Identifier Type
This restriction type enables the restriction of access to identifiers of a person, an organization, or a provider.
If an identifier type [1] has an access restriction, the user must have a role that includes a grant on that restriction to access identifiers of that type.
Level of Access
The access restriction grant also indicates the level of access in terms of read, create, update, and delete rights.
Grant | Restricts / Allows |
---|---|
Retrieve | |
Create | Allows the user to add an identifier of this restriction type. |
Update | Allows the user to update an identifier of this restriction type. |
Delete | Allows the user to delete an identifier of this restriction type. |
Example
In this example we have three identifier types linked to the person: a Social Security Number, a Credit card number, and a PAN card number.
The identifier type Social Security Number has the concealment expression \d*(?=-)|\d(?=\d{3}) [2]. This means that, for users without the retrieve grant on this identifier type’s access restriction, the application conceals all digits except the last three.
The identifier type credit card number does not have a concealment expression. This means that the application fully conceals the number for users without the retrieve grant on this identifier type’s access restriction.
The configuration holds two access restrictions of type identifier type: SECRET_IDENTIFIER and TOP_SECRET_IDENTIFIER.
The Social Security Number has the access restriction SECRET_IDENTIFIER, the credit card number has the access restriction TOP_SECRET_IDENTIFIER, and the PAN card number has no access restriction.
The application holds the following personal data:
Person | Person Code | Identifier Type | Identifier |
---|---|---|---|
Susan | P12345 | Credit Card Number | 4012 8888 8888 1881 |
Susan | P12345 | Social Security Number | 978-65-4321 |
Mary | P45678 | Social Security Number | 978-65-4329 |
Jane | P22334 | PAN Card Number | 289-68c-180D |
In this example, user Bob has a role that grants him access to information protected by the SECRET_IDENTIFIER access restriction (in this case Social Security Numbers).
User Pete does not have a role that grants him access to protected identifier information.
User Bob
- Use Case 1
  Bob searches for the person with person code P12345.
  The application returns Susan with an unconcealed Social Security Number and a fully concealed credit card number.
- Use Case 2
  Bob searches for the person with Social Security Number 978-65-4321.
  The application returns Susan with an unconcealed Social Security Number and a fully concealed credit card number.
- Use Case 3
  Bob searches for the person with credit card number 4012 8888 8888 1881.
  The application returns no results. The number is protected by the TOP_SECRET_IDENTIFIER access restriction, on which Bob has no grant.
- Use Case 4
  Bob searches for the person with person code P22334.
  The application returns Jane with an unconcealed PAN card number.
- Use Case 5
  Bob searches for the person with PAN card number 289-68c-180D.
  The application returns Jane with an unconcealed PAN card number.
User Pete
- Use Case 1
  Pete searches for the person with person code P12345.
  The application returns Susan with a concealed Social Security Number (***-***-321) and a fully concealed credit card number.
- Use Case 2
  Pete searches for the person with Social Security Number 978-65-4321.
  The application returns no results. The number is protected by the SECRET_IDENTIFIER access restriction, on which Pete has no grant.
- Use Case 3
  Pete searches for the person with credit card number 4012 8888 8888 1881.
  The application returns no results. The number is protected by the TOP_SECRET_IDENTIFIER access restriction, on which Pete has no grant.
- Use Case 4
  Pete searches for the person with person code P22334.
  The application returns Jane with an unconcealed PAN card number.
- Use Case 5
  Pete searches for the person with PAN card number 289-68c-180D.
  The application returns Jane with an unconcealed PAN card number.
Related Entities
Not applicable.
When searching with the generic API, the application applies access restrictions and concealment to top-level resources, sub-resources, and linked resources. See HTTP API Data Access Restriction Concepts for more information.
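The Bob and Pete use cases from the Example section can be modelled in a few lines of Python. This is an added illustration, not the application's own code: all function and variable names are hypothetical, the rendering of a fully concealed value is an assumption, and masking each matched character with one asterisk is inferred from the footnote's 123-45-6789 result.

```python
import re

# Constructed model of the page's example; all names here are hypothetical.
SSN_EXPR = re.compile(r"\d*(?=-)|\d(?=\d{3})")  # concealment expression from the page
FULLY_CONCEALED = "********"  # assumption: the page does not say how full concealment renders

# identifier type -> (access restriction or None, concealment expression or None)
ID_TYPES = {
    "Social Security Number": ("SECRET_IDENTIFIER", SSN_EXPR),
    "Credit Card Number": ("TOP_SECRET_IDENTIFIER", None),
    "PAN Card Number": (None, None),
}
PERSONS = {
    "P12345": ("Susan", {"Credit Card Number": "4012 8888 8888 1881",
                         "Social Security Number": "978-65-4321"}),
    "P45678": ("Mary", {"Social Security Number": "978-65-4329"}),
    "P22334": ("Jane", {"PAN Card Number": "289-68c-180D"}),
}
RETRIEVE_GRANTS = {"Bob": {"SECRET_IDENTIFIER"}, "Pete": set()}


def may_retrieve(user, id_type):
    restriction = ID_TYPES[id_type][0]
    return restriction is None or restriction in RETRIEVE_GRANTS[user]


def conceal(id_type, value):
    expr = ID_TYPES[id_type][1]
    if expr is None:
        return FULLY_CONCEALED  # fixed-width mask, so the value's length is not disclosed
    # Assumption inferred from the footnote: every matched character becomes one '*'.
    return expr.sub(lambda m: "*" * len(m.group()), value)


def view(user, code):
    name, ids = PERSONS[code]
    return name, {t: v if may_retrieve(user, t) else conceal(t, v) for t, v in ids.items()}


def search_by_code(user, code):
    return [view(user, code)] if code in PERSONS else []


def search_by_identifier(user, id_type, value):
    # Without the retrieve grant the search returns nothing at all: a concealed hit
    # would still confirm that the guessed value belongs to someone.
    if not may_retrieve(user, id_type):
        return []
    return [view(user, c) for c, (_, ids) in PERSONS.items() if ids.get(id_type) == value]
```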
[2] \d*(?=-)|\d(?=\d{3}) returns 123-45-6789 as ***-**-*789.