Security Identity Cache and Provider

Two additional modules must intervene in the indexing and querying processes to support item permissions consisting of groups or granted security identities: the security identity cache and a security identity provider. These modules work together to recreate and handle security identity relationships and fully support more complex secured search scenarios (see Security Identity Relationships and Typical Coveo Cloud Secured Search).

[Module interaction diagram: security identity cache and security identity providers]

In this module interaction diagram:

  • Blue boxes represent modules involved in the indexing process. However, the security identity provider is also involved in the querying process when a new user makes their first query (see Identity Refresh).

  • Gray boxes represent modules involved in the querying process.

  • Orange boxes represent modules involved in both the indexing and the querying process.

To place the focus on item permission management, all examples in this topic assume that the query made by the search page user matches the title of the desired items.

Security Identity Cache

The basic secured search scenario consists of determining whether a user is allowed to access an item (see Basic Secured Search). If the user’s security identity is allowed to access the item, the item is returned in the user’s search results. If the user’s security identity is denied access to the item, or if it is not specified in the item permissions at all, the user cannot access the item (see Unspecified Security Identities).

In the basic secured search scenario, users query Coveo Cloud V2 using a single security identity (see Basic Secured Search). However, this scenario does not reflect the typical permission model: secured enterprise system administrators often mark a group security identity as allowed to access an item instead of listing several user security identities in the item permissions (see Group and Granted Security Identities). To support permission models including group and granted security identities, Coveo Cloud V2 must take the relationship between the user and their group, granted identity, or alias into account (see Security Identity Relationships).

The security identity cache is a module that stores and maintains a list of all relationships between security identities. Upon its first encounter with a security identity, the security identity cache queries the security identity provider to retrieve the security identity relationships. Then, when a user logs in to a Coveo Cloud V2 powered search interface, the security identity cache provides them with additional security identities corresponding to their aliases, to their granted identities, and to the groups of which they are a member. The user therefore makes a query using several security identities, which may or may not match the security identities allowed to access the queried item.

It is not necessary to have all allowed security identities to access an item. An item is returned in the search results as long as:

  • At least one of the user’s security identities is marked as allowed to access the item.

  • None of the user’s security identities is marked as denied access to the item.

The R&D_Roadmap_2017.pdf item has the following permissions:

  • board_of_directors@mycompany.com: allowed

  • rd_department@mycompany.com: allowed

  • interns@mycompany.com: denied

John Smith wants to access R&D_Roadmap_2017.pdf. He logs in as jsmith@mycompany.com, and is granted the following additional security identities:

  • rd_department@mycompany.com

  • team_leaders@mycompany.com

  • engineers@mycompany.com

John Smith now makes a query using his four security identities. One of them matches the security identities allowed to access R&D_Roadmap_2017.pdf, and none of them is denied access to the item. R&D_Roadmap_2017.pdf is therefore returned in John Smith’s search results.

[Diagram: security identity cache example]

Security Identity Provider

The role of a security identity provider is to extract all relationships of a security identity: the group members, the granted identities and the identity aliases (see Security Identity Relationships and Security Identity Cache). Once extracted, these relationships are stored by the Coveo Cloud V2 security identity cache. Therefore, the security identity provider acts as a bridge between the secured enterprise system and the Coveo Cloud V2 security identity cache. You can review a list of your security identity providers in the Coveo Cloud V2 administration console (see Security Identities - Page).

Identity Refresh

When a newly created user logs in to a Coveo Cloud V2 powered search page for the first time and makes a query, this user’s granted security identities are retrieved during the querying process. The user can then access the items these granted identities are allowed to access (see Group and Granted Security Identities). However, group members are only retrieved and provided to the security identity cache when the group is refreshed, i.e., updated (see Security Identities - Page).

Automatic security identity refreshes are scheduled daily by default (see Edit Security Identity Provider Refresh Schedules). These scheduled refreshes update all security identities of a security identity provider. However, a Coveo Cloud V2 administrator can manually refresh the identities at any time. Such an update makes new users’ group security identities available immediately rather than only after the next scheduled refresh. The administrator can refresh either the identities of all identity providers or those of a single identity provider (see Refresh All Security Identities or Refresh a Security Identity Provider). The result is the same, i.e., the security identity cache is updated with the new identity relationships, but refreshing a single security identity provider is less time- and resource-consuming.

John Smith is a new employee at MyCompany. On his first day of work, the system administrator adds John Smith’s user security identity, jsmith, to the following Jive groups:

  • Jive\engineers

  • Jive\team_leaders

The secured enterprise system also grants Jive\jsmith the following granted security identities:

  • Jive\Everyone

  • Jive\AllRegisteredUsers

Unless the Coveo Cloud V2 administrator manually launches a security identity refresh, John Smith will not be able to access Engineers_Training.pdf until the next scheduled refresh. This item has the following permission model:

  • Jive\engineers: allowed

  • Jive\administration: allowed

  • Jive\training_team: allowed

However, item MyCompany_Presentation.pdf has the following permission model:

  • Jive\Everyone: allowed

John Smith can always access this item upon his first query because his granted security identities, among which one matches the item permissions, have already been provided to the security identity cache.
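The following added example (not Coveo’s own code) models both scenarios above: the security identity cache expanding a user into their granted and group identities, the "at least one allowed, none denied" evaluation rule, and the effect of a security identity refresh on group membership. The Provider and Cache classes, and all identities and items, are constructed for illustration.

```python
# Added example, not Coveo's own code: a simplified model of the security
# identity cache, a security identity provider, and the evaluation rule
# "at least one allowed, none denied". All identities and items are constructed.

class Provider:
    """Stands in for a security identity provider (constructed data)."""
    def __init__(self, groups, granted):
        self.groups = groups    # group identity -> set of member identities
        self.granted = granted  # user identity -> set of granted identities

class Cache:
    """Stores identity relationships; group members are known only after a refresh."""
    def __init__(self, provider):
        self.provider = provider
        self.members = {}   # group -> members, populated by refresh()
        self.granted = {}   # user -> granted identities, fetched at first query

    def refresh(self):
        self.members = {g: set(m) for g, m in self.provider.groups.items()}

    def expand(self, user):
        """Return every security identity the user queries with."""
        if user not in self.granted:  # first query retrieves granted identities
            self.granted[user] = set(self.provider.granted.get(user, ()))
        ids = {user} | self.granted[user]
        ids |= {g for g, m in self.members.items() if user in m}
        return ids

def can_access(identities, permissions):
    """permissions maps a security identity to 'allowed' or 'denied'."""
    decisions = {permissions.get(i) for i in identities}
    return "allowed" in decisions and "denied" not in decisions

# Constructed Jive data from the identity refresh scenario
JIVE = Provider(
    groups={"Jive\\engineers": {"Jive\\jsmith"}, "Jive\\team_leaders": {"Jive\\jsmith"}},
    granted={"Jive\\jsmith": {"Jive\\Everyone", "Jive\\AllRegisteredUsers"}},
)
TRAINING = {"Jive\\engineers": "allowed", "Jive\\administration": "allowed",
            "Jive\\training_team": "allowed"}
PRESENTATION = {"Jive\\Everyone": "allowed"}

def first_day_access(refreshed):
    """(Engineers_Training.pdf, MyCompany_Presentation.pdf) access for Jive\\jsmith."""
    cache = Cache(JIVE)
    if refreshed:
        cache.refresh()
    ids = cache.expand("Jive\\jsmith")
    return can_access(ids, TRAINING), can_access(ids, PRESENTATION)
```

Before a refresh, first_day_access(False) yields (False, True): the presentation is reachable through the granted Jive\Everyone identity, the training item is not; after a refresh both are reachable.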

Item permissions and the security identity relationships stored in the security identity cache are updated differently. When item permissions change (e.g., you share a Google Document with someone else), this change becomes effective following an incremental refresh, a rescan, or a rebuild of the corresponding source (see Item Permission Update). However, if members of a group change (e.g., a new employee is hired and added to existing groups), the source security identities must be refreshed.

What’s Next?

In a typical secured search scenario, a user can access an item if at least one of their security identities is allowed to access it, and if none of their security identities is denied access to this item (see Typical Coveo Cloud Secured Search).