Question by psomtri, Apr 26, 2015 12:00 AM

Group security not working on web connector source

Our search page is meant to show search results from sitecore and external (web connector) sources. While editing the search page in page editor while logged in with an account (coveoadmin) which is a member of role "sitecore\our editors", it is not showing results from the external source. I did add permission to group sitecore\our editors in the external index. Results are not showing up until I add the user "coveoadmin" directly to the permissions.

How to make group permissions work? NOTE: user coveoadmin is also marked as sitecore administrator in addition to being in our editors role.

Comment by Jean-François L'Heureux, Apr 27, 2015 10:10 AM


Can you tell me exactly where you allowed the "sitecore\our editors" group in your external index? Is it in the external source permission tab in CES or in the external collection "edit permissions" section in CES?

Can you also tell me which "Security Provider" is displayed at the right of the "sitecore\our editors" allowed user and what kind of icon is displayed at its left (single silhouette or two of them)?

Finally, if you open the CES Console (through the Windows start menu) and you execute a query in the Sitecore Page Editor, which user is displayed for the query in the CES Console?

Comment by psomtri, Apr 27, 2015 12:25 PM

I added permissions at external source level, not the collection level. I have a custom name for security provider that I used in my coveo config and I see the same provider name (which is TW-Coveo-Sitecore-Security-Provider). And I have two silhouettes on the icon. On CES console it displays the user name against the query, in this case sitecore\CoveoAdmin.

Comment by psomtri, Apr 27, 2015 12:25 PM

Also I noticed some kind of caching going on with security: now I can see results from external source when logged in as CoveoAdmin even though I removed CoveoAdmin from "tw editors" group. So now I created a new test account called "CoveoTest" and added it to "tw editors" role and I don't see external source results when logged in with "CoveoTest".

Do I have to rebuild index every time I add a sitecore user to the sitecore role?

Comment by Jean-François L'Heureux, Apr 27, 2015 3:30 PM

This cache is the CES Security Cache. It refreshes at midnight every day by default (CES Administration tool > Configuration > Schedules > System). This schedule is configurable.

At indexing time, when CES sees a user/group it doesn't have in its cache, it asks its security provider to get the other groups (Sitecore roles) in which the member is a "member of" and also its members if it is a user. CES caches these securities and queries by this user will use the securities from the cache.

Comment by Jean-François L'Heureux, Apr 27, 2015 3:32 PM

If you change the user/group members in Sitecore, you should manually update the security cache (CES Administration tool > Status > Details > Content Security > Update Cache Now) or wait for the schedule to do it.

Comment by psomtri, Apr 27, 2015 4:13 PM

Thanks, when I manually update the cache the newly added user to the group is able to see the external website results.

But to check the query time update of permissions cache, I added another user (CoveoTest2) to the sitecore group after the "manual update cache" completed. And I logged in to experience editor using CoveoTest2. Now my 1st query should get the group memberships from sitecore and add permissions to cache and show me the results from external source. But that is not happening. I just want to make sure your last but one comment still holds good.

Answer by psomtri, Apr 28, 2015 11:24 PM

For a newly added user it is possible for coveo to get the user's group memberships when the user executes the 1st query. Then it caches them and uses them for subsequent queries by that user. But we found that this is not a default behavior in coveo for sitecore; it had to be enabled via some script.

Answer by Jean-François L'Heureux, Apr 27, 2015 4:39 PM

I just asked a security cache engineer and got the real answer. The expansion of the user securities is not done at the first query but only at indexing time. Sorry for the confusion. I updated my previous comment.

For your use case (A Sitecore role is already in CES security cache. A new user is added to this role. The user queries the index.), the new user will be added to the CES security cache without any securities. The only documents he will be able to query are the anonymous-available documents until a security cache refresh is done automatically or manually.
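The cache behaviour described in this thread, as an added example that is not part of the original posts and is not Coveo code: a simplified Python model showing how a membership change made after the last refresh leaves a removed user with access and a new user without it until the cache is refreshed. The class and method names are hypothetical; only the role and user names come from the thread.

```python
# Simplified model of the cache behaviour described in this thread.
# Added example, not Coveo code; class and method names are hypothetical.

class SecurityCacheModel:
    def __init__(self, provider_roles):
        self.provider_roles = provider_roles  # live source of truth: role -> set of users
        self.cached_roles = {}                # user -> roles as of the last expansion

    def _live_roles(self, user):
        return frozenset(r for r, members in self.provider_roles.items() if user in members)

    def refresh(self):
        """Models the nightly schedule or a manual 'Update Cache Now'."""
        known = set(self.cached_roles)
        known.update(u for members in self.provider_roles.values() for u in members)
        self.cached_roles = {u: self._live_roles(u) for u in known}

    def can_see(self, user, allowed, anonymous_ok=False):
        # Query time: an unknown user is cached with no role memberships,
        # and the security provider is NOT consulted.
        roles = self.cached_roles.setdefault(user, frozenset())
        return anonymous_ok or user in allowed or bool(roles & allowed)

    def stale_users(self):
        """Users whose cached roles differ from the provider's current view."""
        return sorted(u for u, r in self.cached_roles.items() if r != self._live_roles(u))


def demo():
    role = "sitecore\\our editors"
    admin, new_user = "sitecore\\CoveoAdmin", "sitecore\\CoveoTest2"
    cache = SecurityCacheModel({role: {admin}})
    cache.refresh()
    acl = {role}                               # external source allows the role only

    # Membership changes in Sitecore after the last refresh.
    cache.provider_roles[role] = {new_user}
    before = (cache.can_see(admin, acl), cache.can_see(new_user, acl))
    drift = cache.stale_users()
    cache.refresh()
    after = (cache.can_see(admin, acl), cache.can_see(new_user, acl))
    return before, drift, after


if __name__ == "__main__":
    print(demo())
```

The `stale_users` check is the part worth keeping in mind operationally: any user it lists is being authorized on outdated role data, in either direction, until the next refresh.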

Comment by psomtri, Apr 27, 2015 6:46 PM

Thanks for the clarification. I tested with my use case for an extranet logged in user, and I am not able to see any documents from external web source. My documents on external source are not anonymous-available documents. How do I make them anonymous-available documents? I already have given access to extranet\anonymous, but my logged in user is not extranet anonymous. I need to make my documents anonymous-available in general, how do I do that?

Comment by Jean-François L'Heureux, Apr 28, 2015 9:47 AM

To make external sources documents anonymously available to Sitecore users, I normally allow the Sitecore "Everyone" group (with my Sitecore security provider) on my external source. Since every Sitecore user is a member of the Sitecore "Everyone" role, they gain access to the external sources documents.

Comment by psomtri, Apr 28, 2015 11:44 AM

Nope, that did not work, it still won't let my new user see the content. I am opening a support ticket.

