This page is not yet available in your language.

Site Navigation: Security

This article describes how to create basic users and how to set up roles, specify user rights for a role and assign users.

Roles (explained)

Roles determine which devices users can access. Roles also determine rights and handle security within the video management system. First, you add roles, then you add users and groups and finally a Smart Client and a Management Client profile as well as other default profiles that belong to each role. Roles you can create in the system have their own view groups in XProtect Smart Client in which their views are created and stored.

It is important that all roles, to have access to the Management Server, enable the Connect security right, located in Role Settings > Management Server > Overall Security tab (roles).

The system comes with one predefined role which you cannot delete: the Administrators role. Users and groups with the Administrators role have complete and unrestricted access to the entire system. For this reason, you cannot specify role settings for the Administrators role. The Administrators role has the default Smart Client profile and the default evidence lock profiles and does not have a time profile.

Users with local machine administrator rights on the computer running the management server automatically have administrator rights on the management server. Only users whom you trust as administrators of your system should have local machine administrator rights on the computer running the management server. You cannot turn this off. You add users and groups to the Administrators role just as with any other role. See Assign and remove users and groups to/from roles (see Assign/remove users and groups to/from roles).

In addition to the Administrators role, you can add as many roles as required to suit your needs. You may, for example, have different roles for users of XProtect Smart Client depending on which cameras you want them to access or similar restrictions. To set up roles in your system, expand the Security > Roles.

Rights of a role (explained)

Available functionality depends on the system you are using. See https://www.milestonesys.com/solutions/platform/product-index/ for more information.

When you create a role in your system, you can give the role a number of rights to the system components or features that the relevant role can access and use. You may, for example, want to create roles that only have rights to functionality in XProtect Smart Client or other Milestone viewing clients, with the rights to view only certain cameras. If you create such roles, these roles should not have rights to access and use the Management Client, but only have access to some or all functionality found in XProtect Smart Client or other clients. To address this, you may want to set up a role that has some or most typical administrator rights, for example, the rights to add and remove cameras, servers and similar functionality.

You can create roles that have some or most rights of a system administrator. This may, for example, be relevant if your organization wants to separate between people who can administrate a subset of the system and people who can administrate the entire system. The feature allows you to provide differentiated administrator permissions to access, edit or change a large variety of system functions, for example, the right to edit the settings for servers or cameras in your system. You specify these permissions on the Overall Security tab (see Overall Security tab (roles)). As a minimum, to enable that the differentiated system administrator can launch the Management Client, you must grant read permissions on the management server for the role.

It is important that all roles, to have access to the Management Server, enable the Connect security right, located in Role Settings > Management Server > Overall Security tab (roles).

You can also reflect the same limitations in the user interface of the Management Client for each role by associating the role with a Management Client profile that has the removed the corresponding system functions from the user interface. See Management ClientSite Navigation: Clients: Management Client profiles for information.

To give a role such differentiated administrator rights, the person with the default full administrator role must set up the role under Security > Roles > Info tab > Add new. When you set up the new role, you can then associate the role with your own profiles must similarly to when you set up any other role in the system or use the system's default profiles. For more information, see Add and manage a role.

Once you have specified what profiles you want to associate the role with, go to the Overall Security tab to specify the rights of the role.

The rights you can set for a role are different between your products. You can only give all available rights to a role in XProtect Corporate.

Users (explained)

The term users primarily refers to users who connect to the surveillance system through the clients. You can configure such users in two ways:

  • As basic users, authenticated by a user name/password combination
  • As Windows users, authenticated based on their Windows login

Windows Users

You add Windows Users through the use of Active Directory. Active Directory (AD) is a directory service implemented by Microsoft for Windows domain networks. It is included in most Windows Server operating systems. It identifies resources on a network in order for users or applications to access them. Active Directory uses the concepts of users and groups.

