...
A good and fairly up-to-date overview of basic Hydra access controls can be found at https://github.com/projecthydra/hydra-head/wiki/Access-Controls-with-Hydra.
In addition to object-level permissions recorded in the rightsMetadata datastream, an object can have a relationship (via RELS-EXT) to special "admin policy object" (APO) which stores "inheritable" permissions in a "defaultRights" datastream using the same XML schema as rightsMetadata. The inheritable permissions of an APO are effectively added to the object's rightsMetadata in determining authorization.
...
Hydra makes no direct usage of the Fedora RI, since it relies on Solr for repository queries (via Blacklight and ActiveFedora). (ActiveFedora::Indexing#reindex_everything does use findObjects because it's intended to rebuild the Solr index from Fedora, but this is a maintenance operation and probably not pertinent to user-level AuthN/Z considerations.)
Repository Search
The principal means that Hydra enforces access controls on repository search is by adding permissions-related clauses to the Solr select queries.
...