My application has to retrieve a list of users and then has to determine if the person making the search is "allowed" to see each of the returned users.
Currently, we achieve this by constructing an Example user, retrieving the users that match that Example, and then running a stored procedure on the returned users to check if the searcher can "see" them.
So when a user searches for other users, it goes like this:

Step 1: Create example user
Step 2: Get users in DB that match example
Step 3: Loop through results of Step 2, run the "can this searcher see this returned user" stored procedure for EACH returned user
Step 4: Only return the users that Step 3 authorized
What I'd like to do is get rid of the "post-processing" situation we have right now because it is awful for performance. Due to various business edicts, the only "acceptable" way to do this would be to add the stored procedure to the Hibernate Example/Criteria somehow. That is, combine Step 1 and Step 3, without making Step 1 a stored procedure and still use the stored procedure in Step 3. The stored procedure must be used as is, as per business rules, and can't be ripped out into equivalent HQL/SQL.
Is that possible? Can anyone give me any insight on this?
*Edit* I should clarify: The stored procedure is pretty much just a lookup on a table that maps user IDs to user IDs. It returns 0 if the searching user can't see the returned user and 1 (or greater) if the searching user can see the returned user. The stored procedure also does a check on another table to see if the searching user is a superuser and can automatically see everyone and, if so, will automatically return 1.
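
One way to fold the visibility check from Step 3 into the query built in Steps 1 and 2, shown as an added example that is not part of the original post: the check is attached to the Criteria as a native SQL restriction with the searcher's ID as a bound parameter. Assumptions: the database exposes the existing check as a scalar function callable inside a WHERE clause (named `can_see_user` here), the user table's key column is `user_id`, and the `User` entity is a hypothetical stand-in for the real mapped class.

```java
import java.util.List;

import org.hibernate.Criteria;
import org.hibernate.Session;
import org.hibernate.criterion.Example;
import org.hibernate.criterion.Restrictions;
import org.hibernate.type.StandardBasicTypes;

public class VisibleUserSearch {

    /** Hypothetical mapped entity; only the fields this sketch needs. */
    public static class User {
        private Long id;
        private String lastName;

        public Long getId() { return id; }
        public void setId(Long id) { this.id = id; }
        public String getLastName() { return lastName; }
        public void setLastName(String lastName) { this.lastName = lastName; }
    }

    /**
     * Returns only the users that match the example AND that the searcher
     * is allowed to see. The authorization check runs inside the same
     * SELECT, so no unauthorized rows are loaded into the application.
     */
    @SuppressWarnings("unchecked")
    public static List<User> search(Session session, User exampleUser, long searcherId) {
        Criteria criteria = session.createCriteria(User.class)
            // Steps 1 and 2: query-by-example, unchanged.
            .add(Example.create(exampleUser))
            // Step 3, moved into the WHERE clause. can_see_user and user_id
            // are assumed names. The searcher ID is a bound parameter, never
            // concatenated into the SQL string. The check returns 0 for
            // "cannot see" and 1 or greater for "can see", hence ">= 1".
            .add(Restrictions.sqlRestriction(
                "can_see_user(?, {alias}.user_id) >= 1",
                Long.valueOf(searcherId),
                StandardBasicTypes.LONG));
        return criteria.list();
    }
}
```

Whether a stored procedure can be invoked from a WHERE clause depends on the database; some only allow functions there.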