Groups

EdgeVis Server can utilise groups for improved and simplified roles and permissions management. A group can hold any number of encoders and users, where adding a user allows them to be assigned a role within the group which grants them that level of access to all encoders within the group.

For example, if there is a building with five encoders (providing video surveillance) and a number of security guards who must be provided access to those encoders there are two ways to provide the security guards access:

Without groups, it is necessary to assign each security guard the appropriate viewing permissions to each encoder individually. When a new guard is hired, they too must be given five permissions (one to each encoder), and if a new encoder is added to the building it is necessary to find each security guard’s account and individually grant them permission to view the new encoder.

With groups, it becomes considerably simpler to manage, as a group is created to hold all the encoders and all the security guards. When adding a new security guard to the group they are granted one viewing permission, to the group, meaning they have access to all encoders within the group. When a new encoder is added to the group, all security guards are immediately granted the same level of access.

An encoder and user can be added to multiple groups – in the example above a security guard may have permission to access encoders across multiple buildings by being a member of multiple groups.

Managing groups

From the domain homepage click the Groups icon to open the groups page, which lists all groups in the domain and provides the ability to create a new group using the Create group menu option. When creating a group, it is possible to enter a description which will be displayed as a subheading underneath the group’s name. To open the details page for the desired group, select the appropriate item from the list.

It is also possible to search for the group from the domain homepage, by entering part of the group’s name within the search box. The page will then find all assets (groups, encoders and users) within the domain that match the search string. Select the desired group from the search results to go directly to the detail page for the group.

Group details page

The group details page displays the group description (if set) and the list of all users that have been added to the group.

To view the encoders added to the group use the In this group list box to switch between displaying the encoders and users in the group.

Managing users in a group

To add a user to the group:
Use the Add user to group menu option to select the user to add to the group. After selecting the user, the second step is to assign a role to the user to grant the appropriate permissions to the encoders in the group. This process is described in more detail in ‘Assigning a user role to a specific group’.
To view a user’s role(s) and permissions:
The user’s role(s) is displayed below the username. To view the flattened permissions this grants within the group click the eye icon . This will show a permissions browser which outlines the permissions within the role.
To change a user’s role(s):
Use the pencil icon to modify the user’s role(s):

Tip: Removing all roles from the user will allow the user to remain in the group, but will not provide the user any access to the encoders in the group. This can be useful to create a notification-only group, where membership of the group is only used to determine who receives alarm notifications from the alarm management system.

To delete a user from the group:
Use the cross icon to delete the user from the group:

Managing encoders in a group

To add an encoder to the group:
Use the Add encoder to group menu option to select the encoder to add to the group. Adding an encoder to the group will immediately grant all users access to the encoder with the same permissions their roles provide (to all other encoders within the group).
To delete an encoder from the group:
Use the cross icon to delete the encoder from the group:

User Accounts

EdgeVis Server employs strict security rules, ensuring that before any user can connect to the server they have the appropriate login credentials to the server - there is no concept of guest or anonymous usage within EdgeVis. Once created a user account can then be granted a level of access (e.g. a specific domain) and permissions to access resources within that level (e.g. Encoder Administrator).

There are two kinds of users:

Server-wide Administrators
These users have server-wide access, and if given the appropriate role, can perform:
- Server administration and configuration
- Domain management
- Group, Encoder and User Account Management
- Encoder configuration
Domain Users
These users have specific access within a domain, and if given the appropriate role, can perform:
- Group, Encoder and User Account Management
- Encoder configuration

Given the server-wide access granted, in normal operation it would be expected to create a limited number of Server Administrators. Normal users should be created within a domain, and only granted access to the required encoders or account management permissions.

Managing Server-wide Administrators

From the server homepage click the Server-wide Administrators icon to open the users page, which lists users with server-wide access and provides the ability to create new Server Administrators using the Create single user menu option. When creating a user, it is possible to enter a description which will be displayed as a subheading underneath the user’s name. To open the details page for the desired user, select the appropriate item from the list.

