Management of security identities and item permissions

Many enterprise systems are secured, meaning that users must authenticate to access the system and have the appropriate permissions to retrieve a specific item in the system. Each secured enterprise system type has its own permission model, that is, a set of rules determining who can access an item.

Coveo can fully respect the permission model of each of its supported content sources, therefore ensuring that every search result is returned only to the users allowed to access it. To achieve this level of protection, Coveo crawlers use an early-binding permission retrieval method to import item permissions at crawling time (see Coveo Indexing Pipeline). Thanks to the early-binding method, permissions are extracted at the same moment item data is retrieved, meaning that every piece of information is correctly protected. Furthermore, the fact that Coveo uses early binding to retrieve item permissions favors search performance since items for which specific users don’t have access are filtered out before their queries, which isn’t the case for systems that use other permission retrieval methods.

This series of articles provides an overview of the permission management within Coveo, as well as a glossary of the most important related terms (see Glossary).


To place the focus on item permission management, all the examples in this series of articles assume that the query made by the search page user matches the title of the desired items.

Documentation Subdivision

The security identity and permission management articles are divided as follows. Readers are advised to browse these pages in order.

What’s Next?

In a basic secured search scenario, a user makes a query using a security identity that has access to an item. The search API then returns the desired item in the search results.