Introduction


About This Guide

This guide is intended to be used as a standard guide for the Primis Access Control System. General Linux knowledge and Primis Certification Training Knowledge are expected.

...

The following tables describe the properties of Primis bridges.

Reader Properties

| Options | Description |
| --- | --- |
| Description | Reader description identifies the reader. |
| Default Card Format | This field specifies the card that is being used with this bridge device. Auto card format will try to match the best fitting card format. The auto card format behavior can be managed by going to System, Devices and then Manage Card Format. For more information see the section on Managing Card Formats. |

Input Properties

| Options | Description |
| --- | --- |
| Description | This field identifies what input signal is being monitored. |
| Activate Relay Output | This option configures the Primis Bridge to activate the specified relay when the input is shorted. Note: This feature is executed at the Primis Bridge hardware level and does not require a connection to a Primis server. Thus, it is generally used as a “Request to Exit” function (e.g. via a push button). |
| Activate Relay Output: Relay: | This drop-down list specifies which relay is activated when an input event occurs. It is only active if the Activate Relay Output checkbox above is checked. |
| Default Activation Time | This drop-down list specifies the number of seconds that the relay activates when an input event occurs. |
| Supervised Input Ready: | This checkbox is for Primis Bridge Devices that are equipped with supervised inputs. This field should be left unchecked unless the optional Supervised Input Board is connected. For specific instructions on how to connect the supervised input board, please see the appropriate instructions. |

LED Properties

Description: Identifies the LED when adding to Port Trigger Actions or viewing in Activity Logs.

...

Description: Identifies the Buzzer output when adding to Port Trigger Actions or viewing in Activity Logs.

Relay Properties

| Options | Description |
| --- | --- |
| Description | Description of the relay output. Identifies the relay in the Controlled Areas and Port Triggered Actions. |
| Default Relay Position | Default power up position of the relay. |

Schedules

Schedule Management

...

The Advanced tab on the Controlled Areas screen contains additional configuration flags:

| Options | Description |
| --- | --- |
| Toggle | Sets the Controlled area to Secure or Unsecure based upon an event other than a schedule. For example, an Authorized Card can change the state. Check the box for this function. Also provides ability to Disable the Door Monitor Event. Alarms are now enabled by default. This will not generate the alarm unless the Generate Alarm box is checked. |
| Multi-Factor | Sets the number of Authorized Card Reads necessary to allow entry to the Area. Allows ability to implement 2-Factor or 3-Factor identification. |
| Auth Mode | Relates to Multi-Factor. Sets the number of Users required for entry to the Area. Two Factor authentications for the number of factors to be used to activate an access granted: Single User, Multi-User, Guard Group. |
| Guard Access Group | Defines the access group required for two-authentication. |
| Auth Timeout | Relates to Multi-Factor. Set the number of seconds allowed between card reads. Note: a device that has Multi-Factor set can only reside in one Controlled Area. |
| Exit Reader | Defines the exit reader. Required for counting for zone groups for Anti-passback and/or Muster reporting. |

 

...

Multi Card Swipe Tab

The multiple swipe action is intended to place multiple actions to change the state of a single Controlled Area, or an entire zone group on a pre-set number of card scans, in a defined window of seconds.

...

  1. Click on the Controlled Areas navigation tab.

  2. On the left, click the Zone Groups link.

  3. In the Actions bar, click on Add Zone Group.

  4. Enter a Name for the zone group.

  5. Enter an optional Description of the group.

  6. Check the Anti Passback Enabled box to enforce anti-passback for this zone group.

  7. In the Anti Passback Forgiveness dropdown box select from the following options:

| Options | Description |
| --- | --- |
| Never | User cannot re-enter the perimeter until they pass through an exit reader or enter an area that is outside of the zone group. Otherwise Primis administrators have to manually reset the user’s anti-passback lock. |
| Midnight | Anti-passback lock will be forgiven at midnight. |
| Every 12 hours | This forgives anti-passback locks twice a day: at noon and midnight. |
| Every 6 hours | This forgives anti-passback locks every 4 hours (e.g. midnight, 6am, noon, 6pm). |
| Every 2 hours | This forgives anti-passback locks every 2 hours (e.g. midnight, 2am, 4am, etc.) |
| Every hour | This forgives anti-passback at the top of every hour. |
| Every 30 minutes | This forgives anti-passback at the top and 30 minutes of the hour. |

  8. Check the APB Enforced on Exit Readers box to enable this feature; anti-passback is imposed on exit readers also. You must set EnforceExitAccessRight to Yes in siteEngine.ini – go to the System tab, Administration, System Parameters page to edit this file.

  9. Select a group of users in the Exempt Access Groups if you want them to be exempt from anti-passback rules.

  10. Click Save.

...

  1. Click on the Access navigation tab.

  2. Click on the User Access Groups, Floor Access Groups or Guest Access Groups link.

  3. In the Actions bar, click on Add Access Group. The following screen is displayed:

  4. Enter a Name and a Description.

  5. Select the Risk Levels during which this group will have access: Low, Guarded, Elevated, High or Severe (the current risk level is always displayed at the top of the Primis screen).
    For more information on Risk Levels see the Alert Level Management section.

  6. Select a Controlled Area for this group.

  7. Select a Schedule for the Controlled Area. If that controlled area is not going to be accessed by that User Access Group, leave the schedule as Always Off.

  8. If you need an additional line for extra Controlled Areas and/or Schedules, click the + button beside the current line. To delete a line, click the button.

  9. Click Save.

Global User Access Groups

...

  1. Create a new Controlled Area with the elevator reader.

  2. In the new Controlled Area’s Floor tab, select all the associated Floor Areas; specify the desired activation time and click +.

...

Create a Floor Access Group

...

All events fall into one of the following groups and categories. In addition, every event in the system has an event id associated for searching.

| Event Groups | Category | Description |
| --- | --- | --- |
| Access Control Activity | User | Cardholder activity on the system. |
| | Port | Identifier to what device the activity occurred. |
| | Door | The controlled area that the activity occurred. |
| System | System | The system that the activity occurred. |
| | Device | The bridge or device the activity occurred. |
| | Port | The port the system data occurred. |
| | Database | The database the system data occurred. |
| | Credential | The credential data or error information. |
| | LDAP | Active Directory sync data and errors. |
| | Network | Data errors and other critical network data. |
| Admin | Login/Logoff | Administrator authentication log. |
| | Operator Action | Action done by the operator using AMS-Lite. |
| External System | Video | Video activity events and errors. |

Searching Events

You can search events to track access or errors over several days. When searching events, it is possible to filter results by particular devices or events and it is also possible to generate a PDF or a CSV document from your search results.

...

Primis now has the ability to display why a user was denied in the system with all of the possible complex options.  This data will also display in the activity details.

| Event ID | Description |
| --- | --- |
| 10202 | Denied - CA Locked Down |
| 10203 | Denied - Invalid License |
| 10204 | Denied - Anti Passback |
| 10205 | Denied - Card Disabled |
| 10206 | Denied - User Deactivated |
| 10207 | Denied - User Expired |
| 10208 | Denied - Access Expired |
| 10209 | Denied - Risk Level |
| 10210 | Denied - Start Date Error |
| 10211 | Denied - Certificate Revoked |
| 10212 | Denied - Certificate Chain Invalid |
| 10213 | Denied - Certificate Signature Invalid |
| 10214 | Denied - Certificate Timestamp Invalid |
| 10215 | Denied - SSL Validation Error |
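The denial Event IDs above can be used to triage a CSV file generated from an event search. The following is an added example, not part of the Primis guide or product: it counts denials per reason and flags users who hit the same denial repeatedly in a short window. The CSV column names, the sample rows, and the threshold and window defaults are assumptions.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Event IDs from the denial table above ("Denied - " prefix dropped for brevity).
DENIAL_EVENTS = {
    10202: "CA Locked Down", 10203: "Invalid License",
    10204: "Anti Passback", 10205: "Card Disabled",
    10206: "User Deactivated", 10207: "User Expired",
    10208: "Access Expired", 10209: "Risk Level",
    10210: "Start Date Error", 10211: "Certificate Revoked",
    10212: "Certificate Chain Invalid", 10213: "Certificate Signature Invalid",
    10214: "Certificate Timestamp Invalid", 10215: "SSL Validation Error",
}

# Constructed sample export. Column names are assumptions, not the Primis CSV layout.
SAMPLE_CSV = """timestamp,event_id,user,controlled_area
2024-03-04 08:01:10,10204,jdoe,Lobby
2024-03-04 08:02:30,10204,jdoe,Lobby
2024-03-04 08:05:00,10204,jdoe,Lobby
2024-03-04 08:30:00,10205,asmith,Server Room
2024-03-04 09:00:00,10211,bchen,Lab
2024-03-04 09:15:00,99999,bchen,Lab
2024-03-04 11:00:00,10204,jdoe,Lobby
2024-03-04 12:00:00,n/a,unknown,Lobby
"""

def load_denials(text):
    """Parse CSV text and keep only rows whose event ID is a known denial."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        try:
            eid = int(rec["event_id"])
            ts = datetime.strptime(rec["timestamp"], "%Y-%m-%d %H:%M:%S")
        except (KeyError, TypeError, ValueError):
            continue  # skip malformed rows instead of aborting the review
        if eid in DENIAL_EVENTS:
            rows.append({"ts": ts, "event_id": eid, "user": rec["user"],
                         "area": rec["controlled_area"]})
    return rows

def summarize(rows):
    """Count denials per reason."""
    return Counter(DENIAL_EVENTS[r["event_id"]] for r in rows)

def repeated_denials(rows, threshold=3, window=timedelta(minutes=10)):
    """Return {(user, event_id): n} for users denied for the same reason
    at least `threshold` times inside any one `window`-long span."""
    by_key = defaultdict(list)
    for r in rows:
        by_key[(r["user"], r["event_id"])].append(r["ts"])
    flagged = {}
    for key, stamps in by_key.items():
        best = max(sum(s <= t <= s + window for t in stamps) for s in stamps)
        if best >= threshold:
            flagged[key] = best
    return flagged
```

On the constructed sample, `repeated_denials(load_denials(SAMPLE_CSV))` flags jdoe for three Anti Passback denials within ten minutes; the fourth, hours later, falls outside the window.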

Reports

Reporting Management

...

 Reports Available By Page

| Page | Report Name | Description |
| --- | --- | --- |
| Users | Users Report | Creates a list of all of the users in the database for review. |
| Access | User Access | Creates a list of all of the user access groups in the list. |
| | Guest Access | Creates a list of all of the guest access groups in the list. |
| Controlled Area | Controlled Areas | Creates a list of all of the controlled areas. |
| | Port Triggers | Creates a list of all port triggered actions currently in the system. |
| Schedules | Schedule | Creates a list of all schedules and their respective periods. |
| | Special Days | Creates a list of all of the special days currently in the system. |
| Events | Attendance | Working in accordance with anti-pass back for in-out readers to determine if someone was in the building. |
| | Alarm Monitor | Reports all alarms that occurred on the system between the requested date and time. |
| | Alarm Activity | Reports all alarms that occurred on the system between the activity and the real system. |
| Suites | Suites | Provides a list of all the suites in the system. |
| | Businesses | Provides a list of all of the Business units in the system. |

Time and Attendance Reports

...

  1. Login to Primis with the system account.

  2. Click on the System navigation tab.

  3. On the left, click on the Active Directory link.

| Options | Description |
| --- | --- |
| Connection Timeout | The connection timeout in seconds to the active directory. |
| Audit Data Enabled | When this is enabled, all changes made through the active directory integrations will be logged in the Audit logs. Enabling this option will dramatically increase the number of logs. The minimum hard disk space recommended is 500 GB when this feature is enabled. |
| Web Login Enabled | Groups of administrators can be assigned to an administrator account. That account will link the admin profile to that permission for administration. It is recommended that for these types of accounts you name them differently than your standard user base to support the integration. To allow the login from this group, you must have the Web Login Enabled box checked. |
| User Sync Start Time | The start time of the synchronization of users, organizational units, and groups from LDAP connections. Multiple synchronizations can be scheduled to run at different times of the day. |
| User Sync Read Timeout | The timeout in seconds before the query issued by user sync is aborted. |
| Force Update Enabled | This will force user updates from the active directory structure. |
| Live Update Enabled | This feature enables an OU, Group, and Access Group attribute check against active directory on every card scan. If disabled it will rely on the data from the scheduled synchronization. |
| Live Update Read Timeout | The timeout in seconds before the query issued by live update is aborted. |
| Live Update On Imported LDAP Connection | This setting is only applicable when multiple LDAP connections are configured. When enabled, if the PIN/carddata is already imported to Primis, Live Update will be first performed on the LDAP connection where the PIN/carddata is imported from in order to speed up the Live Update process. |

  4. Click the Save button to save the configuration.

...

  1. On the Active Directory Configuration page, click the Add LDAP Connection button.


  2. On the LDAP Connection page, enter the connection information of the LDAP Server. 

| Options | Description |
| --- | --- |
| Name | The name of the LDAP connection. |
| Server URL | The URL of the LDAP server. |
| Search Base | Using the query structure, this is the search base for all queries. |
| Domain | The DNS name of the domain that you would like to connect to. |
| Username (User ID) | This is a user that has permissions to query the active directory domain defined. |
| Password | Password of the active directory user. |

  3. Click the Test Connection button to confirm Primis can connect to the LDAP server.

...

  1. On the LDAP Connection page, click the Import Users button.

  2. Click the AD Users Import/Sync tab.

  3. On the Import Users page: To import all users, check the Import All Users box. To import users from Groups and OUs, click the entry in the Available box to move it to the Selected box. To search users in nested Active Directory groups, select the Nested Group Search checkbox.

| Options | Description |
| --- | --- |
| Import All Users From Groups | Imports all users who are part of the selected AD groups. |
| Import All Users From OUs | Imports all users found in the OU, and all sub OUs. |

  4. Click the Save button to save the import user configuration.

...

These fields are defined and statically mapped to AD attributes.

| Primis User Attribute | Active Directory Name |
| --- | --- |
| Username (User ID) | objectSID |
| First Name | givenName |
| Last Name | sn |
| Display Name | displayName |
| Email | mail |
| Telephone | telephoneNumber |

 Primis Selected Mapped Fields

| Primis User Attribute | Mapping Behaviour and Features |
| --- | --- |
| Start Date | The date must be a properly formatted date. If specified, it will be the start date of the user access. |
| Expiry Date | The date must be a properly formatted date, and will disable the user credentials after the defined expiry date. |
| Card Data | Map to multiple AD attributes. When a card is deleted from active directory, it will be deleted in Primis. Likewise, when a new card number is added to a user in active directory, it will be added to Primis. |
| Pin | Select mapping to a single AD attribute. This attribute will be mapped to the User PIN in Primis. The value in this AD attribute must be unique. |
| Access Linked AD Attributes | Map to multiple AD attributes. It will show up in a list of all possible assigned values across all users to assign to an access group. So assigning of values to users can be mapped to access groups. If the user has this attribute, they will be granted access. |
| User Category | Select mapping to multiple AD attributes. The first value found in the mapped AD attributes will be used as the user’s category. |
| Custom Fields | Select mapping to a single AD attribute. If an attribute is a multiple value string, attribute is chosen in active directory. Supporting a Custom Mapping Name. |

 Users Import Exclusion Filters

...

 To remove a Certificate Policy OID:

Click the X button next to the OID.

...

Extended Key Usage Extensions

...

To remove an extended key usage extension constraint:

Click the button next to the OID.

...

PKI Fault Options

...

  1. Go to System.

  2. Click Mobile to expand its sub-menus.

  3. Click Beacon Config.

  4. Enter the following information:

| Options | Description |
| --- | --- |
| Server | URL for the Beacon Server Portal |
| API Key | Key to access portal’s API. |
| API Version | Version of the portal’s API. |
| UUID | UUID for the Beacon count. |

  5. Click the Sync checkbox to enable periodic updates to Beacon status information. The default behavior is every two hours.

...

  1. Click on the Administration link from the System navigation tab.

  2. Click on the System Parameters sub link.

  3. Click on the file you would like to edit.

  4. Make any changes necessary to the text presented in the text area.

  5. If you would like a backup of the existing file, choose Write Backup.

  6. Check the Reboot after save box if a reboot is required. Keep in mind that for the changes to take effect a full system reboot is required.

  7. Click Save.

To Backup Parameter Files

  1. Click on the Administration link from the System navigation tab.

  2. Click on the System Parameters link.

  3. Select the file you would like to back up.

  4. To back up, click the Download link next to the file.

  5. Select a location to back up the file.

  6. Name the file with the extension *.ini.

  7. Click Save.

Main and Peer Configuration (Sync Enterphone Units)

...

Parameters in the sitePanel.ini file are:

| Options | Description |
| --- | --- |
| serverName | localhost or the IP address of the panel |
| panelId | The panel ID. This field should not be changed. |
| screensaverTimeOut | The number of seconds before the screensaver becomes active (0 deactivates the screensaver). |
| codeprefix | Filters suites codes based on this digit so that only suites with codes beginning with this number (or range of numbers) are displayed on this panel. |
| switchDigit | Calling suites with codes beginning with this digit or range of digits (ex. “1-5” or “1,3,6”) will trigger the Call Redirector Board to use a second line. |
| ringAltCount | The number of rings the dialer will wait before calling a suite’s alternate number. |
| hbCode | If set, a button will be displayed at the top of the directory and when it is pressed, the suite whose code is entered will be dialed. |
| activateOnDialPanelId | The Panel ID of a panel that is in a Controlled Area whose devices should activate whenever a panel is in use. This requires that a second panel be added to the local panel and that second ID used in the aforementioned Controlled Area. |
| directoryRows | The number of rows of suites displayed in the directory listing. |
| directoryColumns | The number of columns of suites displayed in the directory listing. |
| SSButtonHeight | Vertical placement of language buttons expressed in pixels from the top. |
| listBusTextCenter | Yes or No option to centre business names. |
| directoryFont | Resize the directory font. 0 is the default, +1 will increase the size, -1 will decrease. |
| businessFont | Resize the business listing font. 0 is the default, +1 will increase the size, -1 will decrease. |
| displaySuiteCode | Yes or No option to display each suite’s code in the directory. |
| rightAlignSuiteCode | Yes or No option to place suite codes on the left or right side of the display. |
| Display Call Button | Yes or No option that allows for removal of the call button beside a tenant’s name. |
| Search Only | Yes or No option that allows a user to use the panel only for searching for a tenant, no calling. |
| listTextColor | An RGB triplet that sets the colour of the suites listed in the directory. |
| listBusTextColor | An RGB triplet that sets the colour of the businesses listed in the directory. |
| listBGColor | An RGB triplet that sets the background colour of listings in the directory. |
| alternateBGColor | An RGB triplet that sets the alternating colour of listings in the directory. |
| cancelButtonColor | An RGB triplet of the color applied to the cancel button. |
| cancelButtonTextColor | An RGB triplet of the color applied to the text of the cancel button. |
| logoColor | An RGB triplet that sets the colour of the logo area. |
| buttonSelect | An RGB triplet of the colour applied to a button when it’s selected. |
| sbTrackColor | An RGB triplet of the colour applied to the back of the scroll bar. |
| keyColor | An RGB triplet that sets the colour of the touch keypad. |
| sbThumbColor | An RGB triplet that sets the color of the directory scroll button. |
| sbTrackColor | An RGB triplet that sets the colour of the directory scroll bar. |

Business Administrator Management

...