Users are Active Directory objects representing individuals with a user account. Example:

Groups are Active Directory objects with several users. In this example, the Management Group has three users:

Groups can contain any number of users. By adding a group to the system, you add all of its members in one go. Once you have added the group to the system, any changes made to the group in Active Directory, such as new members you add or old members you remove at a later stage, are immediately reflected in the system. A user can be a member of more than one group at a time.

You can use Active Directory to add existing user and group information to the system with some benefits:

  • Users and groups are specified centrally in Active Directory so you do not have to create user accounts from scratch
  • You do not have to configure any authentication of users on the system as Active Directory handles authentication

Before you can add users and groups through the Active Directory service, you must have a server with Active Directory installed on your network.

Basic users

If your system does not have access to Active Directory, create a basic user (see Users (explained)). For information about how to set up basic users, see Create basic user (see Create basic users).

Add and manage a role

  1. Expand Security and right-click Roles.
  2. Select Add Role. This opens the Add Role dialog box.
  3. Enter a name and description of the new role and click OK.
  4. The new role is added to the Roles list. By default, a new role does not have any users/groups associated with it, but it does have a number of default profiles associated.
  5. To choose different Smart Client and Management Client profiles, evidence lock profiles or time profiles, click the drop-down lists.
  6. You can now assign users/groups to the role, and specify which of the system’s features they can access.

For more information, see Assign/remove users and groups to/from roles and Roles settings.

Copy, rename or delete a role

Copy a role

If you have a role with complicated settings and/or rights and need a similar or almost similar role, it might be easier to copy the already existing role and make minor adjustments to the copy than to creating a new role from scratch.

  1. Expand Security, click Roles, right-click the relevant role and select Copy Role.
  2. In the dialog box that opens, give the copied role a new unique name and description.
  3. Click OK.

Rename a role

If you rename a role, this does not change the name of the view group based upon the role.

  1. Expand Security, and right-click Roles.
  2. Right-click required role and select Rename Role.
  3. In the dialog box that opens, change the name of the role.
  4. Click OK.

Delete a role

  1. Expand Security, and click Roles.
  2. Right-click the unwanted role and select Delete Role.
  3. Click Yes.

If you delete a role, this does not delete the view group based upon the role.

Assign/remove users and groups to/from roles

To assign or remove Windows users or groups or basic users to/from a role:

  1. Expand Security and select Roles. Then select the required role in the Overview pane:
  2. In the Properties pane, select the Users and Groups tab at the bottom.
  3. Click Add, select between Windows user or Basic user.

Assign Windows users and groups to a role

  1. Select Windows user. This opens the Select Users, Computers and Groups dialog box:
  2. Verify that the required object type is specified. If, for example, you need to add a computer, click Object Types and mark Computer. Also verify that the required domain is specified in the From this location field. If not, click Locations to browse for the required domain.
  3. In the Enter the object names to select box, enter the relevant user names, initials, or other types of identifier which Active Directory can recognize. Use the Check Names feature to verify that Active Directory recognizes the names or initials that you have entered. Alternatively, use the "Advanced..." function to search for users or groups.
  4. Click OK. The selected users/groups are now added to the Users and Groups tab's list of users who you have assigned the selected role. You can add more users and groups by entering multiple names separated by a semicolon (;).

Assign basic users to a role

  1. Select Basic User. This opens the Select Basic Users to add to Role dialog box:
  2. Select the basic user(s) that you want to assign to this role.
  3. Optional: Click New to create a new basic user.
  4. Click OK. The selected basic user(s) are now added to the Users and Groups tab's list of basic users who you have assigned the selected role.

Remove users and groups from a role

  1. On the Users and Groups tab, select the user or group you want to remove and click Remove in the lower part of the tab. You can select more than one user or group, or a combination of groups and individual users, if you need to.
  2. Confirm that you want to remove the selected user(s) or and group(s). Click Yes.

A user may also have roles through group memberships. When that is the case, you cannot remove the individual user from the role. Group members may also hold roles as individuals. To find out which roles users, groups, or individual group members have, use the View Effective Roles function.

