Privilege reference

This is for:

System Administrator

In the Coveo privilege system, each domain can be associated to one or more access level to form a privilege, which allows an API key or a group of users to perform certain operations in the Coveo Administration Console. See Manage privileges and Navigate the "Privileges" tab for more information.

However, although many domains offer a View and an Edit access level, the abilities represented by these access levels may differ from domain to domain. Some domains also offer different access level options such as Allowed or Push. So, to help you grant the appropriate privilege to groups of users or API keys, this page details what your grantee can do when granted each access level option for each domain. In the Coveo Administration Console, domains of privilege are grouped by service, and this page uses the same arrangement. Use the In this article menu on the right side of the page to browse the services and domains.

Important

The operation of granting privileges isn’t to be taken lightly, as insufficient privileges can hinder task accomplishment, while inadequate or unnecessary privileges could lead to accidents or misuse. When allowed to delegate powers, you should have a good understanding of how the Coveo privilege system works and be well aware of the implications of each choice you make. In this regard, we recommend thoroughly reading the privilege documentation before granting privileges or editing a privilege set, and enforcing the principle of least privilege, that is, granting just enough privileges for the grantee to perform their tasks (see Manage privileges and Principle of Least Privilege).

In the following tables, the typical grantees associated to a privilege are mostly the built-in groups that are granted this access level by default (see built-in groups comparison tables). However, they could also include typical groups of users that should have the privilege granted to them (for example, support agents). Members of the Administrators group are always granted the highest access level. Similarly, the Typical grantee column shows which API key presets are granted each access level.

Analytics service

Administrate domain

Access level Grantee abilities Typical grantees

Allowed

Warning

This privilege is especially potent since grantees can delete usage analytics data and could inadvertently corrupt it as well.

  • Administrators

  • Admin API keys

  • Analytics API keys

Analytics data domain

Access level Grantee abilities Typical grantees

View

  • Analytics managers

  • Analytics viewers

  • Relevance managers

  • Admin API keys

  • Monitoring API keys

Push

  • OAuth tokens, API keys, and search tokens assigned to a process such as a search interface

  • Anonymous search API keys

  • Search API keys

Push and view

  • Administrators

  • Analytics API keys

Data exports domain

Important

The Data exports domain access levels are ineffective without the View access level on the Analytics data domain

Access level Grantee abilities Typical grantees

View

View and download usage analytics data exports containing clicks, groups, keywords, searches, and custom events meeting the specified criteria for a specific date range

Monitoring API keys

Edit

  • Administrators

  • Analytics managers

  • Analytics viewers

  • Relevance managers

  • Admin API keys

  • Analytics API keys

Data health domain

Access level Grantee abilities Typical grantees

View

Administrators

Delete user data domain

Access level Grantee abilities Typical grantees

Allowed

Delete usage analytics user data

Warning

This privilege is especially potent since grantees can delete usage analytics user data. This can break existing reports and also render some datasets inaccurate.

  • Administrators

  • Admin API keys

  • Analytics API keys

Dimensions domain

Important

The Dimensions domain access levels are ineffective without the View access level on the Analytics data domain.

Access level Grantee abilities Typical grantees

View

  • Analytics viewers

  • Monitoring API keys

Edit

Add, edit, or delete dimensions created by Coveo organization members

  • Administrators

  • Analytics managers

  • Admin API keys

Impersonate domain (analytics)

Access level Grantee abilities Typical grantees

Allowed

Allow a custom process or bot to push usage analytics events with different identities

  • Administrators

  • Admin API keys

  • Analytics API keys

Named filters domain

Important

The Named filters domain access levels are ineffective without the View access level on the Analytics data and Dimensions domains.

Access level Grantee abilities Typical grantees

View

  • Analytics viewers

  • Monitoring API keys

Edit

  • Administrators

  • Analytics managers

  • Relevance managers

  • Admin API keys

  • Analytics API keys

Permission filters domain

Important

The Permission filters domain access levels are ineffective without the View access level on the Analytics data and Dimensions domains.

Access level Grantee abilities Typical grantees

View

View permission filters restricting the usage analytics data that analysts can review in reports

Note

Without the View access level, you can’t see the permissions filters that are assigned to your identity in reports.

