Roles and permissions of a role (explained)

Roles determine which devices users can access. Roles also determine permissions and handle security within the video management system. First, you add roles, then you add users and groups and finally a Smart Client and a Management Client profile as well as other default profiles that belong to each role. Roles you can create in the system have their own view groups in XProtect Smart Client in which their views are created and stored.

It is important that all roles, to have access to the Management Server, enable the Connect security permission, located in Role Settings > Management Server > Overall Security tab (roles).

You add users and groups to the Administrators role just as with any other role. See Assign/remove users and groups to/from roles.

In addition to the Administrators role, you can add as many roles as required to suit your needs. You may, for example, have different roles for users of XProtect Smart Client depending on which cameras you want them to access or similar restrictions. To set up roles in your system, expand the Security > Roles.

Permissions of a role

Available functionality depends on the system you are using. See the complete feature list, which is available on the product overview page on the Milestone website (https://www.milestonesys.com/solutions/platform/product-index/).

When you create a role in your system, you can give the role a number of permissions to the system components or features that the relevant role can access and use. You may, for example, want to create roles that only have permissions to functionality in XProtect Smart Client or other Milestone viewing clients, with the permissions to view only certain cameras. If you create such roles, these roles should not have permissions to access and use the Management Client, but only have access to some or all functionality found in XProtect Smart Client or other clients. To address this, you may want to set up a role that has some or most typical administrator permissions, for example, the permissions to add and remove cameras, servers and similar functionality.

You can create roles that have some or most permissions of a system administrator. This may, for example, be relevant if your organization wants to separate between people who can administrate a subset of the system and people who can administrate the entire system. The feature allows you to provide differentiated administrator permissions to access, edit or change a large variety of system functions, for example, the permission to edit the settings for servers or cameras in your system. You specify these permissions on the Overall Security tab (see Overall Security tab (roles)). As a minimum, to enable that the differentiated system administrator can launch the Management Client, you must grant read permissions on the management server for the role.

It is important that all roles, to have access to the Management Server, enable the Connect security permission, located in Role Settings > Management Server > Overall Security tab (roles).

You can also reflect the same limitations in the user interface of the Management Client for each role by associating the role with a Management Client profile that has the removed the corresponding system functions from the user interface. See Management Client profiles (explained) for information.

To give a role such differentiated administrator permissions, the person with the default full administrator role must set up the role under Security > Roles > Info tab > Add new. When you set up the new role, you can then associate the role with your own profiles must similarly to when you set up any other role in the system or use the system's default profiles. For more information, see Add and manage a role.

Once you have specified what profiles you want to associate the role with, go to the Overall Security tab to specify the permissions of the role.

The permissions you can set for a role are different between your products. You can only give all available permissions to a role in XProtect Corporate.