Who should have access to the VMS?

Access rights must be limited to a small number of clearly identified individuals on a strictly need-to-access basis. VMS access policies should be defined following the principle of “least privilege”: access right to users should be granted to only those resources which are strictly necessary to carry out their tasks.

Only the Data Controller, the system administrator, or other staff members specifically appointed by the Data Controller for this purpose should be able to grant, alter or annul access rights of any persons. Any provision, alteration or annulment of access rights must be made in accordance with criteria established in the organization's video surveillance policy.

Those having access rights must always be clearly identifiable individuals.

The video surveillance policy must clearly specify and document who has access to the video surveillance recordings and/or the technical architecture, for example VMS servers, of the video surveillance system, for what purpose and what those access rights consist of. In particular, you must specify who has the right to

• View the video/audio in real-time
• Operate the pan-tilt-and-zoom (PTZ) cameras
• View the recordings
• Export, or
• Delete any recording

In addition, you must configure access to the following VMS features:

• Bookmarks
• Evidence locks
• Lift Privacy masks
• Export
• Trigger events
• Start/stop recording
• Create/edit/delete/activate/lock/release PTZ presets
• Create/edit/delete/start/stop PTZ patrolling schemes
• Smart Search
• Audio, metadata, I/O and event permissions