Synchronizing Security Identities

Coveo for Sitecore can handle and replicate item Read access rights specified in Sitecore. When you require Sitecore users to login to view items, and you configure Coveo for Sitecore to index Sitecore permissions, an item only appears in search page results if the querying user has the Read access right on that item in Sitecore.

Sitecore supports users and roles. Changes to these security accounts in Sitecore can occur frequently, and they can have an impact on a Sitecore user’s right to view an item in search results. When a user queries the Coveo index, the security identity cache is interrogated to quickly determine which users can and can’t view a given item in search results.

The goal of this article is to provide information on the various mechanisms in Coveo for Sitecore that ensure that the security identity cache remains synchronized with Sitecore security account data, and on options available in the Coveo for Sitecore user interface to force the update of the security identity cache.

Automatic Security Identity Synchronization

Coveo for Sitecore automatically synchronizes Coveo Cloud security identities with Sitecore security account data

  • the first time the index is initialized and the Sitecore identities have not been pushed once yet, and
  • at the beginning of each Sitecore index rebuild operation, if the pushPermissionsOnRebuild flag is set to true.

These two actions trigger PUT calls to https://push.cloud.coveo.com/v1/organizations/{organizationId}/providers/{providerId}/permissions/batch which update the Coveo Cloud security identities, followed by a POST call to https://platform.cloud.coveo.com/rest/organizations/{organizationId}/securitycache/refresh which updates the security identity cache.

Manual Security Identity Synchronization

To manually synchronize security identities

  1. Open the Coveo Search section of the Sitecore Control Panel (see Opening the Coveo Search Control Panel Section).

  2. Choose Indexing Manager.

  3. In the Command Center menu, select Security.

    You can also access the Security section of the Command Center using URL http://[INSTANCE NAME]/coveo/command-center/index.html#security, where [INSTANCE NAME] is the name of your Sitecore instance. Non Sitecore administrators can only access the Command Center by URL (see Giving Access to the Command Center).

  4. In the Synchronize identities section, click Synchronize.

This Synchronize option triggers PUT calls to https://push.cloud.coveo.com/v1/organizations/{organizationId}/providers/{providerId}/permissions/batch which update the Coveo Cloud security identities, followed by a POST call to https://platform.cloud.coveo.com/rest/organizations/{organizationId}/securitycache/refresh which updates the security identity cache.

Automatic Security Identity Cache Refresh

The security identity cache is fully refreshed by default each night. Furthermore, by default, Coveo for Sitecore also hooks itself to the following Sitecore events to maintain the security identity cache up to date.

Event Handler
user:updated OnUserUpdated
user:deleted OnUserDeleted
role:created OnRoleCreated
role:deleted OnRoleDeleted
roles:usersAdded OnUsersAddedToRole
roles:usersRemoved OnUsersRemovedFromRole

roles:rolesAdded

OnRolesAddedToRoles
roles:rolesRemoved OnRolesRemovedFromRoles

Hence, in the Coveo.SearchProvider.config file, you can see the following elements.

<events>
  ...
  <event name="user:updated">
    <handler type="Coveo.SearchProvider.Events.ExpandedPermissionsEventHandler, Coveo.SearchProviderBase" method="OnUserUpdated" />
    <handler type="Coveo.SearchProvider.Events.EntityEventHandler, Coveo.SearchProviderBase" method="OnUserUpdated"/>
  </event>
  <event name="user:deleted">
    <handler type="Coveo.SearchProvider.Events.ExpandedPermissionsEventHandler, Coveo.SearchProviderBase" method="OnUserDeleted" />
    <handler type="Coveo.SearchProvider.Events.EntityEventHandler, Coveo.SearchProviderBase" method="OnUserDeleted"/>
  </event>
  <event name="role:created">
    <handler type="Coveo.SearchProvider.Events.ExpandedPermissionsEventHandler, Coveo.SearchProviderBase" method="OnRoleCreated" />
    <handler type="Coveo.SearchProvider.Events.EntityEventHandler, Coveo.SearchProviderBase" method="OnRoleCreated"/>
  </event>
  <event name="role:deleted">
    <handler type="Coveo.SearchProvider.Events.ExpandedPermissionsEventHandler, Coveo.SearchProviderBase" method="OnRoleDeleted" />
    <handler type="Coveo.SearchProvider.Events.EntityEventHandler, Coveo.SearchProviderBase" method="OnRoleDeleted"/>
  </event>
  <event name="roles:usersAdded">
    <handler type="Coveo.SearchProvider.Events.ExpandedPermissionsEventHandler, Coveo.SearchProviderBase" method="OnUsersAddedToRole" />
    <handler type="Coveo.SearchProvider.Events.EntityEventHandler, Coveo.SearchProviderBase" method="OnUsersAddedToRole"/>
  </event>
  <event name="roles:usersRemoved">
    <handler type="Coveo.SearchProvider.Events.ExpandedPermissionsEventHandler, Coveo.SearchProviderBase" method="OnUsersRemovedFromRole" />
    <handler type="Coveo.SearchProvider.Events.EntityEventHandler, Coveo.SearchProviderBase" method="OnUsersRemovedFromRole"/>
  </event>
  <event name="roles:rolesAdded">
    <handler type="Coveo.SearchProvider.Events.ExpandedPermissionsEventHandler, Coveo.SearchProviderBase" method="OnRolesAddedToRoles" />
    <handler type="Coveo.SearchProvider.Events.EntityEventHandler, Coveo.SearchProviderBase" method="OnRolesAddedToRoles"/>
  </event>
  <event name="roles:rolesRemoved">
    <handler type="Coveo.SearchProvider.Events.ExpandedPermissionsEventHandler, Coveo.SearchProviderBase" method="OnRolesRemovedFromRoles" />
    <handler type="Coveo.SearchProvider.Events.EntityEventHandler, Coveo.SearchProviderBase" method="OnRolesRemovedFromRoles"/>
  </event>
</events>

Manual Update of a Security Cache Identity

You can manually update a specific security cache identity as follows:

  1. Open the Coveo Search section of the Sitecore Control Panel (see Opening the Coveo Search Control Panel Section).

  2. Choose Indexing Manager.

  3. In the Command Center menu, select Security.

    You can also access the Security section of the Command Center using URL http://[INSTANCE NAME]/coveo/command-center/index.html#security, where [INSTANCE NAME] is the name of your Sitecore instance. Non Sitecore administrators can only access the Command Center by URL (see Giving Access to the Command Center).

    You can update a specific user or role through the Update a security identity option (see Understanding the Indexing Manager - Security).

This Update a security identity option triggers a POST call to https://platform.cloud.coveo.com/rest/organizations/{organizationId}/securitycache/refresh/entity.

Recommended Articles