Enterprise Architecture Workspace access roles
Summarize
Summary of Enterprise Architecture Workspace access roles
The Enterprise Architecture Workspace provides role-based access controls to manage and configure various functional areas of enterprise architecture in ServiceNow. Access roles govern permissions for users and groups, enabling efficient administration, data management, approval workflows, and visualization capabilities within the workspace.
Show less
Key Roles and Access
- snapm.apmadmin: Full administrative privileges including setup and configuration across all functional areas; typically assigned to EA administrators and IT architect leads.
- snapm.apmanalyst: Manage portfolio records, approve or reject requests (requires membership in the Enterprise Architect group for approval actions); typical users are enterprise or solution architects.
- snapm.apmuser: Create and update portfolio data across business, information, technology portfolios, modeling, and certification; suitable for application owners and analysts.
- snapm.apmread: Read-only access to all workspace data and pages; ideal for business stakeholders, executives, and auditors.
Roles can include other roles to inherit permissions, and membership in the Enterprise Architect group is required for approval and governance actions beyond role assignment alone.
Enterprise Architect Group
This group adds a governance layer enabling users with the analyst role to approve and reject key requests related to Technology Reference Model (TRM) products, product lifecycles, and modeling diagrams. Group membership is managed through administration settings and is essential for unlocking approval capabilities.
Functional Area Capabilities
- Setup and Plugin Activation: Administrators can activate key plugins (EA Workspace, TPM, TRM, Read-only roles) and configure setup options like application categories, scoring profiles, TRM phases, modeling settings, and certification policies.
- Business Architecture: Manage business capabilities, units, goals, value streams, processes, and demands with full CRUD (create, read, update, delete) capabilities.
- Application Portfolio: Add and edit business applications, digital integrations, interfaces, services, product capabilities, AI systems, and generate roadmaps and diagrams.
- Information Portfolio: Manage data domains, architectural artifacts, decision records, and handle artifact versioning and sharing.
- Technology Portfolio Management (TPM): Track software and hardware lifecycle data, update lifecycle and risk details, and run TPM-related jobs and audits.
- Technology Reference Model (TRM): Approve TRM product requests, manage lifecycles, associate artifacts, view technical debt, and export catalog data (approval actions require Enterprise Architect group membership).
- Enterprise Modeling and Visualization: Create and manage architecture diagrams, including ArchiMate, AWS, CSDM, BPMN, and custom shape libraries; diagram approval requires Enterprise Architect group membership.
- Application Rationalization: Analyze and manage business applications with bubble chart and list views, lifecycle data, and demand management.
- Data Certification: Govern data accuracy through certification policies, task management, and review workflows; requires specific certification roles for policy creation.
- Dashboards: Access and filter dashboards for application assessments, portfolio health, and analytics.
- Total Cost of Ownership (TCO): Manage direct and indirect costs related to business applications, configure dashboard properties, and view cost records.
- Publishing Center: Publish TRM catalog data to knowledge bases and service portals, manage configurations and synchronization (requires both EA admin and knowledge admin roles).
- Architecture Analyzer: Explore architectural relationships on an interactive canvas, create and manage explorations, and download visualizations.
- AI Systems Integration: View AI governance data from AI Control Tower on business applications; full AI system record access requires additional AI Control Tower roles.
- My Entities: Personalized view and management of owned or managed records across all portfolio types.
Practical Implications for ServiceNow Customers
Understanding and assigning these roles appropriately ensures secure and effective use of the Enterprise Architecture Workspace. Customers can:
- Configure and govern enterprise architecture data and processes with clear role boundaries.
- Enable approval workflows by assigning users to both roles and the Enterprise Architect group.
- Leverage comprehensive portfolio management features spanning business, application, information, and technology domains.
- Utilize advanced modeling, certification, rationalization, and cost management tools.
- Integrate external AI governance data while maintaining role-based access control.
- Publish architecture catalogs for broader organizational consumption via service portals.
