Non-address Contact Detail Restriction

See the User Access Guide for details of this type of access restriction. The HTTP API will only expose non-address contact details of a person if the user has access rights.

Restrict Top-level Resource

The person or relation resource itself can be accessed regardless of the contact detail access restriction. The non-address contact detail attributes are concealed for users that do not have access rights.

Restrict Sub Resource

Not implemented in the HTTP API. Person and relation do not exist as sub resources in Oracle Health Insurance Components.

Concealing of Linked Resource

The non-address contact details are concealed for users that do not have access rights.

Inference Prevention

When using a non-address-contact-detail as a query condition, only contact details a user has access to are used.

For example, the user is searching for persons with a certain business phone number:

/[api-context-root]/generic/persons?q=phoneNumberBusiness.eq('123-456-789')

The Query API adds a filter like this:

where person.phoneNumberBusiness.eq('123-456-789')
and (person.accessRestrictionContactDetail is null
 or person.accessRestrictionContactDetail in (accessrestrictions of user where Retrieve = Y)
)

Filtering on phoneNumberBusiness (and other protected fields) is also needed when person acts as a lookup (on any level), for example:

/[api-context-root]/generic/claims?q=claimantRelation.phoneNumberBusiness.eqic('123-456-789')
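
The following added example (not Oracle's code) models the filter above in Python to show why concealing the attribute is not enough on its own: without the access-restriction condition, a restricted person still appears in the result set, which confirms the phone number that was searched for. The sample data, the VIP restriction code and all function names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Person:
    id: int
    phoneNumberBusiness: Optional[str]
    accessRestrictionContactDetail: Optional[str]  # None = no restriction set

@dataclass
class Claim:
    id: int
    claimantRelation: Person

# Constructed sample data (hypothetical values, not from the product).
PERSONS = [
    Person(1, "123-456-789", None),
    Person(2, "123-456-789", "VIP"),
    Person(3, "555-000-111", "VIP"),
]
CLAIMS = [Claim(10, PERSONS[0]), Claim(11, PERSONS[1])]

def may_retrieve(person, user_restrictions):
    """Mirrors: restriction is null or in (restrictions of user where Retrieve = Y)."""
    code = person.accessRestrictionContactDetail
    return code is None or code in user_restrictions

def conceal(person, user_restrictions):
    """The top-level resource stays visible; the protected attribute is blanked."""
    allowed = may_retrieve(person, user_restrictions)
    return {"id": person.id,
            "phoneNumberBusiness": person.phoneNumberBusiness if allowed else None}

def search_persons(phone, user_restrictions, inference_prevention=True):
    """Search on a protected field; the extra condition is the inference filter."""
    hits = [p for p in PERSONS
            if p.phoneNumberBusiness == phone
            and (not inference_prevention or may_retrieve(p, user_restrictions))]
    return [conceal(p, user_restrictions) for p in hits]

def search_claims(phone, user_restrictions):
    """Same condition when person is only reached as a lookup from claim."""
    return [c.id for c in CLAIMS
            if c.claimantRelation.phoneNumberBusiness == phone
            and may_retrieve(c.claimantRelation, user_restrictions)]
```

With the filter switched off, person 2 comes back with a concealed phone number, yet its presence in the result already reveals the match.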