Users & Roles
Meridian VMS uses a role-based access control (RBAC) system that controls which pages a user can view, which actions they can perform, and which locations they can access. Users authenticate with a username and password, and can be assigned multiple roles whose permissions are combined.
User management is at Settings > Access Control > Users, and role management is at Settings > Access Control > Roles.
User Accounts
Section titled “User Accounts”Creating a User
Section titled “Creating a User”- Navigate to Settings > Users.
- Click Add User.
- Fill in the required fields:
- Username — unique login identifier
- Password — initial password for the account
- Optionally fill in profile fields and assign roles.
- Click Create User.
User Profile
Section titled “User Profile”Each user account has the following profile fields:
| Field | Required | Description |
|---|---|---|
username | Yes | Unique login name. Used for authentication. |
password | Yes (on create) | Hashed and stored. Can be changed later; leave blank when editing to keep the current password. |
email | No | Email address. Must be unique if provided. |
first_name | No | First name, displayed in the user list and UI header. |
last_name | No | Last name. |
department | No | Organisational department, shown in the user list. |
phone | No | Phone number for contact purposes. |
Active/Disabled Toggle
Section titled “Active/Disabled Toggle”Each user has an is_active flag:
- Active — the user can log in and access the system according to their role permissions.
- Disabled — the user cannot log in. Existing sessions will be invalidated shortly after the account is disabled.
Deleting a User
Section titled “Deleting a User”Deleting a user permanently removes the account and all associated role assignments. Alarm comments and assignments from the deleted user are preserved but the author reference is set to null.
Authentication
Section titled “Authentication”Meridian VMS uses secure token-based authentication:
- The user submits their username and password on the login screen.
- On success, the server establishes an authenticated session.
- Sessions are refreshed automatically by the web interface — no user action is required.
- Sessions expire after a period of inactivity, redirecting the user to the login screen.
Roles define a set of permissions that can be assigned to users. The system ships with a built-in admin role, and administrators can create custom roles.
Creating a Role
Section titled “Creating a Role”- Navigate to Settings > Roles.
- Click Add Role.
- Enter a role name and optional description.
- Select the pages the role grants access to.
- Select the actions the role permits.
- Optionally restrict the role to specific locations.
- Click Save.
Role Properties
Section titled “Role Properties”| Property | Description |
|---|---|
name | Unique role name (e.g., “Operator”, “Site Manager”, “Viewer”) |
description | Optional description of the role’s purpose |
is_system | Whether this is a built-in system role (cannot be deleted) |
pages | List of pages this role grants access to |
actions | List of actions this role permits |
locations | Optional list of location roots this role is scoped to |
Page Permissions
Section titled “Page Permissions”Page permissions control which sections of the web interface a user can access:
| Page | Description |
|---|---|
dashboard | Main dashboard with statistics and overview |
live | Live camera view with grid layout |
playback | Recorded video playback with timeline |
events | Detection event browser with thumbnails |
detection | Real-time live object detection view |
heatmap | Detection heatmap visualisation |
settings | System administration and configuration |
alarms | Alarm management dashboard |
Action Permissions
Section titled “Action Permissions”Action permissions control specific operations a user can perform, independent of page access:
| Action | Description |
|---|---|
export_clips | Export video clips from playback |
manage_alarms | Acknowledge, assign, and close alarms |
edit_cameras | Add, edit, and delete cameras |
manage_users | Add, edit, and delete user accounts |
ptz_control | Control PTZ (pan-tilt-zoom) camera movements |
Multi-Role Assignment
Section titled “Multi-Role Assignment”A user can be assigned multiple roles. When a user has multiple roles, their effective permissions are the union of all assigned roles:
- If Role A grants
dashboardandlivepages, and Role B grantsplaybackandeventspages, the user can access all four. - If Role A permits
export_clipsand Role B permitsmanage_alarms, the user has both actions. - Location restrictions are also unioned (see below).
Roles are assigned from the user edit form as checkboxes.
Location-Based Access Restriction
Section titled “Location-Based Access Restriction”Roles can be scoped to specific locations in the hierarchy. When a role has location restrictions, users with that role can only see cameras, events, and data from those locations and their subtrees.
How Location Scoping Works
Section titled “How Location Scoping Works”- A role is created with one or more location roots (e.g., a region or a specific site).
- When a user with that role makes an API request, the system expands each location root into its full subtree automatically.
- The resulting set of location IDs is used to filter all camera queries.
Unrestricted Roles
Section titled “Unrestricted Roles”A role with no location restrictions (empty locations list) grants access to cameras at all locations. This is useful for global administrators and operators who need to see the full deployment.
Combined Location Access
Section titled “Combined Location Access”When a user has multiple roles with different location restrictions:
- If any of their roles is unrestricted, the user has access to all locations.
- Otherwise, the accessible locations are the union of all location subtrees from all roles.
Where Location Filtering Applies
Section titled “Where Location Filtering Applies”Location-based filtering is enforced on the following API endpoints:
| Endpoint | Effect |
|---|---|
GET /api/cameras | Only cameras at accessible locations are returned |
GET /api/cameras/{id} | 403 if camera is not at an accessible location |
GET /api/cameras/{id}/live | 403 if camera is not at an accessible location |
GET /api/cameras/{id}/playback | 403 if camera is not at an accessible location |
GET /api/cameras/{id}/heatmap | 403 if camera is not at an accessible location |
GET /api/events | Only events from cameras at accessible locations |
Admin vs Operator
Section titled “Admin vs Operator”The system has two conceptual user levels:
Admin
: Users with is_admin = true bypass all permission checks. They have access to every page, every action, and every location. The admin flag is set on the initial seed user and can be granted to other users.
Non-Admin (Operator) : All other users. Their access is entirely determined by their assigned roles. A user with no roles has no access to any page or action.