Access to VTS components, objects, and Security Manager dialogs can be further controlled by workstation-specific access restrictions. Restrictions are enforced through two strings of bits called the "system station mask" and the "application station mask". Each bit in each string restricts the corresponding system privilege or application privilege.
In this context, "enforcement" refers to the imposition of workstation-specific access restrictions, while "exemption" refers to the lack of imposition of these restrictions on users with the Station Mask Bypass system privilege.
The enforcement/exemption process takes place whenever the SecurityCheck function is called. If the user is not exempt, the security bit in the user's appropriate Privilege string is ANDed with the corresponding bit in the station mask bit string. If the result is 0, the user does not have the Privilege at that workstation, even if the user has been granted that Privilege.
If the station mask is not specified for a particular workstation, the user is considered to be exempt from access restrictions on that workstation. If new Privileges are added online, the user is exempted from access restrictions on that workstation for those Privileges until the station mask is explicitly modified to enforce restrictions for those Privileges.