View effective roles

With the Effective Roles feature, you can view all roles of a selected user or group. This is practical if you are using groups and it is the only way of viewing which roles a specific user is a member of.

  1. Open the Effective Roles window by expanding Security, then right-clicking Roles and select Effective Roles.
  2. If you want information about a basic user, enter the name in the User name field. Click Refresh to display the roles of the user.
  3. If you use Windows users or groups in Active Directory, click the "..." browse button. Select object type, enter the name, and click OK. The user's roles appear automatically.

Roles settings

Info tab (roles)

Available functionality depends on the system you are using. See https://www.milestonesys.com/solutions/platform/product-index/ for more information.

On the Info tab of a role, you can set the following:

Name

Description

Name

Enter a name for the role.

Description

Enter a description for the role.

Management Client profile

Select a Management Client profile to associate with the role.

You cannot apply this to the default Administrators role.

Requires permissions to manage security on the management server.

Smart Client profile

Select a Smart Client profile to associate with the role.

Requires permissions to manage security on the management server.

Default time profile

Select a default time profile to associate with the role.

You cannot apply this to the default Administrators role.

Evidence lock profile

Select an evidence lock profile to associate with the role.

Smart Client login within time profile

Select a time profile for which the XProtect Smart Client user associated with this role is allowed to log in.

If the XProtect Smart Client user is logged in when the period expires, he or she is logged off automatically.

You cannot apply this to the default Administrators role.

Allow Smart Client login

Select the check box to allow users associated with this role to log in to XProtect Smart Client.

Access to Smart Client is allowed by default. Clear the check box to deny access to XProtect Smart Client.

Allow XProtect Mobile client login

Select the check box to allow users associated with this role to log in to XProtect Mobile client.

Access to XProtect Mobile client is allowed by default. Clear the check box to deny access to XProtect Mobile client.

Allow XProtect Web Client login

Select the check box to allow users associated with this role to log in to XProtect Web Client.

Access to XProtect Web Client is allowed by default. Clear the check box to deny access to XProtect Web Client.

Login authorization required

Select the check box to associate login authorization with the role. It means that XProtect Smart Client or the Management Client asks for a second authorization, typically by a superuser or manager, when the user logs in.

To enable administrators to authorize users, configure the management server's Authorize Users right on the Overall Security tab.

You cannot apply this to the default Administrators role.

Make users anonymous during PTZ sessions

Select the check box to hide the names of users associated with this role when they control PTZ sessions.

User and Groups tab (roles)

On the User and Groups tab, you assign users and groups to roles (see Assign/remove users and groups to/from roles). You can assign Windows users and groups or basic users (see Users (explained)).

Name

Description

Name

Displays the name of the user or group assigned to this role.

Description

Displays the description that you entered when the basic user was created.

Overall Security tab (roles)

Available functionality depends on the system you are using. See https://www.milestonesys.com/solutions/platform/product-index/ for more information.

On the Overall Security tab, you set up overall rights for roles. For every component available in your system, define access rights for the roles by setting Allow or Deny. When a role is denied access to a component, that component is not visible in the Overall Security tab to a user in that role.

The Overall Security tab is not available in the free XProtect Essential+.

You can define more access rights for XProtect Corporate than for XProtect Expert, XProtect Professional+, and XProtect Express+. This is because you can only set up differentiated administrator rights in XProtect Corporate, while you can set up overall rights for a role that uses XProtect Smart Client, XProtect Web Client, or XProtect Mobile client in all products.

The overall security settings only apply to the current site.

If you associate a user with more than one role and select Deny on a security setting for one role and Allow for another, the Deny right permission overrules the Allow right permission.

In the following, the descriptions show what happens on each individual right for the different system components if you select Allow for the relevant role. If you use XProtect Corporate, you can see which settings are available only to your system under each system component.