Tip: Version 7.2 introduces the ability to quickly create multiple user accounts using the Create multiple users function. It is possible to either specify a single password to use with all supplied usernames, or to individually specify a unique password for every user. Each user can also be created with a chosen role – if selected each user is assigned the same role on a server/domain-wide basis.

Managing domain users

From the domain homepage click the Users icon to open the users page, which lists all users in the domain and provides the ability to create a new user using the Create user menu option. When creating a user account, it is possible to enter a description which will be displayed as a subheading underneath the user’s name. To open the details page for the desired user, select the appropriate item from the list.

It is also possible to search for a user from the domain homepage, by entering part of the user’s name within the search box. The page will then find all assets (groups, encoders and users) within the domain that match the search string. Select the desired user from the search results to go directly to the detail page for the user.

User details page

The user details page displays the user’s description (if set), and then the user’s account settings

password options (including set a password, reset password, resend welcome e-mail)
the contact details for the user (e-mails and phone number)
push notification settings (send via email/sms and/or push notification)
two-factor authentication (enrol or reset depending on server options)
app specific password (for creating special passwords to use on third-party systems that don’t support 2FA)

For Server Administrators the Permissions section displays a list of roles granted to the user on a server-wide basis, while for a domain user it displays:

a list of roles granted to the user on specific groups
a list of roles granted on a domain-wide basis

The Edit account menu option should be used to change the user’s password and description, while the Edit options menu option allows editing of an account’s login options – these can include:

disabling the account
forcing the user to change password on next login

A Move Domain option is present that allows a user with the appropriate permission (requires server-wide access) to move the user into another domain. Be aware that moving a user will remove their existing roles and permissions.

Setting contact preferences

The contact preferences are used by the server when the user is the recipient of a notification from the alarm management system. The server will send a notification to each enabled contact method:

SMS
For users who enter a phone number in their account, they can enable SMS notifications to that number.
Email
For users who have added an e-mail address to their account, they can enable e-amil notifications to that address.
Push notifications
A user with an iOS or Android device who connects to the server using EdgeVis Client will automatically be registered for push notifications on that device. This page will list all devices that have previously been registered to receive notifications for that user – the device will continue to receive notifications for as long as the app is installed.
This page allows you to either disable or delete devices – this will immediately stop those devices from receiving notifications via push.

Managing a user’s roles and permissions

The bottom section of the user details page lists:

Server-wide Administrator accounts only

The Server Wide Access section displays the roles the user has been granted on a server-wide basis.

See ‘Assigning a server-wide role to a user’ for details on how to assign/change the user’s role.

Domain users accounts only

The Group and Encoder Access section displays the roles granted on a group basis, signified by the group icon:

and on an individual encoder basis, signified by the encoder icon:

See ‘Assigning a user role to a specific group’ for details on how to assign/change group roles.
See ‘Assigning a user role to a specific encoder’ for details on how to provide access to encoders.

It is also possible to add a user directly to a group from the user detail page using the Add to group menu option.

The Domain Wide Access section lists the roles the user has been granted on a domain-wide basis

See ‘Assigning a user role to a specific domain’ for details on how to assign/change the user’s role.

It is security best-practice to only provide the minimum level of access required to any user. It is recommended to only provide domain wide access to users who are required to manage the accounts within a domain, and to use groups to provide access to users who use and manage encoders.

Encoder Accounts/Configuration

EdgeVis Server employs strict security rules, ensuring that before encoders can connect to the server it has appropriate login credentials to the server.

All encoder accounts must exist within a domain – an encoder account can not be created at the server level.

Managing encoder accounts

From the domain homepage click the Encoders icon to open the encoders page, which lists all encoders in the domain and provides the ability to create a new encoder account using the Create one encoder menu option. When creating an encoder account, it is possible to enter a description which will be displayed as a subheading underneath the encoder’s name.

