knowledge roles role name description knowledge editor this is the base role for the knowledge application this essentially provides users the ability to create and update knowledge articles knowledge manager this role provides an expanded set of privileges for the knowledge application these users can skip workflow states and create/modify knowledge bases for the knowledge bases they are the manager for knowledge administrator this is the highest privileged role for the knowledge application and provides the ability to edit properties and other administration capabilities how knowledge's security works due to the large number of uses and processes that knowledge articles can be a part of, the security for knowledge articles is relatively complex as a result it uses a combination of information from the knowledge base, permissions and other values on the actual knowledge article record to understand who can read or edit the article knowledge base permission type security model why was it set up like this? create a knowledge base only users who have the knowledge administrator or administrator role can do this this was done as it it likely does not make that sense that people can create knowledge bases at random and should be done in a more controlled manner read a knowledge base there are essentially two levels of security to knowledge bases see all knowledge bases administrators or knowledge administrators basic knowledge base visibility to be able to see any knowledge base, users need the knowledge editor role in addition to this though, the user also has to fulfil one of the following conditions based on the knowledge base record they are the manager for that knowledge base they are the approver of the knowledge base if there is a role required for visibility, they have one of the roles listed there (if there are no roles listed there, they can see the knowledge base by default) | this was done to link to the visibility of the articles that will be created as part of this base this is to prevent people from making articles for knowledge bases where they are not allowed to read articles within it, as that would not logically make sense | \| update a knowledge base | only users who have the knowledge administrator role or administrators can do this | this was done as it it likely does not make that sense that people can update knowledge bases at random and should be done in a more controlled manner also, as this can potentially allow more or less users to view the articles, going through a proper process makes sense | \| delete a knowledge base | only users who have the knowledge administrator role or administrators can do this | this was done due to the potential impact to the system by deleting a knowledge base this has the potential to open up the visibility of knowledge articles records, so it was secured accordingly | knowledge article permission type security model why was it set up like this? create a knowledge article to be able to create a knowledge article, the knowledge editor role is required with only the knowledge editor role, it is only possible to be able to create articles that a user has visibility for if the user is a knowledge administrator or administrator though, the user can create a knowledge article in any knowledge base to ensure users only make articles in the knowledge bases that they are actually able to see read a knowledge article there are three different levels of security to knowledge articles, which all offer differing levels of visibility see all knowledge articles administrators or knowledge administrators only see specific articles for the next level of security, users need at least knowledge editor role however in addition to that, they need to fulfil one of the following conditions based on the record's details or related knowledge base they are the author of that article they are listed as an approver for that article they are an approver for that article they are the manager of the associated knowledge base they are an approver of the associated knowledge base they have the role required to view the associated knowledge base (if there are no roles listed here, they can see the knowledge article by default) only see specific published articles by default, there is one level of security for anyone that has the self service role this however restricts them only to seeing articles that are published and only if they have the role required to view the associated knowledge base (if there are no roles listed here, they can see the knowledge article by default) | as knowledge articles are often required to be visible by users from any part of a business, it made sense to make it open enough to make this possible that said, as a base they can only see published articles, as users should not be able to see articles that are in a draft state, as they may include incorrect information for the specific article visibility that are published however, this was set up to ensure that they users that should be able to read an article for a purpose (whether to approve or otherwise), can the differing level of visibility per knowledge base was set up, due to the fact that some knowledge bases may be set up only to provide work instructions for users, so ensuring that users only are provided information they should was a priority | \| update a knowledge article | there are essentially two different levels of security around updating knowledge articles it should be said however it is assumed the user has passed the read permission to be able to update, therefore these are conditions on top of the permissions above the different levels of ability to edit an article are as follows edit all articles within a knowledge base the user is a knowledge administrator, administrator or the manager of the associated knowledge base they can edit the article at any time and can also skip certain approval steps, despite the approval requirements of the associated knowledge base edit draft or articles that are peer reviewed within a knowledge base for a user to be able to edit an article, they need at a base the knowledge editor role it should be noted however, at a maximum they can only edit it when the status is peer review or draft in addition to this, if the associated knowledge base has a role required for editing, they require one of the roles here (otherwise they can edit any within the statuses mentioned above) | this was set up with the understanding that as different knowledge bases have different bases, it does not always make sense that a user with just a knowledge editor role can edit any of them therefore this ensures that if it is a hr knowledge base for example, hr users can editor them, whilst other people with the knowledge editor role but work in the it department, cannot edit these the reasoning behind cutting off editing rights are specific statuses was done due to the fact that once something has been peer reviewed and often approved, they should not be edited without following the proper process this is to archive, re draft and republished as required this is to prevent updates to published articles without anyone knowing however, it is often the case that something is small that can be done specifically, so allowing the manager or admin users to edit it, ensures that time is not wasted when it does not make sense | \| delete a knowledge article | only users who have the knowledge administrator role or administrators can do this | in the system it is never recommended to delete knowledge articles, therefore if someone wants to stop users from being able to view a knowledge article, they should just archive the knowledge article instead or change its knowledge base | recommended role allocation before allocating roles, remember to see what roles already include what roles automatically, as to not double up when managing the knowledge process, there are essentially four main "personas" that align with this process therefore this section details the four main personas and what makes sense for their role allocation naturally, this is the lowest level of security for each and can be changed, but these are what we recommend organisational knowledge manager description this is the user who controls the knowledge base for the whole organisation and therefore often will want to change classifications or knowledge bases as they expand their knowledge base usage organisation wide they are not technical however and only focus on knowledge for the organisation, but are the go to person for anything in the organisation for knowledge roles recommended knowledge administrator knowledge manager knowledge editor application administrator platform selfservice platform agent any process specific agent role they need for their job, e g itsm agent if they actively work on incidents or hr agent if they actively work on hr cases department lead description this is the lead for a department and manages the knowledge base just for their department no article should be published or archived with their approval and often write work instructions they need published immediately roles recommended knowledge manager knowledge editor platform selfservice platform agent any process specific agent role they need for their job, e g itsm agent if they actively work on incidents or hr agent if they actively work on hr cases note it is recommended they are also made the approver and manager of the knowledge base to ensure articles are approved when required and so they have special capabilities to expedite the workflow service desk / hr agent description these are the people who work day to day on the associated help desk, service desk or part of the hr team they often draft articles or create articles for known errors, work arounds or general information, but need to follow correct process roles recommended knowledge editor platform selfservice platform agent any process specific agent role they need for their job, e g itsm agent if they actively work on incidents or hr agent if they actively work on hr cases any other user in the organisation description these are the users who never need to write an article, approve an article or review an article they are a part of the organisation, but need to be provided information as it comes up for any issues or requests they raise they also may self serve through sofi or otherwise roles recommended platform selfservice