Roles (Security node)

Info tab (roles)

Available functionality depends on the system you are using. See the complete feature list, which is available on the product overview page on the Milestone website (https://www.milestonesys.com/products/software/xprotect-comparison/).

On the Info tab of a role, you can set the following:

Name

Description

Name

Enter a name for the role.

Description

Enter a description for the role.

Management Client profile

Select a Management Client profile to associate with the role.

You cannot apply this to the default Administrators role.

Requires permissions to manage security on the management server.

Smart Client profile

Select a Smart Client profile to associate with the role.

Requires permissions to manage security on the management server.

Default time profile

Select a default time profile to associate with the role.

You cannot apply this to the default Administrators role.

Evidence lock profile

Select an evidence lock profile to associate with the role.

Smart Client login within time profile

Select a time profile for which the XProtect Smart Client user associated with this role is allowed to log in.

If the XProtect Smart Client user is logged in when the period expires, he or she is logged off automatically.

You cannot apply this to the default Administrators role.

Allow Smart Client login

Select the check box to allow users associated with this role to log in to XProtect Smart Client.

Access to Smart Client is not allowed by default. Clear the check box to deny access to XProtect Smart Client.

Allow XProtect Mobile client login

Select the check box to allow users associated with this role to log in to XProtect Mobile client.

Access to XProtect Mobile client is not allowed by default. Clear the check box to deny access to XProtect Mobile client.

Allow XProtect Web Client login

Select the check box to allow users associated with this role to log in to XProtect Web Client.

Access to XProtect Web Client is not allowed by default. Clear the check box to deny access to XProtect Web Client.

Login authorization required

Select the check box to associate login authorization with the role. It means that XProtect Smart Client or the Management Client asks for a second authorization, typically by a superuser or manager, when the user logs in.

To enable administrators to authorize users, configure the management server's Authorize Users permission on the Overall Security tab.

You cannot apply this to the default Administrators role.

Make users anonymous during PTZ sessions

Select the check box to hide the names of users associated with this role when they control PTZ sessions.

User and Groups tab (roles)

On the User and Groups tab, you assign users and groups to roles (see Assign/remove users and groups to/from roles). You can assign Windows users and groups or basic users (see Users (explained)).

External IDP (roles)

On the External IDP tab, you can view existing claims and add new claims to roles.

Name

Description

External IDP The name of the external IDP.
Claim name A variable that is defined in the external IDP.
Claim value The value of the claim, such as a group name, that can be used to assign the appropriate role to the user.

Overall Security tab (roles)

Available functionality depends on the system you are using. See the complete feature list, which is available on the product overview page on the Milestone website (https://www.milestonesys.com/products/software/xprotect-comparison/).

On the Overall Security tab, you set up overall permissions for roles. For every component available in your system, define access permissions for the roles by setting Allow or Deny. When a role is denied access to a component, that component is not visible in the Overall Security tab to a user in that role.

The Overall Security tab is not available in the free XProtect Essential+.

You can define more access permissions for XProtect Corporate than for the other XProtect VMS products. This is because you can only set up differentiated administrator permissions in XProtect Corporate, while you can set up overall permissions for a role that uses XProtect Smart Client, XProtect Web Client, or XProtect Mobile client in all products.

The overall security settings only apply to the current site.

If you associate a user with more than one role and select Deny on a security setting for one role and Allow for another, the Deny permission overrules the Allow permission.

In the following, the descriptions show what happens on each individual permission for the different system components if you select Allow for the relevant role. If you use XProtect Corporate, you can see which settings are available only to your system under each system component.

For every system component or functionality, the full system administrator can use the Allow or Deny check boxes to set up security permissions for the role. Any security permissions that you set up here are set up for the whole system component or functionality. If, for example, you select the Deny check box on Cameras, all cameras added to the system are unavailable for the role. In contrast, if you select the Allow check box, the role can see all cameras added to the system. The result of selecting Allow or Deny on your cameras is that the camera settings on the Device tab then inherit your selections on the Overall Security tab so that either all cameras are either available or unavailable to the particular role.

