Security Identity Relationships

A group or granted security identity is usually related to at least another security identity (see Group and Granted Security Identities). Such relationships between security identities are crucial when determining the effective permissions of an item.

To place the focus on item permission management, all examples in this topic assume that the query made by the search page user matches the title of the desired items.

Child/Parent Relationship

Two security identities are in a child/parent relationship when one security identity includes another one. In other words, when a group contains several users, the group has a child relationship to each of the users, and each user has a parent relationship to the group. Similarly, if a user has a granted identity, the granted identity has a child relationship to the user, and the user has a parent relationship to the granted identity. A single security identity can have multiple child relationships and multiple parent relationships.

Coveo Cloud V2 combines all security identity relationships to create a hierarchical representation of all security identities of a secured enterprise system. Thus, it can extract from this representation a list of all parent security identities of every single security identity (see Granted Security Identities). As explained under Security Identity Cache and Provider, this list is crucial because it is used by the index to filter search results.

At MyHospital, there are two teams in the Medical Department: the nurse team and the doctor team. So, medical_dpt@myhospital.com is a group that contains groups nurses@myhospital.com and doctors@myhospital.com. medical_dpt@myhospital.com is therefore a parent of nurses@myhospital.com, and nurses@myhospital.com is a child of medical_dpt@myhospital.com.

John Smith and Barbara Allen are both nurses. nurses@myhospital.com is therefore a parent of jsmith@myhospital.com and ballen@myhospital.com, while jsmith@myhospital.com and ballen@myhospital.com are both children of nurses@mycompany.com.

Moreover, all user security identities, such as jsmith@myhospital.com, are children of both the Medical Department group security identity and the group security identity corresponding to their respective team.

CCV2-Permissions-SecurityIdentityRelationships-MyHospital

In such a scenario, an item to which access would be allowed to medical_dpt@myhospital.com only could be viewed by all nurses and doctors at MyHospital, i.e., John Smith, Barbara Allen, Martin Doe, and Jodie Bates. An item to which access would be allowed to nurses@myhospital.com only, however, could only be accessed by nurses John Smith and Barbara Allen.

Alias Relationship

The basic secured search scenario applies only for content and users of the same system (see Coveo Cloud V2 Management of Security Identities and Item Permissions). So, for a user to access the content they are allowed to access, they must make their query while authenticated with a security identity from the same system as the queried content. Alias relationships (formerly known as user mappings) solve this limitation, thus making the use of Coveo Cloud V2 much more efficient and intuitive.

Two user security identities are in an alias relationship (or sibling relationship) when they represent the same user in two different systems. Aliasing user security identities allows the user they represent to query Coveo Cloud V2 with a user security identity and accessing content from a source they should otherwise access with the other security identity.

At MyCompany, John Smith can log in to a Coveo Cloud V2 powered search interface using either his corporate email address, jsmith@mycompany.com, or an additional, unrelated Google email address, jsmith@gmail.com used for Google Drive storage purposes. If jsmith@gmail.com is not considered as an alias of John Smith’s corporate email address, John Smith can see his Google Drive content when logging in as jsmith@gmail.com, but not when logging in as jsmith@mycompany.com. The same applies for John Smith’s corporate address, which is related to his corporate emails.

However, if John Smith’s Google security identity is identified as an alias of John Smith’s corporate email security identity, John Smith can log in to a Coveo Cloud V2 powered search interface with his corporate email address, and then access the content accessible to either of those identities. John Smith can therefore retrieve emails as well as Google Drive content when logged in as jsmith@mycompany.com.

CCV2-Permissions-SecurityIdentityRelationships-AliasGoodPracticeNote

Alias relationships are currently unidirectional. So, when a security identity provider identifies an identity A as an alias of an identity B, content available to A is available when searching as B, but content available to B is not accessible when logging in as A.

Alias all security identities representing a user to a single identity that can be used to log in to the Coveo Cloud V2 powered search page, such as an email address (see Logging in to Coveo Cloud V2).

In the example scenario above, jsmith@gmail.com is an alias of jsmith@company.com. As a result, when John Smith logs in to a Coveo Cloud V2 powered search interface with his corporate email address, he can access both his emails and his Google Drive content. However, if he logs in as jsmith@gmail.com and makes a query, only Google Drive content will be accessible.

An alias relationship allows a security identity to access secured data from a different system without requiring the credentials with which this data is secured. When aliasing a security identity B to a security identity A, the developer in charge of these aliases must be aware that any discrepancy or mistake could lead to a security hole.

This is especially important when using a regex to alias all security identities from a system to security identities of another system.

Jane Smith was hired at MyCompany before John Smith. Her corporate email address is therefore jsmith@mycompany.com, while John Smith’s is jsmith2@mycompany.com. Jane Smith does not use Salesforce at work, but John Smith does. So, if a regex maps John Smith’s Salesforce account, JSmith, to his expected corporate email address, the Salesforce account is associated with Jane Smith’s email address. Jane Smith could then access John Smith’s Salesforce content through a Coveo Cloud V2 search, while John Smith would not find any Salesforce content while logged in with his corporate email address.

When a security identity in a system A has several aliases in a system B, logging in and searching with the security identity system A shows results available to all user aliases of this account at once.

This happens frequently when conducting user acceptance tests, or in QA or staging environments, as a tester may set up multiple test accounts using their corporate email address.

John Smith is a software tester at MyCompany. To conduct his tests appropriately, he sets up several email addresses. These email addresses are each marked as allowed to see content that none of the other test addresses are allowed to access. John Smith then aliases these test addresses to his corporate email address. Therefore, when he logs in to a Coveo Cloud V2 powered search page using his corporate email address, he can see the content associated to each of his test addresses.

CCV2-Permissions-MultipleAAccountsAliasedToOneBAccount

Denial Prevalence

If a user is both denied and allowed access to an item at once, i.e.,they have at least one of their security identities that is allowed to access the item, and at least one that is denied access, the denial prevails over the allowance.

John Smith is both a software developer and team leader, and therefore belongs to both the Software Developers and the Team Leaders groups. Using Coveo Cloud V2, he tries to retrieve an item to which access is allowed to the team leaders, but not to the software developers. Since the Denied permission prevails over the Allowed permission, the desired item does not appear in John Smith’s search results.

Denial also prevail over the universal availability of a public item (see Public Items and Anonymous Users).

What’s Next?

In Coveo Cloud V2, the security identity cache and a security identity provider work together to recreate and handle security identity relationships (see Security Identity Cache and Provider).