Business User access API improvements

We’ve released some improvements to the business user access API to allow for the maintenance of restricted access users.

The API endpoint is

GET /api/v2/business/{businessid}/access

An example business access record for an unrestricted user is

   "accessType": "Unrestricted",
   "employeeGroups": null,
   "reports": null,
   "name": "Slade Wilson",
   "email": ""

An example business access record for a restricted access user is:

  "accessType": "Restricted",
  "employeeGroups": [
      "employeeGroupId": 113,
      "permissions": "ApproveTimesheets, ApproveLeaveRequests, CreateTimesheets,
 CreateLeaveRequests, ViewLeaveRequests"
  "reports": {
    "accessType": "None",
    "specificReports": 0
  "name": "Nancy Jones",
  "email": ""

Field Documentation

accessType - allowed values are Unrestricted (default) and Restricted
employeeGroups > permissions - the specific permissions for a restricted user for a particular employee group. Allowed values can be retrieved from /api/v2/business/{businessid}/lookupdata/employeegrouppermissions
reports > accessType - allowed values are None, SpecificReports or AllReports
reports > specificReports - should only be specified if accessType is set to SpecificReports. This should be a comma separated list of report ids (which can be retrieved from /api/v2/business/{businessid}/lookupdata/reports). If access type is not specific reports, set the value of specificReports to zero (0)

Refer to KeyPay API Reference: Specifications list for more details

Hi Paul, I’m trying to create an unrestricted access but no luck. Can you guide me on where do I do wrong in my params? Thanks. Here I included my screenshot

I’d tried the above example. But still getting the “An error has occured”.

Hi Daniel,

I believe my colleague replied to you via a support ticket , but for prosperity I will note that:

  1. you need to be sending through the data as JSON rather than as key value pairs
  2. you need to set the content type to application/json via a HTTP header
  3. in postman, this information would be sent through in the body section, rather than the Params section.
  4. {: and }: is NOT valid JSON

See screenshot below for a basic example of granting user access: