Permissions for knowledge articles

  • Question

  • Hi,

    I need to configure a role whose members are the only users who can read some of the
    knowledge articles. I have created a couple of knowledge articles and
    included them in a group. Then I created a role and did not select that
    group, but they could see the articles anyway.

    This is how I configured the roles:

    Operator role
    Access to the following MPs: default MP, Knowledge Management Library,
    Incident Configuration Management, Incident Management Library, Service
    Manager Core Library
    Only Tier 1
    Groups: Global Settings and All users
    All tasks
    All views
    Only the default incident template

    The group I have created where the "secret" knowledge articles are included
    is named "Contoso - Group - Secret Knowledge".

    How do I configure a role to not see the knowledge articles in the
    "Contoso - Group - Secret Knowledge"?
    Where are knowledge articles stored? I can't select an MP when creating them.
    How do I know which management packs to select when creating a new role?

    Thanks

    --
    Anders Bengtsson
    Microsoft MVP - Ops Mgr
    www.contoso.se

    Friday, August 7, 2009 4:22 PM

Answers

  • RE: Any more ideas? The result should be a normal end user role, then a couple of different roles where I can select (add them to different groups) depending on what level of security access they have (how trusted they are :) ).
    Answer: No, unfortunately, sorry, I don't have any other ideas until 419688 is fixed.  Even when it is fixed, my proposal above is not really an ideal solution because you need to create an AD user group which contains all users in the organization except those that are going to have scoped access to knowledge.  AD doesn't really support a notion of exclusion of certain objects from groups, unfortunately.

    RE: Is it possible to store knowledge in management packs at all, if I author a new management pack?
    Answer: No, sorry, Service Manager knowledge cannot be contained in a management pack, even if you create a new one.  They are objects in Service Manager, not MP elements.  Service Manager knowledge is not like Operations Manager knowledge.

    Wednesday, August 19, 2009 2:17 AM

All replies

  • Hi Anders -

    I assume you are using a CTP2 build.

    Starting in CTP2 and going forward, anyone who is in the End User role will be able to read all knowledge articles.  Out of the box we put the NT_AUTHORITY\Authenticated Users user group in the End User role.  This means that out of the box all authenticated users can read all knowledge articles.

    The only way to create a situation where there are some users which cannot see certain knowledge articles is to do the following:
    1) Remove NT_AUTHORITY\Authenticated Users from the End User role (and possibly replace it with a group which does not include the users you don't want to read the knowledge articles)
    2) Create a group of Secret knowledge articles
    3) Create a group of Not Secret knowledge articles
    4) Create user roles and grant the appropriate knowledge article group to them

    Regarding your other questions...
    Where are knowledge articles stored?
    Knowledge articles are stored as objects of the System.Knowledge.Document class in the database.  They are not stored in management packs.

    How do I know which management packs to select when creating a new role?
    First, it's important to know that the management packs screen in the Create User Role wizard is just there to help you filter down the objects that are displayed on the remaining screens in the wizard.  Selecting a management pack in that wizard has no influence on security scopes.  It is purely for UI filtering purposes.

    If you know the management pack(s) that contain the objects you want to grant to the user role, then you can select them up front in the wizard and the remaining pages in the wizard will be easier to use.  If you don't know, then you can just select all and browse all of the objects on the remaining screens.


    Saturday, August 8, 2009 12:43 AM
  • Hi Travis,
     
    Thanks for your answer. If I start modifying the default End User role, don't I break other things then? Like the feature that all my domain users can create incidents.
     
    I removed NT_AUTHORITY\Authenticated Users from the End User Role. Then I can't add a group, as there is an issue with that (ID 419688 at Connect), so I added a user directly instead. The result of that is that I get a permission denied issue when the user tries to open the console, and I can't add NT_AUTHORITY\Authenticated Users back to the End User role.
     
    Any more ideas? The result should be a normal end user role, then a couple of different roles where I can select (add them to different groups) depending on what level of security access they have (how trusted they are :) ).
     
    Is it possible to store knowledge in management packs at all, if I author a new management pack?
     
    Thanks
     

    --

    Anders Bengtsson
    Microsoft MVP - Ops Mgr
    www.contoso.se
    Saturday, August 8, 2009 8:00 PM