Access roles

Enterprise Architecture Workspace roles

The following roles are available in Enterprise Architecture Workspace. After access is granted to a role, all users and groups assigned to that role inherit the permissions. Roles can contain other roles, and any access granted to a role is also granted to any role that includes it.

Table 1. Enterprise Architecture Workspace roles
Role	Description	Typical persona
sn_apm.apm_admin	Full administrative access to configure and manage Enterprise Architecture Workspace settings, including Setup page configuration for all functional areas. Includes all permissions of sn_apm.apm_analyst.	EA administrator, IT architect lead
sn_apm.apm_analyst	Create and manage key portfolio records such as business applications and digital integrations. Approve or reject requests when assigned to the Enterprise Architect group. Includes all permissions of sn_apm.apm_user.	Enterprise architect, solution architect
sn_apm.apm_user	Create and update portfolio data across business architecture, information portfolio, technology portfolio, modeling, and data certification. Includes all permissions of sn_apm.apm_read.	Application owner, business analyst, portfolio manager
sn_apm.apm_read	Read-only access to all pages and records in Enterprise Architecture Workspace. Cannot create or update data. For more information, see Business stakeholder role for Enterprise Architecture Workspace.	Business stakeholder, executive, auditor

Users with Enterprise Architecture Workspace roles and certain platform roles, such as ITIL and other CMDB related roles, may be able to create or edit Business Application records by default.

Note:

The global admin role continues to function through role inheritance. However, Enterprise Architecture now uses feature-specific granular admin roles. Use sn_apm.apm_admin instead of admin for application-level administration wherever possible. For more information, see Granular admin role changes in Enterprise Architecture.

Enterprise Architect group

The Enterprise Architect group is a platform user group that acts as a governance layer on top of the standard role hierarchy. It is configured intentionally to separate approval authority from general role access: users with the sn_apm.apm_analyst role can perform approvals and governance actions only when they are also members of this group. Assigning the role alone is not sufficient for these actions.

To add or modify members of the Enterprise Architect group, navigate to All > Enterprise Architecture > Administration > Services Approval Group > Enterprise Architect Group.

The following table lists the capabilities that require membership in the Enterprise Architect group.

Table 2. Capabilities requiring Enterprise Architect group membership
Functional area	Role also required	Capabilities unlocked by group membership
Technology Reference Model (TRM)	sn_apm.apm_analyst	Approve or reject TRM product requests Approve or reject TRM product lifecycle requests Create TRM product lifecycles View and update pending TRM requests
Enterprise modeling and visualization	sn_apm.apm_analyst	Approve or reject modeling diagram requests View shape library configurations, entity configurations, and modeling configuration and relationship definitions
Technology Reference Model (TRM) — data access	Group membership only	Read data from the following TRM standards tables: TRM Standards phase (sn_apm_trm_standards_phase) TRM standards product lifecycle (sn_apm_trm_standards_product_lifecycle) TRM standards technical debt (sn_apm_trm_standards_technical_debt)
Application portfolio	Group membership	Retire a business application
Architectural artifacts	Group membership	Approve or reject architectural artifact version approval requests. EA group members receive approval requests by email and can approve or reject directly from the notification. Owner permission on the following architecture document types: Application Architecture Technology Architecture Business Architecture Data Architecture
Architecture Review Board (ARB)	Group membership	Request an ARB architecture review
Publishing Center / TRM Catalog	sn_apm.apm_admin + knowledge_admin + sp_admin	Create, publish, and manage TRM Publishing Configurations Note: sp_admin is required in addition to sn_apm.apm_admin and knowledge_admin for EA group members accessing the Publishing Center.
Administration	Group membership	Access the Services Approval Group module to view and manage EA workflow groups Configure the EA approval group using the Configure Enterprise Architecture Group step in APM Guided Setup

Installation and plugin activation

Plugin activation requires the global admin role.


Capability	admin	sn_apm.apm_admin	sn_apm.apm_analyst	sn_apm.apm_user	sn_apm.apm_read	Notes
Activate the EA Workspace plugin
Activate the Technology Portfolio Management (TPM) plugin
Activate the Technology Reference Model (TRM) plugin
Activate the Read only roles for Enterprise Architecture plugin

Setup page

The Setup page provides configuration options for all functional areas in the workspace.


