Gravatar for cdesrochers@coveo.com

Question by Cédric Desrochers, Dec 19, 2016 3:12 PM

What would be the best-practice to show content from Secured Salesforce sources to anonymous users?

Out-of-the-box, it appears that the Coveo for Salesforce integration can only show the content of Shared sources to anonymous users, which makes perfect sense at first glance.

However the native search box on a Salesforce community seems to be able to show results for at least some objects (e.g. Questions) that have permissions attached, even if users are anonymous. We suspect this is due to the native search being able to show said content to anonymous users through the community's guest user profile.

Ultimately, the end-goal would be to show selected objects from Secured sources to anonymous users in a first step, and then to respect the permissions as usual once users are logged in.

Use of the Anonymous Profile as per https://onlinehelp.coveo.com/en/cloud/configuringcoveoforsalesforcev2.htm does not appear to be giving out the desired result.

One idea would consequently be to identify the community's guest user's email and to inject the latter in the access token via userIds as per https://developers.coveo.com/display/public/SearchREST/Search+Token+Authentication. Obviously, one would need to ensure that the objects in question are visible to the guest user profile, on Salesforce's side.

Essentially:
1) Would you have a better recommendation?
2) Did we miss an easy out-the-box way to achieve this goal?

We'd certainly have follow-ups, but let's start form the above foundation.

Gravatar for jfcadrin@coveo.com

Comment by JFCG, Dec 21, 2016 10:40 AM

To be clear, we're in no way trying to circumvent permissions; we're trying to reproduce the native search's behavior. By using the guest user, our understanding is that we'd be achieving this goal while respecting permissions.

1 Reply
Gravatar for glaporte@coveo.com

Answer by Gregory Laporte, Dec 21, 2016 12:36 PM

Hi,

Your Search Token should already contains the email address of the guest user when you are searching from an anonymous community. You can easily grab your Search Token from the network tab of your browser and explore it's content on a website like https://jwt.io/. If this profile have access to the content in Salesforce, it should also have access through Coveo Search.

If the user doesn't have access to it in Salesforce and you want to show the content anyways, it's against our recommendations but you can add additional user identities if you generate your own token. There are multiple ways to achieve that: https://developers.coveo.com/display/public/SalesforceV2/JsSearch+Visualforce+Component#JsSearchVisualforceComponent-additionalUserIdentities https://developers.coveo.com/display/public/SalesforceV2/Community+Builder+-+Advanced+Lightning+Integration#CommunityBuilder-AdvancedLightningIntegration-GenerateaSearchTokenwithCustomCode

Gravatar for jfcadrin@coveo.com

Comment by JFCG, Dec 21, 2016 2:44 PM

We had already confirmed in both the JSON userIdentities and in the decoded search token that the querying user was "anonymous" from the email security provider.

However, when we check the configuration of the community, the guest user email should in fact be acmesuccesscenter@acme.force.com.test2, which does not match with the user being recognized as "anonymous".

We can see on the content that acmesuccesscenter@acme.force.com.test2 is in fact an Allowed user in the indexed permissions of the desired content.

The only thing we find for "Anonymous" in the Security Browser is a user from the email security provider that's listed as a member of wildcard-@-wildcard. This explains why "anonymous" can see the content coming from Shared sources.

All the things we see suggest it's perfectly normal that "anonymous" users cannot see in Coveo results content that comes from Secured sources.

So I guess that it all boils down to Coveo not reproducing the behavior of the native search. If that is the as-designed and fully expected behavior, I believe we might need to stick to it .

Can you just confirm that not reproducing the native Salesforce search behavior is as-designed and that we have no plan to add a feature to inject the community's guest user? If so, we could make a feature request and go from there.

Ask a question