Directories for User & Group Management

Directories allow organizations to segment user and group management into scoped containers. Each directory can include a subset of an organization’s users or user groups (both Command user groups and access control user groups).

This structure allows organizations to delegate user management to regional or functional admins without granting organization-wide permissions. For example, an admin managing badge access for the San Francisco office can be limited to the "SF Directory."

Directories in Command

Directories allow organizations to segment user and group management, providing control over permissions, visibility, and administrative scope. With Directories, you can:

• Restrict permissions to view, edit, or create users and groups to a specific directory.

• Allow Access Control admins to manage users, access groups, and credentials for a location without affecting other sites.

• Limit visibility and edit rights so directory-scoped admins can only act on users and groups within their assigned directory.

• Optionally hide all users and groups outside an admin’s assigned directory.

Organize Directories

Organizations can move existing users and groups into a Directory or create new ones directly within a Directory. Users and groups are organized from Global, the organization-wide container, into individual Directories.

Global

Global contains all users and groups by default. Only roles granted at the org-wide level provide administrative control over Global and all Directories. SCIM-synced users sync to Global, and Global-level groups can serve as sources for assignment across Directories.

Directory

A Directory is a logical container for users and groups within an organization. It is typically used to represent locations, regions, campuses, business units, or tenants, enabling scoped administration.

Directories can:

• Contain a subset of users and groups (Command and access control groups).

• Exist only under Global (nesting is not supported).

• Be managed independently via directory-scoped roles.

• Automatically populate with users and groups via SCIM sync or existing Command/Access Control groups.

• Automatically update when users are added or removed from synced or source groups.

• Optionally restrict visibility so admins scoped to a Directory only see users and groups within their directory.

Manage Directories

Users

• Users can be members of one or more directories.

• Users created in or added to a directory will still be contained within Global.

• SCIM-synced users are always placed in Global by default.

Groups

Like users, groups (both Command groups and Access control groups) can be placed in Directories.

• Each group can exist in only one Directory.

• A group can contain only users who belong to the same Directory.

• Groups are scoped to their Directory and cannot be referenced in other Directories.

• Groups can be automatically populated using SCIM-synced groups or existing Command/Access Control groups as sources of assignment, ensuring membership stays updated without manual changes.

Roles and permissions

User management permissions in Verkada are granted through Command roles and Access User Management roles.

By default, these roles provide permissions over all users, Command groups, and access groups across the organization. With Directories, these roles can optionally be scoped to a specific Directory.

The organization-wide version of these roles remains available. Assigning a user an organization-wide role grants permissions over all users and groups in Global and across all Directories.

Users assigned one of these roles before Directories were enabled will automatically retain the organization-wide version of the role.

Directory-specific roles & permissions

With directory-scoped roles, admins can only view and manage users, groups, and credentials within their assigned directory. Access and visibility outside the directory are fully restricted.

Configuration

Enable Directories

All directory functionality is disabled by default. Directories can be enabled from Feature Manager. Once enabled, Directories can be created and managed from the Admin > User Management page in Command.

After enabling Directories:

• All existing users, groups, and role assignments remain visible in the Global view.

• You can create directories to manage users and groups within scoped areas.

• To fully hide out-of-scope users and groups for directory-scoped admins, enable Limited User Visibility for Site Roles in Feature Manager.

Create a Directory

After creating directories:

• Move existing users and groups from Global into the desired directories.

• Create new users or groups directly within a directory.

• Automatically populate directories using SCIM-synced groups or existing Command/Access Control groups as sources of assignment.

• When Limited User Visibility for Site Roles is enabled in Feature Manager, directory-scoped admins can only see users and groups within their assigned directory.

Add users to a Directory

Existing user

New user

Add groups to a Directory

Existing groups

New groups

Grant Directory-scoped roles

Command roles

Access User Management roles

Sync users to a Directory

Limit User Visibility

When Directories are enabled, Org Admins can activate the Limit User Visibility setting in Feature Manager. This setting restricts which users and groups are visible in both Command and access control based on the user’s assigned role.

With Limit User Visibility enabled, users with the following roles see only users and groups associated with their assigned sites:

• Site Admin

• Site Viewer

• Access System Manager

• Access Site Admin

• Access Site Manager

• Access Site Viewer

• Workplace Site Admin

This ensures that site-level and system managers cannot view users outside their assigned locations, improving privacy and maintaining proper access boundaries.