Proper role and group management is critical to unlocking functional capabilities while maintaining governance and compliance within the ServiceNow Enterprise Architecture Workspace.
The following roles help you to configure and use the Enterprise Architecture Workspace application. After access has been granted to a role, all the groups or users assigned to the role are granted access. Roles can contain other roles, and any access granted to a role is granted to any other role that includes it.
Enterprise Architecture Workspace roles
The following roles are available in Enterprise Architecture Workspace. After access is granted to a role, all users and groups assigned to that role inherit the permissions. Roles can contain other roles, and any access granted to a role is also granted to any role that includes it.
| Role | Description | Typical persona |
|---|---|---|
| sn_apm.apm_admin | Full administrative access to configure and manage Enterprise Architecture Workspace settings, including Setup page configuration for all functional areas. Includes all permissions of sn_apm.apm_analyst. | EA administrator, IT architect lead |
| sn_apm.apm_analyst | Create and manage key portfolio records such as business applications and digital integrations. Approve or reject requests when assigned to the Enterprise Architect group. Includes all permissions of sn_apm.apm_user. | Enterprise architect, solution architect |
| sn_apm.apm_user | Create and update portfolio data across business architecture, information portfolio, technology portfolio, modeling, and data certification. Includes all permissions of sn_apm.apm_read. | Application owner, business analyst, portfolio manager |
| sn_apm.apm_read | Read-only access to all pages and records in Enterprise Architecture Workspace. Cannot create or update data. For more information, see Business stakeholder role for Enterprise Architecture Workspace. | Business stakeholder, executive, auditor |
Users with Enterprise Architecture Workspace roles and certain platform roles, such as ITIL and other CMDB related roles, may be able to create or edit Business Application records by default.
Enterprise Architect group
The Enterprise Architect group is a platform user group that acts as a governance layer on top of the standard role hierarchy. It is configured intentionally to separate approval authority from general role access: users with the sn_apm.apm_analyst role can perform approvals and governance actions only when they are also members of this group. Assigning the role alone is not sufficient for these actions.
To add or modify members of the Enterprise Architect group, navigate to .
The following table lists the capabilities that require membership in the Enterprise Architect group.
| Functional area | Role also required | Capabilities unlocked by group membership |
|---|---|---|
| Technology Reference Model (TRM) | sn_apm.apm_analyst |
|
| Enterprise modeling and visualization | sn_apm.apm_analyst |
|
Installation and plugin activation
Plugin activation requires the global admin role.
| Capability | admin | sn_apm.apm_admin | sn_apm.apm_analyst | sn_apm.apm_user | sn_apm.apm_read | Notes |
|---|---|---|---|---|---|---|
|
Activate the EA Workspace plugin |
 |
|||||
|
Activate the Technology Portfolio Management (TPM) plugin |
|
|||||
|
Activate the Technology Reference Model (TRM) plugin |
|
|||||
|
Activate the Read only roles for Enterprise Architecture plugin |
|
Setup page
The Setup page provides configuration options for all functional areas in the workspace.
| Capability | admin | sn_apm.apm_admin | sn_apm.apm_analyst | sn_apm.apm_user | sn_apm.apm_read | Notes |
|---|---|---|---|---|---|---|
|
Configure application categories, category groups, and families |
|
|
||||
|
Configure application and capability indicators |
|
|
||||
|
Configure scoring profiles and attach profile indicators |
|
|
||||
|
Configure TRM phases and TRM categories |
|
|
||||
|
Configure information data domains |
|
|
||||
|
Configure architectural artifact categories |
|
|
||||
|
Configure demand actions |
|
|
||||
|
Configure modeling settings, including shape libraries, entities, relationships, and diagram actions |
|
|
||||
|
Configure total cost of ownership (TCO) sources, source cost types, and cost types; set TCO dashboard properties |
|
|||||
|
Configure Publishing Center for TRM catalog publishing; modify TRM catalog publishing configurations; associate service portals with a TRM catalog knowledge base |
|
|
|
|
Requires sn_apm.apm_admin and knowledge_admin |
|
|
Add and edit certification policies from the Setup page (legacy CMDB-based policies) |
|
|
|
|
Requires certification_admin |
Business architecture
Business architecture covers business capabilities, business units, departments, goals, value streams, value stream stages, business processes, and demands in the Portfolio List view.
