Adding Role Based Restrictions on Knowledge v3 Category Editing

nullreturned · ‎11-14-2017

It seems that a rather large challenge for Organizations and Knowledge Management is the open nature of Knowledge Base Categories and users who can Contribute to those Knowledge Bases. Out of the box, anyone with Contribute rights to that Knowledge Base can add or modify Categories as they see fit. Many group do not want this, and this can either cause contention or the complete locking down of all Category Editing. At Acorio, we've come up with a viable solution to restrict Knowledge Base Category editing based on a role, (coupled with CanContribute) which has been attached to this Document.

Here is an explanation of this modification:

First we created a new Role within ServiceNow called "knowledge_category_editor", which will be used to define users with the ability to edit Knowledge Base Categories. It has been kept within the naming scheme of ServiceNow's out of the box roles.

Next we created a new system property called "acorio.knowledge.category.edit.role", which will hold the name of the role(s) that would be required to edit Knowledge Base categories. By default, we've set this property to the role listed above. We've also ensured this System Property is apart of the out of the box "Knowledge Other" Category, so it will appear under the Properties page for Knowledge Management. Lastly, even without specifying them the knowledge_manager and knowledge_admin roles will always be able to edit those categories as normal, whether they are listed in the System Property or not.

We then needed a method for accessing the availability of this role on the Client Side, as the Knowledge v3 uses a specific UI Macro to invoke and create the Category dialogue window. This was done with a simple Display Business Rule, setting a new Scratchpad value (g_scratchpad.cannotEditCategories) to the String of either "True" or "False" depending if the current user has the required role. By design, this will still allow Admins, as they have every role.

Lastly, we took the UI Macro "kb_category_reference_lookup", and renamed it to "kb_category_reference_lookup_original" to ensure there were no collisions with naming and calling it. We then duplicated the UI Macro, returning the new version to the original name. In this new version, we inserted the following code after line 38:

               var disableCategoryEditing = kb_knowledge_base_gr.disable_category_editing;
               if ( disableCategoryEditing == 'false' ) {
                       disableCategoryEditing = g_scratchpad.cannotEditCategories;
               }

The purpose of this code was to rationalize two things. First, we don't care about the new roled function if Category editing has been disabled from a Knowledge Base level. If Category Editing is not disabled, we will then check our new g_scratchpad variable to see if from the roled perspective Category editing should be disabled. We then had to use this new variable, which we do so by replacing the line:

               dialog.setPreference('disable_editing', kb_knowledge_base_gr.disable_category_editing);

with:

               dialog.setPreference('disable_editing', disableCategoryEditing);

And that should do it. As mentioned, I've included the Update Set export and this should function well with out of the box Knowledge Management v3. Of course, every environment is different so please deploy in a sub-prod instance and test before deploying to Production. This is a freely shared set of updates, so while I do not warranty this work, I will help as much as possible within reason. Thanks and hopefully this helps!

Dave Smith1 · ‎11-16-2017

Damien, this is exceptional - nice clear instructions and explanations!

Just a couple of questions to clarify:

I take it that - in order to amend a category, I need to hold a role mention in "acorio.knowledge.category.edit.role" plus be a contributor for that KB? I presume holding that role doesn't mean I can amend categories in KBs where I'm not on the CanContribute list.
Does knowledge_manager and/or knowledge_admin bypass this rule, or are those roles also encompassed and must be added to acorio.knowledge.category.edit.role? (i.e.: where in the processing chain does the check take place?)

nullreturned · ‎11-16-2017

Dave,

To answer your questions:

1.) Yes, this does not overcome the CanContribute security. It only tightens it farther.

2.) It did not originally, but I have uploaded a new version of the XML which will always include knowledge_manager and knowledge_admin as roles that can edit categories. So the system property only needs to specify outside roles from those two.

I've updated the document above to reflect all of this. Hopefully this helps!

Dave Smith1 · ‎11-17-2017

Splendid, thanks. So it looks like we now have a 6-tier hierarchy of users:

blocked.... basically, not on the CanRead list, KB is invisible to them.
CanRead = those that can view articles, possibly comment/like
CanContribute = those that can author articles. Authors are automatically readers.
CanContribute + {nominated role} = authors that can also alter/amend categories for the KB
knowledge_manager = as above, but can also approve/reject submitted content (and amend settings for the KB they're managing)
knowledge_admin = as above, but can also create/manipulate any KBs.

It would be nice if this could be absorbed in as another category - CanAuthor and CanOrganise, for example, so the latter permitted category manipulation and possibly placement of content within categories. Not sure if that's over-complicating the model!

Nice work nonetheless, Damien - and thanks for the fast response!

Aanchal Mehndi1 · ‎11-21-2017

Hi Damian,

My requirement is to restrict all users from editing categories except knowledge base owner and knowledge admin.

I have added condition which checks if logged in user is not same as knowledge base owner

g_scratchpad.cannotEditCategories= current.kb_knowledge_base.owner.getDisplayValue() != gs.getUserDisplayName();

When i am logging in with knowledge base owner, ui macro is not getting displayed properly, though in logs scratchpad is giving false. PFA screenshot below.

Kindly help !

nullreturned · ‎11-21-2017

Aanchal,

You instead want it to be:

g_scratchpad.cannotEditCategories = String( current.kb_knowledge_base.owner != gs.getUserID() && !gs.hasRole('knowledge_admin') );

The issue is that you want a string in that g_scratchpad value, not a Boolean. The line above will take into account both the knowledge_admin role as well as the logged in user being the Knowledge Base owner.

-Damian

Chalan B L · ‎12-06-2018

Duplicating a "UI Macro" is not recommended rit because every time upgrade happens this role logic will break !!!!

So this is only solution for this kind of requirement

nullreturned · ‎01-03-2019

Chalan,

Well, this should come up in the Skip log, and it can be merged as required. As this was written on previous versions of ServiceNow, there has been some slight changes in London. But using the same basic code changes, the same results can be achieved.