Understanding Resource Access

As explained in Understanding the Custom Access Level, when granting privileges to a group of users or an API key, there are some domains in which you can select an access level for each resource in the domain, in a granular fashion.

Similarly, when creating or editing a resource, the Access tab allows you determine whether each group and API key in your Coveo Cloud organization should be able to view or edit this resource. In other words, you can choose who can make changes to the resource configuration. This feature is especially useful when you have a fair number of groups or API keys in your organization, as you can select an access level for each of them in this single tab rather than editing the privilege set of each group or API key one at a time.

More specifically, when you create or edit a new resource, the Access tab shows a list of groups and API keys. In the Access Level column, you can then select View or Edit for each available group or API key. Groups and API keys granted the View access level can only review the configuration of the resource you are creating or editing. With the Edit access level, however, they can make changes to this configuration. As for the Membership column, it indicates to the user whether they are a member of each group (Member icon) or not (Non member icon).

The resources to which access can be managed in a granular fashion in the Access tab are those that are offer a custom access level option (see Understanding the Custom Access Level).

  • In the Access tab, groups or API keys for which there is no drop-down menu in the Access Level column have either the privilege to edit all resources of this domain or no privilege at all regarding this domain (see Understanding the Custom Access Level). Since these groups’ access level is already determined, you have no decision to make regarding them in the Access tab.

    You are creating a new source. In the Access tab, among the groups allowed to view sources, there is the Administrators group. You cannot select an access level for this group, as it already has the privilege to edit all sources (see Built-In Groups).

  • To use the Access tab to its full extent, you must be granted at least the View All access level for the Groups and API Keys domains. These privileges allow you to select an access level for each group and API key whose access level is not already determined (see previous note). Without them, you can only select an access level for the groups of which you are a member.

  • Among the groups for which you have a decision to make in the Access tab, those of which you are a member are granted the Edit access level by default, whereas those of which you are not a member are granted the View access level.

If you remove the Edit access level from all the groups of which you are a member, you will not be able to edit your group once it is saved. Only administrators and members of other groups that have the Edit access level on this group will be able to do so. To keep your privilege to edit this group, set the Access level to Edit for at least one of the groups of which you are a member.

Your company uses Coveo Cloud to make its internal Microsoft content and its social media content searchable. In the Sources page, there is therefore a SharePoint Online source, an Exchange source, a Twitter source, and a YouTube source (see Adding and Managing Sources).

As a Coveo Cloud administrator, you can edit all sources, but you delegated the responsibility to manage sources to other people, i.e., Microsoft sources managers and social media sources managers (see Understanding the Custom Access Level). The Microsoft sources managers are only allowed to edit the SharePoint Online Exchange sources, while the social media sources managers can manage the YouTube source only. Both of these groups of users are also allowed to create sources, and have the View All access level for the Groups domain.

One of the social media source managers decides to make your company’s tweets searchable. They therefore create a Twitter source. In the Add a Twitter Source panel, in the Access tab, they see the following:

Social Media Source Manager's Access tab

By default, the Microsoft Sources Managers are granted the View access level, as it is a group of which the source creator is not a member. To allow the Microsoft Sources Managers group to edit the Twitter source, the social media source manager must switch this group’s access level to Edit.

The Social Media Sources Managers group, of which the source creator is a member, has the Custom access level for the Sources domain and is therefore allowed to edit the new Twitter source by default. The source creator is also a member of the Users group, but this group is not allowed to edit sources, as it has been granted the View all access level on the Sources domain.

Since the source creator is a member of two groups, the highest access level applies in case of conflict (see Built-In Groups and Remark: Conflicting Access Levels).

Alternatively, one could go in the Groups and API Keys pages to grant the View access level for a resource to each of the desired groups and API keys (see Adding and Managing Groups and Adding and Managing API Keys). This method, however, would be less efficient than using the Access tab to grant the View access level to all the desired groups and API keys at once, and would require the privilege to edit the desired groups and API keys.