The encoder list uses colour and a status string to indicate the encoder’s live status:

To open the details page for the desired group, select the appropriate item from the list.

It is also possible to search for an encoder from the domain homepage, by entering part of the encoder’s name within the search box. The page will then find all assets (groups, encoders and users) within the domain that match the search string. Select the desired encoder from the search results to go directly to the detail page for the encoder.

Tip: It is possible to quickly create multiple encoder accounts using the Create multiple encoders function. Either specify a single password to use with all supplied encoder names, or individually specify a unique password for every account.

New encoder account details page

Once created, the encoder’s detail page will show that the encoder is offline and is unlicensed.

In addition to requiring an account to connect to the server, an encoder also requires a licence be installed on the server.

While some encoders can automatically obtain a licence from the server on first connection, certain licence types must be manually assigned (either using this page, or from the encoder’s web configuration). This is because they are licensed per-camera input, and several licence levels are available (offering different levels of functionality).

New in Version 8.5 - Auto-assignment of body worn / mobile encoder licences

As of EdgeVis Server version 8.5 and above it is no longer necessary to allocate EdgeVis Mobile encoder licences (or the recording/external camera extensions) to any account in advance. You simply have to create the account, and when the device comes online all licences will be assigned automatically (assuming you have the appropriate licences installed on your server(s)).

Click on the Licence icon to open the encoder’s licensing page and use the Edit Licence menu option to select the appropriate licence (and if appropriate, the number of camera channels to enable on the device.

If a licence is set using this web page, then the encoder’s web configuration interface can not override the licence choice.

What EdgeVis licence does each product require?

EdgeVis Specialist Licence (one per encoder)
Existing TVI Products [C200, C300, C310, U310, S400, I200, I300, R300, M350, R400]
S Series [HD-S600]
R Series [SD-R500 (formerly Tri-Star), HD-R700, 4K-R800]

EdgeVis Mobile Licence (one per encoder)
Mobile Encoder for iOS and Android
EdgeVis Lite, Enhanced or Enterprise Licence (one per camera channel)
IP Series [IP100, IP150, HD-IP200, HD-IP250, HD-IP350, HD-IP450, HD-IP470]
Q Series [SD-Q600 (formerly MiniCam), HD-Q800]
Video Router [Video Router 1, Video Router 4]

Use the encoder account details to configure the encoder

Once the encoder account has been created and, if necessary, a licence assigned the encoder should be configured using the details of the server. Refer to the encoder’s hardware installation guide for details on how to configure the encoder, however you should have the following information to proceed:

The server’s external IP address
The server’s encryption fingerprint (available from the server homepage) for web-based configuration
The server’s encryption pack (available from the server homepage) for USB-based configuration
The encoder name
The encoder password

Once configured the encoder should attempt to connect to the server, logging in using the account details provided. If successful, the encoder will appear with a green status icon in the encoder list.

Online encoder configuration options

When an encoder is online the encoder details page will contain a number of new icons, each signifying the status and settings for an area of functionality on the encoder.

Each encoder model supports different levels of functionality and features - the options available on this page will change depending on the model of encoder and the firmware that is installed on this encoder.

Additionally, the user performing configuration of the encoder must have been granted the appropriate permissions within each section.

The following sections provide an overview of each configuration section and how to use it. The pages shown should only be treated as examples, given the difference between encoder products - refer to the encoder’s manuals for more complete information on how to configure and get the best out of a specific encoder.

Section: Device Status

The first section provides a high-level overview of the encoder, with a summary view of:

Encoder model name – click to view the status and diagnostics pages (see next section)
Communications bearer – click to view the history of the encoder’s communications bearers and their connection to the server.
Firmware version – click to view the encoder’s current firmware version, and to upgrade the encoder to a newer firmware
EdgeVis licence – click to view the encoder’s assigned EdgeVis licence and any licence extensions (e.g. Safezone-2D licence extensions)

Additionally, the right hand options offer the ability to review which users have been granted direct access to the encoder, a list of who is currently viewing the encoder, and access to the encoder’s event log.

