Table definitions

Seven tables, one ownership chain.

Two tables are native ServiceNow CMDB objects. Four are custom extensions that carry the PAM-specific attributes. One is the junction table that keeps usage rights and rotation rights separately recorded.

Native CMDB tables

Already exist in most ServiceNow instances — this model adds no new fields to either.

cmdb_ci_business_app native
PKsys_idguid
namestring
FKowned_bysys_user
criticalitychoice
cmdb_ci_appl_instance native
PKsys_idguid
FKbusiness_appcmdb_ci_business_app
environmentenum(prod/non-prod)
FKsupport_groupsys_user_group

Identity and group tables

Also native, but the model depends on a specific convention: one group per application-instance pairing.

sys_user_group native
PKsys_idguid
namestring
FKbusiness_appcmdb_ci_business_app
FKappl_instancecmdb_ci_appl_instance
sys_user native
PKsys_idguid
namestring
job_code_typeenum(rtb/ctb)
FKmanagersys_user
sys_user_grmember native
PKsys_idguid
FKusersys_user
FKgroupsys_user_group

Custom PAM extension tables

Built to carry the affiliation tag and separate the permission grant from the vault's own internal safe object.

u_pam_safe custom
PKsys_idguid
safe_namestring
FKappl_instancecmdb_ci_appl_instance
FKservice_ownersys_user
pam_platform_refstring (vault safe id)
u_pam_account custom
PKsys_idguid
account_namestring
FKsafeu_pam_safe
platform_typeenum(win/unix/db/ldap)
FKreconciliation_accountsys_user (service acct)
u_pam_safe_permission custom
PKsys_idguid
FKsafeu_pam_safe
FKgranteesys_user / sys_user_group
permission_levelenum(use_retrieve/reconcile)
Why u_pam_safe_permission is its own table rather than a field on the safe itself — the safe can have many grantees at different permission levels simultaneously. Modeling this as a junction table is what lets the catalog request workflow assign use_retrieve to a group and reconcile to a single service owner without a schema change every time a new grant type is needed.