Customize Search Results per permissions

Copper Contributor

Hello all,

I have been facing an issue. I have installed an addon to allow me to integrate Sharepoint with Confluence. As it is using the search from SharePoint I started a crawl on the main SharePoint site.


Afterwards, when I logged in to my normal account, which only has read access to 1 subsite,  I was able to view all the documents on all sites through the search. What is worse, I was able to view their content and yet I don't have any permission to the sites that are located-in.

I have completely deleted the search index and stopped the crawlers.



How can I limit search results to show only the content that the logged in user have access to. ?




2 Replies
I've noticed when I flip between my test accounts, my test account (restricted) often inherits permissions from my actual (site collection admin) account. I see this as a pretty major security flaw in our own deployment. Not sure what others have seen, but I am training my users to access SharePoint in either an incognito window, or to set up up one browser to clear cache and cookies upon closure of the browser.
Well the idea is I'm using an admin account that has access to all sites and documents to get all the content from Sharepoint by crawling.

afterwards I want the users including me as an IT who uses the search to view only the content they have access to without seeing the documents from another departments.
e.g. an Accountant from Finance site can only find documents from Finance without being able to see HR documents on the search.

as for some reason after enabling the search even though I do not have access to lets say "Marketing" site I still see all their documents on the search and if I click on the search results it will take me to the file on word online and I can view and edit the files without having this permission on Sharepoint. which is a huge security flaw if that's the case or something is seriously wrong with the implementation with office online.

I know I can exclude some sites from being crawled into but I want to have the flexibility that won't require me to do everything manually such as changing the settings every time a new site is created, a new document library is created or new users joining.