There are two ways to restrict access to knowledge base articles:
This article details how to manage access by using the Can Read and Cannot Read settings.
This is done by adding and removing groups and individual users to these settings.
You can test visibility from the classic user interface via the related links at the bottom of form. Read more about this test: User criteria diagnostics for Knowledge Management | ServiceNow Docs.
The two knowledge bases have two different user criteria.
The IT Library allows all users to view an article. The DIT Internal Library allows only users who are DIT employees to view an article.
This chart illustrates how permissions are inherited. All users can access the IT Library, including the two main subsets, CAS-authenticated users and DIT employees.
Individual articles can be restricted to subsets of these groups, but the settings cannot supersede the user criteria set at the knowledge base level.
This chart demonstrates that you cannot restrict an article to subsets of DIT employees. In this example, you cannot restrict an article so that only the DIT Security department can read it because that would supersede the knowledge base level user criteria settings.
IMPORTANT: DIT employees can always read an article in the IT Library and DIT Internal knowledge bases, regardless of the restrictions you set. This is because the DIT Internal knowledge base level user criteria includes the ServiceNow group All DIT People in the Can Read setting and all DIT employees have the knowledge role in ServiceNow.
The setting is maxed at 50.
If you need more than 50 users, please contact the Knowledge Management team directly with your request by contacting the Service Desk.
Groups should be created when you plan to repeatedly restrict access to or from the same group of people.
For example, if you want to restrict access to several articles so that only English professors can read an article, you would create a group called “English Professors” in Grouper.
While all users can pick existing user criteria, creating a new group or editing a group requires the user_criteria_admin role.
I want to restrict access to an article so that only UMD IT managers can read an article.
Because UMD IT managers can all log into CAS, you can put the article in the IT Library. Then, add the UMD IT managers to the Can Read criteria, either as a group or a list of users. This will allow those users (and DIT employees) to read the article.
I want to restrict access so that only the DIT Security team can read and write to several articles.
You should not use the Can Read and Cannot Read settings for this. All DIT employees can read knowledge articles in the IT Library and DIT Internal Library. You cannot restrict access to a subset of this group, as the knowledge base level user criteria will override the article settings.
I want to restrict access to a couple articles so that a group of people from outside the University of Maryland as well as the DIT employees.
You can only restrict articles to people who can log in to the University CAS system. If the people outside of UMD cannot log in to CAS, you cannot do this.
If they can, put the article in the IT Library. Then, create a group in Grouper. Add that group to the Can Read setting of the articles.