If you want to set security permissions for individual cameras or similar, you can only set these individual permissions on the tab of the relevant system component or functionality if you have not set any overall permissions for the system component or functionality on the Overall Security tab.

The descriptions below also apply to the permissions that you can configure through the MIP SDKs.

If you want to switch your base license from XProtect Corporate to one of the other products, make sure that you remove all security permissions that are available to only XProtect Corporate. If you do not remove those permissions, you cannot complete the switch.

Device tab (roles)

Available functionality depends on the system you are using. See the complete feature list, which is available on the product overview page on the Milestone website (https://www.milestonesys.com/products/software/xprotect-comparison/).

The Device tab lets you specify which features users/groups with the selected role can use for each device (for example, a camera) or device group in XProtect Smart Client.

Remember to repeat for each device. You can also select a device group, and specify role permissions for all the devices in the group in one go.

You can still select or clear such square-filled check boxes, but note that your choice in that case applies for all devices within the device group. Alternatively, select the individual devices in the device group to verify exactly which devices the relevant permission applies for.

Camera-related permissions

Specify the following permissions for camera devices:

Name

Description

Read

The selected camera(s) will be visible in the clients.

View live

Allows live viewing of video from the selected camera(s) in the clients.

For XProtect Smart Client, it requires that the role has been granted the permission to view the clients' Live tab. This permission is granted as part of the application permissions. Specify the time profile or leave the default value.

View restricted live

Allows live viewing of restricted video from the selected camera(s) in the clients.

For XProtect Smart Client, it requires that the role has been granted the permission to view the clients' Live tab. This permission is granted as part of the application permissions. Specify the time profile or leave the default value.

Playback > Within time profile

Allows playback of recorded video from the selected camera(s) in the clients. Specify the time profile or leave the default value.

Playback > Limit playback to

Allows playback of recorded video from the selected camera(s) in the clients. Specify a playback limit or apply no restrictions.

Playback restricted recordings

Allows playback of recorded restricted video from the selected camera(s) in the clients. Specify the time profile or leave the default value.

Read sequences

Allows reading the sequence information related to, for example, the Sequence explorer in the clients.

Smart search

Allows the user to use the Smart search function in the clients.

Export

Allows the user to export recordings from the clients.

Start manual recording

Allows starting manual recording of video from the selected camera(s) in the clients.

Stop manual recording

Allows stopping manual recording of video from the selected camera(s) in the clients.

Read bookmarks

Allows search for and read bookmark details in the clients.

Edit bookmarks

Allows editing bookmarks in the clients.

Create bookmarks

Allows adding bookmarks in the clients.

Delete bookmarks

Allows deleting bookmarks in the clients.

AUX commands

Allows the use of auxiliary commands from the clients.

Create and extend evidence locks

Allows the client user to:

  • Add the camera to new or existing evidence locks
  • Extend the expiry time for existing evidence locks
  • Extend the protected interval for existing evidence locks

Requires user permissions to all devices included in the evidence lock.

Delete and reduce evidence locks

Allows the client user to:

  • Remove the camera from existing evidence locks
  • Delete existing evidence locks
  • Shorten the expiry time for existing evidence locks
  • Shorten the protected interval for existing evidence locks

Requires user permissions to all devices included in the evidence lock.

Read evidence locks

Allows the client user to search for and read evidence lock details.

Create and extend live and playback restrictions

Allows the client user to:

  • Create a live restriction on the camera
  • Create a playback restriction on the camera recordings
  • Add a new camera to a live or playback restriction
  • Extend the restriction period of the camera recordings

Requires user permissions to all devices included in the restriction.

Read live and playback restrictions

Allows the client user to:

  • See a list of existing live and playback restrictions on the camera
  • Filter and search the list of live and playback restrictions on the camera
Delete and reduce live and playback restrictions

Allows the client user to:

  • Remove a live restriction on the camera
  • Remove a playback restriction on the camera recordings
  • Reduce the restriction period of the camera recordings
  • Change the settings of the live or playback restriction

Requires user permissions to all devices included in the restriction.

Microphone-related permissions

Specify the following permissions for microphone devices:

Name

Description

Read

The selected microphone(s) will be visible in the clients.

