Deny Anonymous Users Access to the Master Database

This page explains how to deny anonymous users access to the master database items.

How Coveo for Sitecore Replicates the Sitecore Security Model

Coveo for Sitecore automatically replicates the Sitecore permissions model into the Coveo Platform to ensure that logged in users only have access to the documents they’re allowed to see (see Handling of Sitecore Access Rights).

However, it doesn’t apply strict permissions based on the item publishing status in Sitecore.

This means that master database documents can be accessible through the /coveo/rest endpoint if the documents are allowed to anonymous users.


By default, the extranet\Anonymous user has the Read access right over all documents in the master database in Sitecore.

A user accesses your website. It’s assigned the extranet\Anonymous identity because it’s not logged into the system.

In this context, querying from the /coveo/rest endpoint will yield results from both master and web because the security model allows it in both databases.

Denying Anonymous Users With the AddSecurityOnItemsWithDatabase Processor

If you don’t want your master items to be returned on queries before these items are published, you can enable a processor which adds a new permission level in Coveo. That permission level denies access to the specified identity on all items associated with the specified database.

The default processor settings are the following:

  • database: master

  • domain: extranet

  • identity: extranet\anonymous


Coveo for Sitecore now enables the AddSecurityOnItemsWithDatabase processor by default when you enable Sitecore permission indexing.

A validation has also been added in the processor to prevent it from processing items when Index Sitecore permissions isn’t selected.

To deny anonymous users with the AddSecurityOnItemsWithDatabase processor

  1. In the Coveo.SearchProvider.Custom.config file, in the <coveoPostItemProcessingPipeline> element, enable the processor by uncommenting the AddSecurityOnItemsWithDatabase element.

        <processor type="Coveo.SearchProvider.Processors.AddSecurityOnItemsWithDatabase, Coveo.SearchProviderBase">
  2. If you want to override the default processor settings, you can explicitly specify the identity parameters to be added to the documents, as follows:

        <processor type="Coveo.SearchProvider.Processors.AddSecurityOnItemsWithDatabase, Coveo.SearchProviderBase">


    • <SITECORE_DATABASE> with the name of the Sitecore database whose documents you want to add the identity to.

    • <SITECORE_DOMAIN> with the name of the target Sitecore domain (for example, extranet)

    • <SITECORE_ACCOUNT> with the name of the target Sitecore account, including the domain name (for example, extranet\anonymous)

  3. Rebuild your indexes.