Coveo, Microsoft Dynamics 365, and Security

Coveo Cloud uses a flexible security model capable of reproducing any security model, so that your data is at least as secure in your Coveo index as it is in Microsoft Dynamics 365 (see Coveo Cloud V2 Management of Security Identities and Item Permissions). Whether they are in Microsoft Dynamics 365 or querying the Coveo index, your users have access to the exact same items; items that do not match the current user's security credentials are not included in the results list. Users therefore do not see, in a result title or excerpt, any sensitive information they are not supposed to see, such as coworkers' expense accounts, other teams' sales leads, or other teams' confidential projects.

Item Security Model

Coveo Cloud applies a security model to each indexed item depending on the data repository security model. In Microsoft Dynamics 365, this model is composed of three levels:

  1. Owner: groups or users who own the item.
  2. Shared: groups or users with whom the item is shared.
  3. Roles: groups or users who typically have access to the items based on their role.

Each one of these levels includes two sets, each containing a list of allowed groups or users.

  1. [Level] Set: groups or users who have access to this item.
  2. Entity Type Set: groups or users who typically have access to this entity type.

In Microsoft Dynamics 365, the concept of a denied user does not exist. A user is either allowed or unknown.

To resolve security on each item and determine whether an item can appear in the search results for a specific user, Coveo Cloud analyzes the permissions on the item as follows:

  1. For each permission level, Coveo Cloud goes through each permissions set:
    1. If the user is allowed in all sets, the user can see the item. Other permissions levels are ignored.
    2. If the user is unknown in all sets, the next permissions level is checked.
  2. If the user is unknown in all permissions levels, the user cannot see the item.

Security Expansion

For Coveo to recognize users from Microsoft Dynamics 365, the different groups and users must be mapped to a list of security identities (in the case of Microsoft Dynamics 365, the primary email), which is then used to determine whether a user has access to an item. These identities are stored in the Coveo security cache. At query time, the item permissions are compared to the identity in the cache to determine if the user is allowed (see Security Identities).

Once a day, Coveo Cloud calls the Microsoft Dynamics 365 security provider to update the mapping of groups and users to their emails. This means that any change made to the security groups or users in Microsoft Dynamics 365 will be effective in the Coveo index at most 24 hours later. If you want those changes to be effective immediately, you can manually trigger a security identities refresh (see Refresh Tab).
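The level-by-level resolution under Item Security Model and the identity mapping described in this section can be sketched together as follows. This is an added example, not Coveo code: the function names, dictionary layout, and sample identities are hypothetical, and the handling of a user who is allowed in only one of a level's two sets (which this page does not define) is an assumption.

```python
# Added illustration; names are hypothetical, not Coveo API identifiers.
LEVELS = ("Owner", "Shared", "Roles")  # evaluated in the order listed on this page

def expand(identities, cache):
    """Resolve groups or users to primary emails using the security cache."""
    emails = set()
    for identity in identities:
        # Assumption: an identity absent from the cache is already a user email.
        emails |= set(cache.get(identity, [identity]))
    return emails

def can_see(user_email, item_permissions, cache):
    """Return (visible, granting_level) for one item.

    item_permissions maps a level name to its two sets:
    {"level_set": [...], "entity_type_set": [...]}.
    """
    for level in LEVELS:
        sets = item_permissions.get(level)
        if not sets:
            continue  # level absent: the user is unknown there
        allowed = [user_email in expand(sets[name], cache)
                   for name in ("level_set", "entity_type_set")]
        if all(allowed):
            return True, level  # allowed in all sets: remaining levels are ignored
        # Unknown in all sets: check the next level. Being allowed in only one
        # set is not covered by the page; assumed here to fall through as well.
    return False, None  # unknown at every level: the item is filtered out

# Constructed sample data: security cache (group or role -> primary emails).
CACHE = {
    "team:sales-east": ["ana@example.com", "bo@example.com"],
    "role:salesperson": ["ana@example.com", "bo@example.com", "cy@example.com"],
    "role:sales-manager": ["dee@example.com"],
}
# Constructed permissions for one sales lead.
LEAD = {
    "Owner": {"level_set": ["ana@example.com"], "entity_type_set": ["role:salesperson"]},
    "Shared": {"level_set": ["team:sales-east"], "entity_type_set": ["role:salesperson"]},
    "Roles": {"level_set": ["role:sales-manager"], "entity_type_set": ["role:sales-manager"]},
}
# Cache contents after bo is removed from the team and identities are refreshed.
REFRESHED = {**CACHE, "team:sales-east": ["ana@example.com"]}

if __name__ == "__main__":
    for who in ("ana@example.com", "bo@example.com", "cy@example.com"):
        print(who, can_see(who, LEAD, CACHE), can_see(who, LEAD, REFRESHED))
```

Evaluating bo@example.com against CACHE and then REFRESHED shows the window described above: until the security identities are refreshed, a user removed from a group in Microsoft Dynamics 365 still resolves as allowed.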

Search Authentication

The API key is a basic authentication method used to secure the interactions between Coveo for Microsoft Dynamics 365 and the Coveo Search API (see API Key Authentication). The key is included in each query and identifies the API call as legitimate. The key is stored in the entity called Coveo Configuration so that it is available for Coveo for Microsoft Dynamics 365 to use. It is therefore important that you neither share this key with anyone nor reduce the security on the Coveo Configuration entity.