Users and Services can be given a mix of the following roles:
Door
Required to have any sort of physical access to doors - that said, just having this role doesn't give you access to anything! You'll also need some Groups or some Rules to actually be able to use this role to open a door.
Auditor
Allows read-only access to all data in Watchmark - that means global data like Campuses and Settings, as well as Users/Passes that can belong to different departments.
You can optionally restrict the Auditor role to only view data belonging to certain departments - for example, you might want to just let someone see the data that belongs to the Accounting department and the R&D department.
If you restrict an Auditor's access to particular departments, they'll still be able to view global data like Settings and Campuses, since those global-level records don't belong to particular departments.
Manager
Managers are responsible for day-to-day User and Pass management - they can create new Users/Passes and assign them to existing Groups.
You can optionally restrict the Manager role to only manage Users/Passes belonging to certain departments - for example, you might want to just let someone manage the Production department so that they can manage factory employees, but not be able to see or edit anyone in the Corporate department.
Managers can:
- View Users/Passes
- Search for Users/Passes
- Create, update, and delete Users/Passes
  - This is only true for those Users/Passes with just the Door role
- Assign Users/Passes to Groups
  - This is true even for Users with advanced roles, not just the Door role - since Managers are supposed to govern day-to-day access to doors, they're allowed to update an Admin user's Groups, for example, even though they cannot edit the Admin's username/Roles/etc.
  - Managers restricted to particular departments can only add or remove groups that are associated with those departments
Managers cannot edit Users with roles other than Door - this means if you give someone the Billing role, for example, a Manager will not be able to delete them or change their username (though they can still manage the Billing user's groups).
You'll often want to give Managers the Auditor role as well, so they can see account settings, account-wide logs, dashboards, etc. Without the Auditor role, Managers can only see Users and Passes.
The fact that managers cannot edit users with advanced roles can be a bit of a bother (if a Billing user is trying to change their username, for example, an Admin will need to do it), but this restriction on Managers is necessary to prevent account hijacking - so a manager cannot change someone's username to an email address under their control, for example.
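The Manager rules above can be written as two separate authorization checks, one for editing an account and one for changing its Groups. The following Python example is an added illustration, not Watchmark's code: the `Account` model, the `manager_scope` field and both function names are hypothetical, and it assumes a record is within a restricted Manager's reach when it shares at least one department with that restriction.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    """Hypothetical model for illustration; not Watchmark's schema."""
    roles: set
    departments: set = field(default_factory=set)
    # Departments a Manager is restricted to; an empty set means unrestricted.
    manager_scope: set = field(default_factory=set)

def _in_scope(actor, departments):
    # Assumption: in scope means sharing at least one department.
    return not actor.manager_scope or bool(actor.manager_scope & departments)

def can_edit_profile(actor, target):
    """Create/update/delete a User/Pass, including username and roles."""
    if "Admin" in actor.roles:
        return True
    if "Manager" not in actor.roles:
        return False
    # Hijack guard: Managers may only edit accounts whose sole role is Door,
    # so they cannot repoint a Billing or Admin login at an address they own.
    return target.roles == {"Door"} and _in_scope(actor, target.departments)

def can_change_group(actor, target, group_departments):
    """Add or remove `target` from a Group tied to `group_departments`."""
    if "Admin" in actor.roles:
        return True
    if "Manager" not in actor.roles:
        return False
    # Group membership is day-to-day door access, so the target's roles are
    # not checked here; only the Manager's department restriction applies.
    return _in_scope(actor, group_departments)

# Constructed sample accounts.
admin = Account(roles={"Admin"})
manager = Account(roles={"Manager", "Door"})
prod_manager = Account(roles={"Manager"}, manager_scope={"Production"})
billing_user = Account(roles={"Billing", "Door"}, departments={"Corporate"})
worker = Account(roles={"Door"}, departments={"Production"})

if __name__ == "__main__":
    for label, actor in [("manager", manager), ("prod_manager", prod_manager)]:
        print(label,
              "| edit worker:", can_edit_profile(actor, worker),
              "| edit billing user:", can_edit_profile(actor, billing_user),
              "| Corporate group:", can_change_group(actor, billing_user, {"Corporate"}))
```

Keeping the two checks separate is what lets a Manager update an Admin's Groups while still being refused any change to that Admin's username or Roles.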
Billing
Allowed to view invoices from Watchmark and update your company's payment info - typically this role will only be used if someone other than an Admin needs access to your billing information.
Admin
Can manage all the things, including:
- Set up facilities: Campuses, Groups and Doors
- Manage Settings, Schedules and Departments
- Create groups and assign permissions
- Manage billing/payment information for your Watchmark account
- Manage Services
- Manage Users and Passes
As the most powerful role in the system, Admins cannot be restricted by department.
The only role Admin does not encompass is the Door role - so you can still have an Admin without physical Door access (though of course they would be allowed to grant themselves the Door role if they chose to).
It's a good idea to have at least two Admins - that way if one is unavailable you will still have someone who can do everything.