
How CES Handles the Sitecore Permission Model with the Legacy Connector

Sitecore handles security access rights slightly differently than CES. CES denies access to a document whenever the user (or one of its roles) is denied access on this document; a deny always overrules an allow. In Sitecore, the same rule applies, but there are exceptions that depend on whether the access rule is explicitly set on an item or inherited from another item, whether the user is an administrator, etc.

CES overcomes this problem by implementing a heuristic that detects cases where a user might have the right to see a document even if that user is part of a role that does not have the right to see the same document.

The trade-off of that solution is that, by default, CES does not take security changes made on the Sitecore side into account in a live indexing run. You must have a refresh schedule set on your sources if such security is present in your site. Fortunately, CES logs a warning during source indexing if such security is encountered. If your security model works like the one expected by CES, the connector operates normally.

Note: You can also set the LiveIndexingIncludeSecurity advanced parameter to True (see Modifying Hidden Sitecore Source Parameters for the Legacy Connector).
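
The following added example (not CES or Sitecore code) shows how an administrator could audit an exported permission set for items where a flat deny-overrides evaluation disagrees with a model in which an entry on the user itself outranks role entries. That precedence rule is an assumed, simplified stand-in for the Sitecore exceptions described above, and all item, user and role names are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Acl:
    """Read entries on one item: identity name -> "allow" or "deny"."""
    user_entries: dict = field(default_factory=dict)
    role_entries: dict = field(default_factory=dict)

def flat_deny_overrides(acl, user, roles):
    """Flat model: a deny on the user or on any of its roles always wins."""
    decisions = [acl.user_entries.get(user)]
    decisions += [acl.role_entries.get(r) for r in roles]
    if "deny" in decisions:
        return False
    return "allow" in decisions

def user_entry_first(acl, user, roles):
    """Assumed exception: an entry on the user itself outranks role entries."""
    direct = acl.user_entries.get(user)
    if direct is not None:
        return direct == "allow"
    decisions = [acl.role_entries.get(r) for r in roles]
    if "deny" in decisions:
        return False
    return "allow" in decisions

def divergent_items(items, users):
    """Return sorted (item, user) pairs on which the two models disagree."""
    found = []
    for path, acl in items.items():
        for user, roles in users.items():
            flat = flat_deny_overrides(acl, user, roles)
            if flat != user_entry_first(acl, user, roles):
                found.append((path, user))
    return sorted(found)

# Constructed sample data: user -> roles, item path -> ACL.
USERS = {"alice": ["Editors", "Contractors"],
         "bob": ["Contractors"],
         "carol": ["Editors"]}
ITEMS = {
    "/home": Acl(role_entries={"Editors": "allow", "Contractors": "allow"}),
    "/hr/salaries": Acl(user_entries={"alice": "allow"},
                        role_entries={"Editors": "allow", "Contractors": "deny"}),
    "/drafts": Acl(user_entries={"carol": "deny"},
                   role_entries={"Editors": "allow"}),
}

if __name__ == "__main__":
    for path, user in divergent_items(ITEMS, USERS):
        print(f"security mismatch: {user} on {path}")
```

Items reported by `divergent_items` are the ones whose permissions a flat deny-overrides index cannot represent directly, so sources containing them are candidates for a refresh schedule.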