Permissions
Permissions in Blazam differ from Active Directory in two major (and extremely helpful) ways.
| Feature | Active Directory | Blazam |
|---|---|---|
| Reusable ACLs | Each ACL is unique for each OU | Create one type of access and reuse that list for any number of OUs |
| ACL Naming | ACLs are simply a list of properties in the security tab with no real grouping or de-granularization | Named ACLs allow for quick identification of access and its source as well as allowing the creation of role-based ACLs |
| ACL inheritance | ACLs at higher-level OUs propagate down except for overriding denies | Blazam behaves the same as Active Directory in this regard |
TLDR
Blazam adds a layer of abstraction to Active Directory permissions. By including an Access Level layer between the OU permissions and the group assigned,
you can create a single ACL rule and reuse it for as many groups on as many OUs as you'd like.
The Access Levels you define can be reused or combined to create exactly the configuration you desire.
Note
Permissions that are applied inherit fully down the OU tree unless a Deny permission is set at a lower level.
Access Based Example
With the four Access Levels below:
- Read Users — read access to user demographic fields
- Unlock Users — permission to unlock locked-out accounts
- Reset Passwords — permission to reset user passwords
- Read Groups — read access to group memberships
Assign all four of these Access Levels to the delegate group Help Desk for the /Company OU.
Now any member of Help Desk automatically receives all four permissions across the entire /Company OU tree.
If a change to an Access Level needs to be made, it only needs to be changed in one place,
and it immediately applies everywhere the Access Level is mapped.
A second group, Tier 2 Support, also a member of the Help Desk group, could receive the same four Access Levels
plus Edit Users for /Company, without needing to recreate any of the underlying definitions — simply reusing what already exists.
Role-Based Example
An Access Level can be named and configured to represent an entire role rather than a single type of access.
For example, create an Access Level called Help Desk and configure it with:
- Read access to user demographic fields
- Unlock action on user accounts
- Reset password action on user accounts
- Read access to group memberships
Now assign the single Help Desk Access Level to any delegate group for any OU you'd like.
A group IT Support mapped to /Company with the Help Desk Access Level and a group Regional Admins
mapped to /Company/Europe with the same Help Desk Access Level both receive the exact same set of
permissions — defined once, reused everywhere.
If the role ever needs to change (e.g., adding edit access to phone numbers), update the single Help Desk
Access Level and the change is instantly reflected for every group and OU it is mapped to.
Delegates
The core element of the permission system in Blazam is the "Delegate".
A "Delegate" can be any group or user.
Any "Delegate" added with any read permissions applied, or self-edit permissions enabled, will allow that user or members of that group to log into the application.
Nested group members are counted.
Allow Password Reset
When enabled, this allows the delegate to reset their own password if forgotten via the login screen.
The requirements for utilizing this feature are set below.
Users under multiple delegates with differing password reset requirements will have the strictest requirements applied.
Multiple requirements can be combined.
Users with password reset enabled will be able to optionally set any/all of the below requirements if they wish to do so, even if not required.
If MFA is enabled for the user, it will be required after the password reset process is complete.
Require Email
Note
This requires that the application FQDN be set in the Application Settings within Blazam. Email must also be configured for Blazam to send the reset email.
When enabled, this requires that the user have an email address in their Blazam profile. Note, this is pulled from Active Directory at first sync.
An email with a password reset link will be sent to the user's email address.
Require PIN
When enabled, this requires that the user set a PIN in their Blazam profile to utilize the password reset feature.
You can also set a minimum PIN length.
Require Security Questions
When enabled, this requires that the user set their security questions in their Blazam profile to utilize the password reset feature.
Users create three of their own questions and answers in their Blazam profile.
Access Levels
Access Levels improve upon the default permission system found in Active Directory.
Parameters
Name
You can name your Access Levels however you'd like.
Object Permissions
Permissions are split between different Active Directory object types. You can set different permissions for groups, users, computers, contacts, printers, or OUs, or any combination thereof.
Field Permissions
Under each object type allowed, you can choose which fields will be denied, readable, or editable.
Group Membership Access
Group membership control in Blazam is tied to the group and read permissions.
Assign/Unassign Action
The delegate user must have Assign/Unassign action permissions provided to the parent group in order to assign users or groups to it.
The delegate must also have read access to the user being assigned or unassigned.
Mappings
Mapping permissions is similar to default Active Directory permissions, but utilizes the powerful Access Level
component to ease and enhance the delegation process.
Impersonation
As a super admin, you will be able to impersonate the application experience of other users. This is extremely helpful when setting up permissions to verify the access you intended.
Effective Permissions
An effective permission simulator is available to test user→target applied permissions without having to enter impersonation.
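The resolution an effective-permission check has to perform is sketched below for the Access Based Example, the inheritance Note and nested Delegates above. This is an added illustration, not Blazam's code: the `AccessLevel`/`Mapping` classes, the numeric ranks and the tie-break rules (Deny beats a grant at the same OU level, Edit beats Read, actions are only ever granted) are assumptions, and the groups, users and Access Level contents are constructed sample data.

```python
from dataclasses import dataclass
# Added model of Blazam's permission layering (not project code); names are illustrative.
DENY, READ, EDIT = 0, 1, 2          # rank used when one OU level holds several grants for a field
NAMES = {DENY: "deny", READ: "read", EDIT: "edit"}

@dataclass(frozen=True)
class AccessLevel:                  # a reusable, named ACL
    name: str
    fields: dict                    # {object type: {field: DENY|READ|EDIT}}
    actions: frozenset = frozenset()   # e.g. {"unlock", "reset_password"}
@dataclass(frozen=True)
class Mapping:                      # delegate + OU + Access Level
    ou: str
    delegate: str
    level: AccessLevel
def memberships(principal, groups):
    """The principal plus every group containing it, following nested groups."""
    found, todo = set(), [principal]
    while todo:
        p = todo.pop()
        if p not in found:
            found.add(p)
            todo += [g for g, ms in groups.items() if p in ms]
    return found

def effective(user, target_ou, obj_type, mappings, groups):
    """Permissions on target_ou: grants inherit down the tree; a Deny at a lower OU overrides them."""
    mine, fields, actions, by_depth = memberships(user, groups), {}, set(), {}
    for m in mappings:
        if m.delegate in mine and (target_ou == m.ou or target_ou.startswith(m.ou.rstrip("/") + "/")):
            by_depth.setdefault(m.ou.count("/"), []).append(m)
    for depth in sorted(by_depth):              # walk from the root towards the target OU
        here = {}
        for m in by_depth[depth]:
            actions |= m.level.actions          # assumption: actions are only ever granted, never denied
            for fld, perm in m.level.fields.get(obj_type, {}).items():
                # within one OU level an explicit Deny beats any grant and Edit beats Read
                here[fld] = DENY if DENY in (perm, here.get(fld)) else max(perm, here.get(fld, perm))
        fields.update(here)                     # the lower OU overrides whatever it inherited
    return {f: NAMES[p] for f, p in fields.items()}, actions

# Constructed sample: the page's four Help Desk Access Levels, Tier 2 Support nested in Help Desk with
# Edit Users added, and a Deny on "mail" under /Company/Executives to show a lower-level override.
READ_USERS = AccessLevel("Read Users", {"user": {"displayName": READ, "mail": READ, "telephoneNumber": READ}})
UNLOCK, RESET = AccessLevel("Unlock Users", {}, frozenset({"unlock"})), AccessLevel("Reset Passwords", {}, frozenset({"reset_password"}))
READ_GROUPS = AccessLevel("Read Groups", {"group": {"member": READ}})
EDIT_USERS = AccessLevel("Edit Users", {"user": {"telephoneNumber": EDIT}})
HIDE_EXEC_MAIL = AccessLevel("Hide Exec Mail", {"user": {"mail": DENY}})
GROUPS = {"Help Desk": {"alice", "Tier 2 Support"}, "Tier 2 Support": {"bob"}}
MAPPINGS = [Mapping("/Company", "Help Desk", lvl) for lvl in (READ_USERS, UNLOCK, RESET, READ_GROUPS)]
MAPPINGS += [Mapping("/Company", "Tier 2 Support", EDIT_USERS), Mapping("/Company/Executives", "Help Desk", HIDE_EXEC_MAIL)]
```

Calling `effective("bob", "/Company/Executives", "user", MAPPINGS, GROUPS)` shows bob inheriting Help Desk's grants through the nested group, gaining Edit on telephoneNumber from Tier 2 Support, and losing mail to the lower-level Deny.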
Global Permission Settings
These permissions apply to all users and Active Directory search results.
Allow Action Access Requests
Allow users to request action permissions for objects they have read access to but lack the necessary action permissions.
Upon request, a notification is sent to all Super-Users for approval or rejection. If approved, Blazam automatically grants
the requested action permission to the user.
Available Actions
- Assign - Request permission to assign users or groups to groups
- Unassign - Request permission to unassign users or groups from groups
- Unlock - Request permission to unlock user accounts
Allow Field Access Requests
Allow users to request read or edit access to specific Active Directory fields that they currently cannot access.
You can configure which fields are available for users to request access to. For each field, you can also specify whether edit access requests are allowed in addition to read access requests.
Upon request, a notification is sent to all Super-Users for approval or rejection. If approved, Blazam automatically grants
access to the requested field for the user.
This feature allows for dynamic, on-demand permission escalation while maintaining administrative oversight and approval workflows.
Allow self access
Allows all users that can log into Blazam (anyone under Delegates) to have additional permissions applied to their
own Active Directory account within Blazam. The applied access is an additional Access Level with all the features it provides
applied only to their own accounts.
You could, for instance, allow additional fields to be read, like Employee ID.
You can provide edit access to phone numbers or home addresses for self-service of address changes and emergency notification destinations.
You can allow a user to disable their own account if desired.