- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-14-2025 04:30 PM
I am setting up a Coveo Integration through API Oauth. The goal is to allow a crawling user accessed by Coveo to scrape knowledge articles and catalog items to be referenced in another app/interface. I was able to set up the Application Registry as well as the crawler user and Coveo was able to connect through the provided credentials.
My issue is that I am now stuck in an ACL nightmare of trying to give read only access. I have tried:
- snc_read_only combined with knowledge_admin and catalog_admin but cannot see all articles, only a random few.
- building the required read only ACL as outlined by Coveo, did not work, could not even connect to system
- one thing that did work was giving the coveo user account the admin role, but obviously this is not the correct solution.
- I tried adding the coveo user account to the user criteria and still did not give it access to read articles.
What roles can I give read only access to coveo that will allow it to read all knowledge articles regardless of user criteria and acls?
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-18-2025 04:46 AM
Hi @shelbyadams ,
This is a common challenge when setting up Coveo crawling in ServiceNow, especially around ACLs and read access.
Why the issue happens:
Knowledge articles and catalog items often have complex ACLs and user criteria controlling who can view them. The snc_read_only role is very limited and usually can’t bypass user criteria or certain ACLs. Giving admin bypasses everything, which is why it works but isn’t recommended for security reasons.
Recommended approach to give Coveo read-only access to all knowledge articles:
Create a dedicated Role for Coveo
Create a custom role like x_coveo_crawler (or similar).
Assign this role only to the Coveo crawler user.
Adjust Knowledge Base User Criteria:
Modify or create user criteria on your Knowledge Bases to include this Coveo crawler user or role, so it’s explicitly allowed to see the articles.
This step is critical because user criteria often restrict access regardless of roles.
Update ACLs if necessary:
Check your ACLs on kb_knowledge and related tables.
You can either:
Add an additional condition to allow your x_coveo_crawler role read access.
Or create specific ACLs with read access for this role without impacting other users.
Test Access Using the “Preview as” Feature:
In ServiceNow, impersonate the Coveo user and confirm they can see the articles. This helps debug if any ACL or user criteria is blocking access.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-18-2025 04:46 AM
Hi @shelbyadams ,
This is a common challenge when setting up Coveo crawling in ServiceNow, especially around ACLs and read access.
Why the issue happens:
Knowledge articles and catalog items often have complex ACLs and user criteria controlling who can view them. The snc_read_only role is very limited and usually can’t bypass user criteria or certain ACLs. Giving admin bypasses everything, which is why it works but isn’t recommended for security reasons.
Recommended approach to give Coveo read-only access to all knowledge articles:
Create a dedicated Role for Coveo
Create a custom role like x_coveo_crawler (or similar).
Assign this role only to the Coveo crawler user.
Adjust Knowledge Base User Criteria:
Modify or create user criteria on your Knowledge Bases to include this Coveo crawler user or role, so it’s explicitly allowed to see the articles.
This step is critical because user criteria often restrict access regardless of roles.
Update ACLs if necessary:
Check your ACLs on kb_knowledge and related tables.
You can either:
Add an additional condition to allow your x_coveo_crawler role read access.
Or create specific ACLs with read access for this role without impacting other users.
Test Access Using the “Preview as” Feature:
In ServiceNow, impersonate the Coveo user and confirm they can see the articles. This helps debug if any ACL or user criteria is blocking access.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-18-2025 03:07 PM
thank you, this is a very helpful breakdown of where I can start my troubleshooting. I made me realize that I needed to have field level ACLs for knowledge and that I needed user criteria ACLs as well.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-18-2025 09:45 PM
@shelbyadams , welcome😊
