Skip to main content
All CollectionsAccess Control
Roles and Permissions for Access Control
Roles and Permissions for Access Control

Learn about roles that define a user's access control permissions in Verkada Command

Updated this week

As of November 14, 2024, access control permissions have changed. Users with legacy access control roles will maintain their permissions until they are updated to the current roles detailed in this article. See Legacy Access Control Roles for more information.


This article describes the set of roles and associated permissions for Verkada Access Control. For an in-depth explanation of roles and permissions for other Verkada products, see Roles and Permissions for Command users for an in-depth explanation of the features and configurations available for overall Verkada Command usage and administration.


Permissions for access control are set at both the org-level and site level. There are two org-level and one site-level role that define a user’s permissions to view and manage access control within Command:

Org-level access control roles

Org-level access control roles can be assigned to individual users or groups.

  • Access System Role: Grants permissions to manage org-wide access control settings for all sites.

Site-level access control roles

Site-level access control roles can be assigned to individual users or groups to manage site-level settings. Subsites inherit the permissions from the subsites and parent sites above them.

  • Access Site Role: Grants permissions to manage access control settings, devices, and door access.

The access control roles are granted to users independently of each other.


Access System Role

At a high level, these are the permissions granted to each level of Access System roles:

None

Does not have permission to manage org-wide access control settings for an organization.

Access System Manager

A user or group with Access System Manager can:

  • View, add, delete, and edit door schedules and door exceptions.

  • View, add, delete, and edit access exceptions.

Access System Admin

A user or group with Access User Admin can:

  • Do everything that an Access System Manager can do.

  • Inherits Access Site Admin permissions for all sites.

  • Grant Access System Role and Access Site Role permissions for any site.

  • Configure org-wide access settings, such as Bluetooth unlock.

  • Add, edit, and delete badge templates.

  • Edit and delete buildings, floors, and add floorplans to floors.

  • View the descriptions of and delete saved event reports created by other users.

  • Enable support access to Command for Organization.


Access User Management Role

At a high level, these are the permissions granted to each level of Access User Management roles:

None

Does not have permission to manage an organization's access users or groups.

Access Credential Manager

A user or group with Access Credential Manager can:

  • View all access users.

  • Add, edit, and delete credentials for access users.

  • Add and delete profile pictures for access users.

  • Print user badges.

  • Configure Pass app settings for access users.

  • Grant and suspend access for access users, including editing a user's start and end date for temporary access.

Access User Manager

A user or group with Access User Manager can:

  • Do everything that an Access Credential Manager can do.

  • Add and edit access users (not synced via SCIM), including updating all user profile information.

  • Add and remove users from existing access groups (not synced via SCIM).

Access User Admin

A user or group with Access User Admin can:

  • Do everything an Access User Manager can do.

  • Grant Access User Management Role permissions for the organization.

  • Delete access users (not synced via SCIM).

  • Add, edit, and delete access groups (not synced via SCIM).

  • Enable support access to Command for Organization.


Access Site role

At a high level, these are the permissions granted to each level of Access Site roles:

None

Does not have permission to manage a site's access control settings or devices.

Access Site Viewer

A user or group with Access Site Viewer permissions for a site can:

  • View any door in the site.

  • Unlock doors from Command for doors the user has access to.

  • View a floorplan that has doors from the site added.

  • View live and historical access events for the site.

  • Run, save, export, and distribute reports of historical access events.

  • Add and edit alerts based on access events.

  • Run and end roll call reports from existing roll call templates and mark people as safe or missing on an active roll call report.

Access Site Manager

A user or group with Access Site Manager permissions for a site can:

  • Do everything an Access Site Viewer can do.

  • Unlock any door in the site from Command.

  • Override the schedule for any door in the site from Command.

  • Change a door's schedule to another preexisting schedule.

  • Apply or remove preexisting door exceptions.

  • Add, configure, and delete access levels.

  • View live and historical access events.

  • Run, save, export, and distribute reports of historical access events.

  • Create, configure, and delete roll call templates.

  • View areas and clear anti-passback violations.

Access Site Admin

A user or group with Access Site Admin permissions for a site can:

  • Do everything an Access Site Manager can do.

  • Grant Access Site Role permissions for the site.

  • Add, configure, and delete access control devices.

  • Add, configure, and delete doors, AUX inputs, and AUX outputs.

  • Add, configure, and delete lockdowns.

  • Configure areas and anti-passback (APB) settings.

  • Manage site-level access settings for the site, such as Bluetooth unlock and scheduled firmware updates.

  • Enable support access to Command for Organization.


Manage access control roles

Users

Org-level

  1. In Verkada Command, go to All Products > Admin .

  2. Under Org Settings, select Users.

  3. Select your user.

  4. On the left side panel, next to Access Control Roles, click Edit.

    1. Grant the necessary org-level access control roles.

    2. Click Apply Changes.

Site-level

  1. In Verkada Command, go to All Products > Admin .

  2. Under Org Settings, select Users.

  3. Select your user.

  4. At the top right, click Manage Roles.

    1. From the Access Site Role dropdown, select the permission level for the needed sites.

    2. Click Save.

Groups

Org-level

  1. In Verkada Command, go to All Products > Admin .

  2. Under Org Settings, select Groups.

  3. Select your group.

  4. On the left side panel, next to Access Control Roles, click Edit.

    1. Grant the necessary org-level access control roles.

    2. Click Apply Changes.

Site-level

  1. In Verkada Command, go to All Products > Admin .

  2. Under Org Settings, select Groups.

  3. Select your group.

  4. At the top, click Site Roles.

    1. At the top right, click Manage Roles.

    2. From the Access Site Role dropdown, select the permission level for the needed sites

    3. Click Save.



Common access control permission configurations

Scenario

Role Configuration

User needs total control over all access control system settings, devices, and users.

For example, a Security Director.

User needs to be able to create and edit door schedules or exceptions applied to doors in one or more sites.

For example, a security team member.

User is responsible for onboarding new users by printing badges and adding them to access groups.

For example, an HR staff member.

User is only responsible for adding credential info and printing badges for new users, such as SCIM-synced users.

For example, an HR staff member.

User needs to manage all site-specific access control settings but should not be able to edit user or access group settings (granted by User Management Roles).

For example, an office General Manager.

User needs to manage which access groups have access to doors for a particular site but should not be able to edit other access control settings for the site.

For example, an office facilities staff member.

User only needs to view and unlock certain doors for a particular site.

For example, a front desk receptionist.


Revisions

11/14/2024:

  • Added the new Access System, Access User Management, and Access Site roles.

  • Removed the legacy Access Control Admin, Access Control Manager, and Access Site Admin roles. See Legacy Access Control Roles for more information.


Need more help? Contact Verkada Support.

Did this answer your question?