When extending ServiceAuthorizationManager, what does the base implementation provide?
The entry point for ServiceAuthorizationManager comes from the authorization behavior of the service and goes first to CheckAccess(OperationContext, Message). This first version of CheckAccess does nothing but forward to CheckAccess(OperationContext). It's this second version of CheckAccess that does all of the work.
The base implementation of CheckAccess does two things for you.
First, CheckAccess uses GetAuthorizationPolicies to compute the set of authorization policies for the ServiceSecurityContext. This method takes the authorization policies from the inner ServiceSecurityContext on the SecurityMessageProperty and folds in the external authorization policies from the property. The combined set of policies becomes the set of authorization policies used for the ServiceSecurityContext of the operation.
Second, CheckAccess calls CheckAccessCore for people that want to use this lighter-weight extensibility point. The base implementation of CheckAccessCore simply allows all access so it's not a very interesting implementation.