How Coveo for Sitecore Handles Sitecore Access Rights
How Coveo for Sitecore Handles Sitecore Access Rights
Sitecore provides website administrators the ability to be very specific as to the items a user should be allowed to view.
Sitecore handles access rights with a combination of the following:
- Security accounts (that is, users and roles)
- Access rights on items
- A set of rules that determine how conflicting access rights are resolved
The goal of this article is to explain how Coveo for Sitecore replicates the Sitecore access right data model and how it emulates Sitecore logic in determining whether a user should be allowed to see a given item in a Coveo-powered search interface results list.
Sitecore Security Accounts
A Sitecore security account is either a user or a role. A role consists of a collection of users who typically share common functions. Sitecore website administrators typically prefer to group users in roles and then specify access rights at the role level. This practice simplifies and streamlines management of permissions. See Sitecore security for details.
A Sitecore security account is defined by its name, which is the combination of a domain name and an account name (for example, sitecore\Developer).
Sitecore Security Domains
A security domain is a collection of security accounts that share some logical relationship.
Sitecore comes with the following default domains:
-
Extranet
The default domain for website visitors. Most website visits are registered under the
extranet\Anonymous
user. -
Sitecore
The users that can access the Sitecore clients such as website content authors and developer.
-
Default
Only used when no default domain is specified in the site configurations.
Sitecore Access Rights
By default, Sitecore associates all new users and roles with the sitecore\Everyone
role, and this role has Read
access allowed on all items by default. This way, Sitecore is now able to resolve Read
access rights to items for the newly created security account.
After creating a security account, you can start assigning access rights to the security account at the item level.
Coveo for Sitecore uses the Read
access right setting of an item to determine if a user should be allowed to see the item in a search result list. Consequently, the following sections focus mainly on the impact of other rights and settings on the Read
access right value resolution.
Granting the Administrator Right to a Sitecore User
When creating a Sitecore user, you can specify through a checkbox that the user is an Administrator.
When you grant the Administrator
right, the user has Read
access to all items in the Sitecore content tree.
Setting the user as an Administrator
doesn’t add the user to any Sitecore role.
Assigning Access Rights on an Item to a Security Account in Sitecore
When assigning access rights on an item to a security account in Sitecore, the following access rights can impact the Read
access right value resolution for the user in Sitecore and, as a consequence, the right the user has to see the item in a search interface results list:
-
The
Read
access rightYou can set this access right to
Allowed
orDenied
on a Sitecore item for the selected security account. -
The
Inheritance
access rightBy default, all Sitecore items inherit access rights from their parents in the content tree. However, you can prevent an item from inheriting access rights for the selected security account by setting its
Inheritance
access right toDenied
.
Two additional security options can be set on an item which have an impact on the Read
access right value for all security accounts:
-
The
Require Login
optionWhen you set an item to
Require Login
, you essentially set itsRead
access toDenied
for theextranet\Anonymous
user, and therefore force users to log in through the Sitecore client before they can request the item or one of its descendants. -
The
Remove Inherit
optionThis sets the
Inheritance
access right toDenied
for theEveryone
role, which all users and roles are members of. This option therefore negates, for all users, theRead
access right that the item and its descendants would otherwise inherit from parent items.
Sitecore Rules for Conflicting Access Rights
In Sitecore, many access rights and settings come in play when determining if a user should be granted Read
access rights on a given item, and these access rights and settings inevitably bring about conflicts.
Hence, Sitecore has default access right values and a set of rules to avoid insufficient information scenarios, and determine which security setting overrides another.
The following table presents the default values for access rights.
Access Right(s) | Default Value |
---|---|
All rights | Denied |
Inheritance |
Allowed |
When all else is equal, the following rules determine the resolved value for the Read
access right a given security account has over an item:
-
Denied
overrulesAllowed
. - User access rights overrule role access rights.
- Access rights explicitly specified on an item directly overrule access rights inherited from a parent.
- Access rights explicitly granted overrule the
Inheritance
access right and rights inherited from a parent.
For more details regarding Sitecore access rights conflict management, see Assigning access rights.
Coveo Cloud Security Identities
Coveo for Sitecore automatically updates Coveo Platform identities so that they remain in synch with Sitecore security account data. The role of the security cache is to store and maintain a list of all relationships between Sitecore security identities (for example, role - user relationships).
