Roles (Security node)

Info tab (roles)

Available functionality depends on the system you are using. See the complete feature list, which is available on the product overview page on the Milestone website (https://www.milestonesys.com/products/software/xprotect-comparison/).

On the Info tab of a role, you can set the following:

Name	Description
Name	Enter a name for the role.
Description	Enter a description for the role.
Management Client profile	Select a Management Client profile to associate with the role. You cannot apply this to the default Administrators role. Requires permissions to manage security on the management server.
Smart Client profile	Select a Smart Client profile to associate with the role. Requires permissions to manage security on the management server.
Default time profile	Select a default time profile to associate with the role. You cannot apply this to the default Administrators role.
Evidence lock profile	Select an evidence lock profile to associate with the role.
Smart Client login within time profile	Select a time profile for which the XProtect Smart Client user associated with this role is allowed to log in. If the XProtect Smart Client user is logged in when the period expires, he or she is logged off automatically. You cannot apply this to the default Administrators role.
Allow Smart Client login	Select the check box to allow users associated with this role to log in to XProtect Smart Client. Access to Smart Client is not allowed by default. Clear the check box to deny access to XProtect Smart Client.
Allow XProtect Mobile client login	Select the check box to allow users associated with this role to log in to XProtect Mobile client. Access to XProtect Mobile client is not allowed by default. Clear the check box to deny access to XProtect Mobile client.
Allow XProtect Web Client login	Select the check box to allow users associated with this role to log in to XProtect Web Client. Access to XProtect Web Client is not allowed by default. Clear the check box to deny access to XProtect Web Client.
Login authorization required	Select the check box to associate login authorization with the role. It means that XProtect Smart Client or the Management Client asks for a second authorization, typically by a superuser or manager, when the user logs in. To enable administrators to authorize users, configure the management server's Authorize Users permission on the Overall Security tab. You cannot apply this to the default Administrators role.
Make users anonymous during PTZ sessions	Select the check box to hide the names of users associated with this role when they control PTZ sessions.

User and Groups tab (roles)

On the User and Groups tab, you assign users and groups to roles (see Assign/remove users and groups to/from roles). You can assign Windows users and groups or basic users (see Users (explained)).

External IDP (roles)

On the External IDP tab, you can view existing claims and add new claims to roles.

Name	Description
External IDP	The name of the external IDP.
Claim name	A variable that is defined in the external IDP.
Claim value	The value of the claim, such as a group name, that can be used to assign the appropriate role to the user.

Overall Security tab (roles)

On the Overall Security tab, you set up overall permissions for roles. For every component available in your system, define access permissions for the roles by setting Allow or Deny. When a role is denied access to a component, that component is not visible in the Overall Security tab to a user in that role.

The Overall Security tab is not available in the free XProtect Essential+.

You can define more access permissions for XProtect Corporate than for the other XProtect VMS products. This is because you can only set up differentiated administrator permissions in XProtect Corporate, while you can set up overall permissions for a role that uses XProtect Smart Client, XProtect Web Client, or XProtect Mobile client in all products.

The overall security settings only apply to the current site.

If you associate a user with more than one role and select Deny on a security setting for one role and Allow for another, the Deny permission overrules the Allow permission.

In the following, the descriptions show what happens on each individual permission for the different system components if you select Allow for the relevant role. If you use XProtect Corporate, you can see which settings are available only to your system under each system component.

For every system component or functionality, the full system administrator can use the Allow or Deny check boxes to set up security permissions for the role. Any security permissions that you set up here are set up for the whole system component or functionality. If, for example, you select the Deny check box on Cameras, all cameras added to the system are unavailable for the role. In contrast, if you select the Allow check box, the role can see all cameras added to the system. The result of selecting Allow or Deny on your cameras is that the camera settings on the Device tab then inherit your selections on the Overall Security tab so that either all cameras are either available or unavailable to the particular role.

If you want to set security permissions for individual cameras or similar, you can only set these individual permissions on the tab of the relevant system component or functionality if you have not set any overall permissions for the system component or functionality on the Overall Security tab.

The descriptions below also apply to the permissions that you can configure through the MIP SDKs.

If you want to switch your base license from XProtect Corporate to one of the other products, make sure that you remove all security permissions that are available to only XProtect Corporate. If you do not remove those permissions, you cannot complete the switch.

Management Server

Security permission	Description
Full control	Enables the permission to manage all security entries on this part of the system.
Connect	Enables users to connect to the Management Server. This permission is enabled by default. You can temporarily deny connection permission on roles for maintenance purposes, and then reapply access to the system. This permission must be selected to allow access to the system.
Read	This permission is a highly privileged administrative permission that gives significant access rights to the XProtect VMS, including access to sensitive data such as credentials configured in the system. Enables the permission to access a wide range of functionality, including: Logging in with the Management Client List of current tasks Server logs It also enables access to: Remote Connect Services Smart Client Profiles Management Client Profiles Matrix Time Profiles Registered Servers and Service Registration API This permission also reveals some sensitive information to the client: Credentials for any configured external IDP Credentials, IP-addresses, and other information for all cameras in the XProtect VMS Credentials for configured mail server Credentials for any configured matrix Credentials configured for the Interconnect feature Credentials configured for license activation This permission does not reveal credentials for users of the XProtect VMS. This includes Basic Users, Windows users and users from external IDPs.
Edit	Enables the permission to modify data in a wide range of functionality, including: Options License Management It also enables users to create, delete, and edit the following: Remote Connect Services Device groups Matrix Time Profiles Notification Profiles Registered Servers Enables the permission to configure local IP ranges when configuring the network on the recording server.
System Monitor	Enables the permission to view the data of the System Monitor.
Status API	Enables the permission to perform queries on the Status API located on the recording server. This means that the role with this permission enabled has access to read the status of the items located on the recording server.
Manage Federated site hierarchy	Enables the permission to add and detach the current site to other sites in a federated site hierarchy. If you set this permission to allowed on the child site only, the user can still detach the site from the parent site.
Backup Configuration	Enables the permission to create backups of the system configuration using the system's backup and restore functionality.
Authorize users	Enables the permission to authorize users when they are asked for a second login in XProtect Smart Client or Management Client. You define if a role requires login authorization on the Info tab.
Manage security	Enables the permission to manage permissions for the Management Server. It also enables users to create, delete, and edit the following features: Roles Basic users Smart Client Profiles Management Client Profiles

