The members of your Coveo organization are organized by groups to ease privilege management. The members of a group are granted a set of privileges, which determines which features and data of Coveo these group members can access.
A Coveo organization comes with several built-in member groups. Members of these groups are granted a set of privileges that allows them to access the tools required to accomplish their duties in the Coveo Administration Console (see Privileges).
The ownership and responsibilities held by each role are unique to each business. Before adding members to a built-in group, you should revise the default privilege set of that group to ensure that your business' hierarchy of responsibilities is respected.
The Coveo built-in groups have been created with specific duties in mind. The following is an overview of these original tasks but, as mentioned previously, you can edit the privilege set of a group at any moment.
Members of the Administrators group have the highest access level for all privileges and can create resources in all domains. You should therefore only allow a few select users in the Administrators group of your Coveo organization.
The Administrators group is the only one that can manage search pages. They can modify your organization settings and implement a single sign-on method for organization members to use at login. Furthermore, administrators can access all the indexed content and query logs for troubleshooting purposes. They can also receive notifications about any type of activity occurring in the organization.
Analytics managers can manage usage analytics, i.e., edit dimensions, named filters, reports, etc.
Members of the Analytics Viewers group can access the reports that the analytics managers allowed them to see, but can’t edit these reports. The analytics viewers’ job typically requires them to review your organization usage analytics and draw conclusions.
Content managers have the privileges required to index content and customize how and what’s retrieved. They can edit sources, fields, and indexing pipeline extensions. They can also execute queries in the Content Browser to ensure data is adequately indexed. Moreover, if you have sources that index the permission system of the original repository, content managers can manage and troubleshoot security identities and security identity providers.
Relevance managers are typically responsible for optimizing the capabilities of your Coveo solution. They can fine-tune query pipeline components such as ranking rules and featured result rules, create Coveo Machine Learning (Coveo ML) models that will learn from user behavior and help return the most relevant content, and create reports to analyze the impact of their changes.
Members of the Users group can access and use your Coveo search interfaces, but can’t make any changes in the Coveo Administration Console.
Add or Edit a Group
Coveo Support employees aren’t authorized to grant privileges to customers in a Coveo organization. If you want to be granted access to a Coveo organization, you must follow the access request workflows of your company.
On the Groups page, click Add Group or click the desired group, and then click Edit in the Action bar.
In the Group name box, enter a name for your group.
Use role-related names for group names such as
Search Content Managers,
Analytics Managers, and
The Members tab isn’t available when creating a group. You must therefore skip to the Privileges tab. Once you have completed the group creation process, you will need to edit your new group to add members to it.
The Members tab lets you add members to a group. There are two ways to do so:
Import a group of members from an OpenID domain, Salesforce user profiles, or single sign-on provider.
Add a single member manually.
You can also remove members from the group through the Members tab.
You can add several members at once to a group by selecting an OpenID domain, single sign-on groups, or Salesforce user profiles. The corresponding users will then be able to log in to your organization.
Log in to Coveo with a user from the same OpenID domain as the users you want to add.
Select Log in with Salesforce when you want to add members from a Salesforce group.
Similarly, if you want to add users retrieved from a single sign-on (SSO) identity provider, log in using the SSO.
On the Groups page, click the group to which you want to add the identity set, and then click Edit in the Action bar.
On the Edit a Group subpage, in the “Members” tab, under Include the following identities, select an OpenID domain, single sign-on groups, or Salesforce user profiles to add to the group.
Supported OpenID domains are Google, Salesforce, and Microsoft.
The SSO provider groups displayed in the Identity set menu are the groups provided in the user.groups attribute of the identity provider assertion. Therefore, only SSO provider groups in which your account is included are available; as an administrator, you may want to be a member of all groups. This limitation doesn’t apply when configuring this feature via API calls rather than with the Coveo Administration Console (see SAML Authentication API documentation).
SSO provider groups are available in the drop-down menu only once you have:
Although the users in the identity sets you import into your organization can access Coveo, they don’t appear on the organization member list (see Manage Members).
Add Specific Members to a Group
You can individually invite people to a group, which is useful when a group should contain only a few users.
In the Members tab, under Additional members, click Invite member.
In the Invite Member panel that opens, under Provider, select the identity provider in which the member to add is defined. When logging in to the Coveo Administration Console, the member must enter the credentials they use to log in to this third-party application. Your options are:
An OpenID domain (Google, Salesforce, or Microsoft).
Single sign-on, if you implemented single sign-on in your organization.
Any listed, which lets the user choose from the supported providers when they log in to your organization for the first time.
This option works only if the user has a single email address linked to multiple providers. If a user uses email@example.com with one provider and firstname.lastname@example.org with another provider, for instance, Coveo considers these to be different addresses. In this case, you should select a single provider and have your users log in with the corresponding address.
In the Email/Username box, enter the address or username of the user that you want to add to the group. If you selected Single sign-on in step 3, this is the NameID value that Coveo should expect from the SSO provider.
Check the Send an email notification box if you want the user to receive an invitation to log in to Coveo.
If the member has never logged in to Coveo before, tell them which identity provider they should select when logging in to Coveo.
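To check what your identity provider actually sends, this added example (not Coveo code) reads the NameID and the user.groups values from a captured SAML assertion and compares them with the Email/Username you entered and the SSO group you expect to see in the Identity set menu. It assumes the groups arrive as a SAML attribute whose Name is user.groups and treats a case-only NameID difference as a mismatch, since the page doesn't say how the comparison is done; the sample assertion, user names, and the helper names inspect_assertion and check_setup are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
# Constructed, unsigned sample assertion, trimmed to the parts discussed above.
# Assumption: the IdP sends groups as a SAML attribute named "user.groups".
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Subject><saml:NameID>JDoe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="user.groups">
      <saml:AttributeValue>Search Content Managers</saml:AttributeValue>
      <saml:AttributeValue>Analytics Managers</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="department">
      <saml:AttributeValue>IT</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def inspect_assertion(xml_text, groups_attr="user.groups"):
    """Return (NameID, [group values]). Inspection only: no signature check."""
    root = ET.fromstring(xml_text)
    # iter() also matches when the assertion is wrapped in a samlp:Response.
    name_id = next((e.text.strip() for e in root.iter(SAML + "NameID") if e.text), None)
    groups = []
    for attr in root.iter(SAML + "Attribute"):
        if attr.get("Name") == groups_attr:
            groups += [v.text.strip() for v in attr.iter(SAML + "AttributeValue")
                       if v.text and v.text.strip()]
    return name_id, groups

def check_setup(xml_text, invited_username, wanted_group):
    """List mismatches between what the IdP sends and what was configured."""
    name_id, groups = inspect_assertion(xml_text)
    problems = []
    if name_id is None:
        problems.append("assertion has no NameID")
    elif name_id != invited_username:
        hint = " (differs only by case)" if name_id.lower() == invited_username.lower() else ""
        problems.append(f"NameID {name_id!r} != invited {invited_username!r}{hint}")
    if not groups:
        problems.append("no user.groups values: no SSO groups can be listed")
    elif wanted_group not in groups:
        problems.append(f"{wanted_group!r} is not among this account's groups {groups}")
    return problems

if __name__ == "__main__":
    print(inspect_assertion(SAMPLE))
    print(check_setup(SAMPLE, "jdoe@example.com", "Relevance Managers"))
```

An empty group list from your own assertion explains an empty Identity set menu: the identity provider isn't sending the attribute for your account.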
Delete Members From a Group
In the Members tab, click the member you want to remove from the group, and then click Delete in the Action bar.
Click Delete to confirm.
The Privileges tab lists the privileges granted to the members of the selected group. You can edit this list to grant or revoke privileges.
See Navigating the “Privileges” Tab and Grant Privileges for more information on how this tab is organized and Privilege Reference for an exhaustive list of the abilities associated with each domain and access level.
Coveo also recommends reviewing the rest of the Manage Privileges documentation before granting or revoking any privilege.
Grant only the minimal privileges required for members of a group to perform their Coveo organization tasks. See Determine the Privileges to Grant for details.
Grant the privilege to edit groups (i.e., the Edit access level on the Groups domain) only to the smallest possible number of people, ideally the authority in your company that manages access rights in corporate systems, to ensure only legitimate members have the power to assign privileges to other members.
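One way to review this recommendation, as an added example that is not Coveo code: list every named member who holds Edit on the Groups domain, and flag groups that grant it to an imported identity set, because those users can log in without appearing on the member list. The snapshot, its field names, the Onboarding group, and the max_editors threshold are hypothetical and constructed for illustration; they aren't Coveo's API schema.

```python
# Constructed snapshot of an organization's groups. The field names are
# hypothetical (not Coveo's API schema); fill them in from your own review.
GROUPS = [
    {"name": "Administrators",
     "members": ["alice@example.com", "bob@example.com"],
     "identity_sets": [],
     "privileges": {("Groups", "Edit"), ("Sources", "Edit")}},
    {"name": "Search Content Managers",
     "members": ["carol@example.com"],
     "identity_sets": [],
     "privileges": {("Sources", "Edit"), ("Groups", "View")}},
    {"name": "Onboarding",
     "members": ["alice@example.com"],
     "identity_sets": ["SSO group: IT-Staff"],
     "privileges": {("Groups", "Edit")}},
]

def audit_group_editors(groups, max_editors=3):
    """Return (named members who can edit groups, findings to review)."""
    editors, findings = set(), []
    for g in groups:
        if ("Groups", "Edit") not in g["privileges"]:
            continue
        editors.update(g["members"])
        for ident in g["identity_sets"]:
            # Imported identities can log in but are not on the member list,
            # so the number of people holding this privilege is unknown here.
            findings.append(
                f"{g['name']}: Edit on Groups granted to identity set {ident!r}")
    # max_editors is an assumed threshold for "smallest possible number".
    if len(editors) > max_editors:
        findings.append(
            f"{len(editors)} named members can edit groups (limit {max_editors})")
    return sorted(editors), findings

if __name__ == "__main__":
    named, issues = audit_group_editors(GROUPS)
    print("Named editors:", named)
    for issue in issues:
        print("REVIEW:", issue)
```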
The Access tab lets you determine whether each group in your organization can view or edit the selected group. See Resource Access for more information.
Use the Access level drop-down menus to determine whether each group or API key allowed to view groups should also be allowed to edit the current group configuration.
Members of groups for which there’s no drop-down menu in the Access Level column are either allowed to edit all groups created in the organization or forbidden to see groups at all (see Groups Domain). Since these groups’ access level is already determined, you have no decision to make regarding them in the Access tab.
Once you’re done, click Add Group or Save.
If you just created a new group, add at least one member:
Duplicate a Group
You can only duplicate groups that are granted fewer privileges than yours.
Your group has been granted the four following privileges:
|Analytics||View all reports||Allowed|
You can therefore duplicate groups that have three or fewer privileges.
On the Groups page, click the group that you want to duplicate, and then click Duplicate in the Action bar.
The duplicate of the original group has a name in the following format:
[OriginalGroupName]_copy. Edit this group to change its name or any other aspect of its configuration.
Delete a Group
You can’t delete the Administrators group.
On the Groups page, click the group you want to remove from your organization, and then click Delete in the Action bar.
Click Delete to confirm.
Review the Activity Regarding Groups
On the Groups page, in the right section of the page header, click (see Review Events Related to Specific Coveo Administration Console Resources).
By default, members of the Administrators built-in group can create and edit groups.
|Action||Service - Domain||Required access level|
Organization - Activities
Organization - Groups
Organization - Activities
Organization - Groups