After a user is authenticated, the framework handles authorization. Permissions are assigned per page within a workflow, and they are binary: access to a page is either granted or denied. All standard BlueCat Address Manager (BAM) permissions still apply to any actions taken via the BAM REST API.
Permissions can be edited via the Workflow Permissions page in BlueCat Gateway.