  • Analytics viewers

  • Analytics managers

  • Relevance managers

  • Monitoring API keys

Edit

Note

The Edit access level is ineffective without the View access level on the Groups domain.

  • Administrators

  • Admin API keys

  • Analytics API keys

Property domain

Important

The Property domain access levels are ineffective without the View access level on the Analytics data domain.

Access level Grantee abilities Typical grantees

View

View properties that manage tracking IDs across different sites or applications

  • Analytics viewers

  • Analytics managers

  • Relevance managers

Edit

Add a property to register a new tracking ID, or edit or delete an existing property.

  • Administrators

  • Analytics managers

  • Relevance managers

Reports domain

Important

The Reports domain access levels are ineffective without the View access level on the Analytics data and Dimensions domains.

Access level Grantee abilities Typical grantees

View

View usage analytics reports (dashboards and explorers)

  • Analytics viewers

  • Monitoring API keys

Edit

Add, edit, or delete usage analytics reports (dashboards and explorers)

Note

The Edit access level is ineffective without the Allowed access level on the Administrate domain.

  • Administrators

  • Analytics managers

  • Relevance managers

  • Admin API keys

  • Analytics API keys

Snowflake management domain

Important

The Edit access level is ineffective without the Allowed access level on the Administrate domain.

Access level Grantee abilities Typical grantees

View

  • Administrators

  • Analytics managers

  • Analytics viewers

  • Relevance managers

  • Monitoring API keys

Edit

  • Administrators

  • Analytics managers

  • Relevance managers

  • Admin API keys

  • Analytics API keys

View all reports domain

Access level Grantee abilities Typical grantees

Allowed

View all reports, regardless of report accesses. Members that don’t have this access level can only review the reports they’re explicitly allowed to access.

Warning

This privilege is especially potent since grantees bypass report permissions and could therefore access sensitive information that they wouldn’t be allowed to access otherwise.

  • Administrators

  • Analytics managers

  • Admin API keys

  • View all reports

Commerce service

Catalog domain

Access level Grantee abilities Typical grantees

View

View catalog entities and catalog configuration

Monitoring API keys

Edit

Add, edit, or delete catalog entities

  • Administrators

  • Admin API keys

Merchandising hub domain

Access level Grantee abilities Typical grantees

View

View Search, Product listings, and Recommendations managers

Monitoring API keys

Edit

Add, edit, or delete Search, Product listings, and Recommendations managers

  • Administrators

  • Admin API keys

Content service

Connectivity diagnostic logs domain

Access level Grantee abilities Typical grantees

View

  • Administrators

  • Content managers

  • Admin API keys

  • Monitoring API keys

Crawling Module domain

Access level Grantee abilities Typical grantees

View

  • Content managers

  • Users

  • Monitoring API keys

Note

Only content managers and users of organizations created after November 19th, 2019 are granted this privilege by default. Content managers and users of older organizations can be granted this privilege manually if needed.

Edit

This access level allows a Crawling Module instance to report its status to Coveo. This status is then displayed on the Crawling Modules (platform-ca | platform-eu | platform-au) page. Granting this access level to groups of users doesn’t give them any additional capabilities.

  • Administrators

  • Admin API keys

  • Crawling Module API keys

Note

Administrators are granted the highest access level for all domains, including Crawling Module. However, in this case, having the Edit access level instead of View doesn’t grant them any additional capabilities. It only makes a difference for Crawling Module API keys, which require the Edit access level.

Crawling Module log request domain

Access level Grantee abilities Typical grantees

View

Granting this privilege to groups of users or API keys doesn’t give them any additional capabilities.

Edit

Warning

This privilege is especially potent since grantees can use it to access logs that are normally available to the host server’s administrators only. Although the logs contain no sensitive information such as passwords and no indexed content, they still show the hostname of the Crawling Module host server, the accessed URLs, etc.

  • Administrators

  • Admin API keys

Extensions domain

Access level Grantee abilities Typical grantees

View all

View the code and usage statistics of available extensions assigned to sources. This is especially useful when troubleshooting cases such as item indexing issues.

