---
title: Add a SharePoint Server source
slug: '2061'
canonical_url: https://docs.coveo.com/en/2061/
collection: index-content
source_format: adoc
---
# Add a SharePoint Server source

Members with the [required privileges](#required-privileges) can index SharePoint on-premises content and make it searchable.

To retrieve SharePoint _Online_ content, [create a SharePoint Online source](https://docs.coveo.com/en/1739/) instead.

> **Important**
>
> To help reduce the risks of SharePoint vulnerability exploitation, always use the latest supported version of SharePoint Server and apply the latest [Microsoft security updates](https://learn.microsoft.com/en-us/officeupdates/sharepoint-updates).

> **Leading practice**
>
> The number of [items](https://docs.coveo.com/en/210/) that a source processes per hour (crawling speed) depends on various factors, such as network bandwidth and source configuration.
> See [About crawling speed](https://docs.coveo.com/en/2078/) for information on what can impact crawling speed, as well as possible solutions.

## Source key characteristics

The following table presents the main characteristics of a SharePoint Server source.

[cols="4",options="header"]
|===
2+|Features
|Supported
|Additional information

2+|SharePoint version
^|Subscription Edition, 2019, 2016, 2013, and Foundation 2013
|

2+|Indexable content
|Sites, sub-sites, public user profiles (Not available in Microsoft SharePoint Foundation.), personal websitesfootnote:foundation[], lists, list items, list item attachments, document libraries, document sets, documents, web parts, and microblog posts and replies.
|

.3+.^|[Content update operations](https://docs.coveo.com/en/2039/)
|[refresh](https://docs.coveo.com/en/2710/)
^|[check]
|[Takes place every six hours by default](https://docs.coveo.com/en/1933/). A rescan or rebuild is required to take account of deleted user profiles.

|[rescan](https://docs.coveo.com/en/2711/)
^|[check]
|[Takes place every week by default](https://docs.coveo.com/en/1933/).

|[rebuild](https://docs.coveo.com/en/2712/)
^|[check]
|

.3+.^|[Content security](https://docs.coveo.com/en/1779/) options
|[Same users and groups as in your content system](https://docs.coveo.com/en/1779#same-users-and-groups-as-in-your-content-system)
^|[check]
|On-premises Active Directory [permission](https://docs.coveo.com/en/223/) systems aren't supported with SharePoint Server sources of the [**On-Premises** type](https://docs.coveo.com/en/1612/).
However, if you use the [Crawling Module](https://docs.coveo.com/en/3260/) Active Directory is supported.

|[Specific users and groups](https://docs.coveo.com/en/1779#specific-users-and-groups)
^|[check]
|

|[Everyone](https://docs.coveo.com/en/1779#everyone)
^|[check]
|

.4+|[Metadata indexing for search](#index-metadata)

|Automatic mapping of [metadata](https://docs.coveo.com/en/218/) to [fields](https://docs.coveo.com/en/200/) that have the same name
2+a|This setting is disabled by default and [not recommended for this source type](https://docs.coveo.com/en/1640#about-the-performfieldmappingusingallorigins-setting).

|Automatically indexed [metadata](https://docs.coveo.com/en/218/)
2+|Examples of [auto-populated default fields](https://docs.coveo.com/en/1833#field-origin) (no user-defined metadata required):  
&nbsp;

&bull; `author`

&bull; `clickableuri`

&bull; `date`

&bull; `filename`

&bull; `filetype`

&bull; `indexeddate`

&bull; `language` (auto-detected from item content)

&bull; `searchablemeta`  (The keys and values indexed in the `searchablemeta` field are also available as separate indexable metadata. You don't need to parse them. Proceed as explained in the [Indexing metadata)(#index-metadata) section to index the pieces you need.]