| Capability | admin | sn_apm.apm_admin | sn_apm.apm_analyst | sn_apm.apm_user | sn_apm.apm_read | Notes |
|---|---|---|---|---|---|---|
|
Add and edit business capabilities and sub-capabilities |
|
|
|
|
||
|
Add and edit business units |
|
|
|
|
||
|
Add and edit departments; add users to departments |
|
|
|
|
||
|
Add and edit goals; add quantitative and qualitative targets; create sub-goals |
|
|
|
|
||
|
Add and edit value streams; add application models to value streams |
|
|
|
|
||
|
Add and edit value stream stages; associate business processes with value stream stages; add or remove business capabilities from value stream stages |
|
|
|
|
||
|
Add and edit business processes |
|
|
|
|
||
|
Add and edit demands |
|
|
|
|
||
|
Create demands from the Business Portfolio view and Application Rationalization views |
|
|
|
|
||
|
Export business portfolio data |
|
|
|
|
||
|
View all business architecture records |
|
|
|
|
|
Application portfolio
The application portfolio covers business applications, application services, digital integrations, digital interfaces, and product capabilities.
| Capability | admin | sn_apm.apm_admin | sn_apm.apm_analyst | sn_apm.apm_user | sn_apm.apm_read | Notes |
|---|---|---|---|---|---|---|
|
Add new business applications |
|
|
|
|||
|
Add and edit digital integrations; associate artifacts and information objects with digital integrations |
|
|
|
|||
|
Add and edit digital interfaces; manage Agile Development components, information objects, and credentials; relate a digital interface to an API |
|
|
|
|||
|
Update business application details |
|
|
|
|
||
|
Associate and unassign business capabilities, product capabilities, architectural artifacts, information objects, and TRM products with business applications |
|
|
|
|
||
|
Create diagrams and unified maps from a business application |
|
|
|
|
||
|
View the business application roadmap |
|
|
|
|
||
|
Add and edit application services |
|
|
|
|
||
|
Add and edit product capabilities; view all product capabilities |
|
|
|
|
||
|
View and manage AI systems and AI portfolio items associated with business applications |
|
|
|
|
||
|
Run the job to generate model IDs for business applications |
|
|
|
|
||
|
View all business applications, application services, digital integrations, digital interfaces, and associated records |
|
|
|
|
|
Information portfolio
The information portfolio covers data domains, information objects, architectural artifacts, and architectural decision records (ADRs).
| Capability | admin | sn_apm.apm_admin | sn_apm.apm_analyst | sn_apm.apm_user | sn_apm.apm_read | Notes |
|---|---|---|---|---|---|---|
|
Add and edit data domains and information objects |
|
|
|
|
||
|
Create and edit architectural artifacts; add versions, related entities, and associated records |
|
|
|
|
||
|
Share architectural artifacts with users and groups; manage access permissions for architectural artifacts |
|
|
|
|
||
|
Request approval for an artifact version; download and delete architectural artifact versions |
|
|
|
|
||
|
Create and edit architectural decision records (ADRs); add pages, subpages, and versions to ADRs |
|
|
|
|
||
|
Tag users and records in an ADR document; request approval for an ADR |
|
|
|
|
||
|
Associate architectural artifacts with business applications, capabilities, business processes, digital integrations, and TRM products |
|
|
|
|
||
|
View all data domains, information objects, architectural artifacts, artifact versions, and ADRs |
|
|
|
|
|
Technology Portfolio Management (TPM)
Technology Portfolio Management tracks software and hardware lifecycle data for business applications and application services.
