Management Client profiles
XProtect Corporate supports customizing the XProtect Management Client to show only the user interface elements needed by a specific administrator role, thus making the XProtect Management Client easier to navigate and use.
The XProtect Management Client is customized in two steps:
- Create a Management Client profile, and select which user interface elements should be available
- In the administrator’s role, select the new Management Client profile
Once a Management Client profile has been created and selected in the administrators’ role, the administrators in that role see only the user interface elements specifically enabled for them when they log in with the XProtect Management Client. All elements that are not enabled in the Management Client profile are removed from the XProtect Management Client’s user interface, which makes it easier to navigate and use.
Configuring Management Client profiles
Management Client profiles are located under the ‘Client’ node in the XProtect Management Client.
When a Management Client profile is selected, the user interface elements that can be turned on or off are shown on the ‘Profiles’ tab. Some nodes, for instance the ‘Camera’ node, can be expanded to show further elements that can be controlled.
In the above example, the created ‘Recording Server and Camera Administrator’ profile provides access to the user interface elements needed to manage recording servers and devices.
Create a Management Client Profile
To create a Management Client Profile:
- Right-click the ‘Management Client Profiles’ pane and select ‘Add Management Client Profile’.
- Assign a name to it and, optionally, enter a description.
By default, new profiles will provide access to all elements in the XProtect Management Client. To limit access to only some user interface elements, simply deselect the functions not needed.
Having created a Management Client profile, the next step is to use it in a role:
- Create or select a role with management rights
- In the ‘Info’ tab’s ‘Management Client profile:’ dropdown, select the created profile.
When users in this role log in with the XProtect Management Client, it will only show the user interface elements that have been enabled in the Management Client profile. All other elements are removed.
The screenshot below shows how the XProtect Management Client looks with only recording servers and devices enabled in the Management Client profile.
Multiple Management Client profiles
If the administrator logging in with the XProtect Management Client is a member of multiple roles configured with different Management Client profiles, the profile with the highest priority will be assigned.
The profile priority is set by changing the order of the Management Client profiles in the ‘Management Client Profiles’ pane. The profiles are listed with highest priority at the top, and lowest at the bottom. The priority can be changed by clicking the ‘Priority:’ up/down buttons.
Documentation – Management Client profiles
For details on usage of the Management Client profiles, please refer to the documentation which can be found by selecting the ‘Management Client Profiles’ node in the XProtect Management Client and pressing ‘F1’ on the keyboard. Alternatively, visit Milestone - Documentation; Management Client Profiles
Important Security notice!
Although Management Client profiles are used to limit administrators’ access to user interface elements in the XProtect Management Client, it is important to understand that Management Client profiles are not a security permissions feature. They are only a feature for customizing the XProtect Management Client user interface.
This means that, from a security perspective, it is not enough to just create a Management Client profile that limits the XProtect Management Client user interface for the administrators. A matching set of actual security permissions must also be set in the administrator’s role to ensure that the administrators can manage only what they are supposed to.
The reason for this is that a Management Client profile only removes the user interface elements from the XProtect Management Client. It does not make the VMS servers control and enforce the actual permissions the administrators have. Therefore, if all permissions are allowed in a role where the selected Management Client profile removes user interface elements from the XProtect Management Client, an administrator could use an application other than the XProtect Management Client to manage the VMS. For example, using a custom-made 3rd party “Management Tool” developed with the MIP SDK or the VMS APIs, the administrator can get access to manage areas of the VMS that would otherwise not be available in the XProtect Management Client due to the set Management Client profile.
Therefore, as described in the next section, the proper way to make sure administrators can only manage what they are supposed to is to set permissions for the role so that they match the VMS areas and devices they are responsible for. When this is done and the right Management Client profile is selected for the role, the administrators can only manage the VMS areas and devices they have permissions to, no matter what client is used, and the XProtect Management Client user interface will only show the user interface elements needed for it.
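The check described in this notice, as an added example that is not Milestone code: a small audit over a constructed role inventory that flags roles whose security permissions cover areas their Management Client profile hides, and resolves the profile for a member of several roles by priority. The role names, area names, the ‘Default’ profile and the data layout are assumptions; this is not an XProtect export format or API.

```python
# Constructed inventory; not an XProtect export format or API.
# Profiles listed top to bottom, highest priority first (as in the pane).
PROFILE_ORDER = ["Recording Server and Camera Administrator", "Default"]

# UI areas each Management Client profile leaves visible (constructed names).
PROFILES = {
    "Recording Server and Camera Administrator": {"Recording Servers", "Cameras"},
    "Default": {"Recording Servers", "Cameras", "Rules", "Roles"},
}

# Role -> selected profile and the areas its security permissions allow.
ROLES = {
    "Site A camera admins": {
        "profile": "Recording Server and Camera Administrator",
        "permissions": {"Recording Servers", "Cameras"},
    },
    "Site B camera admins": {
        "profile": "Recording Server and Camera Administrator",
        "permissions": {"Recording Servers", "Cameras", "Rules", "Roles"},
    },
    "System admins": {
        "profile": "Default",
        "permissions": {"Recording Servers", "Cameras", "Rules", "Roles"},
    },
}


def effective_profile(role_names):
    """Profile applied to a member of several roles: the highest-priority one."""
    selected = {ROLES[r]["profile"] for r in role_names}
    return next(p for p in PROFILE_ORDER if p in selected)


def hidden_but_permitted(role_name):
    """Areas the role may manage although its profile hides them in the UI."""
    role = ROLES[role_name]
    return role["permissions"] - PROFILES[role["profile"]]


def audit():
    """Return {role: sorted hidden-but-permitted areas} for mismatched roles."""
    return {name: sorted(gap) for name in ROLES if (gap := hidden_but_permitted(name))}


if __name__ == "__main__":
    for role, areas in audit().items():
        print(f"{role}: permitted but hidden by profile: {', '.join(areas)}")
```

Any role the audit reports is restricted in the user interface only; its permissions need to be narrowed in the role itself to match.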