&bull; `title`  
&nbsp;

After a content update, [inspect your item field values](https://docs.coveo.com/en/2053#inspect-search-results) in the **Content Browser**.

|Extracted but not indexed metadata
2+a|The SharePoint Server source extracts some of the site, list, list item, and file-level metadata that the SharePoint APIs make available.  
&nbsp;

After a rebuild, review the [**View and map metadata**](https://docs.coveo.com/en/m9ti0339#view-and-map-metadata-subpage) subpage for the list of indexed metadata, and [index additional metadata](https://docs.coveo.com/en/m9ti0339#index-metadata).

|Custom metadata extraction
2+a|[Add columns to your lists and libraries](https://support.microsoft.com/en-us/office/create-a-column-in-a-list-or-library-2b0361ae-1bd3-41a3-8329-269e5f81cfa2?ui=en-us&rs=en-us&ad=us).
The SharePoint Server source automatically extracts the metadata in these columns during content updates.
|===

## Requirements

### SharePoint account permissions

When you want to include SharePoint content, you must create a specific SharePoint account to be used by the source only.
Otherwise, you must also change the source [**Password** value](https://docs.coveo.com/en/2061#username-and-password) each time the account password changes to prevent authentication errors.

. Access your SharePoint tenant with an administrator account.

. On your SharePoint tenant:

.. Select or create a user account for the source to use when retrieving your SharePoint content.
See the following table to identify the required type of user for your web application enabled authentication.

[cols="4",options="header"]
|===
|SharePoint environment
^|SharePoint web application enabled authentication
^|User type
^|User format

.^|Classic
^.^|Windows
^|Windows account
.2+^|`domain\username`  

or  

`username@domain.com`

.2+.^|Claims
^.^|Windows
^|Windows account

^|Okta
^|Okta SSO
^|`username@domain.com`
|===

.. Grant appropriate SharePoint permissions to the SharePoint account to ensure it has access to the content that you want to make searchable.

The following table presents the minimal required permissions that the source account must have to perform specific actions.

[cols="2",options="header"]
|===
|Action to perform
|Minimal required permission

|Content and security indexing, source refresh, and site collection discovery
|[**Full Read** policy](https://docs.coveo.com/en/1992#add-the-full-read-policy-to-all-sharepoint-tenant-web-applications) for each web application to make searchable.

a|Personal site, public user profile, and social tags indexing

> **Note**
>
> When including personal sites or public user profiles, the account used as source credentials must not have a personal site on the SharePoint Server being included to prevent failures when attempting to retrieve the list of personal sites.
a|* [**Read** permission](https://docs.coveo.com/en/1992#add-the-sharepoint-website-read-permission) for the site collection of the source URL.

* [**Retrieve People Data for Search Crawlers** permission](https://docs.coveo.com/en/1992#add-the-retrieve-people-data-for-search-crawlers-permission) to the **User Profile Service Application**.
|===

## Add a SharePoint Server source

A SharePoint Server source [indexes](https://docs.coveo.com/en/204/) on-premises (server) content.
To retrieve cloud content instead, see [Add a SharePoint Online source](https://docs.coveo.com/en/1739/).

Before you start, ensure that your SharePoint instance meets the source [requirements](https://docs.coveo.com/en/2061#requirements).

Follow the instructions below to add a SharePoint Server source that uses the desired [content retrieval method](https://docs.coveo.com/en/1612/).

. On the [**Sources**](https://platform.cloud.coveo.com/admin/#/orgid/content/sources/) ([platform-ca](https://platform-ca.cloud.coveo.com/admin/#/orgid/content/sources/) | [platform-eu](https://platform-eu.cloud.coveo.com/admin/#/orgid/content/sources/) | [platform-au](https://platform-au.cloud.coveo.com/admin/#/orgid/content/sources/)) page, click **Add source**.

. In the **Add a source of content** panel, click the **On-premises** ([server]) or the **Crawling Module** ([crawlingmodule]) tab, depending on your [content retrieval context](https://docs.coveo.com/en/1612/).
With the latter, you must [install the Crawling Module](https://docs.coveo.com/en/3263/) to make your source operational.