Recording Servers

Security permission	Description
Full control	Enables the permission to manage all security entries on this part of the system.
Edit	Enables the permission to edit properties on the recording servers, except for network configuration settings that require edit permission on the management server.
Delete	Enables the permission to delete recording servers. To do this, you must also give the user delete permissions on: Hardware security group if you have added hardware to the recording server If any of the devices on the recording server contains evidence locks, you can only delete the recording server if it is offline.
Manage hardware	Enables the permission to add hardware on recording servers.
Manage storage	Enables the permission to administrate storage containers on recording server, that is, to create, delete, move, and empty storage containers.
Manage security	Enables the permission to manage security permissions for recording servers.

Failover Servers

Security permission	Description
Full control	Enables the permission to manage all security entries on this part of the system.
Read	Enables the permission to see and access failover servers in the Management Client.
Edit	Enables the permission to create, update, delete, move, and enable or disable failover servers in the Management Client.
Manage security	Enables the permission to manage security permissions for the failover servers.

Mobile Servers

Security permission	Description
Full control	Enables the permission to manage all security entries on this part of the system.
Read	Enables the permission to see and access mobile servers in the Management Client.
Edit	Enables the permission to edit and delete mobile servers in the Management Client.
Manage security	Enables the permission to manage security permissions for the mobile servers.
Create	Enables the permission to add mobile servers to the system.

Hardware

Security permission	Description
Full control	Enables the permission to manage all security entries on this part of the system.
Edit	Enables the permission to edit properties on hardware.
Delete	Enables the permission to delete hardware. If any of the hardware devices contains evidence locks, you can only delete the hardware if the recording server is offline.
Driver commands	Enables the permission to send special commands to the drivers and thereby control features and configuration on the device itself. The Driver commands permission is for special developed MIP plug-ins in the clients only. It does not control standard configuration tasks.
View passwords	Enables the permission to view passwords on hardware devices in the Edit Hardware dialog box.
Manage security	Enables the permission to manage security permissions for the hardware.

Cameras

Security permission	Description
Full control	Enables the permission to manage all security entries on this part of the system.
Read	Enables the permission to view camera devices in the clients and the Management Client.
Edit	Enables the permission to edit properties for cameras in the Management Client. It also enables users to enable or disable a camera.
View Live	Enables the permission to view live video from cameras in the clients and the Management Client.
View restricted live	Enables the permission to view live restricted video from cameras in the clients and the Management Client.
Playback	Enables the permission to play back recorded video from cameras in all clients.
Playback restricted recordings	Enables the permission to play back recorded restricted video from cameras in all clients.
Retrieve remote recordings	Enables the permission to retrieve recordings in the clients from cameras on remotes sites or from edge storages on cameras.
Read sequences	Enables the permission to read the sequence information related to, for example, playing back recorded video in the clients.
Smart search	Enables the permission to use the Smart search function in the clients.
Export	Enables the permission to export recordings from the clients.
Create bookmarks	Enables the permission to create bookmarks in recorded and live video in the clients.
Read bookmarks	Enables the permission to search for and read bookmark details in the clients.
Edit bookmarks	Enables the permission to edit bookmarks in the clients.
Delete bookmarks	Enables the permission to delete bookmarks in the clients.
Create and extend evidence locks	Enables the permission to create and extend evidence locks in the clients.
Read evidence locks	Enables the permission to search and read evidence locks in the clients.
Delete and reduce evidence locks	Enables the permission to delete or reduce evidence locks in the clients.
Create and extend live and playback restrictions	Enables the permission to create and extend restrictions in the clients.
Read live and playback restrictions	Enables the permission to see a list of existing restrictions in the clients.
Delete and reduce live and playback restrictions	Enables the permission to delete and reduce restrictions in the clients.
Start manual recording	Enables the permission to start manual recording of video in the clients.
Stop manual recording	Enables the permission to stop manual recording of video in the clients.
AUX commands	Enables the permission to use auxiliary (AUX) commands on the camera from the clients. AUX commands offer users the control of, for example, wipers on a camera connected via a video encoder. Camera-associated devices connected via auxiliary connections are controlled from the client.
Manual PTZ	Enables the permission to use PTZ functions on PTZ cameras in the clients and the Management Client.
Activate PTZ presets or patrolling profiles	Enables the permission to move PTZ cameras to preset positions, start and stop patrolling profiles, and pause a patrolling in the clients and the Management Client. To allow this role to use other PTZ functions on the camera, enable the Manual PTZ permission.
Manage PTZ presets or patrolling profiles	Enables the permission to add, edit, and delete PTZ presets and patrolling profiles on PTZ cameras in the clients and the Management Client. To allow this role to use other PTZ functions on the camera, enable the Manual PTZ permission.
Lock/unlock PTZ presets	Enables the permission to lock and unlock PTZ presets in the Management Client. This prevents or allows other users from changing preset positions in the clients and in the Management Client.
Reserve PTZ sessions	Enables the permission to set PTZ cameras in reserved PTZ session mode in the clients and the Management Client. In a reserved PTZ session, other users with higher PTZ priority are not able to take over the control. To allow this role to use other PTZ functions on the camera, enable the Manual PTZ permission.
Release PTZ sessions	Enables the permission to release other users' PTZ sessions from the Management Client. You can always release your own PTZ sessions - without this permission.
Delete recordings	Enables the permission to delete stored video recordings from the system via the Management Client.
Lift privacy masks	Enables the permission to temporarily lift privacy masks in XProtect Smart Client. It also enables the permission to authorize other XProtect Smart Client users to lift privacy masks. Lifting privacy masks only applies to privacy masks configured as liftable privacy masks in the Management Client.
Manage security	Enables the permission to manage security permissions in the Management Client for the camera.

