It is possible, start with OES 11.1.2.2, to add a SM (Security Module) inside WCC. That means that the majority of WCC actions will be checked against the powerful OES rule Engine, as described in Oracle Entitlements Server and Oracle WebCenter Content. That allows to implement an ABAC authorization model, depending upon session context, for instance.
Note: it’s a more integrated approach than that documented for WCP, where OVD is used in front of OES for providing Dynamic Roles.)