Capability	admin	sn_apm.apm_admin	sn_apm.apm_analyst	sn_apm.apm_user	sn_apm.apm_read	Notes
Configure application categories, category groups, and families
Configure application and capability indicators
Configure scoring profiles and attach profile indicators
Configure TRM phases and TRM categories
Configure information data domains
Configure architectural artifact categories
Configure demand actions
Configure modeling settings, including shape libraries, entities, relationships, and diagram actions
Configure total cost of ownership (TCO) sources, source cost types, and cost types; set TCO dashboard properties
Configure Publishing Center for TRM catalog publishing; modify TRM catalog publishing configurations; associate service portals with a TRM catalog knowledge base						Requires sn_apm.apm_admin and knowledge_admin
Add and edit certification policies from the Setup page (legacy CMDB-based policies)						Requires certification_admin

Business architecture

Business architecture covers business capabilities, business units, departments, goals, value streams, value stream stages, business processes, and demands in the Portfolio List view.


Capability	admin	sn_apm.apm_admin	sn_apm.apm_analyst	sn_apm.apm_user	sn_apm.apm_read	Notes
Add and edit business capabilities and sub-capabilities
Add and edit business units
Add and edit departments; add users to departments
Add and edit goals; add quantitative and qualitative targets; create sub-goals
Add and edit value streams; add application models to value streams
Add and edit value stream stages; associate business processes with value stream stages; add or remove business capabilities from value stream stages
Add and edit business processes
Add and edit demands
Create demands from the Business Portfolio view and Application Rationalization views
Export business portfolio data
View all business architecture records

Application portfolio

The application portfolio covers business applications, application services, digital integrations, digital interfaces, and product capabilities.


Capability	admin	sn_apm.apm_admin	sn_apm.apm_analyst	sn_apm.apm_user	sn_apm.apm_read	Notes
Add new business applications
Add and edit digital integrations; associate artifacts and information objects with digital integrations
Add and edit digital interfaces; manage Agile Development components, information objects, and credentials; relate a digital interface to an API
Update business application details
Associate and unassign business capabilities, product capabilities, architectural artifacts, information objects, and TRM products with business applications
Create diagrams and unified maps from a business application
View the business application roadmap
Add and edit application services
Add and edit product capabilities; view all product capabilities
View and manage AI systems and AI portfolio items associated with business applications
Run the job to generate model IDs for business applications
View all business applications, application services, digital integrations, digital interfaces, and associated records

Information portfolio

The information portfolio covers data domains, information objects, architectural artifacts, and architectural decision records (ADRs).


Capability	admin	sn_apm.apm_admin	sn_apm.apm_analyst	sn_apm.apm_user	sn_apm.apm_read	Notes
Add and edit data domains and information objects
Create and edit architectural artifacts; add versions, related entities, and associated records
Share architectural artifacts with users and groups; manage access permissions for architectural artifacts
Request approval for an artifact version; download and delete architectural artifact versions
Create and edit architectural decision records (ADRs); add pages, subpages, and versions to ADRs
Tag users and records in an ADR document; request approval for an ADR
Associate architectural artifacts with business applications, capabilities, business processes, digital integrations, and TRM products
View all data domains, information objects, architectural artifacts, artifact versions, and ADRs

Technology Portfolio Management (TPM)

Technology Portfolio Management tracks software and hardware lifecycle data for business applications and application services.


Capability	admin	sn_apm.apm_admin	sn_apm.apm_analyst	sn_apm.apm_user	sn_apm.apm_read	Notes
Activate the TPM plugin
Update the system property to gather software from CMDB
Update TPM lifecycle data for a business application or application service
View technology lifecycle data and technology risk information
View technology portfolio audit risk details and update verification status
Run the job to populate TPM lifecycle data
Run the scheduled job to update TPM data
Run the scheduled job to generate TPM risk; restart the TPM scheduled job
View TPM logs; run the job to populate TPM lifecycle identifiers
View technology portfolio data, lifecycle timelines, and risk information

Technology Reference Model (TRM)

The Technology Reference Model provides a structured catalog of approved technologies and their lifecycle phases.


