--- title: Basic secured search slug: '1749' canonical_url: https://docs.coveo.com/en/1749/ collection: index-content source_format: adoc --- # Basic secured search A Coveo secured search scenario involves a [search interface](https://docs.coveo.com/en/2741/) that displays different content based on the end user's identity. Typically, the scope of this interface includes at least one [source](https://docs.coveo.com/en/246/) of content that's secured with a [permission](https://docs.coveo.com/en/223/) system and that's configured so that this system is replicated in the search interface. As a result, through the search interface, end users can only access the items they're allowed to access in the original repository. You can use [search token authentication](https://docs.coveo.com/en/56/) to implement secured search in your interface. However, before you build your search interface, see which [approach](https://docs.coveo.com/en/3368/) is right for you. In a basic secured search scenario: * At indexing time, the [crawler](https://docs.coveo.com/en/2121/) extracts the content and permissions of an [item](https://docs.coveo.com/en/210/), which is then sent to the index. For more information, see [Coveo indexing pipeline](https://docs.coveo.com/en/1893/). The security identities that are allowed or denied access to the item are then stored in the index along with the item content. * At query time: ** The [user](https://docs.coveo.com/en/250/) logs in to the Coveo-powered search interface using their user [security identity](https://docs.coveo.com/en/240/) and makes a [query](https://docs.coveo.com/en/231/). ** The index compares the security identity used at login and the security identity allowed to access the queried item. The index returns only items which the logged in user is allowed to access. See the [Basic search flowchart](#Basic). > **Note** > > To place the focus on item permission management, all examples in this article assume that the query made by the search page user matches the title of the desired items. **Example** John Smith's corporate Google Drive contains only one item, `Human_Resources_Annual_Report.pdf`. John Smith's corporate Google Account, `jsmith@mycompany.com`, is the only security identity allowed to access this item. [_Indexing process_](https://docs.coveo.com/en/1893/): . The Coveo administrator indexes John Smith's Google Drive. The Coveo crawler crawls the item and retrieves the item content, metadata, and permissions. > **Note** > > You can review a list of the [permissions applying to each item](https://docs.coveo.com/en/1712#review-effective-permissions-on-the-item) in the Coveo Administration Console. . The crawler sets `jsmith@mycompany.com` as the only security identity allowed to access this item. _End-user query_ . John Smith logs into a Coveo-powered search interface using the identity that's allowed to access the item, the `jsmith@mycompany.com` Google security identity. . When John Smith performs a search, the identity with which he logged into the search interface, `jsmith@mycompany.com`, is passed to the index along with the query. . The index: -- .. Retrieves all items matching the query. .. Filters out items to which `jsmith@mycompany.com` is denied access, as well as items in the permissions of which this security identity [isn't specified](#unspecified-security-identities). .. Returns the results to the search interface. -- Since `jsmith@mycompany.com` is allowed to access `Human_Resources_Annual_Report.pdf`, this item is returned in John Smith's search results. In other words, the search results to display are the items matching the query, minus the items that the querying user isn't allowed to access. ![Coveo search results are displayed if their permissions allow access to the querying user](https://docs.coveo.com/en/assets/images/index-content/permissions-displayed-search-results.png) The following diagram shows how permissions are sent to the index, and how the index returns search results when queried. Content accessible to the identity used to make a query then appears in the search results. ![How the Coveo index interacts with the crawler and the search interface](https://docs.coveo.com/en/assets/images/index-content/permissions-index-interactions-with-crawler-and-search-interface.png) > **Note** > > In this basic scenario diagram: > > * Blue boxes represent modules involved in the indexing process. > > * Gray boxes represent modules involved in the querying process. > > * Orange boxes represent modules involved in both the indexing and the querying process. > **Note** > > The permissions in the example above are [item-specific](https://docs.coveo.com/en/1779#same-users-and-groups-as-in-your-content-system); > permissions may also [apply to the source content as a whole](https://docs.coveo.com/en/1779#specific-users-and-groups) with connectors that don't support item-specific permissions. ## Unspecified security identities If the permissions of an item don't specify whether a certain security identity is allowed or denied access to this item, the user [authenticated](https://docs.coveo.com/en/2120/) with this security identity can't