Contact Support

Roles and Permissions for Access Control

Learn about roles that define a user’s access control permissions in Verkada Command

As of November 14, 2024, access control permissions have changed. Users with legacy access control roles will maintain their permissions until they are updated to the current roles detailed in this article. See Legacy Access Control Roles for more information.

This article describes the set of roles and associated permissions for Verkada Access Control. For more information on roles and permissions for other Verkada product lines, see Roles and Permissions for Command.

Permissions considerations

  • Subsites inherit permissions from all parent sites, including the ultimate parent.

  • Users can belong to multiple groups. When roles conflict, the user receives the highest role granted directly or through any group.

  • Group-assigned roles can be manually upgraded but not downgraded. Remove the user from the group with the higher role to downgrade their access.

Permissions for access control are set at both the organizational level and the site level. There are two org-level roles and one site-level role that define a user’s permissions to view and manage access control permissions and devices:

Access control roles are granted to users independently of one another.

Org-level roles

Access System

The Access System role grants permissions to manage org-wide access control settings for all sites.

At a high level, these are the permissions granted to each level of Access System roles:

None

Does not have permission to manage org-wide access control settings for an organization.

Access System Manager

A user or group with Access System Manager can:

  • View, add, delete, and edit door schedules and door exceptions.

  • View, add, delete, and edit access exceptions.

Access System Admin

A user or group with Access User Admin can:

  • Do everything that an Access System Manager can do.

  • Inherits Access Site Admin permissions for all sites.

  • Grant Access System Role and Access Site Role permissions for any site.

  • Configure org-wide access settings, such as Bluetooth unlock.

  • Add, edit, and delete badge templates.

  • Edit and delete buildings, floors, and add floorplans to floors.

  • View the descriptions of and delete saved event reports created by other users.

  • Enable support access to Command for Organization.

Access User Management

The Access User Management role grants permissions to manage access users, credentials, and access groups.

At a high level, these are the permissions granted to each level of Access User Management roles:

None

Does not have permission to manage an organization’s access users or groups.

Access Credential Manager

A user or group with Access Credential Manager can:

  • View all access users.

  • Add, edit, and delete credentials for access users.

  • Add and delete profile pictures for access users.

  • Print user badges.

  • Configure Pass app settings for access users.

  • Grant and suspend access for access users, including editing a user’s start and end date for temporary access.

Access User Manager

A user or group with Access User Manager can:

  • Do everything that an Access Credential Manager can do.

  • Add and edit access users (not synced via SCIM), including updating all user profile information.

  • Add and remove users from existing access groups (not synced via SCIM).

Access User Admin

A user or group with Access User Admin can:

  • Do everything an Access User Manager can do.

  • Grant Access User Management Role permissions for the organization.

  • Delete access users (not synced via SCIM).

  • Add, edit, and delete access groups (not synced via SCIM).

  • Enable support access to Command for Organization.

Site-level role

Access Site

The Access Site role grants permissions to manage access control settings, devices, and door access.

At a high level, these are the permissions granted to each level of Access Site roles:

None

Does not have permission to manage a site’s access control settings or devices.

Access Site Viewer

A user or group with Access Site Viewer permissions for a site can:

  • View any door in the site.

  • Unlock doors from Command for doors the user has access to.

  • View a floorplan that has doors from the site added.

  • View live and historical access events for the site.

  • Run, save, export, and distribute reports of historical access events.

  • Add and edit alerts based on access events.

  • Run and end roll call reports from existing roll call templates and mark people as safe or missing on an active roll call report.

Access Site Manager

A user or group with Access Site Manager permissions for a site can:

  • Do everything an Access Site Viewer can do.

  • Unlock any door in the site from Command.

  • Override the schedule for any door in the site from Command.

  • Change a door’s schedule to another preexisting schedule.

  • Apply or remove preexisting door exceptions.

  • Add, configure, and delete access levels.

  • View live and historical access events.

  • Run, save, export, and distribute reports of historical access events.

  • Create, configure, and delete roll call templates.

  • View areas and clear anti-passback violations.

Access Site Admin

A user or group with Access Site Admin permissions for a site can:

  • Do everything an Access Site Manager can do.

  • Grant Access Site Role permissions for the site.

  • Add, configure, and delete access control devices.

  • Add, configure, and delete doors, AUX inputs, and AUX outputs.

  • Add, configure, and delete lockdowns.

  • Configure areas and anti-passback (APB) settings.

  • Manage site-level access settings for the site, such as Bluetooth unlock and scheduled firmware updates.

  • Enable support access to Command for Organization.

Set permissions

Users

Org-level

In Verkada Command, go to All Products > Admin .Under Org Settings, select Users.Select your user.On the left side panel, next to Access Control Roles, click Edit.a. Grant the necessary org-level access control roles. b. Click Apply Changes.

Site-level

In Verkada Command, go to All Products > Admin .Under Org Settings, select Users.Select your user.At the top right, click Manage Roles.a. From the Access Site Role dropdown, select the permission level for the needed sites. b. Click Save.

Groups

Org-level

In Verkada Command, go to All Products > Admin .Under Org Settings, select Groups.Select your group.On the left side panel, next to Access Control Roles, click Edit.a. Grant the necessary org-level access control roles. b. Click Apply Changes.

Site-level

In Verkada Command, go to All Products > Admin .Under Org Settings, select Groups.Select your group.At the top, click Site Roles.a. At the top right, click Manage Roles. b. From the Access Site Role dropdown, select the permission level for the needed sites c. Click Save.

Common access control permission configurations

Scenario

Role Configuration

User needs total control over all access control system settings, devices, and users. ​ For example, a Security Director.

Access System Admin

Access User Admin

User needs to be able to create and edit door schedules or exceptions applied to doors in one or more sites.

For example, a security team member.

Access System Manager

User is responsible for onboarding new users by printing badges and adding them to access groups. ​ For example, an HR staff member.

Access User Manager

User is only responsible for adding credential info and printing badges for new users, such as SCIM-synced users. ​ For example, an HR staff member.

Access Credential Manager

User needs to manage all site-specific access control settings but should not be able to edit user or access group settings (granted by User Management Roles). ​ For example, an office General Manager.

Access Site Admin

User needs to manage which access groups have access to doors for a particular site but should not be able to edit other access control settings for the site. ​ For example, an office facilities staff member.

Access Site Manager

User only needs to view and unlock certain doors for a particular site. ​ For example, a front desk receptionist.

Access Site Viewer

Revisions

11/14/2024:

  • Added the new Access System, Access User Management, and Access Site roles.

  • Removed the legacy Access Control Admin, Access Control Manager, and Access Site Admin roles. See Legacy Access Control Roles for more information.

Prefer to see it in action? Check out the video tutorial.

Need more help? Contact Verkada Support.

Last updated

Was this helpful?