Roles in CDM

  • Release version: Yokohama
  • Updated January 30, 2025

    List of roles and permissions in CDM.

    Important:
    Starting with the Washington DC release, DevOps Config is being prepared for future deprecation. It will be hidden and no longer installed on new instances but will continue to be supported. For details, see the Deprecation Process [KB0867184] article in the Now Support Knowledge Base.

    CDM roles

    CDM role hierarchy

    Role title [name] Permissions Contains roles

    CDM Viewer [sn_cdm.cdm_viewer]

    • Read config data from any application that they have access to (governed through user groups that are set by the Maintained by property).
    • View the list and content of component libraries as well as the shared components contained within them.
    • View the list and content of changesets.
    • View the list and content of snapshots and validation results.
    • Export snapshots.
    • View exporters.
    • View policies and policy mappings.
    • View the Investigate page for a change request (CHG) on the Service Operations Workspace.
    Note:
    If the Maintained by group is set at the application level to view config data, then this user must be a member of the group.

    Contains roles:
    • [sn_pace.policy_reader]
    • [itil]
    • [canvas_user]

    Event Management user [evt_mgmt_user]

    • View the contents of the snapshots.
    • View the Investigate page for a change request (CHG) on the Service Operations Workspace.
    • View snapshots, nodes, and changesets, regardless of whether this user is a member of Maintained by groups set at the application level.

    Contains roles: itil

    CDM Editor [sn_cdm.cdm_editor]

    • Create/update/delete config data within components and collections, including variables, overrides, and includes.
    • Create and commit changesets.
    • Validate snapshots.
    • Publish and unpublish snapshots.
    • Create, update, and delete config data within CDM applications.
    • Add and manage component libraries.
    • Add and delete shared components in a component library.
    Note:
    The cdm_editor role doesn’t grant permission to create/update/delete an application and its deployables, or to change the Enforce validation setting on deployables.

    If the Maintained by group is set at the application level to view config data, then this user must be a member of the group.

    Contains roles: cdm_viewer

    CDM Exporter Editor [sn_cdm.cdm_exporter_editor]

    Create/update/delete exporters.

    Contains roles: cdm_viewer

    CDM Policy Editor [sn_cdm.cdm_policy_editor]

    • Create/update/delete policies.
    • Map policies to deployables.

    Contains roles:
    • cdm_viewer
    • [sn_pace.admin]

    CDM Secrets [sn_cdm.cdm_secrets]

    • Read and export encrypted data (when granted to a user with the cdm_viewer role).
    • Permanently encrypt / decrypt data (when granted to a user with the cdm_editor role).
    • Edit encrypted data (when granted to a user with the cdm_editor role).
    Note:
    The cdm_secrets role is effective only with the cdm_viewer, cdm_editor, or cdm_admin role.

    Contains roles: None

    Application Service Admin [sn_cdm.app_service_admin]

    Enables the CDM Admin to create an application service.

    Contains roles: None

    CDM Admin [sn_cdm.cdm_admin]

    • Create/update/delete applications.
    • Create/update/delete deployables.
    • Create/update/delete config data.
    • Change settings on deployables to enforce snapshot validation.

    Contains roles:
    • cdm_editor
    • cdm_exporter_editor
    • cdm_policy_editor
    • app_service_admin
    • Model_manager (for create/update/delete of application model)
    • [itil] (for create/update/delete of SDLC components)
    • [itil admin]

    CDM All App Access [sn_cdm.cdm_all_app_access]

    Note:
    The cdm_all_app_access role is effective only with the cdm_admin, cdm_editor, or cdm_viewer roles.
    • Users with the cdm_all_app_access and cdm_admin role can update or delete an application or shared component library regardless of whether they’re a member of the user groups that maintain the application (Maintained by field) or library (Authoring groups field).
    • Users with the cdm_all_app_access and cdm_editor role can edit an application or shared component library regardless of being a member of any of the user groups that maintain the application or library.
    • Users with the cdm_all_app_access and cdm_viewer role can view an application regardless of being a member of any of the user groups that maintain the application.

    Contains roles: None
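
An access-review sketch for the table above, added here as an example and not ServiceNow code: it expands a user's granted roles through the "Contains roles" column and applies the pairing rules for cdm_secrets and cdm_all_app_access. The function names, the sn_cdm. prefix on short role names, and the assumption that the application has a Maintained by group set are choices made for this example.

```javascript
// "Contains roles" column from the table above. Writing short names such as
// cdm_viewer with the sn_cdm. prefix is an assumption; cdm_admin's non-CDM
// contained roles are left out.
const CONTAINS = {
  'sn_cdm.cdm_viewer': ['sn_pace.policy_reader', 'itil', 'canvas_user'],
  'evt_mgmt_user': ['itil'],
  'sn_cdm.cdm_editor': ['sn_cdm.cdm_viewer'],
  'sn_cdm.cdm_exporter_editor': ['sn_cdm.cdm_viewer'],
  'sn_cdm.cdm_policy_editor': ['sn_cdm.cdm_viewer', 'sn_pace.admin'],
  'sn_cdm.cdm_admin': ['sn_cdm.cdm_editor', 'sn_cdm.cdm_exporter_editor',
    'sn_cdm.cdm_policy_editor', 'sn_cdm.app_service_admin'],
};

// Expand directly granted roles into everything they contain, transitively.
function effectiveRoles(granted) {
  const seen = new Set();
  const stack = [...granted];
  while (stack.length > 0) {
    const role = stack.pop();
    if (seen.has(role)) continue;
    seen.add(role);
    stack.push(...(CONTAINS[role] || []));
  }
  return seen;
}

// Review one user against an application whose Maintained by group is set.
function reviewUser(granted, inMaintainedByGroup) {
  const eff = effectiveRoles(granted);
  const has = (name) => eff.has('sn_cdm.' + name);
  const core = has('cdm_viewer') || has('cdm_editor') || has('cdm_admin');
  const allApps = core && has('cdm_all_app_access');
  const findings = [];
  for (const modifier of ['cdm_secrets', 'cdm_all_app_access']) {
    if (has(modifier) && !core) findings.push(modifier + ' has no effect without a core CDM role');
  }
  if (allApps) findings.push('Maintained by restriction does not apply to this user');
  if (eff.has('sn_pace.admin')) findings.push('effective role set includes sn_pace.admin');
  return {
    effective: [...eff].sort(),
    viewConfigData: has('cdm_viewer') && (inMaintainedByGroup || allApps),
    viewSnapshotsUngated: allApps || eff.has('evt_mgmt_user'),
    readEncrypted: has('cdm_secrets') && has('cdm_viewer'),
    decryptPermanently: has('cdm_secrets') && has('cdm_editor'),
    findings,
  };
}

// Constructed sample: an admin who was also handed cdm_secrets.
console.log(reviewUser(['sn_cdm.cdm_admin', 'sn_cdm.cdm_secrets'], true));
```

Because cdm_admin contains cdm_editor, which contains cdm_viewer, adding cdm_secrets to an admin yields both read/export and permanent decrypt of encrypted data.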