Security Control Levels in CES
-
Collection-level security
-
You can assign access rules to each collection defined in the unified index. Only users meeting the collection security rules can access documents indexed within one of the sources of the collection (see Modifying Collection Permissions).
Example: You define a Human Resources collection, and set security rules so that only Human Resources employees can access this content.
-
Source-level security
-
By default, all users who have access to the parent collection can access the sources of the collection. You can, however, override these permissions. A user who is explicitly allowed access to a source can see the source documents in the results (including the results excerpt, summary and Quick View) but still needs document-level permissions to open the document (see Modifying Source Security Permissions).
Example: Within the Human Resources collection, you define a Salary and benefits source, and set security rules so that only authorized Human Resources employees can view source documents in the results. However, these authorized users can open a source document only if they have the document-level permissions to do so.
-
Document-level security
-
Each system or repository containing documents assigns security rules to the elements it contains following a specific security model. A key feature of each CES connector is that it knows the security model of the system or repository to which it is designed to connect (see Security).
When CES indexes content from a system or repository, you generally set the connector to crawl the system or repository using an account that has full access, so that it can index all the content. For each document, the connector extracts not only the content of the document but also the security rules associated with it. Consequently, the unified index contains both the content and the security rules for each document.
Example: Access to a document in the Salary and benefits source of the Human Resources collection is restricted to the Human Resources Director only.
When a user performs a query, the Coveo server searches for documents matching the query, and then verifies, for each matching document, whether the user performing the query has access rights to that document. The following diagram outlines the process that CES uses to determine if a document can be included in the search results for a given user.