. Click the **SharePoint Server** tile.

> **Leading practice**
>
> It's best to create or edit your source in your sandbox organization first.
> Once you've confirmed that it indexes the desired content, you can copy your source configuration to your production organization, either [with a snapshot](https://docs.coveo.com/en/3239/) or manually.
> 
> See [About non-production organizations](https://docs.coveo.com/en/2959/) for more information and best practices regarding sandbox organizations.

### "Configuration" tab

In the **Add a SharePoint Server Source** panel, the **Configuration** tab is selected by default.
It contains your source's general and authentication information, as well as other parameters.

#### General information

##### Source name

Enter a name for your source.

> **Leading practice**
>
> A source name can't be modified once it's saved, therefore be sure to use a short and descriptive name, using letters, numbers, hyphens (`-`), and underscores (`_`). Avoid spaces and other special characters.

##### URL

Enter one or more URLs corresponding to the desired site collection, lists, websites, and subsites to make searchable.
Each URL must include the protocol and tenant name.

> **Note**
>
> A specific folder in a list isn't supported.

**Examples**

* For a specific web application: `+https://site:8080/+`

* For a specific site collection: `+https://site:8080/sites/support+`

* For a specific website: `+https://site:8080/sites/support/subsite+`

* For a specific list: `+https://site:8080/sites/support/lists/contacts/allItems.aspx+`

##### Scope

In the dropdown menu, select the option for the content type matching the URLs you specified.
By default, **Web application** is selected.

Available options are the following:

[cols="2",options="header"]
|===
|Value
|Content to make searchable

|**Web application**
|All site collections of the specified web application.

|**Site collection**
|All web sites of the specified site collection.

|**Web and sub webs**
|Only the specified web site and its sub webs (also known as subsites).

|**List**
|Only the specified list or document library.
|===

##### Paired Crawling Module

If your source is a [Crawling Module source](https://docs.coveo.com/en/1612/), and if you have [more than one Crawling Module linked to this organization](https://docs.coveo.com/en/3271#deploying-multiple-crawling-module-instances), select the one with which you want to pair your source.
If you change the Crawling Module instance paired with your source, a successful [rebuild](https://docs.coveo.com/en/3390#refresh-rescan-or-rebuild-sources) is required for your change to apply.

##### Optical character recognition (OCR)

If you want Coveo to extract text from image files or PDF files containing images, enable the appropriate option.
The extracted text is processed as item data, meaning that it's fully searchable and will appear in the item [Quick view](https://docs.coveo.com/en/2760#search-result-quick-view).

> **Note**
>
> When OCR is enabled, ensure the source's relevant [file type configurations](https://docs.coveo.com/en/l3qg9275/) index the item content.
> Indexing the item's metadata only or ignoring the item will prevent OCR from being applied.

See [Enable optical character recognition](https://docs.coveo.com/en/2937/) for details on this feature.

##### Project

Use the **Project** selector to associate your source with one or more Coveo [projects](https://docs.coveo.com/en/n7ef0517/).

#### "Authentication" section

In the **Authentication** section, provide authentication information so that Coveo can access the content you want to make searchable.

In the dropdown menu, select the identity provider that you use to manage identities in your SharePoint site, and specify the corresponding options:

* **Active Directory On-Premises** (available when using the [Crawling Module](https://docs.coveo.com/en/1612/) only)

* **Windows** (NTLM or Kerberos)

* **Okta**

Depending on the option you chose in the dropdown menu, specify some of the following options.

##### Username and Password

The username and password of a [dedicated SharePoint administrator account](https://docs.coveo.com/en/1992/) that has access to the content to include, or if using Okta, the username of an Okta administrator account.
See [Source Credentials Leading Practices](https://docs.coveo.com/en/1920/).

##### Okta realm

The SharePoint trusted identity provider realm provided in your [Okta application configuration](https://docs.coveo.com/en/1975/).

