Business User access API improvements

We’ve released some improvements to the business user access API to allow for the maintenance of restricted access users.

The API endpoint is

GET /api/v2/business/{businessid}/access

An example business access record for an unrestricted user is

   "accessType": "Unrestricted",
   "employeeGroups": null,
   "reports": null,
   "name": "Slade Wilson",
   "email": ""

An example business access record for a restricted access user is:

  "accessType": "Restricted",
  "employeeGroups": [
      "employeeGroupId": 113,
      "permissions": "ApproveTimesheets, ApproveLeaveRequests, CreateTimesheets,
 CreateLeaveRequests, ViewLeaveRequests"
  "reports": {
    "accessType": "None",
    "specificReports": 0
  "name": "Nancy Jones",
  "email": ""

Field Documentation

accessType - allowed values are Unrestricted (default) and Restricted
employeeGroups > permissions - the specific permissions for a restricted user for a particular employee group. Allowed values can be retrieved from /api/v2/business/{businessid}/lookupdata/employeegrouppermissions
reports > accessType - allowed values are None, SpecificReports or AllReports
reports > specificReports - should only be specified if accessType is set to SpecificReports. This should be a comma separated list of report ids (which can be retrieved from /api/v2/business/{businessid}/lookupdata/reports). If access type is not specific reports, set the value of specificReports to zero (0)

Refer to for more details

Hi Paul, I’m trying to create an unrestricted access but no luck. Can you guide me on where do I do wrong in my params? Thanks. Here I included my screenshot

I’d tried the above example. But still getting the “An error has occured”.

Hi Daniel,

I believe my colleague replied to you via a support ticket , but for prosperity I will note that:

  1. you need to be sending through the data as JSON rather than as key value pairs
  2. you need to set the content type to application/json via a HTTP header
  3. in postman, this information would be sent through in the body section, rather than the Params section.
  4. {: and }: is NOT valid JSON

See screenshot below for a basic example of granting user access: