Adding a new Hardware in an existing camera folder with full rights, does not inherit full rights eg the parent folder rigths, and need manully adjusment, eg going into the folder select cam and set the rights, is this a known limitation or bug?
Your understanding is correct: permissions are applied per device, not at the group level — this is by design.
In the Management Client (MC), when you adjust permissions for a group of cameras under Roles → Devices, the MC simply updates the permissions for each individual device behind the scenes. You can then override permissions on any single device afterward, even if that causes it to differ from the rest of the group — and this behavior is intentional.
@Bo_Ellegard_Andersen thx for clearifing that, its because its kinda missleading for the customer because he think he doing this on folder and not per device, i mean kinda for me aswell. Since now I know this is intentional and there would be no change etc on this, we can communicate this to the customer. =)
Thank you for the feedback. Let me explain the reasoning behind the design.
A device can belong to multiple groups. If a device ends up in two groups that have conflicting permissions, the Management Client should raise an error or warning and prompt an administrator to correct the configuration. Without this, certain permission combinations could effectively make it impossible for a device to belong to more than one group.
Groups in XProtect serve many purposes. For example, you might organize cameras by location—such as three cameras in the hall, which are also part of the “south wing” group—while simultaneously having another group for all cameras of model XYZ for maintenance purposes. As you can see, grouping in XProtect is very flexible and not limited to permission‑based grouping.
I hope this explanation helps clarify the design and makes it feel more logical or acceptable.
Very kind of you to give more insights.
Currently, you can also assign one user to multiple roles with different camera permissions.
To me, this sounds essentially like what you described with folders, so in a way, this kind of permission “clash” already exists. I created two roles and added the same user to both: in one role I allowed access to a camera, and in the other role I denied it. In Smart Client I can still see the camera. So the system decides that I’m allowed to see it, but I don’t know which rule/order is applied here.
I’m basically thinking out loud and poking around in the system. I’ve worked with Milestone for a long time, but I’ve never had a case like this customer: they need very dynamic permission handling on a daily basis across servers, recording servers. So please don’t get me wrong, I’m not complaining, I just want to discuss these topic.
I get the point that folders can be nested or spread out for configuration and display purposes.
First, it would be great if the Recording Server node itself also had permissions. That would already be really useful, because it would enable scenarios like: an admin can only add devices to a specific recording server and doesn’t even see the others. The federated architecture isn’t ideal for this use case, because I need to switch installations and maintain roles on each system, etc.
Since I can already mix roles and users with camera permissions, a similar mechanism could be applied to folders as well. There is already a mechanism that decides (based on roles and user memberships) whether I’m allowed or not, so I could imagine something new like a permission priority.
If you could assign a permission priority to a folder (and ideally also to other folder-like items such as the recording server), then mixing these elements would be awesome and could avoid clashes.
It also leads to many more possibilities for sophisticated permission handling. For example, when adding a new camera, you could select a folder and the camera would automatically inherit that folder’s permissions. And if someone later decides to override permissions on the single device, that device-level setting could have a different (higher) priority than the folder inheritance.
But that’s music to my ears for the future. =)
BR
@Bo_Ellegard_Andersen I found a solution for customer via an admin plugin.
I subscribe to detail config changes and can detect the new hardware and folder assignment. The plugin allow to add “Auto assignment profiles” where a role and folder, needs to configured.
Whit this approach the new hardware gets automatically a set of permissions in the role.
I want just to note this here for reference, if someone has a similar thingy.
1 Like
I think this is valuable input, thanks. I will put this post to the attention of Milestone Product Management
1 Like
@Bo_Ellegard_Andersen Just for reference.
Yeah this is a known issue, and Milestone just has not patched it according to my rep. I was able to find a way past it by using MilestonePSTools. If you know how to Use PSTools it can be a very handy tool! Just shoot me a reply if you want my help!
@Zelliey Thanks for your suggestion. The issue in my case is that I need to react to the change immediately, so PS Tools was not really an option.
The solution now runs as a plugin within the event server, where it detects permission changes and updates them instantly. I did look into using PS Tools, but it seems more like a manual utility or something that can be triggered by a scheduled task.
Can PS Tools also run as a constant service that continuously monitors configuration changes and triggers actions automatically? I’m not very experienced with PS Tools, I’ve mainly used it for simple import/export tasks.