Managing access to knowledge bases and knowledge articles
This guide explains how ServiceNow customers can control access to knowledge bases and knowledge articles by managing contribute and read permissions using user criteria and roles. As a knowledge administrator, knowledge base manager, or owner, you can assign user criteria at both the knowledge base and knowledge article levels to specify who can view or edit content. Effective access control ensures that knowledge is shared appropriately within your organization while protecting sensitive information.
Key Features
- Access Types:
  - Read access: Allows users to view knowledge articles.
  - Contribute access: Allows users to create, modify, or retire knowledge articles.
- User Criteria for Access Control: Use defined user criteria such as Can Read, Cannot Read, Can Contribute, and Cannot Contribute to manage permissions. User criteria are preferred over roles for article-level control starting from Knowledge Management v3.
- Role-based Security Override: You can override role-based restrictions by adding the system property glide.knowman.search.apply_role_based_security set to false, enabling user criteria-only access control.
- Special Privileges: Knowledge administrators, knowledge base owners, and managers have full contribute and read rights on relevant knowledge bases and articles, bypassing user criteria restrictions.
- Explicit Roles Plugin: When installed, predefined user criteria based on explicit roles (e.g., snc_internal) are automatically added to knowledge bases to refine access control.
- System Properties for Access Behavior: Properties such as glide.knowman.block_access_with_no_user_criteria and glide.knowman.apply_article_read_criteria influence how access is granted when no user criteria are set or when article-level criteria apply.
- User Criteria Diagnostics: A diagnostic tool helps verify which users have access to specific knowledge bases and articles, ensuring correct permissions configuration.
Practical Application for ServiceNow Customers
- Control Access at Knowledge Base Level: Assign user criteria to define who can read or contribute to entire knowledge bases.
- Control Access at Article Level: Assign user criteria specifically to articles to restrict read access, useful for sensitive or specialized content.
- Configure Access for Unauthenticated Users: Set the Service Portal pages for Knowledge Management to public if unauthenticated users need read access.
- Manage Special Roles and Permissions: Leverage knowledge administrators, owners, and managers to maintain oversight and manage user criteria assignments.
- Use System Properties to Fine-tune Access: Adjust system properties to suit your organizational security policies, especially regarding role-based security enforcement and article-level overrides.
- Maintain Security During Upgrades: Use fix scripts to apply explicit role user criteria to existing knowledge bases when upgrading to newer product versions.
Next Steps
- Create and assign user criteria to knowledge bases and articles to implement your access control policies.
- Utilize the User Criteria Diagnostics feature to validate and troubleshoot access permissions.
- Review and configure relevant Knowledge Management system properties to align with your organization’s security requirements.
- Consider enabling article versioning and ownership groups to enhance knowledge article management under controlled access.
Determine whether certain users or categories of users can access knowledge bases and knowledge articles by controlling contribute and read access.
- Read access determines the ability to view knowledge articles in a knowledge base.
- Contribute access determines the ability to create, modify, and retire knowledge articles in a knowledge base.
As a knowledge administrator, manager of a knowledge base, or owner of a knowledge base, you can assign user criteria, or roles, or both, to control read access at the knowledge article level.
Try to use only user criteria, which were introduced in Knowledge Management v3, to control access to knowledge articles. Roles were used for this purpose in Knowledge Management v2. If no user criteria is selected for a knowledge base, all users can read and all users with roles can contribute to that knowledge base.
User criteria for knowledge access
As a knowledge administrator, manager of a knowledge base, or owner of a knowledge base, you control access to knowledge bases or knowledge articles for a user through user criteria, which are described in the following table.
| User criteria | Result |
|---|---|
| Cannot Contribute | Cannot contribute (that is, can't create, modify, or retire) knowledge articles within a knowledge base. The Cannot Contribute user criteria is available only for knowledge bases. |
| Can Contribute | Can contribute (that is, can view, create, modify, or retire) knowledge articles within a knowledge base. The Can Contribute user criteria is available only for knowledge bases. |
| Cannot Read | At the knowledge base level, cannot view knowledge articles within a knowledge base. At the knowledge article level, cannot view a knowledge article. |
| Can Read | At the knowledge base level, can view knowledge articles within a knowledge base. At the knowledge article level, can view a knowledge article. |
Access to a knowledge base and its articles is determined by which user criteria a user matches, as described in the following table.
| Status | Access |
|---|---|
| The user matches both Can Contribute and Cannot Contribute at the knowledge base level | The user is denied contribute access to the knowledge base and its articles. |
| The user matches both Can Read and Cannot Read at the knowledge base level | The user is denied read access to the knowledge base and its articles. |
| The user matches Can Read at the knowledge base level and Cannot Read at the knowledge article level | The user is denied read access to the knowledge article. |
| The user matches Cannot Read and Can Read at the knowledge article level | The user is denied read access to the knowledge article. |
Users with special knowledge privileges
Users with special knowledge privileges aren't evaluated based on user criteria and have knowledge bases and knowledge articles access as described in the following table.
| User | Access |
|---|---|
| Knowledge administrator | Note: This access doesn't apply to scoped knowledge bases. For more information, see Scoped knowledge bases. |
| Owner of a knowledge base | |
| Manager of a knowledge base | Note: If the article versioning feature is enabled, the manager of a knowledge base can’t modify knowledge articles of other authors that are in the Draft state. For more information, see Article versioning. |
| Members of an ownership group associated with a knowledge article | Read, modify, approve, and retire that knowledge article (see Ownership groups). |
Explicit roles and user criteria
Explicit roles (snc_external and snc_internal) are added to your instance when your administrator installs a plugin, such as the Customer Service plugin (com.sn_customerservice), that also activates the Explicit Roles plugin (com.glide.explicit_roles). If you create a knowledge base with the Explicit Roles plugin (com.glide.explicit_roles) activated, the application automatically adds the following predefined user criteria at the knowledge base level:
- Users with 'snc_internal' role – Added to the Can Read user criteria so that only users with the snc_internal role have read access to the knowledge base.
- Users with 'snc_internal' and another role – Added to the Can Contribute user criteria so that only users with the snc_internal role and at least one additional role have contribute access to the knowledge base.
When you upgrade to product versions (from Rome onwards) that offer the Explicit Roles plugin (com.glide.explicit_roles), the predefined user criteria Users with 'snc_internal' role and Users with 'snc_internal' and another role aren't automatically added to any existing knowledge bases created prior to the activation of the Explicit Roles plugin. To add these predefined user criteria to an existing knowledge base, run the Fix unsecured knowledge bases fix script. For more information about explicit roles and fix scripts, see Explicit Roles and Fix scripts.
Determining contribute access to a knowledge base and its articles using user criteria
When Can Contribute isn’t set, and either Cannot Contribute isn’t set or the user doesn’t match Cannot Contribute, the glide.knowman.block_access_with_no_user_criteria property value is evaluated to determine contribute access, as explained in the following table.
| Property value | Result |
|---|---|
| true | No user has contribute access to the knowledge base except users with special knowledge privileges. |
| false | All users, including unauthenticated users, with at least one role can contribute to the knowledge base. If the Explicit Roles plugin (com.glide.explicit_roles) is activated, users who have at least one role other than snc_internal can contribute to the knowledge base. To check knowledge bases accessible to unauthenticated users, use the User Criteria Diagnostics feature. For more information, see Configure access to knowledge bases for unauthenticated users. |
When a user has contribute access to a knowledge base, the glide.knowman.apply_article_read_criteria property is evaluated to determine contribute access to an article in the knowledge base, as explained in the following table.
| Property value | Result |
|---|---|
| true | Article-level read access overrides the default contribute permission granted by contribute access at the knowledge base level. |
| false | Contribute access at the knowledge base level takes precedence over article-level user criteria and the user has contribute access to every article in the knowledge base. |
Determining read access to articles in a knowledge base using user criteria
The following flowchart illustrates the user criteria checks that determine read access to a knowledge article.
When Can Read isn’t set, and either Cannot Read isn’t set or the user doesn’t match Cannot Read, the glide.knowman.block_access_with_no_user_criteria property value is evaluated to determine read access, as explained in the following table.
| Property value | Result |
|---|---|
| true | No user has read access except users with special knowledge privileges and users who have contribute access to the knowledge base. |
| false | All users, including unauthenticated users, have read access to the knowledge base and the article-level user criteria are further evaluated. To check knowledge bases accessible to unauthenticated users, use the User Criteria Diagnostics feature. For more information, see Configure access to knowledge bases for unauthenticated users. |
When a user has contribute access to a knowledge base, the glide.knowman.apply_article_read_criteria property is evaluated to determine read access to an article in the knowledge base, as explained in the following table.
| Property value | Result |
|---|---|
| true | Article-level read access overrides the default read permission granted by contribute access at the knowledge base level. |
| false | Contribute access at the knowledge base level takes precedence over article-level user criteria and the user has read access to every article in the knowledge base. |
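The contribute and read checks from the two sections above, modeled as plain JavaScript so a proposed criteria and property combination can be reasoned about before it is configured. This is an added example, not ServiceNow's implementation or code from this page. Assumptions: the object shapes, the `privileged` flag (which ignores the scoped knowledge base and Draft-state notes), the role names `kb_author` and `contractor`, the rule that a populated Can list denies users who don't match it, and the treatment of contributors as knowledge-base-level readers.

```javascript
// Added model of the read/contribute rules on this page; not ServiceNow code.
// A criterion is a predicate on a user object (constructed shape).
const matches = (criteria, user) => criteria.some((c) => c(user));

// One level of criteria: a Cannot match always wins; a populated Can list must
// be matched (assumption: non-match denies); null means no criteria decided.
function evaluate(can, cannot, user) {
  if (matches(cannot, user)) return false;
  if (can.length > 0) return matches(can, user);
  return null;
}

function canContributeKb(user, kb, props) {
  if (user.privileged) return true; // admin, owner, manager: criteria skipped
  const decided = evaluate(kb.canContribute, kb.cannotContribute, user);
  if (decided !== null) return decided;
  if (props.blockAccessWithNoUserCriteria) return false;
  // Property false: any user with at least one role; with Explicit Roles
  // active, snc_internal alone does not count.
  const counted = props.explicitRoles
    ? user.roles.filter((r) => r !== "snc_internal")
    : user.roles;
  return counted.length > 0;
}

function canReadArticle(user, kb, article, props) {
  if (user.privileged) return true;
  const contributor = canContributeKb(user, kb, props);
  // apply_article_read_criteria = false: KB contribute access wins outright.
  if (contributor && !props.applyArticleReadCriteria) return true;
  if (!contributor) {
    const kbRead = evaluate(kb.canRead, kb.cannotRead, user);
    if (kbRead === false) return false;
    if (kbRead === null && props.blockAccessWithNoUserCriteria) return false;
  }
  // Article-level criteria; if none are set the KB-level result stands.
  return evaluate(article.canRead, article.cannotRead, user) !== false;
}

// Constructed sample: role names kb_author and contractor are hypothetical.
const hasRole = (r) => (u) => u.roles.includes(r);
const kb = { canRead: [hasRole("snc_internal")], cannotRead: [],
             canContribute: [hasRole("kb_author")], cannotContribute: [] };
const article = { canRead: [], cannotRead: [hasRole("contractor")] };
const author = { roles: ["kb_author", "contractor"] };
for (const apply of [false, true]) {
  const props = { blockAccessWithNoUserCriteria: true, applyArticleReadCriteria: apply };
  console.log(apply, canReadArticle(author, kb, article, props));
}
```

With glide.knowman.apply_article_read_criteria set to false, the sample contributor still reads an article whose Cannot Read criteria they match; this is the combination to check when article-level criteria are used to restrict sensitive content.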