Roles and permissions of a role (explained)
All users in Milestone XProtect VMS belong to a role.
Roles define users' permissions, including the devices the users can access. Roles also define security and access permissions within the video management system.
The system comes with a default Administrators role with full access to all system functionality, but in most cases you need more than one role in your system, to differentiate between users and the access they should have. You can add as many roles as you need. See Assign/remove users and groups to/from roles.
For example, you might need to set up different types of roles for users of XProtect Smart Client, depending on the devices you want them to have access to, or similar types of restrictions that require differentiation between users.
To create a differentiation between users, you must:
-
Create and set up the roles that you need to suit your organization's business needs
-
Add users and user groups that you assign to the roles they should belong to
-
Create Smart Client profiles and Management Client profiles to define what users can see in the XProtect Smart Client and Management Client user interface.
Roles only control your access permissions, and not what users can see in the user interface in XProtect Smart Client or the Management Client. You do not need create a specific Management Client profile for users that will never use the Management Client.
For the best possible user experience for XProtect Smart Client users or Management Client users with limited access to Management Client functionality, you should ensure that there is consistency between the permissions provided by the role and the user interface elements provided by the Smart Client or Management Client profile.
To have access to the Management Server, it is important that all roles have the Connect security permission enabled. The permission is located in Role Settings > Management Server > Overall Security tab (roles).
To set up roles in your system, expand the Security > Roles.
Permissions of a role
Available functionality depends on the system you are using. See the complete feature list, which is available on the product overview page on the Milestone website (https://www.milestonesys.com/products/software/xprotect-comparison/).
When you create a role in your system, you can assign that role to a number of permissions to the system components or features which the relevant role can access and use.
For example, you might want to create roles that only have permissions to access functionality in XProtect Smart Client or other Milestone viewing clients, with the permissions to view only certain cameras. If you create such roles, these roles should not have permissions to access and use the Management Client, but only have access to some or all functionality found in XProtect Smart Client or other clients.
To address this need for differentiation, you then set up a role that has some or most typical administrator permissions, for example, the permissions to add and remove cameras, servers and similar functionality. You can create roles that have some or most permissions of a system administrator. This may, for example, be relevant if your organization wants to separate between people who can administrate a subset of the system and people who can administrate the entire system.
Roles give you the possibility to provide differentiated administrator permissions to access, edit, or change a large variety of system functions. For example, the permission to edit the settings for servers or cameras in your system. You specify these permissions on the Overall Security tab (see Overall Security tab (roles)). To enable that the differentiated system administrator can launch the Management Client, you must grant read permissions on the management server for the role.
To have access to the Management Server, it is important that all roles have the Connect security permission enabled. The permission is located in Role Settings > Management Server > Overall Security tab (roles).
You can also reflect the same limitations in the user interface of the Management Client for each role by associating the role with a Management Client profile that has the removed the corresponding system functions from the user interface. See Management Client profiles (explained) for information.
To give a role such differentiated administrator permissions, the person with the default full administrator role must set up the role under Security > Roles > Info tab > Add new. When you set up the new role, you can then associate the role with your own profiles must similarly to when you set up any other role in the system or use the system's default profiles. For more information, see Add and manage a role.
When you have specified the profiles to associate with the role, go to the Overall Security tab to specify the permissions of the role.
The permissions you can set for a role are different between your products. You can only give all available permissions to a role in XProtect Corporate.