VMS User Management Guide
By: Sarit Williams, Published on Dec 03, 2013
Properly managing user access to video management systems is a key factor, especially in larger systems that consist of dozens, hundreds or even thousands of recorders. In this guide, we explain tradeoffs of different approaches to user management and the common options available to do so.
User Management Options
Type: 4 main approaches exist: local recorder user management, proprietary enterprise user management, Active Directory / LDAP integration and multi-system user management
Default: All VMSes will have a default account created, usually named Administrator, that is used as the first account to log into the VMS.
Groups: User grouping can be used to manage a set of users based on roles.
Privileges: When creating users each VMS will require selecting either specific pre-existing privileges assigned for a role/group the user is added to or selecting a custom set of privileges for the user. Furthermore, privileges for a specified user may differ across cameras or servers for the organization.
Auto Login: In some cases the VMS client will have the option to save the user's credentials and automatically log in each time the client is used.
Multi-Server: The most common user management problem arises when dealing with multiple servers / recorders, where users need to be managed across all of those servers.
Most VMSes have several ways to create users, some taking longer than others to set up.
- VMS User Manager: Using this method usually requires the user's full name, username, role and password.
- Active Directory: This method leverages Windows domain management to import already created users and give them access to the VMS. This saves the administrator time by removing the redundancy of creating the same user in multiple applications. Furthermore, it allows the end user to use a single password for both the domain and the VMS, for example.
Windows user import:
Privilege granularity and feature options vary among VMSes, as do the features available for a specific security setting. Some VMSes may bundle feature privileges together; for example, if a user has access to PTZ, they will have access to view a camera live by default.
All VMSes will likely already have an 'Administrator' or 'Admin' account created that is used to create all other users. The account may or may not have a password assigned; check the VMS's manual for details.
As with all default passwords, be sure to change this password. Otherwise, others can look up the default password online and get access to the entire system.
Some VMSes may already offer pre-created user groups with applicable privileges to allow admins to add users quickly by adding minimal user information. Other VMSes don't offer predefined groups and require the administrator to create them. Moreover, imported Domain groups will still need to have VMS privileges configured.
Additionally, some VMSes allow creating custom groups and associating specific privileges / features / cameras to that group.
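The following sketch is an added example, not code from any VMS or from the original guide. It resolves a user's effective per-camera privileges from group membership, expands bundled privileges such as PTZ implying live view, and lists imported domain groups that still have no VMS privileges configured. All group, camera and privilege names, and the export-implies-playback bundle, are hypothetical.

```python
from collections import defaultdict

# Bundled privileges: holding the key also grants the values.
# "ptz" -> "live" follows the guide; "export" -> "playback" is an assumption.
IMPLIES = {"ptz": {"live"}, "export": {"playback"}}

# Hypothetical VMS-side configuration: group -> camera -> granted privileges.
GROUP_PRIVS = {
    "Operators": {"lobby-cam": {"ptz"}, "dock-cam": {"live"}},
    "Investigators": {"lobby-cam": {"export"}},
}

# Constructed sample: users imported from the domain with their groups.
IMPORTED_USERS = {
    "jdoe": ["Operators", "Investigators"],
    "asmith": ["Operators"],
    "bnew": ["Facilities"],  # imported group with no VMS privileges yet
}

def expand(privs):
    """Add every privilege implied by bundling until nothing new appears."""
    result, stack = set(privs), list(privs)
    while stack:
        for implied in IMPLIES.get(stack.pop(), ()):
            if implied not in result:
                result.add(implied)
                stack.append(implied)
    return result

def effective_privileges(user):
    """Union of all group grants per camera, with bundles expanded."""
    per_camera = defaultdict(set)
    for group in IMPORTED_USERS[user]:
        for camera, privs in GROUP_PRIVS.get(group, {}).items():
            per_camera[camera] |= expand(privs)
    return dict(per_camera)

def unconfigured_groups():
    """Imported groups that have no VMS privileges configured."""
    used = {g for groups in IMPORTED_USERS.values() for g in groups}
    return sorted(used - set(GROUP_PRIVS))

if __name__ == "__main__":
    for name in IMPORTED_USERS:
        print(name, effective_privileges(name))
    print("groups without VMS privileges:", unconfigured_groups())
```

A user who lands only in an unconfigured group ends up with no access at all, which is the safe failure mode; the review should still catch it before the user does.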
Once a user has been created, most VMS clients will allow a configurable setting for end users to save the credentials in settings to bypass the login prompt and allow for faster login. The credentials may be Windows Domain or newly created VMS credentials.
Logging / Auditing Use
Creating and enforcing unique users is critical if one ever wants to audit activities in the VMS. For instance, if you want to know who exported a certain video clip or who changed a camera setting, letting everyone use a generic 'admin' account will make that very difficult.
Multi Server User Management
In larger systems, users will frequently need access to dozens, hundreds or even thousands of recorders. They clearly will not want to remember / recall a unique password for each.
- Duplicate user: Create the same user with the same credentials in each recorder. When this is done, usually the same password is shared by all and rarely, if ever, changed (since it is so time consuming to do so). This is almost as insecure as simply using the default admin password.
- VMS User Management proprietary software: provided by the manufacturer to manage security and access for all servers. This will usually be available for Enterprise level editions and may require an additional charge. An additional piece of software or an appliance is added that acts as a traffic cop between users and recorders, maintaining centralized user management. One downside is the risk of this piece being offline / unavailable.
- Use Active Directory and/or LDAP: Create a domain user once and import it to the proper server while setting server-specific privileges. This can be done for users or groups of domain users and will sometimes need to be synchronized.
- Multiple Systems proprietary integration: Called 'federation' by a number of VMSes, this allows sharing access to resources across different systems (e.g., airport and the police department) typically only from the same manufacturer. This is not commonly available and typically requires additional licenses / fees.
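As an added example (not part of the original guide or of any VMS product), the script below audits a combined user inventory from several recorders for the problems described above: default admin accounts in everyday use, saved auto-login credentials, passwords that are rarely changed, and the same credential duplicated across recorders. The CSV columns, the 365-day threshold and all sample rows are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import date

DEFAULT_NAMES = {"administrator", "admin"}  # default account names from the guide
MAX_PASSWORD_AGE_DAYS = 365                 # assumed policy threshold

# Constructed sample inventory; the column names are hypothetical.
EXPORT = """recorder,username,password_hash,password_changed,auto_login
nvr-01,admin,hash-A,2011-02-01,yes
nvr-02,admin,hash-A,2011-02-01,yes
nvr-01,jdoe,hash-C,2013-10-15,no
nvr-02,guard,hash-B,2012-01-10,no
nvr-03,guard,hash-B,2012-01-10,no
"""

def audit(export_text, today):
    """Return (finding, location) tuples for one combined inventory."""
    findings = []
    recorders_by_cred = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_text)):
        where = f"{row['recorder']}/{row['username']}"
        if row["username"].lower() in DEFAULT_NAMES:
            findings.append(("default-account-in-use", where))
        age = (today - date.fromisoformat(row["password_changed"])).days
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append(("stale-password", where))
        if row["auto_login"] == "yes":
            findings.append(("auto-login-saved", where))
        key = (row["username"], row["password_hash"])
        recorders_by_cred[key].add(row["recorder"])
    # Same username and same password hash on several recorders means the
    # "duplicate user" approach, where one leak exposes every recorder.
    for (user, _), recorders in sorted(recorders_by_cred.items()):
        if len(recorders) > 1:
            where = f"{user}@{','.join(sorted(recorders))}"
            findings.append(("duplicated-credential", where))
    return findings

if __name__ == "__main__":
    for kind, where in audit(EXPORT, date(2013, 12, 3)):
        print(f"{kind:24} {where}")
```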