Monitoring API keys

View

View the code and usage statistics of the specified extensions. This is especially useful when troubleshooting cases such as item indexing issues.

Edit

Add code snippets to apply transformations to indexed items such as adding or modifying metadata. We recommend that you grant this privilege to developers only.

Edit all

Add code snippets to apply transformations to indexed items such as adding or modifying metadata. We recommend that you grant this privilege to developers only.

  • Administrators

  • Content managers

  • Admin API keys

Fields domain

Access level Grantee abilities Typical grantees

View

View fields and field configuration

  • Users

  • Monitoring API keys

Edit

  • Administrators

  • Content managers

  • Admin API keys

Logical indexes domain

Access level Grantee abilities Typical grantees

View

  • When your organization has more than one index:

    • On the Sources page, see in which index the content of each source is stored

    • When adding a source, select the index in which the retrieved content will be stored

Monitoring API keys

Edit

  • This access level doesn’t give its grantee any additional capabilities.

  • Administrators

  • Content managers

  • Admin API keys

Security identities domain

Important

The Security identities domain access levels are ineffective without the View access level on the Security identity providers domain.

Access level Grantee abilities Typical grantees

View

Monitoring API keys

Edit

Only required by certain API calls (for example, enable all disabled entities in security cache). Granting this access level to groups of users doesn’t give them any additional capabilities.

  • Administrators

  • Admin API keys

Security identity providers domain

Access level Grantee abilities Typical grantees

View

Monitoring API keys

Edit

  • Administrators

  • Admin API keys

Source metadata domain

Access level Grantee abilities Typical grantees

View

View a sample of the metadata discovered while indexing a source

Warning

This privilege is especially potent since grantees bypass the content permissions of the sources they can edit. They can therefore access sensitive index content that they can’t normally access in the original repository.

  • Administrators

  • Admin API keys

Sources domain

Notes
  • To review source content in the Content Browser, you must have the Allowed access level on the Execute queries domain.

  • Unlike for other resources, the ability to create sources can be granted without the Edit access level. You can therefore grant a group or API key the View all or Custom access level for the Sources domain and check the Can Create checkbox to allow users to create resources in this domain.

Access level Grantee abilities Typical grantees

View all

Users

Custom

View

Monitoring API keys

Edit

Edit all

  • Administrators

  • Content managers

  • Admin API keys

Customer service

Case Assist configuration domain

Access level Grantee abilities Typical grantees

View

View elements of the Case Assist (platform-ca | platform-eu | platform-au) page

Monitoring API keys

Edit

Manage elements of the Case Assist (platform-ca | platform-eu | platform-au) page

  • Administrators

  • Admin API keys

Use Case Assist domain

Access level Grantee abilities Typical grantees

Allowed

Leverage case assist configurations in support cases

  • Administrators

  • Content managers

  • Relevance managers

  • Users

Insight Panel configuration domain

Access level Grantee abilities Typical grantees

View

View elements of the Insight Panel (platform-ca | platform-eu | platform-au) page

Monitoring API keys

Edit

Manage elements of the Insight Panel (platform-ca | platform-eu | platform-au) page

  • Administrators

  • Admin API keys

Insight Panel interface domain

Access level Grantee abilities Typical grantees

View

View an Insight Panel interface in a Customer Relationship Management (CRM) system

Monitoring API keys

Edit

Create, update, or delete an Insight Panel interface

  • Administrators

  • Admin API keys

Insight Panel items domain

Access level Grantee abilities Typical grantees

View

View items that are relevant to a case in an Insight Panel interface

  • Administrators

  • Support agents

  • Admin API keys

  • Monitoring API keys

Machine learning service

Allow content preview domain

Access level Grantee abilities Typical grantees

Enable

Inspect the resources available to create content-based Coveo Machine Learning models

Warning

This privilege gives grantees indirect access to index content. Grantees could therefore have access to sensitive content to which they wouldn’t have under normal conditions.