Microphones

Security permission	Description
Full control	Enables the permission to manage all security entries on this part of the system.
Read	Enables the permission to view microphone devices in the clients and the Management Client.
Edit	Enables the permission to edit microphone properties in the Management Client. It also allows users to enable or disable microphones.
Listen live	Enables the permission to listen to live audio from speakers in the clients and the Management Client.
Listen restricted live audio	Enables the permission to listen to live restricted audio from speakers in the clients and the Management Client.
Playback	Enables the permission to play back recorded audio from microphones in the clients.
Playback restricted recordings	Enables the permission to play back recorded restricted audio from microphones in the clients.
Retrieve remote recordings	Enables the permission to retrieve recordings in the clients from microphones on remotes sites or from edge storages on cameras.
Read sequences	Enables the permission to read the sequence information related to, for example, the Playback tab in the clients.
Export	Enables the permission to export recordings from the clients.
Create bookmarks	Enables the permission to create bookmarks in the clients.
Read bookmarks	Enables the permission to search for and read bookmark details in the clients.
Edit bookmarks	Enables the permission to edit bookmarks in the clients.
Delete bookmarks	Enables the permission to delete bookmarks in the clients.
Create and extend evidence locks	Enables the permission to create or extend evidence locks in the clients.
Read evidence locks	Enables the permission to search and read evidence lock details in the clients.
Delete and reduce evidence locks	Enables the permission to delete or reduce evidence locks in the clients.
Create and extend live and playback restrictions	Enables the permission to create and extend restrictions on microphones in the clients.
Read live and playback restrictions	Enables the permission to see a list of existing restrictions on microphones in the clients.
Delete and reduce live and playback restrictions	Enables the permission to delete and reduce restrictions on microphones in the clients.
Start manual recording	Enables the permission to start manual recording of audio in the clients.
Stop manual recording	Enables the permission to stop manual recording of audio in the clients.
Delete recordings	Enables the permission to delete stored recordings from the system.
Manage security	Enables the permission to manage security permissions in the Management Client for microphones.

Speakers

Security permission	Description
Full control	Enables the permission to manage all security entries on this part of the system.
Read	Enables the permission to view speaker devices in the clients and the Management Client.
Edit	Enables the permission to edit properties for speakers in the Management Client. It also allows users to enable or disable speakers.
Listen live	Enables the permission to listen to live audio from speakers in the clients and the Management Client.
Listen restricted live audio	Enables the permission to listen to live restricted audio from speakers in the clients and the Management Client.
Speak	Enables the permission to speak through the speakers in the clients.
Playback	Enables the permission to play back recorded audio from speakers in the clients.
Playback restricted recordings	Enables the permission to play back recorded audio from speakers in the clients.
Retrieve remote recordings	Enables the permission to retrieve recordings in the clients from speakers on remotes sites or from edge storages on cameras.
Read sequences	Enables the permission to use the Sequences feature while browsing recorded audio from speakers in the clients.
Export	Enables the permission to export recorded audio from speakers in the clients.
Create bookmarks	Enables the permission to create bookmarks in the clients.
Read bookmarks	Enables the permission to search for and read bookmark details in the clients.
Edit bookmarks	Enables the permission to edit bookmarks in the clients.
Delete bookmarks	Enables the permission to delete bookmarks in the clients.
Create and extend evidence locks	Enables the permission to create or extend evidence locks to protect recorded audio in the clients.
Read evidence locks	Enables the permission to view recorded audio protected by evidence locks in the clients.
Delete and reduce evidence locks	Enables the permission to delete or reduce evidence locks on protected audio in the clients.
Create and extend live and playback restrictions	Enables the permission to create and extend restrictions on speakers in the clients.
Read live and playback restrictions	Enables the permission to see a list of existing restrictions on speakers in the clients.
Delete and reduce live and playback restrictions	Enables the permission to delete and reduce restrictions on speakers in the clients.
Start manual recording	Enables the permission to start manual recording of audio in the clients.
Stop manual recording	Enables the permission to stop manual recording of audio in the clients.
Delete recordings	Enables the permission to delete stored recordings from the system.
Manage security	Enables the permission to manage security permissions in the Management Client for speakers.

Metadata

Security permission	Description
Full control	Enables the permission to manage all security entries on this part of the system.
Read	Enables the permission to receive metadata in the clients.
Edit	Enables the permission to edit metadata properties in the Management Client. It also allows users to enable or disable metadata devices.
Live	Enables the permission to receive live metadata from metadata devices in the clients.
View restricted live	Enables the permission to receive live restricted metadata from metadata devices in the clients.
Playback	Enables the permission to play back recorded data from metadata devices in the clients.
Playback restricted recordings	Enables the permission to play back restricted recorded data from metadata devices in the clients.
Retrieve remote recordings	Enables the permission to retrieve recordings in the clients from metadata devices on remotes sites or from edge storages on cameras.
Read sequences	Enables the permission to read the sequence information related to, for example, the Playback tab in the clients.
Export	Enables the permission to export recordings in the clients.
Create and extend evidence locks	Enables the permission to create evidence locks in the clients.
Read evidence locks	Enables the permission to view evidence locks in the clients.
Delete and reduce evidence locks	Enables the permission to delete or reduce evidence locks in the clients.
Create and extend live and playback restrictions	Enables the permission to create and extend restrictions on metadata in the clients.
Read live and playback restrictions	Enables the permission to see a list of existing restrictions on metadata in the clients.
Delete and reduce live and playback restrictions	Enables the permission to delete and reduce restrictions on metadata in the clients.
Start manual recording	Enables the permission to start manual recording of metadata in the clients.
Stop manual recording	Enables the permission to stop manual recording of metadata in the clients.
Delete recordings	Enables the permission to delete stored recordings from the system.
Manage security	Enables the permission to manage security permissions in the Management Client for metadata.

