Non-Address Contact Detail Restriction

See the "User Access" chapter of the Security Guide for details of this type of access restriction. The HTTP API will only expose non-address contact details of a person if the user has access rights.

Restrict Top-Level Resource

The person or relation resource itself can be accessed irregardless of the contact detail access restriction. The non-address contact details attributes are concealed for users that do not have access rights.

Restrict Sub-Resource

Not implemented in the HTTP API. Person and relation do not exist as sub resources in Oracle Health Insurance Components.

Concealing of Linked Resource

The non-address contact details are concealed for users that do not have access rights.

Inference Prevention

When using a non-address-contact-detail as a query condition, only contact details a user has access to are used.

For example, the user is searching for persons with a certain business phone number:

POST http://[hostName]:[portNumber]/[api-context-root]/generic/persons/search
{
  "resource": {
    "q": "phoneNumberBusiness.eq('123-456-789')"
  }
}

The Query API adds a filter like this:

where person.phoneNumberBusiness.eq("123-456-789")
and (person.accessRestrictionContactDetail is null
 or person.accessRestrictionContactDetail in (accessrestrictions of user where Retrieve = Y)
)

Filtering on phoneNumberBusiness (and other protected fields) is also needed when person acts as lookup (on any level), for example

POST http://[hostName]:[portNumber]/[api-context-root]/generic/claims/search
{
  "resource": {
    "q":"claimantRelation.phoneNumberBusiness.eqic('123-456-789')"
  }
}