For every system component or functionality, the full system administrator can use the Allow or Deny check boxes to set up security permissions for the role. Any security permissions that you set up here are set up for the whole system component or functionality. If, for example, you select the Deny check box on Cameras, all cameras added to the system are unavailable for the role. In contrast, if you select the Allow check box, the role can see all cameras added to the system. The result of selecting Allow or Deny on your cameras is that the camera settings on the Device tab then inherit your selections on the Overall Security tab so that either all cameras are either available or unavailable to the particular role.

If you want to set security permissions for individual cameras or similar, you can only set these individual permissions on the tab of the relevant system component or functionality if you have not set any overall permissions for the system component or functionality on the Overall Security tab.

The descriptions below also apply to the rights that you can configure through the MIP SDKs.

If you want to switch your base license from XProtect Corporate to one of the other products, make sure that you remove all security rights that are available to only XProtect Corporate. If you do not remove those rights, you cannot complete the switch.

Device tab (roles)

Available functionality depends on the system you are using. See https://www.milestonesys.com/solutions/platform/product-index/ for more information.

The Device tab lets you specify which features users/groups with the selected role can use for each device (for example, a camera) or device group in XProtect Smart Client.

Remember to repeat for each device. You can also select a device group, and specify role rights for all the devices in the group in one go.

You can still select or clear such square-filled check boxes, but note that your choice in that case applies for all devices within the device group. Alternatively, select the individual devices in the device group to verify exactly which devices the relevant right applies for.

Camera-related rights

Specify the following rights for camera devices:

Name

Description

Read

The selected camera(s) will be visible in the clients.

View live

Allows live viewing of video from the selected camera(s) in the clients. For XProtect Smart Client, it requires that the role has been granted the right to view the clients' Live tab. This right is granted as part of the application rights. Specify the time profile or leave the default value.

Playback > Within time profile

Allows playback of recorded video from the selected camera(s) in the clients. Specify the time profile or leave the default value.

Playback > Limit playback to

Allows playback of recorded video from the selected camera(s) in the clients. Specify a playback limit or apply no restrictions.

Read sequences

Allows reading the sequence information related to, for example, the Sequence explorer in the clients.

Smart search

Allows the user to use the Smart search function in the clients.

Export

Allows the user to export recordings from the clients.

Start manual recording

Allows starting manual recording of video from the selected camera(s) in the clients.

Stop manual recording

Allows stopping manual recording of video from the selected camera(s) in the clients.

Read bookmarks

Allows search for and read bookmark details in the clients.

Edit bookmarks

Allows editing bookmarks in the clients.

Create bookmarks

Allows adding bookmarks in the clients.

Delete bookmarks

Allows deleting bookmarks in the clients.

AUX commands

Allows the use of auxiliary commands from the clients.

Create and extend evidence locks

Allows the client user to:

  • Add the camera to new or existing evidence locks
  • Extend the expiry time for existing evidence locks
  • Extend the protected interval for existing evidence locks

Requires user rights to all devices included in the evidence lock.

Delete and reduce evidence locks

Allows the client user to:

  • Remove the camera from existing evidence locks
  • Delete existing evidence locks
  • Shorten the expiry time for existing evidence locks
  • Shorten the protected interval for existing evidence locks

Requires user rights to all devices included in the evidence lock.

Read evidence locks

Allows the client user to search for and read evidence lock details.

Microphone-related rights

Specify the following rights for microphone devices:

Name

Description

Read

The selected microphone(s) will be visible in the clients.

Live > Listen

Allows listening to live audio from the selected microphones(s) in the clients.
For XProtect Smart Client, it requires that the role has been granted the right to view the clients' Live tab. This right is granted as part of the application rights. Specify the time profile or leave the default value.

Playback > Within time profile

Allows playback of recorded audio from the selected microphone(s) in the clients. Specify the time profile or leave the default value.

Playback > Limit playback to

Allows playback of recorded audio from the selected microphone(s) in the clients. Specify a playback limit or apply no restrictions.

