Identifier Type

This restriction type enables the restriction of access to identifiers of a person or an organization.

If an identifier type [1] has an access restriction, the user must have a role that includes a grant on that restriction to access identifiers of that type.

Level of Access

The access restriction grant also indicates the level of access in terms of read, create, update and delete rights.

Table 1. Level of Access - Meaning
Grant Restricts / Allows

Retrieve

  • This grant allows the user to find a person, organization, provider, or policy when searching for an identifier of this restriction type.
    Without this grant the application does not return any person, organization, provider, or policy when searching for an identifier of this restriction type.

  • If the identifier type has a concealment expression, this grant allows the user to view the unconcealed value of the identifier. Without the grant the application conceals the value.
    If the identifier type has no concealment expression the application does not conceal the value.

Create

Allows the user to add an identifier of this restriction type.

Update

Allows the user to update an identifier of this restriction type.

Delete

Allows the user to delete an identifier of this restriction type.

Example

In this example we have three identifier types linked to the person: a Social Security Number, a credit card number, and a PAN card number.

The identifier type Social Security Number has a concealment expression \d*(?=-)|\d(?=\d{3}) [2] This means that the application conceals all numbers except the last three, for users without the retrieve grant on this identifier type’s access restriction.

The identifier type credit card number does not have a concealment expression. This means that the application fully conceals the number for users without the retrieve grant on this identifier type’s access restriction.

The configuration holds two access restrictions of type identifier type: SECRET_IDENTIFIER and TOP_SECRET_IDENTIFIER.

The Social Security Number has the access restriction SECRET_IDENTIFIER, the credit card number has the access restriction TOP_SECRET_IDENTIFIER, and the PAN card number has no access restriction.

The application holds the following personal data:

Table 2. Example Data Identifier Type Access Restriction
Person Person Code Identifier Type Identifier

Susan

P12345

Credit Card Number

4012 8888 8888 1881

Susan

P12345

Social Security Number

978-65-4321

Mary

P45678

Social Security Number

978-65-4329

Jane

P22334

PAN Card Number

289-68c-180D

In this example user Bob has a role that grants him access to information protected by the SECRET_IDENTIFIER access restriction (in this case Social Security Numbers).
User Pete does not have a role that grants him access to protected identifier information.

User Bob

Use Case 1

Bob searches for the person with person code P12345.
The application returns Susan with an unconcealed Social Security Number and a fully concealed credit card number.

Use Case 2

Bob searches for the person with Social Security Number 978-65-4321.
The application returns Susan with an unconcealed Social Security Number and a fully concealed credit card number.

Use Case 3

Bob searches for the person with credit card number 4012 8888 8888 1881.
The application returns no results. The number is protected by the TOP_SECRET_IDENTIFIER access restriction, on which Bob has no grant.

Use Case 4

Bob searches for the person with person code P22334.
The application returns Jane with an unconcealed PAN card number.

Use Case 5

Bob searches for the person with PAN card number 289-68c-180D.
The application returns Jane with an unconcealed PAN card number.

User Pete

Use Case 1

Pete searches for the person with person code P12345.
The application returns Susan with a concealed Social Security Number (***-***-321) and a fully concealed credit card number.

Use Case 2

Pete searches for the person with Social Security Number 978-65-4321.
The application returns no results. The number is protected by the SECRET_IDENTIFIER access restriction on which Pete has no grant.

Use Case 3

Pete searches for the person with credit card number 4012 8888 8888 1881.
The application returns no results. The number is protected by the TOP_SECRET_IDENTIFIER access restriction on which Pete has no grant.

Use Case 4

Pete searches for the person with person code P22334.
The application returns Jane with an unconcealed PAN card number.

Use Case 5

Pete searches for the person with PAN card number 289-68c-180D.
The application returns Jane with an unconcealed PAN card number.

Related Entities

Not applicable.

When searching with the generic API, the application applies access restrictions and conceals on top-level resources, sub-resources, and linked resources. See HTTP API Data Access Restriction Concepts for more information.
1. An identifier type is, for example, a social security number or a driver’s license number.
2. The concealment expression is a regular expression (regex). The application replaces each value returned by the expression with an asterisk. For example, the regular expression \d*(?=-)|\d(?=\d{3}) returns 123-45-6789 as ***-**-*789.