Capability	admin	sn_apm.apm_admin	sn_apm.apm_analyst	sn_apm.apm_user	sn_apm.apm_read	Notes
Activate the TRM plugin
Approve or reject TRM product requests						Must be in the Enterprise Architect group
Approve or reject TRM product lifecycle requests; create TRM product lifecycles						Must be in the Enterprise Architect group
View and update pending TRM requests						Must be in the Enterprise Architect group
View all TRM products, grouped by category or individually
View all TRM phases and categories
Request a new TRM product; request a TRM product lifecycle change
Create TRM product lifecycle requests
Associate architectural artifacts with TRM products
View, create, add, and remove business capabilities and business applications associated with TRM products
View TRM technical debt; run the job to generate TRM technical debts
Export TRM product catalog data
View TRM products, categories, phases, technical debt, and lifecycle timelines
Run the scheduled job to sync TRM product names with linked SAM software product names						Requires the admin role. Run on demand from All > System Definition > Scheduled Jobs.

Enterprise modeling and visualization

Enterprise modeling and visualization lets users create, manage, and publish architecture diagrams.


Capability	admin	sn_apm.apm_admin	sn_apm.apm_analyst	sn_apm.apm_user	sn_apm.apm_read	Notes
Approve or reject modeling diagram requests						Must be in the Enterprise Architect group
View shape library configurations, entity configurations, modeling configuration, and relationship definitions						Must be in the Enterprise Architect group
Create empty diagrams and synchronize them with the ServiceNow database
Create business capability maps (BC maps), business application maps (BA maps), and business process maps (BP maps)
Create ArchiMate diagrams, AWS architecture diagrams, and CSDM diagrams
Add, remove, group, ungroup, expand, collapse, and delete shapes
Add related records to shapes; add labels to connector lines
Reorder shapes in a category; show or hide the Shapes panel; toggle between grid and list view; filter shapes
Save a diagram as new; duplicate a diagram
Submit a diagram for approval; synchronize a diagram and individual shapes
Share a diagram; download a diagram; add or edit diagram version details; delete a diagram
Create and manage custom shape libraries, custom shape elements, and custom shape actions; store images in the database for custom shapes
Modify BPMN diagrams
Set relationship type on a connector; set connector line style, arrowhead style, and icon for non-ArchiMate and mixed connectors; swap connector direction; add a label to a connector						Requires Owner or Editor access to the diagram
Align shapes to a common edge or center; distribute shapes at equal spacing						Requires Owner or Editor access to the diagram. Not available in business capability map diagrams.
View diagrams and diagram details

Application rationalization

Application rationalization helps users assess and manage business applications through bubble chart and list views.


Capability	admin	sn_apm.apm_admin	sn_apm.apm_analyst	sn_apm.apm_user	sn_apm.apm_read	Notes
Analyze business applications in the bubble chart view by capability
Create demands from the bubble chart view and list view
Set the planned disposition of a business application
Add and edit business application lifecycle data
Edit business application details from the bubble chart and list views
Edit demands and projects associated with a business application
Update the system property to change the number of bubbles displayed
Apply filters on the application rationalization view
Export application rationalization list data
View application rationalization data in bubble chart and list views

Data certification

Data certification provides a governance mechanism to promote that architecture data is accurate and complete.


Capability	admin	sn_apm.apm_admin	sn_apm.apm_analyst	sn_apm.apm_user	sn_apm.apm_read	Notes
Create data certification policies using the certification policy wizard						Requires system admin, CMDB admin, and sn_apm.apm_analyst
Publish draft certification policies
Run data certification policies
Activate and deactivate certification policies; delete certification policies
Track certification progress across policies
Review and certify data certification tasks assigned to them						User must be assigned a certification task
Fail records that do not meet certification standards						User must be assigned a certification task
Reassign certification tasks to other users or groups; request reassignment						User must be assigned a certification task
Submit completed certification reviews						User must be assigned a certification task
View certification policies and certification status

Dashboards

Dashboards provide visibility into application health, assessment scores, and portfolio performance.


