January 26, 2006 02:34
Programming, Java, ATG Dynamo
The ATG security framework has long been a source of fascination to me. Mostly because I couldn't figure the damn thing out.

The canonical reference is here, but there's one vital piece of information missing. It doesn't tell you where you get a secured object from.

I broke down tonight and (using this opportunity to try out Enterprise Architect 6.1) mapped it out.

Security in ATG can be broken down into three areas. There's user- and persona-related information. There's access-right information. And finally there's the "secured object", which says who can do what.

[Diagram: user]

There are the rights:

[Diagram: rights]

And finally there are the secured objects. The code sample for determining the rights of a secured object is:

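// Look up the policy that governs this secured object, then ask it about the user.
SecurityContext context = securedObject.getSecurityContext();
SecurityPolicy policy = context.getSecurityPolicy();
// true if the user holds the EXECUTE right on the secured object
boolean hasAccess = policy.hasAccess(securedObject, user, StandardAccessRights.EXECUTE);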

Most of the security framework assumes secured repository items. I had thought that you could use AccessConfiguration, but those classes are not only undocumented, but they're not functional. The only way I've found to get good secured objects is to use /atg/webservice/security/NucleusSecurityManager, mentioned in the Integration Framework guide. This uses a repository for the secured objects, but since it's a part of DAS and there's an Admin interface that allows you to add items yourself, it's not too much hassle.

[Diagram: secured objects]

So. If you want to use a restricted-access secured object, create a new user in the ACC. Then add the user to a group. Then bring up the NucleusSecurityManager and add a new functional id to it with the ACL of the group. After that, you just get the SecurityObject from the SecurityManager, and run through it as usual.
