Adding and Managing Groups

The members of your Coveo Cloud organization are organized by groups to ease privilege management. The members of a group are granted a set of privileges, which determines which features and data of Coveo Cloud these group members can access.

Coveo Cloud organizations come with built-in groups, which you can use, duplicate, or edit. You can also create your own groups.

Add or Edit a Group

Coveo Support employees aren’t authorized to grant privileges to customers in a Coveo Cloud organization. If you want to be granted access to a Coveo Cloud organization, you must follow the access request workflows of your company.

Access the “Edit a Group” Subpage

On the Groups page, click the desired group, and then in the Action bar, click Edit.

On the Add Group/Edit a Group subpage, the “Configuration” tab is shown by default. Other tabs are “Members”, “Privileges”, and “Access”.

“Configuration” Tab

In the Group name box, enter a name for your group.

Use role-related names for group names such as Search Content Managers, Analytics Managers, and Relevance Analysts.

“Members” Tab

The Members tab isn’t available when creating a group. You must therefore skip to the Privileges tab. Once you have completed the group creation process, you’ll need to edit your new group to add members to it.

The Members tab lets you add members to a group. There are two ways to do so:

You can also remove members from the group through the Members tab.

Import Members

You can add several members at once to a group by selecting an OpenID domain, single sign-on groups, or Salesforce user profiles. The corresponding users will then be able to log in to your organization.

  1. Log in to the Coveo Platform with a user from the same OpenID domain as the users you want to add.

    Select Log in with Salesforce, when you want to add members from a Salesforce group.

    Similarly, if you want to add users retrieved from a single sign-on (SSO) identity provider, log in using the SSO.

  2. On the Groups page, click the group to which you want to add the identity set, and then in the Action bar, click Edit.

  3. On the Edit a Group subpage, in the “Members” tab, under Include the following identities, select an OpenID domain, single sign-on groups, or Salesforce user profiles to add to the group.

    • Supported OpenID domains are Google, Salesforce, and Office 365.

    • The SSO provider groups displayed in the Identity set menu are the groups provided in the user.groups attribute of the identity provider assertion. Thus, only SSO provider groups in which your account is included are available; as an administrator, you may therefore want to be a member of all groups. This limitation doesn’t apply when configuring this feature via API calls rather than with the Coveo Console (see SAML Authentication API documentation).

    • SSO provider groups are available in the drop-down menu only once you have:

  4. Click Save.

    Although the users in the identity sets you import into your organization can access Coveo Cloud, they don’t appear on the organization member list (see Adding and Managing Members).

Add Specific Members to a Group

You can individually invite people to a group, which is useful when a group should contain only a few users.

  1. Access the “Members” tab.

  2. In the Members tab, under Additional members, click Invite member.

  3. In the Provider drop-down menu:

    • Select the OpenID domain (Google, Salesforce, or Office 365) in which the desired user is defined.

    • Select Single sign-on if the desired user is defined within a SSO identity provider.

    • Select Any listed to let the user choose the supported provider of their choice when they will log in to your organization for the first time.

  4. If you selected an OpenID domain in step 3, in the Username box, enter the Google/Salesforce/Office 365 username corresponding to the user that you want to add to the group.

  5. If you selected a Single sign-on in step 3, in the Username box, enter the SSO NameID value that Coveo Cloud should expect from the SSO provider for this user.

  6. If you selected Any listed in step 3, in the Email box, enter an email address linked to a valid account in one of the available providers.

    The user will receive an email notification, inviting them to join your Coveo Cloud organization (see Join a Coveo Cloud Organization).

  7. (When you select Google, Salesforce, Office 365, or Single sign-on) When you want the user to receive an email notification:

    1. Enable the Send an email notification toggle button.

    2. For Salesforce and Office 365, since the Username isn’t necessarily an email address, in the Email box appearing below the toggle, you must enter the user email address to which you want to send the notification.

  8. Click Invite Member.

    The user appears in the Additional Members list with the Invited tag. The user must log in once to and allow Coveo Cloud to use his or her account to become a group and organization member (see Join a Coveo Cloud Organization). The invitation expires after 14 days if the user doesn’t log in.

  9. Click Save.

Delete Members From a Group

  1. Access the “Members” tab.

  2. In the Members tab, click the member you want to remove from the group.

  3. In the Action bar, click Delete.

  4. Click Delete to confirm.

“Privileges” Tab

The Privileges tab lists the privileges granted to the members of the selected group. You can edit this list to grant or revoke privileges.

See Navigating the “Privileges” Tab and Grant Privileges for more information on how this tab is organized and Privilege Reference for an exhaustive list of the abilities associated with each domain and access level.

Coveo also recommends reviewing the rest of the Privilege Management documentation before granting or revoking any privilege.

  • Grant only the minimal privileges required for members of a group to perform their Coveo Cloud organization tasks. See Determine the Privileges to Grant for details.

  • Grant the privilege to edit groups (i.e., the Edit access level on the Groups domain) only to the smallest possible number of people, ideally the authority in your company that manages access rights in corporate systems, to ensure only legitimate members have the power to assign privileges to other members.

“Access” Tab

The Access tab lets you determine whether each group in your organization can view or edit the selected group. See Understanding Resource Access for more information.

Use the Access level drop-down menus to determine whether each group or API key allowed to view groups should also be allowed to edit the current group configuration.

Members of groups for which there’s no drop-down menu in the Access Level column are either allowed to edit all groups created in the organization or forbidden to see groups at all (see Groups Domain). Since these groups’ access level is already determined, you have no decision to make regarding them in the Access tab.

If you remove the Edit access level from all the groups of which you’re a member, you won’t be able to edit your group once it’s saved. Only administrators and members of other groups that have the Edit access level on this group will be able to do so. To keep your ability to edit this group, set the Access level to Edit for at least one of the groups of which you’re a member.


  1. Once you’re done, click Add Group or Save.

  2. If you just created a new group, add at least one member:

    1. Back on the Groups page, click the group, and then in the Action bar, click Edit.

    2. On the Edit a Group subpage, in the “Members” tab, add one or more members.

Duplicate a Group

You can only duplicate groups that are granted fewer privileges than yours.

Your group has been granted the four following privileges:

Service Domain Access level
Analytics View all reports Allowed
Organization Activities View
Organization Groups Edit
Organization Organization View

You can therefore duplicate groups that have three or fewer privileges.

  1. On the Groups page, click the group that you want to duplicate.

  2. In the Action bar, click Duplicate.

The duplicate of the original group has a name in the following format: [OriginalGroupName]_copy. Edit this group to change its name or any other aspect of its configuration.

Delete a Group

You can’t delete the Administrators group.

  1. On the Groups page, click the group you want to remove from your organization.

  2. In the Action bar, click Delete.

  3. Click Delete to confirm.

Review the Activity Regarding Groups

On the Groups page, in the right section of the page header, click Activity (see Review Events Related to Specific Coveo Cloud Administration Console Resources).

If the Activity icon is grayed and unresponsive, you don’t have all of the required privileges to perform this action.

Required Privileges

By default, members of the Administrators built-in group can create and edit groups.

The following table indicates the privileges required to view or edit elements of the Groups page and associated subpages (see Privilege Management and Privilege Reference).

Action Service - Domain Required access level
View groups

Organization - Activities

Organization - Groups

Edit groups

Organization - Activities


Organization - Groups

Recommended Articles