Roles installed with Key Management Framework
The Key Management Framework (KMF) introduces specific roles for cryptographic module and key management-related configurations.
KMF roles are required to use the Key Management Framework. Users without KMF roles are not able to access lists, tables, and modules used to configure key management.
To assign the KMF admin role, you must have the admin, security_admin, and sn_kmf.admin roles. Use the KMF admin role to assign other KMF roles. For details on assigning KMF roles, see Assign Key Management Framework roles.
The sn_kmf.admin role is also required to modify any group record that includes the sn_kmf.cryptographic_manager role. This requirement applies to all updates to the group record, not only to role assignment operations.
KMF admin [sn_kmf.admin]
Assigns roles to other users to perform operations around the ServiceNow Key Management Framework.
Contains Roles
List of roles contained within the role.
None.
Groups
List of groups this role is assigned to by default.
None.
Special considerations
- This role is assigned via the process shown in Assign Key Management Framework roles.
- Users with this role must also have the admin and security_admin roles.
- You must have this role to assign KMF roles. Users with this role can also perform all the capabilities of the KMF cryptographic manager.
KMF cryptographic manager [sn_kmf.cryptographic_manager]
Create, read, and update operations on cryptographic modules (association of keys to cryptographic usage and algorithm configurations) and module access policies. Also, KMF cryptographic managers can perform key management (generate, rotate, revoke) and life cycle operations.
Contains Roles
List of roles contained within the role.
None.
Groups
List of groups this role is assigned to by default.
None.
Special considerations
This role can only be assigned to a user by a KMF admin.
KMF cryptographic auditor [sn_kmf.cryptographic_auditor]
View cryptographic module information, key metadata, and life cycle-related details, as well as module access policy (MAP) information.
Contains Roles
List of roles contained within the role.
None.
Groups
List of groups this role is assigned to by default.
None.
Special considerations
This role can only be assigned to a user by a KMF admin.
KMF cryptographic integrator [sn_kmf.cryptographic_integrator]
Integrate Key Management Framework with external keystores or systems.
Contains Roles
List of roles contained within the role.
None.
Groups
List of groups this role is assigned to by default.
None.
Special considerations
This role can only be assigned to a user by a KMF admin.
KMF cryptographic operator [sn_kmf.cryptographic_operator]
Access part of the ServiceNow Key Management Framework key lifecycle: renewal, rotation, revocation.
Contains Roles
List of roles contained within the role.
None.
Groups
List of groups this role is assigned to by default.
None.
Special considerations
None.
Assign KMF roles
Assign KMF roles to admins, who in turn can assign other KMF roles.
Before you begin
Role required: admin and security_admin
You must elevate to the security_admin role before assigning the KMF admin role. For instructions, see Elevate to a privileged role.
Procedure
What to do next
If you have the KMF admin role, follow these steps for assigning other KMF roles:
- Navigate to and select the user you want to have another KMF role, such as KMF Cryptographic Manager.
- In the Roles related list, select Edit and select the KMF roles you want to assign to the user. All KMF roles start with sn_kmf.
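The role rules on this page can be checked during an access review. The following is an added example, not ServiceNow code: it lists who holds each sn_kmf. role and flags sn_kmf.admin holders who lack the admin or security_admin role. The { user, role } row shape, the function name auditKmfRoles, and the sample rows are assumptions constructed for illustration.

```javascript
// Added example: audit exported user-role assignments against the KMF rules.
// The { user, role } row shape is an assumption; sample rows are constructed.
const KMF_PREFIX = 'sn_kmf.';
const KMF_ADMIN = 'sn_kmf.admin';
const ADMIN_PREREQS = ['admin', 'security_admin'];

function auditKmfRoles(rows) {
  // Collect the set of roles held by each user.
  const rolesByUser = new Map();
  for (const { user, role } of rows) {
    if (!rolesByUser.has(user)) rolesByUser.set(user, new Set());
    rolesByUser.get(user).add(role.trim().toLowerCase());
  }

  const holders = {};   // KMF role -> sorted list of users holding it
  const findings = [];  // sn_kmf.admin holders missing a prerequisite role

  for (const [user, roles] of rolesByUser) {
    for (const role of roles) {
      if (!role.startsWith(KMF_PREFIX)) continue;
      (holders[role] = holders[role] || []).push(user);
    }
    if (roles.has(KMF_ADMIN)) {
      const missing = ADMIN_PREREQS.filter((r) => !roles.has(r));
      if (missing.length > 0) findings.push({ user, missing });
    }
  }
  for (const role of Object.keys(holders)) holders[role].sort();
  return { holders, findings };
}

// Constructed sample data.
const sampleRows = [
  { user: 'alice', role: 'admin' },
  { user: 'alice', role: 'security_admin' },
  { user: 'alice', role: 'sn_kmf.admin' },
  { user: 'bob', role: 'admin' },
  { user: 'bob', role: 'sn_kmf.admin' },
  { user: 'carol', role: 'sn_kmf.cryptographic_manager' },
  { user: 'dave', role: 'sn_kmf.cryptographic_auditor' },
  { user: 'dave', role: 'itil' },
];

const report = auditKmfRoles(sampleRows);
console.log(JSON.stringify(report, null, 2));
```

Each entry in findings names a user and the prerequisite roles that user is missing; holders gives the per-role list to review against who is expected to manage keys.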