| Time | Status | User Agent | |
|---|---|---|---|
Retrieving recent requests… | |||
Overview
The ExternalAccess action grants secure, time-limited access to a specific record for external users (users without full system accounts). This action creates an ExternalAccessKey that generates a unique, encrypted URL allowing the recipient to view and potentially interact with the record without logging into the system.
When executed, this action:
- Creates an access key with optional expiration date
- Generates a secure URL containing an encrypted token
- Sends an email notification to the recipient with the access link
- Optionally enables one-time password (OTP) authentication for enhanced security
This is commonly used for:
- Allowing claimants to view their claim details
- Enabling vendors to submit invoices or documents
- Granting policyholders access to their policy information
- Sharing inspection results with external parties
- Collecting information via interview forms/mobile forms
Access for Internal Users
If the intended recipient has an Origami account with login credentials, you can use this feature to for convenience-based use cases such as:
- Direct Link Convenience - Bypasses normal navigation. Instead of the user logging in, navigating through menus to find the record, they click the link and go directly to it.
- Mobile/Email Workflow - User gets a notification email with a one-click link, perfect for mobile access or quick reviews without opening the full application.
- Simplified Permissions - The access is scoped to just that specific record and uses the LoginUser permissions from the ExternalAccessType, not the user's full system permissions. This can be more restrictive.
- Time-Limited Access - You can set an expiration (revokeDate), which is useful for temporary reviews or audits.
- Audit Trail - The ExternalAccessKey record tracks when the link was accessed, providing visibility into who viewed what and when.
What happens when the recipient clicks the link?
- Silent Login: The system authenticates them using the encrypted token (no username/password needed)
- Identity Switch: They're logged in as the LoginUser specified in the ExternalAccessType configuration
- Permission Scope: They operate with that LoginUser's permissions, BUT filtered to only the specific record(s) allowed by their access keys, which could be more limited than their full User permissions.
Domain Restrictions
The ExternalAccess action can be used with any domain as long as that domain has been defined in an ExternalAccessType configuration but it requires that an administrator ExternalAccessType be configured for that specific domain.
See also: https://live.origamirisk.com/Origami/ExternalAccessTypes
Practical Example
Scenario: Claim adjuster needs 3 vendors to submit repair estimates for Claim #5000
What happens:
- Execute ExternalAccess action 3 times (once per vendor)
- Each creates a separate ExternalAccessKey
- Each vendor receives their own unique encrypted URL
- All 3 vendors can simultaneously:
- Click their link
- View Claim #5000
- Upload documents/estimates
- Fill out forms
- Each can have different expiration dates
- Adjuster can revoke access individually by updating RevokeDate
Key point: The vendors are NOT "assigned" to the claim. They simply have a magic link that grants them temporary, scoped access to view/interact with that specific claim record.