Why are the results different on Permission Check for my Custom Application?

Are you on version 9?   There is no permission API that takes container Ids, its going to be the content or the application.   If you are on version 9 there is a secondary issue in the fact your version is not  supported any more and a new version of the permissions API was added in version 11.   I highly recommend upgrading

yes.. afraid I am on 9.x so... I keep telling my people... 
Looking forward to upgrading, hope your sales team is letting our leadership know we need to upgrade too.
we're up on our license, so there's not reason to not upgrade.

I totally get it.  I understand it maybe too much to ask. you already saved us with your last post. thank you for that.

The overloads allowed for 'entityId' and entityTypeId, and then the entityPermissionType is application or content, so I using the application enum value option.. 

I didn't know what an entity could be... 

since the method is check if the user can create an application, there is not an application Id yet.  But I'll try passing null values see if it's just the application enum value that returns true.

EntityType is going to be the contentTypeId or the applicationTypeId, the enum then defines which.   The EntityId will be the ApplicationId or ContentId respectively.  But  no containers, you do not check permissions against a container, it really is on an application, content based checks really will internally resolve up to applications.   I generally prefer application over content if you already have reference to it but content works as well if that the context you are in.

I wasn't catching errors.. but in debugging, I noticed it, and it seems the application type needs to be protected.. that maybe why i  am seeing problems... it didn't error out at first but it is now.

Ok.. having realized there was an error "the entity type is not secured" so I tried making the type id,  private protected, but clearly I didn't figure it out.  Because of the timing and we really need to upgrade, it looks like the NodePermissions.Get does the trick as well, without the error.. below is what I was working with.. for the "CanEdit". For "CanCreate" I'll try the NodePermission. Patrick brought to light the issue with the application or content id and types, which was on the issue... so the real solution is in his response.. and this is just a work around the error..

PermissionCheck _canEdit = TEApi.Permissions.Get(UI.Permissions.MapAppPermissionRegistrar.UpdateGroupMapApps, userId, applicationId, _applicationTypeId, _entityPermissionType).IsAllowed
 /***OR**/
 PermissionEntry nodeCheck = TEApi.NodePermissions.Get("MapApps", applicationId, UI.Permissions.MapAppPermissionRegistrar.UpdateGroupMapApps.ToString());

Not sure what you mean, ApplicationTypeId is just a guid, the property on your application type plugin has to be public, all of the interface members need to be

it must be something else... what would cause "the entity type is not secured" ? I'll try to follow the debug. maybe there is something in there that will help. Thought the NodePermissions method was working, but it was throwing an error (...security context name) as well.. can't find the "MapApps" which is the Category name for the application type... so not sure what the string is for this should be. the examples I have used  "groups" as the application name. So it must be something I am setting.

Are you implementing ISecuredContentType?

 ISecuredContentType Plugin Type 

no. but I did implemented the RegisterApplicationSecurableId for this application you provide earlier.

Registering permissions is only part of the process,  you need to also implement ISecurableContentType

ok. looking into it.

Ok.. looks like I need only to implement these parts for the MapContentType. 

 #region SecuredContentType
        public Guid DefaultPermissionId => throw new NotImplementedException();

        public Guid DefaultContentPermissionId => throw new NotImplementedException();

        

        public Guid GetContentPermissionId(IContent content)
        {
            throw new NotImplementedException();
        }

        public Guid GetSecurableId(IContent content)
        {
            throw new NotImplementedException();
        }
 
        #endregion

Ok.. looks like I need only to implement these parts for the MapContentType. 

 #region SecuredContentType
        public Guid DefaultPermissionId => throw new NotImplementedException();

        public Guid DefaultContentPermissionId => throw new NotImplementedException();

        

        public Guid GetContentPermissionId(IContent content)
        {
            throw new NotImplementedException();
        }

        public Guid GetSecurableId(IContent content)
        {
            throw new NotImplementedException();
        }
 
        #endregion

so how's this look?

