Determine whether certain users or categories of users can access knowledge bases and
knowledge articles by controlling contribute and read access.
At the knowledge base level, you can assign user criteria to control contribute and read
access, where:
- Read access determines the ability to view knowledge articles in a knowledge base.
- Contribute access determines the ability to create, modify, and retire knowledge
  articles in a knowledge base. Contribute access to a knowledge base also provides read
  access to all articles in the knowledge base.
At the knowledge article level, you can assign user criteria and roles, or both, to control
read access. Contribute access to a knowledge base also provides read access to all articles
in the knowledge base even when read access is denied at the knowledge article level. If a
user doesn't have contribute access to a knowledge base, both roles and user criteria are
evaluated to determine read access to a knowledge article.
Try to use only user criteria, which were introduced in Knowledge Management v3, to
control access to knowledge articles. Roles were used for this purpose in Knowledge Management v2.
Note: By default, when contribute access isn't provided for a knowledge base, a user must meet
both roles and user criteria conditions for read access. However, you can override roles set
for a knowledge article and provide access through user criteria only by setting the
glide.knowman.search.apply_role_based_security system property to false. Because this
property isn't available by default, you must add it. For more information, see
Add a system property.
User criteria for knowledge access
You control access to knowledge bases or knowledge articles for a user through user
criteria, which are described in the following table.
Table 1. User criteria definitions
| User criteria | Result |
| --- | --- |
| Cannot Contribute | Cannot contribute (that is, can't create, modify, or retire) knowledge articles within a knowledge base. The Cannot Contribute user criteria is available only for knowledge bases. |
| Can Contribute | Can contribute (that is, can view, create, modify, or retire) knowledge articles within a knowledge base. The Can Contribute user criteria is available only for knowledge bases. |
| Cannot Read | At the knowledge base level, cannot view knowledge articles within a knowledge base. At the knowledge article level, cannot view a knowledge article. |
| Can Read | At the knowledge base level, can view knowledge articles within a knowledge base. At the knowledge article level, can view a knowledge article. |
Table 2. Combining knowledge base and knowledge article user criteria
| Status | Access |
| --- | --- |
| The user matches both Can Contribute and Cannot Contribute at the knowledge base level | The user is denied contribute access to the knowledge base and its articles. |
| The user matches both Can Read and Cannot Read at the knowledge base level | The user is denied read access to the knowledge base and its articles. |
| The user matches Can Read at the knowledge base level and Cannot Read at the knowledge article level | The user is denied read access to the knowledge article. |
| The user matches Cannot Read and Can Read at the knowledge article level | The user is denied read access to the knowledge article. |
Users with special knowledge privileges
Users with special knowledge privileges aren't evaluated based on user criteria. Their access
to knowledge bases and knowledge articles is described in the following table.
Table 3. Access of users with special privileges to knowledge bases and knowledge articles
| User | Access |
| --- | --- |
| Knowledge administrator | Contribute to and read all knowledge bases and their articles. Modify the definition of all knowledge bases and assign user criteria to them. |
| Owner of a knowledge base | Contribute to and read that knowledge base. Modify the definition of that knowledge base and assign user criteria to it. |
| Manager of a knowledge base | Contribute to and read that knowledge base. Modify the definition of that knowledge base and assign user criteria to it. Note: If the article versioning feature is enabled, the manager of a knowledge base can't modify knowledge articles of other authors that are in the Draft state. For more information, see Article versioning. |
| Members of an ownership group associated with a knowledge article | Read, modify, and retire that knowledge article. |
Explicit roles and user criteria
Explicit roles (snc_external and snc_internal) are added to your instance when you install
a plugin, such as the Customer Service plugin (com.sn_customerservice), that also activates
the Explicit Roles plugin. If you create a knowledge base with the Explicit Roles plugin
activated, the application automatically adds the following predefined user criteria at the
knowledge base level:
- Users with 'snc_internal' role – Added to the Can Read user
  criteria. Assigning this criteria means only users with the snc_internal role have read
  access to the knowledge base.
- Users with 'snc_internal' and another role – Added to the Can
  Contribute user criteria. Assigning this criteria means only users with the snc_internal
  role and at least one additional role have contribute access to the knowledge base.
When you upgrade to product versions that offer the Explicit Roles plugin, the predefined
user criteria Users with 'snc_internal' role and Users with 'snc_internal' and another role
aren't automatically added to any existing knowledge bases created prior to the activation
of the Explicit Roles plugin. To add these predefined user criteria to an existing knowledge
base, run the Fix unsecured knowledge bases fix script. For more information about explicit
roles and fix scripts, see Explicit Roles and Fix scripts.
Knowledge access using user criteria
The flowchart in this section illustrates the user criteria checks that determine
contribute access to a knowledge base.
Note: In order for an unauthenticated user to view knowledge articles within the knowledge
base, ensure that the audience for the Knowledge Management Service Portal pages is set to
public; that is, the page can be accessed without the need for authentication. For more
information, see Create and edit a page using the Service Portal Designer.
Figure 1. Contribute access to a knowledge base flowchart
When Cannot Contribute isn't set or the user doesn't match Cannot Contribute, and Can
Contribute is also not set, the glide.knowman.block_access_with_no_user_criteria property
value is evaluated to determine contribute access, as explained in the following table.
Table 4. Contribute access to a knowledge base when user criteria for a knowledge base aren't set
| Property value | Result |
| --- | --- |
| true | No user has contribute access to the knowledge base except users with special knowledge privileges. |
| false | Users with at least one role can contribute to the knowledge base. Note: If the Explicit Roles plugin is activated, users who have at least one role other than snc_internal can contribute to the knowledge base. |
The following flowchart illustrates the user criteria checks that determine read access to
a knowledge article.
Figure 2. Read access to a knowledge article flowchart
When Cannot Read isn't set or the user doesn't match Cannot Read, and Can Read is also not
set, the glide.knowman.block_access_with_no_user_criteria property value is evaluated to
determine read access, as explained in the following table.
Table 5. Read access when user criteria for a knowledge base aren't set
| Property value | Result |
| --- | --- |
| true | No user has read access except users with special knowledge privileges and users who have contribute access to the knowledge base. |
| false | All users, including unauthenticated users, have read access to the knowledge base and the article-level user criteria are further evaluated. |
Important: After you add user criteria, you can use the user criteria diagnostics feature
to verify the access that users have to a knowledge base or a knowledge article. For more
information, see User criteria diagnosis for Knowledge Management.
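
The contribute and read checks described above, modelled as an added example for reasoning about effective access (this is not ServiceNow code). The object shapes and camelCase property names are hypothetical, and the lines marked "assumption" fill in flowchart branches that the text does not spell out.

```javascript
// Added illustration, not ServiceNow code: a model of the documented checks.
// Object shapes (special, roles, canRead, ...) are hypothetical. A criteria list is an
// array of predicates; an empty array means that criteria type is not set.
const matches = (criteria, user) => criteria.some((c) => c(user));

function canContribute(user, kb, props) {
  if (user.special) return true; // knowledge administrator, owner or manager of the KB
  if (matches(kb.cannotContribute, user)) return false; // Table 2: deny wins
  // Assumption: when Can Contribute is set, a user who does not match it is denied.
  if (kb.canContribute.length > 0) return matches(kb.canContribute, user);
  if (props.blockAccessWithNoUserCriteria) return false; // Table 4, true
  const roles = props.explicitRoles
    ? user.roles.filter((r) => r !== 'snc_internal') : user.roles;
  return roles.length > 0; // Table 4, false
}

function canRead(user, kb, article, props) {
  // Contribute access grants read even when the article-level criteria deny it.
  if (canContribute(user, kb, props)) return true;
  if (matches(kb.cannotRead, user)) return false; // Table 2
  if (kb.canRead.length > 0) {
    if (!matches(kb.canRead, user)) return false; // assumption: no match, no access
  } else if (props.blockAccessWithNoUserCriteria) {
    return false; // Table 5, true
  }
  if (matches(article.cannotRead, user)) return false; // Table 2
  if (article.canRead.length > 0 && !matches(article.canRead, user)) return false; // assumption
  // Roles are checked unless glide.knowman.search.apply_role_based_security is false.
  if (props.applyRoleBasedSecurity && article.roles.length > 0) {
    return article.roles.some((r) => user.roles.includes(r)); // assumption: any listed role
  }
  return true;
}

// Constructed sample data.
const hasRole = (role) => (u) => u.roles.includes(role);
const guest = { special: false, roles: [] }; // unauthenticated user
const employee = { special: false, roles: ['snc_internal'] };
const agent = { special: false, roles: ['snc_internal', 'itil'] };
const openKb = { cannotContribute: [], canContribute: [], cannotRead: [], canRead: [] };
const securedKb = { ...openKb, canRead: [hasRole('snc_internal')],
  canContribute: [(u) => u.roles.includes('snc_internal') && u.roles.length > 1] };
const plain = { cannotRead: [], canRead: [], roles: [] };
const props = { blockAccessWithNoUserCriteria: false, explicitRoles: true,
  applyRoleBasedSecurity: true };

console.log('guest reads KB with no criteria:', canRead(guest, openKb, plain, props));
```

Running the same users against a knowledge base with no criteria and then with the predefined explicit-role criteria shows which accounts gain read access only because the block_access_with_no_user_criteria property is false.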