The getRestContactAuth... methods
ContactAuthorizationIdsRestV1Enhancement is a Gosu
enhancement for the AuthorizedUser entity. It has a number of
methods whose names start with "getRestContactAuth". Each method determines
access for a specific set of resources.
For example:
- The getRestContactAuthAccountAccess method determines access to account-based resources.
- The getRestContactAuthRootResourceAccess method determines access to root resources, such as payment plans.
- The getRestContactAuthAccountContactAccess method determines access to AccountContact resources.
When BillingCenter receives a call from a user using the contactAuthorizationIds resource access strategy, it first calls the appropriate method in this enhancement.
Each of these methods takes the
contact IDs from the JWT and converts them into a map of
userAccountContacts. For every contact in the map, there is
a value identifying the level of access for that contact. This value is a
typecode from the RestContactAuthAccessType typelist. It
includes the following typecodes:
- privileged - This contact has privileged access to the resource.
- primary - This contact has a more restrictive "primary payer" access to the resource.
- none - This contact does not have access to the resource.
Access is often granted based on the least restricted user. For example, if the list of contacts contains some contacts who are privileged and some who are primary, the caller is generally given privileged access.
Each of these methods returns an instance of a subclass of the AuthAccess class. Broadly speaking, there are three types of return values.
- The method could return an UnfilteredAccess object.
  - The caller is not restricted by any third-party data filters. (The caller can access any resource and any field as specified by their API roles and any restrictions imposed by all callers using the contactAuthorizationIds resource access strategy.)
- The method could return a NoAccess object.
  - The caller has no access to the resource.
- The method could return a FilteredAccess object.
  - The caller is restricted by an accessible fields filter.
  - The caller may also be restricted to view-only access.
UnfilteredAccess and NoAccess objects typically have no additional information.
However, a FilteredAccess object typically has at least one additional piece of
information. It identifies an accessiblefields.yaml file. (Note that the AuthAccess
types determine field-level filtering for a single resource. Field-level filtering
for collections is controlled by separate filters, which are declared in read-only
Gosu files and referenced in the appropriate access.yaml file.)
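The following is an added example, not Guidewire code: a language-neutral Python model of the flow described above, in which contact IDs from the JWT become a map of access types, the least restricted contact decides the outcome, and one of the three AuthAccess kinds is returned. The contact IDs, the filter file name, and the mapping of privileged to UnfilteredAccess and primary to a view-only FilteredAccess are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Iterable, Optional


class AccessType(IntEnum):
    """Models the RestContactAuthAccessType typecodes, ordered by breadth."""
    NONE = 0
    PRIMARY = 1
    PRIVILEGED = 2


@dataclass(frozen=True)
class AuthAccess:
    kind: str                               # NoAccess, FilteredAccess or UnfilteredAccess
    accessible_fields: Optional[str] = None  # only set for FilteredAccess
    view_only: bool = False


# Assumption: constructed file name standing in for an accessiblefields.yaml file.
PRIMARY_FILTER = "example_primary_accessiblefields.yaml"

# Constructed sample data: access each known contact has on one account.
ROLES = {"ab:101": AccessType.PRIVILEGED, "ab:102": AccessType.PRIMARY}


def build_contact_map(jwt_contact_ids: Iterable[str],
                      roles: Dict[str, AccessType]) -> Dict[str, AccessType]:
    """Every contact ID in the token gets a value; unrelated contacts get NONE."""
    return {cid: roles.get(cid, AccessType.NONE) for cid in jwt_contact_ids}


def resolve_access(contact_map: Dict[str, AccessType]) -> AuthAccess:
    """Grant by the least restricted contact; an empty map is denied."""
    level = max(contact_map.values(), default=AccessType.NONE)
    if level == AccessType.PRIVILEGED:
        return AuthAccess("UnfilteredAccess")
    if level == AccessType.PRIMARY:
        # Assumption: primary-payer access is filtered and view-only.
        return AuthAccess("FilteredAccess", PRIMARY_FILTER, view_only=True)
    return AuthAccess("NoAccess")


def access_for(jwt_contact_ids: Iterable[str]) -> AuthAccess:
    return resolve_access(build_contact_map(jwt_contact_ids, ROLES))


if __name__ == "__main__":
    for ids in (["ab:102"], ["ab:102", "ab:101"], ["ab:999"], []):
        print(ids, "->", access_for(ids))
```

Because the widest contact wins, a single privileged contact ID in the token lifts the whole call to unfiltered access, so the set of contact IDs an identity provider places in the JWT is part of the authorization surface.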