---
title: About the Email Security Provider
slug: '87'
canonical_url: https://docs.coveo.com/en/87/
collection: index-content
source_format: adoc
---

# About the Email Security Provider

The _Email Security Provider_, which is present by default in your [Coveo organization](https://docs.coveo.com/en/185/), serves as a central point to establish alias relationships between security identities corresponding to the same person across many secured enterprise systems.

A user will typically log in to your [search interface](https://docs.coveo.com/en/2741/) by authenticating with an email address. This security identity is then added in the Email Security Provider. You can then establish aliases between identities in your other providers and this identity to ensure that when a user logs in with that email, they see all content that they have access to, regardless of the system from which each item originated.

**Example**

You define an alias relationship between `aliceSmith@example.com` in the security identity provider of a secured Push [source](https://docs.coveo.com/en/246/) and the `aSmith@example.com` user in the Email Security Provider:

**Request**

```http
PUT https://api.cloud.coveo.com/push/v1/organizations/mycoveocloudv2organizationg8tp8wu3/providers/mysecurityidentityproviderc6s1f3e/mappings HTTP/1.1
Content-Type: application/json
Authorization: Bearer **********-****-****-****-************
```

**Payload**

See [`MappedIdentityBody` model](https://docs.coveo.com/en/78#mappedidentitybody-model) for details on the objects expected in the payload of a security identity mapping request.

```json
{
  "Identity": {
    "Name": "aliceSmith@example.com",
    "Type": "USER"
  },
  "Mappings": [
    {
      "Name": "aSmith@example.com",
      "Type": "USER",
      "Provider": "Email Security Provider"
    }
  ]
}
```

Assuming that the security identity provider of the secured Push source cascades to the Email Security Provider, the user `aSmith@example.com` will be automatically added in the Email Security Provider.

Should the security identity providers of other sources in your Coveo organization also include users which are defined as aliases of the `aSmith@example.com` user in the Email Security Provider, a person who authenticates as any one of those users would be recognized as the `aSmith@example.com` user from the Email Security Provider, and be able to access the secured [items](https://docs.coveo.com/en/210/) which this user is allowed to see in each of those sources.

## Granted identities

A [_granted identity_](https://docs.coveo.com/en/201/) is a type of [security identity](https://docs.coveo.com/en/240/) that's automatically given to certain authenticated users by a security identity provider. A granted identity can be associated with multiple security identities to secure content.

The Email Security Provider automatically grants the following additional identities to each security identity it contains:

| Granted identity | Granted to |
|---|---|
| `*@*` | All identities in the Email Security Provider |
| `*@domain.com` | All identities with an email address in the `domain.com` domain |
| `*@*.domain.com` | All identities with an email address in any subdomain of the `domain.com` domain |

### `*@*`

The `*@*` identity is granted to all Email Security Provider security identities. Therefore, if you use this identity to secure your content, every user that has an Email Security Provider security identity will have access to this content. Public sources typically index content secured with `*@*`.

### `*@domain.com`

The `*@domain.com` identity is granted to all Email Security Provider security identities from the same domain. For example, identities `jsmith@example.com` and `mwilson@example.com` are both granted the `*@example.com` identity.

### `*@*.domain.com`

The `*@*.domain.com` identity is granted to Email Security Provider security identities from any sub-domain of `domain.com`. For example, identities `jsmith@subdomain.example.com`, `jbloggs@subdomain2.example.com`, and `mwilson@subsubdomain.subdomain.example.com` are all granted the `*@*.example.com` identity. However, only `mwilson@subsubdomain.subdomain.example.com` is granted the `*@*.subdomain.example.com` identity.

### Examples

| User's identity | Identities granted |
|---|---|
| `jsmith@example.com` | `*@*`, `*@example.com` |
| `jsmith@subdomain.example.com` | `*@*`, `*@*.example.com`, `*@subdomain.example.com` |
| `jsmith@subsubdomain.subdomain.example.com` | `*@*`, `*@*.example.com`, `*@*.subdomain.example.com`, `*@subsubdomain.subdomain.example.com` |
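
The granting rules above can be reproduced offline to check how many users a wildcard identity reaches before you secure content with it. This is an added Python example, not Coveo code: `granted_identities` and `identities_reached` are hypothetical helper names, the user list is constructed from the addresses on this page, and stopping at two-label parent domains (no `*@*.com`) is an assumption taken from the examples table.

```python
def granted_identities(email: str) -> list[str]:
    """Identities this page says are granted to one email-style identity.

    Order follows the page's examples table: `*@*`, then `*@*.<parent>` from
    the shortest parent domain to the longest, then `*@<exact domain>`.
    """
    local, sep, domain = email.rpartition("@")
    labels = domain.split(".")
    if not sep or not local or len(labels) < 2 or not all(labels):
        raise ValueError(f"not an email-style identity: {email!r}")

    granted = ["*@*"]
    # Assumption: parents need at least two labels, since the page's table
    # lists `*@*.example.com` but never `*@*.com`.
    for start in range(len(labels) - 2, 0, -1):
        granted.append("*@*." + ".".join(labels[start:]))
    granted.append("*@" + domain)
    return granted


def identities_reached(granted_identity: str, emails: list[str]) -> list[str]:
    """Users from `emails` who would hold `granted_identity`."""
    return [e for e in emails if granted_identity in granted_identities(e)]


# Constructed sample: the addresses used in this page's examples.
USERS = [
    "jsmith@example.com",
    "mwilson@example.com",
    "jsmith@subdomain.example.com",
    "jbloggs@subdomain2.example.com",
    "mwilson@subsubdomain.subdomain.example.com",
]

if __name__ == "__main__":
    for identity in ("*@*", "*@example.com", "*@*.example.com",
                     "*@*.subdomain.example.com"):
        reached = identities_reached(identity, USERS)
        print(f"{identity:28} reaches {len(reached)} of {len(USERS)}: {reached}")
```

Note that `*@*.example.com` and `*@example.com` reach disjoint sets of users, so content meant for the apex domain and all of its subdomains needs both identities.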