Managing access to knowledge bases and knowledge articles

  • Release version: Yokohama
  • Updated January 30, 2025
  • 7 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Managing access to knowledge bases and knowledge articles

    This documentation explains how to control user access to knowledge bases and knowledge articles within ServiceNow’s Knowledge Management. Access is managed by assigninguser criteriaorrolesto determine who canreadorcontribute(create, modify, retire) content. Knowledge administrators, knowledge base managers, and owners have the authority to configure these access controls at both the knowledge base and article levels.

    Show full answer Show less

    Key Features

    • Read vs. Contribute Access: Read access allows viewing articles; contribute access allows editing and managing articles.
    • User Criteria: Preferred method to control access, introduced in Knowledge Management v3, replacing roles for article-level access control.
    • Default Access: If no user criteria is assigned, all users can read, and all users with roles can contribute.
    • Role Override Option: The system property glide.knowman.search.applyrolebasedsecurity can be added to disable role-based security and rely solely on user criteria.
    • User Criteria Types:
      • Cannot Contribute: Denies contribute permissions at knowledge base level.
      • Can Contribute: Grants contribute permissions at knowledge base level.
      • Cannot Read: Denies read permission at knowledge base or article level.
      • Can Read: Grants read permission at knowledge base or article level.
    • Special User Privileges: Knowledge administrators, owners, and managers have override access to contribute and read, with some restrictions (e.g., managers cannot modify draft articles by other authors if versioning is enabled).
    • Explicit Roles Plugin: If activated, predefined user criteria based on internal/external roles are automatically added to knowledge bases for access control.
    • Access Determination Logic: Flowcharts and system properties govern how contribute and read permissions are evaluated, including scenarios for unauthenticated users and interactions between knowledge base-level and article-level criteria.
    • User Criteria Diagnostics: After configuring user criteria, use this feature to verify user access to knowledge bases and articles.

    Practical Implications for ServiceNow Customers

    By managing user criteria and roles effectively, you can precisely control who can view or edit knowledge content, ensuring sensitive information is protected and editing rights are correctly assigned. Enabling or disabling system properties allows you to tailor access behavior to your organization’s security policies. Using the User Criteria Diagnostics tool helps verify access setups, reducing misconfigurations.

    For unauthenticated users, ensure portal pages are set to public if you want open access to knowledge articles.

    Next Steps

    • Create and assign user criteria to knowledge bases and articles to enforce your organization’s access policies.
    • Evaluate and configure relevant system properties to align with your security requirements.
    • Use User Criteria Diagnostics to confirm effective access control.
    • Leverage explicit roles if your instance uses the Explicit Roles plugin for streamlined internal/external access distinctions.

    Determine whether certain users or categories of users can access knowledge bases and knowledge articles by controlling contribute and read access.

    As a knowledge administrator, manager of a knowledge base, or owner of a knowledge base, you can assign user criteria to control contribute and read access at the knowledge base level, where:
    • Read access determines the ability to view knowledge articles in a knowledge base.
    • Contribute access determines the ability to create, modify, and retire knowledge articles in a knowledge base.

    As a knowledge administrator, manager of a knowledge base, or owner of a knowledge base, you can assign user criteria, or roles, or both, to control read access at the knowledge article level.

    Try to use only user criteria, which were introduced in Knowledge Management v3, to control access to knowledge articles. Roles were used for this purpose in Knowledge Management v2. If no user criteria is selected for a knowledge base, all users can read and all users with roles can contribute to that knowledge base.

    Note:
    By default, when contribute access isn't provided for a knowledge base, a user must meet both roles and user criteria conditions for read access. However, you can override roles set for a knowledge article and provide access through user criteria only by setting the glide.knowman.search.apply_role_based_security system property to false. Because this property isn't available by default, you must add it. For more information, see Add a system property.

    User criteria for knowledge access

    As a knowledge administrator, manager of a knowledge base, or owner of a knowledge base, you control access to knowledge bases or knowledge articles for a user through user criteria, which are described in the following table.

    Table 1. User criteria definitions
    User criteria Result
    Cannot Contribute Cannot contribute (that is can't create, modify, or retire) knowledge articles within a knowledge base. The Cannot Contribute user criteria is available only for knowledge bases.
    Can Contribute Can contribute (that is can view, create, modify, or retire) knowledge articles within a knowledge base. The Can Contribute user criteria is available only for knowledge bases.
    Cannot Read

    At the knowledge base level, cannot view knowledge articles within a knowledge base.

    At the knowledge article level, cannot view a knowledge article.
    Can Read

    At the knowledge base level, can view knowledge articles within a knowledge base.

    At the knowledge article level, can view a knowledge article.

    The access to knowledge base and its articles are defined based on the user criteria status for a user as described in the following table.

    Table 2. Combining knowledge base and knowledge article user criteria
    Status Access
    The user matches both Can Contribute and Cannot Contribute at the knowledge base level The user is denied contribute access to the knowledge base and its articles.
    The user matches both Can Read and Cannot Read at the knowledge base level The user is denied read access to the knowledge base and its articles.
    The user matches Can Read at the knowledge base level and Cannot Read at the knowledge article level The user is denied read access to the knowledge article.
    The user matches Cannot Read and Can Read at the knowledge article level The user is denied read access to the knowledge article.

    Users with special knowledge privileges

    Users with special knowledge privileges aren't evaluated based on user criteria and have knowledge bases and knowledge articles access as described in the following table.

