one of the documented procedures in this installation of the ACS
im_user_is_authorized   conn   args   why
What it does:
Returns filter_ok if user is employee
Defined in: /web/philip/tcl/intranet-defs.tcl

Source code:

    set user_id [ad_verify_and_get_user_id]
    if { $user_id == 0 } {
	# Not logged in
	ns_db releasehandle $db 
	ad_returnredirect "/register/index?return_url=[ns_urlencode [ns_conn url]?[ns_conn query]]"
	return filter_return
    set db [ns_db gethandle]
    set is_authorized_p [im_user_is_authorized_p $db $user_id]
    ns_db releasehandle $db 
    if { $is_authorized_p > 0 } {
	return filter_ok
    } else {
	ad_return_error "Access denied" "You must be an employee or otherwise authorized member of [ad_parameter SystemName] to see this page. You can <a href=/register/index?return_url=[ad_urlencode [im_url_with_query]]>login</a> as someone else if you like."
	return filter_return