| Capability | admin | sn_apm.apm_admin | sn_apm.apm_analyst | sn_apm.apm_user | sn_apm.apm_read | Notes |
|---|---|---|---|---|---|---|
|
Activate the TPM plugin |
|
|||||
|
Update the system property to gather software from CMDB |
|
|||||
|
Update TPM lifecycle data for a business application or application service |
|
|
|
|
||
|
View technology lifecycle data and technology risk information |
|
|
|
|
||
|
View technology portfolio audit risk details and update verification status |
|
|
|
|
||
|
Run the job to populate TPM lifecycle data |
|
|
|
|
||
|
Run the scheduled job to update TPM data |
|
|
|
|
||
|
Run the scheduled job to generate TPM risk; restart the TPM scheduled job |
|
|
|
|
||
|
View TPM logs; run the job to populate TPM lifecycle identifiers |
|
|
|
|
||
|
View technology portfolio data, lifecycle timelines, and risk information |
|
|
|
|
|
Technology Reference Model (TRM)
The Technology Reference Model provides a structured catalog of approved technologies and their lifecycle phases.
| Capability | admin | sn_apm.apm_admin | sn_apm.apm_analyst | sn_apm.apm_user | sn_apm.apm_read | Notes |
|---|---|---|---|---|---|---|
|
Activate the TRM plugin |
|
|||||
|
Approve or reject TRM product requests |
|
|
|
Must be in the Enterprise Architect group |
||
|
Approve or reject TRM product lifecycle requests; create TRM product lifecycles |
|
|
|
Must be in the Enterprise Architect group |
||
|
View and update pending TRM requests |
|
|
|
Must be in the Enterprise Architect group |
||
|
View all TRM products, grouped by category or individually |
|
|
|
|
||
|
View all TRM phases and categories |
|
|
|
|
||
|
Request a new TRM product; request a TRM product lifecycle change |
|
|
|
|
||
|
Create TRM product lifecycle requests |
|
|
|
|
||
|
Associate architectural artifacts with TRM products |
|
|
|
|
||
|
View, create, add, and remove business capabilities and business applications associated with TRM products |
|
|
|
|
||
|
View TRM technical debt; run the job to generate TRM technical debts |
|
|
|
|
||
|
Export TRM product catalog data |
|
|
|
|
||
|
View TRM products, categories, phases, technical debt, and lifecycle timelines |
|
|
|
|
|
Enterprise modeling and visualization
Enterprise modeling and visualization lets users create, manage, and publish architecture diagrams.
| Capability | admin | sn_apm.apm_admin | sn_apm.apm_analyst | sn_apm.apm_user | sn_apm.apm_read | Notes |
|---|---|---|---|---|---|---|
|
Approve or reject modeling diagram requests |
|
|
|
Must be in the Enterprise Architect group |
||
|
View shape library configurations, entity configurations, modeling configuration, and relationship definitions |
|
|
|
Must be in the Enterprise Architect group |
||
|
Create empty diagrams and synchronize them with the ServiceNow database |
|
|
|
|
||
|
Create business capability maps (BC maps), business application maps (BA maps), and business process maps (BP maps) |
|
|
|
|
||
|
Create ArchiMate diagrams, AWS architecture diagrams, and CSDM diagrams |
|
|
|
|
||
|
Add, remove, group, ungroup, expand, collapse, and delete shapes |
|
|
|
|
||
|
Add related records to shapes; add labels to connector lines |
|
|
|
|
||
|
Reorder shapes in a category; show or hide the Shapes panel; toggle between grid and list view; filter shapes |
|
|
|
|
||
|
Save a diagram as new; duplicate a diagram |
|
|
|
|
||
|
Submit a diagram for approval; synchronize a diagram and individual shapes |
|
|
|
|
||
|
Share a diagram; download a diagram; add or edit diagram version details; delete a diagram |
|
|
|
|
||
|
Create and manage custom shape libraries, custom shape elements, and custom shape actions; store images in the database for custom shapes |
|
|
|
|
||
|
Modify BPMN diagrams |
|
|
|
|
||
|
View diagrams and diagram details |
|
|
|
|
|
Application rationalization
Application rationalization helps users assess and manage business applications through bubble chart and list views.
