--- title: Privilege reference slug: '1707' canonical_url: https://docs.coveo.com/en/1707/ collection: manage-an-organization source_format: adoc --- # Privilege reference In the Coveo [privilege](https://docs.coveo.com/en/228/) system, each [domain](https://docs.coveo.com/en/2819/) can be associated to one or more [access level](https://docs.coveo.com/en/2818/) to form a privilege, which allows an API key or a group of users to perform certain operations in the [Coveo Administration Console](https://docs.coveo.com/en/183/). See [Manage privileges](https://docs.coveo.com/en/3151/) and [Navigate the "Privileges" tab](https://docs.coveo.com/en/2807/) for more information. However, although many domains offer a **View** and an **Edit** access level, the [abilities](https://docs.coveo.com/en/2817/) represented by these access levels may differ from domain to domain. Some domains also offer different access level options such as **Allowed** or **Push**. So, to help you grant the appropriate privilege to groups of users or API keys, this page details what your grantee can do when granted each access level option for each domain. In the Coveo Administration Console, domains of privilege are grouped by [service](https://docs.coveo.com/en/2821/), and this page uses the same arrangement. Use the **In this article** menu on the right side of the page to browse the services and domains. > **Important** > > The operation of granting privileges isn't to be taken lightly, as insufficient privileges can hinder task accomplishment, while inadequate or unnecessary privileges could lead to accidents or misuse. > When allowed to delegate powers, you should have a good understanding of how the Coveo privilege system works and be well aware of the implications of each choice you make. > Thoroughly read the privilege documentation before granting privileges or editing a privilege set, and enforcing the principle of least privilege, that is, granting just enough privileges for the grantee to perform their tasks (see [Manage privileges](https://docs.coveo.com/en/3151/) and [Principle of Least Privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege)). In the following tables, the _typical grantees_ associated to a privilege are mostly the [built-in groups](https://docs.coveo.com/en/1980#built-in-groups) or [group templates](https://docs.coveo.com/en/2807#about-the-template-menu) that are granted this access level by default (see [built-in groups comparison tables](#built-in-group-comparison-tables)). However, they could also include typical groups of users that should have the privilege granted to them (for example, support agents). Members of the Administrators group are always granted the highest access level. Similarly, the **Typical grantee** column shows which [API key templates](https://docs.coveo.com/en/1718#api-key-templates) are granted each access level. ## Analytics service ### Administrate domain [%header,cols="1,4,2"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|Allowed a|* Manage the organization [data](https://docs.coveo.com/en/259/): ** Add and delete test usage analytics data in the account ** Edit, get, delete, and disable the organization account * [Define IP addresses whose events are flagged as internal](https://docs.coveo.com/en/1562#internal-event-filters) > **Warning** > > This privilege is especially potent since grantees can delete usage analytics data and could inadvertently corrupt it as well. a|* Administrators * Knowledge managers |=== ### Analytics data domain [%header,cols="1,4,2"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|View a|* View [reports](https://docs.coveo.com/en/1674/) * View [dimensions](https://docs.coveo.com/en/1522/) * View [named filters](https://docs.coveo.com/en/1990/) * View [permission filters](https://docs.coveo.com/en/1917/) * View usage analytics [data exports](https://docs.coveo.com/en/1856/) a|* Analytics managers * Analytics viewers * Relevance managers a|Push a|Send [events](https://docs.coveo.com/en/2949/) to [Coveo Analytics](https://docs.coveo.com/en/182/) a|* OAuth tokens, API keys, and search tokens assigned to a process such as a search interface * Anonymous search API keys * Authenticated search API keys * Usage analytics API keys * Search pages API keys * Anonymous Case Assist API keys a|Push and view a|* View [reports](https://docs.coveo.com/en/1674/) * View [dimensions](https://docs.coveo.com/en/1522/) * View [named filters](https://docs.coveo.com/en/1990/) * View [permission filters](https://docs.coveo.com/en/1917/) * View usage analytics [data exports](https://docs.coveo.com/en/1856/) * Send [events](https://docs.coveo.com/en/2949/) to [Coveo Analytics](https://docs.coveo.com/en/182/) a|Administrators |=== ### Data exports domain > **Important** > > The **Data exports** domain access levels are ineffective without the **View** access level on the [**Analytics data** domain](#analytics-data-domain) [%header,cols="1,4,2"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|View a|View and download usage analytics [data exports](https://docs.coveo.com/en/1856/) containing clicks, groups, keywords, searches, and custom events meeting the specified criteria for a specific date range a| a|Edit a|* [Add, edit, or delete analytics data exports](https://docs.coveo.com/en/1856/) from the specified user visits * [Review user visits](https://docs.coveo.com/en/1964/) a|* Administrators * Analytics managers * Analytics viewers * Relevance managers |=== ### Data health domain [%header,cols="~,~,~"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|View a|View [organizational data health for a specific date range.](https://docs.coveo.com/en/m44f6381/) a|Administrators |=== ### Delete user data domain [%header,cols="~,~,~"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|Allowed a|Delete usage analytics user data > **Warning** > > This privilege is especially potent since grantees can delete usage analytics user data. This can break existing reports and also render some datasets inaccurate. a|Administrators |=== ### Dimensions domain > **Important** > > The **Dimensions** domain access levels are ineffective without the **View** access level on the [**Analytics data** domain](#analytics-data-domain). [%header,cols="1,4,2"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|View a|* View [dimensions](https://docs.coveo.com/en/1522/) * View [reports](https://docs.coveo.com/en/1674/) * View [named