Access Check

The access checks performed by the checkAccess() method are similar to role checks.

There are two differences regarding access checks:

Instead of a role name, a SecResource instance and an action string are supplied. The SecResource object is retrieved with the help of the attribution provider, so it is not possible to perform access checks without an attribution provider installed.
A com.sybase.security.SecEnvironment instance may be present, depending on which variant of the method was called.

This argument is additional information the client must pass to the back-end security provider. This could be information about where the security check occurs or extra rules to evaluate in addition to the standard security check. The contents of this structure are not defined by the CSI except to declare it as attributed. Clients and providers need to coordinate what attributes are supported and meaningful. It is important for authorization providers to know when to return NO and when to return ABSTAIN. The same decision flow should be used to determine the return value for the checkAccess() method.