Issue with Knowledge Blocks Access Control - Need Help Overcoming "Can Contribute" Rule
07-16-2024 11:51 PM
Hi everyone,
I'm encountering a critical issue with the functionality of Knowledge Blocks due to the rules governing their access. Here’s my situation:
- I have a knowledge base (KB001) where the "Can contribute" section/tab is assigned to an assignment group named GlobalGrp.
- Knowledge Blocks have been enabled in KB001.
- I created a Knowledge Block (KB1) with the "CAN READ" section mapped to an assignment group (SubGrp1) and left the "CANNOT READ" section empty. KB1 is published.
- I created a knowledge article (KA1) and added KB1 to it. KA1 is saved and published.
According to my understanding, only users in the SubGrp1 group should see the contents of KB1 in KA1. Other users should not see KB1’s contents.
However, when I tested:
- User 1, belonging to SubGrp1, can see KB1’s content in KA1.
- User 2, not in SubGrp1, can also see KB1’s content in KA1.
Upon reviewing the ServiceNow documentation (https://docs.servicenow.com/bundle/washingtondc-servicenow-platform/page/product/knowledge-managemen...), I found these rules:
- Rule 1: Users meeting any "Can Contribute" criteria at the knowledge base level can read all Knowledge Block content, regardless of "Can read" or "Cannot read" settings at the block level.
- Rule 2: Users meeting any "Cannot read" criteria at the block level cannot read the block content, regardless of "Can read" settings.
In my case, since SubGrp1 is part of GlobalGrp mapped in the "Can contribute" section of the knowledge base, all users can see KB1’s content in KA1, regardless of its specific permissions.
This issue prevents us from effectively using the "Can read" and "Cannot read" conditions of Knowledge Blocks. Has anyone encountered this problem before? How can we overcome this issue or possibly override Rule 1?
Your guidance and suggestions would be greatly appreciated. Thank you!
Please let me know if there are any questions.
3 hours ago
I do not profess to be anything of a guru, I am just looking for information. Not sure if you're still troubleshooting this. I saw this on another thread, and when I read yours I went back to grab it. It looks to be the same thing, where everyone in the contribute group can see it, as opposed to being restricted based on user.
Hope this helps:
Need to enable the sys property glide.knowman.apply_article_read_criteria. This will cause the article's can read/cannot read to override the knowledge base can read/can contribute.
2 hours ago
Hi @PrathviC ,
There is no out-of-the-box method to override this behavior or change the evaluation order.
Recommended approaches:
- Separate Restricted Content into a Different Knowledge Base
  - Create a dedicated Knowledge Base for restricted content.
  - Configure Can Read and Can Contribute criteria specifically for SubGrp1.
  - Store sensitive Knowledge Blocks in this Knowledge Base.
- Use Cannot Read User Criteria
  - Configure appropriate Cannot Read criteria on the Knowledge Block to explicitly deny access where possible.
  - Note that this may require additional maintenance for large user populations.
- Review Knowledge Base Access Model
  - If granular content-level security is required, reconsider assigning broad groups to the Knowledge Base Can Contribute field.
  - Align Knowledge Base permissions with the intended audience for the Knowledge Blocks.
Please mark as Correct Answer/Helpful, if applicable.
Chiranjeevi
ServiceNow Developer | | ITSM | | ServiceNow Discovery | | Event Management | | Service Mapping | | CMDB
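The two rules quoted in the question and the first recommendation in the answer above, modelled as an added example; it is not ServiceNow code and does not come from any poster in this thread. The membership of user2 and user3, the `restrictedKb` name, and evaluating Rule 1 against the knowledge base that stores the block are assumptions of this model.

```javascript
// Model of the two rules quoted in the question; not ServiceNow code.
// Constructed membership: SubGrp1 is nested in GlobalGrp (from the question),
// user2 is a direct member of GlobalGrp (assumption), user3 is in neither group.
const groups = new Map([
  ["SubGrp1", ["user1"]],
  ["GlobalGrp", ["SubGrp1", "user2"]],
]);

// Resolve a group to its users, following nested groups.
function membersOf(group, seen = new Set()) {
  if (seen.has(group)) return new Set(); // guard against cyclic nesting
  seen.add(group);
  const users = new Set();
  for (const m of groups.get(group) || []) {
    if (groups.has(m)) membersOf(m, seen).forEach((u) => users.add(u));
    else users.add(m);
  }
  return users;
}

const inAny = (user, list) => list.some((g) => membersOf(g).has(user));

// Returns { allowed, via } for one user and one block.
// kb is the knowledge base that stores the block (assumption of this model).
// Assumes block.canRead is non-empty; the quoted rules do not cover an empty list.
function evaluateBlock(user, kb, block) {
  if (inAny(user, kb.canContribute)) return { allowed: true, via: "rule1-kb-can-contribute" };
  if (inAny(user, block.cannotRead)) return { allowed: false, via: "rule2-block-cannot-read" };
  if (inAny(user, block.canRead)) return { allowed: true, via: "block-can-read" };
  return { allowed: false, via: "no-match" };
}

// Users who can read the block although they are outside its Can read groups.
function unintendedReaders(users, kb, block) {
  return users.filter(
    (u) => evaluateBlock(u, kb, block).allowed && !inAny(u, block.canRead)
  );
}

const users = ["user1", "user2", "user3"];
const kb1Block = { canRead: ["SubGrp1"], cannotRead: [] };
const kb001 = { canContribute: ["GlobalGrp"] };      // setup from the question
const restrictedKb = { canContribute: ["SubGrp1"] }; // hypothetical dedicated KB

console.log(unintendedReaders(users, kb001, kb1Block));        // [ 'user2' ]
console.log(unintendedReaders(users, restrictedKb, kb1Block)); // []
```

Any user listed by `unintendedReaders` reaches the block through the knowledge base's Can contribute criteria rather than the block's own Can read list, which is the gap to look for when reviewing a knowledge base that holds restricted blocks.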