Coveo for Sitecore 5 is now available!

Understanding How to Leverage Virtual Users With Coveo

Virtual users are a feature of Sitecore that enables you to dynamically create non-Sitecore users and assign them Sitecore roles.

These users can only be created using the Sitecore API. According to the Sitecore documentation, creating a typical virtual user looks like this:

Sitecore.Security.Accounts.User user = Sitecore.Security.Authentication.AuthenticationManager.BuildVirtualUser(@"dummy\user",true);
if (user != null) {
    string domainRole = @"sitecore\Sitecore Client Users";
    if (Sitecore.Security.Accounts.Role.Exists(domainRole)) {
        user.Roles.Add(Sitecore.Security.Accounts.Role.FromName(domainRole));
    }
    Sitecore.Security.UserProfile profile = user.Profile;
    profile.FullName = "Dummy User";
    profile.Save();
    Sitecore.Security.Authentication.AuthenticationManager.Login(user);
}

Coveo for Sitecore supports these virtual users on both REST (JSUI) queries and LINQ queries, and injects it its roles.

Support for LINQ queries has been discontinued as of the November 2018 version of Coveo for Sitecore 4.1.

To make sure that it works, you need to follow a few rules.

Rule 1 - Add Roles on the Virtual User

The roles are used as additional identities on the queries to Coveo. This is how you are able to resolve the permissions on items.

If there are no roles assigned to the virtual user, Coveo is not able to resolve this user as a Sitecore user.

Rule 2 - Log In with the Proper Method

The AuthenticationManager offers various calls to log in the virtual user. In the provided example, you are using the method that takes the user object as a parameter.

There is also a Login method that takes only the user name as a parameter. This method will not work; virtual users in this case are not considered persistent, and the Sitecore API does not return them. 

Rule 3 - Have the Proper Permissions Set on the Sitecore Items

If all items have anonymous permission set on them in Sitecore, you do not have to set anything.

If, for instance, anonymous is denied, ensure that the items have the virtual user roles allowed on items, either explicitly or by inheritance.

If the roles are not allowed, Coveo denies the virtual user access to items.

How It Works

The Coveo Security Provider adds the Sitecore users to the Coveo Security Cache. At query time, the Security Provider compares the user performing the query with the user list in that cache. If the user is known and is allowed on the item, then the item is returned.

Virtual users are not part of the Sitecore User Manager list, which means that the Security Provider is not able to add it to the cache. The AddVirtualGroups processor declared in the getSearchUserIdentities pipeline resolves the virtual user back to the Role it is assigned to.

This processor can be found in the Coveo.SearchProvider.Rest.config file.

The Index will then receive the Sitecore role, not the virtual user.