# Roles and Permissions for Access Control {% hint style="success" %} As of November 14, 2024, access control permissions have changed. Users with legacy access control roles will maintain their permissions until they are updated to the current roles detailed in this article. See [Legacy Access Control Roles](https://help.verkada.com/access-control/users-and-credentials/add-and-modify-access-groups/legacy-access-control-roles) for more information. {% endhint %} This article describes the set of roles and associated permissions for [Verkada Access Control](https://www.verkada.com/access-control/). For more information on roles and permissions for other Verkada product lines, see [Roles and Permissions for Command](https://app.gitbook.com/s/NRq5qDDjsYNxwNzF1bcB/users-and-permissions/roles-and-permissions-for-command). *** ### Permissions considerations * Subsites inherit permissions from all parent sites, including the ultimate parent. * Users can belong to multiple groups. When roles conflict, the user receives the **highest role** granted directly or through any group. * Group-assigned roles can be manually upgraded but not downgraded. Remove the user from the group with the higher role to downgrade their access. Permissions for access control are set at both the organizational level and the site level. There are two org-level roles and one site-level role that define a user’s permissions to view and manage access control permissions and devices: {% hint style="warning" %} Access control roles are granted to users independently of one another. {% endhint %} *** ## Organization-level roles Access System roles grant permissions to manage organization-wide access control settings for all sites. | Permission | Access System Manager | Access System Admin | | ---------------------------------------------------------------------- | :-------------------: | :-----------------: | | Create and edit door schedules, door exceptions, and access exceptions | ✅ | ✅ | | Create ane edit badge templates | | ✅ | | Receive access Site Admin privileges over all sites | | ✅ | | Manage organization-wide access control settings | | ✅ | | Create and edit buildings and floors | | ✅ | | Grant Access System roles to other users | | ✅ | #### Role overview
Access System Manager A user or group with Access System Manager can: * View, add, delete, and edit door schedules and door exceptions. * View, add, delete, and edit access exceptions.
Access System Admin {% hint style="info" %} Access System Admins are automatically granted [Access Site Admin](https://help.verkada.com/access-control/getting-started/roles-and-permissions-for-access-control) for **all sites**. {% endhint %} A user or group with Access User Admin can: * Do everything that an Access System Manager can do. * Grant [Access System Role](https://help.verkada.com/access-control/getting-started/roles-and-permissions-for-access-control) and [Access Site Role](https://help.verkada.com/access-control/getting-started/roles-and-permissions-for-access-control) permissions for any site. * Configure org-wide access settings, such as Bluetooth unlock. * Add, edit, and delete badge templates. * Edit and delete buildings, floors, and add floorplans to floors. * View the descriptions of and delete saved event reports created by other users. * [Enable support access](https://app.gitbook.com/s/NRq5qDDjsYNxwNzF1bcB/need-help/contact-verkada-support/enable-support-access) to Command for Organization.
None Does **not** have permission to manage org-wide access control settings for an organization.
*** ## User management roles Access User Management roles grant permissions to manage access users, credentials, and access groups. | Permission | Acces Credential Manager | Access User Manager | Access User Admin | | --------------------------------------------- | :----------------------: | :-----------------: | :---------------: | | Manage user credentials and print user badges | ✅ | ✅ | ✅ | | Suspend user access | ✅ | ✅ | ✅ | | Create and edit users | | ✅ | ✅ | | Edit access group membership | | ✅ | ✅ | | Create access groups | | | ✅ | | Grant Access User roles to other users | | | ✅ | #### Role overview
Access Credential Manager A user or group with Access Credential Manager can: * View all access users. * Add, edit, and delete credentials for access users. * Add and delete profile pictures for access users. * Print user badges. * Configure Pass app settings for access users. * Grant and suspend access for access users, including editing a user’s start and end date for temporary access.
Access User Manager A user or group with Access User Manager can: * Do everything that an Access Credential Manager can do. * Add and edit access users (not synced via SCIM), including updating all user profile information. * Add and remove users from existing access groups (not synced via SCIM).
Access User Admin A user or group with Access User Admin can: * Do everything an Access User Manager can do. * Grant [Access User Management Role](https://help.verkada.com/access-control/getting-started/roles-and-permissions-for-access-control) permissions for the organization. * Delete access users (not synced via SCIM). * Add, edit, and delete access groups (not synced via SCIM). * [Enable support access](https://app.gitbook.com/s/NRq5qDDjsYNxwNzF1bcB/need-help/contact-verkada-support/enable-support-access) to Command for Organization.
None Does **not** have permission to manage an organization’s access users or groups.
*** ## Site roles Access Site roles grant permissions to manage access control settings, devices, and door access. Site-level roles can be assigned to individual users or groups and apply only to a specific site. Subsites inherit permissions from parent sites above them in the hierarchy.
PermissionAccess Site ViewerAccess Site ManagerAccess Site Admin
View site's doors, inputs/outputs, and events
Remote unlock site's doorsOnly doors where granted access
Apply door schedules, door exceptions, and overrides to site's doors
Create and edit access levels and access exceptions for site
Create and edit roll call templates for site
View areas and clear anti-passback violations for site
Manage lockdowns for site
Manage area settings for site
Manage doors, inputs/outputs, and access controlers for site
Manage site's access control settings
Grant Access Site roles to other users
#### Role overview
Access Site Viewer A user or group with Access Site Viewer permissions for a site can: * View any door in the site. * Unlock doors from Command for doors the user has access to. * View a floorplan that has doors from the site added. * View live and historical access events for the site. * Run, save, export, and distribute reports of historical access events. * Add and edit alerts based on access events. * Run and end roll call reports from existing roll call templates and mark people as safe or missing on an active roll call report.
Access Site Manager A user or group with Access Site Manager permissions for a site can: * Do everything an Access Site Viewer can do. * Unlock any door in the site from Command. * Override the schedule for any door in the site from Command. * Change a door’s schedule to another preexisting schedule. * Apply or remove preexisting door exceptions. * Add, configure, and delete access levels. * View live and historical access events. * Run, save, export, and distribute reports of historical access events. * Create, configure, and delete roll call templates. * View areas and clear anti-passback violations.
Access Site Admin A user or group with Access Site Admin permissions for a site can: * Do everything an Access Site Manager can do. * Grant [Access Site Role](https://help.verkada.com/access-control/getting-started/roles-and-permissions-for-access-control) permissions for the site. * Add, configure, and delete access control devices. * Add, configure, and delete doors, AUX inputs, and AUX outputs. * Add, configure, and delete lockdowns. * Configure areas and anti-passback (APB) settings. * Manage site-level access settings for the site, such as Bluetooth unlock and scheduled firmware updates. * [Enable support access](https://app.gitbook.com/s/NRq5qDDjsYNxwNzF1bcB/need-help/contact-verkada-support/enable-support-access) to Command for Organization.
None Does **not** have permission to manage a site’s access control settings or devices.
*** ## Set permissions
Users #### Grant permissions 1. In Verkada Command, go to **All Products > Admin.** 2. Select **Users & Permissions** > **Users.** 3. Select a user to grant permissions. 4. Click **Manage** to the right of Organization Roles, User Management Roles, or Site Roles. 1. For site roles, select the relevant product. 2. Select the role to grant to the user. 3. Click **Save**. #### Revoke permissions 1. In Verkada Command, go to **All Products > Admin.** 2. Select **Users & Permissions** > **Users.** 3. Select a user to revoke permissions. 4. Click **Manage** to the right of Organization Roles, User Management Roles, or Site Roles. 1. For site roles, select the relevant product. 2. De-select the role to remove from the user. 3. Click **Save**.
For groups #### **Granting permissions** 1. In Verkada Command, go to **All Products > Admin.** 2. Select **Users & Permissions** > **Groups.** 3. Select a Command group to grant permissions. 4. At the top, click **Roles.** 5. Click **Manage** to the right of Organization Roles, User Management Roles, or Site Roles. 1. For site roles, select the relevant product. 2. Select the role to grant to the group. 3. Click **Save**. #### **Revoking permissions** 1. In Verkada Command, go to **All Products > Admin.** 2. Select **Users & Permissions** > **Groups.** 3. Select a Command group to revoke permissions. 4. At the top, click **Roles.** 5. Click **Manage** to the right of Organization Roles, User Management Roles, or Site Roles. 1. For site roles, select the relevant product. 2. De-select the role to remove from the group. 3. Click **Save**.
*** ### Common access control permission configurations | | | | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- | | **Scenario** | **Role Configuration** | |

