Defining Source-Level Permissions

Most connectors support the Determined by source permissions content security option, which sets permissions at the source item level. This means that Coveo Cloud has permission information detailing who is allowed or denied access to each individual item through a Coveo-powered search interface.

However, some connectors don’t support indexing the original permission system and replicating it in a search interface. An alternative way to secure your source content is to define permissions manually, at the source level. In other words, you can specify who can or can’t access the items indexed with this source. This solution applies to all items as a whole, so end users are allowed to access either all source items or none.

To leverage this alternative, you must first create a source whose content is accessible to you only. Then, in the source JSON configuration, you can detail who else should be allowed to access its content through a Coveo-powered search interface. By editing the source JSON configuration, you can expand the access restriction to other user or group security identities.

For more information on how Coveo handles permissions, see Coveo Cloud Management of Security Identities and Item Permissions.

To configure source-level permissions

  1. Create a source with the desired connector. In the Content Security tab of the source creation panel, select Source creator. Once you’re done, click Save.

  2. In the source JSON configuration, specifically the Permissions object, define the source permissions. See the Reference section for details on each object.

  3. Build your source.

Example

Your search interface is used by both your customers and your employees. You want to index an internal website, so you must ensure that only your employees can access the content of this website in their search results.

In the permissionSets object of the source JSON configuration, you modify allowedPermissions so that only users authenticated with an email identity from your company's domain are allowed.

"permissions": [
  {
    "permissionSets": [
      {
        "allowedPermissions": [
          {
            "identityType": "Group",
            "securityProvider": "Email Security Provider",
            "identity": "*@<MY_COMPANY>.com"
          }
        ],
        "deniedPermissions": [],
        "name": "Internal Website"
      }
    ],
    "name": "Source-Level Permissions"
  }
],

Reference

Permissions (Array of Permission Set Object)

The Permissions array contains the permission sets to apply to the items indexed in your source. The security identities listed in these sets are either allowed or denied access to the indexed items.

See the Permission Set Object section for details on the properties in this object.

Permission Set Object

A Permission Set object describes a single permission set, which contains lists of allowed and denied security identities.

For more information on how Coveo handles permissions, see Coveo Cloud Management of Security Identities and Item Permissions.

Name (String)

The name of the permission set.

AllowedPermissions (Array of Permission Object)

Each object in the AllowedPermissions array represents a security identity that should be allowed to access the indexed content.

If a user is listed under both AllowedPermissions and DeniedPermissions, the denial prevails so that security holes are avoided.

For more information on how Coveo handles permissions, see Coveo Cloud Management of Security Identities and Item Permissions.

See the Permission Object section for details on the properties expected in the AllowedPermissions object.

DeniedPermissions (Array of Permission Object)

Each object in the DeniedPermissions array represents a security identity to whom access to the indexed item should be denied.

If a user is listed under both AllowedPermissions and DeniedPermissions, the denial prevails so that security holes are avoided.

For more information on how Coveo handles permissions, see Coveo Cloud Management of Security Identities and Item Permissions.

See the Permission Object section for details on the properties expected in the DeniedPermissions object.

Permission Object

A Permission object describes a security identity that can be either allowed or denied in a source permission set.

See AllowedPermissions and DeniedPermissions for more details.

Identity (String, Required)

The name of the security identity. By default, the Email Security Provider is used and therefore email addresses are expected, but you can specify a different SecurityProvider to use.

IdentityType (String Enum, Required)

The type of security identity. Allowed values are User, Group, and VirtualGroup.

For more information on these types of security identities, see Coveo Cloud Management of Security Identities and Item Permissions.

SecurityProvider (String, Required)

The unique identifier of the target security identity provider that manages the specified identity, as displayed on the Security Identities Administration Console page. By default, the Email Security Provider is used.
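The following Python script is an added example, not Coveo code or a Coveo API. It validates a permissions block against the field rules described in this Reference section (required fields, the User/Group/VirtualGroup enum, arrays for allowed and denied lists) and then evaluates one permission set for a user, applying the "denial prevails" rule from the AllowedPermissions and DeniedPermissions sections. It also covers the Example section above: the constructed sample configuration is the page's Internal Website example with example.com standing in for <MY_COMPANY> and one denied contractor mailbox added. Two points are assumptions of the example rather than documented behaviour: wildcard identities such as *@example.com are matched glob-style and case-insensitively, and a user is represented by the (securityProvider, identity) memberships the provider has resolved for them. How several permission sets combine is not stated on this page, so the evaluator takes a single set.

```python
"""Validate and evaluate a Coveo source-level permissions block (added example).

Assumptions (not documented Coveo behaviour): glob-style, case-insensitive
matching of wildcard identities, and users modelled as resolved memberships.
"""
import fnmatch
import json

IDENTITY_TYPES = {"User", "Group", "VirtualGroup"}
DEFAULT_PROVIDER = "Email Security Provider"


def validate_permissions(permissions):
    """Return a list of readable problems; an empty list means the block is well-formed."""
    errors = []
    if not isinstance(permissions, list):
        return ["'permissions' must be an array of permission set objects"]
    for i, level in enumerate(permissions):
        sets = level.get("permissionSets")
        if not isinstance(sets, list) or not sets:
            errors.append(f"permissions[{i}]: 'permissionSets' must be a non-empty array")
            continue
        for j, pset in enumerate(sets):
            where = f"permissions[{i}].permissionSets[{j}]"
            if not pset.get("name"):
                errors.append(f"{where}: missing 'name'")
            for key in ("allowedPermissions", "deniedPermissions"):
                entries = pset.get(key)
                if not isinstance(entries, list):
                    # An empty list must still be present, as in the page's example.
                    errors.append(f"{where}: '{key}' must be an array (use [] when empty)")
                    continue
                for k, entry in enumerate(entries):
                    errors.extend(_validate_entry(f"{where}.{key}[{k}]", entry))
    return errors


def _validate_entry(where, entry):
    """Check one Permission object: identity, identityType, securityProvider are required."""
    errors = []
    for field in ("identity", "identityType", "securityProvider"):
        if not entry.get(field):
            errors.append(f"{where}: missing required field '{field}'")
    if entry.get("identityType") not in IDENTITY_TYPES:
        errors.append(f"{where}: identityType must be one of {sorted(IDENTITY_TYPES)}")
    return errors


def _matches(entry, membership):
    """Assumption: same provider and glob-style, case-insensitive identity match."""
    provider, identity = membership
    if entry["securityProvider"] != provider:
        return False
    return fnmatch.fnmatchcase(identity.lower(), entry["identity"].lower())


def evaluate_set(pset, memberships):
    """Decide access for one permission set: any denial wins; unlisted users are denied."""
    for entry in pset["deniedPermissions"]:
        if any(_matches(entry, m) for m in memberships):
            return False
    return any(_matches(entry, m) for entry in pset["allowedPermissions"] for m in memberships)


# Constructed sample: the page's example with example.com as a placeholder domain
# and one denied mailbox added to show that denial prevails over the wildcard allow.
SAMPLE_CONFIG = json.loads("""
{
  "permissions": [
    {
      "permissionSets": [
        {
          "allowedPermissions": [
            {"identityType": "Group", "securityProvider": "Email Security Provider",
             "identity": "*@example.com"}
          ],
          "deniedPermissions": [
            {"identityType": "User", "securityProvider": "Email Security Provider",
             "identity": "contractor@example.com"}
          ],
          "name": "Internal Website"
        }
      ],
      "name": "Source-Level Permissions"
    }
  ]
}
""")


def decide(config, memberships):
    """Validate, then evaluate the first permission set (multi-set combination is unspecified here)."""
    problems = validate_permissions(config["permissions"])
    if problems:
        raise ValueError("; ".join(problems))
    return evaluate_set(config["permissions"][0]["permissionSets"][0], memberships)


if __name__ == "__main__":
    for who in ("alice@example.com", "Contractor@Example.com", "customer@gmail.com"):
        verdict = decide(SAMPLE_CONFIG, [(DEFAULT_PROVIDER, who)])
        print(who, "->", "allowed" if verdict else "denied")
```

Run it before building the source: the validator catches a missing deniedPermissions array or a misspelled identityType value that would otherwise surface only after indexing, and the evaluator lets you confirm that a customer address is denied, an employee address is allowed, and an explicitly denied employee stays denied even though the wildcard group matches.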
