Role-Based Access Control
Meridian VMS uses a role-based access control (RBAC) system that governs which pages a user can access, which actions they can perform, and which cameras and locations are visible to them. Permissions are defined through roles, and users can be assigned one or more roles.
Permission Dimensions
Section titled “Permission Dimensions”The RBAC system operates across three dimensions:
Page Permissions
Section titled “Page Permissions”Page permissions control which sections of the web interface appear in the navigation and are accessible to the user.
| Permission | Page | Description |
|---|---|---|
dashboard | Dashboard | System overview with customisable widgets |
live | Live View | Real-time camera grid with WebRTC streaming |
playback | Playback | Recorded footage review with timeline navigation |
events | Events | Detection and motion event browsing and clip playback |
detection | Live Detection | Real-time AI detection monitoring view |
heatmap | Heatmaps | Detection activity heat map overlays |
settings | Settings | System administration (cameras, servers, users, etc.) |
alarms | Alarms | Alarm dashboard, acknowledgement, and escalation |
If a user does not have a page permission, the corresponding navigation item is hidden and direct URL access is denied.
Action Permissions
Section titled “Action Permissions”Action permissions control specific operations within accessible pages.
| Permission | Description |
|---|---|
export_clips | Download recorded footage clips from playback and events |
manage_alarms | Create, edit, and delete alarm definitions; acknowledge and close alarms |
edit_cameras | Add, modify, and remove cameras and their detection configuration |
manage_users | Create, edit, and delete user accounts and assign roles |
ptz_control | Operate PTZ (pan, tilt, zoom) controls on supported cameras |
A user can access a page but be restricted from certain actions on that page. For example, a user with playback page permission but without export_clips will be able to review footage but not download clips.
Location Restrictions
Section titled “Location Restrictions”Each role can optionally define a set of allowed locations from the location tree. When location restrictions are configured:
- The user only sees cameras that belong to the allowed locations and their descendants
- Events, alarms, heatmaps, and statistics are filtered to only include data from allowed cameras
- The location tree sidebar only shows branches that contain allowed locations
Location filtering expands each allowed location into its full subtree. Granting access to a parent location (e.g., a City node) automatically includes all child Areas, Sites, and their cameras.
Role Assignment
Section titled “Role Assignment”Creating Roles
Section titled “Creating Roles”Roles are created and managed under Settings > Access Control > Roles.
To create a role:
- Navigate to Settings > Access Control > Roles
- Click Add Role
- Enter a role name and optional description
- Select the desired page permissions
- Select the desired action permissions
- Optionally, select location restrictions from the location tree
- Save the role
Assigning Roles to Users
Section titled “Assigning Roles to Users”Users are assigned roles under Settings > Access Control > Users.
- Navigate to Settings > Access Control > Users
- Select a user or create a new one
- In the Roles section, select one or more roles to assign
- Save the user
Permission Resolution
Section titled “Permission Resolution”When a user has multiple roles, their effective permissions are the union of all assigned roles:
- If any assigned role grants a page permission, the user can access that page
- If any assigned role grants an action permission, the user can perform that action
- Location restrictions are merged — the user can see cameras from the combined set of all allowed locations across all roles
Example:
| Role | Pages | Actions | Locations |
|---|---|---|---|
| Control Room | live, events, alarms | manage_alarms | Johannesburg |
| Playback Reviewer | playback, events | export_clips | Cape Town, Johannesburg |
A user assigned both roles would have:
- Pages: live, playback, events, alarms
- Actions: manage_alarms, export_clips
- Locations: Johannesburg, Cape Town (and all their descendants)
Client-Side Routing
Section titled “Client-Side Routing”The web interface reads the user’s permissions to:
- Show or hide navigation menu items based on page permissions
- Enable or disable action buttons based on action permissions
- Filter the location tree sidebar to only show allowed branches
Built-In Admin Role
Section titled “Built-In Admin Role”The admin user created during initial setup has full, unrestricted access to all pages, actions, and locations. This cannot be modified. Additional users should be assigned custom roles with the minimum permissions required for their responsibilities.