
Security Control Levels in CES

In Coveo Enterprise Search (CES), controlling access to indexed content is a key issue. Access to content can be controlled at multiple security levels: levels linked to collections and sources, which are the organization units of the unified index (see Understanding Coveo .NET Components Hierarchy), and the security associated with each document in its original system or repository.

Collection-level security

You can assign access rules to each collection defined in the unified index. Only users meeting the collection security rules can access documents indexed within one of the sources of the collection (see Modifying Collection Permissions).

Example: You define a Human Resources collection, and set security rules so that only Human Resources employees can access this content.

Source-level security

By default, all users who have access to the parent collection can access the sources of the collection. You can, however, override these permissions. A user who is explicitly allowed access to a source can see the source documents in the results (including the results excerpt, summary and Quick View) but still needs the document-level permissions to be able to open the document (see Modifying Source Security Permissions).

Example: Within the Human Resources collection, you define a Salary and benefits source, and set security rules so that only authorized users among the Human Resources employees can view source documents in the results. However, these authorized users will be able to open a source document only if they have document-level permissions to do so.

Document-level security

Each system or repository containing documents assigns security rules to the elements it contains following a specific security model. One of the key features of a CES connector is that it knows the security model of the system or repository to which it is designed to connect (see Security).

When CES indexes content from a system or repository, you generally set the connector to crawl the system or repository using an account that has full access, so that it can index all the content. For each document, the connector extracts not only the content of the document but also the security rules associated with it. Consequently, the unified index contains both the content and the security for each document.

Example: Access to a document in the Salary and benefits source from the Human Resources collection is restricted to the Human Resources Director only.
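The three levels described in the sections above, modelled on the Human Resources example as an added illustration (this is not Coveo code and does not use any CES API). It assumes permissions are expressed as group membership and that a source override is evaluated on top of the collection rule; the user names, group names, the Policies source and the document titles are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample users and groups (hypothetical names).
GROUPS = {
    "alice": {"HR", "HR-Payroll", "HR-Director"},
    "bob": {"HR", "HR-Payroll"},
    "carol": {"HR"},
    "dave": {"Engineering"},
}

@dataclass(frozen=True)
class Collection:
    name: str
    allowed: frozenset

@dataclass(frozen=True)
class Source:
    name: str
    collection: Collection
    allowed: Optional[frozenset] = None  # None: inherit the collection's rules

@dataclass(frozen=True)
class Document:
    title: str
    source: Source
    allowed: frozenset  # rules the connector extracted from the repository

def _member(user, allowed):
    return bool(GROUPS.get(user, set()) & allowed)

def can_see_in_results(user, doc):
    """Collection rule first, then the source override if one is set."""
    src = doc.source
    if not _member(user, src.collection.allowed):
        return False
    return src.allowed is None or _member(user, src.allowed)

def can_open(user, doc):
    """Opening additionally requires the document-level permission."""
    return can_see_in_results(user, doc) and _member(user, doc.allowed)

HR = Collection("Human Resources", frozenset({"HR"}))
SALARY = Source("Salary and benefits", HR, frozenset({"HR-Payroll"}))
POLICIES = Source("Policies", HR)  # hypothetical source with no override
REVIEW = Document("Director salary review", SALARY, frozenset({"HR-Director"}))
HANDBOOK = Document("Employee handbook", POLICIES, frozenset({"HR"}))

def access_matrix(doc):
    """Map each sample user to (visible in results, can open)."""
    return {u: (can_see_in_results(u, doc), can_open(u, doc)) for u in sorted(GROUPS)}
```

Calling `access_matrix(REVIEW)` shows the case the source-level section describes: a user allowed on the source sees the result but cannot open the document without the document-level permission.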

When a user performs a query, the Coveo server searches for documents matching the query, and then verifies for each matching document whether the user performing the query has access rights to this document. The following diagram outlines the process that CES uses to determine if a document can be included in the search results for a given user.

 
