Do you want to control and determine access permission from your software/application, not from Suprema devices?
Starting with SDK 2.5.0, this is possible with the GlobalAPB Zone Control modules. Let's see the BSDemo sample code and how it is working.
Although this is based on Global APB, Access rule is set. However, if you program your own access rules in the BS2_SetCheckGlobalAPBViolationHandler, you can set up your own rules instead of Global APB rule.
Access control from the server sample - Global APB
1. Initial setting : BS2_SetCheckGlobalAPBViolationHandler
2. User ID OPVSA access : Callback function OnCheckGlobalAPBViolation is called every access to check access rules(Please put your own rule in the callback function)
callback is called (Device sends isDualAuth=true twhen dual auth is on device)
Rule checker in the callback function
BS2_CheckGlobalAPBViolation returns the access rule(the rule in the onCheckGlobalAPBViolation) results
Result
3. User OPVSA access again the same device
Rule check : If the user access the same device? -> YES
Result : -1202 (BS_SDK_ERROR_HARD_APB_VIOLATION)
BS2_CheckGlobalAPBViolation result : -1202 (BS_SDK_ERROR_HARD_APB_VIOLATION)
Final results 
Caution
FW returns the default value(BS_SDK_SUCCESS) after auth timeout.