A customer who wants to restrict visibility of Knowledge Documents (KD) can create Knowledge Categories with a permission group to limit who can view them and who can create KD in them.
After configuring this, users are still able to create KD in Knowledge Categories for which they do not have permission.
Why is this?
Service Desk Manager 17.3 and higher
The default Data Partition constraints allow logged-in users to create and view Knowledge Documents that they own or are assigned to, regardless of the document's permission group.
Creating and viewing Knowledge Documents is controlled by the data partition of the user's role.
See the "Document Permissions" link in the Additional Information section
The permission group set on the Knowledge Category is propagated to the Knowledge Documents created in it, and that permission group is what the WRITE_PGROUP clauses of the data partition constraint compare against the user's permission groups.
For example, consider a user whose default role is Level 2 Analyst.
The Level 2 Analyst role uses the Data Partition named Service Desk Analyst.
By default, this data partition has the following Pre-Update Constraint on the SKELETONS table:
(ACTIVE_STATE >= 0) AND (WRITE_PGROUP in @root.pgroups OR WRITE_PGROUP.[pgroup]contained_roles.role IN @root.role OR ASSIGNEE_ID.[group]group_list.member IN (@root.id) or (ACTIVE_STATE > 0 AND ASSIGNEE_ID = @root.id) OR (ACTIVE_STATE = 0 AND OWNER_ID= @root.id))
The last two OR clauses, (ACTIVE_STATE > 0 AND ASSIGNEE_ID = @root.id) OR (ACTIVE_STATE = 0 AND OWNER_ID = @root.id), make the whole constraint pass whenever the logged-in user is the ASSIGNEE_ID of a document with ACTIVE_STATE > 0 or the OWNER_ID of a document with ACTIVE_STATE = 0, so the WRITE_PGROUP checks before them never come into play for such documents.
In this scenario, when the user creates a Knowledge Document, the new document's ASSIGNEE_ID and OWNER_ID are both the logged-in user who is creating it, so the constraint passes without the user being in the category's permission group.
If you want to enforce the permissions based on the permission group ONLY, remove the ASSIGNEE_ID = @root.id and OWNER_ID = @root.id clauses from both the Pre-Update constraint and the View constraint of the data partition.
Test this thoroughly in a non-production environment first: owners and assignees of existing Knowledge Documents who are not members of the document's permission group may lose the ability to view and update those documents once the clauses are removed.
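The following is an added illustration, not text from the original article: the default Pre-Update constraint quoted above beside the group-only form obtained by deleting the two trailing OR clauses. The ASSIGNEE_ID.[group]group_list.member clause is kept because the article only calls out the ASSIGNEE_ID = @root.id and OWNER_ID = @root.id clauses; whether to drop it as well is a decision for your environment. The default View constraint is not reproduced in the article, so it is not shown here; the same deletion is applied to it.

```text
Default Pre-Update constraint on SKELETONS (Service Desk Analyst data partition):
(ACTIVE_STATE >= 0) AND (WRITE_PGROUP in @root.pgroups OR WRITE_PGROUP.[pgroup]contained_roles.role IN @root.role OR ASSIGNEE_ID.[group]group_list.member IN (@root.id) OR (ACTIVE_STATE > 0 AND ASSIGNEE_ID = @root.id) OR (ACTIVE_STATE = 0 AND OWNER_ID = @root.id))

Group-only Pre-Update constraint (the two trailing OR clauses removed):
(ACTIVE_STATE >= 0) AND (WRITE_PGROUP in @root.pgroups OR WRITE_PGROUP.[pgroup]contained_roles.role IN @root.role OR ASSIGNEE_ID.[group]group_list.member IN (@root.id))
```

To verify the change in the test environment, log in as a user whose role uses the edited data partition and who is not a member of a category's permission group, and attempt to create a Knowledge Document in that category; with the group-only constraint the create should be rejected, while a member of the permission group should still succeed. Also open an existing Knowledge Document whose owner or assignee is not in its permission group to see the loss of access the warning above describes. Because the constraint belongs to the data partition, not to the category, the edit must be repeated on every data partition whose roles are meant to be restricted; roles that use other data partitions keep their own constraints.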