Functional Access Restriction (JET)

Each user who has successfully authenticated must be authorized to access system functions. This page describes authorization concepts, setup procedures, and typical use case scenarios.

Concepts

Access to all UI pages is restricted. An access restriction of type Function represents each page. As a result, a user can only access pages authorized through one of his roles. Function access is granted on the page level. It is not feasible to provide access to specific sections of a page. When a user gets access to the person’s page, for example, the user can access all aspects of that page, such as the person’s data, addresses, bank accounts, etc.

A user can retrieve access to a page and Create, Update, and Delete access as an option. Create access allows you to add new records (objects and their information). Delete access allows you to delete a record. Dynamic fields and multi-select drop-down lists are considered attributes of an entity. Update access allows you to add/remove/update such properties even if the user does not have Create or Delete access.

Menu options that the user cannot access are not displayed. If the user does not have access privileges for an action, the add/delete/save buttons on a page to which the user has access are hidden. Fields are shown as read-only if the user does not have update access.

If a link on a page to which the user has access takes the user to a page to which the user does not have access, an access denied page displays. The following table lists the CRUD indicators for function access type restriction in the context of JET UI:

Table 1. Function Access type Restriction
Type or CRUD indicator Create Grant on Access Restriction Retrieve or Read Grant on Access Restriction Update Grant on Access Restriction Delete Grant on Access Restriction

Function

A user who has this permission can create a new record. This permission is required for a user to access the 'Create' object page through the URL. Grant permission to 'Create' indicates that a user can add or delete information (while in the create mode).

Can access the page linked to this access restriction

A user with this permission can make changes to an existing record. The permission to update suggests that a user can add, edit, or delete a piece of information.

May delete an existing record (with its details)
The pages use HTTP API resources (generic/specific) to execute DMLs. Therefore, appropriate grants to GET (to view), POST (to create), PUT (to update), PATCH (to update), and DELETE (to delete) operations must be granted on the resource, operations, sub-resources, and linked resource. See Security for more details. The Oracle Health Insurance application takes care of these grants implicitly. Grant to a function code also grants access to API resources that the page uses automatically.

Whenever an access grant for the page is provided to a user, an access grant to the required IP/API is automatically granted. However, exceptions to the rules are IP/API, allowing users to perform restricted operations, such as submitting a claim or policy.

By configuring explicit grants through the user role, it is possible to override the implicit API/IP grant that the user receives through function access. For example, a user with access to view the person page also has automatic access to the addresses through API. However, the user must not have access to the address at all. To do this, delete the address configuration from the floorplan, build a more limited access grant for the address API, and assign it to the user role

Function Access and Object List in Table

A user’s actions on an object list page are determined by the resource displayed in the table - 1) a top-level object or 2) a details object

Object list displaying a top level object

Access to 'Retrieve'

  • A user with this grant can view the object list.

Access to 'Update'

  • A user with this permission can make changes to the object list. Grant to Update suggests users can add, update, or delete a top-level object from the list when more grants are available. Additional permits are necessary in addition to the Update grant to add or delete top-level objects.

Object list displaying a detail object

If the object list contains a detail object displayed through 'Object Navigation Links,' the top-level object’s function access restrictions apply. For example, for contract alignments within the contract page, the function access for the contract page applies.

Access to 'Retrieve'

  • A user with this grant can view the object list.

Access to 'Update'

  • A user with this permission can make changes to the detail object list. Grant to Update suggests users can add, update, or delete a detail object from the list.

Setup

The setup function authorization requires the following steps:

  1. During installation, Oracle Health Insurance loads type function access restrictions. There is no need to install function access restrictions manually

  2. Define the access roles using the setup access role function, and then assign access restrictions to each access role. Specify the create, retrieve, update, and delete flags for each access restriction.

  3. Define roles in the external identity store. It is important to note that the User Provisioning Service will use the code field to match Access Roles. As a result, make sure to include the Oracle Health Insurance access role code as an attribute of the role definition in the external identity store.

  4. Create users and grant roles to them in the external identity store.

  5. Provision the users to Oracle Health Insurance using the Provisioning Integration Point, described in the Developer Guide

  6. The provisioned users now have access to the functions for which they have been authorized.

Access Restriction to Login to the Oracle Health Insurance JET UI

The following are the typical generic resources to which users must have access restrictions to login into the JET application:

  • Retrieve access to function code CO0019, which gives the user access to the following APIs/Ips:

    • Retrieve Access to User Information IP

    • Retrieve Access to Current Properties IP

    • Retrieve Access to Messages API (generic API)

    • Retrieve Access to Boilerplate API (generic API)

    • Retrieve Access to Bookmark API (generic API)

    • Retrieve Access to User Preference API (generic API)

    • Retrieve Access to Widgets API (generic API)

    • Retrieve Access to User Preference Widgets API (generic API)

    • Retrieve Access to Users API (generic API)

    • Retrieve Access to Floorplan API (generic API)

    • Retrieve Access to Floorplan Tag Details API (generic API)

    • Retrieve Access to Insurable Entity Types API (generic API)

    • Retrieve Access to Languages API (generic API)

Use Cases

This use case describes setting up the Access Roles 'Contract Pages Readonly' and 'Contract Pages Updateonly.

Define Access Role

CONTRACTS Read-only Role

Create a new Access Role with the following values:

  • Code = 'CONTRACT PAGES READONLY'

  • Name = 'Contract Pages Readonly'

  • Descr ='This role gives read-only access to the contract page'

Create the following access restriction grants for this Access Role

  • Contracts

  • Specific and generic APIs listed in the contracts page UI

Only set the Retrieve? flag for these access restriction grants, not the Create?, Update? or Delete? flags.

Contracts Update-only Role

Create a new Access Role with following values:

  • Code = 'CONTRACT PAGES UPDATE ONLY'

  • Name = 'Contract Pages Update Only'

  • Descr ='This role gives update-only access to contract page'

Create the following access restriction grants for this Access Role

  • Contracts

  • Specific and generic APIs listed in the contracts page UI

Only set the Retrieve? and the Update? flags for these access restriction grants, not the Create? or Delete? flags.

Setup External Identity Store and Provision

Create new Access Roles in the external identity store. Make sure to store 'CONTRACT PAGES READONLY' and 'CONTRACT PAGES UPDATE ONLY' respectively as an attribute of the new roles.

Assign the roles to users in the external identity store. Execute the Provisioning Integration Point.

Access to the Oracle Health Insurance Application

Log in to Oracle Health Insurance using a user with only the CONTRACT PAGES READONLY role. This user can only see the contracts and its details, including alignments and adjustments. All create, update and delete options in the pages are disabled.

Log in to Oracle Health Insurance using a user with only the CONTRACT PAGES UPDATE ONLY role. This user can perform the following actions but cannot add or delete contracts:

  • add/update/remove/alignments/adjust existing contracts.

  • add/update/remove a dynamic field value for the existing contract and its details.

  • add/update/delete calculation periods.