Capability	admin	sn_apm.apm_admin	sn_apm.apm_analyst	sn_apm.apm_user	sn_apm.apm_read	Notes
View and monitor the Applications Assessment dashboard
View and monitor the Application 360 dashboard
View the workspace home dashboard and portfolio overview and health section
Apply filters on the portfolio overview and health view
View dashboards

Total Cost of Ownership (TCO)

Total Cost of Ownership tracks and manages direct and indirect costs associated with business applications.


Capability	admin	sn_apm.apm_admin	sn_apm.apm_analyst	sn_apm.apm_user	sn_apm.apm_read	Notes
Activate the App TCO plugin
Create TCO sources, TCO source cost types, and TCO cost types
Set properties for TCO dashboards
View all TCO records for business applications
create TCO records
View TCO records

Publishing Center

The Publishing Center lets administrators publish TRM catalog data to a knowledge base for consumption through a service portal.


Capability	admin	sn_apm.apm_admin	sn_apm.apm_analyst	sn_apm.apm_user	sn_apm.apm_read	Notes
Create and modify TRM catalog publishing configurations						Requires sn_apm.apm_admin and knowledge_admin
Configure TRM data to publish; manage article configurations						Requires sn_apm.apm_admin and knowledge_admin
Associate portals with a TRM catalog knowledge base						Requires sn_apm.apm_admin and knowledge_admin
Enable automatic synchronization of published catalogs						Requires sn_apm.apm_admin and knowledge_admin
Publish and republish TRM catalogs to the knowledge base						Requires sn_apm.apm_admin and knowledge_admin
Retire and archive published TRM catalogs; view publishing run logs						Requires sn_apm.apm_admin and knowledge_admin
Access published TRM catalog content through the service portal

Architecture Analyzer

The Architecture Analyzer lets users explore and visualize relationships between architectural entities on an interactive canvas.


Capability	admin	sn_apm.apm_admin	sn_apm.apm_analyst	sn_apm.apm_user	sn_apm.apm_read	Notes
create explorations on the Architecture Analyzer canvas
Add entities to the canvas by selecting entity type and specific record
Add upstream and downstream related entities to a selected entity on the canvas
Show or hide the left navigation pane and the Add to canvas panel
Clear all entities from the canvas
Download an exploration canvas as an image
Rename an exploration; delete an exploration
View existing explorations

AI systems — AI Control Tower integration

The AI systems integration surfaces AI governance data from AI Control Tower directly on business application records. Viewing full AI system records in AI Control Tower requires roles from the AI Control Tower application in addition to EA Workspace roles.


Capability	admin	sn_apm.apm_admin	sn_apm.apm_analyst	sn_apm.apm_user	sn_apm.apm_read	Notes
View the AI systems tab on a business application record
View AI system details including lifecycle phase, state, lifecycle status, and risk classification
Add an existing AI Control Tower AI system to a business application
Remove an AI system association from a business application
Open and view the full AI system record in the AI Control Tower workspace						Requires sn_ai_governance.ai_governance_workspace_user (AI Control Tower role)
View full AI system governance details in AI Control Tower, including related models, datasets, prompts, approval history, and lifecycle tasks						Requires sn_aig.ai_steward or sn_aig.ai_asset_owner (AI Control Tower roles)
Manage AI system associations with business applications from the AI Control Tower side						Requires sn_aig.ai_steward or sn_aig.ai_asset_owner (AI Control Tower roles)
View the AI systems tab on a business application record

My Entities

My Entities provides a personalized view of the records you own or manage, across all portfolio types.


Capability	admin	sn_apm.apm_admin	sn_apm.apm_analyst	sn_apm.apm_user	sn_apm.apm_read	Notes
View and manage your business capabilities, business processes, and business applications
View and manage your application services, information objects, and architectural artifacts
View and manage your TRM products, digital integrations, and digital interfaces
View your assigned entities