You can specify access permissions for externally defined users and groups when ingesting external documents. AI Search preserves these permissions during indexing so that user content security filters can operate on them at search time.

For details on including access permissions for externally defined users and groups in ingested external documents, see the POST /ais/external_content/ingestDocument/{schema_table_name} endpoint of the External Content Ingestion API.

External content access permissions

External content security includes permissions that describe user and group access for an external document. When indexing an external document, AI Search stores these permissions so that content security filters can limit user access to the indexed search result.

Access permissions

AI Search supports the following access permissions on ingested external documents.

Security principalDescription
everyone

Boolean option that indicates whether access to the external document is allowed for all users. AI Search applies this global access permission to the indexed record created from the document.

Set this permission for an ingested document via the [array].principals.everyone request body parameter in a request to the POST /ais/external_content/ingestDocument/{schema_table_name} endpoint of the External Content Ingestion API.

When set to true, this permission overrides all groups and users permissions.

This permission is mutually exclusive with none. Only one of these two permissions can be set to true for any external document.
groups.deny

List of externally defined groups that are denied access to the external document. Now Platform users mapped to any of these external groups can't view the indexed search result record created from the document.

Set this permission for an ingested document via the [array].principals.groups.deny request body parameter in a request to the POST /ais/external_content/ingestDocument/{schema_table_name} endpoint of the External Content Ingestion API.

This permission takes precedence over groups.read. If the same group has both read and deny access permissions for a document, AI Search denies members of the group access to the indexed record.

By default, users.read takes precedence over this permission. To reverse this precedence order for an indexed source, see Change the precedence of user read and group deny permissions for an external content indexed source.
groups.read

List of externally defined groups that are allowed access to the external document. Now Platform users mapped to any of these external groups can view the indexed search result record created from the document.

Set this permission for an ingested document via the [array].principals.groups.read request body parameter in a request to the POST /ais/external_content/ingestDocument/{schema_table_name} endpoint of the External Content Ingestion API.

groups.deny permission takes precedence over this permission. If the same group has both read and deny access permissions for a document, AI Search denies members of the group access to the indexed record.
none

Boolean option indicating whether access to the external document is denied for all users. AI Search applies this global denial permission to the indexed record created from the document.

Set this permission for an ingested document via the [array].principals.none request body parameter in a request to the POST /ais/external_content/ingestDocument/{schema_table_name} endpoint of the External Content Ingestion API.

When set to true, this permission overrides all groups and users permissions.

This permission is mutually exclusive with none. Only one of these two permissions can be set to true for any external document.
users.deny

List of externally defined users that are denied access to the external document. Now Platform users mapped to any of these external users can't view the indexed search result record created from the document.

Set this permission for an ingested document via the [array].principals.users.deny request body parameter in a request to the POST /ais/external_content/ingestDocument/{schema_table_name} endpoint of the External Content Ingestion API.

This permission takes precedence over users.read. If the same user has both read and deny access permissions for a document, AI Search denies that user access to the indexed record.
users.read

List of externally defined users that are allowed access to the external document. Now Platform users mapped to any of these external users can view the indexed search result record created from the document.

Set this permission for an ingested document via the [array].principals.users.read request body parameter in a request to the POST /ais/external_content/ingestDocument/{schema_table_name} endpoint of the External Content Ingestion API.

users.deny takes precedence over this permission. If the same user has both read and deny access permissions for a document, AI Search denies that user access to the indexed record.

By default, this permission takes precedence over groups.deny. To reverse this precedence order for an indexed source, see Change the precedence of user read and group deny permissions for an external content indexed source.

Precedence order for principal permissions

The precedence order for [array].principals permissions on an ingested external document depends on the value of the user_read_takes_precedence_over_group_deny attribute for the document's indexed source.

Attribute value Precedence order for principal permissions
true
From highest precedence to lowest:
  1. everyone and none
  2. users.deny
  3. users.read
  4. groups.deny
  5. groups.read
Note: This is the default attribute value for external content indexed sources.
false
From highest precedence to lowest:
  1. everyone and none
  2. users.deny and groups.deny
  3. users.read and groups.read
Note: For instructions on setting this attribute value, see Change the precedence of user read and group deny permissions for an external content indexed source.

For details on how content security permissions from certain user roles interact with these external content security principals, see Special external content access permissions by role.

Special external content access permissions by role

Certain user roles provide special access permissions for external content indexed records.

Role Permissions

AI Search administrator [ais_admin]
An AI Search administrator can access all external content indexed records in a search application.
Note: To bypass all search source and content security filtering in the Search Preview UI, you also need the impersonator and AI Search high security administrator [ais_high_security_admin] roles. For details on this procedure, see Diagnose search result access issues using the Search Preview UI.
Guest user [public] Non-authenticated guest users can only access external content indexed records that have the everyone permission set to true.
Self-registered external user [snc_external]

Self-registered external users that belong to groups can access external content indexed records based on their group memberships. External users that don't belong to any group can only access external content indexed records that have the everyone permission set to true.

For more details on self-registered external users, see Self-register to ServiceNow instance.

Change the precedence of user read and group deny permissions for an external content indexed source

Make external group deny access permissions take precedence over external user read access permissions for all external documents ingested through an indexed source.

Before you begin

The External Content for AI Search plugin (com.glide.ais.external_content) must be activated in your instance.

The source table for the indexed source must be an external content schema table.

Role required: ais_admin

About this task

By default, external user read access permissions (users.read) on an external document take precedence over external group deny access permissions (groups.deny) on the same document.

For example, suppose you ingest external content through an indexed source with a user mapping that maps Now Platform user beth.anglin@example.com to external user ad\beth-anglin and external group report-users. If an external document grants read access to ad\beth-anglin and denies access to report-users, AI Search allows beth.anglin@example.com to view the indexed search result record for the external document.

To reverse this default behavior for an indexed source, making external group deny permissions take precedence over external user read permissions for all of its indexed records, change the value of the indexed source's user_read_takes_precedence_over_group_deny attribute. In the preceding example, making this change would prevent beth.anglin@example.com from viewing the indexed search result record for the external document.

Procedure

  1. Navigate to All > AI Search > AI Search Index > Indexed Sources.
  2. If the Advanced Configuration related list doesn't appear on the form, follow the steps in Add a related list to a form, selecting the AI Search Indexed Source Attribute->Indexed Source list in the slushbucket.
  3. In the Advanced Configuration related list, select New.
  4. On the Indexed Source Attribute form, enter the following field values.
    Field Value
    Attribute user_read_takes_precedence_over_group_deny
    Value false

    For a description of the field values, see Indexed Source Attribute form.

  5. Select Submit.
    The attribute and value appear in the Advanced Configuration related list.

Result

The change in permission preference takes effect for search results from the external content indexed source.