Home
Role-based access control
Learn about role-based access control.
Configuring role-based access control policies
To automate role assignments based on identity attributes and ensure access dynamically updates when an employee changes departments or locations, Account administrators and Role owners can configure role-based access control policies in Genetec ClearID™.

About ClearID
Learn about the ClearID self-service physical access management solution.
What's new
Check out what's new in the latest update to ClearID.
Deployment preparation
Check your compatibility and deployment requirements.
Account configuration
Learn how to configure and customize the ClearID portal.
ClearID plugin
Learn how to download and install the plugin.
Managing identities and users
Learn how to manage identities and users.
Credential synchronization
Managing sites
Learn how to manage sites.
Managing visitors
Learn how to manage visit requests and access requests.
Managing areas
Learn how to manage areas.
Managing visitor watchlists
Learn how to manage visitor access using watchlists.
Role-based access control
Learn about role-based access control.
- About role-based access control
  Genetec ClearID™ role-based access control is an automated security framework that assigns specific roles to identities. By dynamically provisioning access to physical spaces based on user attributes, role-based access control ensures the right people have the right access at the right time, minimizing security risks and administrative overhead.
- Adding roles
  To configure role-based access control policies and group people with the same access rights, Account administrators must first add roles in Genetec ClearID™.
- Creating exceptions to the role membership request approval workflow
  To bypass standard approval processes and auto-approve specific requesters such as VIPs, you can create exceptions to the role membership request approval workflow in Genetec ClearID™.
- Configuring role managers
  To define policies or manage role members, Role owners must first configure Role managers in Genetec ClearID™.
- Configuring role-based access control policies
  To automate role assignments based on identity attributes and ensure access dynamically updates when an employee changes departments or locations, Account administrators and Role owners can configure role-based access control policies in Genetec ClearID™.
  - Use case: Attribute-based IT role provisioning
    This example demonstrates how an attribute-based policy is used to automatically assign employees to an IT role in Genetec ClearID™.
  - Use case: Attribute-based provisioning for contractors
    This example demonstrates how a custom attribute-based policy is used to automatically assign eligible contractors to a certified engineering role in Genetec ClearID™.
  - Use case: Automated ADA personnel assignments
    This example demonstrates how an attribute-based policy is used to automatically assign employees requiring accessibility assistance to an ADA personnel role.
- Adding custom provisioning attributes to an identity
  To supplement default records and enforce specialized role-based access control policies, Account administrators can manually assign custom provisioning attributes to an identity in Genetec ClearID™.
- Adding role members
  To grant access to employees who do not meet automated provisioning policy criteria, Role managers can manually add role members in Genetec ClearID™.
- About role membership request workflow
  The Genetec ClearID™ role membership request workflow is an automated framework that manages the lifecycle of a request. By automating approvals and system state changes, this workflow reduces administrative overhead and allows reviewers to focus on critical tasks.
- Requesting role membership
  To simplify the approval process and request access for yourself or your team members, Employees, Managers, and Supervisors can request role membership using the Genetec ClearID™ self-service portal.
- Reviewing role membership requests
  To approve or deny pending access for employees, a Role manager, Role owner, and Supervisor can review role membership requests in Genetec ClearID™.
- Checking the status of role requests
  To ensure the organization remains security-compliant and audit-ready, Account administrators, Role managers, and Role owners can check the status of role requests in Genetec ClearID™.
- About role activity report
  In Genetec ClearID™, a role activity report is an audit trail of all activities related to roles. Each entry includes a timestamp, the type of activity performed, the user who initiated the action, and additional details such as the reason for the change.
- Viewing a role activity report
  To view a complete audit trail of system changes and monitor role-related activities, Account administrators, Role managers, and Role owners can view a role activity report in Genetec ClearID™.
Connecting to other systems
Learn how to connect ClearID to other systems.
Visitor management devices
Learn about the ClearID Self-Service Kiosk mobile app that simplifies visitor management and check-in.
Troubleshooting
Troubleshoot common issues that can occur.
Additional resources
Need tech support or product information? Check out these resources.
Glossary

Configuring role-based access control policies

2026-05-06

To automate role assignments based on identity attributes and ensure access dynamically updates when an employee changes departments or locations, Account administrators and Role owners can configure role-based access control policies in Genetec ClearID™.

What you should know

Each role can have up to 25 policies, each with up to 25 conditions.

Procedure

From the homepage, click Organization > Roles and select a role.
Click Provisioning policy, and then activate it.
Enter a meaningful description.
(Optional) Configure your automatic removal settings:
1. Select Automatically remove members that no longer match.
2. Choose:
- After a specified number of days.
- Immediately.
For example, an IT role member who changes to a Developer job can keep access for 7 days for transition support.
Add policy rules:
1. Select the Property type.
  The listed property types are identity field attributes that can be found in the general details of any identity.
  You can only select roles that you are a Role manager for.
  Provisioning attributes might include things like background check, drug and alcohol tests, NDA, Safety training, site induction training, and so on.
  Properties also include any identity custom fields configured in the system. You can enter or select values corresponding to the selected identity custom field property.
  The following custom field data types are not supported:
  - Date
  - Decimal
  - Date Time
2. Select an operator:
  - Contains
  - Does not contain
  - Is
  - Is not
3. Enter a value or select an option that relates to the property type you selected.
The operator and value options that are displayed depend on the selected property type.
(Optional) Add custom provisioning attributes:
1. Select the provisioning attributes property.
2. Select an operator:
  - Contains
  - Does not contain
3. Enter custom attribute values.
  
  The policy triggers only when the identity includes all specified attribute values.
(Optional) Disable a rule by setting the Enabled slider to Disabled.
(Optional) To duplicate a rule or set of rules, click .
(Optional) To remove any policy rules, click .
Click Save.

Users are now automatically added to or removed from roles based on their attributes.

Example

After you finish

Add role managers.