Access Control & Permissions

Camera footage is sensitive by default, so access to it is layered: the module has to be enabled, the user has to belong to the facility, their role has to permit management actions, and guests get only what a link explicitly grants.

The layers

LayerRule
ModuleThe CCTV module must be enabled for the facility (it requires the Device Management module). No module, no surface — for anyone
FacilityUsers only ever see facilities their account is assigned to. Footage, cameras, settings, and logs are all facility-scoped
RoleViewing and managing CCTV is a management-level capability — facility managers and administrators. It is not exposed to member-level accounts
Guest linksPeople outside Performance Hub get access only through share links — scoped to chosen sections, time-limited, and audited

What staff can do

Facility managers and administrators get the full module: watching (Dashboard, Live View, Timeline, Recordings), acting (retain, download, share, snapshot), and administering (cameras, devices, settings, retention, storage region). Device claiming and camera add/remove live in Device Management and follow that module's permissions.

Administrators of multi-facility organisations see each facility's CCTV separately — cameras and footage never blend across facilities, and a user assigned to three of an organisation's ten facilities sees exactly those three.

What guests can do

Exactly what their link grants — and structurally nothing more. The boundaries worth repeating from Sharing & guest access:

  • Only the granted sections (Timeline / Live View / Recordings), inside a stripped-down viewer.
  • No people data, ever — guest access never exposes names, face matches, or people analytics, regardless of what the facility has enabled.
  • No settings, no retention actions, no device controls, no other modules.
  • Access dies with the link's expiry.

Where AI Insights & People permissions differ

The people features carry their own, stricter access rules (who may see identities, manage face recognition, and run reports) — documented with that feature. The rule of thumb: CCTV permissions get you to footage; people permissions get you to identities.

MCP and integrations

Programmatic access (Integrations & MCP) inherits the same model — keys act as the user they belong to, facility scoping applies to every call, and tools are gated by the modules and features the facility actually has. An MCP key can never see more than its owner could in the UI.

Reviewing access

  • Access Logs in the module record viewing sessions — staff and guest — with timestamps (Security & privacy).
  • Review who holds management roles at the facility periodically, and prefer share links over role grants for anyone who only needs to look at footage temporarily.
  • Door unlock actions taken from Live View require a reason and are written to the door unlock logs.