  • Administrators

  • Relevance managers

  • Admin API keys

Models domain

Access level Grantee abilities Typical grantees

View

View Coveo Machine Learning models

Monitoring API keys

Edit

Add, edit, or delete machine learning models, and therefore optimize search results relevance and search experience in general

  • Administrators

  • Relevance managers

  • Admin API keys

User profiles domain

Access level Grantee abilities Typical grantees

View

View the Coveo Machine Learning user profile made for each user or visitor ID

Monitoring API keys

Edit

Edit the Coveo Machine Learning user profile made for each user or visitor ID

  • Administrators

  • Admin API keys

Organization service

API keys domain

Note

This domain is only available when configuring groups, as API keys can’t be granted the privilege to view or edit other API keys.

Access level Grantee abilities Typical grantees

View all

View in read-only mode the configuration of all API keys

  • Content managers

  • Relevance managers

  • Monitoring API keys

View

View in read-only mode the configuration of specific API keys

Edit

Edit all

  • Administrators

  • Admin API keys

Activities domain

Access level Grantee abilities Typical grantees

View

Important

A member with the View access level on the Activities domain can access the Activity Browser. This member can therefore see all activities taking place in the organization, including those from Coveo Administration Console pages that they can’t access.

  • Content managers

  • Relevance managers

  • Monitoring API keys

Edit

  • Administrators

  • Admin API keys

Critical updates domain

Access level Grantee abilities Typical grantees

View

Access the list of available critical updates

Monitoring API keys

Edit

Enable/disable critical updates in the organization

  • Administrators

  • Admin API keys

Groups domain

Tip
Leading practice

Grant the Edit or Edit all access level for the Groups domain only to a few people, ideally the authority in your company that manages access rights in corporate systems.

Access level Grantee abilities Typical grantees

View all

  • Analytics managers

  • Monitoring

View

View groups, including their privileges

  • Content managers

  • Relevance managers

Edit

Relevance managers

Edit all

  • Administrators

  • Admin API keys

Note

For the preceding grantees, by default, members of the Relevance Managers built-in group can edit this group only. This allows them to invite other people in the Relevance Managers group, but not in other groups.

Warning

The Edit all access level is especially potent since grantees can use it to add anyone, including themselves, to any organization group. This can lead to privilege escalation

See Privileges required to manage snapshots for details on the privileges you need to use the resource snapshot feature.

Access level Grantee abilities Typical grantees

View

Monitoring API keys

Edit

  • Administrators

  • Admin API keys

Notifications domain

Access level Grantee abilities Typical grantees

View

Monitoring API keys

Edit

  • Administrators

  • Admin API keys

On-premises administration domain

The privileges of this domain are required by the Coveo Crawling Module API keys only. Granting these privileges to groups of users doesn’t give them any additional capabilities.

Access level Grantee abilities Typical grantees

View

Monitoring API keys

Edit

This access level, when granted to a Coveo Crawling Module API key, allows the Crawling Module to communicate with Coveo. Granting it to users or groups doesn’t give them any additional capabilities.

  • Administrators

  • Admin API keys

  • Crawling Module API keys

Note

Administrators are granted the highest access level for all domains, including On-Premises Organization. However, in this case, having the Edit access level instead of View doesn’t grant them any additional capabilities. It only makes a difference for Crawling Module API keys, which require the Edit access level.

Organization domain

Access level Grantee abilities Typical grantees

View

  • Analytics managers

  • Analytics viewers

  • Content managers

  • Relevance managers

  • Users

  • Monitoring API keys

Edit

  • Administrators

  • Admin API keys

Single sign-on identity provider domain

Access level Grantee abilities Typical grantees

View

Monitoring API keys

Edit

  • Administrators

  • Admin API keys

Snapshots domain

See Privileges required to manage snapshots for details on the privileges you need to use the resource snapshot feature.

Access level Grantee abilities Typical grantees

View

  • View the snapshots in the organization

  • Copy or download a snapshot

  • Validate a snapshot

  • View changes to apply

  • Match analogous resources

Monitoring API keys

Edit

  • Create a snapshot

  • Export a snapshot to a different organization

  • Apply a snapshot

  • Delete a snapshot

  • Administrators

  • Analytics managers

  • Content managers

  • Relevance managers

  • Admin API keys

Temporary access domain

Access level Grantee abilities Typical grantees

View

View who at Coveo has asked for and been granted temporary access to your organization, as well as the privileges they were granted

Monitoring API keys

Edit

Revoke temporary access to your organization

  • Administrators

  • Admin API keys

Vault entry domain

See Privileges required to manage snapshots for details on the privileges you need to use the resource snapshot feature.

