Users and roles
Accounts, permissions, per-camera scoping, and the audit log.
Accounts are managed on the Users page, permissions on the Roles page. Every action a user takes is checked against their role's permissions — and recorded in the audit log.
Built-in roles
CoreSight ships with three roles:
| Role | Intended for | Typical rights |
|---|---|---|
| Viewer | Guards, receptionists | Watch live video and playback. Read-only. |
| Operator | Control-room staff | Everything a viewer has, plus working alarms (ack/assign/clear), events, and exports. |
| Admin | Site administrators | Everything — cameras, storage, users, roles, licensing, updates. |
The built-in roles cover most sites. Give each person their own account with the least role that does their job — shared logins defeat the audit trail.
Custom roles
When the built-ins don't fit, create a custom role on the Roles page. A custom role is built from the permission matrix — a catalog of fine-grained permissions (view cameras, manage recording, export clips, manage storage, apply updates, and so on) that you toggle individually.
Examples:
- A "Reviewer" who can search events and export clips but never sees live video.
- A "Camera tech" who can manage cameras and view health, but touch nothing else.
Per-camera scoping
A role can be limited to specific cameras: a user with a camera-scoped role sees and operates only those cameras — in the live grid, playback, events, everywhere. Use it for tenants in a shared building, or contractors who should only see the areas they service.
If a user holds several roles, their access is the union — the broadest grant wins per camera.
The audit log
Every significant action — logins, camera changes, alarm handling, exports, settings changes, updates — is appended to the audit log, viewable on the Audit page with filters by user, action, and time.
The log is append-only and hash-chained: each entry is cryptographically linked to the previous one, so an entry cannot be altered or deleted without breaking the chain.
Verifying integrity
The Audit page includes a verify action that walks the chain and confirms it is intact. Run it when the log will be relied on as evidence — a clean verification demonstrates the trail has not been tampered with since it was written.
Audit history is a compliance asset. Pair it with individual accounts (no shared logins) and the log answers "who did what, when" for any incident review.
Practical setup for a typical site
- Keep one admin account for yourself (and a second admin as backup).
- Create an operator account per control-room member.
- Create viewer accounts for anyone who only needs to watch.
- Reach for custom roles and camera scoping only when a real need appears — fewer roles are easier to reason about.