Input

Security permission	Description
Full control	Enables the permission to manage all security entries on this part of the system.
Read	Enables the permission to view input devices in the clients and the Management Client.
Edit	Enables the permission to edit properties for input devices in the Management Client. It also enables users to enable or disable an input device.
Manage security	Enables the permission to manage security permissions in the Management Client for input devices.

Output

Security permission	Description
Full control	Enables the permission to manage all security entries on this part of the system.
Read	Enables the permission to view output devices in the clients.
Edit	Enables the permission to edit properties for output devices in the Management Client. It also enables users to enable or disable an output device.
Activate	Enables the permission to activate outputs in the clients.
Manage security	Enables the permission to manage security permissions in the Management Client for output devices.

Smart Wall

Security permission	Description
Full control	Enables the permission to manage all security permissions in XProtect Management Client.
Read	Enables the permission to view a video wall in XProtect Smart Client.
Edit	Enables the permission to edit properties for the Smart Wall definition in XProtect Management Client.
Delete	Enables the permission to delete existing Smart Wall definitions in XProtect Management Client.
Operate	Enables the permission to activate and modify Smart Wall definitions, for example to change and activate presets or apply cameras on views in XProtect Smart Client and in XProtect Management Client. You can associate Operate with time profiles that define when the user permission applies.
Create Smart Wall	Enables the permission to create new Smart Wall definitions in XProtect Management Client.
Manage security	Enables the permission to manage security permissions in XProtect Management Client for the Smart Wall definition.
Playback	Enables the permission to play back recorded data from a video wall in XProtect Smart Client. You can associate Playback with time profiles that define when the user permission applies.

View Groups

Security permission	Description
Full control	Enables the permission to manage all security entries on this part of the system.
Read	Enables the permission to view View Groups in the clients and in the Management Client. View groups are created in the Management Client.
Edit	Enables the permission to edit properties on the View Groups in the Management Client.
Delete	Enables the permission to delete View Groups in the Management Client.
Operate	Enables the permission to use View Groups in XProtect Smart Client, that is, to create and delete subgroups and views.
Create view group	Enables the permission to create View Groups in the Management Client.
Manage security	Enables the permission to manage security permissions in the Management Client for View Groups.

User-defined Events

Security permission	Description
Full control	Enables the permission to manage all security entries on this part of the system.
Read	Enables the permission to view user-defined events in the clients.
Edit	Enables the permission to edit properties on user-defined events in the Management Client.
Delete	Enables the permission to delete user-defined events in the Management Client.
Trigger	Enables the permission to trigger user-defined events in the clients.
Manage security	Enables the permission to manage security permissions in the Management Client for user-defined events.
Create user-defined event	Enables the permission to create new user-defined events in the Management Client.

Analytics Events

Security permission	Description
Full control	Enables the permission to manage all security entries on this part of the system.
Read	Enables the permission to view analytics events in the Management Client.
Edit	Enables the permission to edit properties on analytics events in the Management Client.
Manage security	Enables the permission to manage security permissions in the Management Client for analytics events.

Generic Events

Security permission	Description
Full control	Enables the permission to manage all security entries on this part of the system.
Read	Enables the permission to view generic events in the clients and the Management Client.
Edit	Enables the permission to edit properties on generic events in the Management Client.
Manage security	Enables the permission to manage security permissions in the Management Client for generic events.

Matrix

Security permission	Description
Full control	Enables the permission to manage all security entries on this part of the system.
Read	Enables the permission to select and send video to the Matrix recipient from the clients.
Edit	Enables the permission to edit properties for a Matrix in the Management Client.
Delete	Enables the permission to delete a Matrix in the Management Client.
Create Matrix	Enables the permission to create a new Matrix in the Management Client.
Manage security	Enables the permission to manage security permissions in the Management Client for all Matrix's.

Rules

Security permission	Description
Full control	Enables the permission to manage all security entries on this part of the system.
Read	Enables the permission to view existing rules in the Management Client.
Edit	Enables the permission to edit properties for rules and to define rule behavior in the Management Client. It also requires that the user has read permissions on all the devices that are impacted by the rule.
Delete	Enables the permission to delete rules from the Management Client. It also requires that the user has read permissions on all devices that are impacted by the rule.
Create rule	Enables the permission to create new rules in the Management Client. It also requires that the user has read permissions on all devices that are impacted by the rule.
Manage security	Enables the permission to manage security permissions in the Management Client for all rules.

Sites

Security permission

Description

Full control

Enables the permission to manage all security entries on this part of the system.

Read

Enables the permission to view other sites in the Management Client. Connected sites are connected via Milestone Federated Architecture.

To edit properties, you need Edit permissions on the Management Server on each site.

Manage security

Enables the permission to manage security permissions on all sites.

System Monitor

Security permission	Description
Full control	Enables the permission to manage all security entries on this part of the system.
Read	Enables the permission to view system monitors in XProtect Smart Client.
Edit	Enables the permission to edit properties for system monitors in the Management Client.
Manage security	Enables the permission to manage security permissions in the Management Client for all system monitors.

Metadata search

Security permission	Description
Full control	Enables the permission to manage all security entries on this part of the system.
Read	Enables the permission to view the Metadata Use functionality in Management Client and its related settings, but does not enable the permission to change the settings.
Edit the metadata search configuration	Enables the permission to enable or disable metadata search categories, for example metadata for people or vehicles, in the Management Client.
Manage security	Enables the permission to manage security permissions for metadata searches.

Security permission	Description
Read public searches	Enables the permission to view and open saved public searches in XProtect Smart Client.
Create public searches	Enables the permission to save newly configured searches as public searches in XProtect Smart Client.
Edit public searches	Enables the permission to edit the details or the configuration of saved public searches in XProtect Smart Client, for example the name, description, cameras, and search categories.
Delete public searches	Enables the permission to delete saved public searches.
Manage security	Enables the permission to manage security permissions in the Management Client for search.

