Non-Address Contact Detail Restriction

See the "User Access" chapter of the Security Guide for details of this type of access restriction. The HTTP API will only expose non-address contact details of a person if the user has access rights.

Restrict Top-Level Resource

The person or relation resource itself can be accessed irregardless of the contact detail access restriction. The non-address contact details attributes are concealed for users that do not have access rights.

Restrict Sub-Resource

Not implemented in the HTTP API. Person and relation do not exist as sub resources in Oracle Health Insurance Components.

Concealing of Linked Resource

The non-address contact details are concealed for users that do not have access rights.

Inference Prevention

When using a non-address-contact-detail as a query condition, only contact details a user has access to are used.

For example, the user is searching for persons with a certain business phone number:

/[api-context-root]/generic/persons?q=phoneNumberBusiness.eq("123-456-789")

The Query API adds a filter like this:

where person.phoneNumberBusiness.eq("123-456-789")
and (person.accessRestrictionContactDetail is null
 or person.accessRestrictionContactDetail in (accessrestrictions of user where Retrieve = Y)
)

Filtering on phoneNumberBusiness (and other protected fields) is also needed when person acts as lookup (on any level), for example

/[api-context-root]/generic/claims?q=claimantRelation.phoneNumberBusiness.eqic("123-456-789")