Status and diagnostics page

The encoder’s Status page displays useful information about the current status of the encoder, including:

Encoder firmware version
Use the Upgrade firmware menu option to select from the compatible firmware on the server (firmware can be uploaded to the server by server-wide administrators).
Encoder model and serial number
Input Voltage
Internal CPU temperature

Connection details:

The communications bearer currently being used to connect to the server
The primary and secondary communications bearers
Secondary information on the communications bearers (e.g. the LAN MAC address)

Section: Video

The Video Inputs section lists all of the cameras/video inputs that are available on the encoder. This can include:

Physical camera inputs
(e.g. PAL/NTSC composite input or HD-SDI)
Built-in cameras
(e.g. mobile phone cameras, Q800 dome)
IP Cameras
(added during initial configuration)
Video layouts
(e.g. Picture-in-picture or Quad-view)

The right section offers additional settings (which may only appear on certain encoder models) for configuring the recording, audio and PTZ settings – these are described in the following sections.

If a user selects one of the listed video inputs they may be offered several options:

Enable/Disable the channel
This determines if the video input should be listed as an available channel within viewing clients
Make the input Available for recording
Should this video input be recorded when the encoder is instructed to record (either through 24/7 recording or recording on alarm).
For non-IP video inputs it is possible to set various recording parameters (e.g. frame-size, recording quality)
Audio source
On encoders with physical audio inputs it is possible to associate audio inputs with a corresponding video input – this affects both live and recorded video stream.

PTZ settings

The encoder’s PTZ settings page allows the user to configure the PTZ settings (for non-IP cameras).

For encoders that support composite or HD-SDI cameras the user must manually configure the PTZ protocol and port using the Configure PTZ menu option. Refer to the camera manufacturer’s documentation to determine the appropriate settings.

For encoders that support IP cameras, PTZ is set up automatically when adding the camera using the encoder’s local web interface (and, as a consequence, this menu option is not available).

Recording settings

The first setting controls how the encoder should behave - encoders can operate in one of two Recording modes:

Always recording
Recordings should be made 24/7, regardless of any alarm rules
Record on alarm action
By default the encoder should not record, and the user must create alarm rules to initiate recording (usually for a fixed duration).

Additionally, several other options can be present including:

Limit the maximum recording duration
For legal reasons it is often desired/required to limit the number of days the encoder should retain recordings for. This setting does not guarantee that the encoder will be able to record for this many days (as this is dependent on the size of the disk), only that it will automatically delete recordings once they are over the duration specified.

Storage devices

Within the Storage devices page the available recording devices are listed, along with their recording status. Click on a device to display further information and options including the disk space available, the option to enable/disable recording to the device, and the ability to remotely erase all recordings on the device.

Section: Streaming

List of output streams (V8.0+ encoder firmware only)

This section contains a list of output video streams on the left-hand side. For every encoder this will only contain one entry, except the 4K-R800 and Video Router 4 that will contain up to two (for 4K-R800) or four (for Video Router 4).

Each entry lists two items:

The name of the output stream
The number of viewers currently watching this video stream

Encoders have both:

An encoder name (this is fixed)
This is the name of the encoder’s account that is programmed into the encoder. This is displayed within EdgeVis server when listing and configuring encoders – and at the top of the encoder’s configuration page.
A stream name (this can be changed)
This is the name displayed within viewing clients – this is what is listed in this section.

Clicking on an item will allow you to configure the output parameters for this stream:

To rename the output video stream:
Click the name of the stream. This will allow you to select a new name that is shown to all viewing clients.

New stream names must be unique on the server (and this is checked against all existing stream and encoder names).
Version 8.0 clients will pick up any stream change automatically within the Home page, while older clients will need to log out/in.
Clients viewing a stream that is renamed will find that their video stream playback will stop. To continue they should close any tabs related to this encoder and reopen them using the new name.

