Filtered access to third-party data

Resource access determines which specific resources a caller can access. For example, a caller with access to the GET /claim/v1/claims endpoint can access claims, but they cannot necessarily access every claim in the system. Resource access determines which claims a caller can access.

Callers who always have access to the same set of fields

For some types of callers, when they have access to a given resource type, they can access the same set of fields on every accessible resource. This typically applies to services and service providers (vendors).

For example, suppose Joe's Auto Shop is a service provider that can access service requests assigned to them. For every service request, they have access to the following fields:

  • customer
  • expectedServiceCompletionDate
  • id
  • instruction
  • kind
  • referenceNumber
  • requestedServiceCompletionDate
  • serviceRequestNumber

Joe's Auto Shop can always access the same fields on every service request. This is because Joe's Auto Shop always has the same business relationship with service requests. Every accessible service request is a service request that is assigned to Joe's Auto Shop.

Callers whose access varies from resource to resource

For other types of callers, some accessible resources contain "third-party data" that the caller is not allowed to access. Therefore, when a caller has access to a given resource type, they cannot always access the same set of fields on every accessible resource. The accessible fields vary based on the business relationship the caller has with the resource. This typically applies to claimants and producers.

For example, suppose Ray Newton is a caller who is a claimant. He is the insured for a claim with two vehicle incidents, one for his car and one for the third party's car. He has access to both vehicle incidents, but the fields he can access vary.

For the vehicle incident for Ray Newton's car, he can access these fields:

  • collisionPoint
  • damageDescription
  • driver
  • equipmentFailure
  • id
  • incidentOwner
  • lossParty
  • passengers
  • vehicle (including all child fields)

For the vehicle incident for the third party's car, he can access only these fields:

  • driver
  • id
  • vehicle (including only the make, model, and year child fields)

Ray does not have access to collisionPoint, damageDescription, equipmentFailure, incidentOwner, lossParty, or passengers because these fields contain third-party data.
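
The filtering described above can be sketched as a deny-by-default allowlist keyed on the caller's relationship to each resource. This is an added example, not code from the original page or from Cloud API; the relationship labels, the incidentOwner-based relationship check, and the sample records (including the vin child field) are assumptions constructed for illustration.

```python
# Added illustration, not Cloud API code. The relationship labels, the
# incidentOwner-based relationship check and the sample data are assumptions.
ALL = object()  # sentinel: field allowed with every child field

# Allowlist per business relationship: field name -> ALL or allowed child fields.
VEHICLE_INCIDENT_FIELDS = {
    "own": dict.fromkeys(
        ["collisionPoint", "damageDescription", "driver", "equipmentFailure",
         "id", "incidentOwner", "lossParty", "passengers", "vehicle"], ALL),
    "third_party": {"driver": ALL, "id": ALL,
                    "vehicle": {"make", "model", "year"}},
}

def relationship(caller_id, incident):
    """Hypothetical rule: the caller owns the incident if they are incidentOwner."""
    owner = incident.get("incidentOwner") or {}
    return "own" if owner.get("id") == caller_id else "third_party"

def filter_incident(caller_id, incident):
    """Return only the fields the caller may access; anything unlisted is dropped."""
    allowed = VEHICLE_INCIDENT_FIELDS[relationship(caller_id, incident)]
    result = {}
    for field, rule in allowed.items():
        if field not in incident:
            continue
        value = incident[field]
        if rule is ALL:
            result[field] = value
        elif isinstance(value, dict):
            # Partial access: keep only the allowlisted child fields.
            result[field] = {k: v for k, v in value.items() if k in rule}
    return result

# Constructed sample data for the two vehicle incidents on Ray Newton's claim.
RAY = "contact:ray"
INCIDENTS = [
    {"id": "vi:1", "incidentOwner": {"id": RAY}, "lossParty": "insured",
     "driver": {"displayName": "Ray Newton"}, "damageDescription": "Rear bumper",
     "vehicle": {"make": "Honda", "model": "Civic", "year": 2019, "vin": "SAMPLE-VIN-1"}},
    {"id": "vi:2", "incidentOwner": {"id": "contact:other"}, "lossParty": "third_party",
     "driver": {"displayName": "Other Driver"}, "damageDescription": "Front fender",
     "vehicle": {"make": "Ford", "model": "Focus", "year": 2017, "vin": "SAMPLE-VIN-2"}},
]

def visible_incidents(caller_id):
    """Apply the per-relationship filter to every incident on the claim."""
    return [filter_incident(caller_id, i) for i in INCIDENTS]
```

Because the filter builds the response from the allowlist rather than deleting known-sensitive fields, a field added to the resource later stays hidden from every relationship until it is explicitly listed.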

Controlling access to third-party data

Cloud API has additional features that are used to control access to third-party data. The access depends on the caller's business relationship with the resource. This topic details these features.

Third-party data access applies only to claimants and producers. Both of these types of callers are users (as opposed to services). Therefore, the remainder of this topic uses the term "user" to refer to the caller.

Also, this topic uses "access" to generically refer to both view and edit permissions. Later sections of this topic detail how to specify the exact permissions a user has on a field that they can access.

For information on the features of resource access that determine which resources a caller can access, see Resource access.