Content Security

The Content security parameter of a source determines the view permissions attached to each item of this source, and consequently, who can see each item in their search results.

Selecting the appropriate content security for a source is crucial to ensure that, when returning search results, Coveo Cloud returns only the items that a user is allowed to access in the original system.

In a typical source configuration panel, the Content security parameter offers two or all three of the options listed in this article. However, with Salesforce sources, there is no Content security parameter, and you make your content security choice in the Security tab of the Add/Edit a Salesforce source panel, along with other security-related decisions (see Security - Tab and Add or Edit a Salesforce Source). Although the content security options in the Security tab appear under different names, they are equivalent to the Content security parameter options of other sources.

Content security parameter option Equivalent in the Salesforce source Security tab
Secured Users following system permissions
Shared Everyone
Private Specific identities


When you set the Content security parameter of a source to Secured, authenticated users only see search results corresponding to source items that they are allowed to access within the original system (see Coveo Cloud V2 Management of Security Identities and Item Permissions). Anonymous and unauthenticated users are impossible to relate to a user account in the original system, so the only content they can see in their search result is your public content.

The Secured option is available when the system being made searchable is secured, i.e., users must authenticate to gain access to its content, and when Coveo Cloud can extract item permissions from the system. Items may or may not appear in a user’s search results, depending on whether this user has access to these items in the original system

You have a secured source for all content in your Microsoft Dynamics 365 instance. Your sales personnel, customer support agents, partners, and even customers can all log in to your Microsoft Dynamics 365 instance, but they only see the Dynamics 365 content that they have been allowed to access. When they use a Coveo Cloud search interface in which they are authenticated with their Microsoft Dynamics 365 credentials, they also only see search results for Dynamics 365 content to which they were granted access by Dynamics 365 administrators.

Select Secured whenever this option is available.


All users, anonymous or authenticated, can search the whole content of a Shared source that is part of the scope of a search interface to which they have access.

Before building a shared source, ensure that all the content that will be made searchable may be disclosed to all search users. The Coveo Cloud crawler uses the enterprise system account of which you entered the credentials when creating the source, so any item accessible to this account will be publicly available via your Coveo Cloud search interface.


When you set the source Content security parameter to Private (typically when you create the source), only you can see content from this sources in your search results. However, the source is still visible in the Coveo Cloud administration console Sources page for users who have the privilege to view or edit sources.

Once a Private source is created, any Coveo Cloud organization member with the required privileges can edit this source and become the new user for whom this source content is private.

  • By default, access to the content of a private source is limited to only one identity. However, an administrator can restrict source content access to specific users or group by setting source-level permissions. Currently, however, this can only be done by modifying the source JSON configuration (see Configure a Source-Level Permission and Edit a Source JSON Configuration).

  • The administration console does not currently show the identity that has private access to the source. However, it is available in the source JSON configuration (see Edit a Source JSON Configuration).

  • When a member who created sources is excluded from the organization:

    • The sources they created remain in the organization.

    • If a source they created is private, nobody can view its content in search results since no search token is generated for the source creator anymore.

A person is a member of your Coveo Cloud organization through both Google and Salesforce security identity providers with the same corporate email. They create a private source while being logged in with their corporate Google account.

In a Coveo Cloud search interface, the member will be able to see results from their private source only when they are authenticated with either of their Google or Salesforce accounts. This is because the Coveo Cloud resolves identities to emails through its internal single sign-on system.