---
title: Deny anonymous users access to the master database
slug: '2716'
canonical_url: https://docs.coveo.com/en/2716/
collection: coveo-for-sitecore-v5
source_format: adoc
---
# Deny anonymous users access to the master database


[.version.c4sc.c4sc-pre.5-0-1153-1.August-15&-2022]
[Coveo for Sitecore pre-5.0.1153.1](https://docs.coveo.com/en/m3gf4364#release-notes)


This page explains how to deny anonymous users access to the `master` database items.

## How Coveo for Sitecore replicates the Sitecore security model

Coveo for Sitecore automatically replicates the Sitecore permissions model into the [Coveo Platform](https://docs.coveo.com/en/186/) to ensure that logged in users only have access to the documents they're allowed to see.
See [Handling of Sitecore access rights](https://docs.coveo.com/en/2311/) for more details.

However, it doesn't apply strict permissions based on the item publishing status in Sitecore.

This means that `master` database documents can be accessible through the `/coveo/rest` endpoint if the documents are allowed to anonymous users.

**Example**

By default, the `extranet\Anonymous` user has the `Read` access right over all documents in the `master` database in Sitecore.

A user accesses your website.
It's assigned the `extranet\Anonymous` identity because it's not logged into the system.

In this context, querying from the `/coveo/rest` endpoint will yield results from both `master` and `web` because the security model allows it in both databases.

## Denying anonymous users with the AddSecurityOnItemsWithDatabase processor

If you don't want your `master` items to be returned on queries before these items are published, you can enable a processor which adds a new permission level in Coveo.
That permission level denies access to the specified identity on all items associated with the specified database.

The default processor settings are the following:

* database: `master`

* domain: `extranet`

* identity: `extranet\anonymous`

> **Note**
>
> [.version.c4sc.c4sc-pre.5-0-1153-1.August-15&-2022]
> [Coveo for Sitecore pre-5.0.1153.1](https://docs.coveo.com/en/m3gf4364#release-notes)
> 
> 
> Coveo for Sitecore now enables the `AddSecurityOnItemsWithDatabase` processor by default when you [enable Sitecore permission indexing](https://docs.coveo.com/en/m3gf4364#step-4-activate-the-addsecurityonitemswithdatabase-processor).
> 
> A validation has also been added in the processor to prevent it from processing items when `Index Sitecore permissions` isn't selected.

[.version.no-link.c4sc.c4sc-pre.5-0-1153-1.August-15&-2022]
Coveo for Sitecore pre-5.0.1153.1


To deny anonymous users with the `AddSecurityOnItemsWithDatabase` processor

. In the `Coveo.SearchProvider.Custom.config` file, in the `<coveoPostItemProcessingPipeline>` element, enable the processor by uncommenting the `AddSecurityOnItemsWithDatabase` element.

```xml
<coveoPostItemProcessingPipeline>
    <processor type="Coveo.SearchProvider.Processors.AddSecurityOnItemsWithDatabase, Coveo.SearchProviderBase">
        <database>master</database>
    </processor>
</coveoPostItemProcessingPipeline>
```

. To override the default processor settings, specify the identity parameters to be added to the documents, as follows:

```xml
<coveoPostItemProcessingPipeline>
    <processor type="Coveo.SearchProvider.Processors.AddSecurityOnItemsWithDatabase, Coveo.SearchProviderBase">
        <database><SITECORE_DATABASE></database>
        <domain><SITECORE_DOMAIN></domain>
        <identity><SITECORE_ACCOUNT></identity>
    </processor>
</coveoPostItemProcessingPipeline>
```

replacing

** `<SITECORE_DATABASE>` with the name of the Sitecore database whose documents you want to add the identity to.

** `<SITECORE_DOMAIN>` with the name of the target Sitecore domain (for example, `extranet`)

** `<SITECORE_ACCOUNT>` with the name of the target Sitecore account, including the domain name (for example, `extranet\anonymous`)

. Rebuild your indexes.