Source Permission Types

The source permission type determines the view permissions attached to each item of a source, and consequently, who can see each source item in search results.

The permission types listed in this topic refer to the possible values of the Content security parameter in source configuration panels. The Content security parameter will progressively be replaced by a tab (with the same name) containing new options, starting with the Salesforce source (see Security - Tab and Add or Edit a Salesforce Source).

Current Content Security parameter value | Equivalent in the Security tab
Secured | Users following system permissions
Shared | Everyone
Private | Specific identities

Selecting the appropriate permission type for a given source is very important to ensure that, when returning search results, Coveo Cloud returns only source items that a given user is authorized to see directly in the original system.

Secured

Anonymous or authenticated users only see search results for items to which they have access within the original system (see Coveo Cloud V2 Management of Security Identities and Item Permissions).

You have a Secured source for all content in your Salesforce organization. Your sales personnel, customer support agents, partners, and even customers can all log in to your Salesforce organization, but they only see Salesforce content to which they were granted access. When they use a Coveo search interface in which they are authenticated with their Salesforce credentials, they also only see search results for Salesforce content to which they were granted access.

Select Secured whenever this option is available.

The Secured option is available when the system being made searchable is secured (meaning users must authenticate themselves to gain access to its content) and when Coveo Cloud can extract permissions from the system for each item. Depending on permissions granted within the system, each user can access a different set of items. A secured system can also include public content, meaning it is accessible to anonymous users.

One security identity provider is created per secured source.

Shared

All users, anonymous or authenticated, can search the whole content of a Shared source that is part of the scope of a search interface to which they have access.

Before building a source with a Shared permission type, make sure that all the content visible using the supplied source credentials may be disclosed to all search users.

Private

Only the user who sets a source's security to Private (typically the source creator) or who edits the source configuration can see this source's content in search results.

Once a Private source is created, any other Coveo organization member granted the privilege to edit sources can change the source configuration and become the new user for whom this source content is private.

  • By default, private source access is limited to only one identity. An administrator can, however, restrict source content access to specific users or groups by setting source-level permissions. Currently, this can only be done by modifying the source JSON configuration (see Configure a Source-Level Permission).

  • The administration console user interface does not currently show which identity has private access to the source. However, you can see the identity in the source JSON configuration (see Edit a Source JSON Configuration).

  • When a member who created sources is excluded from the organization:

    • The sources he created remain in the organization.

    • If a source he created is private, nobody can view its content in search results, because a search token will no longer be generated for him.

A person in your Coveo Cloud organization is a member of your organization through both Google and Salesforce security providers with the same corporate email. The member creates a private source while logged in with his corporate Google account.

In a Coveo search interface, the member will be able to see results from his private source only when he is authenticated with either his Google or Salesforce account. This is because Coveo Cloud resolves identities to emails through its internal single sign-on system.
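
The visibility rules of the three permission types, written out as an added example (not Coveo code and not part of the original page): a simplified Python model covering anonymous users, a change of private identity on edit, an excluded member, and the Google/Salesforce email case above. Every name (`Identity`, `Item`, `Source`, `edit_source`, `visible_items`) and all sample data are assumptions, and matching Secured item permissions by email is a simplification.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Identity:
    provider: str   # e.g. "Google" or "Salesforce"
    email: str      # address this identity resolves to

@dataclass
class Item:
    title: str
    allowed: set = field(default_factory=set)  # emails allowed in the original system
    public: bool = False                       # readable by anonymous users there

@dataclass
class Source:
    permission_type: str                 # "Secured", "Shared" or "Private"
    items: list
    private_owner: Optional[str] = None  # email of the identity with private access

def edit_source(source, editor, permission_type=None):
    """Editing a Private source makes the editor the new private identity."""
    if permission_type:
        source.permission_type = permission_type
    if source.permission_type == "Private":
        source.private_owner = editor.email.lower()

def visible_items(source, user, members):
    """Titles `user` (None = anonymous) gets from `source`; `members` = emails still in the org."""
    email = user.email.lower() if user else None
    titles = [i.title for i in source.items]
    if source.permission_type == "Shared":
        return titles
    if source.permission_type == "Private":
        # An excluded owner no longer gets a search token, so nobody sees the content.
        owner = source.private_owner
        return titles if email and email == owner and owner in members else []
    if source.permission_type != "Secured":
        raise ValueError(f"unknown permission type: {source.permission_type}")
    # Secured: mirror the per-item permissions of the original system.
    return [i.title for i in source.items if i.public or email in i.allowed]

def demo():
    """Constructed data: one member with Google and Salesforce identities, same email."""
    google = Identity("Google", "jdoe@example.com")
    salesforce = Identity("Salesforce", "jdoe@example.com")
    src = Source("Private", [Item("Deal memo")])
    edit_source(src, google)
    members = {"jdoe@example.com"}
    return visible_items(src, salesforce, members), visible_items(src, None, members)
```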