Alarms

Security permission	Description
Full control	Enables the permission to manage all security entries on this part of the system.
Manage	Enables the permission to manage alarms in the Smart Client. For example, changing priorities of alarms, re-assigning alarms to other users, acknowledging alarms, changing the alarm state of multiple alarms (for example from New to Assigned). To edit alarm settings, you also need the Edit alarm settings permission. Only when you set this to allowed does the Alarms and Events tab in the Options dialog appear.
View	Enables the permission to view the Alarm Manager tab in XProtect Smart Client and retrieve alarms and alarm settings through the API. To view alarms in XProtect Smart Client, you must enable the View permission for at least one alarm definition. You view alarms from third-party solutions by default.
Disable alarms	Enables the permission to disable alarms.
Receive notifications	Enables the permission to receive notifications about alarms in XProtect Mobile clients and XProtect Web Client.
Manage security	Enables the permission to manage security permissions for alarms.
Edit alarm settings	Enables the permission to edit alarm definitions, alarm states, alarm categories, alarm sounds, alarm retention, and event retention. To edit alarm settings, you also need the Manage permission.

Alarm Definitions

Security permission	Description
Full control	Enables the permission to manage all security entries on this part of the system.
View	Enables the permission to view alarm definitions, alarm states, alarm categories, alarm sounds, alarm retention, and event retention.
Write	Enables the View permission.
Manage security	Enables the permission to manage security permissions for alarm definitions.

Server Logs

Security permission	Description
Full control	Enables the permission to manage all security entries on this part of the system.
Read system log entries	Enables the permission to see system log entries.
Read audit log entries	Enables the permission to see audit log entries.
Read rule-triggered log entries	Enables the permission to see rule-triggered log entries.
Read log configuration	Enables the permission to read log settings in Tools > Options > Server Logs.
Update log configuration	Enables the permission to change log settings in Tools > Options > Server Logs.
Manage security	Enables the permission to manage security permissions for alarms.

Access Control

Security permission	Description
Full control	Enables the permission to manage all security entries on this part of the system.
Edit	Enables the permission to edit properties for the Access Control systems in the Management Client.
Use access control	Allows the user to use any access control-related features in the clients.
View cardholders list	Allows the user to view the cardholders list on the Access Control tab in the clients.
Receive notifications	Allows the user to receive notifications about access requests in the clients.
Manage security	Enables the permission to manage security permissions for all Access Control systems.

LPR

If your system runs with XProtect LPR, specify the following permissions for the user:

Security permission	Description
Full control	Enables the permission to manage all security entries on this part of the system.
Use LPR	Enables the permission to use any LPR-related features in the clients
Manage match lists	Enables the permission to add, import, modify, export, and delete match lists in the Management Client.
Read match lists	Enables the permission to view match lists.
Manage security	Enables the permission to manage security permissions in the Management Client for all Transaction definitions.

Transaction sources

Security permission	Description
Full control	Enables the permission to manage all security entries on this part of the system.
Read	Enables the permission to view properties for the Transaction sources in the Management Client.
Edit	Enables the permission to edit properties for the Transaction sources in the Management Client.
Delete	Enables the permission to delete Transaction sources in the Management Client.
Create	Enables the permission to create new Transaction sources in the Management Client.
Manage security	Enables the permission to manage security permissions in the Management Client for all Transaction sources.

Transaction definition

Security permission	Description
Full control	Enables the permission to manage all security entries on this part of the system.
Read	Enables the permission to view properties for the Transaction definitions in the Management Client.
Edit	Enables the permission to edit properties for the Transaction definitions in the Management Client.
Delete	Enables the permission to delete Transaction definitions in the Management Client.
Create	Enables the permission to create new Transaction definitions in the Management Client.
Manage security	Enables the permission to manage security permissions in the Management Client for all Transaction definitions.

Device tab (roles)

The Device tab lets you specify which features users/groups with the selected role can use for each device (for example, a camera) or device group in XProtect Smart Client.

Remember to repeat for each device. You can also select a device group, and specify role permissions for all the devices in the group in one go.

You can still select or clear such square-filled check boxes, but note that your choice in that case applies for all devices within the device group. Alternatively, select the individual devices in the device group to verify exactly which devices the relevant permission applies for.

Camera-related permissions

Specify the following permissions for camera devices:

Name	Description
Read	The selected camera(s) will be visible in the clients.
View live	Allows live viewing of video from the selected camera(s) in the clients. For XProtect Smart Client, it requires that the role has been granted the permission to view the clients' Live tab. This permission is granted as part of the application permissions. Specify the time profile or leave the default value.
View restricted live	Allows live viewing of restricted video from the selected camera(s) in the clients. For XProtect Smart Client, it requires that the role has been granted the permission to view the clients' Live tab. This permission is granted as part of the application permissions. Specify the time profile or leave the default value.
Playback > Within time profile	Allows playback of recorded video from the selected camera(s) in the clients. Specify the time profile or leave the default value.
Playback > Limit playback to	Allows playback of recorded video from the selected camera(s) in the clients. Specify a playback limit or apply no restrictions.
Playback restricted recordings	Allows playback of recorded restricted video from the selected camera(s) in the clients. Specify the time profile or leave the default value.
Read sequences	Allows reading the sequence information related to, for example, the Sequence explorer in the clients.
Smart search	Allows the user to use the Smart search function in the clients.
Export	Allows the user to export recordings from the clients.
Start manual recording	Allows starting manual recording of video from the selected camera(s) in the clients.
Stop manual recording	Allows stopping manual recording of video from the selected camera(s) in the clients.
Read bookmarks	Allows search for and read bookmark details in the clients.
Edit bookmarks	Allows editing bookmarks in the clients.
Create bookmarks	Allows adding bookmarks in the clients.
Delete bookmarks	Allows deleting bookmarks in the clients.
AUX commands	Allows the use of auxiliary commands from the clients.
Create and extend evidence locks	Allows the client user to: Add the camera to new or existing evidence locks Extend the expiry time for existing evidence locks Extend the protected interval for existing evidence locks Requires user permissions to all devices included in the evidence lock.
Delete and reduce evidence locks	Allows the client user to: Remove the camera from existing evidence locks Delete existing evidence locks Shorten the expiry time for existing evidence locks Shorten the protected interval for existing evidence locks Requires user permissions to all devices included in the evidence lock.
Read evidence locks	Allows the client user to search for and read evidence lock details.
Create and extend live and playback restrictions	Allows the client user to: Create a live restriction on the camera Create a playback restriction on the camera recordings Add a new camera to a live or playback restriction Extend the restriction period of the camera recordings Requires user permissions to all devices included in the restriction.
Read live and playback restrictions	Allows the client user to: See a list of existing live and playback restrictions on the camera Filter and search the list of live and playback restrictions on the camera
Delete and reduce live and playback restrictions	Allows the client user to: Remove a live restriction on the camera Remove a playback restriction on the camera recordings Reduce the restriction period of the camera recordings Change the settings of the live or playback restriction Requires user permissions to all devices included in the restriction.

