Managing access to knowledge bases and knowledge articles

Release version:
Xanadu
Yokohama
Washington DC
Vancouver
UpdatedAug 1, 2024
7 minutes to read

Xanadu
Knowledge Management

Determine whether certain users or categories of users can access knowledge bases and knowledge articles by controlling contribute and read access.

As a knowledge administrator, manager of a knowledge base, or owner of a knowledge base, you can assign user criteria to control contribute and read access at the knowledge base level, where:

Read access determines the ability to view knowledge articles in a knowledge base.
Contribute access determines the ability to create, modify, and retire knowledge articles in a knowledge base.

As a knowledge administrator, manager of a knowledge base, or owner of a knowledge base, you can assign user criteria, or roles, or both, to control read access at the knowledge article level.

Try to use only user criteria, which were introduced in Knowledge Management v3, to control access to knowledge articles. Roles were used for this purpose in Knowledge Management v2. If no user criteria is selected for a knowledge base, all users can read and all users with roles can contribute to that knowledge base.

Note: By default, when contribute access isn't provided for a knowledge base, a user must meet both roles and user criteria conditions for read access. However, you can override roles set for a knowledge article and provide access through user criteria only by setting the glide.knowman.search.apply_role_based_security system property to false. Because this property isn't available by default, you must add it. For more information, see Add a system property.

User criteria for knowledge access

As a knowledge administrator, manager of a knowledge base, or owner of a knowledge base, you control access to knowledge bases or knowledge articles for a user through user criteria, which are described in the following table.

Search:

Table 1. User criteria definitions
User criteria	Result
Cannot Contribute	Cannot contribute (that is can't create, modify, or retire) knowledge articles within a knowledge base. The Cannot Contribute user criteria is available only for knowledge bases.
Can Contribute	Can contribute (that is can view, create, modify, or retire) knowledge articles within a knowledge base. The Can Contribute user criteria is available only for knowledge bases.
Cannot Read	At the knowledge base level, cannot view knowledge articles within a knowledge base. At the knowledge article level, cannot view a knowledge article.
Can Read	At the knowledge base level, can view knowledge articles within a knowledge base. At the knowledge article level, can view a knowledge article.

The access to knowledge base and its articles are defined based on the user criteria status for a user as described in the following table.

Search:

Table 2. Combining knowledge base and knowledge article user criteria
Status	Access
The user matches both Can Contribute and Cannot Contribute at the knowledge base level	The user is denied contribute access to the knowledge base and its articles.
The user matches both Can Read and Cannot Read at the knowledge base level	The user is denied read access to the knowledge base and its articles.
The user matches Can Read at the knowledge base level and Cannot Read at the knowledge article level	The user is denied read access to the knowledge article.
The user matches Cannot Read and Can Read at the knowledge article level	The user is denied read access to the knowledge article.

Users with special knowledge privileges

Users with special knowledge privileges aren't evaluated based on user criteria and have knowledge bases and knowledge articles access as described in the following table.

Search:

Table 3. Access of users with special privileges to knowledge bases and knowledge articles
User	Access
Knowledge administrator	Contribute to and read all knowledge bases and their articles. Modify the definition of all knowledge bases and assign user criteria to them. Note: This access doesn't apply to scoped knowledge bases. For more information, see Scoped knowledge bases.
Owner of a knowledge base	Contribute to and read that knowledge base. Modify the definition of that knowledge base and assign user criteria to it.
Manager of a knowledge base	Contribute to and read that knowledge base. Modify the definition of that knowledge base and assign user criteria to it. Note: If the article versioning feature is enabled, the manager of a knowledge base can’t modify knowledge articles of other authors that are in the Draft state. For more information, see Article versioning.
Members of an ownership group associated with a knowledge article	Read, modify, approve, and retire that knowledge article (see Ownership groups).

Explicit roles and user criteria

Explicit roles (snc_external and snc_internal) are added to your instance when your administrator installs a plugin, such as the Customer Service plugin (com.sn_customerservice), that also activates the Explicit Roles plugin (com.glide.explicit_roles). If you create a knowledge base with the Explicit Roles plugin (com.glide.explicit_roles) activated, the application automatically adds the following predefined user criteria at the knowledge base level:

Users with 'snc_internal' role – Added to the Can Read user criteria enabling only users with the snc_internal role have read access to the knowledge base.
Users with snc_internal' and another role – Added to the Can Contribute user criteria enabling only users with the snc_internal role and at least one additional role have contribute access to the knowledge base.

