SNC Development

PRB632565: Knowledge v3 search results do not obey ACLs

Login

Number: KB0551111

Because Knowledge v3 does not use ACLs to restrict access, knowledge search includes results that are restricted via ACLs for the current user.

Steps to Reproduce

1. Create ACLs that prevent a certain user from accessing knowledge articles. 2. Log in as the restricted user.
3. Search for a restricted article.

The article appears in search results but you cannot view the full article. Workaround

Do not use ACLs to restrict articles when using Knowledge v3. In v3, security is handled strictly by user criteria:

http://wiki.servicenow.com/index.php?title=Migrating_to_Knowledge_Management_v3#Key_Differences

If you need to prevent certain users from seeing knowledge articles, move those articles to a separate knowledge base with more strict user criteria.

For more information, see: KB0550924: Understanding User Criteria and ACLs in Knowledge v3. Related Problem: PRB632565

Seen In Fixed In

Eureka Patch 8 Fuji Patch 3 Fuji Patch 6

There is no data to report.

Associated Community Threads

Community Thread

https://community.servicenow.com/issues/3611

Article Information
Last Updated:2015-08-24 01:35:20

Published:2015-08-24 Copy Permalink

Title Responses

Restricted KB articles still showing in Fuji

Upvotes

Home
Knowledge Management

125 views Description

PRB632565: Knowledge v3 search results do not obey ACLs

Login

Number: KB0551111

Because Knowledge v3 does not use ACLs to restrict access, knowledge search includes results that are restricted via ACLs for the current user.

Steps to Reproduce

1. Create ACLs that prevent a certain user from accessing knowledge articles. 2. Log in as the restricted user.
3. Search for a restricted article.

The article appears in search results but you cannot view the full article. Workaround

Do not use ACLs to restrict articles when using Knowledge v3. In v3, security is handled strictly by user criteria:

http://wiki.servicenow.com/index.php?title=Migrating_to_Knowledge_Management_v3#Key_Differences

If you need to prevent certain users from seeing knowledge articles, move those articles to a separate knowledge base with more strict user criteria.

For more information, see: KB0550924: Understanding User Criteria and ACLs in Knowledge v3. Related Problem: PRB632565

Seen In

Eureka Patch 8

Fuji Patch 3

Fuji Patch 6

Fixed In
There is no data to report.

Associated Community Threads

Community Thread

https://community.servicenow.com/issues/3611

Article Information
Last Updated:2015-08-24 01:35:20

Published:2015-08-24 Copy Permalink

Title Responses

Restricted KB articles still showing in Fuji

Upvotes

Home
Service Management Knowledge Management

Overview

Understanding User Criteria and ACLs in

Knowledge v3 286 views

Login

With the Fuji release, knowledge functionality is upgraded to Knowledge v3. Prior to Knowledge v3, ACLs and roles were used to determine who can view and create knowledge content. With Knowledge v3, this functionality was replaced with User Criteria.

User criteria allows knowledge managers to implement and modify security without a system administrator’s involvement, as well as define separate security configurations for different knowledge bases.

Refer to the ServiceNow product documentation for more information about these topics.

Knowledge v3 User Criteria

Basic Principles

Several basic principles apply to all instances when configuring user criteria in knowledge.

A knowledge manager can specify which users Can read and Can contribute to a knowledge base by creating and selecting user criteria.
A user must have at least one role to contribute. This requirement is independent of any user criteria selected for a knowledge base.

If no user criteria is selected for a knowledge base, all users can read and all users with roles can contribute to that knowledge base.
Selecting a single user criteria record in the Can read and Can contribute related lists restricts the audience and contributors of that knowledge base to those users.

Users included in the Can contribute user criteria can also read articles. You do not need to explicitly grant these users read- access.
Knowledge search results include articles from all knowledge bases the current user has access to. If user criteria prevents a user from viewing an article, that article does not appear in search results for that user.

User criteria records are shared between Knowledge and the Service Catalog.

ACLs in Knowledge v3

Knowledge v3 is intended to be used with user criteria alone. For best results, do not use ACLs to control access in Knowledge v3. Though ACLs control access in lists and forms, only user criteria is respected when you browse or search knowledge; ACLs are not. If you use ACLs to restrict content in Knowledge v3, these ACLs apply only when a user opens an article.

