDC)

    • sso_config_admin
    • business_rule_admin
    • script_include_admin
    Roles required to configure SSO (SAML or OIDC). To learn more, see Multi-Provider single sign-on (SSO).

    System OAuth

    oauth_admin Role required to configure all OAuth-related functionality. To learn more, see OAuth Inbound and Outbound authentication.
    Note:
    You must assign the following roles for the following configurations:
    • The admin role for non-out-of-the-box properties.
    • The script_include_admin role to change existing scripts (JWT, and so on).

    Time limited role

    user_admin Role required to assign a role to a user temporarily, usually if the user must perform a one-time action that is normally not permissible by their role.

    User Impersonation

    user_impersonation_history_viewer Role required to see the user impersonation history table.

    Security Center

    sn_vsc.security_center_admin Role required to access Security Center consoles and tools. Users with this role can also create and manage security tasks.