Listen live

Allows listening to live audio from the selected microphones in the clients.
For XProtect Smart Client, it requires that the role has been granted the permission to view the clients' Live tab. This permission is granted as part of the application permissions. Specify the time profile or leave the default value.

Listen restricted live audio

Allows listening to live restricted video from the selected microphone(s) in the clients.

For XProtect Smart Client, it requires that the role has been granted the permission to view the clients' Live tab. This permission is granted as part of the application permissions. Specify the time profile or leave the default value.

Playback > Within time profile

Allows playback of recorded audio from the selected microphone(s) in the clients. Specify the time profile or leave the default value.

Playback > Limit playback to

Allows playback of recorded audio from the selected microphone(s) in the clients. Specify a playback limit or apply no restrictions.

Playback restricted recordings

Allows playback of recorded restricted audio from the selected microphone(s) in the clients. Specify the time profile or leave the default value.

Read sequences

Allows reading the sequence information related to, for example, the Sequence explorer in the clients.

Export

Allows the user to export recordings from the clients.

Start manual recording

Allows starting manual recording of audio from the selected microphone(s) in the clients.

Stop manual recording

Allows stopping manual recording of audio from the selected microphone(s) in the clients.

Read bookmarks

Allows search for and read bookmark details in the clients.

Edit bookmarks

Allows editing bookmarks in the clients.

Create bookmarks

Allows adding bookmarks in the clients.

Delete bookmarks

Allows deleting bookmarks in the clients.

Create and extend evidence locks

Allows the client user to:

  • Add the microphone to new or existing evidence locks
  • Extend the expiry time for existing evidence locks
  • Extend the protected interval for existing evidence locks

Requires user permissions to all devices included in the evidence lock.

Delete and reduce evidence locks

Allows the client user to:

  • Remove the microphone from existing evidence locks
  • Delete existing evidence locks
  • Shorten the expiry time for existing evidence locks
  • Shorten the protected interval for existing evidence locks

Requires user permissions to all devices included in the evidence lock.

Read evidence locks

Allows the client user to search for and read evidence lock details.

Create and extend live and playback restrictions

Allows the client user to:

  • Create a live restriction on the microphone
  • Create a playback restriction on the audio recordings
  • Add a new microphone to a live or playback restriction
  • Extend the restriction period of the audio recordings

Requires user permissions to all devices included in the restriction.

Read live and playback restrictions

Allows the client user to:

  • See a list of existing live and playback restrictions on the microphone
  • Filter and search the list of live and playback restrictions on the microphone
Delete and reduce live and playback restrictions

Allows the client user to:

  • Remove a live restriction on the microphone
  • Remove a playback restriction on the audio recordings
  • Reduce the restriction period of the audio recordings
  • Change the settings of the live or playback restriction

Requires user permissions to all devices included in the restriction.

Speaker-related permissions

Specify the following permissions for speaker devices:

Name

Description

Read

The selected speaker(s) is visible in the clients.

Listen live

Allows listening to live audio from the selected speaker(s) in the clients.
For XProtect Smart Client, it requires that the role has been granted the permission to view the clients' Live tab. This permission is granted as part of the application permissions. Specify the time profile or leave the default value.

Listen restricted live audio

Allows listening to live restricted video from the selected speaker(s) in the clients.

For XProtect Smart Client, it requires that the role has been granted the permission to view the clients' Live tab. This permission is granted as part of the application permissions. Specify the time profile or leave the default value.

Playback > Within time profile

Allows playback of recorded audio from the selected speaker(s) in the clients. Specify the time profile or leave the default value.

Playback > Limit playback to

Allows playback of recorded audio from the selected speaker(s) in the clients. Specify a playback limit or apply no restrictions.

Playback restricted recordings

Allows playback of recorded restricted audio from the selected speaker(s) in the clients. Specify the time profile or leave the default value.

Read sequences

Allows reading the sequence information related to, for example, the Sequence explorer in the clients.

Export

Allows the user to export recordings from the clients.

Start manual recording

Allows starting manual recording of audio from the selected speaker(s) in the clients.

Stop manual recording

Allows stopping manual recording of audio from the selected speaker(s) in the clients.

