Skip to content

Role-Based Access Control

Meridian VMS uses a role-based access control (RBAC) system that governs which pages a user can access, which actions they can perform, and which cameras and locations are visible to them. Permissions are defined through roles, and users can be assigned one or more roles.

The RBAC system operates across three dimensions:

Page permissions control which sections of the web interface appear in the navigation and are accessible to the user.

PermissionPageDescription
dashboardDashboardSystem overview with customisable widgets
liveLive ViewReal-time camera grid with WebRTC streaming
playbackPlaybackRecorded footage review with timeline navigation
eventsEventsDetection and motion event browsing and clip playback
detectionLive DetectionReal-time AI detection monitoring view
heatmapHeatmapsDetection activity heat map overlays
settingsSettingsSystem administration (cameras, servers, users, etc.)
alarmsAlarmsAlarm dashboard, acknowledgement, and escalation

If a user does not have a page permission, the corresponding navigation item is hidden and direct URL access is denied.

Action permissions control specific operations within accessible pages.

PermissionDescription
export_clipsDownload recorded footage clips from playback and events
manage_alarmsCreate, edit, and delete alarm definitions; acknowledge and close alarms
edit_camerasAdd, modify, and remove cameras and their detection configuration
manage_usersCreate, edit, and delete user accounts and assign roles
ptz_controlOperate PTZ (pan, tilt, zoom) controls on supported cameras

A user can access a page but be restricted from certain actions on that page. For example, a user with playback page permission but without export_clips will be able to review footage but not download clips.

Each role can optionally define a set of allowed locations from the location tree. When location restrictions are configured:

  • The user only sees cameras that belong to the allowed locations and their descendants
  • Events, alarms, heatmaps, and statistics are filtered to only include data from allowed cameras
  • The location tree sidebar only shows branches that contain allowed locations

Location filtering expands each allowed location into its full subtree. Granting access to a parent location (e.g., a City node) automatically includes all child Areas, Sites, and their cameras.

Roles are created and managed under Settings > Access Control > Roles.

To create a role:

  1. Navigate to Settings > Access Control > Roles
  2. Click Add Role
  3. Enter a role name and optional description
  4. Select the desired page permissions
  5. Select the desired action permissions
  6. Optionally, select location restrictions from the location tree
  7. Save the role

Users are assigned roles under Settings > Access Control > Users.

  1. Navigate to Settings > Access Control > Users
  2. Select a user or create a new one
  3. In the Roles section, select one or more roles to assign
  4. Save the user

When a user has multiple roles, their effective permissions are the union of all assigned roles:

  • If any assigned role grants a page permission, the user can access that page
  • If any assigned role grants an action permission, the user can perform that action
  • Location restrictions are merged — the user can see cameras from the combined set of all allowed locations across all roles

Example:

RolePagesActionsLocations
Control Roomlive, events, alarmsmanage_alarmsJohannesburg
Playback Reviewerplayback, eventsexport_clipsCape Town, Johannesburg

A user assigned both roles would have:

  • Pages: live, playback, events, alarms
  • Actions: manage_alarms, export_clips
  • Locations: Johannesburg, Cape Town (and all their descendants)

The web interface reads the user’s permissions to:

  • Show or hide navigation menu items based on page permissions
  • Enable or disable action buttons based on action permissions
  • Filter the location tree sidebar to only show allowed branches

The admin user created during initial setup has full, unrestricted access to all pages, actions, and locations. This cannot be modified. Additional users should be assigned custom roles with the minimum permissions required for their responsibilities.