User access to playbooks in Workflow Studio

  • Release version: Xanadu
  • Updated August 1, 2024

    Administrators can grant users access to playbooks by assigning delegated development permissions or directly assigning a user role. Administrators can also specify which features and content a user can access based on user roles.

    Access by user role

    Administrators can grant access to playbooks in Workflow Studio by directly assigning users the pd_author user role, which includes the role to view activity definitions.

    Table 1. Roles for playbooks in Workflow Studio

    playbook.admin
      Enables users to:
      • Create, update, and delete trigger definitions.
      • Launch Workflow Studio to create, activate, edit, and delete playbooks.
      • Create, edit, and delete activity definitions.
      • View the Experience activity types (sys_pd_activity) and Experience activity properties (sys_pd_activity_type_prop) tables that are shared by Playbooks and Playbook Experience.
      Contains roles:
      • pd_author
      • pd_content_author
      • pd_trigger_author
      • pd_operator
      • pd_cancel

    pd_author
      Enables users to:
      • Launch Workflow Studio to create, activate, edit, and delete playbooks.
      • View all activity definitions.
      • View the Experience activity types (sys_pd_activity) and Experience activity properties (sys_pd_activity_type_prop) tables that are shared by Playbooks and Playbook Experience.
      Contains roles:
      • pd_shared.user
      • playbook.write
      • playbook.activity_def_read

    pd_content_author
      Enables users to:
      • Create, edit, and delete activity definitions.
      • Create, edit, and delete trigger definitions.
      • View the Experience activity types (sys_pd_activity) and Experience activity properties (sys_pd_activity_type_prop) tables that are shared by Playbooks and Playbook Experience.
      Contains roles:
      • pd_trigger_author
      • pd_shared.user
      • playbook.activity_def_read

    pd_trigger_author
      Enables users to create, update, and delete trigger definitions.
      Contains roles: none

    pd_operator
      Enables users to view process executions, activity executions, and execution logs only.
      Contains roles: none

    pd_shared.user
      Enables users to view the Experience activity types (sys_pd_activity) and Experience activity properties (sys_pd_activity_type_prop) tables that are shared by Playbooks and Playbook Experience.
      Contains roles: none

    pd_shared.admin
      Enables users to edit the Experience activity types (sys_pd_activity) and Experience activity properties (sys_pd_activity_type_prop) tables that are shared by Playbooks and Playbook Experience.
      Contains roles: pd_shared.user

    pd_cancel
      Enables users to cancel running playbooks without the playbook.admin role or write access to the parent record. For example, use this role when you want to grant an agent manager, but not an agent, the ability to cancel playbooks.
      Contains roles: none

    pd_restarter
      Enables users to restart active playbooks.
      Contains roles: none

    playbook.write
      Enables users to:
      • Launch Workflow Studio to create, activate, edit, and delete playbooks.
      • View the Experience activity types (sys_pd_activity) and Experience activity properties (sys_pd_activity_type_prop) tables that are shared by Playbooks and Playbook Experience.
      Contains roles: pd_shared.user

    playbook.activity_def_read
      Enables users to view all activity definitions.
      Contains roles: none

    A visual representation of where roles are contained:
    • playbook.admin
      • pd_content_author
        • playbook.activity_def_read
        • pd_shared.user
        • pd_trigger_author
      • pd_operator
      • pd_cancel
      • pd_restarter
      • pd_author
        • playbook.write
          • pd_shared.user
          • sn_workflow_studio.workflow_studio_read
            Note:
            This role allows users to launch Workflow Studio, and is not managed by playbook administrators.
          • sn_diagram_builder.db_read
            Note:
            This role allows users to view playbooks in the diagram view in Workflow Studio, and is not managed by playbook administrators.
        • playbook.activity_def_read
      • pd_shared.admin
        • pd_shared.user
    • delegated_developer
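
The containment list above decides what a user effectively holds after a single role assignment. The following added example (not ServiceNow code) expands assigned roles transitively and flags users who end up with roles that can cancel, restart, or redefine playbook content. The containment edges are transcribed from the list above; the user names and the choice of "sensitive" roles are constructed for illustration.

```javascript
// Containment edges transcribed from the role hierarchy listed on this page.
const CONTAINS = {
  'playbook.admin': ['pd_content_author', 'pd_operator', 'pd_cancel',
                     'pd_restarter', 'pd_author', 'pd_shared.admin'],
  'pd_content_author': ['playbook.activity_def_read', 'pd_shared.user', 'pd_trigger_author'],
  'pd_author': ['playbook.write', 'playbook.activity_def_read'],
  'playbook.write': ['pd_shared.user', 'sn_workflow_studio.workflow_studio_read',
                     'sn_diagram_builder.db_read'],
  'pd_shared.admin': ['pd_shared.user'],
};

// Expand directly assigned roles into the full set a user effectively holds.
function effectiveRoles(assigned, contains = CONTAINS) {
  const seen = new Set();
  const stack = [...assigned];
  while (stack.length > 0) {
    const role = stack.pop();
    if (seen.has(role)) continue; // also guards against containment cycles
    seen.add(role);
    stack.push(...(contains[role] || []));
  }
  return seen;
}

// For each user, report the sensitive roles held and whether each one was
// inherited through containment rather than assigned directly.
function auditSensitive(assignments, sensitive) {
  const findings = [];
  for (const [user, assigned] of Object.entries(assignments)) {
    const effective = effectiveRoles(assigned);
    for (const role of sensitive) {
      if (effective.has(role)) {
        findings.push({ user, role, inherited: !assigned.includes(role) });
      }
    }
  }
  return findings;
}

// Constructed sample assignments (hypothetical users, not from the page).
const SAMPLE_ASSIGNMENTS = {
  'agent.manager': ['pd_cancel'],
  'flow.author': ['pd_author'],
  'content.owner': ['pd_content_author'],
  'platform.admin': ['playbook.admin'],
};
// Assumed review list: roles that cancel or restart playbooks or change shared definitions.
const SENSITIVE = ['pd_cancel', 'pd_restarter', 'pd_content_author', 'pd_shared.admin'];
```

Running `auditSensitive(SAMPLE_ASSIGNMENTS, SENSITIVE)` shows that pd_author brings in none of the reviewed roles, while a single playbook.admin assignment brings in all four by inheritance.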

    Delegated development access

    Administrators can grant users access to Workflow Studio playbooks by creating an application and assigning users as developers with the playbook delegated development permission. Delegated development allows administrators to control whether playbook authors can access features normally restricted to admin users. For more information, see Developer permissions.

    Role-based content filtering

    Specify the user roles necessary to access Workflow Studio playbook content, such as activity definitions. Manage content filtering by creating content definitions and content filtering rules. For more information, see Content filtering for playbooks.

    Role-based activity definition access

    Manage activity definition access by specifying the Required Roles to access an activity definition. To learn more about activity definitions, see Activity definitions.


    Required roles field in an activity definition
    Note:
    Both playbook.admin and pd_content_author roles can edit activity definitions, but only the playbook.admin role can edit the Required Roles field.