Skip to main content

User Directories (Beta)

Learn how to segment management of users and user groups with Directories

Updated yesterday

User Directories is an optional feature in Command that allows organizations to segment user and group management into scoped “Directories” that include only a subset of an organization’s users or user groups (both Command User Groups and Access Control User Groups).

This structure allows organizations to delegate user management to regional or functional Admins without granting global user management admin rights across the entire org. For example, an admin responsible for badge access at the San Francisco office can be limited to managing only the “SF Directory.”

By using Directories, organizations can:

  • Restrict permissions to view, edit, or create users and user groups to only a specific directory.

  • Maintain a secure, scalable access management structure aligned with sites or business units.

  • Allow Access Control administrators to manage users, access groups, and credentials for a specific location’s directory without giving them control over users or door access at any other location in your organization.

Organizing Directories in Command

After "Directories" has been enabled in a Command Organization, it will be possible to move existing users and groups into a Directory or create new users and groups directly inside of a Directory.

Organizations that have enabled Directories from Feature Manager will be able to organize users and user groups from "Global" (the full collection of users and user groups for the entire organization) into individual "Directories.

Global

“Global” is the org-wide container that all users and groups are always added to by default. Only roles granted at the “org-wide” level confer administrative control over Global (as well as all Directories). All SCIM-synced users currently sync to the Global Directory, and Global-level groups can be used across all directories (as assignment sources or synced groups).

Directory

A "Directory" is a logical container used to segment users and groups of users within a single organization. Directories are commonly used to represent specific office locations, regions, campuses, business units, or tenants, enabling scoped administration and logical organization of a relevant user subset.

Directories can:

  • Contain a subset of users and groups (command groups and access groups)

  • Do not support nesting (all directories live under Global)

  • Be managed independently via Directory scoped roles

Managing Users with Directories

  • Users can be members of one or more directories

  • Users created in or added to a directory will still be contained within Global

  • SCIM-synced users are always placed in Global by default

Managing Groups with Directories

  • Like users, groups of users (both Command Groups and Access Groups) can also be placed in Directories.

  • Unlike users, a group can only exist in a single directory

  • A group can only contain users that also belong to the same directory as the group

  • Groups created or put inside a directory are scoped to that directory only and cannot be referenced in other directories


Org-Wide and Directory Roles

User management permissions in Verkada's system are conferred to users by granting Command Roles and Access User Management roles.

Normally Command Roles and Access User Management roles grant permissions over all users, command groups, and/or access groups across the entire org. But with Directories, the permissions granted by these roles can now optionally be scoped to a specific Directory.

Even after Directories are enabled, the Org-Wide version of these roles is still available to grant. Granting a user an Org-Wide role will grant them relevant permissions over all users and groups in Global and across all Directories.

Users that were assigned one of the roles listed below before Directories is enabled will start out having the Org-Wide version of the role after Directories is enabled.

Role

Scope

Key User Management Permissions

Org Admin

Org-Wide

Create/delete directories, manage all users and command groups

Command User Admin (Org-Wide)

Org-Wide

Create, viewread, edit, and delete users and command groups in Global and across all directories

Access User Admin (Org-Wide)

Org-Wide

Create, edit, and delete users, access groups, and credentials in Global across all directories

Access User Manager (Org-Wide)

Org-Wide

Edit users and access group memberships in Global and across all directories

Access Credential Manager (Org-Wide)

Org-Wide

Edit and delete user credentials (cards, PINs, mobile unlocks) in Global and across all directories

Command User Admin (Directory-Scoped)

Directory

Create, edit, and delete users and command groups within the relevant assigned directory

Access User Admin (Directory-Scoped)

Directory

Create, edit, and delete users and access groups within the relevant directory

Access Group Manager (Directory-Scoped)

Directory

Edit users and access group memberships within the relevant directory

Access User Credential Manager (Directory-Scoped)

Directory

Edit and delete user credentials (cards, PINs, mobile unlocks) for users within the relevant directory


Setting Up Directories

All directory functionality is disabled by default. Directories can be enabled from Feature Manager. Once enabled, Directories can be created and managed from the User Management page in Command.

Step 1: Enable Directories

  1. Navigate to AdminOrg SettingsFeature Manager

  2. Under the “Command” section, toggle on Directories.

After "Directories" is enabled:

  • All existing users, groups, and role assignments remain visible in the Global View.

  • You can begin creating directories for scoped management.

  • Important: You will not be able to enable Directories if your org has users assigned any legacy Access Control roles. Refer to this knowledge base article to resolve legacy role issues before proceeding.

If your organization still has one or more users with legacy access control roles, it will not be possible to enable Directories in Feature Manager without first migrating these users to the current access control roles.

Step 2: Creating a Directory

  1. Navigate to AdminUser Management (on the left side panel)

    1. Alternatively, you can navigate to User Management Admin → Users & Permissions → Users

  2. Click on “Global” to access the list of Directories from a left side panel

  3. To add a Directory, click on +

  4. Select New Directory to add a single new Directory manually

    1. You’ll be prompted to enter a name (must be globally unique)

  5. Alternatively, select Create Directories from Sites to auto-create one or more Directories having the same name as selected sites.

    • NOTE: Auto-creating a Directory from a site will only copy the site's name during Directory creation. Directory and site names will not be kept in sync after creation.

