Inherited device permissions

When setting ‘Allow’ or ‘Deny’ permissions for devices, for instance cameras, on the ‘Overall Security ’ tab, the permissions are inherited by all devices of this type in the VMS.

Allow permission

In the example below, permissions have been set to ‘Allow ’ for some of the camera functions.

Overall Security – ‘Allow’ set for some of the camera functions in XProtect Management Client

Having set the camera permissions for the role in the ‘Overall Security ‘ tab. The ‘Allow ‘ permissions are now inherited by all cameras currently added to the VMS as well as cameras that may be added to the VMS later.

This can be seen by selecting the ‘Device’ tab, where the camera permissions set to ‘Allow ‘ on the ‘Overall Security ‘ tab, are now checked and greyed out for all cameras.

Allow permissions inherited by the cameras and shown as checked and read only in XProtect Management Client

Settings not defined as either ‘Allow ‘ or ‘Deny ‘ on the ‘Overall Security ‘ tab can be set individually per group or per individual camera.

Permissions not set to either ‘Allow ‘ or ‘Deny ‘ can be set individually per group or per camera in XProtect Managment Client

Deny permission and multiple roles

In addition to the ‘Allow ‘ permission, XProtect Corporate supports a ‘Deny ‘ permission. The ‘Deny ‘ permission can be used to override the ‘Allow ‘ permission in cases where users or administrators are members of multiple roles and, via the combined ‘Allow ‘ permissions in the roles, gain access to more functions than they should.

To make it easier to understand how permissions across roles are combined for users or administrators that are members of multiple roles, the following examples will illustrate it for various scenarios:

If the ‘Allow ‘ permission is set for some specific cameras on the ‘Device’ tab in one role and nothing is selected in another role, the users or administrators will be able to access the cameras for which the ‘Allow ‘ permission is set
If the ‘Allow ‘ permission is set for ‘Cameras’ on the ‘Overall Security ‘ tab in one role and nothing is selected in another role, the users or administrators will be able to access all cameras
If the ‘Allow ‘ permission is set for ‘Cameras’ on the ‘Overall Security ‘ tab in one role, but set to ‘Deny ‘ on the ‘Overall Security ‘ tab in another role, the users or administrators will not be able to access any cameras, as ‘Deny ‘ overrides the ‘Allow ‘ permission
If the ‘Allow‘ permission is set for some specific cameras on the ‘Device’ tab in one role, but set to ‘Deny‘ on the ‘Overall Security‘ tab in another role, the users or administrators will not be able to access any cameras, as ‘Deny‘ overrides the ‘Allow‘ permission

Therefore, by creating an extra role with ‘Deny ‘ set for the unwanted permissions and by adding the users or administrators to this role, the unwanted permissions can be removed for the users or administrators. This can be utilized to permanently or temporarily deny users or administrators access to functions and device types, that they would otherwise be able to access.

Overall Security – ‘Deny ’ set for some of the camera functions in XProtect Managment Client

When selecting the device tab, the camera permissions set to ‘Deny ‘ on the ‘Overall Security ‘ tab, are displayed as unchecked and greyed out as they are inherited from the ‘Overall Security ‘ tab.

‘Deny ‘ permissions inherited by the cameras are shown as unchecked and read-only in XProtect Management Client

Documentation – Role Settings

For detailed information about configuration of roles and permissions, please refer to the documentation which can be found by selecting the ‘Roles’ node in the XProtect Management Client and pressing F1 on the keyboard. Alternatively, visit Milestone – Documentation; Roles