Modifying Source Item Permissions

In this article

You can use indexing pipeline extensions to get, clear, add, or set permissions associated with source items (see Document Object Python API Reference).


While modifying source item permissions with an indexing pipeline extension is legitimate, you must be aware that your code must apply the appropriate permissions in all cases to prevent exposing sensitive information to the wrong people. We recommend that you use the permission modification extensions only in simple security model cases that you understand very well and that you can thoroughly test.


You have a source indexing your Salesforce Knowledge articles. The Coveo Salesforce source doesn’t support index permission for Knowledge content, so by default all articles have the Email Security Provider @ permission making them searchable by any user, including anonymous users.

Your Knowledge Base (KB) article writing process involves validation stages and only articles that are in the Public state should be visible to anonymous users. All others should only be visible to your company employees. Your custom Boolean metadata kav_ispublic identifies public articles when set to true.

In this simple security model, you can use the following indexing pipeline extension script to set restrictive permissions for non public articles.

meta = document.get_meta_data_value('kav_ispublic')
is_public = meta and str(meta[0]).lower() == 'true'
# For non public articles only
if not is_public:
    # Delete the *@* permission
    # Restrict access to users authenticated with an account resolving to an email ending with
    document.add_allowed('*', 'group', 'Email Security Provider')

You can now include your Salesforce Knowledge articles source in a public search interface where anonymous users will only see the public articles.