Person Details Restriction

See the section "Person Details Restriction" in the "User Access" chapter of the Security Guide for details of this type of access restriction. The HTTP API only exposes persons to which the user has access.

Restrict Top-Level Resource

Use Case

A person or relation is retrieved as a top-level resource.

The HTTP API will automatically add the following filter:

where relation.accessRestriction is null
or relation.accessRestriction in (accessrestrictions of user where Retrieve = Y)

Restrict Sub-Resource

Use Case

A top-level resource is retrieved with person as its sub-resource.

This use case does not exist in Oracle Health Insurance Components.

Concealing of Linked Resource

Persons and relations as linked resources are concealed if the user does not have access rights.

Inference Prevention

When a relation attribute is used as a query condition, the Query API automatically adds a filter to implement inference prevention.

For example, a user is searching for claims of person P:

/[api-context-root]/generic/claims?q=claimantRelation.code.eq("P")

The Query API will apply this filter:

where claims.person.code eq "P" and ( claims.person.accessRestriction == null
or claims.person.accessRestriction in (accessrestrictions of current User with Retrieve = Y) )

The filter is applied regardless of how the relation attribute appears in the query condition, for example when it is reached through another resource:

/[api-context-root]/generic/claimlines?q=claim.claimantRelation.code.eq("P")

The Query API automatically adds the filter in this case.
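
The inference-prevention filter described above, as an added example that is not Oracle's code: it runs the same `accessRestriction is null or in (...)` condition against an in-memory SQLite database and shows that a restricted claimant produces the same empty result as a claimant that does not exist. The schema, table and column names, users and rows are all constructed for illustration.

```python
import sqlite3

# Constructed schema and rows; table and column names are hypothetical,
# not the Oracle Health Insurance data model.
SCHEMA = """
CREATE TABLE person (code TEXT PRIMARY KEY, access_restriction TEXT);
CREATE TABLE claim  (code TEXT PRIMARY KEY, claimant_code TEXT REFERENCES person(code));
CREATE TABLE user_grant (username TEXT, access_restriction TEXT, retrieve TEXT);
INSERT INTO person VALUES ('P', NULL), ('Q', 'VIP'), ('R', 'STAFF');
INSERT INTO claim  VALUES ('C1', 'P'), ('C2', 'Q'), ('C3', 'R');
INSERT INTO user_grant VALUES ('alice', 'VIP', 'Y'), ('alice', 'STAFF', 'N'),
                              ('bob', 'VIP', 'N');
"""

# The caller's condition is ANDed with the access filter, so the filter
# cannot be bypassed by choosing a different query condition.
CLAIMS_BY_CLAIMANT = """
SELECT c.code FROM claim c JOIN person p ON p.code = c.claimant_code
WHERE p.code = :claimant
  AND (p.access_restriction IS NULL
       OR p.access_restriction IN (SELECT g.access_restriction
                                   FROM user_grant g
                                   WHERE g.username = :user
                                     AND g.retrieve = 'Y'))
ORDER BY c.code
"""

def open_db():
    """Create the constructed sample database in memory."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def claims_for(db, user, claimant):
    """Return the claim codes visible to `user` for the given claimant code."""
    rows = db.execute(CLAIMS_BY_CLAIMANT, {"user": user, "claimant": claimant})
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = open_db()
    for user in ("alice", "bob"):
        for claimant in ("P", "Q", "R", "ZZ"):  # ZZ does not exist
            print(user, claimant, claims_for(db, user, claimant))
```
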