Roles in CDM

  • Release version: Australia
  • Updated March 12, 2026
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Roles in CDM

    This document outlines the roles and permissions available in the Common Data Model (CDM) within ServiceNow, particularly relevant for releases up to Australia and noting that DevOps Config is being deprecated starting with the Washington D.C. release. Each role grants specific access and capabilities related to configuration data management, application services, policies, exporters, and encrypted data within CDM.

    Show full answer Show less

    Key Roles and Permissions

    • CDM Viewer [sncdm.cdmviewer]: Allows read-only access to configuration data, component libraries, changesets, snapshots, exporters, policies, and the Investigate page on Service Operations Workspace. Access is governed by user groups set in the Maintained by property.
    • CDM Editor [sncdm.cdmeditor]: Enables creation, updating, and deletion of configuration data, changesets, snapshots, component libraries, and shared components. Does not permit modifying applications, deployables, or snapshot validation settings. Requires membership in Maintained by groups for viewing config data.
    • CDM Exporter Editor [sncdm.cdmexportereditor]: Grants permissions to create, update, and delete exporters. Inherits CDM Viewer permissions.
    • CDM Policy Editor [sncdm.cdmpolicyeditor]: Allows creation, updating, and deletion of policies and mapping policies to deployables. Inherits CDM Viewer permissions and requires [snpace.admin].
    • CDM Secrets [sncdm.cdmsecrets]: Provides capabilities for reading, exporting, encrypting, decrypting, and editing encrypted data when combined with CDM Viewer or Editor roles.
    • Application Service Admin [sncdm.appserviceadmin]: Allows CDM Admins to create application services.
    • CDM Admin [sncdm.cdmadmin]: Comprehensive role allowing creation, updating, and deletion of applications, deployables, and configuration data, plus managing validation enforcement on deployables. Includes CDM Editor, Exporter Editor, Policy Editor, and Application Service Admin roles. Requires Model Manager and itil roles for certain operations.
    • CDM All App Access [sncdm.cdmallappaccess]: Enhances CDM Admin, Editor, or Viewer roles by overriding group-based restrictions, allowing users to access or modify applications and shared component libraries regardless of Maintained by or Authoring groups membership.

    Important Notes for ServiceNow Customers

    • The Maintained by group setting at the application level controls access to configuration data. Users must be members of these groups to view or edit unless they have the CDM All App Access role combined with other CDM roles.
    • Roles are hierarchical, with higher roles inheriting permissions from lower roles, allowing for tailored access control based on operational needs.
    • Starting with Washington D.C. release, DevOps Config functionality will be deprecated and hidden on new instances but remains supported for existing instances.
    • CDM Secrets role is only effective when paired with other core CDM roles (Viewer, Editor, or Admin) to handle encrypted data securely.

    List of roles and permissions in CDM.

    Important:
    Starting with the Washington D.C. release, DevOps Config is being prepared for future deprecation. It will be hidden and no longer activated on new instances but will continue to be supported.

    CDM roles

    CDM role hierarchy

    Role title [name] Permissions Contains roles

    CDM Viewer [sn_cdm.cdm_viewer]
    • Read config data from any application that they have access to (governed through user groups that are set by the Maintained by property).
    • View the list and content of component libraries as well as the shared components contained within them.
    • View the list and content of changesets.
    • View the list and content of snapshots and validation results.
    • Export snapshots.
    • View exporters.
    • View policies and policy mappings.
    • View the Investigate page for a change request (CHG) on the Service Operations Workspace.
    Note:
    If the Maintained by group is set at the application level to view config data, then this user must be a member of the group.
    • [sn_pace.policy_reader]
    • [itil]
    • [canvas_user]
    Event Management user [evt_mgmt_user]
    • View the contents of the snapshots.
    • View the Investigate page for a change request (CHG) on the Service Operations Workspace.
    • View snapshots, nodes, and changesets, regardless of whether this user is a member of Maintained by groups set at the application level.
    		 itil

    CDM Editor [sn_cdm.cdm_editor]
    • Create/update/delete config data within components and collections, including variables, overrides, and includes.
    • Create and commit changesets.
    • Validate snapshots.
    • Publish and unpublish snapshots.
    • Create, update, and delete config data withing CDM applications.
    • Add and manage component libraries.
    • Add and delete shared components in a component library.
    Note:
    The cdm_editor role doesn’t grant permission to create/update/delete an application and its deployables, or to change the Enforce validation setting on deployables.

    If the Maintained by group is set at the application level to view config data, then this user must be a member of the group.

    cdm_viewer

    CDM Exporter Editor [sn_cdm.cdm_exporter_editor]

    		 Create/update/delete exporters.

    cdm_viewer

    CDM Policy Editor [sn_cdm.cdm_policy_editor]
    • Create/update/delete policies.
    • Map policies to deployables.
    • cdm_viewer
    • [sn_pace.admin]

    CDM Secrets [sn_cdm.cdm_secrets]
    • Read and export encrypted data (when granted to a user with the cdm_viewer role).
    • Permanently encrypt / decrypt data (when granted to a user with the cdm_editor role).
    • Edit encrypted data (when granted to a user with the cdm_editor role).
    Note:
    The cdm_secrets role is effective only with the cdm_viewer, cdm_editor, or cdm_admin role.
    		 None

    Application Service Admin [sn_cdm.app_service_admin]

    		 Enables the CDM Admin to create an application service. None

    CDM Admin [sn_cdm.cdm_admin]
    • Create/update/delete applications.
    • Create/update/delete deployables.
    • Create/update/delete config data.
    • Change settings on deployables to enforce snapshot validation.
    • cdm_editor
    • cdm_exporter_editor
    • cdm_policy_editor
    • app_service_admin
    • Model_manager (for create/update/delete of application model)
    • [itil] (for create/update/delete of SDLC components)
    • [itil admin]

    CDM All App Access [sn_cdm.cdm_all_app_access]
    Note:
    The cdm_all_app_access role is effective only with the cdm_admin, cdm_editor, or cdm_viewer roles.
    • Users with the cdm_all_app_access and cdm_admin role can update or delete an application or shared component library regardless of whether they’re a member of the user groups that maintain the application (Maintained by field) or library (Authoring groups field).
    • Users with the cdm_all_app_access and cdm_editor role can edit an application or shared component library regardless of being a member of any of the user groups that maintain the application or library.
    • Users with the cdm_all_app_access and cdm_viewer role can view an application regardless of being a member of any of the user groups that maintain the application.
    		 None