**Example**

`urn:okta:sharepoint:exknuavz9hbOItwsS8e7`

##### Okta sign in URL

The URL to which users should be redirected to [authenticate with Okta](https://docs.coveo.com/en/1975/).

**Example**

`+https://dev-782461.oktapreview.com/app/appname/sso/wsfed/passive+`

##### Active Directory username and Active Directory password

Enter credentials to grant Coveo access to your Active Directory.


##### Expand well-known SIDs

Select this option if you want the users that are included in your Active Directory [well-known](https://docs.coveo.com/en/1603#granted-security-identities) security identifiers to be granted access to the indexed content.
Supported well-known SIDs are: `Everyone`, `Authenticated Users`, `Domain Admins`, `Domain Users`, and `Anonymous Users`.

When enabling this option, you can expect an increase in the duration of the security identity provider refresh operation.

> **Leading practice**
>
> If your entire content is secured with `Everyone` or `Authenticated users`, we recommend selecting the [**Everyone** content security option](https://docs.coveo.com/en/1779#everyone) instead.
> The result will be the same, that is, all users will be able to access the database content through your search interface, and Coveo's update operations will be more efficient.

##### Expand trusted domains

Select this option to have Coveo connect to your root domain to get the security identities of your other domains through the root domain.

If your environment contains more than one domain, you can establish a bidirectional or outbound cross-link relationship between the root domain of your Crawling Module server and your additional domains.
When you do so, these domains trust your root domain, and Coveo can get their security identities through this root domain.

When enabling this option, you can expect an increase in the duration of the security identity provider refresh operation.
Moreover, if a linked domain is unreachable, Coveo stops the security identity provider refresh operation.

##### Enable TLS

Select this option to use a TLS protocol to retrieve your security identities.
If you do, we strongly recommend selecting StartTLS if you can.
Since LDAPS is a much older protocol, you should only select this value if StartTLS is incompatible with your environment.

##### Email attributes

By default, Coveo retrieves the email address associated to each security identity from the `mail` attribute.
Optionally, you can specify additional or different attributes to check.
Should an attribute contain more than one value, Coveo uses the first one.

#### "Content to include" section

In the **Content to Include** section, consider changing the default settings to make additional content searchable.

##### User profiles

Check this box to index public SharePoint user profiles.

> **Note**
>
> This box is unavailable if you selected **Okta** as the [identity provider](#authentication-section).

##### Personal sites

When the [**Scope**](https://docs.coveo.com/en/2061#scope) is **Web application**, check this box to include SharePoint personal sites.

#### "Crawling Settings" Section

In the **Crawling Settings** section, the **Reindex all child items on UpdateShallow** option allows you to reindex the children of an item that has been updated.
This ensures that, if the metadata of the child items contains parent item information, this information stays up to date.
However, checking this box significantly impacts the source [refresh](https://docs.coveo.com/en/2710/) time.
Therefore, if you don't check it, [schedule](https://docs.coveo.com/en/1933/) source [rescans](https://docs.coveo.com/en/2711/) so that the child items are eventually updated as well.

**Example**

You change your SharePoint site name.
In the metadata of the child items, the site name appears under `spsitename`.
If the box isn't checked, the children aren't reindexed and keep an outdated `spsitename` until the next source rescan or [rebuild](https://docs.coveo.com/en/2712/).
However, if the box is checked, the children are updated along with the parent SharePoint site item.

#### "Filters" section

Use this section to [include](#inclusion-filters) or [exclude](#exclusion-filters) content from specific pages based on URL expressions.

> **Note**
>
> You can view your URL expressions in the `addressPatterns` attribute of your source [JSON configuration panel](https://docs.coveo.com/en/1685#access-the-edit-configuration-with-json-panel).

##### Inclusion filters

Your source indexes only the pages that match a URL expression specified in this section.

