The allowed functions list, defined in e3config.xml by the element AllowedFunctions contains a series of ClientFunction elements. Each ClientFunction element must have pattern and type attributes. The pattern attribute specifies a string, in which the wildcard ?matches a single character and * matches zero or more characters. The type attribute must specify one of the four Arbortext PE Application types, java, javascript, acl, or vbscript.

When the Arbortext PE Request Manager receives an f=acl, f=java, f=javascript, or f=vbscript request, it consults the allowed function list to see if the function or class query parameter matches an entry in the allowed function list. If there is no match, then the operation is disallowed and the Arbortext PE Request Manager returns an error to the client.