filters](https://docs.coveo.com/en/1990/) * View [permission filters](https://docs.coveo.com/en/1917/) a|Analytics viewers a|Edit a|[Add, edit, or delete dimensions](https://docs.coveo.com/en/1522/) created by Coveo organization members a|* Administrators * Analytics managers |=== ### Impersonate domain (analytics) [%header,cols="1,4,2"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|Allowed a|Allow a custom process or bot to push usage analytics events with different identities a|* Administrators * Usage analytics API keys |=== ### Named filters domain > **Important** > > The Named filters domain access levels are ineffective without the **View** access level on the [**Analytics data**](#analytics-data-domain) and [**Dimensions**](#dimensions-domain) domains. [%header,cols="1,4,2"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|View a|View [named filters](https://docs.coveo.com/en/1990/) a|Analytics viewers a|Edit a|[Add, edit, or delete named filters](https://docs.coveo.com/en/1990/) a|* Administrators * Analytics managers * Relevance managers |=== ### Permission filters domain > **Important** > > The Permission filters domain access levels are ineffective without the **View** access level on the [**Analytics data**](#analytics-data-domain) and [**Dimensions**](#dimensions-domain) domains. [%header,cols="~,~,~"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|View a|View [permission filters](https://docs.coveo.com/en/1917/) restricting the usage analytics data that analysts can review in reports > **Note** > > Without the **View** access level, you can't see the permissions filters that are assigned to your identity in reports. a|* Analytics viewers * Analytics managers * Relevance managers a|Edit a|[Add, edit, or delete permission filters](https://docs.coveo.com/en/1917/) > **Note** > > The **Edit** access level is ineffective without the **View** access level on the [**Groups** domain](#groups-domain). a|Administrators |=== ### Property domain > **Important** > > The **Property** domain access levels are ineffective without the **View** access level on the [**Analytics data**](#analytics-data-domain) domain. [%header,cols="~,~,~"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|View a|View [properties](https://docs.coveo.com/en/o7vh0012/) that manage tracking IDs across different sites or applications a|* Analytics viewers * Analytics managers * Relevance managers a|Edit a|Add a [property](https://docs.coveo.com/en/o7vh0012#add-a-property) to register a new tracking ID, or edit or delete an existing property. a|* Administrators * Analytics managers * Relevance managers |=== ### Reports domain > **Important** > > The **Reports** domain access levels are ineffective without the **View** access level on the [**Analytics data**](#analytics-data-domain) and [**Dimensions**](#dimensions-domain) domains. [%header,cols="~,~,~"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|View a|View usage analytics reports ([dashboards](https://docs.coveo.com/en/1542/) and [explorers](https://docs.coveo.com/en/1899/)) a|Analytics viewers a|Edit a|Add, edit, or delete usage analytics reports ([dashboards](https://docs.coveo.com/en/1542/) and [explorers](https://docs.coveo.com/en/1899/)) > **Note** > > The **Edit** access level is ineffective without the **Allowed** access level on the [**Administrate** domain](#administrate-domain). a|* Administrators * Analytics managers * Relevance managers |=== ### Snowflake management domain > **Important** > > The **Edit** access level is ineffective without the **Allowed** access level on the [**Administrate** domain](#administrate-domain). [%header,cols="1,4,2"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|View a|* View the **Raw Data** page * View Snowflake reader account [monthly credit consumption](https://docs.coveo.com/en/l4gb2122#snowflake-credits) a|* Administrators * Analytics managers * Analytics viewers * Relevance managers a|Edit a|* [Add or edit](https://docs.coveo.com/en/l4gb2122#add-or-edit-users) Snowflake reader accounts * [Add or block](https://docs.coveo.com/en/l4gb2122#add-or-block-ip-addresses) IP addresses * [Share Data](https://docs.coveo.com/en/l4gb2122#add-or-edit-users) with other Snowflake accounts a|* Administrators * Analytics managers * Relevance managers |=== ### View all reports domain [%header,cols="~,~,~"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|Allowed a|View all reports, regardless of [report accesses](https://docs.coveo.com/en/1888/). Members that don't have this access level can only review the reports they're explicitly allowed to access. > **Warning** > > This privilege is especially potent since grantees bypass report permissions and could therefore access sensitive information that they wouldn't be allowed to access otherwise. a|* Administrators * Analytics managers |=== ## Commerce service ### Catalog domain [%header,cols="1,4,2"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|View a|View catalog entities and catalog configurations a| a|Edit a|[Add](https://docs.coveo.com/en/3139/), edit, or delete catalog entities a|Administrators |=== ### Catalog setup domain [%header,cols="1,4,2"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|View a|View catalog schemas a| a|Edit a|Create, edit, or delete catalog schemas a|Administrators |=== ### Merchandising hub domain [%header,cols=".^~,.^~,~,.^~"] |=== 2+|Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) 2+a|View all a|View CMH resources for all [properties](https://docs.coveo.com/en/p4ue0547/). a| .2+a|[Custom](https://docs.coveo.com/en/3151#custom-access-level) a|View a|View CMH resources for the specified properties. a| a|Edit a|Edit CMH resources for the specified properties a| 2+a|Edit all a|Add, edit, or delete CMH resources for all properties. a|Administrators |=== ## Content service ### Connectivity diagnostic logs domain [%header,cols="1,4,2"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|View a|[Download update logs](https://docs.coveo.com/en/1969#download-update-logs) a|* Administrators * Content managers |=== ### Crawling Module domain [%header,cols="~,~,~"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|View a|* Access the [**Crawling Modules**](https://platform.cloud.coveo.com/admin/#/orgid/content/crawling-module/) ([platform-ca](https://platform-ca.cloud.coveo.com/admin/#/orgid/content/crawling-module/) | [platform-eu](https://platform-eu.cloud.coveo.com/admin/#/orgid/content/crawling-module/) | [platform-au](https://platform-au.cloud.coveo.com/admin/#/orgid/content/crawling-module/)) page * Select the [Crawling Module](https://docs.coveo.com/en/3260/) instance responsible for crawling a [source](https://docs.coveo.com/en/3390/) a|Content managers a|Edit a|This access level allows a [Crawling Module](https://docs.coveo.com/en/3260/) instance to report its status to Coveo. This status is then displayed on the [**Crawling Modules**](https://platform.cloud.coveo.com/admin/#/orgid/content/crawling-module/) ([platform-ca](https://platform-ca.cloud.coveo.com/admin/#/orgid/content/crawling-module/) | [platform-eu](https://platform-eu.cloud.coveo.com/admin/#/orgid/content/crawling-module/) | [platform-au](https://platform-au.cloud.coveo.com/admin/#/orgid/content/crawling-module/)) page. Granting this access level to groups of users doesn't give them any additional capabilities. a|* Administrators * Crawling Module API keys > **Note** > > Administrators are granted the highest access level for all domains, including **Crawling Module**. However, in this case, having the **Edit** access level instead of **View** doesn't grant them any additional capabilities. It only makes a difference for [Crawling Module](https://docs.coveo.com/en/3260/) API keys, which require the **Edit** access level. |=== ### Crawling Module log request domain [%header,cols="~,~,~"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|View a|Granting this privilege to groups of users or API keys doesn't give them any additional capabilities. a| a|Edit a|[Download Crawling Module logs from the Activity panel](https://docs.coveo.com/en/3272#download-logs-through-the-administration-console) > **Warning** > > This privilege is especially potent since grantees can use it to access logs that are normally available to the host server's administrators only. Although the logs contain no sensitive information such as passwords and no indexed content, they still show the host name of the Crawling Module host server, the accessed URLs, etc. a|Administrators |=== ### Extensions domain [%header,cols=".^~,.^~,~,.^~"] |=== 2+|Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) 2+a|View all a|View the code and usage statistics of available [extensions](https://docs.coveo.com/en/1645/) assigned to sources. This is especially useful when troubleshooting cases such as item indexing issues. a| .2+a|[Custom](https://docs.coveo.com/en/3151#custom-access-level) a|View a|View the code and usage statistics of the specified extensions. This is especially useful when troubleshooting cases such as item indexing issues. a| a|Edit a|[Add code snippets to apply transformations to indexed items](https://docs.coveo.com/en/1645#add-an-indexing-pipeline-extension) such as adding or modifying metadata. Grant this privilege to developers only. a| 2+a|Edit all a|[Add code snippets to apply transformations to indexed items](https://docs.coveo.com/en/1645#add-an-indexing-pipeline-extension) such as adding or modifying metadata. Grant this privilege to developers only. a| * Administrators * Content managers |=== ### Fields domain [%header,cols="1,4,2"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|View a|View [fields](https://docs.coveo.com/en/1833/) and field configuration a|Users a|Edit a| * [Add, edit, or delete fields](https://docs.coveo.com/en/1833/) * [Add](https://docs.coveo.com/en/144/), update, or delete fields in batches a| * Administrators * Content managers |=== ### Logical indexes domain [%header,cols="1,4,2"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|View a|* When your organization has more than one index: ** On the **Sources** page, see in which index the content of each source is stored ** When adding a source, select the index in which the retrieved content will be stored a| a|Edit a|* This access level doesn't give its grantee any additional capabilities. a|* Administrators * Content managers |=== ### Push identities to security providers domain [%header,cols=".^~,.^~,~,.^~"] |=== 2+|Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) |Custom |Allow |[Use the Push API to add, update, or disable security identities](https://docs.coveo.com/en/68/) in the specified security identity providers .2+a| 2+|Allow for all providers |[Use the Push API to add, update, or disable security identities](https://docs.coveo.com/en/68/) in any security identity provider |=== ### Push items to sources domain [%header,cols=".^~,.^~,~,.^~"] |=== 2+|Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) |Custom |Allow a|* [Use the Push API to add, update, or delete items](https://docs.coveo.com/en/68/) in the specified Push sources * [Use the Stream API to add, update, or delete items](https://docs.coveo.com/en/p48b0322/) in the specified Catalog sources * [Use the Push API to update the status](https://docs.coveo.com/en/35#update-the-status-of-a-push-source) of the specified Push sources .2+a| 2+|Allow for all sources a|* [Use the Push API to add, update, or delete items](https://docs.coveo.com/en/68/) in any Push source * [Use the Stream API to add, update, or delete items](https://docs.coveo.com/en/p48b0322/) in any Catalog source * [Use the Push API to update the status of a Push source](https://docs.coveo.com/en/35#update-the-status-of-a-push-source) |=== ### Security identities domain > **Important** > > The Security identities domain access levels are ineffective without the **View** access level on the [**Security identity providers** domain](#security-identity-providers-domain). [%header,cols="1,4,2"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|View a|* View [security identity provider](https://docs.coveo.com/en/1905/) update status, statistics, and refresh schedule * [View security identity provider references](https://docs.coveo.com/en/1905#Review) such as provider IDs and the sources that use each provider * [View the permissions and effective permissions on Coveo organization items](https://docs.coveo.com/en/1712#permissions-tab) * View security identities and their status inside each security provider a| a|Edit a|Only required by certain API calls (for example, enable all disabled entities in security cache). Granting this access level to groups of users doesn't give them any additional capabilities. a|Administrators |=== ### Security identity providers domain [%header,cols="1,4,2"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|View a|* View [security identity