Note

To import sensitive information in your destination organization, you must have both of the following privileges:

  • The View access level on the Vault entry domain in the origin organization.

  • The Edit access level on the Vault entry domain in the destination organization.

Access level Grantee abilities Typical grantees

View

Import sensitive information (in the origin organization)

  • Analytics managers

  • Content managers

  • Relevance managers

  • Monitoring API keys

Edit

  • Apply a snapshot, if it contains sensitive information

  • Import sensitive information (in the destination organization)

  • Administrators

  • Admin API keys

Search service

Execute queries domain

Access level Grantee abilities Typical grantees

Allowed

For organization members and API keys to send queries and get search results in search pages connected to their Coveo organization

  • Administrators

  • Content managers

  • Relevance managers

  • Users

  • Anonymous search API keys

Expression validation result domain

Required to use an upcoming feature. Granting privileges on this domain doesn’t give the grantee any additional capabilities yet.

Access level Grantee abilities Typical grantees

Allowed

Obtain a search token for a search interface that replicates a permission system to execute queries and send usage analytics events as a specific user. See Use search token authentication for more information.

Warning

This privilege is especially potent since grantees can impersonate any user and access in search results the content accessible to this user. Grantees could therefore access sensitive items that they can’t normally access in the original repositories.

  • Administrators

  • Search API keys

Modify authentication provider domain

Access level Grantee abilities Typical grantees

Allowed

Manage authentication for sources that index permissions, such as when they’re secured with SharePoint claims-based identities

  • Administrators

  • Admin API keys

Query logs domain

Access level Grantee abilities Typical grantees

View

In your consumption dashboard, download a list of the queries performed in a hub during a certain month

  • Administrators

  • Admin API keys

  • Monitoring API keys

Query pipeline preview domain

Access level Grantee abilities Typical grantees

View

Review how changes to result ranking rules affect search results on the Preview test search page.

  • Administrators

  • Content managers

  • Relevance managers

  • Users

Replay any query domain

Access level Grantee abilities Typical grantees

View

Replay a query through the Relevance Inspector.

  • Administrators

  • Content managers

  • Relevance managers

  • Users

Salesforce index configuration domain

Access level Grantee abilities Typical grantees

View

Monitoring API keys

Edit

Link a Coveo organization to a Salesforce organization that uses a Salesforce index

  • Administrators

  • Admin API keys

Search pages and IPX domain

Note

The following procedure is currently only effective in the Legacy Interface Editor.

Unlike for other resources, the ability to create search pages and IPX can be granted without the Edit access level. You can therefore grant a group or API key the View all or Custom access level for the Search pages and IPX domain and check the Can create checkbox to allow users to create resources in this domain. For this checkbox to be effective, the grantee will also need the Execute queries > Allowed and Fields > View accesses.

Access level Grantee abilities Typical grantees

View all

Access all the hosted search pages and In-Product Experiences (IPX) in the Coveo organization

  • Users

  • Monitoring API keys

Custom

View

Access all the hosted search pages and In-Product Experiences (IPX) in the Coveo organization

Edit

Edit all

  • Administrators

  • Admin API keys

Warning

The Edit all access level is a sensitive privilege which is typically granted only to administrators. This privilege should remain limited to avoid being exploited by malicious users who could enter unwanted code and put search page users at risk.

Search usage metrics domain

Access level Grantee abilities Typical grantees

View

  • Relevance managers

  • Monitoring API keys

Edit

Edit the entitlement metric of a search hub in the Consumption dashboard

  • Administrators

  • Admin API keys

View all content domain

Access level Grantee abilities Typical grantees

Allowed

Warning

This privilege is especially potent since grantees bypass the content permissions and could therefore access sensitive items that they can’t normally access in the original repositories.

Administrators

Built-in group comparison tables

The following tables compare the privileges granted to each built-in group.

