Roles in CDM

  • Release version: Washington DC
  • Updated February 1, 2024

    List of roles and permissions in CDM.

    Important:
    Starting with the Washington DC release, DevOps Config is being prepared for future deprecation. It will be hidden and no longer installed on new instances but will continue to be supported. For details, see the Deprecation Process [KB0867184] article in the Now Support Knowledge Base.

    CDM roles

    CDM role hierarchy

    Role title [name] | Permissions | Contains roles

    CDM Viewer [sn_cdm.cdm_viewer]

    Permissions:
    • Read config data from any application that they have access to (governed through user groups that are set by the Maintained by property).
    • View the list and content of component libraries as well as the shared components contained within them.
    • View the list and content of changesets.
    • View the list and content of snapshots and validation results.
    • Export snapshots.
    • View exporters.
    • View policies and policy mappings.
    • View the Investigate page for a change request (CHG) on the Service Operations Workspace.
    Note:
    If the Maintained by group is set at the application level to view config data, then this user must be a member of the group.

    Contains roles:
    • [sn_pace.policy_reader]
    • [itil]
    • [canvas_user]

    Event Management user [evt_mgmt_user]

    Permissions:
    • View the contents of the snapshots.
    • View the Investigate page for a change request (CHG) on the Service Operations Workspace.
    • View snapshots, nodes, and changesets, regardless of whether this user is a member of Maintained by groups set at the application level.

    Contains roles:
    • itil

    CDM Editor [sn_cdm.cdm_editor]

    Permissions:
    • Create/update/delete config data within components and collections, including variables, overrides, and includes.
    • Create and commit changesets.
    • Validate snapshots.
    • Publish and unpublish snapshots.
    • Create, update, and delete config data within CDM applications.
    • Add and manage component libraries.
    • Add and delete shared components in a component library.
    Note:
    The cdm_editor role doesn’t grant permission to create/update/delete an application and its deployables, or to change the Enforce validation setting on deployables.

    If the Maintained by group is set at the application level to view config data, then this user must be a member of the group.

    Contains roles:
    • cdm_viewer

    CDM Exporter Editor [sn_cdm.cdm_exporter_editor]

    Permissions:
    • Create/update/delete exporters.

    Contains roles:
    • cdm_viewer

    CDM Policy Editor [sn_cdm.cdm_policy_editor]

    Permissions:
    • Create/update/delete policies.
    • Map policies to deployables.

    Contains roles:
    • cdm_viewer
    • [sn_pace.admin]

    CDM Secrets [sn_cdm.cdm_secrets]

    Permissions:
    • Read and export encrypted data (when granted to a user with the cdm_viewer role).
    • Permanently encrypt/decrypt data (when granted to a user with the cdm_editor role).
    • Edit encrypted data (when granted to a user with the cdm_editor role).
    Note:
    The cdm_secrets role is effective only with the cdm_viewer, cdm_editor, or cdm_admin role.

    Contains roles: None

    Application Service Admin [sn_cdm.app_service_admin]

    Permissions:
    • Enables the CDM Admin to create an application service.

    Contains roles: None

    CDM Admin [sn_cdm.cdm_admin]

    Permissions:
    • Create/update/delete applications.
    • Create/update/delete deployables.
    • Create/update/delete config data.
    • Change settings on deployables to enforce snapshot validation.

    Contains roles:
    • cdm_editor
    • cdm_exporter_editor
    • cdm_policy_editor
    • app_service_admin
    • Model_manager (for create/update/delete of application model)
    • [itil] (for create/update/delete of SDLC components)
    • [itil admin]

    CDM All App Access [sn_cdm.cdm_all_app_access]

    Note:
    The cdm_all_app_access role is effective only with the cdm_admin, cdm_editor, or cdm_viewer roles.

    Permissions:
    • Users with the cdm_all_app_access and cdm_admin role can update or delete an application or shared component library regardless of whether they’re a member of the user groups that maintain the application (Maintained by field) or library (Authoring groups field).
    • Users with the cdm_all_app_access and cdm_editor role can edit an application or shared component library regardless of being a member of any of the user groups that maintain the application or library.
    • Users with the cdm_all_app_access and cdm_viewer role can view an application regardless of being a member of any of the user groups that maintain the application.

    Contains roles: None
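
    For an access review, the containment and pairing rules in the table above can be checked mechanically. The following Python sketch is an added example, not ServiceNow code: it expands each user's assigned roles through the "Contains roles" column and reports cdm_secrets or cdm_all_app_access grants that have no effect, the level of secrets access, and where Maintained by group scoping is bypassed. It assumes the short names in that column (cdm_viewer and so on) refer to the sn_cdm.* roles and that a contained role counts the same as a directly assigned one; the sample assignments are constructed.

```python
# Added example. Containment and pairing rules are transcribed from the role
# table above; short names there (cdm_viewer, ...) are assumed to mean sn_cdm.*.
CONTAINS = {
    "sn_cdm.cdm_viewer": ["sn_pace.policy_reader", "itil", "canvas_user"],
    "evt_mgmt_user": ["itil"],
    "sn_cdm.cdm_editor": ["sn_cdm.cdm_viewer"],
    "sn_cdm.cdm_exporter_editor": ["sn_cdm.cdm_viewer"],
    "sn_cdm.cdm_policy_editor": ["sn_cdm.cdm_viewer", "sn_pace.admin"],
    "sn_cdm.cdm_admin": [  # last three names copied as the page writes them
        "sn_cdm.cdm_editor", "sn_cdm.cdm_exporter_editor",
        "sn_cdm.cdm_policy_editor", "sn_cdm.app_service_admin",
        "Model_manager", "itil", "itil admin"],
}
BASE = ["sn_cdm.cdm_admin", "sn_cdm.cdm_editor", "sn_cdm.cdm_viewer"]  # high to low
SECRETS, ALL_APPS = "sn_cdm.cdm_secrets", "sn_cdm.cdm_all_app_access"


def effective_roles(assigned):
    """Expand directly assigned roles to everything they contain."""
    seen, stack = set(), list(assigned)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(CONTAINS.get(role, []))
    return seen


def audit(assigned):
    """Return access-review findings for one user's assigned roles."""
    roles = effective_roles(assigned)
    base = next((r for r in BASE if r in roles), None)
    findings = []
    for modifier in (SECRETS, ALL_APPS):
        if modifier in roles and base is None:
            findings.append(f"{modifier}: no effect without viewer/editor/admin")
    if SECRETS in roles and base:
        can_edit = "sn_cdm.cdm_editor" in roles  # cdm_admin contains cdm_editor
        findings.append("secrets: " + ("edit/encrypt/decrypt" if can_edit else "read/export"))
    if ALL_APPS in roles and base:
        findings.append(f"Maintained by scoping bypassed at {base} level")
    return findings


if __name__ == "__main__":
    # Constructed assignments, not taken from any real instance.
    sample = {"alice": [SECRETS], "bob": ["sn_cdm.cdm_admin", SECRETS, ALL_APPS],
              "carol": ["sn_cdm.cdm_policy_editor", ALL_APPS]}
    for user, assigned in sample.items():
        print(user, audit(assigned))
```

    Users holding both cdm_admin and cdm_all_app_access are the ones to review first, since that pairing removes group scoping for update and delete.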