provider](https://docs.coveo.com/en/1905/) update status, statistics, and refresh schedule * [View security identity provider references](https://docs.coveo.com/en/1905#Review) such as provider IDs and the sources that use each provider * View security identities and their status inside each security provider a| a|Edit a|* [Refresh security identity providers](https://docs.coveo.com/en/1905#refresh-a-security-identity-provider) * [Configure security identity refresh schedules](https://docs.coveo.com/en/1905#configure-security-identity-refresh-schedules) * [Edit a security identity provider](https://docs.coveo.com/en/1905#edit-a-security-identity-provider) a|Administrators |=== ### Source metadata domain [%header,cols="~,~,~"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|View a|View a sample of the metadata discovered while indexing a source > **Warning** > > This privilege is especially potent since grantees bypass the content permissions of the [sources they can edit](#sources-domain). > They can therefore access sensitive index content that they can't normally access in the original repository. a|Administrators |=== ### Sources domain > **Notes** > > * To [review source content in the **Content Browser**](https://docs.coveo.com/en/2053/), you must have the **Allowed** access level on the [**Execute queries** domain](#execute-queries-domain). > * Unlike for other resources, the ability to create sources can be granted without the **Edit** access level. > You can therefore grant a group or API key the **View all** or **Custom** access level for the **Sources** domain and check the **Can Create** checkbox to allow users to create resources in this domain. [%header,cols=".^~,.^~,~,.^~"] |=== 2+|Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) 2+|View all a|* View all [sources](https://docs.coveo.com/en/3390#review-the-activity-of-a-source) * View configuration of all sources * [View all source logs](https://docs.coveo.com/en/1864/) * [Subscribe to source notifications](https://docs.coveo.com/en/1911/) a|Users .2+|[Custom](https://docs.coveo.com/en/3151#custom-access-level) |View a|* View [source](https://docs.coveo.com/en/3390#review-the-activity-of-a-source) * View source configuration * [View source logs](https://docs.coveo.com/en/1864/) * [Subscribe to source notifications](https://docs.coveo.com/en/1911/) .2+| |Edit a|* Edit or [delete](https://docs.coveo.com/en/3390#delete-a-source) specific sources * [Schedule source updates](https://docs.coveo.com/en/1933/) * [Edit specific source mappings](https://docs.coveo.com/en/1640/) * Launch, pause, resume, and cancel specific [source updates](https://docs.coveo.com/en/3390#refresh-rescan-or-rebuild-sources) * [Subscribe to source notifications](https://docs.coveo.com/en/1911/) 2+|Edit all a|* [Add sources](https://docs.coveo.com/en/3390#add-a-source) * Edit or [delete](https://docs.coveo.com/en/3390#delete-a-source) all sources * [Edit all source update schedules](https://docs.coveo.com/en/1933/) * [Edit all source mappings](https://docs.coveo.com/en/1640/) * Launch, pause, resume, and cancel all [source updates](https://docs.coveo.com/en/3390#refresh-rescan-or-rebuild-sources) * [Subscribe to source notifications](https://docs.coveo.com/en/1911/) a|* Administrators * Content managers |=== > **Important** > > The **Edit** access level on the **Sources** domain does not grant the ability to [push or stream items to Push and Catalog sources](#push-items-to-sources-domain). ## Customer service ### Case Assist configuration domain [%header,cols="1,4,2"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|View a|View elements of the [**Case Assist**](https://platform.cloud.coveo.com/admin/#/orgid/service/case-assist/) ([platform-ca](https://platform-ca.cloud.coveo.com/admin/#/orgid/service/case-assist/) | [platform-eu](https://platform-eu.cloud.coveo.com/admin/#/orgid/service/case-assist/) | [platform-au](https://platform-au.cloud.coveo.com/admin/#/orgid/service/case-assist/)) page a| a|Edit a|Manage elements of the [**Case Assist**](https://platform.cloud.coveo.com/admin/#/orgid/service/case-assist/) ([platform-ca](https://platform-ca.cloud.coveo.com/admin/#/orgid/service/case-assist/) | [platform-eu](https://platform-eu.cloud.coveo.com/admin/#/orgid/service/case-assist/) | [platform-au](https://platform-au.cloud.coveo.com/admin/#/orgid/service/case-assist/)) page a|Administrators |=== ### Use Case Assist domain [%header,cols="1,4,2"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|Allowed a|Leverage [case assist configurations](https://docs.coveo.com/en/3328/) in support cases a|* Administrators * Content managers * Relevance managers * Users * Use Case Assist API keys |=== ### Insight Panel configuration domain [%header,cols="1,4,2"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|View a|View elements of the [**Insight Panel**](https://platform.cloud.coveo.com/admin/#/orgid/service/insight-panel/) ([platform-ca](https://platform-ca.cloud.coveo.com/admin/#/orgid/service/insight-panel/) | [platform-eu](https://platform-eu.cloud.coveo.com/admin/#/orgid/service/insight-panel/) | [platform-au](https://platform-au.cloud.coveo.com/admin/#/orgid/service/insight-panel/)) page a| a|Edit a|Manage elements of the [**Insight Panel**](https://platform.cloud.coveo.com/admin/#/orgid/service/insight-panel/) ([platform-ca](https://platform-ca.cloud.coveo.com/admin/#/orgid/service/insight-panel/) | [platform-eu](https://platform-eu.cloud.coveo.com/admin/#/orgid/service/insight-panel/) | [platform-au](https://platform-au.cloud.coveo.com/admin/#/orgid/service/insight-panel/)) page a|Administrators |=== ### Insight Panel interface domain [%header,cols="1,4,2"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|View a|View an Insight Panel interface in a Customer Relationship Management (CRM) system a| a|Edit a|Create, update, or delete an Insight Panel interface a|Administrators |=== ### Insight Panel items domain [%header,cols="1,4,2"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|View a|View [items](https://docs.coveo.com/en/210/) relevant to a case using the Insight Panel interface a|* Administrators * Support agents |=== ### Insight Panel User Actions domain [%header,cols="1,4,2"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|View a|View user actions relevant to a case using the Insight Panel interface a|* Administrators * Support agents |=== ## Knowledge service ### Answer manager domain > **Important** > > Both