I'm having a problem with knowledge in my instance that I know is not OOB behavior, but I can't put my finger on what is going on. 

In my PDI I followed these steps:

1. Create a knowledge base. Assign "users with 'itil' role" as a "Can Read" and "Can Contribute" role.
2. Put a knowledge article in there. Impersonate a non-itil user and create an incident.
3. Impersonate an admin user. Attach the knowledge article to the incident and update the record so the default comment gets added to "additional comments" that the knowledge article was added.
4. Impersonate user from step 2. Find your incident in Requests page of service portal. Click the link in additional comments to the knowledge article. You will see an error message that states "You do not have sufficient privileges...". This is what I expect.

In my enterprise instance and downstream development instances, the non-itil user is directed to the knowledge article on the kb_view.do page and can read it no problem. A few additional observations from my enterprise instance:

• The user can also access the knowledge article using the permalink
• The containing knowledge base has been published to the portal, but the non-itil user can not see or browse in it. They can therefore only access the article with a direct link.

Is there something I'm misunderstanding about the knowledge management process, or a place I haven't looked?

Thanks!