As of November 14, 2024, access control permissions have changed. Users with legacy access control roles will maintain their permissions until they are updated to the current roles. Users added or modified after this date will be granted the new access control permissions. See Roles and Permissions for Access Control for more information.

There are two sets of legacy roles that define a user’s permissions to view and manage access control within Command:

Access Control Role (Legacy). This role is set at the org level and is either Access Control Manager or Access Control Admin.
Access Site Admin (Legacy). This role is set at the site level for each site. For a user to be an Access Site Admin of any site, their Access Control Role must be set to either Access Control Manager or Access Control Admin.

If a user has a legacy access control role, they need to migrate to the current roles before any changes to their access control permissions can be made.

Permissions comparison

Below are diagrams comparing the permissions of the legacy access control roles (shown in blue) to the current access control roles (shown in white).

Org-Level Access System Permissions

Org-Level Access User Management Permissions

Site-Level Access Control Permissions

Detailed Legacy Role Descriptions

Access Control Manager

A user with their org-level Access Control Role set to Access Control Manager can:

Do everything an Access Control Member can do.
Unlock the doors they have been given access to.
View, add, suspend, and edit access users, including updating user information (not synced via SCIM), granting and suspending access, and adding and deleting credentials.
View, edit, and delete access groups (not synced via SCIM).
View, edit, and delete buildings.
View, edit, delete, and add floors within buildings.
If you are an Org Admin, view the descriptions of and delete saved event reports created by other users.

For the sites that an Access Control Manager is an Access Site Admin of, they can:

View and unlock doors.
Change the schedule for a door to a door schedule that has already been created.
To a door, add a door schedule exception that has already been created.
View live and historical access events. Run, save, export, and distribute reports of these events. Add and edit alerts based on access events.

Access Control Admin

A user with their org-level Access Control Role set to Access Control Admin can:

Everything an Access Control Manager can do.
View, add, edit, and delete access groups (not synced via SCIM).
View, add, delete, and edit door schedules, door schedule exceptions, and access schedule exceptions.
Update the Access Control Role of other users.
For any sites that the user has visibility into, update the Access Site Admin role of other users.
Configure org-wide access settings, such as Bluetooth unlock.

For the sites that an Access Control Admin is an Access Site Admin of, they can:

Perform everything an Access Control Manager can do.
Add, edit, and delete doors, AUX inputs/outputs, lockdowns, and access controllers.
Add, edit, and delete access levels and access schedule exceptions.
Manage site-level access settings, such as Bluetooth unlock and scheduled firmware updates.

Access Site Admin

When a user is an Access Site Admin of a given site, their permissions for that site depend on whether their org-level Access Control Role is as an Access Control Manager or Access Control Admin. The following table outlines which permissions are granted when a user is made an Access Site Admin of a given Site X:

Access Control Manager	Access Control Admin
View live door events for doors in Site X View reports for doors in Site X View door event history View user event history for doors in Site X Change the schedule for a door in Site X to another schedule that already exists Override the schedule for a door in Site X Unlock a door in Site X from Verkada Command	Does everything an Access Control Manager can, in addition to: Change the Access Control Role of other users Add/remove Access Site Admins for Site X Add/remove access control devices in Site X Add/configure/remove doors and AUX devices in Site X Add/configure/remove access levels in Site X

Access Admins who are not also Org Admins cannot grant themselves Access Site Admin permissions.

Migrate legacy access control roles

You must be an Org Admin or both an Access System Admin and Access User Admin to migrate a user with legacy access control roles to the current access control roles.

In Verkada Command, go to All Products > Admin .
Under Org Settings, select Users.
Select the user with a legacy access control role.
On the left side panel, next to Access Control Roles, click Update Roles.
Click Assign New Roles.
1. Select the Access System, Access User Management, and Access Site roles that you want the user to have.
2. Click Finish and Apply Roles.

After migrating the new access control roles, all of the user's legacy access control roles will be removed. Going forward only the current access control roles can be granted to this user.

FAQ

What if a user with legacy access control roles is added to a Command group that grants them current access control roles?

If a user with legacy access control roles is added to a Command group that has current access control roles, then the user will receive all permissions granted to them by the combination of their legacy and current access control roles.

While this state is supported, it's recommended to migrate a user's legacy access roles to the current access control roles before assigning permissions through a Command group. This helps streamline tracking of the user’s current access permissions.

Need more help? Contact Verkada Support.

View Access Control Doors

Roles and Permissions for Command

Assign a User Access to a Door

Roles and Permissions for Intercom

Roles and Permissions for Access Control