After creating one or more Directories:

  • You will be able to move existing users and groups from Global to desired directories.

  • You will be able to create new users or groups directly in one of your directories.

Step 3: Add Users to a Directory

To move existing users into a Directory:

  1. Navigate to AdminUser Management → Users

  2. Select one or more users and click Move to Directory

  3. Select one or more specific Directories and click Done

To create a new user in a Directory:

  1. Navigate to AdminUser Management → Users

  2. Click Add User on the top right

  3. Follow the on-screen instructions to create a new user.

    1. On the Directory Location step, select one or more Directories.

Step 4: Add Groups to a Directory

To move existing groups into a Directory:

  1. Navigate to AdminUser Management → Groups

  2. Select one or more groups and click Move to Directory

  3. Select a single Directory and click Done

NOTE: If you move a group into a Directory, all users that are members of that group will be added to the same Directory (if not already added).

Removing the group from the Directory after this happens will not remove the group's members from the Directory.

To create a new command group or access group in a Directory:

  1. Navigate to AdminUser Management → Groups

  2. Click Create on the top right

  3. Select Command Group or Access Group

  4. Follow the on-screen instructions to create a new group.

    1. On the Directory Location step, select a specific Directory.

Step 5: Grant Directory-Scoped Roles

To delegate user or group management permissions that are scoped to a Directory:

  • Navigate to AdminUser Management

  • Select a specific User or Command Group

  • To assign Command Roles over a directory:

    • On the left side under Command Roles, select Edit

    • Under the Command Role section, find the relevant Directory

    • On the relevant Directory, select Command User Admin.

  • To assign Access User Management roles over a directory:

    • Under Access Control Roles, select Edit

    • Under the User Management Role section, find the relevant Directory

    • On the relevant Directory, select the Access User Management role


FAQ

I already have users and groups in my organization. Can I use Directories for them without recreating anything?

Yes. Existing users and groups can be moved into Directories via the User Management list page, as described above under Add Users to a Directory and Add Groups to a Directory.

What happens if I disable Directories in Feature Manager after having enabled it?

All users and groups added to a directory will maintain their directory memberships even if directories are disabled. If Directories are later re-enabled, users and groups will remain in the same directories they were previously added to. retained. All entities are now visible and manageable again from the Global View only. Directories are hidden, not deleted, and can be re-enabled at any time.

All users or command users that have been granted a directory-scoped role will have these roles revoked when Directories is disabled. If later re-enabled, directory-scoped roles will need to be granted again.

Why are Access Groups listed with Command Groups on the User Management page?

In order to streamline management of all user groups (with or without Directories), Access Groups are now listed along with Command Groups on the Groups tab in User Management.

Only users granted sufficient permissions to view, create, or edit Access Groups will be able to view Access Groups on the groups page.

How can I assign SCIM-synced users or groups to a Directory?

SCIM-synced users land in the Global Directory by default. To assign them to a Directory,move SCIM users into Directories via the UI.

What happens when I delete a Directory?

The directory is permanently deleted, but all users or groups in the directory will not be deleted and will remain in Global.

Does a user need to be in a Directory in order to be granted a directory-scoped role for that Directory?

No. A user does not need to be a member of a directory to be granted a role that confers permissions to manage it.

What roles have permission to grant other users roles over a Directory?

Org Admin, Command User Admin, and Access User Admin can assign user user management roles to others.

If granted an org-wide role, roles can be granted over any directory.

If granted a directory-scoped role, role can only be granted over the relevant directory.

What roles have permission to grant other users org-wide user management roles?

Only Org Admin, Command User Admin (org-wide), and Access User Admin (org-wide) can grant or revoke org-wide user management roles.

How do I remove users from a Directory (individually or in bulk)?

  1. Navigate to AdminUser Management Users

  2. Click on “Global” to access the list of Directories from a left side panel

  3. Select a specific Directory

  4. Select one or more users

  5. Click Remove from Directory

Alternatively, an individual user can be removed from a Directory from its own user profile page (Admin → User Management → Users → Select specific user).

Note: Removing a user from a directory does not delete the user from the organization. It only removes them from that directory.

How do I remove groups from a Directory (individually or in bulk)?

  1. Navigate to AdminUser Management Groups

  2. Select one or more groups

  3. Click Move to Directory on the upper left side

  4. Select Global only (or a different directory)

  5. Click Done.

Alternatively, an individual group can be removed from a Directory from it own details page (Admin → User Management → Groups → Select specific group).

What happens if I move an existing Command Group or Access Group into a Directory?

As mentioned above under "Add Groups to Directories", moving a group into a Directory will automatically add all members of the group to the same directory (if they are not already added to the Directory).

This is a one-time push, so if the group is later removed from the directory then the affected users will remain in the directory. You should make sure you want all users that are currently members of the group you are moving to be added to the directory and manageable by users with permissions for that directory.

If I grant someone one Site Admin or Access System/Site roles, why are they are able to see all users and/or groups?

For the Directories beta, granting someone one of the following roles will still allow them to view all users, access groups, and/or command groups (depending on the specific role). However, these roles will not allow them to edit any users or groups.

  • Site Admin

  • Access System Admin

  • Access System Manager

  • Access Site Admin

  • Access Site Manager

  • Access Site Viewer


Did this answer your question?