Roles and rights of a role (explained)
Roles determine which devices users can access. Roles also determine rights and handle security within the video management system. First, you add roles, then you add users and groups and finally a Smart Client and a Management Client profile as well as other default profiles that belong to each role. Roles you can create in the system have their own view groups in XProtect Smart Client in which their views are created and stored.
It is important that all roles, to have access to the Management Server, enable the Connect security right, located in Role Settings > Management Server > Overall Security tab (roles).
You add users and groups to the Administrators role just as with any other role. See Assign/remove users and groups to/from roles.
In addition to the Administrators role, you can add as many roles as required to suit your needs. You may, for example, have different roles for users of XProtect Smart Client depending on which cameras you want them to access or similar restrictions. To set up roles in your system, expand the Security > Roles.
Rights of a role
Available functionality depends on the system you are using. See https://www.milestonesys.com/solutions/platform/product-index/ for more information.
When you create a role in your system, you can give the role a number of rights to the system components or features that the relevant role can access and use. You may, for example, want to create roles that only have rights to functionality in XProtect Smart Client or other Milestone viewing clients, with the rights to view only certain cameras. If you create such roles, these roles should not have rights to access and use the Management Client, but only have access to some or all functionality found in XProtect Smart Client or other clients. To address this, you may want to set up a role that has some or most typical administrator rights, for example, the rights to add and remove cameras, servers and similar functionality.
You can create roles that have some or most rights of a system administrator. This may, for example, be relevant if your organization wants to separate between people who can administrate a subset of the system and people who can administrate the entire system. The feature allows you to provide differentiated administrator permissions to access, edit or change a large variety of system functions, for example, the right to edit the settings for servers or cameras in your system. You specify these permissions on the Overall Security tab (see Overall Security tab (roles)). As a minimum, to enable that the differentiated system administrator can launch the Management Client, you must grant read permissions on the management server for the role.
It is important that all roles, to have access to the Management Server, enable the Connect security right, located in Role Settings > Management Server > Overall Security tab (roles).
You can also reflect the same limitations in the user interface of the Management Client for each role by associating the role with a Management Client profile that has the removed the corresponding system functions from the user interface. See Management Client profiles (explained) for information.
To give a role such differentiated administrator rights, the person with the default full administrator role must set up the role under Security > Roles > Info tab > Add new. When you set up the new role, you can then associate the role with your own profiles must similarly to when you set up any other role in the system or use the system's default profiles. For more information, see Add and manage a role.
Once you have specified what profiles you want to associate the role with, go to the Overall Security tab to specify the rights of the role.
The rights you can set for a role are different between your products. You can only give all available rights to a role in XProtect Corporate.