Access-By-Invite (Token-Secured WorkItem Access)
Grant a specific user access to a specific claim (or letter, or any WorkItem) with an expiration and one-click revoke — no permission spaghetti, no orphan access.
Key benefits
- Per-WorkItem, per-user access grants with token security
- Explicit expiration dates
- One-click revoke terminal state
- Invitation IS the access record — no separate permission table to manage
- Accepts users from any portal (VCA, SPA, ADV, LEA) or external email
The problem
A claimant’s advocate, family member, or attorney sometimes needs access to a specific claim’s details — but only that claim, and only temporarily. A traditional permission model would bolt that user into a role with view access to a whole category, and the access would linger long after the need expired.
How Access-By-Invite works
- Per-WorkItem scope. The grant is tied to one specific claim (or OutDocument, or any WorkItem). Not a category, not a role.
- Explicit expiration. Every invitation has a date when it auto-expires.
- One-click revoke. At any time, staff can revoke: terminal state UserAccessRemoved, immediate.
- Token-secured. The invitation link carries a one-time token; no shared credentials.
- Multi-channel recipient. Grant to an existing VCA/SPA/ADV/LEA user or to an external email address.
Lifecycle
Draft → Sent → Accepted | Cancelled | UserAccessRemoved. Every transition is timestamped. Auditors see exactly who had access to what, when, and for how long.
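The lifecycle and token handling described above, modelled as an added example (not the product's own code). The transition table, storing only a hash of the token, and enforcing expiry at access time are assumptions; the page names the states but not how they are implemented.

```python
import hashlib, hmac, secrets
from datetime import datetime, timedelta, timezone

# Assumed transition table, read off the lifecycle line above.
TRANSITIONS = {
    "Draft": {"Sent"},
    "Sent": {"Accepted", "Cancelled"},
    "Accepted": {"UserAccessRemoved"},
    "Cancelled": set(),            # terminal
    "UserAccessRemoved": set(),    # terminal
}

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

class Invitation:
    """One grant = one user + one WorkItem; the record itself is the permission."""
    def __init__(self, work_item_id, recipient, expires_at, now):
        self.work_item_id, self.recipient = work_item_id, recipient
        self.expires_at = expires_at
        self.state, self.token_hash = "Draft", None
        self.history = [("Draft", now)]      # every transition is timestamped

    def _move(self, new_state, now):
        if new_state not in TRANSITIONS[self.state]:
            raise ValueError(f"{self.state} -> {new_state} not allowed")
        self.state = new_state
        self.history.append((new_state, now))

    def send(self, now):
        token = secrets.token_urlsafe(32)    # travels in the invitation link only
        self.token_hash = _digest(token)     # assumption: only the hash is stored
        self._move("Sent", now)
        return token

    def accept(self, token, now):
        ok = self.token_hash is not None and hmac.compare_digest(
            self.token_hash, _digest(token))  # constant-time comparison
        if not ok or now >= self.expires_at:
            raise PermissionError("invalid or expired invitation")
        self._move("Accepted", now)           # rejects anything not in Sent
        self.token_hash = None                # one-time: the link cannot be replayed

    def cancel(self, now): self._move("Cancelled", now)
    def revoke(self, now): self._move("UserAccessRemoved", now)

    def can_view(self, user, work_item_id, now):
        # Scope, state and expiry are all checked on every access.
        return (self.state == "Accepted" and user == self.recipient
                and work_item_id == self.work_item_id and now < self.expires_at)
```

Because `can_view` re-checks the expiry on every call, an accepted grant stops working at its expiration date even if no job ever updates its state.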
Why this matters
Orphan access is a compliance liability — a user accidentally retains visibility to a claim long after the need ended. Access-By-Invite structurally eliminates orphans: every grant has an expiration, and revocation is one click.