Home
Role-based access control
Learn about role-based access control.
Adding roles
Before you can configure your role-based access control policies, an Account administrator must define your roles.

About ClearID
Learn about the ClearID self-service physical access management solution.
What's new
Check out what's new in the latest update to ClearID.
Deployment preparation
Check your compatibility and deployment requirements.
Account configuration
Learn how to configure and customize the ClearID portal.
ClearID plugin
Learn how to download and install the plugin.
Managing identities and users
Learn how to manage identities and users.
Credential synchronization
Managing sites
Learn how to manage sites.
Managing visitors
Learn how to manage visit requests and access requests.
Managing areas
Learn how to manage areas.
Managing visitor watchlists
Learn how to manage visitor access using watchlists.
Role-based access control
Learn about role-based access control.
- About role-based access control
  Role-based access control uses identities with various attributes to automatically manage access control. Defining provisioning policies ensures that people in your organization always have up-to-date access permission levels. If an employee changes job title, department, or moves to a different site, the system automatically adjusts their access when their identity attributes are changed.
- Adding roles
  Before you can configure your role-based access control policies, an Account administrator must define your roles.
- Creating exceptions to the role membership request approval workflow
  In Genetec ClearID™, a role membership request workflow is a series of activities performed by the system or authorized people during the life cycle of a role membership request. To bypass the request workflow for certain types of requesters, you can modify a role's request approval workflow settings.
- Configuring role managers
  Role managers include both owners and managers. Before defining policies or managing role members, you must assign one or more employees as role managers.
- Configuring role-based access control policies
  To ensure correct and up-to-date access permissions, you can define automatic provisioning policies. People in your organization to are automatically assigned roles based on their identity attributes. If an employee changes job title or department, or moves to a different site, the system automatically adjusts their access.
- Adding custom provisioning attributes to an identity
  When the default Genetec ClearID™ policy attributes do not meet your needs, you can manually assign custom provisioning attributes to an employee's identity record. These attributes can then be used in a role-based access control policy.
- Adding role members
  If a role member doesn’t meet the provisioning policy criteria, you can add them to a role manually.
- About role membership request workflow
  A role membership request workflow is a series of activities performed by the system or authorized people during the life cycle of a role membership request. The activities can change the state and properties of role membership requests, affect other entities in the system, or wait for a condition to be met.
- Requesting role membership
  To request role membership for yourself or another identity, you can use the Genetec ClearID™ self-service portal. By using a self-service portal with specified role owners, you can simplify the approval process and avoid delays from routing requests to the wrong approvers.
- Reviewing role membership requests
  To approve or deny a role membership request, a Role manager, a Role owner, or a Supervisor must review the pending approvals.
- Checking the status of role requests
  Account administrators, Role managers, and Role owners can check the status of role requests to ensure that the organization is security-compliant, audit-ready, and on time.
- About role activity report
  In Genetec ClearID™, a role activity report is an audit trail of all activities related to roles. Each entry includes a timestamp, the type of activity performed, the user who initiated the action, and additional details such as the reason for the change.
- Viewing a role activity report
  Account administrators, Role managers, and Role owners can view an audit trail of role-related activities. The report shows timestamp information, activity type, the user who performed the activity, and more.
Connecting to other systems
Learn how to connect ClearID to other systems.
Visitor management devices
Learn about the ClearID Self-Service Kiosk mobile app that simplifies visitor management and check-in.
Troubleshooting
Troubleshoot common issues that can occur.
Additional resources
Need tech support or product information? Check out these resources.
Glossary

Adding roles

2026-02-04

Before you can configure your role-based access control policies, an Account administrator must define your roles.

Before you begin

Familiarize yourself with role-based access control

What you should know

In ClearID™, a role is a group of people with the same access.
A person can belong to multiple roles.
Roles are linked to cardholder groups in Synergis™.
Role managers control access for the group.

Procedure

From the homepage, click Organization > Roles .
Click Add role.
In the General section, enter the following information:
- Name
- Description
- Internal notes
  Special instructions visible only to the Account administrator, Role owner, and Role manager.
- Example:
  Only permanent employees based in Montreal should be in this role. Discuss with security before adding employees to this role.
(Optional) In the Notifications section, select the email notifications sent to stakeholders when role membership is changed.
In the Advanced settings section, select the request approval workflow:

Automatic approval

Role membership requests are automatically approved.

Role manager or owner

Role membership requests need to be approved by the Role manager or Role owner.

Identity supervisor

Role membership requests need to be approved by the Supervisor of the identity receiving the role.

Two-step approval: First, the identity's supervisor; then the role manager or owner

Role membership requests need to be approved by the Supervisor of the identity receiving the role, then by the Role manager or Role owner.
Choose the role's visibility:

Public

The role is visible to everyone, and role membership requests can be created. This is the default setting.

Private

The role is private and should be hidden during role membership requests and role access requests.
Because of their higher permission level, Role owners, Role managers, and Account administrators can still see private roles when making requests.
(Optional) In the Expiry enforcement settings set a maximum duration for role membership.
1. Select Enforce a maximum duration for all role requests associated with an identity.
2. Enter a maximum duration for membership to the role.
Click Save.

Example

After you finish

Configure your role-based access control policies.