Managing UniFi Fabric People, Roles, and Permissions
UniFi Fabrics provide a flexible way to centrally manage people and assign granular permissions across multiple UniFi sites. By defining access at the Fabric level, administrators can scale both user and administrative access without duplicating configuration per site.
Requirements
- A UniFi Fabric with Consolidated People Management enabled. See Getting Started with UniFi Fabrics for more information.
- If you want users to access UniFi services through the Identity Endpoint app, then Identity Endpoint services must be configured for the Fabric. See Configuring UniFi Identity Endpoint & Zero-Trust Network Permissions for more information.
Overview of Key Terms
People
Individuals managed within a Fabric. People can be added manually or synchronized from an Identity Provider.
Permissions
Define what a person is allowed to do. Permissions fall into two categories:
- Admin Permissions: Control access to the UniFi management interface at unifi.ui.com, ranging from full administrative access to view-only or granular, application-specific permissions.
- User Permissions (Identity Endpoint Services): Control access to UniFi services through the Identity Endpoint app, including One-Click WiFi, One-Click VPN, and Smart Door Access.
Roles
Logical groupings of permissions and the sites they apply to. People can be assigned multiple roles; their effective access is the union of all assigned roles, so on any given site the most permissive grant wins.
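To make the most-permissive rule concrete, here is an added audit model (example code, not UniFi's own code or API; the role names, site names and grants are constructed sample data) that computes each person's effective per-site access as the union of their roles and flags a narrow role that is fully shadowed by a broader one on the same site, which is where a least-privilege review should start.

```python
from collections import defaultdict

# Constructed sample data (hypothetical roles and sites, not a real Fabric).
ROLES = {
    "site-viewer":   {"sites": {"hq", "branch"}, "admin": {"view"},         "services": set()},
    "hq-full-admin": {"sites": {"hq"},           "admin": {"view", "full"}, "services": {"one-click-vpn"}},
    "wifi-users":    {"sites": {"hq", "branch"}, "admin": set(),            "services": {"one-click-wifi"}},
}
ASSIGNMENTS = {
    "alice": ["site-viewer", "hq-full-admin"],
    "bob":   ["wifi-users"],
}
GRANT_KINDS = ("admin", "services")  # admin permissions vs. Identity Endpoint services


def effective_access(person, roles=ROLES, assignments=ASSIGNMENTS):
    """Per-site effective access: the union of every assigned role's grants.
    Returns {site: {"admin": set(), "services": set()}}."""
    access = defaultdict(lambda: {kind: set() for kind in GRANT_KINDS})
    for role_name in assignments.get(person, ()):
        role = roles[role_name]
        for site in role["sites"]:
            for kind in GRANT_KINDS:
                access[site][kind] |= role[kind]
    return dict(access)


def people_with_full_admin(site, roles=ROLES, assignments=ASSIGNMENTS):
    """Everyone whose effective admin permission on `site` includes 'full'."""
    return sorted(p for p in assignments
                  if "full" in effective_access(p, roles, assignments).get(site, {}).get("admin", set()))


def shadowed_grants(person, roles=ROLES, assignments=ASSIGNMENTS):
    """(role, site) pairs where the role adds nothing beyond the person's other roles
    on that site. Because access is the most permissive union, a narrow role next to
    a broad one does not restrict anything; it only hides the real access level."""
    findings = []
    mine = assignments.get(person, ())
    for role_name in mine:
        others = [r for r in mine if r != role_name]
        union_others = effective_access(person, roles, {person: others})
        role = roles[role_name]
        for site in role["sites"]:
            grants_something = any(role[kind] for kind in GRANT_KINDS)
            covered = all(role[kind] <= union_others.get(site, {}).get(kind, set())
                          for kind in GRANT_KINDS)
            if grants_something and covered:
                findings.append((role_name, site))
    return sorted(findings)
```

In the sample data, alice's view-only role on hq is shadowed by her full-admin role there, while on branch it is her only grant and stays meaningful.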
Adding People
People can be added to a Fabric in two ways.
Identity Provider (IdP) Binding
When an Identity Provider (IdP) is integrated, users and groups are synchronized automatically using SCIM, enabling seamless onboarding and off-boarding. Group metadata from the IdP can be used to simplify role and permission assignment within the Fabric, reducing manual access management.
Binding an IdP also enables SAML-based authentication for the Identity Endpoint app, ensuring users authenticate securely before accessing UniFi services.
For supported providers and configuration steps, see UniFi Fabrics Identity Provider (IdP) Integration for more information.
Manual
- Go to Site Manager.
- Select a Fabric.
- Navigate to People.
- Click Add New Person.
- Enter the required information.
- Click Create.
Creating Roles
- Go to Site Manager.
- Select a Fabric.
- Navigate to People > Roles.
- Click Create New Role.
- Enter a role name.
- Select the applicable site(s).
- Choose the admin permissions and/or Identity Endpoint services to include.
- Save the role.
Assigning Roles & Permissions
Assign Roles To A Group
- Go to Site Manager.
- Select a Fabric.
- Navigate to People > Roles.
- Select a role.
- Click Assign People.
- Select the people or user group(s) to assign.
- Click Done.
Assign Roles To An Individual
- Go to Site Manager.
- Select a Fabric.
- Navigate to People.
- Select a person.
- Click Assign Roles.
- Select the role(s) to assign.
- Click Apply Changes.
Assign Permissions To An Individual
- Go to Site Manager.
- Select a Fabric.
- Navigate to People.
- Select a person.
- Click Assign Sites.
- Select the sites your permissions will apply to.
- Enable Admin Permissions and/or Identity Services, and configure them to meet your desired outcome.
- Click Apply Changes.
Sending An Identity Endpoint Onboarding Email
By default, an Identity Endpoint invitation is sent automatically to a person as soon as they are assigned their first permission. If you have disabled this setting, you must instead click Send Invitation Email in the property panel of the specific person. See Configuring UniFi Identity Endpoint Services For Zero-Trust Network Access (ZTNA) for more information.