> **Note**
>
> The [URLs](https://docs.coveo.com/en/2061#url) you specified for your source must be part of the inclusion filter scope, otherwise the corresponding content won't be indexed.
> For example, if you entered `+https://site:8080/sites/support+` as the source URL, that URL must match one of your filter expressions to index the corresponding content.
> If a source URL redirects to another URL, both URLs must be part of the inclusion filter scope.

. Enter a URL expression to apply as the inclusion filter.

. Select whether the URL expression uses a **Wildcard** or a **Regex** (regular expression) pattern.

> **Leading practice**
>
> You can test your regexes to ensure that they match the desired URLs with tools such as [Regex101](https://regex101.com/).
> 
> You can customize regexes to meet your use case focusing on aspects such as:
> 
>  * Case insensitivity
> 
>  * Capturing groups
> 
>  * Trailing slash inclusion
> 
>  * File extension
> 
> For example, you want to index HTML pages on your company staging and dev websites without taking the case sensitivity or the trailing slash (/) into account, so you use the following regex:
> 
> `+(?i)^.**(company-(dev|staging)).**html.?$+`
> 
> The regex matches the following URLs:
> 
>  ** `+http://company-dev/important/document.html/+`
> 
>  ** `+http://ComPanY-DeV/important/document.html/+` (because of `(?i)`, the case insensitive flag)
> 
>  ** `+http://company-dev/important/document.html+` (with or without trailing `/` because of `.?`)
> 
>  ** `+http://company-staging/important/document.html/+` (because of `dev|staging`)
> 
> but doesn't match the following ones:
> 
>  ** `+http://besttech-dev/important/document.html/+` (`besttech` isn't included in the regex)
> 
>  ** `+http://company-dev/important/document.pdf/+` (only `html` files are included)
> 
>  ** `+http://company-prod/important/document.html/+` (`prod` isn't included in the regex)

**Example**

The `www.mycompany.com` website you crawl contains versions in several languages and you want to have one source per language.
For the `US English` source, if the source URL is `www.mycompany.com/en-us/welcome.html`, the inclusion filter would be `www.mycompany.com/en-us/*`.

##### Exclusion filters

Your source ignores content from pages that match a URL expression specified in this section.

> **Note**
>
> The [URLs](https://docs.coveo.com/en/2061#url) you specified for your source must not be part of the exclusion filter scope, otherwise the corresponding content won't be indexed.
> For example, if you entered `+https://site:8080/sites/support+` as the source URL, and that URL matches one of your exclusion filter expressions, the corresponding content won't be indexed.
> If a source URL redirects to another URL, both URLs must not be part of the exclusion filter scope.

. Enter a URL expression to apply as the exclusion filter.

> **Notes**
>
> * Exclusion filters also apply to shortened and redirected URLs.
> 
> * By default, if pages are only accessible via excluded pages, those pages will also be excluded.
>  
> * Exclusion filters for Sharepoint Online sources are **not** case sensitive when using a **Regex** (regular expression).
> For example,`(company-(dev|staging)).*html.?$` will match `+http://
> ComPanY-dev/important/document.html+` without adding any additional symbols to account for case sensitivity.
> Exclusion filters are case sensitive when using **Wildcard** expressions.

. Select whether the URL expression uses a **Wildcard** or a **Regex** (regular expression) pattern.

**Examples**

* There's no point in indexing the search page of your website, so you exclude its URL:

`www.mycompany.com/en-us/search.html`

* You don't want to index ZIP files that are linked from website pages:

`www.mycompany.com/en-us/*.zip`

### "Content security" tab

Select who will be able to access the source items through a Coveo-powered [search interface](https://docs.coveo.com/en/2741/).
For details on the content security options, see [Content security](https://docs.coveo.com/en/1779/).

> **Important**
>
> When using the **Everyone** content security option, see [Safely apply content filtering](#safe) for information on how to ensure that your source content is safely filtered and only accessible by intended users.

### "Access" tab


. On the **Access** tab, specify whether each group (and API key, if applicable) in your [Coveo organization](https://docs.coveo.com/en/185/) can view or edit the current source.