Read bookmarks

Allows search for and read bookmark details in the clients.

Edit bookmarks

Allows editing bookmarks in the clients.

Create bookmarks

Allows adding bookmarks in the clients.

Delete bookmarks

Allows deleting bookmarks in the clients.

Create and extend evidence locks

Allows the client user to:

  • Add the speaker to new or existing evidence locks
  • Extend the expiry time for existing evidence locks
  • Extend the protected interval for existing evidence locks

Requires user permissions to all devices included in the evidence lock.

Delete and reduce evidence locks

Allows the client user to:

  • Remove the speaker from existing evidence locks
  • Delete existing evidence locks
  • Shorten the expiry time for existing evidence locks
  • Shorten the protected interval for existing evidence locks

Requires user permissions to all devices included in the evidence lock.

Read evidence locks

Allows the client user to search for and read evidence lock details.

Create and extend live and playback restrictions

Allows the client user to:

  • Create a live restriction on the speakers
  • Create a playback restriction on the audio recordings
  • Add a new microphone to a live or playback restriction
  • Extend the restriction period of the audio recordings

Requires user permissions to all devices included in the restriction.

Read live and playback restrictions

Allows the client user to:

  • See a list of existing live and playback restrictions on the speakers
  • Filter and search the list of live and playback restrictions on the speakers
Delete and reduce live and playback restrictions

Allows the client user to:

  • Remove a live restriction on the speakers
  • Remove a playback restriction on the audio recordings
  • Reduce the restriction period of the audio recordings
  • Change the settings of the live or playback restriction

Requires user permissions to all devices included in the restriction.

Metadata-related permissions

Specify the following permissions for metadata devices:

Name

Description

Read

Enables the permission to see metadata devices and retrieve data from them in the clients.

Edit

Enables the permission to edit metadata properties. It also allows users to enable or disable metadata devices in the Management Client and via the MIP SDK.

View Live

Enables the permission to view live metadata from cameras in the clients.

For XProtect Smart Client, it requires that the role has been granted the permission to view the clients' Live tab. This permission is granted as part of the application permissions.

View live restriction

Enables the permission to view live restricted metadata from cameras in the clients.

For XProtect Smart Client, it requires that the role has been granted the permission to view the clients' Live tab. This permission is granted as part of the application permissions.

Playback

Enables the permission to play back recorded data from metadata devices in the clients.

Playback restricted recordings Enables the permission to play back recorded data from restricted metadata devices in the clients.
Read sequences

Enables the permission to use the Sequences feature while browsing recorded data from metadata devices in the clients.

Export

Enables the permission to export recorded audio from metadata devices in the clients.

Create and extend evidence locks

Enables the permission to create and extend the evidence locks on metadata in the clients.

Read evidence locks

Enables the permission to view evidence locks on metadata in the clients.

Delete and reduce evidence locks

Enables the permission to delete or reduce evidence locks on metadata in the clients.

Start manual recording

Enables the permission to start manual recording of metadata in the clients.

Stop manual recording

Enables the permission to stop manual recording of metadata in the clients.

Create and extend live and playback restrictions

Allows the client user to:

  • Create a live restriction on the metadata device
  • Create a playback restriction on the metadata device
  • Add new metadata to a live or playback restriction
  • Extend the restriction period of the metadata device

Requires user permissions to all devices included in the restriction.

Read live and playback restrictions

Allows the client user to:

  • See a list of existing live and playback restrictions on the metadata device
  • Filter and search the list of live and playback restrictions on the metadata device
Delete and reduce live and playback restrictions

Allows the client user to:

  • Remove a live restriction on the metadata device
  • Remove a playback restriction on the metadata device
  • Reduce the restriction period of the metadata device
  • Change the settings of the live or playback restriction

Requires user permissions to all devices included in the restriction.

Input-related permissions

Specify the following permissions for input devices:

Name

Description

Read

The selected input(s) will be visible in the clients.

Output-related permissions

Specify the following permissions for output devices:

Name

Description

Read

The selected output(s) will be visible in the clients. If visible, the output will be selectable on a list in the clients.

