Data Access Group Restriction
This feature allows access to claims and authorizations of specific data access groups to be restricted.
It is possible to apply an access restriction to a data access group to indicate that the claims and authorizations of the data access group can only be accessed by users with a role that includes the restriction. The data access group needs to be provided with claims when they are sent to Claims if this level of protection is needed.
In the case of authorizations, the data access group attribute is also used. Again, the data access group attribute needs to be provided with authorizations when they are sent to Claims if this level of protection is needed.
Example
User Bob is granted access restriction VIP_GROUP1. No access restrictions have been granted to user Pete. The following table shows for which data access groups they can access the claims.
Data Access Group Restriction | Claims for Group Accessible by Bob? | Claims for Group Accessible by Pete? |
---|---|---|
VIP_GROUP1 | yes | no |
empty | yes | yes |
VIP_GROUP2 | no | no |
n.a. | yes | yes |
Inference Prevention
When a user searches for claims or authorizations, claims and authorizations of data access groups that they are not allowed to see will not be returned at all.
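The access rule and the search behaviour described above, as an added example that is not part of the product or its documentation: a small Python model in which the `Claim` class, the claim codes and the `search` function are hypothetical. It assumes that "empty" in the table means a group without a restriction and "n.a." means a claim without a data access group, and it filters before counting so that the total does not reveal hidden claims.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Claim:
    code: str
    # Restriction on the claim's data access group. None covers both the
    # "empty" row (group without a restriction) and the "n.a." row
    # (claim without a data access group); this reading is an assumption.
    group_restriction: Optional[str]


def can_access(granted: frozenset, claim: Claim) -> bool:
    """A claim is visible unless its group carries a restriction the user lacks."""
    return claim.group_restriction is None or claim.group_restriction in granted


def search(granted: frozenset, claims: list, prefix: str = "") -> dict:
    """Filter first, then count: neither rows nor totals expose hidden claims."""
    visible = [
        c for c in claims
        if c.code.startswith(prefix) and can_access(granted, c)
    ]
    return {"total": len(visible), "items": [c.code for c in visible]}


# Constructed sample data mirroring the four rows of the table.
CLAIMS = [
    Claim("CLM-001", "VIP_GROUP1"),
    Claim("CLM-002", None),          # group with an empty restriction
    Claim("CLM-003", "VIP_GROUP2"),
    Claim("CLM-004", None),          # claim without a data access group
]
BOB = frozenset({"VIP_GROUP1"})      # Bob is granted VIP_GROUP1
PETE = frozenset()                   # Pete has no access restrictions granted

if __name__ == "__main__":
    for name, grants in (("Bob", BOB), ("Pete", PETE)):
        print(name, search(grants, CLAIMS))
```
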
Related Entities
For claims, see the related entities for the Brand restriction.
When access to an authorization is restricted, the following details are also restricted:
- Authorization diagnosis
- Authorization message
- Authorization line
- Authorization basket
- Authorization service type
When searching with the Generic API, the top-level resource access restriction is applied. For details, refer to HTTP API Data Access Restriction Concepts.
Related APIs
The following APIs check for data access group access:
- Generic API on all the entities mentioned under related entities
- All claims level operations (submit, back to change, pend resolution, unlocklines, unfinalize etc.)
- Claims In IP
- Claims Update IP