| Capability | admin | sn_apm.apm_admin | sn_apm.apm_analyst | sn_apm.apm_user | sn_apm.apm_read | Notes |
|---|---|---|---|---|---|---|
|
Analyze business applications in the bubble chart view by capability |
|
|
|
|
||
|
Create demands from the bubble chart view and list view |
|
|
|
|
||
|
Set the planned disposition of a business application |
|
|
|
|
||
|
Add and edit business application lifecycle data |
|
|
|
|
||
|
Edit business application details from the bubble chart and list views |
|
|
|
|
||
|
Edit demands and projects associated with a business application |
|
|
|
|
||
|
Update the system property to change the number of bubbles displayed |
|
|
|
|
||
|
Apply filters on the application rationalization view |
|
|
|
|
||
|
Export application rationalization list data |
|
|
|
|
||
|
View application rationalization data in bubble chart and list views |
|
|
|
|
|
Data certification
Data certification provides a governance mechanism to promote that architecture data is accurate and complete.
| Capability | admin | sn_apm.apm_admin | sn_apm.apm_analyst | sn_apm.apm_user | sn_apm.apm_read | Notes |
|---|---|---|---|---|---|---|
|
Create data certification policies using the certification policy wizard |
|
|
|
|
Requires system admin, CMDB admin, and sn_apm.apm_analyst |
|
|
Publish draft certification policies |
|
|||||
|
Run data certification policies |
|
|||||
|
Activate and deactivate certification policies; delete certification policies |
|
|||||
|
Track certification progress across policies |
|
|||||
|
Review and certify data certification tasks assigned to them |
|
|
|
|
User must be assigned a certification task |
|
|
Fail records that do not meet certification standards |
|
|
|
|
User must be assigned a certification task |
|
|
Reassign certification tasks to other users or groups; request reassignment |
|
|
|
|
User must be assigned a certification task |
|
|
Submit completed certification reviews |
|
|
|
|
User must be assigned a certification task |
|
|
View certification policies and certification status |
|
|
|
|
|
Dashboards
Dashboards provide visibility into application health, assessment scores, and portfolio performance.
| Capability | admin | sn_apm.apm_admin | sn_apm.apm_analyst | sn_apm.apm_user | sn_apm.apm_read | Notes |
|---|---|---|---|---|---|---|
|
View and monitor the Applications Assessment dashboard |
|
|
|
|||
|
View and monitor the Application 360 dashboard |
|
|
|
|||
|
View the workspace home dashboard and portfolio overview and health section |
|
|
|
|
||
|
Apply filters on the portfolio overview and health view |
|
|
|
|
||
|
View dashboards |
|
|
|
|
|
Total Cost of Ownership (TCO)
Total Cost of Ownership tracks and manages direct and indirect costs associated with business applications.
| Capability | admin | sn_apm.apm_admin | sn_apm.apm_analyst | sn_apm.apm_user | sn_apm.apm_read | Notes |
|---|---|---|---|---|---|---|
|
Activate the App TCO plugin |
|
|||||
|
Create TCO sources, TCO source cost types, and TCO cost types |
|
|||||
|
Set properties for TCO dashboards |
|
|||||
|
View all TCO records for business applications |
|
|
|
|
||
|
create TCO records |
|
|
|
|
||
|
View TCO records |
|
|
|
|
|
Publishing Center
The Publishing Center lets administrators publish TRM catalog data to a knowledge base for consumption through a service portal.
