By default, all Workspaces share an AccessManager instance, created by RepositoryService at the startup (DefaultAccessManagerImpl) which supports default access control policy as described in the Access Control section. Custom Access Control policy can be applied to certain Workspace configuring access-manager element inside workspace as follows:

<workspace name="ws">        

   ...

   <!-- after query-handler element -->

   <access-manager class="org.exoplatform.services.jcr.CustomAccessManagerImpl">

      <properties>

         <property name="someProperty" value="value"/>

         ...

      </properties>

  </access-manager>

  ...

</workspace>

When implementing AccessManager, hasPermission() method has to be overriden so it uses the current invocation context at its discretion. For instance, it may get the current node's metadata and make a decision if the current User has appropriate permissions. Use Invocation Context's runtime properties to make a decision about current Session's privileges (see the Example below)

Simplified Sequence diagram for the Session.getNode() method (as an Example):