Identifiers Type
This restriction type enables restricting access to identifiers of a person or an organization.
If an identifier type [1] has an access restriction, the user must have a role that includes a grant on that restriction to access identifiers of that type.
Level of Access
The access restriction grant also indicates the level of access in terms of having read, create, update and delete rights.
Grant | Restricts / Allows |
---|---|
Retrieve | |
Create | Allows the user to add an identifier of this restriction type. |
Update | Allows the user to update an identifier of this restriction type. |
Delete | Allows the user to delete an identifier of this restriction type. |
Example
In this example we have three identifier types linked to the person: a Social Security Number, a credit card number and a PAN card number.
The identifier type Social Security Number has a concealment expression \d*(?=-)|\d(?=\d{3}) [2].
This means that the application conceals all numbers except the last three, for users who have no Retrieve grant on this identifier type’s access restriction.
The identifier type credit card number does not have a concealment expression. This means that the application fully conceals the number for users who have no Retrieve grant on this identifier type’s access restriction.
The configuration holds two access restrictions of type identifier type: SECRET_IDENTIFIER and TOP_SECRET_IDENTIFIER.
The Social Security Number has the access restriction SECRET_IDENTIFIER, the credit card number has the access restriction TOP_SECRET_IDENTIFIER, and the PAN card number has no access restriction.
The application holds the following person data:
Person | Person Code | Identifier Type | Identifier |
---|---|---|---|
Susan | P12345 | Credit Card Number | 4012 8888 8888 1881 |
Susan | P12345 | Social Security Number | 978-65-4321 |
Mary | P45678 | Social Security Number | 978-65-4329 |
Jane | P22334 | PAN Card Number | 289-68c-180D |
In this example user Bob has a role that grants him access to information protected by the SECRET_IDENTIFIER access restriction (in this case Social Security Numbers).
User Pete does not have a role that grants him access to protected identifier information.
User Bob
- Use Case 1
  Bob searches for the person with person code P12345.
  The application returns Susan with an unconcealed Social Security Number and a fully concealed credit card number.
- Use Case 2
  Bob searches for the person with Social Security Number 978-65-4321.
  The application returns Susan with an unconcealed Social Security Number and a fully concealed credit card number.
- Use Case 3
  Bob searches for the person with credit card number 4012 8888 8888 1881.
  The application returns no results. The number is protected by the TOP_SECRET_IDENTIFIER access restriction on which Bob has no grant.
- Use Case 4
  Bob searches for the person with person code P22334.
  The application returns Jane with an unconcealed PAN card number.
- Use Case 5
  Bob searches for the person with PAN card number 289-68c-180D.
  The application returns Jane with an unconcealed PAN card number.
User Pete
- Use Case 1
  Pete searches for the person with person code P12345.
  The application returns Susan with a concealed Social Security Number (***-***-321) and a fully concealed credit card number.
- Use Case 2
  Pete searches for the person with Social Security Number 978-65-4321.
  The application returns no results. The number is protected by the SECRET_IDENTIFIER access restriction on which Pete has no grant.
- Use Case 3
  Pete searches for the person with credit card number 4012 8888 8888 1881.
  The application returns no results. The number is protected by the TOP_SECRET_IDENTIFIER access restriction on which Pete has no grant.
- Use Case 4
  Pete searches for the person with person code P22334.
  The application returns Jane with an unconcealed PAN card number.
- Use Case 5
  Pete searches for the person with PAN card number 289-68c-180D.
  The application returns Jane with an unconcealed PAN card number.
Related Entities
Not applicable.
When searching with the generic API, the application applies access restrictions and concealing on top-level resource, sub-resource and linked resources. For details refer to HTTP API Data Access Restriction Concepts.
[2] \d*(?=-)|\d(?=\d{3}) returns 123-45-6789 as ***-**-*789.
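The Bob and Pete use cases above can be modelled in a few lines. The following Python sketch is an added example, not the application's own code: the data structures and function names are hypothetical, and it assumes that each character matched by the concealment expression is replaced by one `*` (consistent with the footnote) and that "fully concealed" means every character is masked.

```python
import re

# Configuration and data taken from the example; the structures are hypothetical.
RESTRICTION = {"Social Security Number": "SECRET_IDENTIFIER",
               "Credit Card Number": "TOP_SECRET_IDENTIFIER"}  # PAN Card Number: none
CONCEAL_EXPR = {"Social Security Number": r"\d*(?=-)|\d(?=\d{3})"}
RETRIEVE_GRANTS = {"Bob": {"SECRET_IDENTIFIER"}, "Pete": set()}
PERSONS = [  # (person, person code, identifier type, identifier)
    ("Susan", "P12345", "Credit Card Number", "4012 8888 8888 1881"),
    ("Susan", "P12345", "Social Security Number", "978-65-4321"),
    ("Mary", "P45678", "Social Security Number", "978-65-4329"),
    ("Jane", "P22334", "PAN Card Number", "289-68c-180D"),
]

def may_retrieve(user, id_type):
    """True if the type is unrestricted or the user's role grants Retrieve on it."""
    restriction = RESTRICTION.get(id_type)
    return restriction is None or restriction in RETRIEVE_GRANTS.get(user, set())

def conceal(id_type, value):
    expr = CONCEAL_EXPR.get(id_type)
    if expr is None:
        return "*" * len(value)  # assumed rendering of "fully concealed"
    # Assumption: every character matched by the expression becomes one '*'.
    return re.sub(expr, lambda m: "*" * len(m.group()), value)

def search_by_code(user, code):
    """The person is always found; identifiers are concealed per grant."""
    return [(name, t, v if may_retrieve(user, t) else conceal(t, v))
            for name, c, t, v in PERSONS if c == code]

def search_by_identifier(user, id_type, value):
    """Without a Retrieve grant the search yields nothing, so a concealed
    value cannot be confirmed by searching for a guess."""
    if not may_retrieve(user, id_type):
        return []
    codes = {c for _, c, t, v in PERSONS if t == id_type and v == value}
    return [row for code in sorted(codes) for row in search_by_code(user, code)]
```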