CPQ: User Access Control

  • Release version: Australia
  • Updated March 12, 2026
  • 2 minutes to read

    • View access types, access areas, and user roles that can be managed via the User Access utility.

    Note:
    This feature must be enabled by support request. Create a support case by using the ServiceNow Support portal. For step-by-step instructions, see Create a case on Now Support for CPQ (Logik.ai) Customers.

    Use the User Access utility to manage access to CPQ Admin. Admin users have full admin access unless their access level is modified via CSV import.

    For basic user access in CPQ, see User access.

    Access levels

    • NONE
    • READ
    • EDIT
    • ADMIN

    Access areas

    • END_USER
    • CONFIG

      Users with ADMIN can use the Matrix Loader, including product filters and the catalog enrichment script MANAGED_TABLES.

    • TRANSACTION

      Users with ADMIN can use the Matrix Loader.

    • MANAGED_TABLES
    • TABLE
      Applies permissions for an individual table listed in addition to any MANAGED_TABLES access level. Examples:
      • EX: MANAGED_TABLES: NONE + TABLE “myTable” Edit = ability to edit “myTable” only
      • EX: MANAGED_TABLES: READ + TABLE “myTable” Edit = ability to read all tables and edit "myTable"
    • DEPLOY
      • Applies all blueprint, transaction, product catalog enrichment, and product filter deploys
      • Roles are either NONE or ADMIN UTILITIES
    • UTILITIES
      • Logs, user access, runtime clients, admin API keys, external connections, settings, webhooks, connections
      • Products (for Ecommerce tenants)

    Tables

    User access can be limited to specific tables via CSV or API.

    Note:
    These are additive permissions with the overall tables permission set, so if the user has read access for all tables, the individual permission of NONE would have no effect.

    User roles

    • END_USER: This is the only permission for the runtime
    • CONFIG_NONE / CONFIG_READ / CONFIG_EDIT / CONFIG_ADMIN
      • READ correlates to GET endpoints
      • EDIT additionally correlates to POST PUT PATCH DELETE endpoints
      • ADMIN additionally correlates to Matrix Loader endpoints
    • TRANSACTION_NONE / TRANSACTION_READ / TRANSACTION_EDIT / TRANSACTION_ADMIN
      • READ correlates to GET endpoints
      • EDIT additionally correlates to POST PUT PATCH DELETE endpoints
      • ADMIN additionally correlates to Matrix Loader endpoints
    • MANAGED_TABLES_NONE / MANAGED_TABLES_READ / MANAGED_TABLES_EDIT / MANAGED_TABLES_ADMIN
      • READ correlates to GET endpoints
      • EDIT additionally correlates to POST PUT PATCH DELETE endpoints
      • ADMIN additionally correlates to Matrix Loader endpoints
    • DEPLOY_NONE / DEPLOY_ADMIN (no EDIT or READ): ADMIN everything deployment related, including Product Filter Rules and Product Catalog Enrichment Deployments
    • UTILITIES_NONE / UTILITIES_READ / UTILITIES_ADMIN (no EDIT)
      • READ correlates to GET endpoints
      • ADMIN correlates to everything else

    Modifying access controls

    Admin users can modify access via CSV upload (Admin > Utilities > User Access). The User Access list shows existing users.

    Admin: User Access Control

    Steps:

    1. Hover a tooltip to view a userʼs access.

      Admin: User Access Control

    2. Create a CSV file to add users, make changes to users, or delete users. (See below for sample CSV files.)

      Admin: User Access Control

    3. Import the CSV file.

      Admin: User Access Control

      You will receive a message confirming success or failure.

      Admin: User Access Control

    Changes to user list are now made.

    Admin: User Access Control

    Sample CSVs

    Default all-access admin CSV:

    name,userName,area,access,action
User,email@example.com,DEPLOY,ADMIN,
User,email@example.com,UTILITIES,ADMIN,
User,email@example.com,CONFIG,ADMIN,
User,email@example.com,TRANSACTION,ADMIN,
User,email@example.com,MANAGED_TABLES,ADMIN,

    Example complex-access CSV:

    name,userName,area,access,action
User 1,user.one@example.com,DEPLOY,ADMIN
User 2,user.two@example.com,UTILITIES,ADMIN
User 2,user.two@example.com,CONFIG,ADMIN
User 2,user.two@example.com,TRANSACTION,ADMIN
User 3,user.three@example.com,END_USER,END_USER
User 4,user.four@example.com,END_USER,END_USER,DELETE
User 5,user.five@example.com,CONFIG,ADMIN
User 5,user.five@example.com,TRANSACTIONS,ADMIN
User 5,user.five@example.com,MANAGED_TABLES,READ
User 5,user.five@example.com,UTILITIES,ADMIN
User 5,user.five@example.com,DEPLOY,ADMIN
User 6,user.six@example.com,CONFIG,ADMIN

    CSV adding user to the table "sampleTable":

    name,userName,area,access,variableName,action
John Smith,john.smith@example.com,CONFIG,ADMIN,,UPSERT
John Smith,john.smith@example.com,TRANSACTIONS,ADMIN,,UPSERT
John Smith,john.smith@example.com,TABLE,ADMIN,sampleTableName,UPSERT
Jane Doe,jane.doe@example.com,MANAGED_TABLES,READ,,DELETE
Jane Doe,jane.doe@example.com,UTILITIES,,NONE