| Capability | admin | sn_apm.apm_admin | sn_apm.apm_analyst | sn_apm.apm_user | sn_apm.apm_read | Notes |
|---|---|---|---|---|---|---|
|
Create and modify TRM catalog publishing configurations |
|
|
|
|
Requires sn_apm.apm_admin and knowledge_admin |
|
|
Configure TRM data to publish; manage article configurations |
|
|
|
|
Requires sn_apm.apm_admin and knowledge_admin |
|
|
Associate portals with a TRM catalog knowledge base |
|
|
|
|
Requires sn_apm.apm_admin and knowledge_admin |
|
|
Enable automatic synchronization of published catalogs |
|
|
|
|
Requires sn_apm.apm_admin and knowledge_admin |
|
|
Publish and republish TRM catalogs to the knowledge base |
|
|
|
|
Requires sn_apm.apm_admin and knowledge_admin |
|
|
Retire and archive published TRM catalogs; view publishing run logs |
|
|
|
|
Requires sn_apm.apm_admin and knowledge_admin |
|
|
Access published TRM catalog content through the service portal |
|
|
|
|
|
Architecture Analyzer
The Architecture Analyzer lets users explore and visualize relationships between architectural entities on an interactive canvas.
| Capability | admin | sn_apm.apm_admin | sn_apm.apm_analyst | sn_apm.apm_user | sn_apm.apm_read | Notes |
|---|---|---|---|---|---|---|
|
create explorations on the Architecture Analyzer canvas |
|
|
|
|
||
|
Add entities to the canvas by selecting entity type and specific record |
|
|
|
|
||
|
Add upstream and downstream related entities to a selected entity on the canvas |
|
|
|
|
||
|
Show or hide the left navigation pane and the Add to canvas panel |
|
|
|
|
||
|
Clear all entities from the canvas |
|
|
|
|
||
|
Download an exploration canvas as an image |
|
|
|
|
||
|
Rename an exploration; delete an exploration |
|
|
|
|
||
|
View existing explorations |
|
|
|
|
|
AI systems — AI Control Tower integration
The AI systems integration surfaces AI governance data from AI Control Tower directly on business application records. Viewing full AI system records in AI Control Tower requires roles from the AI Control Tower application in addition to EA Workspace roles.
| Capability | admin | sn_apm.apm_admin | sn_apm.apm_analyst | sn_apm.apm_user | sn_apm.apm_read | Notes |
|---|---|---|---|---|---|---|
|
View the AI systems tab on a business application record |
|
|
|
|
||
|
View AI system details including lifecycle phase, state, lifecycle status, and risk classification |
|
|
|
|
||
|
Add an existing AI Control Tower AI system to a business application |
|
|
|
|
||
|
Remove an AI system association from a business application |
|
|
|
|
||
|
Open and view the full AI system record in the AI Control Tower workspace |
|
|
|
|
Requires sn_ai_governance.ai_governance_workspace_user (AI Control Tower role) |
|
|
View full AI system governance details in AI Control Tower, including related models, datasets, prompts, approval history, and lifecycle tasks |
|
|
|
|
Requires sn_aig.ai_steward or sn_aig.ai_asset_owner (AI Control Tower roles) |
|
|
Manage AI system associations with business applications from the AI Control Tower side |
|
|
|
|
Requires sn_aig.ai_steward or sn_aig.ai_asset_owner (AI Control Tower roles) |
|
|
View the AI systems tab on a business application record |
|
|
|
|
|
My Entities
My Entities provides a personalized view of the records you own or manage, across all portfolio types.
| Capability | admin | sn_apm.apm_admin | sn_apm.apm_analyst | sn_apm.apm_user | sn_apm.apm_read | Notes |
|---|---|---|---|---|---|---|
|
View and manage your business capabilities, business processes, and business applications |
|
|
|
|
||
|
View and manage your application services, information objects, and architectural artifacts |
|
|
|
|
||
|
View and manage your TRM products, digital integrations, and digital interfaces |
|
|
|
|
||
|
View your assigned entities |
|
|
|
|
|