Non-Address Contact Detail Restriction
See the "User Access" chapter of the Security Guide for details of this type of access restriction. The HTTP API will only expose non-address contact details of a person if the user has access rights.
Restrict Top-Level Resource
The person or relation resource itself can be accessed irregardless of the contact detail access restriction. The non-address contact details attributes are concealed for users that do not have access rights.
Restrict Sub-Resource
Not implemented in the HTTP API. Person and relation do not exist as sub resources in Oracle Health Insurance Components.
Concealing of Linked Resource
The non-address contact details are concealed for users that do not have access rights.
Inference Prevention
When using a non-address-contact-detail as a query condition, only contact details a user has access to are used.
For example, the user is searching for persons with a certain business phone number:
POST http://[hostName]:[portNumber]/[api-context-root]/generic/persons/search { "resource": { "q": "phoneNumberBusiness.eq('123-456-789')" } }
The Query API adds a filter like this:
where person.phoneNumberBusiness.eq("123-456-789")
and (person.accessRestrictionContactDetail is null
or person.accessRestrictionContactDetail in (accessrestrictions of user where Retrieve = Y)
)
Filtering on phoneNumberBusiness (and other protected fields) is also needed when person acts as lookup (on any level), for example
POST http://[hostName]:[portNumber]/[api-context-root]/generic/claims/search { "resource": { "q":"claimantRelation.phoneNumberBusiness.eqic('123-456-789')" } }