[Support]: v0.17 - 'Viewer' role no longer has access to birdseye view

[jmhunter]

Checklist

• I have updated to the latest available Frigate version.
• I have cleared the cache of my browser.
• I have tried a different browser to see if it is related to my browser.
• I have tried reproducing the issue in incognito mode to rule out problems with any third party extensions or plugins I have installed.
• I have asked the AI at https://docs.frigate.video about my issue.

Describe the problem you are having

I updated to v0.17 this morning - thank you!

I have a user with 'Viewer' permission for all cameras.

Since updating to v0.17 this user can no longer see Birdseye view in the UI.

If I change the user to an Administrator, the user can see Birdseye view again (and if I change the user to a Viewer, it disappears)

Steps to reproduce

1. Create user with 'Viewer' permission to all cameras
2. Run v0.16.x - the user can access Birdseye view
3. Update to v0.17 - the user can no longer see Birdseye view
   ...

Version

0.17.0-f0d69f7

In which browser(s) are you experiencing the issue with?

Fire Tablet Silk browser, plus tested in Chrome

Frigate config file

Looks like users are defined outside the config file. Can share config if needed?

docker-compose file or Docker CLI command

services:
  frigate:
    container_name: frigate
    restart: unless-stopped
    stop_grace_period: 30s # allow enough time to shut down the various services
    image: ghcr.io/blakeblackshear/frigate:stable
    shm_size: "512mb" # update for your cameras based on calculation above
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /data/docker/frigate/config:/config
      - /data/docker/frigate/data:/media/frigate
      - type: tmpfs # Optional: 1GB of memory, reduces SSD/SD Card wear
        target: /tmp/cache
        tmpfs:
          size: 700m
    ports:
      - "8971:8971"
      - "8554:8554" # RTSP feeds
      - "8555:8555/tcp" # WebRTC over tcp
      - "8555:8555/udp" # WebRTC over udp
    environment:
      FRIGATE_RTSP_PASSWORD: [redacted]
      PLUS_API_KEY: [redacted]

Relevant Frigate log output

none found

Relevant go2rtc log output

n/a

Operating system

Other Linux

Install method

Docker Compose

Network connection

Wired

Camera make and model

n/a

Screenshots of the Frigate UI's System metrics pages

n/a

Any other information that may be helpful

No response

[inkeep-ai-assistant[bot]]

Based on the available documentation, this appears to be a change in how Birdseye access works with role-based permissions in v0.17(1)(2).

In v0.17, the viewer role provides read-only access to cameras, but Birdseye is now treated differently from individual cameras in the permission system(2). The viewer role grants access to "Live, Review/History, Explore, and Export" for cameras(2), but Birdseye may require explicit configuration.

To resolve this, you have two options:

Option 1: Add Birdseye to a Camera Group

Birdseye can be viewed by adding it to a Camera Group in the Web UI(1). You can create a Camera Group by pressing the "+" icon on the Live page and choosing "Birdseye" as one of the cameras(1).

Option 2: Use Custom Roles

In v0.17, custom roles allow you to specify which cameras a user can access(2). You can create a custom role that includes access to the cameras you want, and this should allow the user to see those cameras in Birdseye view(2).

The configuration would look like:

cameras:
  front_door:
    # ... camera config
  side_yard:
    # ... camera config

auth:
  enabled: true
  roles:
    custom_viewer:  # Custom role
      - front_door
      - side_yard

(3), (2)

Then assign your user to this custom role instead of the default "viewer" role(2).

Note: The default viewer role in v0.17 is designed for read-only access to specific cameras(2), and Birdseye access may need to be explicitly configured through camera groups or custom roles that include all cameras the user should see.

📚 Sources:

1. Birdseye
2. Authentication
3. Full Reference Config

---

Have another question? Just tag @inkeep.

[NickM-27]

This is not a bug and is working as expected, the birdseye camera is done on the server side which means we can not guarantee that a user with access to limited number of cameras won't see a camera they don't have access to. So this means birdseye view can only be for admin users who are guaranteed to have access to all cameras.

[NickM-27]

@hawkeye217 may know more, but that is my understanding

[hawkeye217]

Right, the decision was made to be more restrictive with Birdseye in 0.17, since we cannot easily guarantee Birdseye will only have cameras that new custom viewer roles have access to.

[jmhunter]

In my head that's a bit of a regression - the Birdseye viewer worked fine until 0.17, and it seems a shame that I now need to leave a tablet logged in as an administrator, simply to use the Birdseye view.

Do we need an additional attribute of a viewer role, that explicitly controls access to Birdseye view; or a different permission? I don't think simply removing it is the best way (IMHO)

[hawkeye217]

Yes, as I said we did make the decision to be more restrictive for 0.17 because of the introduction of custom viewer roles. We can consider improving this in a future version of Frigate.

[NickM-27]

I'm not super familiar with where that logic is and exactly how that works. It is possible that we can check if the viewer has access to all cameras and if so make it available.

[jmhunter]

Yes, as I said we did make the decision to be more restrictive for 0.17 because of the introduction of custom viewer roles. We can consider improving this in a future version of Frigate.

Does this need an issue to track it - happy to raise if that helps?

Edit: Raised as #22155

[DaveL75]

Yes, as I said we did make the decision to be more restrictive for 0.17 because of the introduction of custom viewer roles. We can consider improving this in a future version of Frigate.

yes please! It makes sense from your explanation but eg for my 'anyone in the house can see it' display I don't really want an elevated priv user being on that monitor all the time. Viewer user + birdseye has been my usecase so far.

[hawkeye217]

This is improved in #22166 and should be available in Frigate 0.17.1.