Granting SharePoint Permissions to the Crawling Account
Tip: The best practice is to create a dedicated account for the exclusive use of the Coveo connector with a password that never changes. If you must change the password of this account you will need to change it both in the original identity provider system (AD or other) and in the corresponding CES user identity (see Adding a User Identity).
This crawling account must have the proper rights to retrieve the information from your SharePoint farm (tenant in SharePoint Online). There are two methods to configure the necessary SharePoint permissions for the crawling account.
Automatic Permissions Setup
The SharePoint and SharePoint Legacy connectors have the ability to automatically set the required permissions to allow the crawling account to gain read access to the whole content as long as the following requirements are met:
For SharePoint 2016, 2013, Foundation 2013, 2010, Foundation 2010, and 2007 (Not for SharePoint Online)
The Coveo SharePoint web service must be installed on the SharePoint farm (see Installing the Coveo Web Service, Search Box, and Search Interface into SharePoint)
The crawling account must:
Be a member of the SharePoint farm administrators group (see Adding the Crawling Account to the SharePoint Farm Administrators Group)
Have the Read permission for the site collection(s) that you want to index (see Adding the SharePoint Website Read Permission).
Manual Permissions Setup
When your SharePoint environment does not meet the requirements for the automatic method, you must manually set permissions for your SharePoint crawling account.
The following table presents the minimal required permissions that the crawling account must have to perform the specified action for the supported SharePoint versions.
Note: CES 7.0.8047+ (December 2015) For OneDrive for Business, follow the actions applicable to your SharePoint version.
|SharePoint version||Action to perform||Minimal required permission|
|✓||Content and Security indexing, incremental refresh, and site collection discovery||
|✓||✓||✓||✓||Full Read policy for all SharePoint farm web applications (see Adding the Full Read Policy to All SharePoint Farm Web Applications).|
Personal site, user profile and social tags indexing
|Read permission for the site collection of the source starting address (see Adding the SharePoint Website Read Permission).|
|✓||✓||✓||Retrieve People Data for Search Crawlers permission to the User Profile Service Application (see Adding the Retrieve People Data for Search Crawlers Permission to the User Profile Service Application).|
|✓||Manage user profiles permission to the Shared Service Rights (see Adding the Manage User Profiles Permission in Shared Service Rights).|
|✓||Owner of all personal sites collections (see Adding the Personal Sites Collections Owner Permissions for SharePoint Online).|
Once you granted the appropriate permissions:
(For SharePoint on-premises versions only) Optionally install the Coveo SharePoint web service (see Installing the Coveo Web Service, Search Box, and Search Interface into SharePoint).
(For SharePoint sources only) Create and index a SharePoint source (see Configuring and Indexing a Microsoft SharePoint Source or Configuring and Indexing a Microsoft SharePoint Source With the Legacy Connector).
(For OneDrive for Business sources only) Create and index a OneDrive for Business source (see Configuring and Indexing a Microsoft OneDrive for Business Source).