User Directories is an optional feature in Command that allows organizations to segment user and group management into scoped “Directories” that include only a subset of an organization’s users or user groups (both Command User Groups and Access Control User Groups).
This structure allows organizations to delegate user management to regional or functional Admins without granting global user management admin rights across the entire org. For example, an admin responsible for badge access at the San Francisco office can be limited to managing only the “SF Directory.”
By using Directories, organizations can:
Restrict permissions to view, edit, or create users and user groups to only a specific directory.
Maintain a secure, scalable access management structure aligned with sites or business units.
Allow Access Control administrators to manage users, access groups, and credentials for a specific location’s directory without giving them control over users or door access at any other location in your organization.
Organizing Directories in Command
After "Directories" has been enabled in a Command Organization, it will be possible to move existing users and groups into a Directory or create new users and groups directly inside of a Directory.
Organizations that have enabled Directories from Feature Manager will be able to organize users and user groups from "Global" (the full collection of users and user groups for the entire organization) into individual "Directories.
Global
“Global” is the org-wide container that all users and groups are always added to by default. Only roles granted at the “org-wide” level confer administrative control over Global (as well as all Directories). All SCIM-synced users currently sync to the Global Directory, and Global-level groups can be used across all directories (as assignment sources or synced groups).
Directory
A "Directory" is a logical container used to segment users and groups of users within a single organization. Directories are commonly used to represent specific office locations, regions, campuses, business units, or tenants, enabling scoped administration and logical organization of a relevant user subset.
Directories can:
Contain a subset of users and groups (command groups and access groups)
Do not support nesting (all directories live under Global)
Be managed independently via Directory scoped roles
Managing Users with Directories
Users can be members of one or more directories
Users created in or added to a directory will still be contained within Global
SCIM-synced users are always placed in Global by default
Managing Groups with Directories
Like users, groups of users (both Command Groups and Access Groups) can also be placed in Directories.
Unlike users, a group can only exist in a single directory
A group can only contain users that also belong to the same directory as the group
Groups created or put inside a directory are scoped to that directory only and cannot be referenced in other directories
Org-Wide and Directory Roles
User management permissions in Verkada's system are conferred to users by granting Command Roles and Access User Management roles.
Normally Command Roles and Access User Management roles grant permissions over all users, command groups, and/or access groups across the entire org. But with Directories, the permissions granted by these roles can now optionally be scoped to a specific Directory.
Even after Directories are enabled, the Org-Wide version of these roles is still available to grant. Granting a user an Org-Wide role will grant them relevant permissions over all users and groups in Global and across all Directories.
Users that were assigned one of the roles listed below before Directories is enabled will start out having the Org-Wide version of the role after Directories is enabled.
Role | Scope | Key User Management Permissions |
Org Admin | Org-Wide | Create/delete directories, manage all users and command groups |
Command User Admin (Org-Wide) | Org-Wide | Create, viewread, edit, and delete users and command groups in Global and across all directories |
Access User Admin (Org-Wide) | Org-Wide | Create, edit, and delete users, access groups, and credentials in Global across all directories |
Access User Manager (Org-Wide) | Org-Wide | Edit users and access group memberships in Global and across all directories |
Access Credential Manager (Org-Wide) | Org-Wide | Edit and delete user credentials (cards, PINs, mobile unlocks) in Global and across all directories |
Command User Admin (Directory-Scoped) | Directory | Create, edit, and delete users and command groups within the relevant assigned directory |
Access User Admin (Directory-Scoped) | Directory | Create, edit, and delete users and access groups within the relevant directory |
Access Group Manager (Directory-Scoped) | Directory | Edit users and access group memberships within the relevant directory |
Access User Credential Manager (Directory-Scoped) | Directory | Edit and delete user credentials (cards, PINs, mobile unlocks) for users within the relevant directory |
Setting Up Directories
All directory functionality is disabled by default. Directories can be enabled from Feature Manager. Once enabled, Directories can be created and managed from the User Management page in Command.
Step 1: Enable Directories
Navigate to Admin → Org Settings → Feature Manager
Under the “Command” section, toggle on Directories.
After "Directories" is enabled:
All existing users, groups, and role assignments remain visible in the Global View.
You can begin creating directories for scoped management.
Important: You will not be able to enable Directories if your org has users assigned any legacy Access Control roles. Refer to this knowledge base article to resolve legacy role issues before proceeding.
If your organization still has one or more users with legacy access control roles, it will not be possible to enable Directories in Feature Manager without first migrating these users to the current access control roles.
Step 2: Creating a Directory
Navigate to Admin → User Management (on the left side panel)
Alternatively, you can navigate to User Management Admin → Users & Permissions → Users
Click on “Global” to access the list of Directories from a left side panel
To add a Directory, click on +
Select New Directory to add a single new Directory manually
You’ll be prompted to enter a name (must be globally unique)
Alternatively, select Create Directories from Sites to auto-create one or more Directories having the same name as selected sites.
NOTE: Auto-creating a Directory from a site will only copy the site's name during Directory creation. Directory and site names will not be kept in sync after creation.
After creating one or more Directories:
You will be able to move existing users and groups from Global to desired directories.
You will be able to create new users or groups directly in one of your directories.
Step 3: Add Users to a Directory
To move existing users into a Directory:
Navigate to Admin → User Management → Users
Select one or more users and click Move to Directory
Select one or more specific Directories and click Done
To create a new user in a Directory:
Navigate to Admin → User Management → Users
Click Add User on the top right
Follow the on-screen instructions to create a new user.
