Overview of resource access strategies

Strategies and IDs

A resource access strategy is a set of logic that identifies which resources a caller can access.

A resource access ID is a string that identifies either who the caller is or what the caller owns.

For each call, resource access is determined by executing the resource access strategy using resource access IDs as input. For example, suppose a given resource access strategy states "the caller can access information on claims where they are the producer of service for the claim's policy". And suppose, for a given call, the resource access ID is AllRisk-0017. This would mean the following:

  • The caller can access resources that are on claims where the producer code for the policy's producer of service is "AllRisk-0017".
  • The caller cannot access resources that are on claims where the producer code for the policy's producer of service is not "AllRisk-0017".

Some resource access strategies expect a single resource access ID. Other resource access strategies allow for an array of resource access IDs.

The list of resource access strategies

The base configuration includes the following resource access strategies:

Strategy name: cc_contactAuthorizationIds
  Persona using this strategy: Insureds and third-party claimants
  Resource access ID is: An array of contact authorization IDs
  Grants access to: Resources where at least one of the specified contacts has an appropriate business relationship with the resource
  More information: The contactAuthorizationIds resource access strategy

Strategy name: cc_producerCodes
  Persona using this strategy: Producers of service
  Resource access ID is: A set of one or more producer codes
  Grants access to: Resources associated with claims where the producer code for the producer of service on the claim's policy is one of the provided producer codes
  More information: The producerCodes resource access strategy

Strategy name: cc_gwabuid
  Persona using this strategy: Claims service providers
  Resource access ID is: The ABUID (Address Book Unique IDentifier) of the service provider contact
  Grants access to: Resources associated with claims for which the provided ABUID is associated with one of the claim's service providers

Strategy name: cc_username
  Persona using this strategy: Internal users
  Resource access ID is: A ClaimCenter user name
  Grants access to: Resources this internal user could see in ClaimCenter based on their associated Access Control Lists (ACLs)

Strategy name: cc.service
  Persona using this strategy: Trusted service-to-service application
  Resource access ID is: Not applicable
  Grants access to: All resources
  More information: The service resource access strategy

Strategy name: default
  Persona using this strategy: Callers who have been authenticated but specify no resource access strategy with the call
  Resource access ID is: Not applicable
  Grants access to: Typically just metadata resources only (such as API definitions)

Strategy name: unauthenticated
  Persona using this strategy: Callers who have not been authenticated
  Resource access ID is: Not applicable
  Grants access to: Typically just metadata resources only (such as API definitions)

Note: There is also a cc_policyNumbers resource access strategy. This strategy expects the JWT to have an array of policy numbers. It gives access to resources associated with claims whose policy number is one of the provided policy numbers. Guidewire recommends insurers use the cc_contactAuthorizationIds strategy instead of the cc_policyNumbers strategy. The cc_contactAuthorizationIds strategy is more robust, as it provides additional configuration options and is appropriate for both insureds and third-party claimants.

The JWT identifies which resource access strategy to use by listing the strategy name in the scp token claim. If the given strategy requires resource access IDs, then the JWT also contains a token claim whose name is the strategy name and whose contents are the resource access IDs.

For example, suppose that a given call is using the cc_producerCodes resource access strategy with a resource access ID of AllRisk-0017. The JWT would include the following.

"scp": [
  "cc_producerCodes"
],
"cc_producerCodes": [
  "AllRisk-0017"
]

Determining a call's resource access strategy

Resource access strategies are assigned by internal code as described in the following table. For calls made by services with user context, two resource access strategies are assigned, one at the service level and one at the user level. For all other types of calls, only one resource access strategy is assigned.

Strategy name This is assigned to a call when...
cc_contactAuthorizationIds

Any of the following are true:

  • The JWT's scp token claim contains cc_contactAuthorizationIds, or
  • The call includes a user context header, and the header includes a cc_contactAuthorizationIds token claim.
cc_producerCodes

Any of the following are true:

  • The JWT's scp token claim contains cc_producerCodes, or
  • The call includes a user context header, and the header includes a cc_producerCodes token claim.
cc_gwabuid

Any of the following are true:

  • The JWT's scp token claim contains cc_gwabuid, or
  • The call includes a user context header, and the header includes a cc_gwabuid token claim.
cc_policyNumbers

Any of the following are true:

  • The JWT's scp token claim contains cc_policyNumbers (and it does not contain a cc_contactAuthorizationIds token claim), or
  • The call includes a user context header, and the header includes a cc_policyNumbers token claim (and it does not contain a cc_contactAuthorizationIds token claim).
(If the JWT contains both a cc_policyNumbers token claim and a cc_contactAuthorizationIds token claim, then the cc_contactAuthorizationIds strategy is used.)
cc_username

Any of the following are true:

  • The call is using basic authentication, or
  • The JWT's scp token claim contains cc_username, or
  • The call includes a user context header, and the header includes a cc_username token claim, or
  • The JWT specifies a client ID that was mapped to a service account.
cc.service

The JWT's scp token claim contains cc.service.

default

The caller has been authenticated, but the JWT specifies no resource access strategy.

unauthenticated

The caller has not been authenticated.
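The following is an added example, not Guidewire's code, that applies the assignment rules in the table above (and the scp-plus-named-claim JWT layout shown earlier) to a decoded JWT payload. The function names, the `basic_auth` and `service_account_client` flags, and the resolution order beyond "contact authorization IDs before policy numbers" are assumptions of this example.

```python
# Added example, not Guidewire's code: apply this page's assignment rules to
# a decoded JWT payload (dict), optional decoded user-context claims, and
# flags for basic auth / a client ID mapped to a service account.

# Resolution order when a JWT selects several strategies. Only "contact
# authorization IDs win over policy numbers" is from the page; the rest is assumed.
PRIORITY = ("cc.service", "cc_contactAuthorizationIds", "cc_producerCodes",
            "cc_gwabuid", "cc_policyNumbers", "cc_username")

def _pick(claims, selectors):
    """Return (strategy, resource_access_ids) from one set of claims, or None.
    `selectors`: the scp list of a JWT, or the claim names of a user-context header."""
    for name in PRIORITY:
        if name not in selectors:
            continue
        if name == "cc_policyNumbers" and "cc_contactAuthorizationIds" in claims:
            continue  # cc_contactAuthorizationIds wins when both claims are present
        # cc.service carries no IDs; the others carry them in a claim named
        # after the strategy (a single value or an array, as the strategy expects).
        return (name, None if name == "cc.service" else claims.get(name))
    return None

def resolve_strategies(jwt_claims=None, user_context_claims=None,
                       basic_auth=False, service_account_client=False):
    """List the (strategy, ids) pairs assigned to a call; a service call with
    user context gets a service-level entry followed by a user-level entry."""
    if basic_auth:
        return [("cc_username", None)]  # user name comes from the credentials
    if jwt_claims is None:
        return [("unauthenticated", None)]
    selectors = set(jwt_claims.get("scp") or [])
    if "cc_contactAuthorizationIds" in jwt_claims:
        selectors.add("cc_contactAuthorizationIds")
    if service_account_client:
        selectors.add("cc_username")
    assigned = [_pick(jwt_claims, selectors) or ("default", None)]
    if user_context_claims:
        user_level = _pick(user_context_claims, set(user_context_claims))
        if user_level:
            assigned.append(user_level)
    return assigned

def producer_can_see_claim(producer_codes, claim):
    """cc_producerCodes rule: the producer of service on the claim's policy must
    be one of the caller's producer codes. `claim` is a constructed dict."""
    codes = [producer_codes] if isinstance(producer_codes, str) else producer_codes
    return claim["policy"]["producerOfService"] in codes
```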