Recommendations for Adopting Knowledge v3

Follow these recommendations when configuring Knowledge v3:

Remove custom ACLs from the kb_knowledge table and replace them with user criteria. Mixing ACLs and user criteria may result in unexpected behavior.
Do not restrict access to knowledge bases for the purpose of targeting search results. Instead, create categories within the knowledge base to allow users to filter content when browsing or searching knowledge.

Example Use Cases

Several use cases are available describing pre-Fuji knowledge configurations that use ACLs, and how to migrate these configurations to Knowledge v3 using user criteria.

Example 1

“ACME North America has a knowledge base with articles visible to users based on the department that they work in. If the user is part of the HR department, there are articles that only they can see. Everyone can read IT department articles but only the IT department and Knowledge department can write them. Additionally there are articles that all users can read. “

You can implement this configuration in Knowledge v3:

1. Createtheseknowledgebases: Company Knowledge Base

HR Knowledge Base

IT Knowledge Base
2. Createausercriteriarecordwiththefollowingvalues.

Name: ACME North America

Company: ACME North America.
3. Createasecondusercriteriarecordwiththefollowingvalues.

Name ACME North America Knowledge Department Company: ACME North America
Department: Knowledge Department
Match All: Selected

4. Createathirdusercriteriarecordwiththefollowingvalues. Name: ACME North America IT Department Company: ACME North America
Department: IT Department

Match All: Selected
5. Configuretheusercriteriafortheknowledgebasesusingthetablebelow.

Using this configuration the Company Knowledge Base articles are visible to all users, the HR Knowledge Base is completely private to the HR department, and the IT Knowledge Base is available to all users but maintained only by the IT and Knowledge departments.

Example 2

“ACME Europe has a knowledge base where some articles are visible only to internal users. On each knowledge article record, Knowledge department members can control if the article is for internal or external users. ACME Europe users can see all articles. Only the Knowledge department can create articles.”

You can implement this configuration in Knowledge v3:

1. Createtheseknowledgebases: Internal Knowledge Articles

External Knowledge Articles 2. Createtheseusergroups:

Internal Users

External Users
3. Specifyifeachuserisinternalorexternalbyaddingthatusertotheappropriategroup. 4. Createausercriteriarecordwiththesevalues:

Name: ACME Europe

Company: ACME Europe
5. Createasecondusercriteriarecordwiththesevalues:

Name: ACME Europe Knowledge Department Company: ACME Europe
Department: Knowledge Department
Match All: Selected

6. Createathirdusercriteriarecordwiththesevalues: Name: Internal users

Groups: Internal Users
7. Createafourthusercriteriarecordwiththesevalues:

Name: External Users

Groups: External Users
8. Configuretheusercriteriafortheknowledgebasesusingthetablebelow.

Number: KB0550924

Knowledge base

Can read

Can contribute

Internal Knowledge Articles

ACME Europe and Internal Users

ACME Europe Knowledge Department

External Knowledge Articles

ACME Europe and External Users

ACME Europe Knowledge Department

Using this configuration the Knowledge department does not need to indicate if each article is internal or external. Access is managed automatically by publishing to the correct knowledge base.

Article Information

Last Updated:2015-08-12 07:22:29 Published:2015-08-12

Copy Permalink

These links may be helpful. With the new V3 in Fuji – ACL’s have been replaced with User Criteria Records.

User Criteria – ServiceNow Wiki

Getting familiar with Knowledge Management v3 in Fuji

ServiceNow KB: Understanding User Criteria and ACLs in Knowledge v3 (KB0550924)

ACLs in Knowledge v3

Knowledge v3 is intended to be used with user criteria alone. For best results, do not use ACLs to control access in Knowledge v3. Though ACLs control access in lists and forms, only user criteria is respected when you browse or search knowledge; ACLs are not. If you use ACLs to restrict content in Knowledge v3, these ACLs apply only when a user opens an article.

ServiceNow KB: PRB632565: Knowledge v3 search results do not obey ACLs (KB0551111)

Re: Restricted KB articles still showing in Fuji

Migrating to Knowledge Management v3 – ServiceNow Wiki

2 Key Differences

These key differences exist between the legacy and v3 knowledge management functionality.