Restricting access to knowledge article templates
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-06-2025 12:07 PM
I have several article templates (let's use u_kb_template_test for example) and need to restrict access to who can create an article using them.
A user in the 'test_expert' role should be able to navigate to All -> Self-Service -> Knowledge -> Create an Article and select "Test" from the list of available article templates. Either "any user" or "any user with role test_reader" (for example) should be able to read the article. Users with a variety of roles can create articles, so they should be able to see other templates (like FAQ, for example) but not "Test".
I navigated to u_kb_template_test.list -> table context menu -> Configure -> Security Rules and created an ACL with the following properties:
- Type: record
- Operation: read
- Decision Type: Deny Unless
- Active: true
- Admin overrides: true
- Name: Test [u_kb_template_test] (nothing in the fields selection)
- Role: test_expert
Impersonating a user without the test_expert role, I could still see the template in the list (though I could not create an article using it).
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-08-2025 01:49 AM
You're almost there in setting up the restriction, but there are a few important clarifications and adjustments needed to properly control who can see and use a specific knowledge article template like u_kb_template_test.
First, setting an ACL on the template table itself (like u_kb_template_test) only restricts direct access to that table, not whether the template appears in the dropdown when users click “Create an Article.” This means that even if users without the test_expert role can't open the template record directly, they might still see it listed in the template dropdown.
To control what appears in the article creation interface, you should use a client-side method. One practical approach is writing a client script on the kb_knowledge form. This script can check if the current user has the test_expert role and, if not, hide the "Test" template from the list of available templates. The script loops through the dropdown options and removes the one that matches the restricted template label.
While that handles visibility in the UI, it's also important to secure it on the backend. You can create a field-level write ACL on the article_template field of the kb_knowledge table. The script in the ACL should check if the template being set is u_kb_template_test and whether the user has the test_expert role. If they don’t, the ACL should return false, blocking the assignment even through background scripts or API usage.
To ensure that articles created with this template are readable by all users or a specific role like test_reader, adjust the read ACLs on the kb_knowledge table accordingly or configure the knowledge base access settings. You can also use script logic in the ACL to allow users who have either the test_reader or test_expert roles to read these articles.
Putting this together, you’ll use a client script to hide the template from unauthorized users, a write ACL to block backend misuse, and appropriate read ACLs to ensure visibility of published content is open as needed. This layered approach ensures both UI-level control and backend security.
