Manage Who Can Read and Cannot Read A Knowledge Base Article



There are two ways to restrict access to knowledge base articles:

  1. By managing the user criteria for the knowledge base. (For more information on how to do this, refer to the More information and resources section of this article.)
  2. By managing the user criteria for a knowledge article by using the Can Read and Cannot Read settings.

This article details how to manage access by using the Can Read and Cannot Read settings.
You do this by adding groups and individual users to these settings, or removing them.

Who can manage these settings?

Edit Can Read and Cannot Read settings

  1. Open a knowledge article in ServiceNow.
  2. In the Article Security tab, unlock the Can Read or Cannot Read settings.
  3. Search for and add or remove users and groups to restrict read access. Groups that are created in Grouper can be found by searching in the User Criteria Records. Users may need to be added directly to the User Criteria table by clicking New and then completing the form.
  4. Click Submit to save your changes.

How can I test these settings?

You can test visibility from the classic user interface via the related links at the bottom of the form. Read more about this test: User criteria diagnostics for Knowledge Management | ServiceNow Docs.

How does it work?

The two knowledge bases have two different user criteria.

The IT Library allows all users to view an article. The DIT Internal Library allows only users who are DIT employees to view an article.

[Chart: IT Library is all users and DIT Internal is DIT Employees]

This chart illustrates how permissions are inherited. All users can access the IT Library, including the two main subsets, CAS-authenticated users and DIT employees.

Individual articles can be restricted to subsets of these groups, but the settings cannot supersede the user criteria set at the knowledge base level.

[Chart: Cannot create a subgroup within DIT Employees]

This chart demonstrates that you cannot restrict an article to subsets of DIT employees. In this example, you cannot restrict an article so that only the DIT Security department can read it because that would supersede the knowledge base level user criteria settings.

IMPORTANT: DIT employees can always read an article in the IT Library and DIT Internal knowledge bases, regardless of the restrictions you set. This is because the DIT Internal knowledge base level user criteria includes the ServiceNow group All DIT People in the Can Read setting and all DIT employees have the knowledge role in ServiceNow.

How many individual users can be added to a Can Read or Cannot Read setting?

Each setting accepts a maximum of 50 individual users.

If you need more than 50 users, please contact the Knowledge Management team directly with your request by contacting the Service Desk.

When should I create a group for the Can Read or Cannot Read setting?

Groups should be created when you plan to repeatedly restrict access to or from the same group of people.

For example, if you want to restrict access to several articles so that only English professors can read them, you would create a group called “English Professors” in Grouper.

While all users can pick existing user criteria, creating a new group or editing a group requires the user_criteria_admin role.

What are some example cases?

Case study 1: Restrict to only UMD IT managers

What are you trying to do?

I want to restrict access to an article so that only UMD IT managers can read it.

How can I do this?

Because UMD IT managers can all log into CAS, you can put the article in the IT Library. Then, add the UMD IT managers to the Can Read criteria, either as a group or a list of users. This will allow those users (and DIT employees) to read the article.

[Chart: UMD IT Managers fit within CAS-Authenticated Users between the permissions of IT Library and DIT Internal]

Case study 2: Restrict to only DIT Security team

What are you trying to do?

I want to restrict access so that only the DIT Security team can read and write to several articles.

How can I do this?

You should not use the Can Read and Cannot Read settings for this. All DIT employees can read knowledge articles in the IT Library and DIT Internal Library. You cannot restrict access to a subset of this group, as the knowledge base level user criteria will override the article settings.

Case study 3: Restrict to outside UMD and DIT employees

What are you trying to do?

I want to restrict access to a couple of articles so that a group of people from outside the University of Maryland, as well as DIT employees, can read them.

How can I do this?

You can only restrict articles to people who can log in to the University CAS system. If the people outside of UMD cannot log in to CAS, you cannot do this.

If they can, put the article in the IT Library. Then, create a group in Grouper. Add that group to the Can Read setting of the articles.
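The rules in "How does it work?" and the three case studies can be checked with a small model. This is an added example, not ServiceNow code or anything taken from the platform. It assumes that an empty Can Read list means no article-level limit and that Cannot Read wins over Can Read; the user names and the "Students" and "External Partners" groups are made up.

```python
from dataclasses import dataclass, field

DIT = "All DIT People"  # ServiceNow group named in the article
# Knowledge-base-level Can Read criteria as described above (None = all users).
KB_CAN_READ = {"IT Library": None, "DIT Internal Library": {DIT}}

@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)
    cas_login: bool = True  # False: cannot log in to CAS

@dataclass
class Article:
    kb: str
    can_read: set = field(default_factory=set)     # empty = no article-level limit (assumption)
    cannot_read: set = field(default_factory=set)

def can_read(user, article):
    # Group membership is only known for users who logged in through CAS.
    groups = user.groups if user.cas_login else set()
    kb_criteria = KB_CAN_READ[article.kb]
    # 1. Knowledge base criteria come first; article settings cannot supersede them.
    if kb_criteria is not None and not (groups & kb_criteria):
        return False
    # 2. DIT employees can always read, whatever the article settings say.
    if DIT in groups:
        return True
    # 3. For everyone else, Cannot Read wins over Can Read (assumption).
    if groups & article.cannot_read:
        return False
    return not article.can_read or bool(groups & article.can_read)

def readers(users, article):
    # Names of the sample users who end up able to read the article.
    return sorted(u.name for u in users if can_read(u, article))

# Constructed sample directory (names and non-DIT groups are made up).
USERS = [User("alice", {DIT, "DIT Security"}), User("bob", {DIT}),
         User("carol", {"UMD IT Managers"}), User("dave", {"Students"}),
         User("erin", {"External Partners"}, cas_login=False)]

# Case study 1: IT Library article limited to UMD IT managers.
CASE1 = Article("IT Library", can_read={"UMD IT Managers"})
# Case study 2: attempt to limit a DIT Internal article to DIT Security.
CASE2 = Article("DIT Internal Library", can_read={"DIT Security"})
# Case study 3: outside group whose members cannot log in to CAS.
CASE3 = Article("IT Library", can_read={"External Partners"})
for case in (CASE1, CASE2, CASE3):
    print(case.kb, sorted(case.can_read), "->", readers(USERS, case))
```

In case study 2 the model still lists bob, a DIT employee outside DIT Security, as a reader, which is why the article says not to use these settings for that purpose.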

More information and resources