Your Coveo Cloud security identity cache is synchronized automatically on a daily basis. Sitecore security account modifications and index rebuilds also trigger immediate security identity cache updates (see Security Identity Cache and Provider).
In your Coveo organization, you can view the content of your security cache as follows:
- Access the Coveo Cloud Administration Console.
- If applicable, select the organization associated with your production environment Sitecore instance.
- In the main menu, select Security Identities.
- Select the Expanded Sitecore Security Provider associated with your Sitecore instance.
- Click Explore Identities.
Coveo Cloud Item Permissions Management
Coveo for Sitecore pushes Sitecore access rights to Coveo Cloud so that when a Sitecore website visitor uses a Coveo for Sitecore search interface to perform a search query, Coveo Cloud can return only search results the user is authorized to see.
The following sections describe how under the hood, Coveo Cloud uses permission levels and sets to map Sitecore access rights.
Coveo Cloud Permission Levels and Sets
Coveo for Sitecore feeds the Coveo Cloud with item permissions inside a JSON object which contains a Permission Levels array. Permission levels in this array are listed by order of precedence and each permission level consists of one or several Permission Sets.
The following table summarizes the Coveo Cloud rules applied for permission level precedence, permission set data, and the analysis logic.
Rule | Description |
---|---|
Denial prevalence | If a user has at least one of their security identities that is allowed to access the item, and at least one that is denied access, the denial prevails over the allowance. |
Unspecified security identities | If the permissions of an item don’t specify whether a certain security identity is allowed or denied access to this item, the user authenticated with this security identity can’t see this item in search results. |
Public items and anonymous users | The permissions of an item specify whether this item can be accessed by anonymous users, that is, users that didn’t log in before making a query. This makes the item public and accessible to anyone, using any security identity, including an Anonymous User identity. |
When analyzing the permission sets of permission level n
of an item, Coveo Cloud either determines that the item should be included or excluded from the search results list, or the process moves on to analyze the permission sets for permission level n+1
(see Permission Levels).
How Coveo for Sitecore Maps Sitecore Rights to Permission Levels
Each time a Sitecore item is created or updated in the content tree, Sitecore calls Coveo for Sitecore. Coveo for Sitecore can then update its permission representation accordingly.
The following table shows how Coveo for Sitecore builds the JSON permission level representation it sends to the Coveo Platform using the rights specified in Sitecore. The table also explains how the Coveo Platform ultimately determines whether the querying user will be allowed to see the given item in a Coveo for Sitecore search results list.
Permission level | Sitecore rights mapped to permission sets | Condition required for conclusive analysis |
---|---|---|
1 | Sitecore Administrator right |
If the querying user is a member of the Sitecore Administrator group, the item is included in search results |
2 |
Read access rights for users specified directly on the queried item |
If the permission sets include one for the querying user, the analysis is conclusive.
|
3 |
Read access rights for roles specified directly on the queried item |
If the permission sets include at least one role the querying user is a member of, the analysis is conclusive.
|
4 |
Read access rights for users specified on the immediate parent of the item |
If the permission sets include one for the querying user, the analysis is conclusive.
|
5 |
Read access rights for roles specified on the immediate parent of the item |
If the permission sets include at least one role the querying user is a member of, the analysis is conclusive.
|
6 |
Read access rights for users specified on the second parent of the item |
If the permission sets include one for the querying user, the analysis is conclusive.
|
7 |
Read access rights for roles specified on the second parent of the item |
If the permission sets include at least one role the querying user is a member of, the analysis is conclusive.
|
8 |
Read ... users ... third parent of the item |
If the permission sets include one for the querying user... |
1: A permission level can’t contain only empty permission sets. Permission level numbers in this table assume that relevant access rights are specified on each associated content tree item in Sitecore.
2: The Inheritance
Sitecore access right is handled internally by Sitecore and is therefore absent from the JSON permission level representation.
For information on accessing and reviewing user and group permissions over an item in the Coveo Cloud Administration Console, see Permissions Tab.
For information on accessing and reviewing permission level and permission set data for an item in the Coveo Cloud Administration Console, see Permissions Details Tab.
Permissions Retrieval When Performing a Query
When performing a query in a Coveo for Sitecore search interface, Coveo for Sitecore calls the /coveo/rest
proxy in your Sitecore instance. The proxy relays the request to the Coveo Cloud which returns a JSON list of items, all of which the querying user is allowed to view (see Performing a Query from a Coveo-Powered Search Page).