External content security for AI Search

Release version: Yokohama

Updated July 16, 2025

2 minutes to read

Summarize

Summarized using AI

Summary of External content security for AI Search

AI Search ensures that user and group security access permissions from external documents are preserved and enforced during search operations. This allows ServiceNow customers to maintain precise control over who can access externally sourced content within AI Search results by mapping external users and groups to ServiceNow AI Platform users.

Show full answer Show less

Key Features

Preservation of Access Permissions: Access permissions specified on each external document during ingestion are maintained during indexing to enforce security at search time.
User and Group Mapping: Externally defined users and groups are mapped to ServiceNow AI Platform users via user mapping tables linked to indexed sources, enabling correct application of access controls.
Flexible Access Control: Permissions can be set globally or specifically for users and groups, with options to configure precedence and special access roles.
Security Enforcement at Query Time: AI Search compares mapped user aliases to document access permissions to determine if a search result should be visible to a ServiceNow user.

How It Works for ServiceNow Customers

During Document Ingestion: Specify access permissions for each external document, defining which external users or groups can or cannot access it.
User Mapping Configuration: Create tables that map external user and group aliases to ServiceNow AI Platform users and link these tables to external content indexed sources.
At Search Time: AI Search uses these mappings and permissions to filter search results so that users see only content they are authorized to access.

Practical Benefits

Enables secure integration of external content with AI Search while preserving original access controls.
Provides granular control over search result visibility based on existing external security models.
Supports compliance with organizational security policies by enforcing external content permissions within ServiceNow.
Facilitates seamless user experience by mapping external identities to ServiceNow users for consistent access management.

AI Search preserves user and group security access permissions specified for documents indexed from external sources. You can control access to external content search results by mapping these externally defined users and groups to ServiceNow AI Platform® users.

For an overview of AI Search content security, see Content security in AI Search.

Requirements

To use external content security, include the following two steps in your ingestion and indexing process for external documents:


Step	Description
Specify access permissions on each external document fed for ingestion	Access permissions for an external document can allow or deny access to the document globally (for all users), or can include lists of specific externally defined users and groups who are allowed or denied access to the document. AI Search preserves the external document's security access permissions during indexing. Additional information: For an overview of specifying access permissions on external documents, see Defining access permissions for external documents. To learn about the set of access permissions supported for external content security, see External content access permissions. For details on special access permissions granted by certain user roles, see Special external content access permissions by role. To learn how to reverse the default precedence of users.read and groups.deny access permissions for an external content indexed source, see Change the precedence of user read and group deny permissions for an external content indexed source.
Define user mappings in tables linked to external content indexed sources	A user mapping specifies externally defined user and group aliases for a ServiceNow AI Platform user. Link these user mappings to indexed sources for external content. AI Search uses an indexed source's user mappings in conjunction with indexed records' access permissions to determine ServiceNow AI Platform user access for search results from the indexed source. Additional information: For an overview of user mappings, see Mapping external users and groups to ServiceNow AI Platform users. To learn about the set of externally defined security principal types supported in user mappings, see External user mapping security principal types. For instructions on creating a table to store your user mappings, see Create a user mapping table. For instructions on linking your user mapping tables to external content indexed sources, see Link a user mapping table to an external content indexed source. To learn about importing user mappings via the AI Search External User Mapping API, see Importing user mappings. For instructions on viewing user mapping import history records to confirm that user mappings imported correctly, see View history records for user mapping import operations.

Security implementation for search queries

When a user's search query matches an indexed record created from an external document, AI Search performs these steps:

Examines the user mappings linked to the record's indexed source and retrieves the set of all externally defined users and groups aliased to the current ServiceNow AI Platform user's account.
Compares the mapped set of externally defined user and group aliases with the access permissions on the indexed search result record to see whether the ServiceNow AI Platform user should be allowed to view the search result.