CAM user roles

  • Release version: Zurich
  • Updated October 8, 2025

    Assign users and groups with roles to prepare them to use the CAM application.

    Role permissions and responsibilities

Each entry below gives the role title with its role name in brackets, the description and permissions, and the roles it contains.

Authorization Official [sn_irm_cont_auth.authorization_official]

Description:
Responsible for accepting an information system into an operational environment at a known risk level. The Authorization Official is entitled to approve and update authorization packages.

You can perform the following actions:
• Activate/Deactivate Package
• Generate SSP
• Generate SAR
• Generate POA&M
• Refresh Risk Summary
• Approve the approval requests

You can read the following:
• Authorization Boundary (if the Authorization Official is named)
• Authorization Package (if the Authorization Official is named)
• System Elements
• Information Types
• Information Types Library
• Control Objectives
• Control Objective Requirements
• Control Overlays
• All Controls
• Control Requirements
• Assessment Procedures
• POA&Ms

You can update the following fields in the package:
• Mission/Business process
• Add comments
• Name
• Acronym
• 800-53 version
• System purpose
• PTA/PIA section fields
• Roles and responsibilities section (SCA, ISSO, ISSM, AODR)

Contains roles:
• sn_irm_cont_auth.reader

Continuous Authorization and Monitoring administrator [sn_irm_cont_auth.admin]

Description:
Responsible for all system administration duties in the CAM application.

You can create, read, update, and delete the following:
• Authorization Boundary
• Boundary Filter (You have access to create)
• System Elements (You have access to create and read)
• Delete Authorization Boundary
• Authorization Package
• Activate/Deactivate Package
• Move the Package to Next Stage
• Information Types
• Baseline Controls Add
• Baseline Controls Mark as Common
• Baseline Controls Mark as Not Applicable
• Baseline Controls Inherit from Provider
• Baseline Controls Hybrid
• Baseline Controls - Return to Baseline Control
• Generate SSP
• Generate SAR
• Generate POA&M
• Export OSCAL
• Refresh Risk Summary
• Back To Previous
• Delete Authorization Pack
• Send PIA
• PIA Take Response
• PIA View Response
• Update Control Overlay on Package
• Information Types Library
• Control Objectives (You have access to create, read, and update)
• Control Objectives Requirement (You have access to create, read, and update)
• Control Overlays (You have access to create, read, and update)
• Issues (You have access to create, read, and update)
• All Engagements
• Control Tests
• Test Plans
• Test Templates
• All Controls
• Control Requirement
• Assessment Procedures

You can update the POA&Ms.

Contains roles:
• sn_audit.manager
• sn_irm_cont_auth.reader
• sn_irm_cont_auth.scheduler
• sn_compliance.admin
• sn_audit.admin
• sn_doc.admin
• sn_risk.admin
• sn_grc_workspace.state_model_admin
• sn_grc_doc_design.admin
• sn_irm_shared_cmn.word_template_creator

Executive Reader [sn_irm_cont_auth.executive_read]

Description:
Read-only access to all modules of the CAM application. Users with this role can access CAM Workspace.

You can read the following:
• Authorization Boundary
• Boundary Filter
• System Elements
• Authorization Package
• Information Types
• Refresh Risk Summary
• Information Types Library
• Control Objectives
• Control Objectives Requirement
• Control Overlays
• Control Tests
• Test Plans
• Test Templates
• All Controls
• Control Requirement
• Assessment Procedures
• POA&Ms

Contains roles:
• sn_irm_cont_auth.reader

Information Owner [sn_irm_cont_auth.information_owner]

Description:
Responsible for statutory, management, or operational authority over information, and for establishing the policies and procedures governing its generation, collection, processing, dissemination, and disposal. The user can also update the information types of an authorization package.

You can create, read, update, and delete the following:
• PIA Take Response
• PIA View Response
• Information Types (You have access to create and delete)
• Refresh Risk Summary
• Assessment Procedures
• Issues (You have access to create, read, and update)
• Test Plans (You have access to create, read, and update)
• Test Templates (You have access to create, read, and update)

You can read the following:
• Authorization Boundary
• System Elements
• Authorization Package
• Information Types Library
• Control Objectives
• Control Objectives Requirement
• Control Overlays
• All Engagements
• Control Tests
• All Controls
• Control Requirement

You can update the POA&Ms.

Contains roles:
• sn_audit.user
• sn_irm_cont_auth.reader

Information System Security Manager [sn_irm_cont_auth.info_system_sec_manager]

Description:
Responsible for conducting information system security management activities. They develop and maintain the system-level cybersecurity program. Can update the authorization package.

You can create, read, update, and delete the following:
• Activate/Deactivate Package
• Generate SSP
• Generate SAR
• Generate POA&M
• Export OSCAL
• Refresh Risk Summary
• PIA Take Response
• PIA View Response
• Update Control Overlay on Package
• Authorization Package (You can only read and update)
• Control Objectives (You can only create, read, and update)
• Control Objectives Requirement (You can only create, read, and update)
• Control Overlays (You can only create, read, and update)
• Issues (You can only create, read, and update)
• All Controls (You can only create, read, and update)
• Control Requirement (You can only create, read, and update)

You can read the following:
• Authorization Boundary
• System Elements
• Information Types
• Information Types Library
• Assessment Procedures

You can update the POA&Ms.

Contains roles:
• sn_compliance.user
• sn_irm_cont_auth.reader
• sn_risk.user

Information System Security Officer [sn_irm_cont_auth.info_system_sec_officer]

Description:
Responsible for ensuring that the appropriate operational security posture is maintained for an information system. Can update the authorization package.

You can create, read, update, and delete the following:
• Activate/Deactivate Package
• Move the Package to Next Stage
• Baseline Controls Add
• Baseline Controls Mark as Not Applicable
• Baseline Controls Mark as Common
• Baseline Controls Inherit from Provider
• Baseline Controls Hybrid
• Baseline Controls - Return to Baseline Control
• Generate SSP
• Generate SAR
• Generate POA&M
• Export OSCAL
• Refresh Risk Summary
• Send PIA
• PIA Take Response
• PIA View Response
• Update Control Overlay on Package
• Assessment Procedures
• Information Types Library (You can only read and update)
• Authorization Package (You can only read and update)
• Control Objectives (You can only create, read, and update)
• Control Objectives Requirement (You can only create, read, and update)
• Control Overlays (You can only create)
• Test Plans (You can only create, read, and update)
• Test Templates (You can only create, read, and update)
• All Controls (You can only create, read, and update)
• Control Requirement (You can only create, read, and update)

You can update the following:
• POA&Ms
• Authorization Boundary

You can read the following:
• System Elements
• Information Types
• All Engagements
• Control Tests

Contains roles:
• sn_risk.user
• sn_compliance.user
• sn_irm_cont_auth.reader

Reader [sn_irm_cont_auth.reader]

Description:
Read-only role. Users with this role can access CAM Workspace.

You can read the following:
• Information Types
• Information Types Library
• Control Objectives
• Control Objectives Requirement
• Control Overlays
• Control Tests
• Test Plans
• Test Templates
• All Controls
• Control Requirement
• Assessment Procedures
• POA&Ms

Contains roles:
• sn_vul.read_all
• sn_si.read
• sn_audit.reader
• sn_incident_read
• sn_grc_workspace.task_reader
• sn_change_read
• sn_compliance.reader
• sn_grc_workspace.user

Scheduler [sn_irm_cont_auth.scheduler]

Description:
Responsible for running all scheduled jobs for the application. This role is for a technical user.

Contains roles:
• sn_irm_cont_auth.system_owner

Security Control Assessor [sn_irm_cont_auth.sec_control_assessor]

Description:
Responsible for conducting a thorough assessment of the management, operational, and technical security controls of an information system.

You can create, read, update, and delete the following:
• Refresh Risk Summary
• PIA Take Response
• PIA View Response
• Assessment Procedures
• Authorization Package (You can only read and update)
• All Engagements (You can only read and update)
• Control Tests (You can only read and update)
• Test Plans (You can only create, read, and update)
• Test Templates (You can only create, read, and update)
• All Controls (You can only create, read, and update)
• Control Requirement (You can only create, read, and update)
• Control Objectives (You can only create, read, and update)
• Control Objectives Requirement (You can only create, read, and update)
• Control Overlays (You can only create, read, and update)

You can read the following:
• Authorization Boundary
• System Elements
• Information Types
• Information Types Library

You can update the POA&Ms.

Contains roles:
• sn_audit.manager
• sn_compliance.user
• sn_irm_cont_auth.reader

System Owner [sn_irm_cont_auth.system_owner]

Description:
Responsible for procuring, developing, integrating, modifying, operating, and maintaining an information system.

You can create, read, update, and delete the following:
• Authorization Boundary
• Boundary Filter
• System Elements
• Delete Authorization Boundary
• Authorization Package
• Activate/Deactivate Package
• Move the Package to Next Stage
• Information Types
• Baseline Controls Mark as Common
• Baseline Controls Inherit from Provider
• Baseline Controls Hybrid
• Baseline Controls - Return to Baseline Control
• Generate SSP
• Generate SAR
• Generate POA&M
• Export OSCAL
• Refresh Risk Summary
• Send PIA
• PIA Take Response
• PIA View Response
• Update Control Overlay on Package
• Assessment Procedures
• Control Objectives (You don't have access to delete)
• Control Objectives Requirement (You don't have access to delete)
• Test Plans (You don't have access to delete)
• Test Templates (You don't have access to delete)
• All Controls (You don't have access to delete)
• Control Requirement (You don't have access to delete)

You can read the following:
• Information Types Library
• All Engagements
• Control Tests

You can create the Control Overlays.

You can update the POA&Ms.

Contains roles:
• sn_audit.user
• sn_compliance.user
• sn_irm_cont_auth.reader
• sn_risk.user

System User [sn_irm_cont_auth.system_user]

Description:
Responsible for performing actual work in the system. They can update authorization boundaries, filters, elements, milestones, and acceptance tasks.

Contains roles:
• business user
• sn_audit.user
• sn_irm_cont_auth.reader
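Because the "Contains roles" column nests (for example, sn_irm_cont_auth.admin contains sn_irm_cont_auth.scheduler, which in turn contains sn_irm_cont_auth.system_owner), the privileges a user actually ends up with are the transitive closure of the roles assigned to them. The following Python script is an added example and not ServiceNow code: it transcribes the containment column from the table above, computes each user's effective role set, and flags watchlisted roles that arrive only through containment, which is the check a least-privilege review of CAM role assignments needs. The user assignments and the watchlist are constructed sample input.

```python
"""Added example (not ServiceNow code): compute effective CAM roles from the
"Contains roles" column and flag privileged roles granted only indirectly.

Assumptions: CONTAINS is transcribed from the role table on this page; the
user assignments and watchlist below are constructed sample input.
"""
from collections import deque
from typing import Dict, Iterable, Set

P = "sn_irm_cont_auth."  # prefix shared by the CAM application roles

# "Contains roles" column, transcribed from the table on this page.
CONTAINS: Dict[str, Set[str]] = {
    P + "authorization_official": {P + "reader"},
    P + "admin": {
        "sn_audit.manager", P + "reader", P + "scheduler", "sn_compliance.admin",
        "sn_audit.admin", "sn_doc.admin", "sn_risk.admin",
        "sn_grc_workspace.state_model_admin", "sn_grc_doc_design.admin",
        "sn_irm_shared_cmn.word_template_creator",
    },
    P + "executive_read": {P + "reader"},
    P + "information_owner": {"sn_audit.user", P + "reader"},
    P + "info_system_sec_manager": {"sn_compliance.user", P + "reader", "sn_risk.user"},
    P + "info_system_sec_officer": {"sn_risk.user", "sn_compliance.user", P + "reader"},
    P + "reader": {
        "sn_vul.read_all", "sn_si.read", "sn_audit.reader", "sn_incident_read",
        "sn_grc_workspace.task_reader", "sn_change_read", "sn_compliance.reader",
        "sn_grc_workspace.user",
    },
    P + "scheduler": {P + "system_owner"},
    P + "sec_control_assessor": {"sn_audit.manager", "sn_compliance.user", P + "reader"},
    P + "system_owner": {"sn_audit.user", "sn_compliance.user", P + "reader", "sn_risk.user"},
    # "business user" is kept exactly as the page prints it.
    P + "system_user": {"business user", "sn_audit.user", P + "reader"},
}


def effective_roles(assigned: Iterable[str],
                    contains: Dict[str, Set[str]] = CONTAINS) -> Set[str]:
    """Every role the user holds, directly or through nested containment.

    Breadth-first closure over the containment map; the 'seen' set also
    guards against cycles should a custom role hierarchy contain one.
    """
    seen: Set[str] = set()
    queue = deque(assigned)
    while queue:
        role = queue.popleft()
        if role in seen:
            continue
        seen.add(role)
        queue.extend(contains.get(role, ()))
    return seen


def indirect_grants(assigned: Iterable[str], watchlist: Iterable[str],
                    contains: Dict[str, Set[str]] = CONTAINS) -> Set[str]:
    """Watchlisted roles the user receives only via containment, not directly."""
    direct = set(assigned)
    return (effective_roles(direct, contains) & set(watchlist)) - direct


def review_assignments(users: Dict[str, Set[str]],
                       watchlist: Iterable[str]) -> Dict[str, Set[str]]:
    """Map each user to the watchlisted roles they hold only indirectly."""
    return {user: indirect_grants(roles, watchlist) for user, roles in users.items()}


if __name__ == "__main__":
    # Constructed sample: a technical account given only the Scheduler role,
    # and an auditor given only the Reader role.
    sample_users = {
        "svc-cam-jobs": {P + "scheduler"},
        "auditor1": {P + "reader"},
    }
    # Roles whose indirect arrival deserves a second look in a review.
    sample_watchlist = {P + "system_owner", "sn_audit.user",
                        "sn_compliance.user", "sn_risk.user"}
    for user, flagged in review_assignments(sample_users, sample_watchlist).items():
        print(f"{user}: {sorted(flagged) or 'no indirect watchlisted roles'}")
```

Running the script shows that the Scheduler account, despite holding a single "technical" role, effectively receives System Owner together with the audit, compliance and risk user roles it contains, while the Reader account gains only read roles. Review the containment map against your own instance, since custom roles or plugin versions may change it.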