Activate

The selected output(s) can be activated from the Management Client and the clients. Specify the time profile or leave the default value.

PTZ tab (roles)

You set up permissions for pan-tilt-zoom (PTZ) cameras on the PTZ tab. You can specify the features users/groups can use in the clients. You can select individual PTZ cameras or device groups containing PTZ cameras.

Specify the following permissions for PTZ:

Name

Description

Manual PTZ

Determines if the selected role can use PTZ functions and pause a patrolling on the selected camera.

Specify a time profile, select Always, or leave the default value that follows the default time profile defined on the Info tab for that role.

Activate PTZ presets or patrolling profiles

Determines if the selected role can move the selected camera to preset positions, start and stop patrolling profiles, and pause a patrolling.

Specify a time profile, select Always, or leave the default value that follows the default time profile defined on the Info tab for that role.

To allow this role to use other PTZ functions on the camera, enable the Manual PTZ permission.

PTZ Priority

Determines the priority of PTZ cameras. When several users on a surveillance system want to control the same PTZ camera at the same time, conflicts may occur.

You can avoid such a situation by specifying a priority for use of the selected PTZ camera(s) by users/groups with the selected role. Specify a priority from 1 to 32,000, where 1 is the lowest priority. The default priority is 3,000. The role with the highest priority number is the one who can control the PTZ camera(s).

Manage PTZ presets or patrolling profiles

Determines the permission to add, edit and delete PTZ presets and patrolling profiles on the selected camera in both the Management Client and XProtect Smart Client.

To allow this role to use other PTZ functions on the camera, enable the Manual PTZ permission.

Lock/unlock PTZ presets

Determines if the role can lock and unlock preset positions for the selected camera.

Reserve PTZ sessions

Determines the permission to set the selected camera in reserved PTZ session mode.

In a reserved PTZ session other users or patrolling sessions with higher PTZ priority are not able to take over the control.

To allow this role to use other PTZ functions on the camera, enable the Manual PTZ permission.

Release PTZ sessions

Determines if the selected role can release other users' PTZ sessions from the Management Client.

You can always release your own PTZ sessions - without this permission.

Speech tab (roles)

Relevant only if you use speakers on your system. Specify the following permissions for speakers:

Name

Description

Speak

Determine if users should be allowed to talk through the selected speaker(s). Specify the time profile or leave the default value.

Speak priority

When several client users want to talk through the same speaker at the same time, conflicts may occur.

Solve the problem by specifying a priority for use of the selected speaker(s) by users/groups with the selected role. Specify a priority from Very low to Very high. The role with the highest priority is allowed use the speaker before other roles.

Should two users with the same role want to speak at the same time, the first come, first served-principle applies.

Remote Recordings tab (roles)

Specify the following permissions for remote recordings:

Name

Description

Retrieve remote recordings

Enables the permission to retrieve recordings in the clients from cameras, microphones, speakers, and metadata devices on remotes sites or from edge storages on cameras.

Smart Wall tab (roles)

Through roles, you can grant your client users Smart Wall-related user permissions:

Name

Description

Read

Allows users to view the selected Smart Wall in XProtect Smart Client.

Edit

Allows users to edit the selected Smart Wall in the Management Client.

Delete

Allows users to delete the selected Smart Wall in the Management Client.

Operate

Allows users to apply layouts on the selected Smart Wall in XProtect Smart Client and to activate presets.

Playback

Allows users to play back recorded data from the selected Smart Wall in XProtect Smart Client.

External Event tab (roles)

Specify the following external event permissions:

Name

Description

Read

Allows users to search for and view the selected external system event in the clients and the Management Client.

Edit

Allows users to edit the selected external system event in the Management Client.

Delete

Allows users to delete the selected external system event in the Management Client.

Trigger

Allows users to trigger the selected external system event in the clients.

View Group tab (roles)

On the View Group tab, you specify which view groups the users and user groups with the selected role can use in the clients.

Specify the following permissions for view groups:

Name

Description

Read

Enables the permission to view the View Groups in the clients and in the Management Client. View groups are created in the Management Client.

Edit

Enables the permission to edit properties on View Groups in the Management Client.

