Managing access to knowledge bases and knowledge articles

  • Release version: Zurich
  • Updated July 31, 2025
  • 7 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Managing Access to Knowledge Bases and Knowledge Articles

    This guide explains how ServiceNow customers can control user access to knowledge bases and knowledge articles by managing contribute and read permissions. Knowledge administrators, knowledge base managers, and owners assign user criteria and roles to regulate who can view, create, modify, or retire knowledge articles at both the knowledge base and article levels.

    Show full answer Show less

    Key Features

    • Access Types:
      • Read access: Allows viewing knowledge articles.
      • Contribute access: Allows creating, modifying, and retiring knowledge articles.
    • User Criteria Controls: Use user criteria (introduced in Knowledge Management v3) primarily to control access, replacing older role-based controls from v2. User criteria include Can Read, Cannot Read, Can Contribute, and Cannot Contribute, which apply differently at the knowledge base and article levels.
    • Default Access Behavior: If no user criteria are set, all users can read and users with roles can contribute. System properties can override role-based restrictions to rely solely on user criteria if needed, but require manual configuration.
    • Special Privileges: Knowledge administrators, knowledge base owners, and managers have unrestricted contribute and read access to their knowledge bases and articles, with some restrictions when versioning is enabled. Members of ownership groups have full control over associated articles.
    • Explicit Roles Plugin: When activated, predefined user criteria for internal users (e.g., users with the sncinternal role) are automatically applied to knowledge bases, streamlining internal and external user access management.
    • Access Determination Logic: Access to knowledge bases and articles is determined through user criteria evaluation, combined with configurable system properties that dictate default access when criteria are not set. Flowcharts and tables define how contribute and read access are granted or denied based on these criteria.
    • User Criteria Diagnostics: A diagnostic feature is available to verify and troubleshoot user access to knowledge bases and articles, ensuring correct configuration of access controls.
    • Unauthenticated Users: To allow unauthenticated users to view knowledge articles, the Knowledge Management Service Portal pages must be configured with a public audience.

    Practical Application for ServiceNow Customers

    • As a knowledge administrator or manager, assign user criteria to knowledge bases to control who can read or contribute content, ensuring sensitive information is accessed only by appropriate users.
    • Use article-level user criteria to further restrict read access to specific knowledge articles within a knowledge base.
    • Leverage the glide.knowman.search.applyrolebasedsecurity system property to customize whether role-based security is enforced or overridden by user criteria.
    • Activate and configure the Explicit Roles plugin to simplify management of internal versus external user access rights.
    • Regularly use the User Criteria Diagnostics tool to confirm users have the intended access, helping maintain security and compliance.
    • When enabling access for unauthenticated users, ensure the relevant Service Portal pages are public to allow viewing without login.

    Conclusion

    Managing access through user criteria and roles enables precise control over knowledge base and article visibility and editing rights in ServiceNow. This capability helps organizations protect sensitive knowledge while empowering authorized users to contribute effectively. Proper configuration and diagnostic checks ensure access aligns with organizational policies and user needs.

    Determine whether certain users or categories of users can access knowledge bases and knowledge articles by controlling contribute and read access.

    As a knowledge administrator, manager of a knowledge base, or owner of a knowledge base, you can assign user criteria to control contribute and read access at the knowledge base level, where:
    • Read access determines the ability to view knowledge articles in a knowledge base.
    • Contribute access determines the ability to create, modify, and retire knowledge articles in a knowledge base.

    As a knowledge administrator, manager of a knowledge base, or owner of a knowledge base, you can assign user criteria, or roles, or both, to control read access at the knowledge article level.

    Try to use only user criteria, which were introduced in Knowledge Management v3, to control access to knowledge articles. Roles were used for this purpose in Knowledge Management v2. If no user criteria is selected for a knowledge base, all users can read and all users with roles can contribute to that knowledge base.

    Note:
    By default, when contribute access isn't provided for a knowledge base, a user must meet both roles and user criteria conditions for read access. However, you can override roles set for a knowledge article and provide access through user criteria only by setting the glide.knowman.search.apply_role_based_security system property to false. Because this property isn't available by default, you must add it. For more information, see Add a system property.

    User criteria for knowledge access

    As a knowledge administrator, manager of a knowledge base, or owner of a knowledge base, you control access to knowledge bases or knowledge articles for a user through user criteria, which are described in the following table.

    Table 1. User criteria definitions
    User criteria Result
    Cannot Contribute Cannot contribute (that is can't create, modify, or retire) knowledge articles within a knowledge base. The Cannot Contribute user criteria is available only for knowledge bases.
    Can Contribute Can contribute (that is can view, create, modify, or retire) knowledge articles within a knowledge base. The Can Contribute user criteria is available only for knowledge bases.
    Cannot Read

    At the knowledge base level, cannot view knowledge articles within a knowledge base.

    At the knowledge article level, cannot view a knowledge article.
    Can Read

    At the knowledge base level, can view knowledge articles within a knowledge base.

    At the knowledge article level, can view a knowledge article.

    The access to knowledge base and its articles are defined based on the user criteria status for a user as described in the following table.

    Table 2. Combining knowledge base and knowledge article user criteria
    Status Access
    The user matches both Can Contribute and Cannot Contribute at the knowledge base level The user is denied contribute access to the knowledge base and its articles.
    The user matches both Can Read and Cannot Read at the knowledge base level The user is denied read access to the knowledge base and its articles.
    The user matches Can Read at the knowledge base level and Cannot Read at the knowledge article level The user is denied read access to the knowledge article.
    The user matches Cannot Read and Can Read at the knowledge article level The user is denied read access to the knowledge article.

