Manage Member Groups

The members of your Coveo organization are organized into groups to ease privilege management. The members of a group are granted a set of privileges that determines which Coveo features and data they can access.

Coveo organizations come with built-in groups, which you can use, duplicate, or edit. You can also create your own groups.

Built-in Groups

A Coveo organization comes with several built-in member groups. Members of these groups are granted a set of privileges that allows them to access the tools required to accomplish their duties in the Coveo Administration Console (see Privileges).

The Coveo built-in groups have already been granted a set of privileges that’s appropriate for their duties. You can edit these groups and add members to them.

Leading practice

Before adding members to a built-in group, you should review the default privilege set of that group to ensure that it matches your business's hierarchy of responsibilities.

Alternatively, you can create a new group from scratch, and optionally grant it a privilege set via the Preset menu.

The Coveo built-in groups have been created with specific duties in mind. The following is an overview of these original tasks but, as mentioned previously, you can edit the privilege set of a group at any moment.


Administrators

Members of the Administrators group have the highest access level for all privileges and can create resources in all domains. You should therefore only allow a few select users in the Administrators group of your Coveo organization.

The Administrators group is the only one that can manage search pages. They can modify your organization settings and implement a single sign-on method for organization members to use at login. Furthermore, administrators can access all the indexed content and query logs for troubleshooting purposes. They can also receive notifications about any type of activity occurring in the organization.

The Administrators group can’t be deleted, and its privileges can’t be edited. You can however duplicate the Administrators group, and then edit the privilege set of the new group.

Analytics Managers

Analytics managers can manage usage analytics, i.e., edit dimensions, named filters, reports, etc.

Analytics Viewers

Members of the Analytics Viewers group can access the reports that the analytics managers allowed them to see, but can’t edit these reports. The analytics viewers' job typically requires them to review your organization usage analytics and draw conclusions.

Content Managers

Content managers have the privileges required to index content and customize how and what’s retrieved. They can edit sources, fields, and indexing pipeline extensions. They can also execute queries in the Content Browser to ensure data is adequately indexed. Moreover, if you have sources that index the permission system of the original repository, content managers can manage and troubleshoot security identities and security identity providers.

Relevance Managers

Relevance managers are typically responsible for optimizing the capabilities of your Coveo solution. They can fine-tune query pipeline components such as ranking rules and featured result rules, create Coveo Machine Learning (Coveo ML) models that will learn from user behavior and help return the most relevant content, and create reports to analyze the impact of their changes.


Users

Members of the Users group can access and use your Coveo search interfaces, but can’t make any changes in the Coveo Administration Console.

Add or Edit a Group


Coveo Support employees aren’t authorized to grant privileges to customers in a Coveo organization. If you want to be granted access to a Coveo organization, you must follow the access request workflows of your company.

On the Groups (platform-ca | platform-eu | platform-au) page, click Add Group or click the desired group, and then click Edit in the Action bar.

On the Add Group/Edit a Group subpage, the "Configuration" tab is shown by default. Other tabs are "Members", "Privileges", and "Access".

"Configuration" Tab

In the Group name box, enter a name for your group.

Leading practice

Use role-related names for group names such as Search Content Managers, Analytics Managers, and Relevance Analysts.

"Members" Tab


The Members tab isn’t available when creating a group. You must therefore skip to the Privileges tab. Once you have completed the group creation process, you will need to edit your new group to add members to it.

The Members tab lets you add members to a group. There are two ways to do so:

  • Import members

  • Add specific members to a group

You can also remove members from the group through the Members tab.

Import Members

You can add several members at once to a group by selecting an OpenID domain, single sign-on groups, or Salesforce user profiles. The corresponding users will then be able to log in to your organization.

  1. Log in to Coveo (platform-ca | platform-eu | platform-au) with a user from the same OpenID domain as the users you want to add.


    Select Log in with Salesforce if you want to add members from a Salesforce group.

    Similarly, if you want to add users retrieved from a single sign-on (SSO) identity provider, log in using the SSO.

  2. On the Groups (platform-ca | platform-eu | platform-au) page, click the group to which you want to add the identity set, and then click Edit in the Action bar.

  3. On the Edit a Group subpage, in the "Members" tab, under Include the following identities, select an OpenID domain, single sign-on groups, or Salesforce user profiles to add to the group.

    • The SSO provider groups displayed in the Identity set menu are the groups provided in the user.groups attribute of the identity provider assertion. Only the SSO provider groups that include your own account are therefore available, so as an administrator you may want to be a member of all groups. This limitation doesn’t apply when configuring this feature via API calls rather than with the Coveo Administration Console.

    • SSO provider groups are available in the drop-down menu only once you have:

  4. Click Save.


    Although the users in the identity sets you import into your organization can access Coveo, they don’t appear on the organization member list.
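To see which SSO provider groups the Identity set menu can offer a given account, you can inspect a captured assertion for that account. The following is an added example, not Coveo code: it reads the user.groups attribute from a constructed SAML 2.0 assertion and reports which of the groups you intend to import are missing for that account. The group names, the second attribute, and the helper names are illustrative assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (unsigned, trimmed). Only inspect assertions your SSO
# stack has already signature-validated; this parser does no validation.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>admin@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="user.groups">
      <saml:AttributeValue>Search-Admins</saml:AttributeValue>
      <saml:AttributeValue>Analytics-Team</saml:AttributeValue>
      <saml:AttributeValue>Search-Admins</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="department">
      <saml:AttributeValue>IT</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def groups_in_assertion(xml_text, attr_name="user.groups"):
    """Return the distinct values of the group attribute, in assertion order."""
    root = ET.fromstring(xml_text)
    values = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") != attr_name:
            continue  # other attributes never feed the group list
        for value in attr.iterfind("saml:AttributeValue", NS):
            values.append((value.text or "").strip())
    return list(dict.fromkeys(v for v in values if v))


def missing_from_menu(xml_text, wanted_groups):
    """Groups you want to import that this account's assertion does not carry."""
    available = set(groups_in_assertion(xml_text))
    return [g for g in wanted_groups if g not in available]


if __name__ == "__main__":
    print("Offered:", groups_in_assertion(ASSERTION))
    print("Missing:", missing_from_menu(ASSERTION, ["Search-Admins", "Content-Editors"]))
```
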

Add Specific Members to a Group

You can individually invite people to a group, which is useful when a group should contain only a few users.

  1. Access the "Members" tab.

  2. In the Members tab, under Additional members, click Invite member.

  3. In the Invite Member panel that opens:

    1. Under Provider, select the identity provider in which the member to add is defined. When logging in to the Coveo Administration Console, the member must enter the credentials they use to log in to this third-party application.

      Select Single sign-on if you implemented single sign-on in your organization.

      Select Any listed if the member’s email address is linked to more than one of the listed applications and you want to let them choose when they log in to Coveo for the first time.

    2. Under Email/Username, enter the email address of the member. If you selected Single sign-on in step 3, this is the NameID value that Coveo should expect from the SSO provider.

    3. Check the Send an email notification box if you want the member to receive an invitation to log in to Coveo. When this option is disabled, the user is only notified of their invitation when connecting to Coveo.

  4. Click Invite. Your invitation expires after 31 days. Tell the new member which identity provider they should select when logging in to Coveo. The user will appear on the Members (platform-ca | platform-eu | platform-au) page once they accept the invitation.

Delete Members From a Group

  1. Access the "Members" tab.

  2. In the Members tab, click the member you want to remove from the group, and then click Delete in the Action bar.

  3. Click Delete to confirm.

"Privileges" Tab

The Privileges tab lists the privileges granted to the members of the selected group. You can edit this list to grant or revoke privileges.

See Navigating the "Privileges" Tab and Grant Privileges for more information on how this tab is organized and Privilege Reference for an exhaustive list of the abilities associated with each domain and access level.

Coveo also recommends reviewing the rest of the Manage Privileges documentation before granting or revoking any privilege.

Leading practices
  • Grant only the minimal privileges required for members of a group to perform their Coveo organization tasks. See Determine the Privileges to Grant for details.

  • Grant the privilege to edit groups (i.e., the Edit access level on the Groups domain) only to the smallest possible number of people, ideally the authority in your company that manages access rights in corporate systems, to ensure only legitimate members have the power to assign privileges to other members.
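One way to check these leading practices periodically is to audit an inventory of your groups. The following is an added example, not Coveo code: the inventory shape, the sample groups, and the max_editors threshold are assumptions made for illustration and don't reflect Coveo's API schema. It flags groups that hold the Edit access level on the Groups domain while also including imported identity sets (whose users don't appear on the member list) or too many explicit members.

```python
# The privilege named in the leading practice: Edit on Organization - Groups.
GROUP_EDIT = ("Organization", "Groups", "Edit")

# Constructed inventory in a hypothetical export shape.
GROUPS = [
    {"name": "Administrators",
     "members": ["alice@example.com", "bob@example.com"],
     "identity_sets": [],
     "privileges": [GROUP_EDIT, ("Organization", "Organization", "Edit")]},
    {"name": "Content Managers",
     "members": ["carol@example.com"],
     "identity_sets": ["example.com (OpenID domain)"],
     "privileges": [("Content", "Sources", "Edit"), GROUP_EDIT]},
    {"name": "Analytics Viewers",
     "members": [],
     "identity_sets": ["example.com (OpenID domain)"],
     "privileges": [("Analytics", "Reports", "View")]},
    {"name": "Relevance Managers",
     "members": ["dan@example.com", "erin@example.com",
                 "frank@example.com", "grace@example.com"],
     "identity_sets": [],
     "privileges": [("Search", "Query pipelines", "Edit"), GROUP_EDIT]},
]


def audit_group_editors(groups, max_editors=3):
    """Return (group name, reason) findings for groups that can edit groups."""
    findings = []
    for group in groups:
        if GROUP_EDIT not in group["privileges"]:
            continue  # this group cannot assign privileges to others
        if group["identity_sets"]:
            # Imported users are absent from the member list, so the real
            # number of people holding this privilege is not visible there.
            findings.append((group["name"], "imported identity set can edit groups"))
        if len(group["members"]) > max_editors:
            findings.append((group["name"], "too many explicit members can edit groups"))
    return findings


def explicit_group_editors(groups):
    """Sorted list of explicitly invited members who can edit groups."""
    return sorted({m for g in groups if GROUP_EDIT in g["privileges"]
                   for m in g["members"]})


if __name__ == "__main__":
    for name, reason in audit_group_editors(GROUPS):
        print(f"{name}: {reason}")
```
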

"Access" Tab

The Access tab lets you determine whether each group in your organization can view or edit the selected group. See Resource Access for more information.

Use the Access level drop-down menus to determine whether each group or API key allowed to view groups should also be allowed to edit the current group configuration.


Members of groups for which there’s no drop-down menu in the Access Level column are either allowed to edit all groups created in the organization or forbidden to see groups at all. Since these groups’ access level is already determined, you have no decision to make regarding them in the Access tab. See Groups Domain for details on this domain of privilege.


  1. Once you’re done, click Add Group or Save.

  2. If you just created a new group, add at least one member:

    1. Back on the Groups (platform-ca | platform-eu | platform-au) page, click the group, and then click Edit in the Action bar.

    2. On the Edit a Group subpage, in the "Members" tab, add one or more members.

Duplicate a Group

On the Groups (platform-ca | platform-eu | platform-au) page, click the group that you want to duplicate, and then click Duplicate in the Action bar.

The duplicate of the original group has a name in the following format: [OriginalGroupName]_copy. Edit this group to change its name or any other aspect of its configuration.


You can only duplicate groups that are granted fewer privileges than yours.


Your group has been granted the four following privileges:

Service Domain Access level


View all reports











You can therefore duplicate groups that have three or fewer privileges.

Delete a Group


You can’t delete the Administrators group.

  1. On the Groups (platform-ca | platform-eu | platform-au) page, click the group you want to remove from your organization, and then click Delete in the Action bar.

  2. Click Delete to confirm.

Review the Activity Regarding Groups

On the Groups (platform-ca | platform-eu | platform-au) page, in the right section of the page header, click Activity. See Review Events Related to Specific Coveo Administration Console Resources for details on the Activity panel.

Required Privileges

By default, members of the Administrators built-in group can create and edit groups.

The following table indicates the privileges required to view or edit elements of the Groups (platform-ca | platform-eu | platform-au) page and associated subpages (see Manage Privileges and Privilege Reference).

Action Service - Domain Required access level
View groups

Organization - Activities

Organization - Groups

Organization - Organization

Edit groups

Organization - Activities

Organization - Organization


Organization - Groups