This function is called to obtain the security policy associated with the object. In the ACL-based systems, this information represents the object ACL, whereas in a capability-based systems, this information may contain a list of authorities allowed to grant capabilities. If no security information is attached to the object, then this function can be omitted.
This function tells the application server whether the requested operation or set of operations is authorized, or if additional application-specific checks are required. It returns the code YES if all requested operations are authorized, NO if at least one operation is not authorized, MAYBE if there are some unevaluated restrictions and additional application-specific checks are required. A list of restrictions is also returned, each restriction being marked as evaluated or not evaluated.
The application must understand the restrictions that are returned unevaluated, otherwise it rejects the request. If the application understands the restrictions, it checks them against the information about the request, the target object, or other environment conditions to determine whether the restrictions have been met.
This function allows the application to discover access control policies associated with the targeted object applied to particular principal. It returns a list of rights that the principal is authorized for and corresponding restrictions, if any.