To change the list of video inputs that are listed within the clients:
Tick/untick each desired camera or video layout to show/hide it within clients. This only affects the live transmission capability and will not change any recording or alarming capability.

Device bandwidth usage

This page lists the bandwidth settings for the enabled communications methods on an encoder.

For each entry there are two settings:

Bandwidth cap
This is an admin setting that can be used to control the maximum bandwidth a user may set for live streaming. It is only configurable on EdgeVis Server, and by default is set to the highest supported bandwidth for that type of connection.
Maximum bandwidth
This is the live setting a user will use operationally when setting streaming bandwidths – users may set this within EdgeVis Server or EdgeVis Client up to the Bandwidth cap limit set.

Both of these settings are protected by different permissions. This allows an admin to manage costs by limiting the user’s ability to set higher rates, while still providing the end users the permission to set their desired bandwidth up to the desired bandwidth cap limit.

Minimum bandwidth

Users viewing an EdgeVis stream all receive the same stream from an encoder. The stream is transmitted once from the encoder to EdgeVis Server, and the server distributes that stream to all clients.

As part of the continual quality-of-service monitoring of each link, an individual client can detect it does not have enough available bandwidth to view the encoder’s stream at the current bitrate. It can request that the encoder temporarily lower the bandwidth so that it may continue to view the stream (based on what the client believes it can achieve).

As the same stream is received by all clients if one client requests to reduce the video bitrate, then all clients will receive the same lower quality stream. In order to stop one rogue viewer from dropping the video bitrate significantly for all users it is possible to set a minimum bandwidth level (as a percentage of the maximum bandwidth).

Should a viewer’s available bitrate fall below that level, then they will not be able to lower the bitrate any further and they will soon be unable to view the stream without interruption.

Manage streaming quality

This page allows the user to control the video resolution and frame rate of the live video stream. Version 8.0 encoders support two modes of operation:

Compatible (default for new and upgraded encoders)
For users who have legacy version 7 clients (or third-party applications that the v7 Decoder SDK, e.g. Milestone VMS [as of November 2020]). The automatic selection of video resolution and frame-rate is only performed:
- When the first viewer starts streaming
- When the user selects any new quality/ bandwidth setting
- When the encoder switches between communications methods
Enhanced (recommended)
For users who have no legacy viewers it is recommended to use the Enhanced video codec mode. This will allow the encoder to dynamically and continually alter the video resolution and frame rate based on live bandwidth conditions observed by the encoder. This powerful capability allows the encoder to maintain a consistent quality level during periods of difficult or ever-changing bandwidth conditions.
However older v7 clients will be unable to view the video stream produced in Enhanced mode.

To switch between codec modes use the Edit button.

Stream quality settings

This section provides controls for tailoring the video quality settings. The highest-level configuration option contains four different preferences - designed so that most customers will be best served with a fully automatic setting, with some alternative presets to satisfy more specific deployment scenarios.

While the four main preset options should satisfy most customers, you can also tailor the encoder’s behaviour further. Select Custom from the Stream quality menu to customise the encoder’s streaming settings:

You can choose between four schemes in Prioritise resolution / framerate:

Balanced (Enhanced mode only)
Similar to Automatic, but the encoder won’t select a value above the selected target resolution or frame rate.
Prioritise frame rate (Enhanced mode only)
Similar to Best frame rate, the encoder will increase the frame rate until it hits the target frame rate, and then it will increase the resolution up to the target resolution.
Prioritise resolution (Enhanced mode only)
Similar to Best resolution, the encoder will increase the resolution until it hits the target resolution, and then it will increase the frame rate up to the target frame rate.
Strict
The encoder will disable all automatic adjustment and will use target resolution and frame rate.

Notes:

The target frame rate and resolution options will filter out unavailable combinations. For example if you select 1080p then the target frame rates will be limited to 10fps, in line with the encoders’ capabilities.