Microphone-related permissions

Specify the following permissions for microphone devices:

Name	Description
Read	The selected microphone(s) will be visible in the clients.
Listen live	Allows listening to live audio from the selected microphones in the clients. For XProtect Smart Client, it requires that the role has been granted the permission to view the clients' Live tab. This permission is granted as part of the application permissions. Specify the time profile or leave the default value.
Listen restricted live audio	Allows listening to live restricted video from the selected microphone(s) in the clients. For XProtect Smart Client, it requires that the role has been granted the permission to view the clients' Live tab. This permission is granted as part of the application permissions. Specify the time profile or leave the default value.
Playback > Within time profile	Allows playback of recorded audio from the selected microphone(s) in the clients. Specify the time profile or leave the default value.
Playback > Limit playback to	Allows playback of recorded audio from the selected microphone(s) in the clients. Specify a playback limit or apply no restrictions.
Playback restricted recordings	Allows playback of recorded restricted audio from the selected microphone(s) in the clients. Specify the time profile or leave the default value.
Read sequences	Allows reading the sequence information related to, for example, the Sequence explorer in the clients.
Export	Allows the user to export recordings from the clients.
Start manual recording	Allows starting manual recording of audio from the selected microphone(s) in the clients.
Stop manual recording	Allows stopping manual recording of audio from the selected microphone(s) in the clients.
Read bookmarks	Allows search for and read bookmark details in the clients.
Edit bookmarks	Allows editing bookmarks in the clients.
Create bookmarks	Allows adding bookmarks in the clients.
Delete bookmarks	Allows deleting bookmarks in the clients.
Create and extend evidence locks	Allows the client user to: Add the microphone to new or existing evidence locks Extend the expiry time for existing evidence locks Extend the protected interval for existing evidence locks Requires user permissions to all devices included in the evidence lock.
Delete and reduce evidence locks	Allows the client user to: Remove the microphone from existing evidence locks Delete existing evidence locks Shorten the expiry time for existing evidence locks Shorten the protected interval for existing evidence locks Requires user permissions to all devices included in the evidence lock.
Read evidence locks	Allows the client user to search for and read evidence lock details.
Create and extend live and playback restrictions	Allows the client user to: Create a live restriction on the microphone Create a playback restriction on the audio recordings Add a new microphone to a live or playback restriction Extend the restriction period of the audio recordings Requires user permissions to all devices included in the restriction.
Read live and playback restrictions	Allows the client user to: See a list of existing live and playback restrictions on the microphone Filter and search the list of live and playback restrictions on the microphone
Delete and reduce live and playback restrictions	Allows the client user to: Remove a live restriction on the microphone Remove a playback restriction on the audio recordings Reduce the restriction period of the audio recordings Change the settings of the live or playback restriction Requires user permissions to all devices included in the restriction.

Speaker-related permissions

Specify the following permissions for speaker devices:

Name	Description
Read	The selected speaker(s) is visible in the clients.
Listen live	Allows listening to live audio from the selected speaker(s) in the clients. For XProtect Smart Client, it requires that the role has been granted the permission to view the clients' Live tab. This permission is granted as part of the application permissions. Specify the time profile or leave the default value.
Listen restricted live audio	Allows listening to live restricted video from the selected speaker(s) in the clients. For XProtect Smart Client, it requires that the role has been granted the permission to view the clients' Live tab. This permission is granted as part of the application permissions. Specify the time profile or leave the default value.
Playback > Within time profile	Allows playback of recorded audio from the selected speaker(s) in the clients. Specify the time profile or leave the default value.
Playback > Limit playback to	Allows playback of recorded audio from the selected speaker(s) in the clients. Specify a playback limit or apply no restrictions.
Playback restricted recordings	Allows playback of recorded restricted audio from the selected speaker(s) in the clients. Specify the time profile or leave the default value.
Read sequences	Allows reading the sequence information related to, for example, the Sequence explorer in the clients.
Export	Allows the user to export recordings from the clients.
Start manual recording	Allows starting manual recording of audio from the selected speaker(s) in the clients.
Stop manual recording	Allows stopping manual recording of audio from the selected speaker(s) in the clients.
Read bookmarks	Allows search for and read bookmark details in the clients.
Edit bookmarks	Allows editing bookmarks in the clients.
Create bookmarks	Allows adding bookmarks in the clients.
Delete bookmarks	Allows deleting bookmarks in the clients.
Create and extend evidence locks	Allows the client user to: Add the speaker to new or existing evidence locks Extend the expiry time for existing evidence locks Extend the protected interval for existing evidence locks Requires user permissions to all devices included in the evidence lock.
Delete and reduce evidence locks	Allows the client user to: Remove the speaker from existing evidence locks Delete existing evidence locks Shorten the expiry time for existing evidence locks Shorten the protected interval for existing evidence locks Requires user permissions to all devices included in the evidence lock.
Read evidence locks	Allows the client user to search for and read evidence lock details.
Create and extend live and playback restrictions	Allows the client user to: Create a live restriction on the speakers Create a playback restriction on the audio recordings Add a new microphone to a live or playback restriction Extend the restriction period of the audio recordings Requires user permissions to all devices included in the restriction.
Read live and playback restrictions	Allows the client user to: See a list of existing live and playback restrictions on the speakers Filter and search the list of live and playback restrictions on the speakers
Delete and reduce live and playback restrictions	Allows the client user to: Remove a live restriction on the speakers Remove a playback restriction on the audio recordings Reduce the restriction period of the audio recordings Change the settings of the live or playback restriction Requires user permissions to all devices included in the restriction.

