The security settings under the Settings tab are mostly centered around the needs of private or internal knowledge bases. By default, your knowledge base is visible to the public, which means anyone can peruse your content. However, under Settings > Security, you have quite a few options.
When would I use the different types of security?
IP-based Restriction —
This setting is great for internal office knowledge bases. If you can track down the IP addresses that your office uses, you can paste the comma-separated list into the box and ensure that no one trying to access your knowledge base from outside of your office can get in.
Shared Password —
This one is great if you need to restrict access to your knowledge base but you aren't sure of your office's IP addresses or if your readers are going to be spread out. Creating a single password that you can give to everyone will allow you to control who gets in but will allow for more flexibility.
IP-based Restriction OR Shared Password —
You can also use this setting in combination with the IP protection setting for even more flexibility. What this means is that while someone is in your office they won't have to worry about logging in because they are accessing the knowledge base from an approved IP address. If they work from home one day though, they will be asked for the shared password to log in.
IP-based Restriction AND Shared Password —
Need more security? You can select to use IP-based restriction as well as a shared password for two-factor authentication.
Approved Readers —
Readers offer the most power in terms of authentication to your knowledge base. Essentially a reader is an individual login for each person or group whom you want to give access to your knowledge base. With this setting turned on, a person trying to access your knowledge base will be asked for a username and a password which we can then use to identify who they are. Once they log in, they will remain authenticated for 2 hours and can browse normally. If you select this option, you will need to set up readers under Your Account > Readers.
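How the four IP and shared-password combinations above evaluate a request, as an added Python example (not KnowledgeOwl's code). The mode names, the policy layout and the sample addresses and password are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress

def parse_allowlist(csv_text):
    """Turn the comma-separated box contents into a set of address objects."""
    return {ipaddress.ip_address(p.strip()) for p in csv_text.split(",") if p.strip()}

def hash_password(password, salt):
    # Store a salted hash of the shared password, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def ip_allowed(client_ip, allowlist):
    # client_ip should be the address of the connecting socket; a header such
    # as X-Forwarded-For is only usable when set by a proxy you control.
    try:
        return ipaddress.ip_address(client_ip) in allowlist
    except ValueError:
        return False  # fail closed on anything that is not an IP address

def password_ok(supplied, salt, stored_hash):
    if supplied is None:
        return False
    return hmac.compare_digest(hash_password(supplied, salt), stored_hash)

def access_granted(mode, client_ip, supplied_password, policy):
    """mode is one of: 'ip', 'password', 'ip_or_password', 'ip_and_password'."""
    ip_ok = ip_allowed(client_ip, policy["allowlist"])
    pw_ok = password_ok(supplied_password, policy["salt"], policy["pw_hash"])
    checks = {
        "ip": ip_ok,
        "password": pw_ok,
        "ip_or_password": ip_ok or pw_ok,    # office IP skips the password prompt
        "ip_and_password": ip_ok and pw_ok,  # both checks must pass
    }
    if mode not in checks:
        raise ValueError(f"unknown mode: {mode}")
    return checks[mode]

# Constructed sample policy (documentation-range addresses, made-up password).
SALT = b"constructed-salt"
POLICY = {
    "allowlist": parse_allowlist("203.0.113.10, 203.0.113.11,198.51.100.7"),
    "salt": SALT,
    "pw_hash": hash_password("owl-shared-secret", SALT),
}

if __name__ == "__main__":
    for mode in ("ip_or_password", "ip_and_password"):
        print(mode, access_granted(mode, "203.0.113.10", None, POLICY),
              access_granted(mode, "192.0.2.55", "owl-shared-secret", POLICY))
```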
To make your knowledge base public and available to anyone with the link, go to Settings > Security and choose None for Access Security. If your site is public, it can show up in Google and other search engines.
Learn more about search engine optimization in our SEO guide.
Under Settings > Basic, you can choose to Force SSL links so that your knowledge base will load using "https" rather than "http". SSL links ensure that all data passed between the visitor and the site is encrypted.
All KnowledgeOwl subdomains can use SSL links and have the option to Force SSL (http links will redirect to https). However, if you have a private domain, you will need to add your site's SSL certificate, chain, and key to make SSL links work.
We recommend everyone choose Force SSL links. It will soon be the default for all new knowledge bases, and Google Chrome will be marking all HTTP websites as "insecure" starting in July, 2018.
To make some content private on your public knowledge base, you can create a reader group (or groups), restrict content to the appropriate group, and require readers to log in to get access to the reader group restricted content.
To log in readers to your site to access the restricted content, you can add a reader login/logout button to your website or use one of the other authentication methods like single sign-on or remote authentication to automatically authenticate certain readers.
To make your knowledge base private, go to Settings > Security and choose one of our available security options:
- Restrict by reader logins
Readers will be required to log in with a username and password. Users with full account admin access can set up readers, reader groups, and reader settings under Your Account > Readers (or Account > Readers for users with admin access to readers). Learn more in our Reader Management guide.
- Restrict by IP or shared password
Readers will need to be coming from a specified IP address or enter a shared password to access the site. You can also choose to require both an approved IP address and a password to log in.
- Remote authentication
Readers will be required to log in through a 3rd party site, such as your own website or application. You can use this option to automatically log in readers from your software.
- SAML SSO (single sign-on)
Readers will be required to log in through your specified identity provider, such as ADFS, Okta, or G Suite (Google Apps for Work).
- Salesforce SSO (single sign-on)
Readers will only be able to log in through your Salesforce account. Learn how to set it up in our Salesforce SSO Configuration guide.
To restrict content access in a private knowledge base, create reader groups for the different segments of your audience and restrict your content to the appropriate reader groups. When you create readers in KnowledgeOwl or log them in using single sign-on (SSO) or remote authentication, assign the readers to the appropriate groups.
To learn more about readers, read our Reader Management guide.
Even in public knowledge bases, you can restrict some content so that it is only visible to specific readers. To do so, create a reader group or groups and then restrict the category or individual articles to that group.
How does restricted content work?
Readers must be logged in to see content that is restricted. When content is restricted:
- Only readers who belong to the restricted group(s) will be able to see the content in the Table of Contents
- Only readers who belong to the restricted group(s) will see the content in Search Results
- Readers who do not belong to the restricted group will get a "You don't have access to view this" page if they enter the direct URL for the content
Restrictions can be set:
- At the category level: restrictions set here will automatically cascade to all articles or sub-categories as long as those sub-categories and articles have "None / Inherit" selected.
- At the article level: restrictions set here apply only to the individual article and don't impact other articles or categories in any way
Restrict access based on Reader Groups
- If you do not have your reader groups set up, you will need to set them up by following these instructions.
- Create a new category or article (or edit an existing one by clicking on the wrench icon to the right of any content) inside Knowledge Base > Articles.
- In the edit view for the category or article, select the Reader Groups that should be able to view this content under Restrict to Groups in the right-hand column.
- Click Save.
If more than one group is selected, does a reader need to belong to all or only one of the groups?
This depends on your knowledge base's settings. Two Reader Group Logic options are supported:
- Example: An article is restricted to groups "Apples" and "Bananas". The article can be viewed by any reader in groups "Apples" OR "Bananas".
- Example: An article is restricted to groups "Apples" and "Bananas". The article can only be viewed by a reader in groups "Apples" AND "Bananas".
By default, all knowledge bases are set to Inclusive Reader Group Logic. You can check or update this by going to Settings > Security and checking the Reader Options section.
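The cascade and group-logic rules above, as an added Python example (not KnowledgeOwl's code). The `Node` model, the `any`/`all` mode names and the reading of "None / Inherit" as "the nearest explicit restriction up the tree applies" are assumptions; the sample tree is constructed.

```python
from dataclasses import dataclass

@dataclass
class Node:
    """A category or article; an empty `groups` set means "None / Inherit"."""
    title: str
    parent: "Node | None" = None
    groups: frozenset = frozenset()

def effective_groups(node):
    """Walk up the tree to the nearest explicit restriction (assumed cascade rule)."""
    while node is not None:
        if node.groups:
            return node.groups
        node = node.parent
    return frozenset()  # nothing set anywhere up the tree: unrestricted

def can_view(reader_groups, node, logic="any"):
    required = effective_groups(node)
    if not required:
        return True
    held = frozenset(reader_groups)  # empty for a visitor who is not logged in
    if logic == "any":   # OR: the default Inclusive logic
        return bool(required & held)
    if logic == "all":   # AND: the reader must belong to every listed group
        return required <= held
    raise ValueError(f"unknown logic: {logic}")

def visible(reader_groups, nodes, logic="any"):
    """Use the same check for the table of contents, search and direct URLs."""
    return [n.title for n in nodes if can_view(reader_groups, n, logic)]

# Constructed sample tree: one restricted category, an inheriting sub-category
# and article, an article with its own restriction, and a public article.
fruit = Node("Fruit", groups=frozenset({"Apples", "Bananas"}))
recipes = Node("Recipes", parent=fruit)
pie = Node("Pie", parent=recipes)
bread = Node("Banana bread", parent=recipes, groups=frozenset({"Bananas"}))
welcome = Node("Welcome")
ALL = [fruit, recipes, pie, bread, welcome]

if __name__ == "__main__":
    for logic in ("any", "all"):
        print(logic, visible({"Apples"}, ALL, logic))
```

Filtering only the table of contents or search results while leaving the direct URL unchecked would expose restricted articles to anyone who has the link, which is why one function gates all three paths here.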
You can ensure that all your knowledge base links use HTTPS (SSL) by turning on Force SSL under Settings > Basic > Domain Setting > Knowledge Base Protocol. If someone tries to go to a non-secure link, they will be redirected to the secure version of the link.
If you are using a private domain, you will need to set up an SSL certificate if you want to use secure links. Learn more about setting up a private domain in our Private Domain guide.
You can allow readers to sign up for and log in to your knowledge base with their Google account.
To set up Google login for readers:
- Open up Settings > Security in KnowledgeOwl and Google APIs and Services.
Go to Settings > Security and scroll down to Reader Sign Ins Using Google. Click on Google credentials settings to create a new project using Google APIs.
- Set up your OAuth consent screen.
Click OAuth consent screen and complete the setup. You must provide an email address and product name.
- Create OAuth client ID credentials and insert your KnowledgeOwl redirect URIs.
Click Create credentials > OAuth client ID and choose Web application. Enter "KnowledgeOwl" as the name, and copy the Google Login Redirect URL and the Google Signup Redirect URL from KnowledgeOwl into the Authorized redirect URIs fields.
- Set up your client ID and secret in KnowledgeOwl.
Click Create to get your client ID and client secret. Copy and paste your client ID and client secret into the corresponding fields in KnowledgeOwl. Save.
- Turn on Google login for readers in KnowledgeOwl.
Go to Your Account > Readers > Settings and check "Allow readers to log in using their Google account" next to Allow Google Sign In. To allow readers to sign up using Google, check "Allow people to sign up to become a reader" as well. Save.