Authorisation BOM

To verify whether an administrative user can access a Business Object, it is generally sufficient to check that the user has the SIDs that are required to read and write instances of the Business Object Type. As noted above, the SIDs required for a particular Business Object are provided to CTM by implementing curam.util.ctm.bom.SecurityBOM.

However, some Business Object Types may have more advanced security requirements, involving custom programmatic security checks. These checks can be implemented in curam.util.ctm.bom.AuthorisationBOM for the Business Object Type. If curam.util.ctm.bom.AuthorisationBOM is provided for a Business Object Type, it will be used instead of the curam.util.ctm.bom.SecurityBOM to verify whether or not a user can read or write instances of the Business Object Type.

This BOM can be implemented by providing an implementation of the interface curam.util.ctm.bom.AuthorisationBOM. Please refer to the Javadoc for curam.util.ctm.bom.AuthorisationBOM for further information.
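The precedence rule above means that once an AuthorisationBOM is provided, the SID requirement from the SecurityBOM is no longer checked unless the custom check applies it itself. The following added example, which is not Curam code, models this with simplified stand-in interfaces. The names SidSource, CustomCheck and canAccess, the SID strings and the user-name rule are all assumptions made for illustration; the real method signatures are in the Javadoc.

```java
import java.util.Set;

// Simplified stand-ins for illustration only; these are NOT the Curam interfaces.
interface SidSource { Set<String> requiredSids(); }   // plays the role of SecurityBOM
interface CustomCheck {                                // plays the role of AuthorisationBOM
    boolean canAccess(String user, Set<String> userSids);
}

public class BomPrecedenceDemo {

    // Models the rule in the text: a custom check, when provided, is used
    // INSTEAD of the SID comparison, not in addition to it.
    static boolean canAccess(String user, Set<String> userSids,
                             SidSource sids, CustomCheck custom) {
        if (custom != null) {
            return custom.canAccess(user, userSids);
        }
        return userSids.containsAll(sids.requiredSids());
    }

    public static void main(String[] args) {
        // Constructed sample SIDs and users.
        SidSource sids = () -> Set.of("CASE.READ", "CASE.WRITE");
        Set<String> noSids = Set.of();
        Set<String> allSids = Set.of("CASE.READ", "CASE.WRITE");

        // Constructed policy: only accounts with this prefix may access the object.
        CustomCheck ruleOnly = (user, userSids) -> user.startsWith("relmgr_");

        // Same policy, but the custom check re-applies the SID requirement itself.
        CustomCheck ruleAndSids = (user, userSids) ->
                ruleOnly.canAccess(user, userSids)
                        && userSids.containsAll(sids.requiredSids());

        System.out.println("SID check only, user has no SIDs:      "
                + canAccess("relmgr_amy", noSids, sids, null));
        // Here the SID requirement is bypassed because the custom check replaced it.
        System.out.println("custom rule only, user has no SIDs:    "
                + canAccess("relmgr_amy", noSids, sids, ruleOnly));
        System.out.println("custom rule + SIDs, user has no SIDs:  "
                + canAccess("relmgr_amy", noSids, sids, ruleAndSids));
        System.out.println("custom rule + SIDs, user has all SIDs: "
                + canAccess("relmgr_amy", allSids, sids, ruleAndSids));
    }
}
```

When reviewing an AuthorisationBOM implementation, confirm whether the SID requirement is still meant to apply and, if so, that the custom check enforces it.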