Read sequences

Allows reading the sequence information related to, for example, the Sequence explorer in the clients.

Export

Allows the user to export recordings from the clients.

Start manual recording

Allows starting manual recording of audio from the selected microphone(s) in the clients.

Stop manual recording

Allows stopping manual recording of audio from the selected microphone(s) in the clients.

Read bookmarks

Allows search for and read bookmark details in the clients.

Edit bookmarks

Allows editing bookmarks in the clients.

Create bookmarks

Allows adding bookmarks in the clients.

Delete bookmarks

Allows deleting bookmarks in the clients.

Create and extend evidence locks

Allows the client user to:

  • Add the microphone to new or existing evidence locks
  • Extend the expiry time for existing evidence locks
  • Extend the protected interval for existing evidence locks

Requires user rights to all devices included in the evidence lock.

Delete and reduce evidence locks

Allows the client user to:

  • Remove the microphone from existing evidence locks
  • Delete existing evidence locks
  • Shorten the expiry time for existing evidence locks
  • Shorten the protected interval for existing evidence locks

Requires user rights to all devices included in the evidence lock.

Read evidence locks

Allows the client user to search for and read evidence lock details.

Speaker-related rights

Specify the following rights for speaker devices:

Name

Description

Read

The selected speaker(s) is visible in the clients.

Live > Listen

Allows listening to live audio from the selected speaker(s) in the clients.
For XProtect Smart Client, it requires that the role has been granted the right to view the clients' Live tab. This right is granted as part of the application rights. Specify the time profile or leave the default value.

Playback > Within time profile

Allows playback of recorded audio from the selected speaker(s) in the clients. Specify the time profile or leave the default value.

Playback > Limit playback to

Allows playback of recorded audio from the selected speaker(s) in the clients. Specify a playback limit or apply no restrictions.

Read sequences

Allows reading the sequence information related to, for example, the Sequence explorer in the clients.

Export

Allows the user to export recordings from the clients.

Start manual recording

Allows starting manual recording of audio from the selected speaker(s) in the clients.

Stop manual recording

Allows stopping manual recording of audio from the selected speaker(s) in the clients.

Read bookmarks

Allows search for and read bookmark details in the clients.

Edit bookmarks

Allows editing bookmarks in the clients.

Create bookmarks

Allows adding bookmarks in the clients.

Delete bookmarks

Allows deleting bookmarks in the clients.

Create and extend evidence locks

Allows the client user to:

  • Add the speaker to new or existing evidence locks
  • Extend the expiry time for existing evidence locks
  • Extend the protected interval for existing evidence locks

Requires user rights to all devices included in the evidence lock.

Delete and reduce evidence locks

Allows the client user to:

  • Remove the speaker from existing evidence locks
  • Delete existing evidence locks
  • Shorten the expiry time for existing evidence locks
  • Shorten the protected interval for existing evidence locks

Requires user rights to all devices included in the evidence lock.

Read evidence locks

Allows the client user to search for and read evidence lock details.

Metadata-related rights

Specify the following rights for metadata devices:

Name

Description

Read

Enables the right to see metadata devices and retrieve data from them in the clients.

Edit

Enables the right to edit metadata properties. It also allows users to enable or disable metadata devices in the Management Client and via the MIP SDK.

View Live

Enables the right to view metadata from cameras in the clients. For XProtect Smart Client, it requires that the role has been granted the right to view the clients' Live tab. This right is granted as part of the application rights.

Playback

Enables the right to play back recorded data from metadata devices in the clients.

Read sequences

Enables the right to use the Sequences feature while browsing recorded data from metadata devices in the clients.

Export

Enables the right to export recorded audio from metadata devices in the clients.

Create and extend evidence locks

Enables the right to create and extend the evidence locks on metadata in the clients.

Read evidence locks

Enables the right to view evidence locks on metadata in the clients.

Delete and reduce evidence locks

Enables the right to delete or reduce evidence locks on metadata in the clients.