the **Edit** and **View** access level on the **Answer manager** domain allows the member to view all generated answers for which feedback exists in an answer configuration in the Answer Manager. > This may include content to which the member may not have access to otherwise through the repository's permission system. > > Exercise caution when granting this privilege to members. [%header,cols="1,4,2"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|View a|* [View the feedback for generated answers](https://docs.coveo.com/en/p5db0180/) in the Answer Manager * View the rules in the [Knowledge Hub](https://docs.coveo.com/en/p59f0295/)’s Answer Manager a| a|Edit a|* Add, edit, or delete [answer configurations](https://docs.coveo.com/en/p5db9314/) and [rules](https://docs.coveo.com/en/p5db0039/) in the Answer Manager * [View the feedback for generated answers](https://docs.coveo.com/en/p5db0180/) in the [Knowledge Hub](https://docs.coveo.com/en/p59f0295/)’s Answer Manager a|* Administrators * Knowledge managers |=== ### Chunk inspector domain > **Important** > > The **Enable** access level on the **Chunk inspector** domain allows the member to view all segments of text (chunks) used during answer generation, as well as the chunks for a given indexed item. > This may include content to which the member may not have access to otherwise through the repository's permission system. > > Exercise caution when granting this privilege to members. [%header,cols="1,4,2"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|Allowed a|Access the [Knowledge Hub](https://docs.coveo.com/en/p59f0295/)’s Chunk Inspector to [view the segments of text (chunks) used for a generated answer or a specific item](https://docs.coveo.com/en/p5dc0110/). a|* Administrators * Knowledge managers |=== ### Knowledge hub domain [%header,cols="1,4,2"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|Allowed a|Access the Coveo Knowledge Hub a|* Administrators * Knowledge managers |=== ### GenAI analytics domain > **Important** > > The **Allowed** access level on the **GenAI analytics** domain allows the member to view metrics related to all [RGA](https://docs.coveo.com/en/nbtb6010/) implementations in your organization. > Exercise caution when granting this privilege to members. [%header,cols="1,4,2"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|Allowed a|Access the [GenAI Performance](https://docs.coveo.com/en/p5dc1316/) dashboards a|* Administrators * Knowledge managers |=== ### GenAI analytics index content domain > **Important** > > The **View** access level on the **GenAI analytics index content** domain exposes index content that the member may not otherwise have access to through the repository's permission system. > Exercise caution when granting this privilege to members. [%header,cols="1,4,2"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|View a|View content in the [GenAI Performance](https://docs.coveo.com/en/p5dc1316/) dashboards pertaining to indexed items a|* Administrators * Knowledge managers |=== ## Machine learning service ### Allow content preview domain [%header,cols="~,~,~"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|Enable a|Inspect the resources available to create content-based Coveo Machine Learning models > **Warning** > > This privilege gives grantees indirect access to [index](https://docs.coveo.com/en/204/) content. > Grantees could therefore have access to sensitive content to which they wouldn't have under normal conditions. a|* Administrators * Relevance managers |=== ### Models domain [%header,cols="1,4,2"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|View a|View Coveo Machine Learning models a| a|Edit a|[Add, edit, or delete machine learning models](https://docs.coveo.com/en/1832/), and therefore optimize search results relevance and search experience in general a|* Administrators * Relevance managers |=== ### User profiles domain [%header,cols="1,4,2"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|View a|View the Coveo Machine Learning user profile made for each user or visitor ID a| a|Edit a|Edit the Coveo Machine Learning user profile made for each user or visitor ID a|Administrators |=== ## Organization service ### API keys domain > **Note** > > This domain is only available when [configuring groups](https://docs.coveo.com/en/1980/), as API keys can't be granted the privilege to view or edit other API keys. [%header,cols=".^~,.^~,~,.^~"] |=== 2+|Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) 2+a|View all a|View in read-only mode the configuration of all [API keys](https://docs.coveo.com/en/1718/) a|* Content managers * Relevance managers .2+a|[Custom](https://docs.coveo.com/en/3151#custom-access-level) a|View a|View in read-only mode the configuration of specific [API keys](https://docs.coveo.com/en/1718/) a| a|Edit a|[Edit, delete, activate, and disable specific API keys](https://docs.coveo.com/en/1718#create-an-api-key) a| 2+a|Edit all a|[Add, edit, delete, activate, and disable all API keys](https://docs.coveo.com/en/1718#create-an-api-key) a|Administrators |=== ### Activities domain [%header,cols="~,~,~"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|View a|[Access the Activity Browser and view all organization activities](https://docs.coveo.com/en/1969/) > **Important** > > A member with the **View** access level on the **Activities** domain can access the [Activity Browser](https://docs.coveo.com/en/1969/). > This member can therefore see all activities taking place in the organization, including those from Coveo Administration Console pages that they can't access. a|* Content managers * Relevance managers a|Edit a|[Send custom activities to Coveo](https://docs.coveo.com/en/1546/) a|Administrators |=== ### Critical updates domain [%header,cols="1,4,2"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|View a|Access the list of available critical updates a| a|Edit a|Enable/disable critical updates in the organization a|Administrators |=== ### Customer keys domain [%header,cols="1,4,2"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|View a|Access the list of available [BYOK encryption keys](https://docs.coveo.com/en/o5kb0530/) a| a|Edit a|Add, activate, or delete [BYOK encryption keys](https://docs.coveo.com/en/o5kb0530/) a|Administrators |=== ### Groups domain > **Leading practice** > > Grant the **Edit** or **Edit all** access level for the **Groups** domain only to a few people, ideally the authority in your company that manages access rights in corporate systems. [%header,cols=".