
Refreshing Security Caches

Coveo Enterprise Search (CES) uses a security cache to quickly identify the security identity of a user performing a query (see What Is a Security Cache?). By default, the security cache is updated daily at midnight so that any security identity changes made in indexed repositories within the last 24 hours take effect in the security cache and are consequently reflected in search results. You can change the time or frequency of the security update schedule (see Modifying System Schedules).

As described in the procedure below, you can also manually start the security cache update at any time to ensure that all the latest permission changes made in all repositories will shortly be effective in search results.


  • Updating the cache sends requests to all repositories to get all users and groups. When repositories have a large number of users and groups, the repository servers and the Coveo Master server may consume noticeable resources to process the requests. This is why, by default, the security cache update is scheduled only once a day during a typical off-peak period.

  • When you want to update the security cache for changes made to only one or a few specific security groups, you can do so efficiently by using the Security Browser to find each of these groups and then clicking Update permissions for: [group_name] (see Using the Security Browser).

  • The security cache does not contain document permission information. The index does. When the permissions on indexed documents change in a given repository, the change becomes effective in the index following an incremental refresh, a full refresh, or a rebuild of the corresponding source (see Applying an Action to a Collection or a Source). The type of source action needed to pick up permission changes depends on the source connector type.

  • CES 7.0.7183+ (November 2014) The security cache update performance is improved by automatically disabling the update of invalid security entities in the cache. The invalid security entities remain in the security cache so that indexed documents still associated with these entities can be returned, but the entity relationships are cleared and these entities are no longer updated. If invalid security entities return to a valid state, their update in the security cache is automatically re-enabled.

    Example: In the security cache, the group G contains the user U. Document1 allows the group G, and Document2 allows the user U. When the group G or the user U is tagged invalid, the relationship between the group G and the user U is cleared in the security cache. When user U performs the query, only Document2 is returned.
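The group G / user U example above can be traced with a small model of the cache. This is an added illustration, not Coveo code: the `SecurityCache` class, its method names, and the way a repository reports invalid entities are all assumptions made for the sketch.

```python
# Simplified model of the behaviour described above (an assumption, not CES code).
class SecurityCache:
    def __init__(self):
        self.members = {}     # group -> set of direct members
        self.invalid = set()  # entities tagged invalid: kept, not updated

    def update(self, repository, invalid=()):
        """Refresh from a snapshot {group: members}; `invalid` names invalid entities."""
        self.invalid = set(invalid)
        for group, users in repository.items():
            if group in self.invalid:
                self.members[group] = set()  # relationships cleared
            else:
                # Valid (or valid again): refresh, minus links to invalid members.
                self.members[group] = set(users) - self.invalid

    def identities(self, user):
        """Return the user plus every group that transitively contains it."""
        found, frontier = {user}, [user]
        while frontier:
            entity = frontier.pop()
            for group, users in self.members.items():
                if entity in users and group not in found:
                    found.add(group)
                    frontier.append(group)
        return found

    def query(self, user, documents):
        """Return the documents that allow any of the user's identities."""
        who = self.identities(user)
        return sorted(d for d, allowed in documents.items() if allowed & who)


# Constructed sample data matching the example in the text.
REPOSITORY = {"G": {"U"}}
DOCUMENTS = {"Document1": {"G"}, "Document2": {"U"}}

def demo():
    cache = SecurityCache()
    cache.update(REPOSITORY)
    healthy = cache.query("U", DOCUMENTS)
    cache.update(REPOSITORY, invalid={"G"})
    g_invalid = cache.query("U", DOCUMENTS)
    cache.update(REPOSITORY, invalid={"U"})
    u_invalid = cache.query("U", DOCUMENTS)
    cache.update(REPOSITORY)  # both valid again: relationship restored
    restored = cache.query("U", DOCUMENTS)
    return healthy, g_invalid, u_invalid, restored
```

In this model an invalid entity can only narrow what user U sees through group membership; access granted directly to the entity (Document2) is unchanged.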

The external security cache, by contrast, stores document-level permissions that are not indexed because they are listed in a separate directory.

Example: When mycompany\JSmith queries a repository for which document-level permissions are not indexed, CES has to access the security directory and determine which documents are accessible to mycompany\JSmith. To avoid repeating this lengthy process, CES keeps the permissions granted to mycompany\JSmith in the external security cache for future reference.

You can also manually refresh the security caches between scheduled refreshes.

To manually refresh the security caches

  1. On the Coveo server, access the Administration Tool (see Opening the Administration Tool).

  2. On the menu, select Status > Details.

  3. In the Details page, in the Content Security section:

    1. Click Update Cache Now to start the security cache update process.

      CES 7.0.7183+ (November 2014) While the update is ongoing, you can click the [Monitor Update Progress] link that appears to go to the Mirrors page where you can monitor the security cache update progress reported by a percentage value for each mirror.

      Note: In the CES Console, a message similar to the following one appears, allowing you to monitor the security cache update progress:

      Updating security cache (10%). Processed security items: 351515/3498585

      When the update is completed, the line changes to:

      Done updating security cache.

    2. In rare cases where one or more of your sources use late-binding, click Clear External Security Cache Now when you want to reset the external security cache to ensure that permissions for all queries are up to date.

      CES starts rebuilding the cache from scratch, using security providers to ask repositories for the permissions of all late-binding source documents matching incoming queries (see External Security Cache).

      In the CES Console, the following message appears: 

      The External Security Cache was cleared.

      Note: You can enable late-binding for a source from its Permissions page (see Modifying Source Security Permissions).
