As of November 14, 2024, access control permissions have changed. Users with legacy access control roles will maintain their permissions until they are updated to the current roles detailed in this article. See Legacy Access Control Roles for more information.
This article describes the set of roles and associated permissions for Verkada Access Control. For an in-depth explanation of roles and permissions for other Verkada products, see Roles and Permissions for Command users for an in-depth explanation of the features and configurations available for overall Verkada Command usage and administration.
Permissions for access control are set at both the org-level and site level. There are two org-level and one site-level role that define a user’s permissions to view and manage access control within Command:
Org-level access control roles
Org-level access control roles can be assigned to individual users or groups.
Access System Role: Grants permissions to manage org-wide access control settings for all sites.
Access User Management Role: Grants permissions to manage access users, credentials, and access groups.
Site-level access control roles
Site-level access control roles can be assigned to individual users or groups to manage site-level settings. Subsites inherit the permissions from the subsites and parent sites above them.
Access Site Role: Grants permissions to manage access control settings, devices, and door access.
The access control roles are granted to users independently of each other.
Access System Role
At a high level, these are the permissions granted to each level of Access System roles:
None
None
Does not have permission to manage org-wide access control settings for an organization.
Access System Manager
Access System Manager
A user or group with Access System Manager can:
View, add, delete, and edit door schedules and door exceptions.
View, add, delete, and edit access exceptions.
Access System Admin
Access System Admin
A user or group with Access User Admin can:
Do everything that an Access System Manager can do.
Inherits Access Site Admin permissions for all sites.
Grant Access System Role and Access Site Role permissions for any site.
Configure org-wide access settings, such as Bluetooth unlock.
Add, edit, and delete badge templates.
Edit and delete buildings, floors, and add floorplans to floors.
View the descriptions of and delete saved event reports created by other users.
Access User Management Role
At a high level, these are the permissions granted to each level of Access User Management roles:
None
None
Does not have permission to manage an organization's access users or groups.
Access Credential Manager
Access Credential Manager
A user or group with Access Credential Manager can:
View all access users.
Add, edit, and delete credentials for access users.
Add and delete profile pictures for access users.
Print user badges.
Configure Pass app settings for access users.
Grant and suspend access for access users, including editing a user's start and end date for temporary access.
Access User Manager
Access User Manager
A user or group with Access User Manager can:
Do everything that an Access Credential Manager can do.
Add and edit access users (not synced via SCIM), including updating all user profile information.
Add and remove users from existing access groups (not synced via SCIM).
Access User Admin
Access User Admin
A user or group with Access User Admin can:
Do everything an Access User Manager can do.
Grant Access User Management Role permissions for the organization.
Delete access users (not synced via SCIM).
Add, edit, and delete access groups (not synced via SCIM).
Access Site role
At a high level, these are the permissions granted to each level of Access Site roles:
None
None
Does not have permission to manage a site's access control settings or devices.
Access Site Viewer
Access Site Viewer
A user or group with Access Site Viewer permissions for a site can:
View any door in the site.
Unlock doors from Command for doors the user has access to.
View a floorplan that has doors from the site added.
View live and historical access events for the site.
Run, save, export, and distribute reports of historical access events.
Add and edit alerts based on access events.
Run and end roll call reports from existing roll call templates and mark people as safe or missing on an active roll call report.
Access Site Manager
Access Site Manager
A user or group with Access Site Manager permissions for a site can:
Do everything an Access Site Viewer can do.
Unlock any door in the site from Command.
Override the schedule for any door in the site from Command.
Change a door's schedule to another preexisting schedule.
Apply or remove preexisting door exceptions.
Add, configure, and delete access levels.
View live and historical access events.
Run, save, export, and distribute reports of historical access events.
Create, configure, and delete roll call templates.
View areas and clear anti-passback violations.
Access Site Admin
Access Site Admin
A user or group with Access Site Admin permissions for a site can:
Do everything an Access Site Manager can do.
Grant Access Site Role permissions for the site.
Add, configure, and delete access control devices.
Add, configure, and delete doors, AUX inputs, and AUX outputs.
Add, configure, and delete lockdowns.
Configure areas and anti-passback (APB) settings.
Manage site-level access settings for the site, such as Bluetooth unlock and scheduled firmware updates.
Manage access control roles
Users
Org-level
In Verkada Command, go to All Products > Admin
.Under Org Settings, select Users.
Select your user.
On the left side panel, next to Access Control Roles, click
Edit. Grant the necessary org-level access control roles.
Click Apply Changes.
Site-level
In Verkada Command, go to All Products > Admin
.Under Org Settings, select Users.
Select your user.
At the top right, click Manage Roles.
From the Access Site Role dropdown, select the permission level for the needed sites.
Click Save.
Groups
Org-level
In Verkada Command, go to All Products > Admin
.Under Org Settings, select Groups.
Select your group.
On the left side panel, next to Access Control Roles, click
Edit. Grant the necessary org-level access control roles.
Click Apply Changes.
Site-level
In Verkada Command, go to All Products > Admin
.Under Org Settings, select Groups.
Select your group.
At the top, click Site Roles.
At the top right, click Manage Roles.
From the Access Site Role dropdown, select the permission level for the needed sites
Click Save.
Common access control permission configurations
Scenario | Role Configuration |
User needs total control over all access control system settings, devices, and users. | |
User needs to be able to create and edit door schedules or exceptions applied to doors in one or more sites.
For example, a security team member. | |
User is responsible for onboarding new users by printing badges and adding them to access groups. | |
User is only responsible for adding credential info and printing badges for new users, such as SCIM-synced users. | |
User needs to manage all site-specific access control settings but should not be able to edit user or access group settings (granted by User Management Roles). | |
User needs to manage which access groups have access to doors for a particular site but should not be able to edit other access control settings for the site. | |
User only needs to view and unlock certain doors for a particular site. |
Revisions
11/14/2024:
Added the new Access System, Access User Management, and Access Site roles.
Removed the legacy Access Control Admin, Access Control Manager, and Access Site Admin roles. See Legacy Access Control Roles for more information.
Need more help? Contact Verkada Support.