^~,.^~,~,.^~"] |=== 2+|Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) 2+a|View all a|* View all [groups](https://docs.coveo.com/en/1980/), including their privileges * View [organization members](https://docs.coveo.com/en/1821/) a|Analytics managers .2+a|[Custom](https://docs.coveo.com/en/3151#custom-access-level) a|View a|View [groups](https://docs.coveo.com/en/1980/), including their privileges a|* Content managers * Relevance managers a|Edit a|* [Duplicate](https://docs.coveo.com/en/1980#duplicate-a-group), [edit](https://docs.coveo.com/en/1980#add-or-edit-a-group), or [delete](https://docs.coveo.com/en/1980#delete-a-group) groups and members * [Edit group member privileges](https://docs.coveo.com/en/1980#privileges-tab) * [Send invitations to users](https://docs.coveo.com/en/1821#add-members) a|Relevance managers 2+a|Edit all a| * [Duplicate](https://docs.coveo.com/en/1980#duplicate-a-group), [edit](https://docs.coveo.com/en/1980#add-or-edit-a-group), or [delete](https://docs.coveo.com/en/1980#delete-a-group) all groups and their members * [Edit privileges of all groups](https://docs.coveo.com/en/1980#privileges-tab) * [Send invitations to users](https://docs.coveo.com/en/1821#add-members) a|Administrators |=== > **Note** > > For the preceding grantees, by default, members of the **Relevance Managers** built-in group can edit this group only. > This allows them to invite other people in the **Relevance Managers** group, but not in other groups. > **Warning** > > The **Edit all** access level is especially potent since grantees can use it to add anyone, including themselves, to any organization group. > This can lead to [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) ### Link domain See [Privileges required to manage snapshots](https://docs.coveo.com/en/3357/) for details on the privileges you need to use the resource snapshot feature. [%header,cols="1,4,2"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|View a|* [Validate a resource snapshot](https://docs.coveo.com/en/3239#apply-a-snapshot-to-an-organization) * View changes to apply a| a|Edit a|[Match analogous resources](https://docs.coveo.com/en/3239#apply-a-snapshot-to-an-organization) a|Administrators |=== ### Notifications domain [%header,cols="1,4,2"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|View a|View [organization notifications](https://docs.coveo.com/en/1583/) a| a|Edit a|[Edit and delete organization notifications](https://docs.coveo.com/en/1583/) a|Administrators |=== ### On-premises administration domain The privileges of this domain are required by the [Coveo Crawling Module](https://docs.coveo.com/en/3260/) [API keys](https://docs.coveo.com/en/1718/) only. Granting these privileges to groups of users doesn't give them any additional capabilities. [%header,cols="~,~,~"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|View a| a| a|Edit a|This access level, when granted to a [Coveo Crawling Module](https://docs.coveo.com/en/3260/) [API key](https://docs.coveo.com/en/1718/), allows the Crawling Module to communicate with Coveo. Granting it to users or groups doesn't give them any additional capabilities. a|* Administrators * Crawling Module API keys > **Note** > > Administrators are granted the highest access level for all domains, including **On-Premises Organization**. > However, in this case, having the **Edit** access level instead of **View** doesn't grant them any additional capabilities. > It only makes a difference for [Crawling Module](https://docs.coveo.com/en/3260/) API keys, which require the **Edit** access level. |=== ### Organization domain [%header,cols="~,~,~"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|View a|* [Access the Coveo Administration Console](https://docs.coveo.com/en/2822/) (if the grantee is a group of users) * [View the Coveo license details and limits, as well as the organization basic information](https://docs.coveo.com/en/1562/) a|* Analytics managers * Analytics viewers * Content managers * Relevance managers * Users a|Edit a|* [Edit the organization display name and contact email](https://docs.coveo.com/en/1562#organization-details) * [Delete the organization](https://docs.coveo.com/en/1562#organization-details) a|Administrators |=== ### Projects domain [%header,cols="1,4,2"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|View a|[View the organization's projects](https://docs.coveo.com/en/n7ef0517#view-a-project) a|* User * Analytics Manager * Analytics Viewer * Relevance Manager * Content Manager * Merchandiser * Knowledge Manager a|Edit a|[Add or edit the organization's projects](https://docs.coveo.com/en/n7ef0517#add-or-edit-a-project) a|Administrators |=== ### Single sign-on identity provider domain [%header,cols="1,4,2"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|View a|[View the organization's single sign-on configuration](https://docs.coveo.com/en/1562#single-sign-on) a| a|Edit a|[Configure single sign-on for the organization](https://docs.coveo.com/en/1562#single-sign-on) a|Administrators |=== ### Snapshots domain See [Privileges required to manage snapshots](https://docs.coveo.com/en/3357/) for details on the privileges you need to use the resource snapshot feature. [%header,cols="1,4,2"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|View a|* View the [snapshots](https://docs.coveo.com/en/3239/) in the organization * Copy or download a snapshot * Validate a snapshot * View changes to apply * Match analogous resources a| a|Edit a|* Create a [snapshot](https://docs.coveo.com/en/3239/) * Copy a snapshot to a different organization * Apply a snapshot * Delete a snapshot a|* Administrators * Analytics managers * Content managers * Relevance managers |=== ### Temporary access domain [%header,cols="1,4,2"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) |View |View who at Coveo has asked for and been granted temporary access to your organization, as well as the privileges they were granted | |Edit |Revoke temporary access to your organization a|Administrators |=== ### Vault entry domain See [Privileges required to manage snapshots](https://docs.coveo.com/en/3357/) for details on the privileges you need to use the resource snapshot feature. > **Note** > > To import sensitive information in your destination organization, you must have both of the following privileges: > > * The **View** access