protected override bool DoCheckAccessLevel(ISecurityManager secman, ISession session, AccessLevel access) { //Bypass security checks if the data is needed for system use if (SecurityFlowScope.CheckFlag(SYSTEM_USE_FLAG)) { return(true); } if (!base.DoCheckAccessLevel(secman, session, access)) { return(false); } if (!Target.IsAssigned) { return(true); } var id = Target.AsString(); //allow{ path='*' } - match all //deny { path='*@fin::*' } - but deny access to `fin` forest //deny { path='geo@class::*' } - any `geo` tree in `class` forest if (!access.Data.ChildrenNamed(ALLOW_SECT) .Any(c => id.MatchPattern(c.ValOf(PATH_ATTR)))) { return(false); //NONE allowed } if (access.Data.ChildrenNamed(DENY_SECT) .Any(c => id.MatchPattern(c.ValOf(PATH_ATTR)))) { return(false); //Deny match } return(true); }