The COBOL program can perform additional checks (e.g., user X can only view account Y if they own it). This is business logic authorization, not infrastructure authorization.