level on the **Vault entry** domain in the origin organization. > > * The **Edit** access level on the **Vault entry** domain in the destination organization. [%header,cols="1,4,2"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) |View |Import sensitive information (in the origin organization) a|* Analytics managers * Content managers * Relevance managers |Edit a|* Apply a snapshot, if it contains sensitive information * Import sensitive information (in the destination organization) a|Administrators |=== ## Search service ### Execute queries domain [%header,cols="1,4,2"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|Allowed a|For organization members and API keys to [send queries](https://docs.coveo.com/en/1724/) and get search results in search pages connected to their Coveo organization a|* Administrators * Content managers * Relevance managers * Users * Anonymous search API keys * Search pages API keys |=== ### Expression validation result domain Required to use an upcoming feature. Granting privileges on this domain doesn't give the grantee any additional capabilities yet. ### Impersonate domain (search) [%header,cols="~,~,~"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|Allowed a|Obtain a search token for a [search interface that replicates a permission system](https://docs.coveo.com/en/1779#same-users-and-groups-as-in-your-content-system) to execute [queries](https://docs.coveo.com/en/231/) and send [Coveo Analytics events](https://docs.coveo.com/en/260/) as a specific [user](https://docs.coveo.com/en/250/). See [Use search token authentication](https://docs.coveo.com/en/56/) for more information. > **Warning** > > This privilege is especially potent since grantees can impersonate any user and access in search results the content accessible to this user. > Grantees could therefore access sensitive items that they can't normally access in the original repositories. a|* Administrators * Authenticated search API keys |=== ### Modify authentication provider domain [%header,cols="1,4,2"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) |Allowed a|Manage authentication for [sources that index permissions](https://docs.coveo.com/en/1779#same-users-and-groups-as-in-your-content-system), such as when they're secured with SharePoint claims-based identities a|Administrators |=== ### Query logs domain [%header,cols="1,4,2"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) |View a|In your [consumption dashboard](https://docs.coveo.com/en/1855/), download a list of the queries performed in a hub during a certain month a|Administrators |=== ### Query pipelines domain [%header,cols=".^~,.^~,~,.^~"] |=== 2+|Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) 2+|View all a|* View [query pipelines](https://docs.coveo.com/en/1611/) * View [query pipeline rules](https://docs.coveo.com/en/236/) * [View A/B tests](https://docs.coveo.com/en/3255/) | .2+|[Custom](https://docs.coveo.com/en/3151#custom-access-level) |View a|* View [query pipeline](https://docs.coveo.com/en/1611/) * View [query pipeline rules](https://docs.coveo.com/en/236/) * View [A/B test](https://docs.coveo.com/en/3255/) | |Edit a|* [Edit or delete specific query pipelines](https://docs.coveo.com/en/1791/) * [Edit or delete specific query pipeline rules](https://docs.coveo.com/en/1791#manage-query-pipeline-rules-and-models) * [Edit or delete specific A/B tests](https://docs.coveo.com/en/3255/) | 2+|Edit all a|* Optimize results relevance and search experience in general: ** [Add, edit, or delete all query pipelines](https://docs.coveo.com/en/1791/) ** [Add, edit, or delete all query pipeline rules](https://docs.coveo.com/en/1791#manage-query-pipeline-rules-and-models) ** [Add, edit, or delete all A/B tests](https://docs.coveo.com/en/3255/) a|* Administrators * Relevance managers |=== ### Query pipeline preview domain [%header,cols="1,4,2"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|View a|Review how changes to result ranking rules affect search results on the **Preview** test search page. a|* Administrators * Content managers * Relevance managers * Users |=== ### Replay any query domain [%header,cols="1,4,2"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|View a|Replay a query through the Relevance Inspector. a|* Administrators * Content managers * Relevance managers * Users |=== ### Salesforce index configuration domain [%header,cols="1,4,2"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|View a| a| a|Edit a|Link a Coveo organization to a Salesforce organization that uses a Salesforce index a|Administrators |=== ### Search pages and IPX domain [%header,cols=".^~,.^~,~,.^~"] |=== 2+|Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) 2+|View |Access all the hosted search pages and In-Product Experiences (IPX) in the Coveo organization a|* Users * Search pages API keys 2+|Edit a|* Add or delete all [hosted search pages](https://docs.coveo.com/en/1656/) and [In-Product Experiences (IPX)](https://docs.coveo.com/en/3160/) * Customize all [hosted search page](https://docs.coveo.com/en/1656#edit-a-hosted-search-interface) and [In-Product Experience (IPX)](https://docs.coveo.com/en/3160#customize-an-ipx-interface) interfaces a|Administrators |=== > **Warning** > > The **Edit** access level is a sensitive privilege which is typically granted only to administrators. > This privilege should remain limited to avoid being exploited by malicious users who could enter unwanted code and put search page users at risk. ### Search usage metrics domain [%header,cols="1,4,2"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|View a|View the [Consumption dashboard](https://docs.coveo.com/en/1855/) a|Relevance managers a|Edit a|Edit the entitlement metric of a search hub in the [Consumption dashboard](https://docs.coveo.com/en/1855/) a|Administrators |=== ### View all content domain [%header,cols="~,~,~"] |=== |Access level |Grantee abilities |[Typical grantees](#TypicalGrantees) a|Allowed a|[Browse all the content of a Coveo organization index](https://docs.coveo.com/en/2053#browse-all-the-content-of-your-organization-index) > **Warning** > > This privilege is especially potent since grantees bypass the content permissions and could therefore access sensitive items that they can't normally access in the original repositories. a|Administrators |=== ## Built-in group comparison tables The following tables compare the privileges granted to each built-in group or group