User needs total control over all access control system settings, devices, and users.

For example, a Security Director.

|

Access System Admin

Access User Admin

| |

User needs to be able to create and edit door schedules or exceptions applied to doors in one or more sites.

For example, a security team member.

| Access System Manager | |

User is responsible for onboarding new users by printing badges and adding them to access groups.

For example, an HR staff member.

| Access User Manager | |

User is only responsible for adding credential info and printing badges for new users, such as SCIM-synced users.

For example, an HR staff member.

| [Access Credential Manager](https://help.verkada.com/access-control/getting-started/roles-and-permissions-for-access-control) | |

User needs to manage all site-specific access control settings but should not be able to edit user or access group settings (granted by User Management Roles).

For example, an office General Manager.

| Access Site Admin | |

User needs to manage which access groups have access to doors for a particular site but should not be able to edit other access control settings for the site.

For example, an office facilities staff member.

| [Access Site Manager](https://help.verkada.com/access-control/getting-started/roles-and-permissions-for-access-control) | |

User only needs to view and unlock certain doors for a particular site.

For example, a front desk receptionist.

| [Access Site Viewer](https://help.verkada.com/access-control/getting-started/roles-and-permissions-for-access-control) | *** {% hint style="info" %} **Revisions** 11/14/2024: * Added the new Access System, Access User Management, and Access Site roles. * Removed the legacy Access Control Admin, Access Control Manager, and Access Site Admin roles. See [Legacy Access Control Roles](https://help.verkada.com/access-control/users-and-credentials/add-and-modify-access-groups/legacy-access-control-roles) for more information. {% endhint %} {% hint style="info" %} **Prefer to see it in action?** Check out the [video tutorial](https://www.youtube.com/watch?v=akeui7lbme0). {% endhint %}