To access our services, a user must be signed in to a GOV.UK One Login account with the correct permissions. They might not have access to one of our services if they:

  • have not been granted permissions
  • do not have the right permissions set up
  • do not have permission to access that part of the service

To find out more about users and their permissions, read Adding permissions for ‘Manage’ and ‘Manage connection requests’.

Finding a pattern

We looked for a pattern to reuse. Although there was nothing in the GOV.UK design system or the Department for Education design system, there’s currently an access denied issue in the design system backlog. We reused the ‘you do not have access to this service’ page from this issue for the case where a user has no access. We chose the ‘you do not have permission to perform this action’ page for when a user has incorrect access.

No access

In this scenario, a user tries to access any part of the service. They’re signed in to their GOV.UK One Login account but there are no permissions associated with that account to access our services.

This results in a 401 page, which:

  • tells the user they do not have access to our service
  • suggests who they should contact if they need access

View the 401 ‘access denied’ page in our prototype. The password is: proto

Incorrect access

The most likely reason for this scenario is that someone sends the user a deep link into one of our services, for example to view a connection request. The user has permissions for one of our services, but not the permissions they need to access the link they received.

This results in a 403 page, which:

  • tells the user they do not have permission to perform this action
  • suggests who they should contact to get access

It’s possible that either they should not have access to that part of the service or that their permissions were set up incorrectly.

View the 403 ‘you do not have permission to perform this action’ page in our prototype. The password is: proto
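
The ‘No access’ and ‘Incorrect access’ scenarios above, written as a route guard. This is an added illustration, not code from the service. It assumes the user is already signed in; the route paths and the refusal of unmapped paths are assumptions, and the permission names are the two mentioned on this page.

```javascript
// Hypothetical route table: the paths are constructed for this example.
// The permission names are the two named on this page.
const ROUTE_PERMISSIONS = [
  { pattern: /^\/manage(\/.*)?$/, requires: 'Manage' },
  {
    pattern: /^\/connection-requests(\/[^/]+)?$/,
    requires: 'Manage connection requests',
  },
];

// Return the permission a path needs, or null if the path is not mapped.
function requiredPermission(path) {
  const route = ROUTE_PERMISSIONS.find((r) => r.pattern.test(path));
  return route ? route.requires : null;
}

// user: a signed-in account, shaped as { permissions: string[] } (assumed).
function decideAccess(user, path) {
  const held = new Set(user.permissions || []);

  // No access: signed in, but no permissions for any of the services.
  if (held.size === 0) {
    return { status: 401, page: 'You do not have access to this service' };
  }

  // Incorrect access: the user holds some permission, but not the one the
  // deep link needs. Unmapped paths are refused too (assumption: fail closed).
  const needed = requiredPermission(path);
  if (needed === null || !held.has(needed)) {
    return {
      status: 403,
      page: 'You do not have permission to perform this action',
    };
  }

  return { status: 200, page: null };
}

// Constructed case: a user with only 'Manage' follows a deep link
// to a connection request and gets the 403 page.
console.log(decideAccess({ permissions: ['Manage'] }, '/connection-requests/123'));
```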

Future considerations

We know that our 401 and 403 pages do not make it very easy for users to find out how they get access, if they need it. This is particularly important in the case of the 403 page, which might mean that someone’s permissions have not been set up correctly.

After we’ve designed our minimum viable product, we plan to introduce a user flow from these pages to help users find the person in their local authority to contact for access.