On the Directory Location step, select one or more Directories.
Step 4: Add Groups to a Directory
To move existing groups into a Directory:
Navigate to Admin → User Management → Groups
Select one or more groups and click Move to Directory
Select a single Directory and click Done
NOTE: If you move a group into a Directory, all users that are members of that group will be added to the same Directory (if not already added).
Removing the group from the Directory after this happens will not remove the group's members from the Directory.
To create a new command group or access group in a Directory:
Navigate to Admin → User Management → Groups
Click Create on the top right
Select Command Group or Access Group
Follow the on-screen instructions to create a new group.
On the Directory Location step, select a specific Directory.
Step 5: Grant Directory-Scoped Roles
To delegate user or group management permissions that are scoped to a Directory:
Navigate to Admin → User Management
Select a specific User or Command Group
To assign Command Roles over a directory:
On the left side under Command Roles, select Edit
Under the Command Role section, find the relevant Directory
On the relevant Directory, select Command User Admin.
To assign Access User Management roles over a directory:
Under Access Control Roles, select Edit
Under the User Management Role section, find the relevant Directory
On the relevant Directory, select the Access User Management role
FAQ
I already have users and groups in my organization. Can I use Directories for them without recreating anything?
I already have users and groups in my organization. Can I use Directories for them without recreating anything?
Yes. Existing users and groups can be moved into Directories via the User Management list page, as described above under Add Users to a Directory and Add Groups to a Directory.
What happens if I disable Directories in Feature Manager after having enabled it?
What happens if I disable Directories in Feature Manager after having enabled it?
All users and groups added to a directory will maintain their directory memberships even if directories are disabled. If Directories are later re-enabled, users and groups will remain in the same directories they were previously added to. retained. All entities are now visible and manageable again from the Global View only. Directories are hidden, not deleted, and can be re-enabled at any time.
All users or command users that have been granted a directory-scoped role will have these roles revoked when Directories is disabled. If later re-enabled, directory-scoped roles will need to be granted again.
Why are Access Groups listed with Command Groups on the User Management page?
Why are Access Groups listed with Command Groups on the User Management page?
In order to streamline management of all user groups (with or without Directories), Access Groups are now listed along with Command Groups on the Groups tab in User Management.
Only users granted sufficient permissions to view, create, or edit Access Groups will be able to view Access Groups on the groups page.
How can I assign SCIM-synced users or groups to a Directory?
How can I assign SCIM-synced users or groups to a Directory?
SCIM-synced users land in the Global Directory by default. To assign them to a Directory,move SCIM users into Directories via the UI.
What happens when I delete a Directory?
What happens when I delete a Directory?
The directory is permanently deleted, but all users or groups in the directory will not be deleted and will remain in Global.
Does a user need to be in a Directory in order to be granted a directory-scoped role for that Directory?
Does a user need to be in a Directory in order to be granted a directory-scoped role for that Directory?
No. A user does not need to be a member of a directory to be granted a role that confers permissions to manage it.
What roles have permission to grant other users roles over a Directory?
What roles have permission to grant other users roles over a Directory?
Org Admin, Command User Admin, and Access User Admin can assign user user management roles to others.
If granted an org-wide role, roles can be granted over any directory.
If granted a directory-scoped role, role can only be granted over the relevant directory.
What roles have permission to grant other users org-wide user management roles?
What roles have permission to grant other users org-wide user management roles?
Only Org Admin, Command User Admin (org-wide), and Access User Admin (org-wide) can grant or revoke org-wide user management roles.
How do I remove users from a Directory (individually or in bulk)?
How do I remove users from a Directory (individually or in bulk)?
Navigate to Admin → User Management → Users
Click on “Global” to access the list of Directories from a left side panel
Select a specific Directory
Select one or more users
Click Remove from Directory
Alternatively, an individual user can be removed from a Directory from its own user profile page (Admin → User Management → Users → Select specific user).
Note: Removing a user from a directory does not delete the user from the organization. It only removes them from that directory.
How do I remove groups from a Directory (individually or in bulk)?
How do I remove groups from a Directory (individually or in bulk)?
Navigate to Admin → User Management → Groups
Select one or more groups
Click Move to Directory on the upper left side
Select Global only (or a different directory)
Click Done.
Alternatively, an individual group can be removed from a Directory from it own details page (Admin → User Management → Groups → Select specific group).
What happens if I move an existing Command Group or Access Group into a Directory?
What happens if I move an existing Command Group or Access Group into a Directory?
As mentioned above under "Add Groups to Directories", moving a group into a Directory will automatically add all members of the group to the same directory (if they are not already added to the Directory).
This is a one-time push, so if the group is later removed from the directory then the affected users will remain in the directory. You should make sure you want all users that are currently members of the group you are moving to be added to the directory and manageable by users with permissions for that directory.
If I grant someone one Site Admin or Access System/Site roles, why are they are able to see all users and/or groups?
If I grant someone one Site Admin or Access System/Site roles, why are they are able to see all users and/or groups?
For the Directories beta, granting someone one of the following roles will still allow them to view all users, access groups, and/or command groups (depending on the specific role). However, these roles will not allow them to edit any users or groups.
Site Admin
Access System Admin
Access System Manager
Access Site Admin
Access Site Manager
Access Site Viewer