Description
In Istanbul a user bypass Can Read or Cannot Read user criteria defined on an article, even if the Knowledge Base does not have any user criteria defined for Can Read or Can Contribute. So when a user navigates to the knowledge homepage, they are able to see the article.
Steps to Reproduce
- Navigate to Knowledge > Administration > User Criteria
- Create a new User Criteria record, and assign a user to it: Beth Anglin
- Deactivate all knowledge bases except for IT
- Within the active knowledge base, remove all existing User Criteria: Can Read and Can Contribute
- Within the articles, apply the User Criteria record from step 2 to the Cannot Read section on the article
- Impersonate Beth Anglin and navigate to Knowledge Homepage
While the user should not see the articles due to user criteria, the Knowledge Base user criteria is overriding the article user criteria.
Workaround
This is documented at https://docs.servicenow.com/bundle/istanbul-servicenow-platform/page/product/knowledge-management/task/t_SelectUCArticle.html. The table at the bottom of the document documents that article level user criteria is applicable only when the user does not have contribute access on the Knowledge Base but has read access on the Knowledge Base.
In other words, if a user has Contribute access to the Knowledge Base either through an explicit user criteria or because the Can Contribute list for the Knowledge Base is empty, the article level user criteria have no effect.
Related Problem: PRB826734