Start manual recording

Enables the right to start manual recording of metadata in the clients.

Stop manual recording

Enables the right to stop manual recording of metadata in the clients.

Input-related rights

Specify the following rights for input devices:

Name

Description

Read

The selected input(s) will be visible in the clients.

Output-related rights

Specify the following rights for output devices:

Name

Description

Read

The selected output(s) will be visible in the clients. If visible, the output will be selectable on a list in the clients.

Activate

The selected output(s) can be activated from the Management Client and the clients. Specify the time profile or leave the default value.

PTZ tab (roles)

You set up rights for pan-tilt-zoom (PTZ) cameras on the PTZ tab. You can specify the features users/groups can use in the clients. You can select individual PTZ cameras or device groups containing PTZ cameras.

Specify the following rights for PTZ:

Name

Description

Manual PTZ

Determines if the selected role can use PTZ functions and pause a patrolling on the selected camera.

Specify a time profile, select Always, or leave the default value that follows the default time profile defined on the Info tab for that role.

Activate PTZ presets or patrolling profiles

Determines if the selected role can move the selected camera to preset positions, start and stop patrolling profiles, and pause a patrolling.

Specify a time profile, select Always, or leave the default value that follows the default time profile defined on the Info tab for that role.

To allow this role to use other PTZ functions on the camera, enable the Manual PTZ right.

PTZ Priority

Determines the priority of PTZ cameras. When several users on a surveillance system want to control the same PTZ camera at the same time, conflicts may occur.

You can avoid such a situation by specifying a priority for use of the selected PTZ camera(s) by users/groups with the selected role. Specify a priority from 1 to 32,000, where 1 is the lowest priority. The default priority is 3,000. The role with the highest priority number is the one who can control the PTZ camera(s).

Manage PTZ presets or patrolling profiles

Determines the right to add, edit and delete PTZ presets and patrolling profiles on the selected camera in both the Management Client and XProtect Smart Client.

To allow this role to use other PTZ functions on the camera, enable the Manual PTZ right.

Lock/unlock PTZ presets

Determines if the role can lock and unlock preset positions for the selected camera.

Reserve PTZ sessions

Determines the right to set the selected camera in reserved PTZ session mode.

In a reserved PTZ session other users or patrolling sessions with higher PTZ priority are not able to take over the control.

To allow this role to use other PTZ functions on the camera, enable the Manual PTZ right.

Release PTZ sessions

Determines if the selected role can release other users' PTZ sessions from the Management Client.

You can always release your own PTZ sessions - without this permission.

Speech tab (roles)

Relevant only if you use speakers on your system. Specify the following rights for speakers:

Name

Description

Speak

Determine if users should be allowed to talk through the selected speaker(s). Specify the time profile or leave the default value.

Speak priority

When several client users want to talk through the same speaker at the same time, conflicts may occur.

Solve the problem by specifying a priority for use of the selected speaker(s) by users/groups with the selected role. Specify a priority from Very low to Very high. The role with the highest priority is allowed use the speaker before other roles.

Should two users with the same role want to speak at the same time, the first come, first served-principle applies.

Remote Recordings tab (roles)

Specify the following rights for remote recordings:

Name

Description

Retrieve remote recordings

Enables the right to retrieve recordings in the clients from cameras, microphones, speakers, and metadata devices on remotes sites or from edge storages on cameras.

Smart Wall tab (roles)

Through roles, you can grant your client users Smart Wall-related user rights for the Smart Wall feature:

Name

Description

Read

Allows users to view the selected Smart Wall in the clients.

Edit

Allows users to edit the selected Smart Wall in the Management Client.

Delete

Allows users to delete the selected Smart Wall in the Management Client.

Operate

Allows users to apply layouts on the selected Smart Wall in the client and to activate the selected preset.

Playback

Allows users to play back recorded data from the selected Smart Wall in the clients.

