If your purpose is to check that the item names supplied in the subscription requests are consistent with the user visibility rules, the callback to use is notifyNewTables. It is invoked after getItems and includes all subscription attributes; it lets you return an exception if the whole request is not acceptable.

Note that the method has a couple of caveats:
One is that wantsTablesNotification has to be implemented to return true in order to enable the invocation to notifyNewTables.
The other is that the method is invoked with the "group id" (that is, the input of the previous invocation to getItems, not the output), which, in some cases may be a hassle.

However, for similar cases, we suggest trying to leverage the flexibility offered by getItems:
If the P&L were unique for each user, a user could request just PNL and getItems could change that into PNL.12345 based on the knowledge of the involved user.
In that case, any request for PNL.12345 should simply be refused with an ItemsException as syntactically wrong.