Metadata-related permissions

Specify the following permissions for metadata devices:

Name	Description
Read	Enables the permission to see metadata devices and retrieve data from them in the clients.
Edit	Enables the permission to edit metadata properties. It also allows users to enable or disable metadata devices in the Management Client and via the MIP SDK.
View Live	Enables the permission to view live metadata from cameras in the clients. For XProtect Smart Client, it requires that the role has been granted the permission to view the clients' Live tab. This permission is granted as part of the application permissions.
View live restriction	Enables the permission to view live restricted metadata from cameras in the clients. For XProtect Smart Client, it requires that the role has been granted the permission to view the clients' Live tab. This permission is granted as part of the application permissions.
Playback	Enables the permission to play back recorded data from metadata devices in the clients.
Playback restricted recordings	Enables the permission to play back recorded data from restricted metadata devices in the clients.
Read sequences	Enables the permission to use the Sequences feature while browsing recorded data from metadata devices in the clients.
Export	Enables the permission to export recorded audio from metadata devices in the clients.
Create and extend evidence locks	Enables the permission to create and extend the evidence locks on metadata in the clients.
Read evidence locks	Enables the permission to view evidence locks on metadata in the clients.
Delete and reduce evidence locks	Enables the permission to delete or reduce evidence locks on metadata in the clients.
Start manual recording	Enables the permission to start manual recording of metadata in the clients.
Stop manual recording	Enables the permission to stop manual recording of metadata in the clients.
Create and extend live and playback restrictions	Allows the client user to: Create a live restriction on the metadata device Create a playback restriction on the metadata device Add new metadata to a live or playback restriction Extend the restriction period of the metadata device Requires user permissions to all devices included in the restriction.
Read live and playback restrictions	Allows the client user to: See a list of existing live and playback restrictions on the metadata device Filter and search the list of live and playback restrictions on the metadata device
Delete and reduce live and playback restrictions	Allows the client user to: Remove a live restriction on the metadata device Remove a playback restriction on the metadata device Reduce the restriction period of the metadata device Change the settings of the live or playback restriction Requires user permissions to all devices included in the restriction.

Input-related permissions

Specify the following permissions for input devices:

Name	Description
Read	The selected input(s) will be visible in the clients.

Output-related permissions

Specify the following permissions for output devices:

Name	Description
Read	The selected output(s) will be visible in the clients. If visible, the output will be selectable on a list in the clients.
Activate	The selected output(s) can be activated from the Management Client and the clients. Specify the time profile or leave the default value.

PTZ tab (roles)

You set up permissions for pan-tilt-zoom (PTZ) cameras on the PTZ tab. You can specify the features users/groups can use in the clients. You can select individual PTZ cameras or device groups containing PTZ cameras.

Specify the following permissions for PTZ:

Name	Description
Manual PTZ	Determines if the selected role can use PTZ functions and pause a patrolling on the selected camera. Specify a time profile, select Always, or leave the default value that follows the default time profile defined on the Info tab for that role.
Activate PTZ presets or patrolling profiles	Determines if the selected role can move the selected camera to preset positions, start and stop patrolling profiles, and pause a patrolling. Specify a time profile, select Always, or leave the default value that follows the default time profile defined on the Info tab for that role. To allow this role to use other PTZ functions on the camera, enable the Manual PTZ permission.
PTZ Priority	Determines the priority of PTZ cameras. When several users on a surveillance system want to control the same PTZ camera at the same time, conflicts may occur. You can avoid such a situation by specifying a priority for use of the selected PTZ camera(s) by users/groups with the selected role. Specify a priority from 1 to 32,000, where 1 is the lowest priority. The default priority is 3,000. The role with the highest priority number is the one who can control the PTZ camera(s).
Manage PTZ presets or patrolling profiles	Determines the permission to add, edit and delete PTZ presets and patrolling profiles on the selected camera in both the Management Client and XProtect Smart Client. To allow this role to use other PTZ functions on the camera, enable the Manual PTZ permission.
Lock/unlock PTZ presets	Determines if the role can lock and unlock preset positions for the selected camera.
Reserve PTZ sessions	Determines the permission to set the selected camera in reserved PTZ session mode. In a reserved PTZ session other users or patrolling sessions with higher PTZ priority are not able to take over the control. To allow this role to use other PTZ functions on the camera, enable the Manual PTZ permission.
Release PTZ sessions	Determines if the selected role can release other users' PTZ sessions from the Management Client. You can always release your own PTZ sessions - without this permission.

Speech tab (roles)

Relevant only if you use speakers on your system. Specify the following permissions for speakers:

Name	Description
Speak	Determine if users should be allowed to talk through the selected speaker(s). Specify the time profile or leave the default value.
Speak priority	When several client users want to talk through the same speaker at the same time, conflicts may occur. Solve the problem by specifying a priority for use of the selected speaker(s) by users/groups with the selected role. Specify a priority from Very low to Very high. The role with the highest priority is allowed use the speaker before other roles. Should two users with the same role want to speak at the same time, the first come, first served-principle applies.

Name

Description

Speak

Determine if users should be allowed to talk through the selected speaker(s). Specify the time profile or leave the default value.

Speak priority

When several client users want to talk through the same speaker at the same time, conflicts may occur.