External Event tab (roles)

Specify the following external event rights:

Name

Description

Read

Allows users to search for and view the selected external system event in the clients and the Management Client.

Edit

Allows users to edit the selected external system event in the Management Client.

Delete

Allows users to delete the selected external system event in the Management Client.

Trigger

Allows users to trigger the selected external system event in the clients.

View Group tab (roles)

On the View Group tab, you specify which view groups the users and user groups with the selected role can use in the clients.

Specify the following rights for view groups:

Name

Description

Read

Enables the right to view the View Groups in the clients and in the Management Client. View groups are created in the Management Client.

Edit

Enables the right to edit properties on View Groups in the Management Client.

Delete

Enables the right to delete View Groups in the Management Client.

Operate

Enables the right to use View Groups in XProtect Smart Client, that is to create and delete subgroups and views.

Servers tab (roles)

Specifying role rights on the Servers tab is only relevant if your system works in a Milestone Federated Architecture setup.

Name

Description

Sites

Enables the right to view the selected site in the Management Client. Connected sites are connected via Milestone Federated Architecture.

To edit properties, you need Edit permissions on the Management Server on each site.

See Configuring Milestone Federated Architecture for more information.

Matrix tab (roles)

If you have configured Matrix recipients on your system, you may configure Matrix role rights. From a client, you can send video to selected Matrix recipients. Select the users who can receive this on the Matrix tab.

The following rights are available:

Name

Description

Read

Determine if users and groups with the selected role can select and send video to the Matrix recipient from the clients.

Alarms tab (roles)

If you use alarms in your system setup to provide central overview and control of your installation (including any other XProtect servers), you can use the Alarms tab to specify the alarm rights users/groups with the selected role should have, for example, how to handle alarms in the clients.

Specify the following rights for alarms:

Name

Description

Manage

Enables the right to manage alarms, for example changing priorities of alarms and re-delegate alarms to other users, acknowledge alarms and change the state, for example from New to Assigned, of several alarms at the same time.

View

Enables the right to view alarms and print alarm reports.

Disable alarms

Enables the right to disable alarms.

Receive notifications

Enables the right to receive notifications about alarms in XProtect Mobile clients and XProtect Web Client.

Access Control tab (roles)

When you add or edit basic users, Windows users or groups, specify access control settings:

Name

Description

Use access control

Allows the user to use any access control-related features in the clients.

View cardholders list

Allows the user to view the cardholders list on the Access Control tab in the clients.

Receive notifications

Allows the user to receive notifications about access requests in the clients.

LPR tab (roles)

If your system runs with XProtect LPR, specify the following rights for the users:

Name

Description

Use LPR

Enables the right to use any LPR-related features in the clients.

Manage license plate match lists

Enables the right to add, import, modify, export, and delete license plate match lists in the Management Client.

Read license plate match lists

Enables the right to view license plate match lists.

MIP tab (roles)

Through the MIP SDK, a third-party vendor can develop custom plug-ins for your system, for example, integration to external access control systems or similar functionality.

The settings you change depend on the actual plug-in. Find the custom settings for the plug-ins on the MIP tab.

Basic users (explained)

When you add a basic user to your system, you create a dedicated surveillance system user account with basic user name and password authentication for the individual user. This is in contrast to the Windows user, added through Active Directory.

When working with basic users, it is important to understand the difference between basic user and Windows user.

  • Basic users are authenticated by a user name/password combination and are specific to a system. Even if basic users have the same name and password, a basic user created at one federated site does not have access to another federated site
  • Windows users are authenticated based on their Windows login and are specific to a machine

Create basic users

To create a basic user on your system:

  1. Expand Security > Basic Users.
  2. In the Basic Users pane, right-click and select Create Basic User.
  3. Specify a user name and a password, and repeat it to be sure you have specified it correctly.
  4. The password must meet the complexity requirements for the Windows operating system on the computer with the Management Server service installed.

  5. Click OK to create the basic user.