Delete

Enables the permission to delete View Groups in the Management Client.

Operate

Enables the permission to use View Groups in XProtect Smart Client, that is to create and delete subgroups and views.

Servers tab (roles)

Specifying role permissions on the Servers tab is only relevant if your system works in a Milestone Federated Architecture setup.

Name

Description

Sites

Enables the permission to view the selected site in the Management Client. Connected sites are connected via Milestone Federated Architecture.

To edit properties, you need Edit permissions on the Management Server on each site.

See Configuring Milestone Federated Architecture for more information.

Matrix tab (roles)

If you have configured Matrix recipients on your system, you may configure Matrix role permissions. From a client, you can send video to selected Matrix recipients. Select the users who can receive this on the Matrix tab.

The following permissions are available:

Name

Description

Read

Determine if users and groups with the selected role can select and send video to the Matrix recipient from the clients.

Alarms tab (roles)

If you use alarms in your system setup to provide central overview and control of your installation (including any other XProtect servers), you can use the Alarms tab to specify the alarm permissions for users and groups with the selected role they should have, for example, how to handle alarms in the clients.

In Alarms, you specify the permissions for alarms:

Security permission

Description

Manage

Enables the permission to manage alarms in the Smart Client. For example, changing priorities of alarms, re-assigning alarms to other users, acknowledging alarms, changing the alarm state of multiple alarms (for example from New to Assigned). To edit alarm settings, you also need the Edit alarm settings permission.

Only when you set this to allowed does the Alarms and Events tab in the Options dialog appear.

View

Enables the permission to view the Alarm Manager tab in XProtect Smart Client and retrieve alarms and alarm settings through the API.

To view alarms in XProtect Smart Client, you must enable the View permission for at least one alarm definition. You view alarms from third-party solutions by default.

Disable alarms

Enables the permission to disable alarms.

Receive notifications Enables the permission to receive notifications about alarms in XProtect Mobile clients and XProtect Web Client.
Edit alarm settings Enables the permission to edit alarm definitions, alarm states, alarm categories, alarm sounds, alarm retention, and event retention. To edit alarm settings, you also need the Manage permission.

In Alarm Definitions, you specify the permissions for a specific alarm definition:

Name

Description

View

Enables the permission to view alarm definitions, alarm states, alarm categories, alarm sounds, alarm retention, and event retention.

Write

Enables the View permission.

Access Control tab (roles)

When you add or edit basic users, Windows users or groups, specify access control settings:

Name

Description

Use access control

Allows the user to use any access control-related features in the clients.

View cardholders list

Allows the user to view the cardholders list on the Access Control tab in the clients.

Receive notifications

Allows the user to receive notifications about access requests in the clients.

LPR tab (roles)

If your system runs with XProtect LPR, specify the following permissions for the users:

Name

Description

Use LPR

Enables the permission to use any LPR-related features in the clients.

Manage match lists

Enables the permission to add, import, modify, export, and delete match lists in the Management Client.

Read match lists

Enables the permission to view match lists.

Incidents tab (roles)

If you have XProtect Incident Manager, you can specify the following permissions for your roles.

To give a Management Client administrator role the permissions to manage or view incident properties, select the Incident properties node.

To give an operator of XProtect Smart Client permission to view your defined incident properties, select Incident properties and give View permission. To give general permissions to manage or view incident projects, select the Incident project node. Expand the Incident project node and select one or more sub-nodes to give permissions for these additional specific features or capabilities.

Name

Description

Manage

Permission to manage (view, create, edit, and delete) settings and properties related to a feature or view a user interface element represented by the selected node in either Management Client or XProtect Smart Client.

View

Permission to view (but not create, edit, and delete) the settings and properties related to a feature, view defined incident properties, or view a user interface element represented by the selected node in either Management Client or XProtect Smart Client.

MIP tab (roles)

Through the MIP SDK, a third-party vendor can develop custom plug-ins for your system, for example, integration to external access control systems or similar functionality. The third-party plug-ins will have their own settings on individual tabs.

The settings you change depend on the actual plug-in. Find the custom settings for the plug-ins on the MIP tab.