Time off API: new permission required to access attachments
The Time off module in Bob now respects a new permission for viewing attachments in time off requests:
People's Data > Time off > Requests > View, download, and edit attachments
Previously, having only the permission "Create, edit all fields, and cancel people's requests that haven't been approved yet" was enough to access attachments via Bob and via the Public API. Now, only users and service users who have the new permission have access to attachments.
This new permission helps meet privacy and compliance requirements (e.g., for US regulations), keeps sensitive data like doctors’ notes secure, and allows managers to approve time off without seeing private documentation.
What’s new in the Public API
To align with this new permission, the following endpoint has been updated:
- Get the details of an existing time off request - it now checks for this new permission before returning any attached files.
If a service user lacks this permission, attachment details will be masked in the response like this:
"attachmentLinks": [
  {
    "name": "******",
    "url": "******",
    "mimeType": "******"
  }
]
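An integration can check for the masked response shown above explicitly, so that "******" is never passed on as a download URL or file name. This is an added example, not Bob's own code: the function names, the exception and the sample responses are hypothetical, and only the attachmentLinks fields and the mask value come from the response above.

```python
from dataclasses import dataclass

MASK = "******"  # mask value as shown in the response on this page
REQUIRED_PERMISSION = ("People's Data > Time off > Requests > "
                       "View, download, and edit attachments")


class AttachmentPermissionError(Exception):
    """Raised when attachment details came back masked (hypothetical name)."""


@dataclass(frozen=True)
class Attachment:
    name: str
    url: str
    mime_type: str


def is_masked(link: dict) -> bool:
    # Treat an entry as masked if any of the three documented fields is the mask,
    # so a partially masked entry is never handed to a downloader.
    return any(link.get(key) == MASK for key in ("name", "url", "mimeType"))


def extract_attachments(request_details: dict) -> list:
    """Return usable attachments, or raise if the service user lacks access."""
    links = request_details.get("attachmentLinks") or []
    masked = [link for link in links if is_masked(link)]
    if masked:
        raise AttachmentPermissionError(
            f"{len(masked)} of {len(links)} attachment(s) masked; "
            f"grant the service user's permission group: {REQUIRED_PERMISSION}")
    return [Attachment(link["name"], link["url"], link["mimeType"])
            for link in links]


# Constructed sample responses; only the attachmentLinks shape is from the page.
MASKED_RESPONSE = {"attachmentLinks": [
    {"name": "******", "url": "******", "mimeType": "******"}]}
CLEAR_RESPONSE = {"attachmentLinks": [
    {"name": "note.pdf", "url": "https://files.example.invalid/note.pdf",
     "mimeType": "application/pdf"}]}
NO_ATTACHMENTS = {}  # a request with no attachmentLinks field at all
```

Failing loudly on a masked entry separates "no attachment was submitted" from "the service user is not allowed to see it", which would otherwise look the same to downstream processing.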
⚠️ Action required
If your integration relies on access to attachments, make sure to grant your service user's permission group the following permission: People’s data > Time off > Requests > View, download, and edit attachments.
To learn more, see Time off required permissions.
