Use Create Formula for Document- and Role-Based Access Control

This article walks you through the Create Formula screen, starting with document-based access control which is available on all content sources and then turning to role-based access control, available only in Salesforce. For concrete examples, check out the Related section.

Document-Based Access Control

Restrain visibility in search results even for those content sources where role-based access control is not possible because the users aren't required to log in. The documents to go public or invisible are selected based on their field properties, such as the title, URL, author name, create date, and others.

Role-Based Access Control

Access restrictions on Salesforce cases, articles, and other objects are carried over to indexed files by default. If a case is out of scope for a user ID inside Salesforce console, the case remains inaccessible on the search results page as well. However, sometimes admins might want to diverge from the default settings. In such scenarios, they can use Create Formula's role-based access control.


If Salesforce is one of your content sources, then you can extend role-based access control settings with Independent Conditions to other content sources as well.

Popular Use Cases

Fig. 1.1

Create Formula Screen

On the Content Sources screen, select a content source and a content type. Then click Create Formula.

A dialog will open. On the extreme left of the dialog is a tab in yellow, which is the object Documentation.

The remaining tabs in gray are fields or content types. Their number varies with the content source and the content type. In the next image, you can spot eight fields for the object Documentation.

Document-based access control can be applied either on:

  1. Entire objects
  2. Individual content fields

Fig. 1.2

Let's say your goal is to change visibility settings of Documentation based on a document's created date. For that, drag Created Date to the gray area.

Fig. 1.3

A dialog will open in which two fields are of interest to us: 

  1. Action Name is where access control settings are labeled. Prefer descriptive labels. For demonstration, "Exclude Last Month" has been chosen. Our goal is to hide all the documents created in the past month from the search results page.
  2. Add Conditions. User personas in Add Conditions support only Salesforce. Scroll down to User-Based Access Control to learn about them.
  3. Response is where field values are selected. The idea of picking field values can seem tricky at first but once grasped, you will find it intuitive. Here are two examples:
    • GOAL: Hide all the articles written by Jose Saramago. Here article is an object, author name is a field, and Jose Saramago is an author name value. The field author name can take other values as well, such as Naguib Mahfouz, Fyodor Dostoevsky, or Michel de Montaigne. But we want the action of hiding articles described in Formula Field Mapping (next section) to take place only when author name has a specific value (Jose Saramago).
    • GOAL. Don't show any article drafts to external users. Article is an object, article state is a field and in article state == draft, the field value is draft. Users are another object and user type is a field. In our case, user type == external. The goal is to hide all drafts from external users which is possible in Formula Field Mapping.



GOAL: Hide the documents updated in the December, 2020.

The documentation is an object (Fig. 1.3) and last updated is a field (Fig. 1.3). December, 2020 is a value of the field last updated. We drag last updated to the gray box where a new dialog opens (Fig. 1.4).

Because the goal is to hide documents, we give our action a descriptive name in Action Name. In Response, we select the date range.

Fig. 1.4

When you click Save, the dialog resembles the next image.

Fig. 1.5

All we have done so far is specify that we want an action to occur when field value is something. What that action is going to be is specified in Formula Field Mapping.

Formula Field Mapping has two dropdowns and a gray box. The dropdowns are Operators and List of Formula. The precise access control setting in the shape of a formula appear in the gray box.


Four operators are available.

  • AND. Boolean operator. Used to select two or more field values. AND (Val1, Val2, Val3)  returns only those documents which have all of these three field values.
  • OR. Boolean operator. Used to make a selection between two or more field values. OR (Val1, Val2, Val3) returns all the documents which have any of these three field values.
  • NOT. Boolean operator. Used to exclude documents with specified field values from results. NOT (Val1) excludes all the documents with the field value Val1.
  • REGEX.Interpret the field value as a regular expression. It is useful when a field is, let's say, view_href and you want to go public with or remove access to URLs from a specific host. Or when the field is title and you don't want any document with the word "archived" in it.

List of Formula

The formula are essentially Action Names with Response values. Once created, they are available for use on any content source and across all search clients. We have so far created only one Formula: Exclude Last Month.

Formula Field Mapping

Using both the dropdowns, you can create simple as well as complex formulas. The formula in the next image excludes all documents whose Created Date is between 1 December, 2020 and 31 December, 2020.

Fig. 1.6

Role-Based Access Control (Salesforce)

Role-based access control is solely available for Salesforce content sources. Instead of an admin specifying explicitly, Responses are picked based on certain user properties. The entire process has three steps, as opposed to two in document-based access control. The extra step is Add Conditions, which can be completed in three parts: 

  1. Define User Properties
  2. Select an Operator
  3. Write a condition

Each of the steps is explained next.

User Properties

Six user properties are supported: 

  • UserId
  • UserType
  • AccountId
  • ProfileId
  • ContactId
  • PermissionSet

Fig. 1.7


The user properties are then compared with values using operators, of which six are available.

  • Equals: Equation is true when User Property equals to the specified value.
  • Not Equals: Equation is true when User Property is not equal to the specified value.
  • And: Equation is true when two or more User Properties are true.
  • OR: Equation is true at least of the User Properties is true.
  • Includes: Equation is true when a User Property includes the specified value.
  • Dependency in: Equation is true when a User Property equals the Response value of another Action.

Fig. 1.8


With user properties and operators, you can create simple as well as complex creations. One simple condition is in the next image which says that when the users are external, then set response value to 31 days,

Fig. 1.9

Next we are going to exclude the articles with the Last Modified Date between starting from 01 January, 2021 and ending on 31 January, 2021.

Fig. 1.10

Independent Conditions

Independent Conditions are used to extend role-based access control settings, based on Salesforce, to other content sources.


An organization uses Salesforce Community and another to host docs, let's say Confluence. It wants to hide a document, Bug Fixes: 2021-12-04, on Confluence from external users. Document-based access control would have sufficed if the goal was to hide it from all the users. But that's not the case here. We want everyone, but external users, to be able to find the document. However, access control based on a user's profile is available only in Salesforce. It's exactly for such situations that Independent Conditions offers a way out.

The following example shows how you can hide a Confluence document based on its title from external users. The users are identified from Salesforce data.

Open a search client, connected with both Confluence and Salesforce Community, for editing. Next go to Content Sources, find Salesforce Community, click Create Formula, and then Independent Conditions.

Give the condition a descriptive title in Action Name. In Add Condition, set User.UserType == External. Finally, insert True in Response.

Save the settings. Then open the Confluence content source. In our case, the content source is named Docs Site.


Although this example is about Confluence, the same steps can be applied to any content source other than Salesforce.

Because we are going to hide a document based on a value in the field Title, we have to drag Title to the gray box.

Next, give the action a name, select Equals from Operator and choose Hide from External (the independent condition from Salesforce Community) from Dependency. In Response, write the title of the document that has to be hidden.

Here's a summary of what's happening here:

  • Hide Bug Fixes Doc (Confluence) calls Hide From External (Salesforce Community Independent Condition)
  • Hide From External (Salesforce Community Independent Condition) returns True if the user is External
  • When the condition is True, Hide Bug Fixes Doc (Confluence) returns Bug Fixes: 2021-12-04 from Response

Next, the task is to hide any document for which the Title matches Hide Bug Fixes: 2021-12-04. For that we simply write NOT (Hide Bug Fixes Doc) in Formula Field Mapping.

VoilĂ ! We have just applied user-based access control on a non-Salesforce platform with Independent Conditions.

Example 1: Hide a Document Based on Its URL

Last updatedFriday, February 26, 2021

Was this article helpful? Send us your review at