template. ### Analytics service [%header,cols="8"] |=== |Domain |Administrators |Analytics Managers |Analytics Viewers |Content Managers |Relevance Managers |Users |Knowledge Managers |[Administrate](#administrate-domain) |Allowed |- |- |- |- |- |Allowed |[Analytics data](#analytics-data-domain) |Push and view |View |View |- |View |- |View |[Data exports](#data-exports-domain) |Edit |Edit |Edit |- |Edit |- |View |[Data health](#data-health-domain) |View |View |View |- |View |- |View |[Delete user data](#delete-user-data-domain) |Allowed |- |- |- |- |- |- |[Dimensions](#dimensions-domain) |Edit |Edit |View |- |Edit |- |View |[Impersonate](#impersonate-domain-analytics) |Allowed |- |- |- |- |- |- |[Named filters](#named-filters-domain) |Edit |Edit |View |- |Edit |- |- |[Permission filters](#permission-filters-domain) |Edit |View |View |- |View |- |View |[Reports](#reports-domain) |Edit |Edit |View |- |Edit |- |Edit |[Snowflake management](#snowflake-management-domain) |Edit |Edit |View |- |- |- |Edit |Validate event |View |View |View |- |View |- |- |[View all reports](#view-all-reports-domain) |Allowed |Allowed |- |- |Allowed |- |Allowed |=== ### Commerce service [%header,cols="8"] |=== |Domain |Administrators |Analytics Managers |Analytics Viewers |Content Managers |Relevance Managers |Users |Knowledge Managers |[Catalog](#catalog-domain) |Edit |- |- |- |- |- |- |Merchandising hub |Edit |- |- |- |- |- |- |Product listing |Edit |- |- |- |- |- |- |=== ### Content service [%header,cols="8"] |=== |Domain |Administrators |Analytics Managers |Analytics Viewers |Content Managers |Relevance Managers |Users |Knowledge Managers |[Connectivity diagnostic logs](#connectivity-diagnostic-logs-domain) |View |- |- |View |- |- |- |[Crawling Module](#crawling-module-domain) |Edit |- |- |View |- |View |View |[Crawling Module log request](#crawling-module-log-request-domain) |Edit |- |- |- |- |- |- |[Extensions](#extensions-domain) |Edit all |- |- |Edit all |- |- |- |[Fields](#fields-domain) |Edit |- |- |Edit |View |View |View |[Logical indexes](#logical-indexes-domain) |Edit |- |- |Edit |- |- |- |[Push identities to security providers](#push-identities-to-security-providers-domain) |Allow for all providers |- |- |Allow for all providers |- |- |- |[Push items to sources](#push-items-to-sources-domain) |Allow for all sources |- |- |Allow for all sources |- |- |Allow for all sources |[Security identities](#security-identities-domain) |Edit |- |- |Edit |- |- |- |[Security identity providers](#security-identity-providers-domain) |Edit |- |- |Edit |- |- |- |[Source metadata](#source-metadata-domain) |View |- |- |- |- |- |- |[Sources](#sources-domain) |Edit all |- |- |Edit all |- |View all |View all |=== ### "Customer service" service [%header,cols="8"] |=== |Domain |Administrators |Analytics Managers |Analytics Viewers |Content Managers |Relevance Managers |Users |Knowledge Managers |[Case Assist configuration](#case-assist-configuration-domain) |Edit |- |- |- |- |- |Edit |[Insight Panel user actions](#insight-panel-user-actions-domain) |View |- |- |- |- |- |View |[Insight Panel configuration](#insight-panel-configuration-domain) |Edit |- |- |- |- |- |Edit |[Insight Panel interface](#insight-panel-interface-domain) |Edit |- |- |- |- |- |Edit |[Insight Panel items](#insight-panel-items-domain) |View |- |- |- |- |- |View |[Use Case Assist](#use-case-assist-domain) |Allowed |- |- |Allowed |Allowed |Allowed |Allowed |=== ### Knowledge service [%header,cols="8"] |=== |Domain |Administrators |Analytics Managers |Analytics Viewers |Content Managers |Relevance Managers |Users |Knowledge Managers |[Answer manager](#answer-manager-domain) |Edit |- |- |- |- |- |Edit |[Chunk inspector](#chunk-inspector-domain) |Enable |- |- |- |- |- |Enable |[Knowledge hub](#knowledge-hub-domain) |Enable |- |- |- |- |- |Enable |=== ### Machine learning service [%header,cols="8"] |=== |Domain |Administrators |Analytics Managers |Analytics Viewers |Content Managers |Relevance Managers |Users |Knowledge Managers |[Allow content preview](#allow-content-preview-domain) |Allowed |- |- |- |Allowed |- |Allowed |[Models](#models-domain) |Edit |- |- |- |Edit |- |View |[User profiles](#user-profiles-domain) |Edit |- |- |- |- |- |View |=== ### Organization service [%header,cols="8"] |=== |Domain |Administrators |Analytics Managers |Analytics Viewers |Content Managers |Relevance Managers |Users |Knowledge Managers |[API keys](#api-keys-domain) |Edit all |- |- |View all |View all |- |- |[Activities](#activities-domain) |Edit |- |- |View |View |- |- |[Critical updates](#critical-updates-domain) |Edit |View |- |View |View |- |- |[Groups](#groups-domain) |Edit all |View all |- |Custom |Custom |- |- |[Link](#link-domain) |Edit |Edit |- |Edit |Edit |- |- |[Notifications](#notifications-domain) |Edit |- |- |- |- |- |- |[On-premises administration](#on-premises-administration-domain) |Edit |- |- |- |- |- |- |[Organization](#organization-domain) |Edit |View |View |View |View |View |View |[Projects](#projects-domain) |Edit |View |View |View |View |View |View |[Single sign-on identity provider](#single-sign-on-identity-provider-domain) |Edit |- |- |- |- |- |- |[Snapshots](#snapshots-domain) |Edit |Edit |- |Edit |Edit |- |- |[Temporary access](#temporary-access-domain) |Edit |- |- |- |- |- |- |[Vault entry](#vault-entry-domain) |Edit |View |- |View |View |- |- |=== ### Search service [%header,cols="8"] |=== |Domain |Administrators |Analytics Managers |Analytics Viewers |Content Managers |Relevance Managers |Users |Knowledge Managers |[Execute queries](#execute-queries-domain) |Allowed |- |- |Allowed |Allowed |Allowed |Allowed |[Expression validation result](#expression-validation-result-domain) |View |- |- |- |- |- |- |[Impersonate](#impersonate-domain-search) |Allowed |- |- |- |- |- |- |[Modify authentication provider](#modify-authentication-provider-domain) |Allowed |- |- |- |- |- |- |[Query logs](#query-logs-domain) |View |- |- |- |- |- |- |Query pipeline preview |View |- |- |- |- |- |- |[Query pipelines](#query-pipelines-domain) |Edit all |- |- |- |Edit all |- |- |Replay any query |View |- |- |- |- |- |- |[Salesforce index configuration](#salesforce-index-configuration-domain) |Edit |- |- |- |- |- |- |[Search pages and IPX](#search-pages-and-ipx-domain) |Edit |- |- |- |- |View |View |[Search usage metrics](#search-usage-metrics-domain) |Edit |- |- |- |View |- |- |[View all content](#view-all-content-domain) |Allowed |- |- |- |- |- |- |===