Go directly to contents.
Suomi.fi e-Authorizations

Requirements concerning logs

General requirements

The recording of event information is based on the Support Services Act. In order to enable ex post control, event and log data on  disclosures and other processing of data shall be kept. The terms and conditions of use of Suomi.fi e-Authorizations require that the user organisation maintain and save the event and log data required by the  service. 

The event and log data is based on identified user  organisations and users and other information on data processing and the end user. If there is cause to suspect abuses, the event and log data  makes it possible to investigate who has processed the data and on what  grounds. The service provider (DVV) has the right to obtain information  required by it on service use from a user organisation or a user within a deadline set by it.

The Digital and Population Data Services Agency requires that event  data on acting on behalf of another party be recorded for at least five  (5) years after the event, unless the legislation applicable to the  e-service requires the storage of event data for a shorter or longer  period. On the basis of the transaction data of the e-service, a person  acting on behalf of another party, the party on whose behalf someone is  acting, the time of acting on behalf of another party, and the content  and end result of acting on behalf of another party must be available  afterwards. This data is stored so that it can be examined afterwards  for the needs of both the e-service and Suomi.fi e-Authorizations.

The following information must be available in the event log:

  • Who is acting on behalf of whom and in what matters.
  • When they used the service (time stamps for completed surveys and answers given on Suomi.fi e-Authorizations).
  • Mandate survey response details.

Self-service services (WEB API / Data Exchange Layer)

Records to log

  • Request message requestId: Unique identifier of the event.
  • Unique identifier of the agent of the request message.
  • Unique identifier of the request message principal (if given).
  • Response message information on the right to use services / roles / authorisations.

Transactions taking place in the service location (REST API)

Records to log

1. In the X-userId header element: The identity (e.g. personal identity code or assertion of an identification event) of the person conducting  the mandate survey (i.e. an official). For example, X-userId: <user id> ; <site id> 

  • User ID = personal identity code or other unique identifier of the customer service / office official.
  • Site ID = Site unique code or other string or site name.
  • A semicolon is used as a separator character for records in order to use the program to separate the identifier of the operator and the  service location, if necessary.

2. Request_id: Unique identifier of the event

3. Unique identifier of the agent

4. Unique identifier of the client

5. Response message information on the right to use services / roles / authorisations

Examples

Acting on behalf of another person

Request message (Delegate query): 

{rova_host}/service/hpa/api/delegate/{sessionId}?requestId={requestId}&access_token={access_token}

Request message (AuthorizationList query): 

{rova_host}/service/hpa/api/authorizationlist/{sessionId}/{personId}?requestId={requestId}&access_token={access_token}

The most relevant log records for transaction data from the request message:

  • personId = unique identifier of the agent / assignee / agent. Finns use a personal identity code and foreigners have a UID.
  • requestId = unique identifier of the request. Based on this information, it is possible to find the same log entry in the  DVV and e-service log files and compare them if necessary.

Response message (Delegate query): 

[{"personId":"310813A951F","name":"Kumpulainen Onni Matias"}]

Response message (AuthorizationList query): 

{"reasons":[],"roles":["ALL","http://valtuusrekisteri.suomi.fi/terveydenhuollon_asioiden_hoito"]}

The most relevant log records for event data from the response message:

  • personId = unique identifier of the client /  assignor / subject of transaction. Finns use a personal identity code  and foreigners have a UID.
  • roles = information on the right to use the  service. When acting on behalf of a minor dependent, this is ALL or  empty. In transactions on behalf of another party based on a mandate,  this is the technical identifier (URI) of the mandate theme.

Acting on behalf of a company

Request Message (OrganizationRoles query): 

{rova_host}/service/ypa/api/organizationRoles/{sessionId}/{organizationId}?requestId={requestId}&access_token={access_token}

The most relevant log records for transaction data from the request message:

  • organizationId = unique identifier of the company  or other organisation. Finnish companies enter a business ID and foreign companies use a foreign business ID.
  • requestId = unique identifier of the request. Based on this information, it is possible to find the same log entry in the  DVV and e-service log files and compare them if necessary.

Response message: 

[{"name":"Lumi Global Oy","identifier":"2305162-8","complete":true,"roles":["TJ, NIMKO, "http://valtuusrekisteri.suomi.fi/palkkatietojen_katselu"]}]

The most relevant log records for event data from the response message:

  • identifier = business ID
  • roles = the roles of the basic registers returned by the mandate query and the mandates of the authorisation register
Updated: 8/9/2025

Are you satisfied with the content on this page?