This function is called whenever accessing a specific value of an attribute of an entry, so it gives the highest granularity and flexibility in implementing custom access control that can entirely bypass the functionalities provided by slapd.

When an overlay that provides the bi_access_allowed hook is instantiated, the control during access checking is passed to the overlay's function first. That function may return 0 (deny) or 1 (grant); in this case, the result value is immediately returned to the caller.

If that function returns SLAP_CB_CONTINUE, the control is passed to the following overlay in the list, and eventually to the database specific function, if any, or to the frontend function for conventional access checking.