What values are used as resource access IDs?
User names
For some auth flows, resource access IDs are user names. For these auth flows, every call must present a user name or service account name. Resource access is determined by this name. The following Cloud API auth flows support this:
- Internal user
- Service with internal user context
Business IDs
For other auth flows, resource access IDs are business IDs. These IDs represent what the caller owns, such as policy numbers (for ClaimCenter policy holders), account numbers (for PolicyCenter account holders), or address book unique identifiers (for vendors providing services for ClaimCenter claims). For these auth flows, every call must present one or more business IDs. Resource access is determined by what the caller owns. The following Cloud API auth flows support this:
- External user
- Service with external user context
No resource IDs
There are two auth flows that do not use resource IDs.
For standalone services, resource access is enforced by the service itself, and not by Cloud API. Therefore, there is no need to provide resource access IDs.
For services with service account mapping, the service is mapped to a service account. Information in the service account is used to determine resource access, but there are no resource IDs passed within the auth flow.
Summary of behaviors
The following table summarizes these behaviors.
| | Internal User | External User | Standalone service | Service with Internal User Context | Service with External User Context | Service with Service Account Mapping |
|---|---|---|---|---|---|---|
| What are the resource access IDs? | user names | business data (such as policy numbers and account numbers) | not applicable | user names | business data (such as policy numbers and account numbers) | not applicable |
For a summary of all the issues to consider in a single table, see Summary of the issues to consider.