For example, when creating a new source, you could decide that members of Group A can edit its configuration, while Group B can only view it.

For more information, see [Custom access level](https://docs.coveo.com/en/3151#custom-access-level).
On the **Access** tab, specify whether each group (and API key, if applicable) in your [Coveo organization](https://docs.coveo.com/en/185/) can view or edit the current source.

For example, when creating a new source, you could decide that members of Group A can edit its configuration, while Group B can only view it.

For more information, see [Custom access level](https://docs.coveo.com/en/3151#custom-access-level).

### Build the source

. Finish adding or editing your source:

** When you're done editing the source and want to make your changes effective, click **Add and build source**/**Save and rebuild source**.

** When you want to save your source configuration changes without starting a build/rebuild, such as when you know you want to make other changes soon, click **Add source**/**Save**.
On the [**Sources**](https://platform.cloud.coveo.com/admin/#/orgid/content/sources/) ([platform-ca](https://platform-ca.cloud.coveo.com/admin/#/orgid/content/sources/) | [platform-eu](https://platform-eu.cloud.coveo.com/admin/#/orgid/content/sources/) | [platform-au](https://platform-au.cloud.coveo.com/admin/#/orgid/content/sources/)) page, click **Launch build** or **Start required rebuild** when you're ready to make your changes effective and index your content.

> **Leading practice**
>
> By default, a Jira Software source indexes the entire Jira Software instance content.
> To index only certain projects, click **Save**, and then specify the desired address patterns in your [source JSON configuration](https://docs.coveo.com/en/1685/) before launching the initial build.
> See [Add source filters](https://docs.coveo.com/en/2006#add-source-filters) for further information.

. On the [**Sources**](https://platform.cloud.coveo.com/admin/#/orgid/content/sources/) ([platform-ca](https://platform-ca.cloud.coveo.com/admin/#/orgid/content/sources/) | [platform-eu](https://platform-eu.cloud.coveo.com/admin/#/orgid/content/sources/) | [platform-au](https://platform-au.cloud.coveo.com/admin/#/orgid/content/sources/)) page, follow the progress of your source addition or modification.

. Once the source is built or rebuilt, [review its content in the Content Browser](https://docs.coveo.com/en/2053/).

. Optionally, consider [editing or adding mappings](https://docs.coveo.com/en/1640/).


> **Note**
>
> If you selected **Specific URLs** or **User profiles** in the [**Content**](https://docs.coveo.com/en/1739#content) section, some additional items will appear in the Content Browser.
> To retrieve user profiles, Coveo must crawl your SharePoint Online instance, including your host site collection and the documents it contains.
> Items encountered during this process are also retrieved and therefore appear in the Content Browser.

### Index metadata

To use [metadata](https://docs.coveo.com/en/218/) values in [search interface](https://docs.coveo.com/en/2741/) [facets](https://docs.coveo.com/en/198/) or result templates, the metadata must be [mapped](https://docs.coveo.com/en/217/) to [fields](https://docs.coveo.com/en/200/).
Coveo automatically [maps](https://docs.coveo.com/en/217/) only a subset of the metadata it extracts.
You must map any additional metadata to fields manually.

> **Note**
>
> Not clear on the purpose of indexing metadata?
> Watch [this video](https://www.youtube.com/watch?v=BmmmVJ3AWi0).

. On the [**Sources**](https://platform.cloud.coveo.com/admin/#/orgid/content/sources/) ([platform-ca](https://platform-ca.cloud.coveo.com/admin/#/orgid/content/sources/) | [platform-eu](https://platform-eu.cloud.coveo.com/admin/#/orgid/content/sources/) | [platform-au](https://platform-au.cloud.coveo.com/admin/#/orgid/content/sources/)) page, click your source, and then click **More** > **View and map metadata** in the Action bar.

. Review the default [metadata](https://docs.coveo.com/en/218/) that your source is extracting from your content.