Analytics service

Domain Administrators Analytics Managers Analytics Viewers Content Managers Relevance Managers Users

Administrate

Allowed

-

-

-

-

-

Analytics data

Push and view

View

View

-

View

-

Data exports

Edit

Edit

Edit

-

Edit

-

Data health

View

View

View

-

View

-

Delete user data

Allowed

-

-

-

-

-

Dimensions

Edit

Edit

View

-

Edit

-

Impersonate

Allowed

-

-

-

-

-

Metric alerts

Edit

Edit

View

-

Edit

-

Named filters

Edit

Edit

View

-

Edit

-

Permission filters

Edit

View

View

-

View

-

Reports

Edit

Edit

View

-

Edit

-

Snowflake management

Edit

Edit

View

-

-

-

Validate event

View

View

View

-

View

-

View all reports

Allowed

Allowed

-

-

Allowed

-

Commerce service

Domain Administrators Analytics Managers Analytics Viewers Content Managers Relevance Managers Users

Catalog

Edit

-

-

-

-

-

Merchandising hub

Edit

-

-

-

-

-

Product listing

Edit

-

-

-

-

-

Content service

Domain Administrators Analytics Managers Analytics Viewers Content Managers Relevance Managers Users

Connectivity diagnostic logs

View

-

-

View

-

-

Crawling Module

Edit

-

-

View

-

View

Crawling Module log request

Edit

-

-

-

-

-

Extensions

Edit all

-

-

Edit all

-

-

Fields

Edit

-

-

Edit

View

View

Logical indexes

Edit

-

-

Edit

-

-

Security identities

Edit

-

-

Edit

-

-

Security identity providers

Edit

-

-

Edit

-

-

Source metadata

View

-

-

-

-

-

Sources

Edit all

-

-

Edit all

-

View all

"Customer service" service

Domain Administrators Analytics Managers Analytics Viewers Content Managers Relevance Managers Users

Case Assist configuration

Edit

-

-

-

-

-

Insight Panel user actions

View

-

-

-

-

-

Insight Panel configuration

Edit

-

-

-

-

-

Insight Panel interface

Edit

-

-

-

-

-

Insight Panel items

View

-

-

-

-

-

Use Case Assist

Allowed

-

-

Allowed

Allowed

Allowed

Machine learning service

Domain Administrators Analytics Managers Analytics Viewers Content Managers Relevance Managers Users

Allow content preview

Allowed

-

-

-

Allowed

-

Models

Edit

-

-

-

Edit

-

User profiles

Edit

-

-

-

-

-

Organization service

Domain Administrators Analytics Managers Analytics Viewers Content Managers Relevance Managers Users

API keys

Edit all

-

-

View all

View all

-

Activities

Edit

-

-

View

View

-

Critical updates

Edit

View

-

View

View

-

Groups

Edit all

View all

-

Custom

Custom

-

Link

Edit

Edit

-

Edit

Edit

-

Notifications

Edit

-

-

-

-

-

On-premises administration

Edit

-

-

-

-

-

Organization

Edit

View

View

View

View

View

Projects

Edit

View

View

View

View

View

Single sign-on identity provider

Edit

-

-

-

-

-

Snapshots

Edit

Edit

-

Edit

Edit

-

Temporary access

Edit

-

-

-

-

-

Vault entry

Edit

View

-

View

View

-

Search service

Domain Administrators Analytics Managers Analytics Viewers Content Managers Relevance Managers Users

Execute queries

Allowed

-

-

Allowed

Allowed

Allowed

Expression validation result

View

-

-

-

-

-

Impersonate

Allowed

-

-

-

-

-

Modify authentication provider

Allowed

-

-

-

-

-

Query logs

View

-

-

-

-

-

Query pipeline preview

View

-

-

-

-

-

Query pipelines

Edit all

-

-

-

Edit all

-

Replay any query

View

-

-

-

-

-

Salesforce index configuration

Edit

-

-

-

-

-

Search pages and IPX

Edit all

-

-

-

-

View all

Search usage metrics

Edit

-

-

-

View

-

View all content

Allowed

-

-

-

-

-