Configure roles for the Service Mapping MCP tools

  • Release version: Australia
  • Updated May 27, 2026
  • 2 minutes to read

    • Configure the role containment chain and assign the required roles to users so they can connect to the Now Assist CMDB MCP Server and call the Service Mapping MCP tools.

    Before you begin

    Before activating the Now Assist CMDB MCP Server, confirm the following requirements are met.
    • Verify that Australia Patch 3 is installed.
    • You have the MCP Platform Manager version 1.4.0 (or later) plugin activated.
    • You have the Now Assist CMDB MCP Server (sn_cmdb_gen_ai.now_assist_cmdb_mcp_server) application installed.

    Role required: admin

    About this task

    For information about the Service Mapping tools, see Service Mapping MCP tools.

    The REST API ACL for the Service Mapping MCP tools enforces the sn_sm_gen_ai.sm_mcp_user role. This role is not automatically added to the standard Service Mapping role hierarchy after deployment. You must configure the containment records manually, because role hierarchy assignments cannot be included in a scoped update set.

    The following table describes the roles involved and the access each one grants.

    Role Type Granted rights
    service_mapping_user Standard Service Mapping role Read access to application service maps and topology data. Assigned to end users who query service data via the MCP Server.
    sn_sm_gen_ai.sm_mcp_user MCP access role Enforced by the REST API ACL on all five Service Mapping MCP tools. Users must have this role (directly or via containment) to call the tools.
    sn_mcp_server.viewer MCP platform role Grants the ability to discover and invoke tools on an MCP server. Required by sn_sm_gen_ai.sm_mcp_user.
    sn_sm_gen_ai.sm_mcp_admin MCP admin role Grants elevated access for administering the Service Mapping MCP tools.
    Figure 1. The role containment chain
    service_mapping_user contains sn_sm_gen_ai.sm_mcp_user, which contains sn_mcp_server.viewer. The sn_sm_gen_ai.sm_mcp_admin role separately contains sn_sm_gen_ai.sm_mcp_user.

    Procedure

    1. Configure the role containment chain.
      1. Navigate to All > User Administration > Roles and open the service_mapping_user role record.
      2. In the Contains Roles related list, add sn_sm_gen_ai.sm_mcp_user.
        The service_mapping_user role contains the sn_sm_gen_ai.sm_mcp_user role.
      3. Open the sn_sm_gen_ai.sm_mcp_user role record.
      4. In the Contains Roles related list, add sn_mcp_server.viewer.
        Users with the sn_sm_gen_ai.sm_mcp_user role can discover and invoke tools on the Now Assist CMDB MCP Server.
      5. Open the sn_sm_gen_ai.sm_mcp_admin role record.
      6. In the Contains Roles related list, verify that sn_sm_gen_ai.sm_mcp_user is present.
        If the role is not present, add it. This ensures that users with the admin role can also call the tools.
    2. Assign the required roles to each end user who needs to query application service data through Claude Desktop.
      1. Navigate to All > User Administration > Users and open the record of a user who needs access to the Service Mapping MCP tools.
      2. Scroll to the Roles related list and select Edit.
      3. Add the service_mapping_user role.
        This role inherits sn_sm_gen_ai.sm_mcp_user and sn_mcp_server.viewer through the containment chain you configured in the previous step. All three roles are required for end-to-end tool invocation.
      4. Select Save.

    Result

    The role hierarchy is configured and users are assigned the required roles. Users assigned the service_mapping_user role can connect an MCP-compatible AI client and call all five Service Mapping MCP tools. Users assigned sn_sm_gen_ai.sm_mcp_admin retain the same tool access plus elevated administrative rights.

    What to do next

    Activate the Now Assist CMDB MCP Server for Service Mapping tools