Source Credentials Leading Practices

A system may offer secured content, meaning that you have to give the credentials (such as username and password) of an account in this system to gain access to some or all of its content.

You can create a source for a system with secured content, but you must then provide credentials to the source (typically in the Authentication source configuration section) so that your Coveo Cloud organization can gain access to the secured content in the system to include it in the source.

Consider the following source credentials leading practices:

  • Provide an account used exclusively by your Coveo Cloud source.

    Avoid using an administrator account, which probably carries more permissions (sometimes called rights, roles, or privileges) than needed, or your own employee account, which may lose needed permissions if you change jobs or leave the organization.

  • The account password should not be forced to change regularly or expire automatically.

    Otherwise, you will also need to change the source Password value each time the password changes to prevent source Refresh/Rescan/Rebuild authentication errors.

  • In the system, grant appropriate permissions to the account.

    The account must allow your Coveo Cloud organization to see or view the content to include and to keep it continuously searchable. The documentation of some source types may provide specific source credential requirements (see Available Coveo Cloud V2 Source Types).

    A given source type may need permissions to make calls to a particular system API to allow the Refresh process to catch deleted items.

  • The account should give access to all the secured content that you want to make searchable.

    However, be careful with the Shared and Private source permission types: provide an account with appropriate permissions so that sensitive content is not disclosed (see Source Permission Types).

    Example: You create a Web source with a Shared permission type for your Intranet where employees must log in to gain access, but where most of the content is accessible to all employees apart from some sensitive human resources content that is accessible only to specific users.

    The source credentials should provide access only to the content accessible to all employees, not to all the Intranet content, to prevent disclosing restricted access items to any employee in the search results.

  • When a source type (such as a Web source) supports Basic authentication and you want to use it, provide username and password information only when the website uses a secured communication protocol such as TLS or SSL (HTTPS) to prevent exposing your credentials.
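
The following is an added example, not part of the original documentation or of any Coveo tooling. It shows why the last practice matters: a Basic authentication header is only Base64-encoded, so anyone who can read an unencrypted request recovers the password, and a simple pre-check of source start URLs catches the case before credentials are entered. The account name, password, URLs and function names are constructed for illustration.

```python
import base64
from urllib.parse import urlsplit


def basic_auth_header(username, password):
    """Build the Authorization header value used by HTTP Basic authentication."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def recover_credentials(header_value):
    """Decode a Basic header: Base64 is an encoding, not encryption."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic authorization header")
    decoded = base64.b64decode(token).decode("utf-8")
    # The username cannot contain ':', so split on the first one only.
    user, _, password = decoded.partition(":")
    return user, password


def audit_basic_auth_urls(urls):
    """Return (url, reason) for each start URL that is unsafe for Basic auth."""
    findings = []
    for url in urls:
        scheme = urlsplit(url).scheme.lower()
        if scheme == "https":
            continue
        reason = "no scheme given" if not scheme else f"'{scheme}' is not HTTPS"
        findings.append((url, reason))
    return findings


if __name__ == "__main__":
    # Constructed sample values (hypothetical dedicated crawler account).
    header = basic_auth_header("svc-coveo-crawler", "example-password")
    print("Header sent with every request:", header)
    print("Recovered by a reader of the request:", recover_credentials(header))

    start_urls = [
        "http://intranet.example.com/",
        "https://intranet.example.com/",
        "HTTPS://wiki.example.com/docs",
        "intranet.example.com/hr",
    ]
    for url, reason in audit_basic_auth_urls(start_urls):
        print(f"Do not use Basic authentication with {url}: {reason}")
```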