Access Restrictions for Jet Pages

Access to all UI pages is protected by access restrictions of type Function: each page is represented by one such access restriction. A user can therefore only access pages to which he has been granted access via one of his roles. Function access is granted at the level of a page; it is not possible to give access to only certain parts of a page. For example, when the user has access to the persons page, he can search for persons and can access all parts of the view and edit person page, such as person data, person addresses, person bank accounts and so on.

A user can be granted Retrieve access to a page, and optionally also Create, Update, and/or Delete access. Create access means that new records (objects and their details) can be added. Delete access means that records can be deleted. Dynamic fields and multi-select drop-down lists are considered attributes of an entity: if the user has Update access to the page, he can add, remove, and update such attributes even if he does not have Create or Delete access.

Menu options to which the user does not have access are not shown. On a page to which the user has access, the add / delete / save buttons are hidden if the user does not have access rights for that operation. If the user does not have Update access, fields are displayed as read-only.

The pages use HTTP API resources and integration points (generic/specific) to perform DML operations. Therefore, appropriate access to the GET (to view), POST (to create), PUT (to update), PATCH (to update), and DELETE (to delete) operations must be granted on the resource, its operations, sub resources, and linked resources.

Whenever page access is provided to a user, access to the required IP/API is granted automatically. The exceptions to this rule are IPs/APIs that allow the user to perform certain restricted operations, for example, submitting a group client or policy.

The following tables list the pages that require additional API/IP access to perform special operations, giving the function code and the API/IP access required for each.

Table 1. Access Restrictions for Jet Pages
Page Function Access Restricted Access Restrictions

Policies Search
Policies View

PO0001

  • To access Validate policies, the user must have access to "policies.validateIP" and Update access to PO0001

  • To access Submit policies, the user must have access to "policies.submitIP" and Update access to PO0001

  • To access Revert policy to previous version, the user must have access to "policies.revertIP" and Update access to PO0001

  • To access the operation To Edit, the user must have access to "policies.toEdit" and Update access to PO0001

  • To view policy calculation periods, access to the generic API policycalculationperiods is needed

  • To view and edit member (person) details from the policy page, the user must have the relevant access grant to function access RM0012

  • To view and edit policy notes, the user must have the relevant access grant to the notes API

  • To view policy enrollment events, the user must have a read access grant to the generic API enrollment events

Policy Attached Data View

PO0001

  • Appropriate access to resource attachedpolicydata

Group Setup

Table 2. Group Setup
Page Function Access Restricted Access Restrictions

Group Client Search
Group Client View and Edit

PO0083

  • To submit a group client, the user must have access to "groupclient.submit IP" and Update access to PO0083

Configuration

Table 3. Configuration
Page Function Access Restricted Access Restrictions

Change event rules

PO0032

In order to access monitoring fields for insurable entity types "Object", GET access to generic resource as given by its configured resource name must be provided.
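
The special-operation rules in Tables 1 and 2 above can be checked mechanically when reviewing roles. The following is an added example, not code from the product or its documentation: the `Role` structure, the operation labels and the sample roles are assumptions made for illustration, while the function codes and IP names are the ones quoted in the tables. It reports which restricted operations a role can actually perform and flags grants that do not fit the rules (an IP grant without Update access on the page, or Create/Update/Delete without Retrieve).

```python
# Added example: hypothetical grant model, not the product's API or schema.
from dataclasses import dataclass, field

# Special operations from Tables 1 and 2: each needs the named IP grant
# AND Update access on the page's function code.
SPECIAL_OPS = {
    "validate policy": ("policies.validateIP", "PO0001"),
    "submit policy": ("policies.submitIP", "PO0001"),
    "revert policy": ("policies.revertIP", "PO0001"),
    "policy to edit": ("policies.toEdit", "PO0001"),
    "submit group client": ("groupclient.submit IP", "PO0083"),
}


@dataclass
class Role:
    name: str
    # function code -> flags out of {"R", "C", "U", "D"} (assumed encoding)
    pages: dict = field(default_factory=dict)
    ip_grants: set = field(default_factory=set)


def review(role):
    """Return (allowed special operations, findings to review)."""
    allowed, findings = [], []
    # The page describes Create/Update/Delete as additions to Retrieve.
    for code, flags in role.pages.items():
        if flags and "R" not in flags:
            findings.append(f"{code}: {sorted(flags)} without Retrieve")
    for op, (ip, code) in SPECIAL_OPS.items():
        has_ip = ip in role.ip_grants
        has_update = "U" in role.pages.get(code, set())
        if has_ip and has_update:
            allowed.append(op)
        elif has_ip:
            # Incomplete pair: the tables require both grants together.
            findings.append(f"{op}: IP grant {ip!r} without Update on {code}")
    return allowed, findings


# Constructed sample roles (not from the page).
CLERK = Role("clerk", {"PO0001": {"R"}}, {"policies.submitIP"})
UNDERWRITER = Role(
    "underwriter",
    {"PO0001": {"R", "U"}, "PO0083": {"R", "U"}},
    {"policies.validateIP", "policies.submitIP"},
)

if __name__ == "__main__":
    for r in (CLERK, UNDERWRITER):
        print(r.name, review(r))
```
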