Skip to main content

 

Cisco Meraki Documentation

Restricting Access to Cameras

  1. Last updated
  2. Save as PDF

Overview

This article outlines the different camera and sensor permission levels within Dashboard, how to create camera roles or camera and sensor privileges and apply them to a user, and describes options available to these users.

Camera and Sensor Only Admin

There are 2 methods to manage IoT(MV and MT) permissions

Local Camera and Sensor Admins on Network Level

This method outlines the steps on how to create a camera and sensor privilege role and assign it to a specific Network Administrator:

  1. For MV only networks, navigate to Cameras > Configure > General. For combined networks, navigate Network-wide > Configure > Administration.

  2. Under the Camera and Sensor Only admins section, select an existing Network Admin from the dropdown or Create a new user. 

  3. Assign the appropriate permissions to the User:

 

 

Permissions

Scope

Camera Permissions

View and export any footage

All Cameras

Individual Cameras

Cameras by Tag

View any footage

View Live footage

No Access

Sensor Permissions

Full Sensor Access (includes write Access to Alert Profiles)

All Sensors

Read-only Sensor Access

No Access

 

  1. Click Save changes to save the User.

Camera Permissions are View-only. This means the user can only view the Cameras and cannot change any settings such as focus, zoom, aperture, etc.

Role-based Camera and Sensor Permissions for SAML/SSO

Initial Dashboard SAML/SSO configuration

First, you will need to configure your Organization to enable SAML 2.0 and configure your SAML Identity Provider (IdP) settings. You must have your Identity Provider configured to use this feature. OneLogin offers a free trial for a development environment to test with, as do other providers.

 

Follow this guide to get started:

Camera and Sensor Role Restrictions

Please note the following:

  • SAML user roles can consist of:

    • a single Organization or Network Administrator Role defined in Dashboard

    • one or many Camera Roles defined in Dashboard

    • SAML role attribute should be sent as a semi-colon separated list with no spaces

  • SAML roles will match a Network/Organization Admin role first if there are conflicting roles defined between Network/Organization Admin roles and Camera roles

  • Camera and Sensor role name(s) created do not need to be created under Organization > Configure > Administrators > SAML administrator roles

  • For best practice, an Organization/Network role should be passed first and camera role(s) afterward

    • Ensure to avoid conflicting permission sets between Organization/Network role and camera roles. For example, do not pass a read only network role while also passing a full video access role for the same network.

For additional information on resolving possible SAML/SSO authentication issues, please refer to the article on SAML Login History Events.

Creating a Camera and Sensor Role in Dashboard

Navigate to Organization > Configure > Camera and Sensor roles. Select `Add Role` to get started.

1_open_roles.png

Step 1: Role naming and Network access permissions 

2_role_naming.png

  • Enter the SAML Role to be mapped to these permissions precisely as configured in the Identity Provider.

  • Select Network permissions (either all or by tags) 

    • Selecting `All networks` provides users with this role access to all Networks contained within the current Organization.

    • Selecting `Networks by tag` provides users with this role access to Networks with the specified tag(s) contained within the current Organization.

The Role name should match the SAML role and is case sensitive as well.

Step 2: Set Camera Permissions
3_camera_permission.png

  • Configure camera viewing permissions

    • This value is set for all permitted cameras and cannot be configured to be a different value for a subset of resources.

  • Select camera permissions (either all or by tags) 

    • Selecting `All cameras` provides users with this role access to all cameras contained within the previously selected Networks in Step 1.

    • Selecting `Cameras by tag` provides users with this role access to cameras with the specified tag(s) contained within the previously selected Networks in Step 1.

    • Selecting ‘No Access’ allows users with this role to be completely restricted from accessing Cameras in the network.

Step 3: Set Sensor Permissions

4_senor_permission.png

  • Configure Sensor Permissions

    • Full Sensor access - Allows full View and Edit access to the sensors in the network the role is scoped to. This includes creating, editing and deleting Alert Profiles for sensors.

    • Read-only Sensor access - Allows only View access to the sensors in the network the role is scoped to. Users with this permission cannot view or edit Alert Profiles.

    • No Access - No sensor network access is granted to the role. Allows a role to be a Camera-only user.

Step 4 - Confirmation

5_confirmation.png

A simple confirmation page will summarize the proposed changes. Review and hit `Create role` when ready, or navigate back using the `Back` button to make changes.

After committing the changes, there will be a slight wait while saving before a confirmation dialog will appear.

You will return to the Roles overview page. Confirm your role is in the list with the correct parameters configured6_view_role.png

If the above steps are followed to completion and an identity provider is configured for the Organization, you are done! Users can now log in as a Camera role using the Meraki application within your identity provider.

Restricting and Enabling Meraki Support Access to Cameras

This will allow Cisco Meraki Support to view your Dashboard as well as Vision Portal

Cisco Meraki support technicians cannot view video or hear the audio by default. You may choose to allow temporary access to receive help with focusing, zooming, or other video or audio quality issues. Temporary access is automatically revoked when the time expires or can be manually revoked at any time. 

Temporary permission to view camera footage can be granted to Cisco Meraki support agents by navigating to Help ( ? symbol on the top right of Dashboard) > Get Help in the dashboard.

Help Page

First, ensure you have selected a network with cameras. Next, navigate to Help > Get Help & Cases. On this page, select MV smart cameras.

New_Get Help & Cases

From here, at the bottom of the page, if your organization contains cameras, there is an option to enable video access for Meraki support. Only Full Organization admin can Grant Access.

New_Grant Camera Access

If you cannot see this section, ensure you have selected a network with cameras.

If video access has already been granted, you can always revoke it on the same page by selecting Revoke Access.

Only organization admins can grant support access to the video feed.

Tracking Meraki Support Access 

Meraki Support access's granting, revoking, and expiring is logged on the organization changelog and the Video access logs keeps a track of which camera was viewed.

10_track_acess.png