Hello,
When calling the userInfo for a user (either in Separate or Combined CIS2) we get back a list of activity codes. In the docs:
This is described as:
An array of Activity Codes assigned to the End-User’s job role e.g. B0021. Only Activity Codes explicitly granted to the job role are listed, the full set of activities that the End-User can perform must be determined by reference to the [National RBAC Database (Excel spreadsheet) [Archive Content]]
Can you clarify what “Only Activity Codes explicitly granted to the job role are listed” means?
I’ve taken it as meaning that if my user has a permission that includes another it will only include the directly granted one and will not list the included one.
If a user role has a baseline set of activities I’ve been assuming that these are included in the response explicitly and we’re not meant to assume that a user always has the baseline RBAC activities of their role.
Can I confirm if the above assumptions are correct please?
Thank you,
Liam