
Access denied pattern #158

Open
mtallamy opened this issue Sep 11, 2018 · 9 comments
Labels
pattern Goes in the 'Patterns' section of the Design System

Comments

@mtallamy

What

Pattern for Access Denied resource page, responding to an HTTP 403

Why

For authenticated sites, particularly for users with different roles/claims, they need to indicate where access to a resource has been forbidden.

Anything else

This is likely to take a similar format to the existing resource not found (404) pattern.

@stevenaproctor

stevenaproctor commented Sep 11, 2018

@mtallamy The default one for HMRC is almost identical to the 404. We tried to keep it general rather than too technical.

<h1>You do not have permission to access this service</h1>
<p><a href="mailto:emailaddress">Email emailaddress</a> if you think you do have permission to access this service.</p>

@mtallamy
Author

Thanks for this @stevenaproctor. I agree that it should be non-technical and very close to the 404, which is what we've implemented as a starter for 10 (adapting the 404 pattern). I also agree there should be contact details if the user thinks they should have access.

The example you give appears to assume that a user doesn't have access to the entire service, which in our case at least might not be the case. I'd prefer to see the message relate to a specific resource, rather than the entire service.

From a security perspective, and this moves away from my request for a specific 403 page, I wonder if there should be any differentiation between a 403 and a 404, i.e. should we indicate to a (potentially malicious) user that a resource does exist, even though they don't have access to it? I'd be interested in opinions on this.
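
The trade-off raised in the comment above, as an added example that is not part of the original thread or of any participant's service: one handler with both behaviours (a distinct 403 page, or the same 404 for forbidden and missing resources) and a regression check that reports whether a client can tell the two cases apart. The paths, roles, page text and function names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: resource path -> roles allowed to read it.
RESOURCES = {
    "/cases/1001": {"caseworker", "manager"},
    "/cases/1002": {"manager"},
}
NOT_FOUND_PAGE = "<h1>Page not found</h1>"
FORBIDDEN_PAGE = "<h1>You do not have permission to access this page</h1>"
AUDIT_LOG = []  # server-side record of the real reason, never sent to the client


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def handle(path, roles, mask_forbidden):
    """Return the client-visible response for a GET by a signed-in user.

    mask_forbidden=False: a forbidden resource gets 403 and its own page.
    mask_forbidden=True:  a forbidden resource gets the same 404 as a
    missing one, so the response does not confirm that it exists.
    """
    allowed = RESOURCES.get(path)
    if allowed is None:
        AUDIT_LOG.append((path, "missing"))
        return Response(404, NOT_FOUND_PAGE)
    if not (set(roles) & allowed):
        AUDIT_LOG.append((path, "forbidden"))  # real reason kept for support staff
        if mask_forbidden:
            return Response(404, NOT_FOUND_PAGE)
        return Response(403, FORBIDDEN_PAGE)
    AUDIT_LOG.append((path, "ok"))
    return Response(200, f"<h1>Case {path.rsplit('/', 1)[-1]}</h1>")


def reveals_existence(roles, forbidden_path, missing_path, mask_forbidden):
    """Regression check: True if a client can tell the two cases apart."""
    return (handle(forbidden_path, roles, mask_forbidden)
            != handle(missing_path, roles, mask_forbidden))


if __name__ == "__main__":
    for mask in (False, True):
        leak = reveals_existence({"caseworker"}, "/cases/1002", "/cases/9999", mask)
        print(f"mask_forbidden={mask}: existence distinguishable = {leak}")
```

The check compares status and body only; response headers and timing would need the same comparison in a real service. With masking on, a user who should have access sees the 404 page, so the contact route discussed in the thread has to live there.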

@stevenaproctor

@mtallamy Good point about being able to access the service versus the resource. We use "service" because that is the more common case but there would definitely be times when people could not get into specific resources or journeys. But, in our case, this would be handled, generally, without getting a https error.

Our page is almost identical to our 404 but we felt saying 'Page not found' was not the best user experience.

@CharlotteDowns CharlotteDowns added the pattern Goes in the 'Patterns' section of the Design System label Oct 13, 2021
@adyhoran1

adyhoran1 commented May 20, 2022

Myself and other DfE content designers have created 'You do not have access' pages for internal services. I think a pattern that gives guidance to Civil Service on whether and how to create 'You do not have access' pages would be very useful 🙂

[Images: example pages titled "You do not have permission to perform this action" and "You do not have access"]

@Huskyteer

Example from the Home Office used for 401 and 403 errors.

[Image: Screenshot 2022-05-20 at 16 56 11]

@Ciandelle

Quick question - do we feel like this idea is covered by the 'There is a problem with the service' pages?

@edwardhorsford

> Quick question - do we feel like this idea is covered by the 'There is a problem with the service' pages?

@Ciandelle they're similar / related, but it's a different content need.

@edwardhorsford

@Ciandelle I do think there could possibly be a single section on error pages with a bunch of different examples - you don't necessarily need a 'pattern' on each...

@mtallamy
Author

> @Ciandelle I do think there could possibly be a single section on error pages with a bunch of different examples - you don't necessarily need a 'pattern' on each...

agreed, sounds good!