. Map any currently _not indexed_ metadata that you want to use in facets or result templates to fields.

> **Important**
>
> For certain types of content, the source extracts a set of item keys and values, aggregates this information into the `coveo_AllMetadata` metadata, and indexes this metadata in the `searchablemeta` field.
> The keys and values that make up the `coveo_AllMetadata` metadata are also available as separate metadata.
> No parsing on your part is required.
> Just locate the name of the metadata you need on the **View and map metadata** subpage and proceed, as explained below, to index the metadata in a field.

.. Click the metadata and then, at the top right, click **Add to Index**.

.. In the **Apply a mapping on all item types of a source** panel, select the field you want to map the metadata to, or [add a new field](https://docs.coveo.com/en/1833#add-a-field) if none of the existing fields are appropriate.

> **Note**
>
> For advanced mapping configurations, like applying a mapping to a specific item type, see [Manage mappings](https://docs.coveo.com/en/1640#manage-mappings).

.. Click **Apply mapping**.

. Return to the [**Sources**](https://platform.cloud.coveo.com/admin/#/orgid/content/sources/) ([platform-ca](https://platform-ca.cloud.coveo.com/admin/#/orgid/content/sources/) | [platform-eu](https://platform-eu.cloud.coveo.com/admin/#/orgid/content/sources/) | [platform-au](https://platform-au.cloud.coveo.com/admin/#/orgid/content/sources/)) page.

. To reindex your source with your new mappings, click your source, and then click **More** > **Rebuild** in the Action bar.

. Once the source is rebuilt, review your item field values.
They should now include the values of the metadata you selected to index.

.. On the [**Sources**](https://platform.cloud.coveo.com/admin/#/orgid/content/sources/) ([platform-ca](https://platform-ca.cloud.coveo.com/admin/#/orgid/content/sources/) | [platform-eu](https://platform-eu.cloud.coveo.com/admin/#/orgid/content/sources/) | [platform-au](https://platform-au.cloud.coveo.com/admin/#/orgid/content/sources/)) page, click your source, and then click **More** > **Open in Content Browser** in the Action bar.

.. Select the card of the item for which you want to inspect properties, and then click **Properties** in the Action bar.

.. In the panel that appears, select the **Fields** tab.

### Additional adjustments

. If your source retrieves your content through the Crawling Module and if [access to its content is secured](https://docs.coveo.com/en/1779#same-users-and-groups-as-in-your-content-system) with an Active Directory security identity provider, you must [edit the JSON configuration](https://docs.coveo.com/en/1905#edit-a-security-identity-provider) of the security identity provider associated to this source to provide additional information.
In the security identity provider JSON configuration, add the following code snippet, in which you replace `<HOSTNAME>` with either your Active Directory server IP address or domain name to use to connect to your Active Directory.

```json
 "Hostname": {
   "value": "<HOSTNAME>"
 }
```

. Moreover, if you checked the [**Enable TLS** box](#enable-tls) in the [**Authentication** section](#authentication-section), ensure your security certificates are public and installed on the Crawling Module server.


## [[safe]]Safely apply content filtering

The best way to ensure that your indexed content is seen only by the intended users is to enforce [content security](#content-security-tab) by selecting the [**Same users and groups as in your content system**](https://docs.coveo.com/en/1779#same-users-and-groups-as-in-your-content-system) option. Should this option be unavailable, select [**Specific users and groups**](https://docs.coveo.com/en/1779#specific-users-and-groups) instead.

However, if you need to configure your source so that the indexed source content is accessible to [**Everyone**](https://docs.coveo.com/en/1779#everyone), you should adhere to the following leading practices.
These practices ensure that your source content is safely filtered and only accessible by the appropriate users:

* [Configure query filters](#configure-query-filters): Apply filter rules on a query pipeline to filter the source content that appears in search results when a query goes through that pipeline.

* [Use condition-based query pipeline routing](#use-condition-based-query-pipeline-routing): Apply a condition on a query pipeline to make sure that every query originating from a specific search hub is routed to the right query pipeline.
### Configure query filters

[Filter rules](https://docs.coveo.com/en/3410/) allow you to enter hidden [query](https://docs.coveo.com/en/231/) expressions to be added to all queries going through a given [query pipeline](https://docs.coveo.com/en/180/).
They're typically used to add a field-based expression to the [constant query expression (`cq`)](https://docs.coveo.com/en/179/).

**Example**

You apply the `@objectType=="Solution"` query filter to the pipeline to which the traffic of your public support portal is directed.
As a result, the `@objectType=="Solution"` query expression is added to any query sent via this support portal.

Therefore, if a user types `Speedbit watch wristband` in the search box, the items returned are those that match these keywords and whose `objectType` has the `Solution` value.
Items matching these keywords but having a different `objectType` value aren't returned in the user's search results.

To learn how to configure query pipeline filter rules, see [Manage filter rules](https://docs.coveo.com/en/3410/).

> **Note**
>
> You can also enforce a filter expression directly in the [search token](#configure-the-search-token).

### Use condition-based query pipeline routing

The most recommended and flexible query pipeline routing mechanism is [condition-based routing](https://docs.coveo.com/en/1666#condition-based-routing-recommended).

When using this routing mechanism, you ensure that search requests are routed to a specific query pipeline according to the search interface from which they originate, and the authentication is done server side.

To accomplish this:

. [Apply a condition to a query pipeline based on a search hub value](https://docs.coveo.com/en/1959/), such as **Search Hub is Community Search** or **Search Hub is Agent Panel**.
This condition ensures that all queries that originate from a specific search hub go through that query pipeline.

. [Authenticate user queries via a search token](#configure-the-search-token) that's generated server side and that contains the search hub parameter that you specified in the query pipeline.
> **Note**
>
> If you're using the Coveo In-Product Experience (IPX) feature, see [Implement advanced search token authentication](https://docs.coveo.com/en/3160#option-2-implement-advanced-search-token-authentication).

## Required privileges

You can assign privileges to allow access to specific tools in the [Coveo Administration Console](https://docs.coveo.com/en/183/).
The following table indicates the privileges required to view or edit elements of the [**Sources**](https://platform.cloud.coveo.com/admin/#/orgid/content/sources/) ([platform-ca](https://platform-ca.cloud.coveo.com/admin/#/orgid/content/sources/) | [platform-eu](https://platform-eu.cloud.coveo.com/admin/#/orgid/content/sources/) | [platform-au](https://platform-au.cloud.coveo.com/admin/#/orgid/content/sources/)) page and associated panels.
See [Manage privileges](https://docs.coveo.com/en/3151/) and [Privilege reference](https://docs.coveo.com/en/1707/) for more information.

> **Note**
>
> The **Edit all** privilege isn't required to create sources.
> When granting privileges for the [Sources](https://docs.coveo.com/en/1707#sources-domain) domain, you can grant a group or API key the **View all** or [**Custom**](https://docs.coveo.com/en/3151#custom-access-level) access level, instead of **Edit all**, and then select the **Can Create** checkbox to allow users to create sources.
> See [Can Create ability dependence](https://docs.coveo.com/en/3151#can-create-ability-dependence) for more information.

## What's next?

* [Schedule source updates](https://docs.coveo.com/en/1933/).

* If you selected the **Same users and groups as in your content system** [content security](#content-security-tab) option, you might want to read up on [how Coveo manages security identities and item permissions](https://docs.coveo.com/en/1719/) to replicate the [permission models](https://docs.coveo.com/en/225/) of the original repository.

* If you're [using the Crawling Module to retrieve your content](https://docs.coveo.com/en/1612/), consider [subscribing to deactivation notifications](https://docs.coveo.com/en/3271#subscribing-to-crawling-module-notifications) to receive an alert when a Crawling Module component becomes obsolete and stops the content crawling process.