When you upgrade to product versions (from Rome onwards) that offer the Explicit Roles plugin (com.glide.explicit_roles), the predefined user criteria Users with 'snc_internal' role and Users with 'snc_internal' and another role aren't automatically added to any existing knowledge bases created prior to the activation of the Explicit Roles plugin. To add these predefined user criteria to an existing knowledge base, run the Fix unsecured knowledge bases fix script. For more information about explicit roles and fix scripts, see Explicit Roles and Fix scripts.

Determining contribute access to a knowledge base and its articles using user criteria

The flowchart in this section illustrates the user criteria checks that determine contribute access at the knowledge base and article levels.

Note: In order for an unauthenticated user to view knowledge articles within the knowledge base, ensure that the audience for the Knowledge Management Service Portal pages is set to public; that is, the page can be accessed without the need for authentication. For more information, see Create and edit a page using the Service Portal Designer.

Flowchart showing how contribute access to a knowledge base and its article using user criteria is evaluated — Figure 1. Contribute access to a knowledge base and its article flowchart

When either Cannot Contribute isn’t set or a user doesn’t match Cannot Contribute and additionally Can Contribute is not set, the glide.knowman.block_access_with_no_user_criteria property value is further evaluated to determine contribute access, as explained in the following table.

Table 4. Contribute access to a knowledge base when user criteria for a knowledge base aren't set
Property value	Result
true	No user has contribute access to the knowledge base except users with special knowledge privileges.
false	All users, including unauthenticated users, with at least one role can contribute to the knowledge base. If the Explicit Roles plugin (com.glide.explicit_roles) is activated, users who have at least one role other than snc_internal can contribute to the knowledge base. To check knowledge bases accessible to unauthenticated users, use the User Criteria Diagnostics feature. For more information, see Configure access to knowledge bases for unauthenticated users.

When a user has contribute access to a knowledge base, the glide.knowman.apply_article_read_criteria property is evaluated to determine contribute access to an article in the knowledge base, as explained in the following table.

Table 5. Contribute access to an article when a user has contribute access to a knowledge base
Property value	Result
true	Article-level read access overrides the default contribute permission granted by contribute access at the knowledge base level.
false	Contribute access at the knowledge base level takes precedence over article-level user criteria and the user has contribute access to every article in the knowledge base.

Determining read access to articles in a knowledge base using user criteria

The following flowchart illustrates the user criteria checks that determine read access to a knowledge article.

Flowchart showing how read access to a knowledge article using user criteria is evaluated. — Figure 2. Read access to a knowledge article flowchart

When either Cannot Read isn’t set or a user doesn’t match Cannot Read and additionally Can Read is not set, the glide.knowman.block_access_with_no_user_criteria property value is further evaluated to determine read access, as explained in the following table.

Table 6. Read access when user criteria for a knowledge base aren't set
Property value	Result
true	No user has read access except users with special knowledge privileges and users who have contribute access to the knowledge base.
false	All users, including unauthenticated users, have read access to the knowledge base and the article-level user criteria are further evaluated. To check knowledge bases accessible to unauthenticated users, use the User Criteria Diagnostics feature. For more information, see Configure access to knowledge bases for unauthenticated users.

When a user has contribute access to a knowledge base, the glide.knowman.apply_article_read_criteria property is evaluated to determine read access to an article in the knowledge base, as explained in the following table.

Table 7. Read access to an article when a user has contribute access to a knowledge base
Property value	Result
true	Article-level read access overrides the default read permission granted by contribute access at the knowledge base level.
false	Contribute access at the knowledge base level takes precedence over article-level user criteria and the user has read access to every article in the knowledge base.

Important: After you add user criteria, you can use the user criteria diagnostics feature to verify the access that users have to a knowledge base or a knowledge article. For more information, see User criteria diagnostics for Knowledge Management.

Xanadu Now Platform Capabilities

Filters

Versions

Products