    Table 3. Access of users with special privileges to knowledge bases and knowledge articles
    User Access
    Knowledge administrator
    • Contribute to and read all knowledge bases and their articles.
    • Modify the definition of all knowledge bases and assign user criteria to them.
    Note:
    This access doesn't apply to scoped knowledge bases. For more information, see Scoped knowledge bases.
    Owner of a knowledge base
    • Contribute to and read that knowledge base.
    • Modify the definition of that knowledge base and assign user criteria to it.
    Manager of a knowledge base
    • Contribute to and read that knowledge base.
    • Modify the definition of that knowledge base and assign user criteria to it.
    Note:
    If the article versioning feature is enabled, the manager of a knowledge base can’t modify knowledge articles of other authors that are in the Draft state. For more information, see Article versioning.
    Members of an ownership group associated with a knowledge article Read, modify, approve, and retire that knowledge article (see Ownership groups).

    Explicit roles and user criteria

    Explicit roles (snc_external and snc_internal) are added to your instance when your administrator installs a plugin, such as the Customer Service plugin (com.sn_customerservice), that also activates the Explicit Roles plugin (com.glide.explicit_roles). If you create a knowledge base with the Explicit Roles plugin (com.glide.explicit_roles) activated, the application automatically adds the following predefined user criteria at the knowledge base level:

    • Users with 'snc_internal' role – Added to the Can Read user criteria enabling only users with the snc_internal role have read access to the knowledge base.
    • Users with snc_internal' and another role – Added to the Can Contribute user criteria enabling only users with the snc_internal role and at least one additional role have contribute access to the knowledge base.

    When you upgrade to product versions (from Rome onwards) that offer the Explicit Roles plugin (com.glide.explicit_roles), the predefined user criteria Users with 'snc_internal' role and Users with 'snc_internal' and another role aren't automatically added to any existing knowledge bases created prior to the activation of the Explicit Roles plugin. To add these predefined user criteria to an existing knowledge base, run the Fix unsecured knowledge bases fix script. For more information about explicit roles and fix scripts, see Explicit Roles and Fix scripts.

    Determining contribute access to a knowledge base and its articles using user criteria

    The flowchart in this section illustrates the user criteria checks that determine contribute access at the knowledge base and article levels.
    Note:
    In order for an unauthenticated user to view knowledge articles within the knowledge base, ensure that the audience for the Knowledge Management Service Portal pages is set to public; that is, the page can be accessed without the need for authentication. For more information, see Create and edit a page using the Service Portal Designer.
    Figure 1. Contribute access to a knowledge base and its article flowchart
    Flowchart showing how contribute access to a knowledge base and its article using user criteria is evaluated

    When either Cannot Contribute isn’t set or a user doesn’t match Cannot Contribute and additionally Can Contribute is not set, the glide.knowman.block_access_with_no_user_criteria property value is further evaluated to determine contribute access, as explained in the following table.

    Table 4. Contribute access to a knowledge base when user criteria for a knowledge base aren't set
    Property value Result
    true No user has contribute access to the knowledge base except users with special knowledge privileges.
    false All users, including unauthenticated users, with at least one role can contribute to the knowledge base.

    If the Explicit Roles plugin (com.glide.explicit_roles) is activated, users who have at least one role other than snc_internal can contribute to the knowledge base.

    To check knowledge bases accessible to unauthenticated users, use the User Criteria Diagnostics feature. For more information, see Configure access to knowledge bases for unauthenticated users.

    When a user has contribute access to a knowledge base, the glide.knowman.apply_article_read_criteria property is evaluated to determine contribute access to an article in the knowledge base, as explained in the following table.

    Table 5. Contribute access to an article when a user has contribute access to a knowledge base
    Property value Result
    true Article-level read access overrides the default contribute permission granted by contribute access at the knowledge base level.
    false Contribute access at the knowledge base level takes precedence over article-level user criteria and the user has contribute access to every article in the knowledge base.

    Determining read access to articles in a knowledge base using user criteria

    The following flowchart illustrates the user criteria checks that determine read access to a knowledge article.

    Figure 2. Read access to a knowledge article flowchart
    Flowchart showing how read access to a knowledge article using user criteria is evaluated.

    When either Cannot Read isn’t set or a user doesn’t match Cannot Read and additionally Can Read is not set, the glide.knowman.block_access_with_no_user_criteria property value is further evaluated to determine read access, as explained in the following table.

    Table 6. Read access when user criteria for a knowledge base aren't set
    Property value Result
    true No user has read access except users with special knowledge privileges and users who have contribute access to the knowledge base.
    false All users, including unauthenticated users, have read access to the knowledge base and the article-level user criteria are further evaluated.

    To check knowledge bases accessible to unauthenticated users, use the User Criteria Diagnostics feature. For more information, see Configure access to knowledge bases for unauthenticated users.

    When a user has contribute access to a knowledge base, the glide.knowman.apply_article_read_criteria property is evaluated to determine read access to an article in the knowledge base, as explained in the following table.

    Table 7. Read access to an article when a user has contribute access to a knowledge base
    Property value Result
    true Article-level read access overrides the default read permission granted by contribute access at the knowledge base level.
    false Contribute access at the knowledge base level takes precedence over article-level user criteria and the user has read access to every article in the knowledge base.
    Important:
    After you add user criteria, you can use the user criteria diagnostics feature to verify the access that users have to a knowledge base or a knowledge article. For more information, see User criteria diagnostics for Knowledge Management.