Folder access management

Target Audience

  • Admins who configure the Knowledge Base (KB) to align well with the organization structure and access requirements

Who it’s for

  • Users who hold the knowledge.read and knowledge.write roles and need to view and modify KB access

Overview

With release 2025.26, we introduce the “Can manage” access in the Knowledge Base UI. The feature is behind a feature flag (environment variable FEATURE_FLAG_ENABLE_CAN_MANAGE_ACCESS_UN_11608), which must be enabled in the node-scope-management and next-knowledge-upload services.

The following explains how enabling or disabling the feature flag affects the Knowledge Base actions available to users with different Zitadel roles and access rights.

This feature is disabled by default. If you would like it enabled, please contact your account manager.

When the feature is ENABLED

Zitadel role: knowledge.read

Can read:

  • View contents in folder
  • Open file
  • View chunks

Can write: Cannot obtain this access

Can manage: Cannot obtain this access

Zitadel role: + knowledge.write

Can read:

  • View contents in folder
  • Open file
  • View chunks

Can write (scope level):

  • Upload content
  • Delete content
  • Re-ingest failed content
  • Create folder
  • Delete folder
  • Rename folder

Can manage (scope level):

  • View access
  • Change access
  • Configure ingestion

Zitadel role: + chat.admin.all

Can read:

  • View contents in folder
  • Open file
  • View chunks

Can write (root level):

  • Create folder
  • Delete folder

Can write (scope level):

  • Upload content
  • Delete content
  • Re-ingest failed content
  • Rename folder

Can manage (scope level):

  • View access
  • Change access
  • Configure ingestion

When the feature is DISABLED

Zitadel role: knowledge.read

Can read:

  • View contents in folder
  • Open file
  • View chunks

Can write: Not available

Zitadel role: + knowledge.write

Can read:

  • View contents in folder
  • Open file
  • View chunks

Can write (root and scope level):

  • Create folder
  • Delete folder

Can write (scope level):

  • Upload content
  • Delete content
  • Re-ingest failed content
  • Rename folder

Zitadel role: + chat.admin.all

Can read:

  • View contents in folder
  • Open file
  • View chunks

Can write (root and scope level):

  • Create folder
  • Delete folder

Can write (scope level):

  • Upload content
  • Delete content
  • Re-ingest failed content
  • Rename folder
  • View access
  • Change access
  • Configure ingestion

Benefits

Previously, only users assigned the chat.admin.role role were permitted to view and manage access. This setup proved limiting, because end users also need to manage access for their own teams in order to operate independently of admin intervention.

Additionally, there was an unconventional configuration in which users with the knowledge.write role were granted root-level access. This is inconsistent with the intended role structure, as root-level privileges should be reserved for users explicitly assigned the chat.admin.role role.

Step-by-Step Guide

  • Go to the Knowledge Base UI.

  • Navigate to the scope/folder where you want to grant a member the “Can manage” access.

  • Locate the scope access panel.

  • Click on the input box to select the member or group to give access to. Click on the “Can manage” button. You can also check “apply to all subfolders” if you want them to have access to the subfolders of the current scope, then select the member you want to give the access to.

    Give access to member(s)
  • You can also use the Edit button beside a member to add the “Can manage” access.

    Use edit button to give member access

Known Limitations

The chat.admin.role role is currently restricted by knowledge access rights; e.g., a user with this role must have the “Can manage” access to view and manage access. With the release of 2025.28, we plan to lift this restriction so that the chat.admin.role role can view all scopes / folders and perform all actions independently of the user's access rights.
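
The two tables above and the limitation just described, modeled as an added example (not the product's own code): it computes which actions a role row gains or loses when the flag is switched on. Row and access names follow the tables as written; the (level, action) pairs, the "unstated" level for read actions, and the function names are assumptions made for this illustration.

```python
# Added example: a model of the two tables on this page, not the product's code.
def cell(level, *actions):
    return {(level, a) for a in actions}

READ = cell("unstated", "view contents in folder", "open file", "view chunks")
CONTENT = cell("scope", "upload content", "delete content",
               "re-ingest failed content", "rename folder")
FOLDERS = ("create folder", "delete folder")
MANAGE = cell("scope", "view access", "change access", "configure ingestion")

# MATRIX[flag_enabled][role row][KB access] -> set of (level, action), as listed.
MATRIX = {
    True: {
        "knowledge.read": {"read": READ},
        "+ knowledge.write": {"read": READ, "manage": MANAGE,
                              "write": CONTENT | cell("scope", *FOLDERS)},
        "+ chat.admin.all": {"read": READ, "manage": MANAGE,
                             "write": CONTENT | cell("root", *FOLDERS)},
    },
    False: {  # no "Can manage" column exists while the flag is off
        "knowledge.read": {"read": READ},
        "+ knowledge.write": {"read": READ, "write": CONTENT
                              | cell("root", *FOLDERS) | cell("scope", *FOLDERS)},
        "+ chat.admin.all": {"read": READ, "write": CONTENT | MANAGE
                             | cell("root", *FOLDERS) | cell("scope", *FOLDERS)},
    },
}

def allowed(row, accesses, flag_enabled):
    """Union of the table cells for a role row and the KB accesses held on a folder."""
    cells = MATRIX[flag_enabled][row]
    return set().union(*(cells.get(a, set()) for a in accesses))

def flag_delta(row, accesses):
    """(gained, lost) actions when the flag goes from disabled to enabled."""
    before, after = allowed(row, accesses, False), allowed(row, accesses, True)
    return after - before, before - after

if __name__ == "__main__":
    for row in MATRIX[True]:
        gained, lost = flag_delta(row, {"read", "write", "manage"})
        print(row, "| gained:", sorted(gained), "| lost:", sorted(lost))
    # Known limitation: without "Can manage", an admin cannot change access.
    admin = allowed("+ chat.admin.all", {"read", "write"}, True)
    print("admin without Can manage may change access:",
          ("scope", "change access") in admin)
```

Running it before enabling the flag gives a per-row list of privileges to expect users to lose or gain, which can be compared against the access actually granted in each scope.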

Can this feature be enabled on non-Azure or self-hosted tenants?

Yes.


Author

PTFRAG

 

© 2025 Unique AG. All rights reserved.