Get the applicable role or DN of the user from the SSOToken and check it against a pre-configured (or hardcoded) list of roles or users that are allowed access.
The administrator must configure a role and assign to this role all policy agents and other entities, such as applications, that can possibly log into Access Manager.
Instantiate a PolicyEvaluator and call PolicyEvaluator.isAllowed(ssotoken, logname).
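An added example, not code from Access Manager or from the original page, of the first approach narrowed to the DN case: a fail-closed allowlist that compares parsed DNs instead of raw strings. The class name and the sample DNs are constructed for illustration, and the caller is assumed to pass in the DN taken from an already validated SSOToken.

```java
import java.util.HashSet;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

// Added example (not Access Manager code): fail-closed DN allowlist for log access.
public class LogAccessAllowlist {
    private final Set<LdapName> allowed = new HashSet<>();

    // A malformed entry fails at start-up instead of silently never matching.
    public LogAccessAllowlist(String... configuredDns) throws InvalidNameException {
        for (String dn : configuredDns) {
            allowed.add(new LdapName(dn));
        }
    }

    // principalDn is the DN taken from the validated SSOToken, for example
    // ssoToken.getPrincipal().getName() in the Access Manager SDK.
    public boolean isAllowed(String principalDn) {
        if (principalDn == null || principalDn.isEmpty()) {
            return false; // no identity: deny
        }
        try {
            // LdapName.equals/hashCode compare RDN by RDN and ignore case, so
            // "UID=Agent1,..." and "uid=agent1,..." are the same entry.
            return allowed.contains(new LdapName(principalDn));
        } catch (InvalidNameException e) {
            return false; // unparseable DN: deny, never fall back to a string compare
        }
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed sample DNs, not values from any real deployment.
        LogAccessAllowlist acl = new LogAccessAllowlist(
            "uid=agent1,ou=agents,dc=example,dc=com",
            "uid=logwriter,ou=apps,dc=example,dc=com");
        String[] candidates = {
            "UID=Agent1,OU=Agents,DC=example,DC=com",      // listed, different case
            "uid=agent1,ou=agents,dc=example,dc=com,dc=x", // listed DN plus an extra component
            "uid=someuser,ou=people,dc=example,dc=com",    // not listed
            "not a dn"                                     // malformed
        };
        for (String dn : candidates) {
            System.out.println(dn + " -> " + (acl.isAllowed(dn) ? "allow" : "deny"));
        }
    }
}
```

A hardcoded list is shown only to keep the example self-contained; loading the entries from configuration keeps the allowlist auditable and changeable without a rebuild.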