 #region SecuredContentType
      
        public Guid DefaultPermissionId = InternalApi.VerintDataService.DefaultPermissionId;

        public Guid DefaultContentPermissionId = InternalApi.VerintDataService.DefaultContentPermissionId;

        public Guid GetContentPermissionId(IContent content)
        {
           return content.ContentId;
        }

        public Guid GetSecurableId(IContent content)
        {
            return content.ContentId;
        }
 
        #endregion

You need to implement ISecuredContentType.Get,  you should implement it explicitly so you do not collide with the IContentType version as this one must never do a permission check or you will end up in an infinite loop.

DefaultPermissionId should whatever your "Read/View" permission is.

GetSecurableId  is  the ApplicationId the content belongs to.

GetContentPermissionId/DefaultContentPermissionId  should be the ContentTypeId

Sorry, I am having problems with setting the explicit DefaultContentPermissionId and "implement ISecuredContentType.Get" 
I'm using the IContent provided in the method as ISecuredContentType but I was expecting to get the default permission id. (you said use the contentTypeId so updated code below)

#region SecuredContentType  
        private static readonly Guid _readMapsId = InternalApi.VerintDataService.ReadMapsId;
       
        Guid ISecuredContentType.DefaultPermissionId { get { return _readMapsId; } }

        Guid ISecuredContentType.DefaultContentPermissionId { get { return _contentTypeId; } }

        public Guid DefaultContentPermissionId { get; private set; }
        public Guid DefaultPermissionId { get; private set; }
        public Guid GetContentPermissionId(IContent content)
        { 
            var securedContent  = content as ISecuredContentType;
            
            var contentPermissionId = securedContent.Get(DefaultPermissionId) ;

            return contentPermissionId.ContentTypeId;
        }

        public Guid GetSecurableId(IContent content)
        {
            return content.Application.ApplicationId;
        }
 
        #endregion

updated my reply and code in previous response

You're double implementing DefaultPermissionId and DefaultContentPermissionId, you only need the explicit implementation. Likewise as Patrick mentioned, you need an explicit implementation of ISecuredContentType.Get.

commented out the second set. I'm not able to reference the explicit ISecuredContentType.DefaultPermissionId or ISecuredContentType.DefaultContentPermissionId.  I don't understand how to create the  "explicit implementation of ISecuredContentType.Get" 

ok.. I think I got it.. to reference the explicit default guids, i need to cast an object as the ISecureContentType.  do I need to use the IContent object? not sure what that get's me.. or am I completely twisted around?

#region SecuredContentType  
        private static readonly Guid _readMapsId = InternalApi.VerintDataService.ReadMapsId;
       
        Guid ISecuredContentType.DefaultPermissionId { get { return _readMapsId; } }

        Guid ISecuredContentType.DefaultContentPermissionId { get { return _contentTypeId; } }

        //public Guid DefaultContentPermissionId { get; private set; }
        //public Guid DefaultPermissionId { get; private set; }
        public Guid GetContentPermissionId(IContent content)
        { 
            var securedContent  = content as ISecuredContentType;
            
            var contentPermissionId = securedContent.DefaultPermissionId  ;

            return contentPermissionId;
        }

        public Guid GetSecurableId(IContent content)
        {
            return content.Application.ApplicationId;
        }
 
        #endregion

so I built this, and running thru the debug process now to see if that fixed the"entity type is not secure" error.

so both these permission calls have errors still. if the above is okay, what's next?

PermissionCheck check2 = TEApi.Permissions.Get(UI.Permissions.MapAppPermissionRegistrar.UpdateGroupMapApps, userId, applicationId, mapApp.ApplicationTypeId, _entityPermissionType);
//Error: The entity type is not secured.
PermissionEntry nodeCheck2 = TEApi.NodePermissions.Get("Map App", applicationId, UI.Permissions.MapAppPermissionRegistrar.UpdateGroupMapApps.ToString());
//Error: The Security Context with identifier 'Map App' could not be found.
            

 ISecuredContentType Plugin Type 

you're missing explicit implementation of 

IContent Get(Guid contentId);

You can't overload the existing IContentType.Get method if you check any permissions in that method; this has to be separate.