Permissions are enforced by initiating the access check, and by anchoring at one of the security levels: device, network, workspace, or system. The choice of the security level depends on the operation performed.
For instance, system level is selected for system operations, such as user management operations; and network level is chosen for network-centric operations, such as modifying a network, managing views, viewing device details, and so on.
Enforcement at the network, workspace, and the device levels also requires an access context, which involves the target concrete resource that is being accessed directly or indirectly by the user operation.
This helps in examining the permissions associated with that resource for the user attempting the access. Every service method enabling the user operation is secured by an interceptor that implements the appropriate access checks for the methods.
The access controller implements business logic to determine if the supplied Principal has the correct privileges required for the service method.