These options do not reflect the incoming RTSP video stream for IP cameras. Should the camera present a lower resolution/frame rate the encoder will automatically reduce to match.

Audio Settings

There are two audio settings available to encoders who have a video stream that contains an audio source.

Audio source
Select whether the incoming audio stream should be transmitted as Mono or Stereo, or whether it should be disabled entirely. Be aware that stereo audio transmission will use twice as much bandwidth as mono.
Audio quality
The encoder can adjust the audio quality dynamically, should the overall live bandwidth drop to a point where the audio bitrates would negatively affect the video stream. This setting can be configured to one of three quality levels: Low / Medium / High. This dictates the minimum proportion of bandwidth the encoder should allocate to the audio from the chosen maximum bandwidth. Higher settings ensure, should the available live bandwidth drop, that more bandwidth is reserved for the audio.

Section: Lifecycle management

The pages within this section predominately deal with three interrelated sections of functionality

Physical alarm configuration
Alarm rules and scheduled actions
Encoder sleep modes

These are advanced capabilities and beyond the scope of this document. Further information on how to best utilise alarms and sleep modes can be obtained from the EdgeVis Alarm and Sleep Management Guide.

Additionally, some encoders can also provide power to external devices – the next section describes this configuration.

Power settings

Some encoders can provide power to external devices (e.g. to supply power to attached cameras). It is normally possible to enable/disable the power supply to these devices remotely.

Click on the desired power option to change the configuration. Some encoders only allow the power to be manually enabled/disabled, while others have additional options where the power can be intelligently enabled (e.g. when a viewer starts viewing the video stream).

This section also allows the user to toggle any relay output on/off.

Section: Advanced settings

Local Wi-Fi

If supported, the encoder may support the creation of a local Wi-Fi hotspot. This is primarily used to access the local web interface, or to perform ‘drive-by’ download of recordings.

Local Wi-Fi can operate in one of two modes:

Always on
Switched – where Wi-Fi is normally used to connect to a wireless router to provide a connection to the server, but can be switched to hotspot mode remotely, to allow local access

The Local Wi-Fi page allows the user to configure the settings of the wireless access point created, as well as switching in/out of Local Wi-Fi mode when in Switched mode.

SecureConnect

SecureConnect is a feature that allows IP cameras, video analytics and other edge devices to be remotely configured and controlled using the secure EdgeVis architecture. This allows a remote user to operate IP devices using EdgeVis Client.

The SecureConnect page lists the channels configured on the encoder, allowing the user to edit the channel, remove the channel, or add a new one using the Add channel menu option.

Using a SecureConnect channel (through EdgeVis Client) will use some of the same bandwidth that is normally allocated to the live video stream (lowering the video quality). Use the Edit bandwidth menu option to change the maximum percentage of bandwidth all SecureConnect users will share.

Further details on SecureConnect can be found in the article EdgeVis Encoder/MiniCam - Using SecureConnect to access remote devices.

Location Settings

The encoder’s Device Location page can be used to configure the time zone that should be used when reporting time from the encoder, and the settings used to transmit the encoder’s location to viewing clients.

There are three options available (depending on the encoder model):

Internal GPS module
External USB/Serial GPS module (e.g. the USB GlobalSat BU353 and Serial BU355 dongles – other NMEA 0183 devices may be compatible)
Static location (manually enter GPS longitude/latitude co-ordinates)

Most external GPS devices that require a baud-rate operate at 4800 baud.

Serial Pass–Thru

Serial Pass-Thru is a feature that allows remote serial devices, attached to the encoder, to be controlled remotely through the secure EdgeVis infrastructure. It is an advanced feature, and it is recommended to contact support for further information on its use.

The Serial Pass-Thru page displays the current settings and allows the user to select which serial port and baud-rate to use.

The Send out-bound serial data to all viewers option allows the user to broadcast all serial data (received on the encoder’s serial port) to all viewing clients, as opposed to the user who has the Serial Pass-Thru channel open.

Where next?