Skip to main content

Create a User and Assign Roles

Goal: add a person who can log in to GEM — web, mobile, or API — with the right level of access.

A user's access comes entirely from the roles assigned to it. You can also scope a user to specific sites and attach a notification profile.

Before you start

  • You're logged in as an administrator.
  • The roles this person needs exist (see Create a Role).

Steps

  1. Open Users and click Add.

    Open Users

  2. Basic information — set Username (lowercase_with_underscores), and optionally First/Last name (used in access logs and visitor badges) and a photo.

  3. Credentials — set how the user authenticates:

    • Password for web/mobile/API login.
    • PIN for touchpanel or access-device entry, if applicable.

  4. Roles — assign one or more roles. Permissions are additive — the user gets the combined grants of every role. Keep assignments minimal: add a second role rather than over-broadening one.

  5. Sites — restrict the user to specific sites if this is a multi-site deployment.

  6. Notification profile — attach a profile to control which channels (SMS/email/web push) and hours the user receives notifications (see Set Up a Notification Profile). Set Email / SMS here for those channels.

  7. Enabled — leave on to activate the account.

  8. Save.

:::note Users are disabled, not deleted User rows can't be deleted from the grid — clear Enabled or set Revoked instead, so audit history is preserved. Disabled/revoked/expired users are also automatically removed from access devices that support a sync API. :::

Verify it

Log in as the new user (or have them do it) and confirm they can reach exactly what their roles allow. If they can see too much or too little, adjust the role, not the user — that's the whole point of RBAC.