Roles in CDM

  • Release version: Xanadu
  • Updated August 1, 2024
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Roles in CDM

    The roles in the Configuration Data Management (CDM) application define specific permissions for users to interact with configuration data, component libraries, snapshots, exporters, policies, and applications. Understanding these roles helps ServiceNow customers assign appropriate access levels to team members for managing and viewing configuration data effectively. Note that starting with the Washington DC release, DevOps Config is being deprecated and will no longer be installed on new instances, though it will continue to be supported.

    Show full answer Show less

    Key Roles and Their Permissions

    • CDM Viewer: Allows read-only access to configuration data within accessible applications, component libraries, changesets, snapshots, exporters, and policies. Also enables viewing the Investigate page for change requests in Service Operations Workspace. Requires membership in the "Maintained by" user group for application-level access.
    • Event Management User: Permits viewing snapshots, nodes, changesets, and the Investigate page regardless of group membership.
    • CDM Editor: Grants permissions to create, update, and delete configuration data, component libraries, shared components, and changesets. Can validate, publish, and unpublish snapshots. Does not allow creation or modification of applications, deployables, or enforcing validation settings on deployables. Requires membership in the "Maintained by" group for application-level access.
    • CDM Exporter Editor: Enables creation, update, and deletion of exporters.
    • CDM Policy Editor: Allows creating, updating, deleting policies, and mapping policies to deployables.
    • CDM Secrets: Provides capabilities to read/export encrypted data (with viewer role), and encrypt/decrypt or edit encrypted data (with editor role). This role is effective only when combined with cdmviewer, cdmeditor, or cdmadmin roles.
    • Application Service Admin: Enables creating application services, primarily for CDM Admins.
    • CDM Admin: The highest level role, able to create, update, and delete applications, deployables, and configuration data. Can modify deployable settings including enforcing snapshot validation. Includes roles of cdmeditor, cdmexportereditor, cdmpolicyeditor, and appserviceadmin.
    • CDM All App Access: Enhances cdmadmin, cdmeditor, and cdmviewer roles by removing the need for membership in "Maintained by" or "Authoring groups" to view, edit, or update applications and shared component libraries.

    Practical Implications for ServiceNow Customers

    • Assign roles based on the level of access users require, from read-only viewers to full administrators managing applications and deployables.
    • Use the "Maintained by" user group settings to control access tightly at the application level, except when the cdmallappaccess role is granted.
    • Leverage the CDM Secrets role carefully to manage sensitive encrypted data, ensuring it is always paired with a base role that permits viewing or editing.
    • Understand that the CDM Admin role consolidates multiple editor and admin capabilities, streamlining management for higher-level users.
    • Be aware of the deprecation of DevOps Config starting with the Washington DC release, and plan accordingly for future upgrades and support.

    List of roles and permissions in CDM.

    Important:
    Starting with the Washington DC release, DevOps Config is being prepared for future deprecation. It will be hidden and no longer installed on new instances but will continue to be supported. For details, see the Deprecation Process [KB0867184] article in the Now Support Knowledge Base.

    CDM roles

    CDM role hierarchy

    Role title [name] Permissions Contains roles

    CDM Viewer [sn_cdm.cdm_viewer]
    • Read config data from any application that they have access to (governed through user groups that are set by the Maintained by property).
    • View the list and content of component libraries as well as the shared components contained within them.
    • View the list and content of changesets.
    • View the list and content of snapshots and validation results.
    • Export snapshots.
    • View exporters.
    • View policies and policy mappings.
    • View the Investigate page for a change request (CHG) on the Service Operations Workspace.
    Note:
    If the Maintained by group is set at the application level to view config data, then this user must be a member of the group.
    • [sn_pace.policy_reader]
    • [itil]
    • [canvas_user]
    Event Management user [evt_mgmt_user]
    • View the contents of the snapshots.
    • View the Investigate page for a change request (CHG) on the Service Operations Workspace.
    • View snapshots, nodes, and changesets, regardless of whether this user is a member of Maintained by groups set at the application level.
    		 itil

    CDM Editor [sn_cdm.cdm_editor]
    • Create/update/delete config data within components and collections, including variables, overrides, and includes.
    • Create and commit changesets.
    • Validate snapshots.
    • Publish and unpublish snapshots.
    • Create, update, and delete config data withing CDM applications.
    • Add and manage component libraries.
    • Add and delete shared components in a component library.
    Note:
    The cdm_editor role doesn’t grant permission to create/update/delete an application and its deployables, or to change the Enforce validation setting on deployables.

    If the Maintained by group is set at the application level to view config data, then this user must be a member of the group.

    cdm_viewer

    CDM Exporter Editor [sn_cdm.cdm_exporter_editor]

    		 Create/update/delete exporters.

    cdm_viewer

    CDM Policy Editor [sn_cdm.cdm_policy_editor]
    • Create/update/delete policies.
    • Map policies to deployables.
    • cdm_viewer
    • [sn_pace.admin]

    CDM Secrets [sn_cdm.cdm_secrets]
    • Read and export encrypted data (when granted to a user with the cdm_viewer role).
    • Permanently encrypt / decrypt data (when granted to a user with the cdm_editor role).
    • Edit encrypted data (when granted to a user with the cdm_editor role).
    Note:
    The cdm_secrets role is effective only with the cdm_viewer, cdm_editor, or cdm_admin role.
    		 None

    Application Service Admin [sn_cdm.app_service_admin]

    		 Enables the CDM Admin to create an application service. None

    CDM Admin [sn_cdm.cdm_admin]
    • Create/update/delete applications.
    • Create/update/delete deployables.
    • Create/update/delete config data.
    • Change settings on deployables to enforce snapshot validation.
    • cdm_editor
    • cdm_exporter_editor
    • cdm_policy_editor
    • app_service_admin
    • Model_manager (for create/update/delete of application model)
    • [itil] (for create/update/delete of SDLC components)
    • [itil admin]

    CDM All App Access [sn_cdm.cdm_all_app_access]
    Note:
    The cdm_all_app_access role is effective only with the cdm_admin, cdm_editor, or cdm_viewer roles.
    • Users with the cdm_all_app_access and cdm_admin role can update or delete an application or shared component library regardless of whether they’re a member of the user groups that maintain the application (Maintained by field) or library (Authoring groups field).
    • Users with the cdm_all_app_access and cdm_editor role can edit an application or shared component library regardless of being a member of any of the user groups that maintain the application or library.
    • Users with the cdm_all_app_access and cdm_viewer role can view an application regardless of being a member of any of the user groups that maintain the application.
    		 None