In the first phase, a policy request is issued for the search itself, using the search action. If the policy result is deny, the search is not performed. Otherwise, statements in the policy result are applied to the search filter, giving statements a chance to alter the filter.
You can only use statement types that are written specifically for the search action. For example, you can use the Add Filter statement type to constrain the scope of a search.
You can also use the Combine SCIM Search Authorizations statement type at this point. If you use this statement, search results are authorized by using a special mode, described in Search response authorization.
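The following Python sketch is an added illustration, not product code: it models the first phase described above, including the deny short-circuit and a filter-constraining statement. The statement names, the dict shapes, the rejection of non-search statements, and the assumption that an Add Filter payload is ANDed with the client's filter are all assumptions made for the example.

```python
# Added illustration: a simplified model of the first phase, not product code.
# Statement names and dict shapes are hypothetical stand-ins.

SEARCH_STATEMENTS = {"add-filter", "combine-scim-search-authorizations"}


def first_phase(decision, statements, client_filter):
    """Return (filter_to_run, combined_mode), or None when the search is denied."""
    if decision == "deny":
        return None  # the search is not performed at all
    effective = client_filter
    combined_mode = False
    for st in statements:
        name = st["name"]
        if name not in SEARCH_STATEMENTS:
            # Model's choice: reject statements not written for the search action.
            raise ValueError(f"statement {name!r} is not valid for search")
        if name == "add-filter":
            # Assumption: the added filter is ANDed with the current one.
            # Parenthesize both sides: SCIM "and" binds tighter than "or",
            # so a bare client "a or b" would otherwise escape the constraint.
            required = st["payload"]
            effective = f"({effective}) and ({required})" if effective else required
        else:
            combined_mode = True  # results use the special authorization mode
    return effective, combined_mode


# Constructed sample input.
CLIENT_FILTER = 'userName sw "a" or title pr'
STATEMENTS = [
    {"name": "add-filter", "payload": 'department eq "sales"'},
    {"name": "combine-scim-search-authorizations"},
]

if __name__ == "__main__":
    print(first_phase("permit", STATEMENTS, CLIENT_FILTER))
    print(first_phase("deny", STATEMENTS, CLIENT_FILTER))
```

When reviewing a search policy, check the effective filter rather than the statement payload alone: a constraint that is concatenated without grouping can be weakened by an `or` in the client's filter.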