see this item in their search results: when information is lacking, Coveo applies the strictest option to avoid security holes. Therefore, for an item to be returned in a user's search results, the user's security identity must be specifically marked as allowed to access the item, and not marked as [denied](https://docs.coveo.com/en/1618#denial-prevalence). **Example** John Smith is the author and owner of `Meeting_Agenda_June_2017.pdf`, which is saved on the corporate Google Drive. John shares it with coworkers Joey Clark and Jane Davis via the Google Drive document sharing feature. The item permissions are therefore: * `jclark@mycompany.com`: `allowed` * `jdavis@mycompany.com`: `allowed` * `jsmith@mycompany.com`: `allowed` John Smith's boss, Jessica Jones, wants to review `Meeting_Agenda_June_2017.pdf`. Jessica queries `Agenda` in a Coveo-powered search page, but to no avail: `Meeting_Agenda_June_2017.pdf` isn't returned in search results because the `jjones@mycompany.com` security identity isn't specified as allowed to access `Meeting_Agenda_June_2017.pdf`. Jessica must ask the item owner, John Smith, to share the `Meeting_Agenda_June_2017.pdf` on Google Drive to access it using the Coveo-powered search page. ![Coveo search results when user identity is unspecified in item permissions](https://docs.coveo.com/en/assets/images/index-content/permissions-search-results-when-identity-is-unspecified.png) ## [[Anonymous]]Public items and anonymous users Besides a list of allowed and denied identities, the permissions of a item specify whether this item can be accessed by anonymous users, that is, users that didn't log in before making a query. This makes the item public and accessible to anyone, using any security identity, including an `Anonymous User` identity. > **Note** > > Denied access permissions of an item still prevail over its universal availability. > As a result, security identities marked as denied access to a public item can't retrieve this item. **Example** At MyCompany, the Coveo-powered search page is used through the main company website by both the employees and the customers. Employees can authenticate on the search page whereas customers, who access the search page with out logging in, are anonymous users. You index `Product_Maintenance_Manual.pdf`, an item that both your customers and your employees may need to access, and make this item public, which enables anonymous access to this item. `Product_Maintenance_Manual.pdf` is therefore available on your Coveo-powered search page, regardless of whether the page users are authenticated or not. Anonymous users can therefore see this public item in their search results. ![Coveo search results of an anonymous user](https://docs.coveo.com/en/assets/images/index-content/permissions-search-results-of-an-anonymous-user.png) Logged-in employees can see this public item, along with the [secured content they're allowed to see](https://docs.coveo.com/en/1779#same-users-and-groups-as-in-your-content-system). ![Coveo search results showing public and secured items when logged in as John Smith](https://docs.coveo.com/en/assets/images/index-content/permissions-john-smith-search-results.png) ## [[Basic]]Basic search flowchart The following flowchart summarizes the permission analysis process executed for each item matching a query to determine whether the item should appear in the querying user's search results. ![Flowchart showing basic search permission logic | Coveo](https://docs.coveo.com/en/assets/images/index-content/permissions-basic-search-flow-chart.png) ## [[Permissions]]Item permission update When item permissions change, the item and its permissions must be recrawled and reindexed for changes to be effective. This is done during a [source update, that is, a refresh, rescan, or rebuild operation](https://docs.coveo.com/en/2039/). > **Note** > > Some connectors don't allow indexing item permissions. > Among connectors that do, some don't allow updating item permissions during a source refresh operation and rather require a source rescan or rebuild. > See the appropriate [connector](https://docs.coveo.com/en/1702#choosing-the-right-connector) page for details. **Example** John Smith is the only user allowed to access the item `Meeting_Agenda_June_2017.pdf`, which is saved on the corporate Google Drive. When Jane Doe queries `Meeting Agenda June 2017` in Coveo, this item isn't returned because Jane's security identity isn't specified in the item permissions. See [Unspecified security identities](#unspecified-security-identities) for more information. John Smith wants Jane Doe to access `Meeting_Agenda_June_2017.pdf` through Coveo, so he uses the Google Drive sharing feature to add `jdoe@mycompany.com` as a security identity allowed to access this item. The item will return in Jane Doe's search results after the next Google Drive source update. For more information, see [Refresh, Rescan, or Rebuild Sources](https://docs.coveo.com/en/3390#refresh-rescan-or-rebuild-sources). ## What's next? Secured enterprise systems typically include user security identities in [group and granted security identities](https://docs.coveo.com/en/1603/).