    Users with special knowledge privileges

    Users with special knowledge privileges aren't evaluated based on user criteria and have knowledge bases and knowledge articles access as described in the following table.

    Table 3. Access of users with special privileges to knowledge bases and knowledge articles
    User Access
    Knowledge administrator
    • Contribute to and read all knowledge bases and their articles.
    • Modify the definition of all knowledge bases and assign user criteria to them.
    Note:
    This access doesn't apply to scoped knowledge bases. For more information, see Scoped knowledge bases.
    Owner of a knowledge base
    • Contribute to and read that knowledge base.
    • Modify the definition of that knowledge base and assign user criteria to it.
    Manager of a knowledge base
    • Contribute to and read that knowledge base.
    • Modify the definition of that knowledge base and assign user criteria to it.
    Note:
    If the article versioning feature is enabled, the manager of a knowledge base can’t modify knowledge articles of other authors that are in the Draft state. For more information, see Article versioning.
    Members of an ownership group associated with a knowledge article Read, modify, approve, and retire that knowledge article (see Ownership groups).

    Explicit roles and user criteria

    Explicit roles (snc_external and snc_internal) are added to your instance when your administrator installs a plugin, such as the Customer Service plugin (com.sn_customerservice), that also activates the Explicit Roles plugin (com.glide.explicit_roles). If you create a knowledge base with the Explicit Roles plugin (com.glide.explicit_roles) activated, the application automatically adds the following predefined user criteria at the knowledge base level:

    • Users with 'snc_internal' role – Added to the Can Read user criteria enabling only users with the snc_internal role have read access to the knowledge base.
    • Users with snc_internal' and another role – Added to the Can Contribute user criteria enabling only users with the snc_internal role and at least one additional role have contribute access to the knowledge base.

    When you upgrade to product versions (from Rome onwards) that offer the Explicit Roles plugin (com.glide.explicit_roles), the predefined user criteria Users with 'snc_internal' role and Users with 'snc_internal' and another role aren't automatically added to any existing knowledge bases created prior to the activation of the Explicit Roles plugin. To add these predefined user criteria to an existing knowledge base, run the Fix unsecured knowledge bases fix script. For more information about explicit roles and fix scripts, see Explicit Roles and Fix scripts.

    Determining contribute access to a knowledge base and its articles using user criteria

    The flowchart in this section illustrates the user criteria checks that determine contribute access at the knowledge base and article levels.
    Note:
    In order for an unauthenticated user to view knowledge articles within the knowledge base, ensure that the audience for the Knowledge Management Service Portal pages is set to public; that is, the page can be accessed without the need for authentication. For more information, see Create and edit a page using the Service Portal Designer.
    Figure 1. Contribute access to a knowledge base and its article flowchart
    Flowchart showing how contribute access to a knowledge base and its article using user criteria is evaluated

    When either Cannot Contribute isn’t set or a user doesn’t match Cannot Contribute and additionally Can Contribute is not set, the glide.knowman.block_access_with_no_user_criteria property value is further evaluated to determine contribute access, as explained in the following table.

    Table 4. Contribute access to a knowledge base when user criteria for a knowledge base aren't set
    Property value Result
    true No user has contribute access to the knowledge base except users with special knowledge privileges.
    false All users, including unauthenticated users, with at least one role can contribute to the knowledge base.

    If the Explicit Roles plugin (com.glide.explicit_roles) is activated, users who have at least one role other than snc_internal can contribute to the knowledge base.

    To check knowledge bases accessible to unauthenticated users, use the User Criteria Diagnostics feature. For more information, see Configure access to knowledge bases for unauthenticated users.

    When a user has contribute access to a knowledge base, the glide.knowman.apply_article_read_criteria property is evaluated to determine contribute access to an article in the knowledge base, as explained in the following table.

    Table 5. Contribute access to an article when a user has contribute access to a knowledge base
    Property value Result
    true Article-level read access overrides the default contribute permission granted by contribute access at the knowledge base level.
    false Contribute access at the knowledge base level takes precedence over article-level user criteria and the user has contribute access to every article in the knowledge base.

    Determining read access to articles in a knowledge base using user criteria

    The following flowchart illustrates the user criteria checks that determine read access to a knowledge article.

    Figure 2. Read access to a knowledge article flowchart
    Flowchart showing how read access to a knowledge article using user criteria is evaluated.

    When either Cannot Read isn’t set or a user doesn’t match Cannot Read and additionally Can Read is not set, the glide.knowman.block_access_with_no_user_criteria property value is further evaluated to determine read access, as explained in the following table.

    Table 6. Read access when user criteria for a knowledge base aren't set
    Property value Result
    true No user has read access except users with special knowledge privileges and users who have contribute access to the knowledge base.
    false All users, including unauthenticated users, have read access to the knowledge base and the article-level user criteria are further evaluated.

    To check knowledge bases accessible to unauthenticated users, use the User Criteria Diagnostics feature. For more information, see Configure access to knowledge bases for unauthenticated users.

    When a user has contribute access to a knowledge base, the glide.knowman.apply_article_read_criteria property is evaluated to determine read access to an article in the knowledge base, as explained in the following table.

    Table 7. Read access to an article when a user has contribute access to a knowledge base
    Property value Result
    true Article-level read access overrides the default read permission granted by contribute access at the knowledge base level.
    false Contribute access at the knowledge base level takes precedence over article-level user criteria and the user has read access to every article in the knowledge base.
    Important:
    After you add user criteria, you can use the user criteria diagnostics feature to verify the access that users have to a knowledge base or a knowledge article. For more information, see User criteria diagnostics for Knowledge Management.