Creator Studio roles and personas

  • Release version: Xanadu
  • Updated August 1, 2024
  • 4 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Creator Studio roles and personas

    Creator Studio roles control user permissions for creating, configuring, and collaborating on apps within ServiceNow's Creator Studio. Administrators assign these roles to ensure controlled access, preventing unplanned or redundant app creation in your instance. This helps maintain an organized app environment and supports effective app governance.

    Show full answer Show less

    Personas interacting with Creator Studio include low-code/citizen developers, App Engine admins, security admins, and system administrators. Each persona has distinct responsibilities and role assignments that align with their level of involvement and authority in app development and management.

    Roles and Their Capabilities

    • Creator Studio User (sncreatorstudio.user): Can create new apps and becomes the delegated app owner. This role grants delegated development permissions on the created apps.
    • Creator Studio Restricted User (sncreatorstudio.restricteduser): Cannot create apps but can request app creation and work on apps where they are designated as developers. They gain delegated developer access only on assigned apps.
    • App Engine Admin (appengineadmin): Manages app development lifecycle including approving app creation requests and collaboration requests. Requires membership in the appengineadmin group and holds roles enabling app approval and administration.
    • Security Admin: Manages platform-level roles and access control lists, crucial for updating Creator Studio roles and maintaining security compliance.
    • System Administrator: Has unrestricted access to all system features and data; should be assigned carefully, especially when sensitive data is involved.

    Additional roles such as admin and delegateddeveloper also provide access to Creator Studio functionalities.

    User Groups and Access Management

    User groups simplify access control by bundling users with similar permissions:

    • Creator Studio Users group: Members can create apps and have the sncreatorstudio.user role.
    • Creator Studio Restricted Users group: Members need to request app creation and have the sncreatorstudio.restricteduser role.

    Testing and Collaboration Considerations

    • Users with sncreatorstudio.user or sncreatorstudio.restricteduser roles cannot test apps on non-production Request App Workspace but can use app previews for testing.
    • Testing in production as a fulfiller requires additional roles beyond Creator Studio roles, which administrators must assign.
    • Collaboration roles are managed per app, requiring explicit invitations or requests to join app development efforts.
    • When Creator Studio is installed on non-production while production runs an older platform version, collaboration workflows may be affected. Assigning the catalogbuildereditor role to Creator Studio user groups ensures collaboration approval workflows work across different versions.

    Practical Implications for ServiceNow Customers

    By understanding and applying these roles and groups, administrators can:

    • Control who can create and manage apps to avoid app sprawl and ensure governance.
    • Enable low-code developers to contribute while maintaining oversight through app approvals.
    • Manage collaboration efficiently, ensuring appropriate access at the app level.
    • Navigate version mismatches between production and non-production instances to maintain collaboration workflows.
    • Assign necessary roles for testing and fulfilling app requests, ensuring smooth app lifecycle management.

    Roles control what everyone you work with can do in Creator Studio. Administrators assign roles to give team members permission to configure or use Creator Studio.

    The two roles for Creator Studio are used to restrict access from creating new apps, which helps make sure your instance isn't overfilled with redundant, unplanned, or unused apps.

    Personas that use Creator Studio

    Personas aren’t explicitly part of Creator Studio, but administrators assign roles to give team members permission to configure or use Creator Studio.

    Low-code/citizen developer
    Low-code/citizen developers are tech savvy and interested in creating apps. Though they might not have formal coding or app development training, citizen developers can submit ideas for new apps and, if approved, build them using Creator Studio.

    Low-code/citizen developers have either the sn_creatorstudio.user or sn_creatorstudio.restricted_user role.

    App Engine admin
    App Engine admins manage all processes related to app development in Creator Studio. They review new app ideas, handle app deployment, and manage collaborators, usually in the App Engine Management Center.

    App Engine admins have the app_engine_admin role and must be in the app_engine_admin group.

    Security admin
    The security admin creates and modifies roles and access control lists for apps. This role is set on the platform level, and it is required for making updates to roles in Creator Studio.
    System administrator
    The system administrator has access to all system features, functions, and data, regardless of security constraints. Grant this privilege carefully. If you have sensitive information, such as HR records, that you must protect, create a custom admin role for that area and train a person who is authorized to see those records to act as the administrator.

    Roles and what they can do in Creator Studio

    In addition to the roles in the following table, users with the admin and delegated_developer roles can also access Creator Studio.

    For complete details on which roles each role contains, see Components installed with Creator Studio.

    Table 1. Creator Studio roles
    Role Name Description
    Creator Studio User sn_creatorstudio.user
    • Users can create apps in Creator Studio.
    • The user is automatically delegated as the app owner. For more information, see Delegated development and deployment.
    • Contains sn_g_app_creator.app_creator.
    Note:
    This role gets assigned the delegated_developer role when they create or get access to an app.
    Creator Studio Restricted User sn_creatorstudio.restricted_user
    • Users can't create apps in Creator Studio.
    • Users can request apps to be created for them, and to work on an app.
    • Users can work on apps that they've been designated as developers for.
    • When assigned to work on an app, this user gets the delegated_developer role for that app.
    App Engine Admin app_engine_admin
    • Approve requests from restricted users to create an app.
    • Approve collaboration requests.
    • Contains sn_creator_studio.admin_write and sn_creator_studio.basic_write to enable admins to see the apps they need to approve.
    Note:

    To ensure that users can use the Collaboration Approval Workflow regardless of instance versions, admins must assign the catalog _builder_editor role to Creator Studio user groups.

    User groups and what they can do in Creator Studio

    Groups are a standard functionality that help you quickly control people's access to Creator Studio by adding them to a group.

    Table 2. Creator studio user groups
    Group Description
    Creator Studio Users
    • Users are automatically approved to create apps in Creator Studio.
    • Contains sn_creatorstudio.user.
    Creator Studio Restricted Users
    • Users in this group need to request applications be created in Creator Studio on their behalf.
    • Contains sn_creatorstudio.restricted_user.

    Developer roles and testing apps on instances

    If you have a Creator Studio role of sn_creatorstudio.user or sn_creatorstudio.restricted_user, you won't be able to test the apps you build on the non-production instance's Request App Workspace. You should be able to test the app on the non-production instance using Creator Studio's app previews. You will be able to test the apps as a fulfiller in the workspace on the app that's been deployed to production.

    Use case:

    Let's say that a user is in the Creator Studio Users group, so when that user builds an app, that user gets delegated development permissions for that app. That user can then publish a request form, and if there are no roles required for the form, that user can submit requests with the form.

    However, that user won't be able to fulfill requests or access the Request App Workspace because that user won't have the x_acme_user_app.agent role, and that user can't give that role to themself. Administrators must assign additional roles as necessary.

    Collaboration roles and instances on different versions

    As admins implement Creator Studio, they may have it installed on a non-production instance while their production instance is on a previous version of the ServiceNow AI Platform that doesn't have Creator Studio. This mis-match of instance versions affects the Collaboration Approval Workflow, which specifies the non-production instance as the source and the production instance as the controller. If the controller doesn't have the version of the collaboration plugin that supports Creator Studio, collaboration is unsupported.

    To ensure that users can use the Collaboration Approval Workflow regardless of instance versions, admins must assign the catalog _builder_editor role to Creator Studio user groups.

    Roles and app development collaboration

    Roles define user access to Creator Studio. Permission to work on individual apps is controlled on an app-by-app basis. That is, you must manage the collaborators for each app by inviting other citizen developers to work on the app with you, or request to join someone else's app. For more information, see Collaboration in Creator Studio.