Product DocsMenu

Coveo Platform 6.5 >
Administrator Help > Connectors > Salesforce Connector > Choosing How to Set Permissions for a Source

Choosing How to set Permissions for a Salesforce Source

You can configure the Salesforce connector to manage permissions for Salesforce content using two possible methods: early-binding or late-binding. You must select which method to use before configuring your Salesforce source.

Early-binding (recommended)

With the early-binding method, the permissions associated to Salesforce content are incorporated into the unified index. When a user makes a query for Salesforce content, the index knows which content this user has access to and only returns query results for content this specific user has access to. This method is recommended because it provides optimal query performances.

The inconvenience of this method is that it cannot integrally reproduce the complex Salesforce security model.

Using the default mapping file

The default mapping file includes a security binding mapping (<AllowedUsers>) that grants access to all users that are members of the Salesforce Users CES custom security group. This mapping is in the <CommonMapping> section of the mapping file and therefore applies to all indexed Salesforce types of content (see About the Default Salesforce Mapping File).

When you index a Salesforce source using the default mapping file for the first time, CES creates the Salesforce Users custom security group. At this point, there are no members in this group. Consequently, nobody can search Salesforce content. In the Coveo Administration Tool, all you have to do is add users and groups to the Salesforce Users custom security group (see Managing Custom Security Groups). You can manage access to the Salesforce search results by adding/removing members to/from this group without having to rebuild the Salesforce source.

Using a custom mapping file

You can customize the mapping file to implement more specific early-binding security mappings, like creating independent custom security groups for each Salesforce type of content (see Creating and Using a Custom Salesforce Mapping File). In the Coveo Administration Tool, you can then add different users to the various custom security groups (see Managing Custom Security Groups).

Example: You may want that only users from your Sales department can search the Opportunity type of Salesforce content and only users from your Customer Support department can search the Case type of Salesforce content.

Note: You can also directly allow specific users to the <CommonMapping> or the <Mapping> section of a specific type of Salesforce content without using custom security groups. The inconvenience of this method is that you must modify the mapping file and rebuild or refresh the source each time you need to add/remove allowed users.


With the late-binding method, the permissions associated to Salesforce content are not in the index and must be fetched at query time. This method has the benefit of exactly matching the internal Salesforce permissions. The configuration only implies creating a Salesforce security provider (see Configuring a Salesforce Security Provider) and associating the security provider to the Salesforce source (see Modifying Source Security Permissions).

Note: When you associate a security provider to a Salesforce source, the connector ignores security settings from the default or custom mapping file.

The inconveniences of this method are:

  • Query performances can dramatically decrease as for each query, the security provider must validate the permissions of each query result to only return results to which the user has read permissions.

  • Users must enter their Salesforce credentials in the search interface for each search session.

What's Next?

Once you made the appropriate configuration for how you selected to set permissions on the source, configure and index the source (see Configuring and Indexing a Salesforce Source).