Skip to content

Users & Roles

Meridian VMS uses a role-based access control (RBAC) system that controls which pages a user can view, which actions they can perform, and which locations they can access. Users authenticate with a username and password, and can be assigned multiple roles whose permissions are combined.

User management is at Settings > Access Control > Users, and role management is at Settings > Access Control > Roles.

  1. Navigate to Settings > Users.
  2. Click Add User.
  3. Fill in the required fields:
    • Username — unique login identifier
    • Password — initial password for the account
  4. Optionally fill in profile fields and assign roles.
  5. Click Create User.

Each user account has the following profile fields:

FieldRequiredDescription
usernameYesUnique login name. Used for authentication.
passwordYes (on create)Hashed and stored. Can be changed later; leave blank when editing to keep the current password.
emailNoEmail address. Must be unique if provided.
first_nameNoFirst name, displayed in the user list and UI header.
last_nameNoLast name.
departmentNoOrganisational department, shown in the user list.
phoneNoPhone number for contact purposes.

Each user has an is_active flag:

  • Active — the user can log in and access the system according to their role permissions.
  • Disabled — the user cannot log in. Existing sessions will be invalidated shortly after the account is disabled.

Deleting a user permanently removes the account and all associated role assignments. Alarm comments and assignments from the deleted user are preserved but the author reference is set to null.

Meridian VMS uses secure token-based authentication:

  1. The user submits their username and password on the login screen.
  2. On success, the server establishes an authenticated session.
  3. Sessions are refreshed automatically by the web interface — no user action is required.
  4. Sessions expire after a period of inactivity, redirecting the user to the login screen.

Roles define a set of permissions that can be assigned to users. The system ships with a built-in admin role, and administrators can create custom roles.

  1. Navigate to Settings > Roles.
  2. Click Add Role.
  3. Enter a role name and optional description.
  4. Select the pages the role grants access to.
  5. Select the actions the role permits.
  6. Optionally restrict the role to specific locations.
  7. Click Save.
PropertyDescription
nameUnique role name (e.g., “Operator”, “Site Manager”, “Viewer”)
descriptionOptional description of the role’s purpose
is_systemWhether this is a built-in system role (cannot be deleted)
pagesList of pages this role grants access to
actionsList of actions this role permits
locationsOptional list of location roots this role is scoped to

Page permissions control which sections of the web interface a user can access:

PageDescription
dashboardMain dashboard with statistics and overview
liveLive camera view with grid layout
playbackRecorded video playback with timeline
eventsDetection event browser with thumbnails
detectionReal-time live object detection view
heatmapDetection heatmap visualisation
settingsSystem administration and configuration
alarmsAlarm management dashboard

Action permissions control specific operations a user can perform, independent of page access:

ActionDescription
export_clipsExport video clips from playback
manage_alarmsAcknowledge, assign, and close alarms
edit_camerasAdd, edit, and delete cameras
manage_usersAdd, edit, and delete user accounts
ptz_controlControl PTZ (pan-tilt-zoom) camera movements

A user can be assigned multiple roles. When a user has multiple roles, their effective permissions are the union of all assigned roles:

  • If Role A grants dashboard and live pages, and Role B grants playback and events pages, the user can access all four.
  • If Role A permits export_clips and Role B permits manage_alarms, the user has both actions.
  • Location restrictions are also unioned (see below).

Roles are assigned from the user edit form as checkboxes.

Roles can be scoped to specific locations in the hierarchy. When a role has location restrictions, users with that role can only see cameras, events, and data from those locations and their subtrees.

  1. A role is created with one or more location roots (e.g., a region or a specific site).
  2. When a user with that role makes an API request, the system expands each location root into its full subtree automatically.
  3. The resulting set of location IDs is used to filter all camera queries.

A role with no location restrictions (empty locations list) grants access to cameras at all locations. This is useful for global administrators and operators who need to see the full deployment.

When a user has multiple roles with different location restrictions:

  • If any of their roles is unrestricted, the user has access to all locations.
  • Otherwise, the accessible locations are the union of all location subtrees from all roles.

Location-based filtering is enforced on the following API endpoints:

EndpointEffect
GET /api/camerasOnly cameras at accessible locations are returned
GET /api/cameras/{id}403 if camera is not at an accessible location
GET /api/cameras/{id}/live403 if camera is not at an accessible location
GET /api/cameras/{id}/playback403 if camera is not at an accessible location
GET /api/cameras/{id}/heatmap403 if camera is not at an accessible location
GET /api/eventsOnly events from cameras at accessible locations

The system has two conceptual user levels:

Admin : Users with is_admin = true bypass all permission checks. They have access to every page, every action, and every location. The admin flag is set on the initial seed user and can be granted to other users.

Non-Admin (Operator) : All other users. Their access is entirely determined by their assigned roles. A user with no roles has no access to any page or action.