System roles
Administrators can control access to features and capabilities on a ServiceNow instance by assigning roles to users.
Your ServiceNow instance includes roles that grant access to the platform features and applications included in a base system instance. Applications you install on your instance may include additional roles to control access to those installed features. For more information about roles, see Exploring user administration.
Base system roles
Base system roles are present in all ServiceNow instances and don’t require the installation of additional plugins.
| Role | Description |
|---|---|
| admin | The system administrator role. This role has access to all system features, functions, and data because administrators can override access control list (ACL) rules and pass all role checks. Avoid assigning this role to your users when more targeted roles are available. Warning: Grant this privilege carefully. If you have sensitive information, such as HR records, that you need to protect, you must create a custom admin role for that area. You must also train any users authorized to see those records to act as the administrator. Also note the Special Administrative Roles. |
| agent_admin | Agent administrators can download and administer the system's built-in agent. They can manage MID Server-related scripts. |
| ais_admin | AI search administrators can query, create, update, and delete indexing and search settings and log messages through the AI Search application. |
| approval_admin | Approval administrators can view or modify approval requests not directly assigned to them. Use the approver_user role to enable approvers to only view or modify requests directly assigned to them. Use of this role requires a Fulfiller license. Use of the approver_user role requires an Approver license. |
| approver_user | Approver users can modify requests for approval routed to them. They also have all capabilities of requesters. Note: There’s a fee associated with this role. Don’t assign it to users without confirming your organization has the appropriate entitlement. |
| assignment_rule_admin | Assignment rule administrators can manage assignment rules. |
| asset | Asset users can manage hardware and software assets. |
| business_process_admin | Business process admins can create, read, update, and delete all records and their relationships in the business process. In the context of Governance, Risk, and Compliance (GRC), users with the sn_grc.admin role who manage GRC applications and their setup automatically gain access to this role. This access enables the GRC administrators to administer a business process and its records similar to other GRC tables. Important: This role is assigned to users who are administrators and have thorough information and training on business processes. |
| business_process_manager | Business process managers can create, read, and update any business process and manage the relationship of business processes with other records. This role is assigned to business process managers who are usually specialists and manage multiple business processes in the organization. These users generally work with other employees and are experts around business processes. In the context of GRC, users with the sn_grc.manager role automatically inherit this role that enables them to manage the business processes for the entire organization. |
| business_process_user | Business process users can update the business processes that a user owns and can also read any business process. This role must be assigned to the respective process owners who manage the business process that they own. This role can also be provided to users who are required to view the business processes in the organization and understand them better. In the context of GRC, users with the sn_risk.user role are automatically assigned this role as this role enables them to manage the business processes they own as well as read all business processes. |
| catalog | Catalog users can access service catalog requests. |
| catalog_admin | Catalog administrators can manage the Service Catalog application, including catalog categories and items. |
| catalog_editor | Catalog editors can create, modify, and publish items within categories that they’re assigned to. |
| catalog_item_designer | Catalog item designers can view the status of their category requests. This role is granted automatically to users when they make a request for an item designer category. |
| catalog_manager | Catalog managers can view and assign catalog editors to their categories. Can also create, modify, and publish items within their categories. |
| category_manager | Category managers can create, edit, and delete model categories. |
| cmdb_dedup_admin | CMDB de-duplication admins can review and remediate CMDB de-duplication tasks. |
| cmdb_ms_user | CMDB multisource readers can access and run a multi-source CMDB query, but can't create a query. Contains the cmdb_read role. |
| cmdb_ms_editor | Can create and run a query, has full read and write access, but can't do Recompute. Contains cmdb_ms_read role. |
| cmdb_ms_admin | Can create and run a query, and can modify CMDB 360 properties. Contains cmdb_ms_write role. |
| cmdb_read | Can read any CMDB table. Contained in admin and itil. |
| communication_manager | Manages communication for major incidents and is responsible for communicating with all stakeholders. |
| contract_manager | Can create, edit, and delete contracts through the Contract Management application. |
| data_classification_admin | Administers all aspects of the Data Classification application, data classification code setup and assignment, |
| data_classification_auditor | Audits Data Classification code assignments. |
| ecmdb_admin | Can administer the CMDB. |
| filter_admin | Can manage filters. |
| filter_global | Can create global filters. |
| filter_group | Can create filters that belong to groups of which the user is a member. |
| gauge_maker | Can create gauges from reports. Starting with Helsinki, reports are no longer made into gauges. |
| guided_tour_admin | Can manage and administer Guided Tour functionality. |
| image_admin | Can manage image files on the Images [db_image] table. |
| impersonator | Can impersonate users. This role doesn't allow impersonation of admin users. |
| import_admin | Can manage all aspects of import sets and imports. |
| import_scheduler | Can schedule imports. Warning: Grant this role carefully. The import_scheduler role is equivalent to giving the user the admin role, because the import_scheduler has the ability to execute scripts with administrator level privileges. |
| import_set_loader | Can load import sets. |
| import_transformer | Can manage import set transform maps and run transforms. |
| incident_manager | Manages Incident properties and Major Incident trigger rules. |
| inventory_admin | Can create and delete stock information. Only users with the inventory_admin role can edit stock rules, stockrooms, and stockroom types. |
| inventory_user | Has access to stock information. Can create and manage transfer orders. |
| itil | Can perform standard actions for an ITIL helpdesk technician. Can open, update, and close incidents, problems, changes, and configuration management items. By default, only users with the itil role can have tasks assigned to them. |
| itil_admin | Possesses more privileges than the itil role and is intended for team leads. This role has the ability to delete incidents, problems, changes, and other related entities when both the itil and itil_admin roles are assigned. In addition, the itil_admin role grants full control of the CMDB. The itil_admin role includes all of the permissions granted to the sn_cmdb_admin role, which provides full access to CMDB data, tools, and UIs. |
| knowledge | Can create, edit, and review knowledge base articles. |
| knowledge_admin | Can manage the knowledge base. |
| list_updater | Can use Update Entire List and Update Selected menu options on lists. |
| maint | Reserved for ServiceNow use. |
| mid_server | Role that any MID server user should be granted. This role gives the MID server access to the tables it ordinarily uses. |
| model_manager | Can create CMDB models. Model manager can control the base models and any model extensions that aren’t software or consumables. Consumable models are controlled by the asset manager role (asset). Software models are controlled by the software asset manager role (SAM). |
| major_incident_manager | Initiates the major incident process by assessing and approving major incident candidates or creating a major incident. Maintains the ownership and accountability for the life cycle of the incident. Identifies the users and groups to be involved in the resolution activities and sets up communication channels. |
| nobody | The nobody role means that no user has access - not even admin or maint. Use the nobody role carefully. The nobody role takes precedence over the admin override option on ACLs, so even admins can’t have access. See Create an ACL rule. Don’t assign it to specific users. You can use this role in ACLs that control access to resources, such as UI pages, processors, script includes, and records. Warning: Applying the nobody role may be irreversible if applied to some important system functions. |
| personalize | Can configure forms, lists, rules, controls, scripts. |
| personalize_choices | Can configure choices and predefined responses for non-journal fields designated as choice or suggestion fields. |
| personalize_control | Can configure controls on lists, such as filters, links, and buttons. |
| personalize_dictionary | Can configure dictionary entries and labels. |
| personalize_form | Can configure forms. |
| personalize_list | Can configure lists and list calculations. |
| personalize_responses | Can configure predefined responses for journal fields designated as suggestion fields. |
| personalize_rules | Can configure business rules and scripts. This role contains the following specialized roles for granting selective, administrative access to rules and scripts: |
| personalize_styles | Can configure field styles. |
| personalize_ui | Can configure forms and lists. |
| public | No login is required to access features or functions with the public role. |
| release_admin | Can edit Release history for a release. |
| report_admin | Can manage reports. |
| report_global | Can create global reports. |
| report_group | Can create reports and share reports with groups that the user is a member of. Users with this role can edit reports shared by other users in the group. |
| report_publisher | Can make reports available on a public page. |
| report_scheduler | Can schedule a report to be emailed. |
| script_fix_admin | Can create and manage fix scripts but can’t run fix scripts. |
| search_application_admin | Can query, create, update, and delete records on search UX-related tables. Contains the ais_admin role. |
| sn_appclient.app_client_company_installer | Can install applications containing the same company as the currently logged in instance. User role that enables first-time installation of applications for the company associated with the current instance. A user with this role can’t install an application for another company. |
| sn_appclient.app_client_user | Can install applications containing the same company as the currently logged in instance. |
| sn_cmdb_admin | Provides full access to CMDB data, tools, and UIs. A CMDB Admin, for example, sets policies in the CI Class Manager and application service requirements. CMDB Admin provides the highest level of access to the CMDB. |
| sn_cmdb_editor | Provides access to CMDB records. A CMDB Editor can't change policies such as in the CMDB Data Manager or in the CI Class Manager. |
| sn_cmdb_user | Provides read-only access to CMDB data and to basic UIs such as CMDB reports and dashboards. |
| soap | Can query, create, update, and delete records on all tables, as well as execute scripts. |
| soap_create | Can create records on all tables and columns. |
| soap_delete | Can delete records on all tables and columns. |
| soap_ecc | Can query, create, and update on the ECC Queue table only. |
| soap_query | Can query records on all tables and columns. |
| soap_query_update | Can query and update records on all tables and columns. |
| soap_script | Can execute business rule endpoint function via script.do. |
| soap_update | Can update records on all tables and columns. |
| survey_admin | Can see all Surveys, their definitions, questions, instances created by them and others. Survey administrators can use all modules in the Survey application menu. |
| survey_reader | Users with survey reader role can view surveys and related information, such as survey responses, survey groups, scorecards, and reports. Survey_reader can’t change or modify a survey or survey responses. |
| task_editor | Can edit protected task fields. |
| template_editor | Can create templates for personal use, and modify or delete personal templates. Included in the itil role in the base system. |
| template_editor_global | Can create templates for global use. |
| template_editor_group | Can create templates for groups. |
| template_scheduler | Can schedule template-based record creation. |
| text_search_admin | Can customize Global Text Search groups and tables. |
| timecard_admin | Can approve, modify, and delete the time cards of other users. |
| ts_admin | Can administer Zing text indexing and search engine. |
| unlimited_createnow | Role for CreateNow unlimited licensed users. |
| upgrade_app | Can upgrade installed applications containing the same company as the currently logged in instance. Can’t perform first-time installations of applications published to the Application Client page. |
| user | Available for customer use, has no function in the base system. |
| user_admin | Can administer users, groups, locations, and companies. |
| view_changer | Can switch active views. |
| workflow_admin | Can create, edit, publish, or delete graphical workflows. |
| workflow_creator | Can create new graphical workflows. |
| workflow_publisher | Can publish graphical workflows. |
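
The warnings in the table above (admin, import_scheduler, nobody, maint) and the "contains" relationships between roles can be turned into a least-privilege review of who holds what. The following is an added example, not ServiceNow code: the role names and relationships are taken from the table, while the user names, the (user, role) export format, and the function names are assumptions made for illustration.

```python
# Role names and relationships come from the table above; users are constructed.
CONTAINS = {  # "contains"/"includes" statements in the role descriptions
    "itil_admin": {"sn_cmdb_admin"},
    "search_application_admin": {"ais_admin"},
    "itil": {"cmdb_read", "template_editor"},
}

FLAGGED = {  # roles the table singles out, with the reason it gives
    "admin": "overrides ACL rules and passes all role checks",
    "import_scheduler": "equivalent to admin: runs scripts as administrator",
    "soap": "all-table access plus script execution",
    "soap_script": "script execution via script.do",
    "impersonator": "can impersonate non-admin users",
    "sn_cmdb_admin": "highest level of access to the CMDB",
    "nobody": "not meant to be assigned to specific users",
    "maint": "reserved for ServiceNow use",
}


def effective_roles(direct):
    """Expand directly assigned roles through CONTAINS (transitive closure)."""
    seen, stack = set(), list(direct)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(CONTAINS.get(role, ()))
    return seen


def audit(assignments):
    """Return {user: [(role, reason, 'direct' | 'inherited'), ...]}."""
    direct = {}
    for user, role in assignments:
        direct.setdefault(user, set()).add(role.strip().lower())
    report = {}
    for user, roles in direct.items():
        hits = [(r, FLAGGED[r], "direct" if r in roles else "inherited")
                for r in sorted(effective_roles(roles)) if r in FLAGGED]
        if hits:
            report[user] = hits
    return report


# Constructed sample export of (user, role) assignment pairs.
SAMPLE = [("alice", "itil"), ("bob", "itil"), ("bob", "itil_admin"),
          ("carol", "Import_Scheduler"), ("dave", "report_admin"),
          ("svc_integration", "soap"), ("erin", "nobody")]
```

Calling `audit(SAMPLE)` reports bob's inherited sn_cmdb_admin access through itil_admin, which a review of direct assignments alone would miss.
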
Application-specific roles
Applications you install on your instance may include additional roles. Follow the links in this section to see documentation on roles installed along with applications.
| Product | Application |
|---|---|
| Platform Capabilities | Advanced Work Assignment |