User Access Restriction Model

User access restrictions control access to functionality on various levels:

  • They determine which functions users may access. This covers access to UI pages and menus.

  • In addition, the restrictions indicate which protected data may be accessed from the functions. For example, a user can access a normal address, but cannot see a secured address.

  • The restrictions indicate if the user may read, create, update, and/or delete data.

Protected data refers to data that requires fine-grained security. By default, data is implicitly protected by controlling access to the functions that create, read, update and delete it. Data that requires more protection than this is referred to as protected data. With protected data, the values of specific fields are also taken into consideration. For example, contracts can be protected based on the data access group. This protection is in addition to the protection from controlling access to the contract screens.

Function and data access should be coordinated. In order to access protected data, users must have access to both the protected data and the functions that maintain the data.

For convenience, access restrictions are defined per 'functional' role and users are given access to the roles. This simplifies administration of user access by allowing set up to be done per role instead of per user. When several users perform the same role, the role can be set up once, and all the users can be assigned to it. Users may be assigned to more than one role. In this case access is cumulative (users have access to the functions and protected data that is included in any of their roles).

This document describes the data model that is the basis for implementing user access restriction functionality.

Concepts

Access Restriction Model

User

A user is a system log-in 'account'. A user represents a person who may access the system (as specified by the roles that they hold).

  Field               Description
  ------------------  ---------------------------------------------------------
  Login name          Name used for authentication.
  Display name        Name used for display.
  Default language    Language used as the default display language.
  Default country     Default country.
  Active indicator    Active indicator. An inactive user cannot access the
                      system anymore (cannot log in).

Access Role

An access role holds a collection of restrictions. In general, roles are expected to match 'functional' roles within the organization. For example, the 'Contracts Manager' role would include all restrictions needed to carry out the work of a contracts manager.

  Field          Description
  -------------  ------------------------------------------------------------
  Code           Unique code.
  Name           User-friendly name.
  Description    Description.
  Active?        Is the role active? An inactive role cannot be granted to
                 additional users, nor can additional access restriction
                 grants be added to the role. Access restrictions already
                 granted to users via this role remain valid.
  Enabled        Is the role enabled? Access granted through a disabled role
                 is (temporarily) not valid, that is, the user currently does
                 not have that access.
  OHI specific?  When checked, the access role is seeded.

User Role

A user role gives a user the privileges of a role. For example, a user with the 'Contracts Manager' role can access the functions and data for which the 'Contracts Manager' role has permissions.

  Field         Description
  ------------  ------------------------------
  User          The user.
  Access role   The role granted to the user.

NOTE

In case of conflicting grants, for example when the user has a view-only grant through one role and is allowed to edit through another role, the least restrictive grant applies, that is, the user is allowed to edit.

User Role History

The user role history holds the history of the user's authentication settings and the user's access restriction rights. It shows when the user was created, deleted, activated, and deactivated, and which access roles were assigned and revoked.

A business rule on the user creates the entries in the user role history.

  Field         Description
  ------------  ------------------------------------------------------
  Login name    The login name of the user.
  Date time     The timestamp at which the change took place.
  Action        The action that took place.
  Access Role   The code of the access role that was assigned or revoked.

Access Restriction

Access restriction is a general term used to refer to something for which access is or can be restricted.

  Field                               Description
  ----------------------------------  ---------------------------------------------------------
  Code                                Code of the access restriction, unique.
  Oracle Health Insurance Specific?   This indicator is query only and is used to differentiate
                                      between seeded access restrictions and customer-created
                                      access restrictions. True if it is a seeded access
                                      restriction, false if it is a custom access restriction.
  Name                                Name of the access restriction.
  Active?                             Is the access restriction active? Indicates whether it is
                                      still possible to add new references (grants) to it.
  Enabled?                            Is the access restriction enabled? A grant on a disabled
                                      access restriction is (temporarily) not valid, that is,
                                      the user currently does not have that access.
  Type                                The type of restriction. The following types exist:

  • Approval limit

  • Approve product

  • Address contact detail

  • Authorization Form

  • Brand claim access

  • Brand policy access

  • Claim message group

  • Claim settlement

  • Claim unfinalization

  • Data access group authorization access

  • Data access group claim & authorization access

  • Data access group policy access

  • Data access group contract access

  • Diagnosis display

  • Dynamic Field Usage

  • Function

  • HTTP API

  • HTTP IP

  • Item

  • Integration

  • Identifiers Type

  • Non-address contact detail

  • Payer claim access

  • Pend reason resolution

  • Pend resolution

  • Person details

  • Pricing Constructs

  • Procedure display

  • Set product status

  • Submit product to test

  • Unfinalize authorization

  • User credentials

See the User Access chapters in the Security Guide of Oracle Health Insurance applications for details about the different types. More information about the HTTP-related access restrictions can be found in the Security Guide.

Seeded Access Restrictions

  • Each access restriction of type HTTP API represents one of the API resources.

  • Each access restriction of type HTTP IP represents one of the HTTP integration points.

  • Each access restriction of type Function represents one of the ADF user interface pages.

  • For each resource, HTTP integration point and ADF user interface page, an access restriction is provided as seed data.

    NOTE

    The users HTTP API resource has two seeded access restrictions: 'users API' and 'usercredentials API'.
    The users API access restriction gives a user access to the users API resource with the loginName and alternateUserId concealed. Only when the user also has a grant on the usercredentials API access restriction are the loginName and alternateUserId no longer concealed. A grant on the usercredentials API access restriction does not give access to the users API resource; it only lifts the concealing of the loginName and alternateUserId.

Access Restriction Grant

An access restriction grant connects a role to an access restriction. Users with this role get the right to access the function or data that is protected by the access restriction.

Furthermore, it indicates the level of access in terms of read, create, update and/or delete rights by setting the Create, Retrieve, Update and Delete (CRUD) indicators. The meaning of these indicators differs depending on the specific type of access restriction.

For details, refer to the data access restrictions chapter.

  Field               Description
  ------------------  ---------------------------------------------------
  Access Role         The access role the grant is for.
  Access Restriction  The access restriction to which access is granted.
  Create indicator    Depends on the type of access restriction.
  Retrieve indicator  Depends on the type of access restriction.
  Update indicator    Depends on the type of access restriction.
  Delete indicator    Depends on the type of access restriction.
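The following Python model is an added illustration of the rules described on this page (cumulative access across roles, the least restrictive grant winning on conflict, and the effect of the active and enabled indicators on users, roles and access restrictions); it is not code from Oracle Health Insurance or from this document. The class and function names, the use of a set of CRUD indicator names per grant, and the sample restriction codes used with it are assumptions made for the example.

```python
from dataclasses import dataclass, field

CRUD = frozenset({"create", "retrieve", "update", "delete"})  # the four grant indicators

@dataclass(frozen=True)
class AccessRestriction:
    code: str
    active: bool = True   # inactive: no new grants may reference it
    enabled: bool = True  # disabled: existing grants are temporarily not valid

@dataclass(frozen=True)
class Grant:
    restriction: AccessRestriction
    rights: frozenset     # subset of CRUD; what each flag means depends on the type

@dataclass
class AccessRole:
    code: str
    grants: list = field(default_factory=list)
    active: bool = True   # inactive: no new users or grants; existing grants stay valid
    enabled: bool = True  # disabled: access through this role is temporarily not valid

@dataclass
class User:
    login_name: str
    roles: list = field(default_factory=list)
    active: bool = True   # an inactive user cannot log in

def add_grant(role: AccessRole, grant: Grant) -> None:
    """A grant may only be added to an active role on an active restriction."""
    if not (role.active and grant.restriction.active):
        raise ValueError(f"{role.code}: role or restriction is inactive")
    role.grants.append(grant)

def effective_rights(user: User, restriction_code: str) -> frozenset:
    """Cumulative access: the union, over the user's enabled roles, of the grants
    on the named (enabled) restriction. A view-only grant in one role and an edit
    grant in another therefore resolve to edit, the least restrictive outcome."""
    if not user.active:
        return frozenset()
    rights: set = set()
    for role in user.roles:
        if not role.enabled:
            continue  # disabled role: its grants are temporarily not valid
        for g in role.grants:
            if g.restriction.code == restriction_code and g.restriction.enabled:
                rights |= g.rights
    return frozenset(rights)
```

Setting a role to inactive leaves its existing grants in force, while setting it to disabled withdraws them until it is enabled again; the same distinction applies to access restrictions.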