Solve the problem by specifying a priority for use of the selected speaker(s) by users/groups with the selected role. Specify a priority from Very low to Very high. The role with the highest priority is allowed use the speaker before other roles.

Should two users with the same role want to speak at the same time, the first come, first served-principle applies.

Remote Recordings tab (roles)

Specify the following permissions for remote recordings:

Name	Description
Retrieve remote recordings	Enables the permission to retrieve recordings in the clients from cameras, microphones, speakers, and metadata devices on remotes sites or from edge storages on cameras.

Smart Wall tab (roles)

Through roles, you can grant your client users Smart Wall-related user permissions:

Name	Description
Read	Allows users to view the selected Smart Wall in XProtect Smart Client.
Edit	Allows users to edit the selected Smart Wall in the Management Client.
Delete	Allows users to delete the selected Smart Wall in the Management Client.
Operate	Allows users to apply layouts on the selected Smart Wall in XProtect Smart Client and to activate presets.
Playback	Allows users to play back recorded data from the selected Smart Wall in XProtect Smart Client.

External Event tab (roles)

Specify the following external event permissions:

Name	Description
Read	Allows users to search for and view the selected external system event in the clients and the Management Client.
Edit	Allows users to edit the selected external system event in the Management Client.
Delete	Allows users to delete the selected external system event in the Management Client.
Trigger	Allows users to trigger the selected external system event in the clients.

View Group tab (roles)

On the View Group tab, you specify which view groups the users and user groups with the selected role can use in the clients.

Specify the following permissions for view groups:

Name	Description
Read	Enables the permission to view the View Groups in the clients and in the Management Client. View groups are created in the Management Client.
Edit	Enables the permission to edit properties on View Groups in the Management Client.
Delete	Enables the permission to delete View Groups in the Management Client.
Operate	Enables the permission to use View Groups in XProtect Smart Client, that is to create and delete subgroups and views.

Servers tab (roles)

Specifying role permissions on the Servers tab is only relevant if your system works in a Milestone Federated Architecture setup.

Name	Description
Sites	Enables the permission to view the selected site in the Management Client. Connected sites are connected via Milestone Federated Architecture. To edit properties, you need Edit permissions on the Management Server on each site.

Name

Description

Sites

Enables the permission to view the selected site in the Management Client. Connected sites are connected via Milestone Federated Architecture.

To edit properties, you need Edit permissions on the Management Server on each site.

See Configuring Milestone Federated Architecture for more information.

Matrix tab (roles)

If you have configured Matrix recipients on your system, you may configure Matrix role permissions. From a client, you can send video to selected Matrix recipients. Select the users who can receive this on the Matrix tab.

The following permissions are available:

Name	Description
Read	Determine if users and groups with the selected role can select and send video to the Matrix recipient from the clients.

Alarms tab (roles)

If you use alarms in your system setup to provide central overview and control of your installation (including any other XProtect servers), you can use the Alarms tab to specify the alarm permissions for users and groups with the selected role they should have, for example, how to handle alarms in the clients.

In Alarms, you specify the permissions for alarms:

Security permission	Description
Manage	Enables the permission to manage alarms in the Smart Client. For example, changing priorities of alarms, re-assigning alarms to other users, acknowledging alarms, changing the alarm state of multiple alarms (for example from New to Assigned). To edit alarm settings, you also need the Edit alarm settings permission. Only when you set this to allowed does the Alarms and Events tab in the Options dialog appear.
View	Enables the permission to view the Alarm Manager tab in XProtect Smart Client and retrieve alarms and alarm settings through the API. To view alarms in XProtect Smart Client, you must enable the View permission for at least one alarm definition. You view alarms from third-party solutions by default.
Disable alarms	Enables the permission to disable alarms.
Receive notifications	Enables the permission to receive notifications about alarms in XProtect Mobile clients and XProtect Web Client.
Edit alarm settings	Enables the permission to edit alarm definitions, alarm states, alarm categories, alarm sounds, alarm retention, and event retention. To edit alarm settings, you also need the Manage permission.

In Alarm Definitions, you specify the permissions for a specific alarm definition:

Name	Description
View	Enables the permission to view alarm definitions, alarm states, alarm categories, alarm sounds, alarm retention, and event retention.
Write	Enables the View permission.

Access Control tab (roles)

When you add or edit basic users, Windows users or groups, specify access control settings:

Name	Description
Use access control	Allows the user to use any access control-related features in the clients.
View cardholders list	Allows the user to view the cardholders list on the Access Control tab in the clients.
Receive notifications	Allows the user to receive notifications about access requests in the clients.

LPR tab (roles)

If your system runs with XProtect LPR, specify the following permissions for the users:

Name	Description
Use LPR	Enables the permission to use any LPR-related features in the clients.
Manage match lists	Enables the permission to add, import, modify, export, and delete match lists in the Management Client.
Read match lists	Enables the permission to view match lists.

Incidents tab (roles)

If you have XProtect Incident Manager, you can specify the following permissions for your roles.

To give a Management Client administrator role the permissions to manage or view incident properties, select the Incident properties node.

To give an operator of XProtect Smart Client permission to view your defined incident properties, select Incident properties and give View permission. To give general permissions to manage or view incident projects, select the Incident project node. Expand the Incident project node and select one or more sub-nodes to give permissions for these additional specific features or capabilities.

Name	Description
Manage	Permission to manage (view, create, edit, and delete) settings and properties related to a feature or view a user interface element represented by the selected node in either Management Client or XProtect Smart Client.
View	Permission to view (but not create, edit, and delete) the settings and properties related to a feature, view defined incident properties, or view a user interface element represented by the selected node in either Management Client or XProtect Smart Client.

MIP tab (roles)

Through the MIP SDK, a third-party vendor can develop custom plug-ins for your system, for example, integration to external access control systems or similar functionality. The third-party plug-ins will have their own settings on individual tabs.

The settings you change depend on the actual plug-in. Find the custom settings for the plug-ins on the MIP tab.