Data Access Group Restriction
See the User Access chapters in the Security Guide for details of this type of access restriction.
Conventions used in this section:
-
R is a resource subject to the data access group restriction. R acts as a top-level resource.
-
S is a resource subject to the data access group restriction. S acts as a sub resource.
-
L is a resource subject to the data access group restriction. L acts as a linked resource.
Please note that the same resource can act as a top-level resource in one use case, but as sub resource or linked resource in some other use case.
Restrict Top-Level Resource
Use case 1
A resource is retrieved which is subject to a data access group restriction.
HTTP API will automatically add the following filter:
where R.dataAccessGroup is null
or R.dataAccessGroup.accessRestriction is null
or R.dataAccessGroup.accessRestriction in (accessrestrictions of user where Retrieve = Y)
Use case 2
A resource is retrieved that is considered a child of a resource that is subject to a data access group restriction.
HTTP API will automatically add the following filter:
where C.R.dataAccessGroup is null
or C.R.dataAccessGroup.accessRestriction is null
or C.R.dataAccessGroup.accessRestriction in (accessrestrictions of user where Retrieve = Y)
where C is the child resource.
Use case 3
A resource is retrieved that is considered a grandchild of a resource that is subject to a data access group restriction.
HTTP API will automatically add the following filter:
where G.C.R.dataAccessGroup is null
or G.C.R.dataAccessGroup.accessRestriction is null
or G.C.R.dataAccessGroup.accessRestriction in (accessrestrictions of user where Retrieve = Y)
where C is the child resource and G the grandchild resource.
It is application specific which resources are considered children of a resource with regard to data access group restriction. This information is available in the User Access chapters in the Security Guide of the Oracle Health Insurance application.