Primis Solution Guide 11.5
Introduction
- 1 Introduction
- 2 Initial Software Configuration
- 3 Primis Encryption Bridges
- 3.1 Discovering Primis Bridges on a Network
- 3.2 Finding a Primis Bridge on the Network
- 3.3 Using the Web-Based Primis Bridge Utility
- 3.4 Windows-Based Bridge Discovery Utility
- 3.5 Download BridgeUtil.exe from Primis Application
- 3.5.1 Device Properties
- 3.5.2 Reader Properties
- 3.5.3 Input Properties
- 3.5.4 LED Properties
- 3.5.5 Buzzer Properties
- 3.5.6 Relay Properties
- 4 Schedules
- 4.1 Schedule Management
- 4.1.1 Adding a Schedule
- 4.1.2 Special Days (Holidays)
- 4.1.3 Adding a Special Day
- 4.1.4 Labels
- 4.1.5 Adding a Label
- 4.1.6 Assigning a Special Day to a Schedule
- 5 Calendar Scheduler
- 5.1 Views
- 5.1.1 Day View
- 5.1.2 Week View
- 5.1.3 Work Week View (5-days)
- 5.1.4 Month View
- 5.1.5 Year View
- 5.1.6 Agenda View
- 5.2 Managing Calendar Events
- 5.2.1 Create a Single Day Event
- 5.2.2 Create a Daily Recurring Event
- 5.2.3 Update an Event Series
- 5.2.4 Remove an Occurrence in an Event Series
- 5.2.5 Reset an Event Series
- 5.2.6 Adjust an Occurrence Within an Event Series
- 5.2.7 Other Recurrence Exceptions
- 5.2.8 Setting the Default Calendar Scheduler Risk Level
- 6 Controlled Areas
- 6.1 How to set up
- 6.2 Primis offers two ways to handle Floor Access
- 6.3 Controlled Area Configuration
- 6.3.1 Configure a Door Controlled Area
- 6.3.2 Adding a Door Controlled Area
- 6.3.3 Config Tab
- 6.3.4 Unlock Schedule Tab
- 6.3.5 Door Monitor Tab
- 6.3.5.1 Door Held Open Alarm
- 6.3.5.2 Door Forced Open Alarm
- 6.3.6 Advanced Tab
- 6.3.7 Multi Card Swipe Tab
- 6.3.8 Floors Tab
- 6.3.9 Assign a Device to a Controlled Area
- 6.4 Alarm Instructions
- 6.5 Alarm Resolutions
- 6.6 Port Triggered Actions
- 7 Zone Groups
- 8 Access Groups
- 9 Users
- 9.1 Configuring a User’s Access
- 9.1.1 Adding a User Account
- 9.1.2 User Categories
- 10 Badge Printer Setup
- 10.1 Badge Printer Service Setup
- 10.1.1 Primis Setup with Facility Friend
- 10.1.2 Printer Setup
- 11 Primis Badging
- 12 Elevator Configuration
- 12.1 Elevator Management
- 12.1.1 Installing Hardware
- 12.1.2 Device Setup
- 12.1.3 Link Floor Areas to the Elevator Reader’s Door Area
- 12.1.3.1 Create a Floor Access Group
- 12.1.3.2 Assign Groups to the User
- 12.1.4 Example Scenario
- 12.1.4.1 Create a Floor Access Group
- 12.1.4.2 Assign Groups to Users
- 12.1.4.3 Operation
- 13 Events
- 13.1 Event Management
- 13.1.1 Viewing Events
- 13.1.2 Event Groups & Categories
- 13.1.3 Searching Events
- 13.1.4 Set Audit Data Search Criteria
- 13.1.5 Export to a CSV File
- 13.1.6 Export to a PDF File
- 13.1.7 Enhanced Access Denied Diagnostics
- 14 Reports
- 14.1 Reporting Management
- 14.1.1 Creating PDF Report Files
- 14.1.2 Creating CSV Report Files
- 14.1.3 Reports Available By Page
- 14.1.4 Time and Attendance Reports
- 15 System
- 15.1 Devices
- 16 Backup & Restore
- 16.1 Manual Backup and Restore Configuration (Data)
- 16.1.1 Manually Backup Data
- 16.1.2 Manually Restore Data
- 16.1.3 Local Automatic Backup and Recovery Management
- 16.1.4 Restore Database from Local Automatic Backup
- 16.1.5 Manual Backup of History (Event Logs)
- 16.1.6 Backup Local Business Admin Users
- 16.1.7 Open Log Files
- 16.1.8 Setting Up Remote Automatic Backups
- 17 Importing Data
- 18 Commercial Database Replication
- 18.1 Database Replication Setup
- 18.1.1 Configuring the Primary Server
- 18.1.2 Configuring Replica Server
- 18.1.3 Detaching Replica Server
- 19 Microsoft Active Directory (AD) Integration
- 19.1 Active Directory Overview
- 19.1.1 Single Server Deployment Example
- 19.1.2 Understanding Graceful Access
- 19.1.3 Design Consideration
- 19.1.4 Active Directory Configuration
- 19.2 LDAP Connections
- 19.3 Active Directory User Import
- 19.3.1 Filter Import by Organizational Unit and Group
- 19.3.2 User Attribute Mapping
- 19.3.3 Automatically Mapped Fields
- 19.3.4 Primis Selected Mapped Fields
- 19.3.5 Users Import Exclusion Filters
- 19.3.6 Understanding Attribute Based Access Control
- 19.3.7 Active Directory Administrator Import
- 19.3.8 Mapping Access Group Field to Physical Access Group
- 19.3.9 User Access Groups
- 19.3.10 Attribute Based Access Control Use Cases
- 20 Personal Identity Verification
- 20.1 Cardholder Registration Tool – VeriCert
- 20.1.1 Using VeriCert
- 20.2 Application Settings
- 20.2.1 Other Application Settings
- 20.3 Connection Settings
- 20.4 Enrolling Cardholders
- 20.5 Primis PIV
- 20.6 PIV Configuration
- 20.7 Certificate Manager
- 20.8 Certificate Policies
- 20.9 Extended Key Usage Extensions
- 20.10 PKI Fault Options
- 20.11 CRL Summary
- 21 Mobile Access
- 22 Managing Enterphone Panels
- 22.1 Enterphone Panel Settings
- 22.1.1 Enterphone (Controlled Area Tab)
- 22.1.2 Changing Screen Saver Image File
- 22.1.3 Changing Screen Saver Timeout
- 22.1.4 Calibrate Enterphone Screen
- 22.1.5 Enterphone Parameters Files
- 22.1.5.1 To Edit a Parameter file
- 22.2 Main and Peer Configuration (Sync Enterphone Units)
- 22.2.1 To Setup a Main and a Peer
- 22.2.2 Copy Common Data
- 22.2.3 Enterphone Panel File Configuration
- 22.2.4 Business Administrator Management
- 22.2.5 Create Business Users
- 22.2.6 Backup of Logs for Business Users
- 23 Alarm Management System (AMS) Lite
- 23.1 Overview
- 23.2 Navigation: Monitor With Maps And Video
- 23.2.1 Navigation Overview: Controlled Area Icon Supported Actions
- 23.2.2 Live Video For Mapped Cameras
- 23.2.3 View All Cameras
- 23.2.4 Navigation Overview: Login to NVR From Monitor Tab
- 23.2.5 Navigation Overview: Export View
- 23.2.6 Navigation Overview: Select Video and Send to Export View
- 23.2.7 Navigation Overview: Save Video Export View
- 23.2.8 Navigation Overview: Event Video
- 23.2.9 Navigation Overview: Event Clip Controls
- 23.3 Configure AMS Lite
- 23.3.1 Add a Map to AMS Lite
- 23.3.2 Place Controlled Area Icon On Map
- 23.3.3 Place Video Icon On Map
- 23.3.4 Mapping Icons
- 23.3.5 Remove Icon From Map
- 23.3.6 Configure Custom Map Icons
- 24 Alert Levels
- 24.1 Alert Level Management
- 24.1.1 Alerts Levels
- 24.1.2 Controlled Area Configuration of Alert Levels
- 24.1.3 Change of Alert Level
About This Guide
This guide is intended to be used as a standard guide for the Primis Access Control System. General Linux knowledge and Primis Certification Training Knowledge are expected.
Additional Documentation
To find documentation available for all products, go to https://www.identiv.com/Primis.
To find related vendor documentation on Cisco Switches, go to www.cisco.com.
To find related vendor documentation on Veridt Readers, go to www.veridt.com.
Initial Software Configuration
Administration Management
Starting the Primis Administration System
Launch a web browser (Internet Explorer, Firefox, or other browser that allows pop-ups).
In the Address field, type http://<Primis ip address>/ and press Enter. For convenience, this page should be bookmarked.
In most cases the default IP address of a server or a panel is 192.168.123.101; however, it might be different depending on the configuration specified. Please check the sticker located on the unit if the default IP address is not working.
Login and Log Out
To log in to Primis:
Enter the Default Username and the Password.
Click on the LOGIN button.
With certain older browsers pressing the Enter key causes an error message. Make sure to use the mouse to click on the Login button.
To log off, click on the Log Out button.
As a security feature, after a certain period of inactivity, Primis will automatically log you off. At that point, the login page will appear, and the user will have to log back in.
Navigating the Primis Software
Below is a screenshot of the Primis Administration software. It shows the optional Alert Level bar. Below the Alert Level bar are the Navigation Tabs, which give access to the main areas of the Primis software. The current tab is underlined (i.e. the System tab below). To the right of the Navigation Tabs is the Site dropdown box, where you can select the site to view or configure. The Log Out button is located beside the Site dropdown box. The Actions Bar near the bottom of the screen contains buttons to add, delete, edit, and save. The Quick Links at the bottom of the page reveal company, service, contact, and version information. The manual can also be downloaded from the Quick Links bar.
Each Navigation Tab contains Navigation Links on the left-hand side. If a navigation link contains a blue arrow at the end of the line, it can be opened to reveal its own sub-links. The current link is highlighted, and its selected sub-link is indicated by a black arrow.
You can close an open link by clicking its orange down arrow.
Adding a New Administrator and Deleting the Default Account
The first Administrator account created should be given full permission to manage all aspects of a Primis installation. Additional accounts can be given less control over the installation depending on the role that each user plays in managing or supporting the installation. Users with an Administrator Account for the installation cannot create, modify or delete other accounts that have more privileges than their own. The extent to which one can create, modify, or delete accounts is limited to users with fewer privileges than the account under which one is currently logged in.
It is recommended that the first task after login be to create an Administrator Account with full access to all pages so that the default “Primis” user can be deleted. This eliminates any security problems that might occur if the default user name is kept. Before deleting the default user, test the new one.
To create an Administrator Account with full access and delete the default user:
Log in to Primis using the instructions in Login and Log Out above.
Click on the System navigation tab at the top of the screen.
On the left, click the Administration link.
Click the Admin Users sub-link.
In the Actions bar, click on Add Admin User. The following screen is displayed:
Enter the User ID, Last Name, and First Name.
Enter a Password that is different than the one provided.
Verify the Password.
Beside Business, select All.
Beside Sites, select ALL.
Select Full Access for all of the parameters from Suites to Active Directory.
For Mustering, select the required level.
Select the Language that this full administrator would like to use.
Select the View Suite/User Page Size 10, 25, or 50 to set the default number of suites/users per page this admin user sees when viewing the listing.
Click Save to save the full access admin user.
Click the [Log Out] button to log off and test the new user ID.
Log in with the user ID and password that was created in the previous steps.
Verify that you can log in successfully and that your new user has full privileges.
Log out once more and log in using the default user account name.
Click on the System tab, Administration, Admin Users and select the default “Primis” user account.
Change one of its privileges and click Save.
Log out and log in again as your newly created user.
Go to Admin Users again and select the default “Primis” user account.
Click on Delete and OK.
Once the admin user is saved, the user ID field cannot be edited. This field specifies a unique admin user profile. You can change the other fields after an admin user profile has been saved.
Site Administrator Management
In addition to the full access administrator, there can be limited administrative users that can add/modify/delete cardholder access. The privileges of these admin users can be fine-tuned to restrict or grant access to certain functions of the software. These restrictions include the modification of Controlled Areas, Access Groups, Devices, and Users. Admin users can also be assigned to certain sites within Primis, further restricting and partitioning data, thereby limiting their Admin access.
To add an Admin User:
Follow Steps 1 to 15 above to add new Admin Users. Each of the software’s tabs or links is listed with the following options:
No Access: the tab or action will not appear in the toolbar or action menu for this admin user
Read Only: only read permissions are given to selected tabs or actions
Full Access: the user can modify every aspect of the section
You will be able to assign Admin Users to the sites that they are allowed to administer (for example, the user hoffjenn01 is limited to the control of the sites Distribution Centre, Huston Office, and Sales Office - Vancouver). Once the admin user logs in to the system, the sites that they have access to will appear in a dropdown list in the top-right corner of the screen. By selecting a Site from the dropdown list, the Admin User will only see data corresponding to that Site. Also, any data added (for example, a controlled area) will be added to the Site that is currently selected.
System Management
Set Date, Time, Time Zone Settings
Date and time settings for Primis servers can be set either manually or by using a network time protocol (NTP) server. An NTP server is the recommended method for keeping the date and time in sync with other systems.
Setup Network Time Protocol (NTP) Settings
An NTP server is the recommended method for keeping the date and time in sync with other systems. However, it does require either a local NTP server or an internet connection. The NTP server can be an internal, company-facing NTP server or an external, public-facing one.
To set the system time and date using NTP Settings:
Click on the System navigation tab.
On the left, click the Utilities link.
Click the System Date/Time sub link. The following screen is displayed.
Select a Time Zone from the dropdown box.
Check the Enable NTP box.
Enter an IP address or a hostname for the NTP Server. pool.ntp.org is a commonly used public NTP server. If no local NTP server is available, this hostname can be used.
Click Save.
When the time or the date of a Primis/Enterphone System is changed, schedules and events are not synchronized until midnight of the following day. For proper scheduling, please restart the Primis server using the reboot link from the Utilities section.
Change Date and Time Manually
If you are not using an NTP server, you can set the date and time manually.
Click on the System navigation tab.
On the left, click the Utilities link.
Click the System Date/Time sub link.
Select a Time Zone from the dropdown box.
Select the date from Set Date.
Select the time from Set Time.
Click Save to save the date and time.
Once the date is set, click the Reboot link at the bottom of the Utilities list.
Click the Reboot button.
System Card Format Support
The Primis Server has a built-in set of Card Format Definitions that determine how Wiegand data is translated (e.g. Wiegand 75 bit, FIPS-201 200 bit). Upon card swipe, Primis performs a sequential look-up of this list to find the best fitting definition.
To adjust this lookup behavior:
Click on the System navigation tab.
On the left, click the Manage Card Format link.
To speed up the card format search, put the most relevant definition at the top of the list. For example, if the installation is using Indala 36-bit cards, put the Indala 36-bit definition above all other 36-bit formats to ensure correct Wiegand data translation. Use the up/down arrows beside each definition to adjust the order of format preferences.
In case no suitable definition is available, use the Default Card Format drop-down list to select a default format. To narrow down the search, type the card format, and it will list the results. You can click on the required card format directly. Please note that the card format definition in Primis is highly customizable. Please feel free to contact Identiv Technical Support (support@identiv.com) should you require a custom format.
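The sequential look-up described above, modeled as an added example (this is not Primis code): the same 36-bit frame translates to different credentials depending on which 36-bit definition comes first. The first-match rule and the two 36-bit layouts are assumptions constructed for illustration and are not the Indala layout; the 26-bit entry is the standard H10301 layout.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

Span = Tuple[int, int]               # (start bit, length); bit 0 is the first bit received
Parity = Tuple[int, int, int, int]   # (parity bit, covered start, covered length, 0=even / 1=odd)


@dataclass(frozen=True)
class CardFormat:
    name: str
    total_bits: int
    fc: Span                         # facility code field
    card: Span                       # card number field
    parity: Tuple[Parity, ...] = ()

    def encode(self, fc: int, card: int) -> str:
        """Build a frame as a bit string (used only to construct sample input)."""
        bits = ["0"] * self.total_bits
        for (start, length), value in ((self.fc, fc), (self.card, card)):
            if not 0 <= value < (1 << length):
                raise ValueError(f"{value} does not fit in {length} bits")
            bits[start:start + length] = format(value, f"0{length}b")
        for idx, start, length, want in self.parity:
            ones = bits[start:start + length].count("1")
            bits[idx] = str((ones + want) % 2)
        return "".join(bits)

    def decode(self, bits: str) -> Optional[Tuple[int, int]]:
        """Return (facility code, card number), or None if length or parity does not fit."""
        if len(bits) != self.total_bits or set(bits) - {"0", "1"}:
            return None
        for idx, start, length, want in self.parity:
            if (bits[start:start + length].count("1") + int(bits[idx])) % 2 != want:
                return None
        f_start, f_len = self.fc
        c_start, c_len = self.card
        return int(bits[f_start:f_start + f_len], 2), int(bits[c_start:c_start + c_len], 2)


def lookup(formats: List[CardFormat], bits: str) -> Optional[Tuple[str, int, int]]:
    """Assumed first-match rule: the first definition that accepts the frame wins."""
    for fmt in formats:
        decoded = fmt.decode(bits)
        if decoded is not None:
            return fmt.name, decoded[0], decoded[1]
    return None


def accepting(formats: List[CardFormat], bits: str) -> List[str]:
    """Every definition that accepts the frame; more than one means list order decides."""
    return [fmt.name for fmt in formats if fmt.decode(bits) is not None]


# Standard 26-bit layout: even parity, 8-bit facility code, 16-bit card number, odd parity.
H10301 = CardFormat("26-bit H10301", 26, (1, 8), (9, 16), ((0, 1, 12, 0), (25, 13, 12, 1)))
# Two constructed 36-bit layouts that split the same 34 data bits differently.
LAYOUT_A = CardFormat("36-bit layout A (constructed)", 36, (1, 16), (17, 18))
LAYOUT_B = CardFormat("36-bit layout B (constructed)", 36, (1, 10), (11, 24))

# Constructed sample frame: a card issued under layout A.
SAMPLE_36 = LAYOUT_A.encode(fc=1234, card=56789)

if __name__ == "__main__":
    for order in ([H10301, LAYOUT_A, LAYOUT_B], [H10301, LAYOUT_B, LAYOUT_A]):
        print([f.name for f in order], "->", lookup(order, SAMPLE_36))
    print("definitions accepting this frame:",
          accepting([H10301, LAYOUT_A, LAYOUT_B], SAMPLE_36))
```

With the wrong definition first, the reader still produces a credential, just not the one enrolled, so the symptom is access denied for valid cards or numbers that collide with other cardholders rather than a read error.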
Customize Dealer and Installer Pages
The links for Dealer and Installer from the Primis Administration software can be configured to match the company that sold and installed the MESH system.
Click on the System navigation tab.
On the left, click the Administration link.
Click the System Parameters sub-link.
Edit the dealer.ini and installer.ini files using the in-browser editor or save and edit them locally and restore them.
For more information, please refer to the instructions in the MESH Parameter Files section.
Primis Encryption Bridges
Identiv’s Primis Encryption Bridges allow door hardware to be connected to Primis servers. Bridges for card readers communicate with Primis software. Data is received from card readers, encrypted, and sent via IP to a Primis server for processing. Relays on the Primis Bridge are activated by commands from a Primis server to lock or unlock doors.
Discovering Primis Bridges on a Network
Primis Bridges can be discovered using one of two methods: the Bridge Discovery Tool located in the Primis Administration Software, or the standalone Windows tool called Bridge Configuration Utility (BridgeUtil). For most systems, the built-in web-based discovery tool will be sufficient. If a Primis bridge is not located on the same LAN as the Primis server or is behind a switch/router where UDP multicast traffic is being blocked, the bridge utility application should be used on a PC located on the network where UDP traffic is not being blocked.
Finding a Primis Bridge on the Network
Once a Primis Bridge is connected to the network, you can scan the network for the added device and add it to the Primis Administration Software using the Primis Bridge Utility.
You can also find the Primis Bridge Utility at the bottom of the Devices - Main page; click on the Primis Bridge Discovery Tool check box.
Using the Web-Based Primis Bridge Utility
Click on the System navigation tab.
On the left, click the Utilities link.
Click the Bridge Utility sub link.
Click the [Scan Devices] button. This process might take a minute or two.
Click on the MAC address of the device you wish to provision.
Assign the appropriate IP information to the device or choose DHCP. You may need to contact your system admin for this information. If the DHCP checkbox is checked, the IP, Netmask and Gateway fields are automatically populated once the bridge receives the DHCP information.
To update Bridge Configuration only, click on Save. Note that it might take up to two minutes to save.
To update and add the Bridge to Primis, check the Save & Add Device To Primis checkbox and click Save.
Enter the name by which you’d like to refer to the device and click the Save button.
Lock Bridge Configuration
The Primis bridge configuration includes an option to lock the system configuration of the bridge. Once the configuration is locked, no changes to it can be made remotely.
Removing the lock requires a manual reset of the bridge, which resets the IP address, so the IP settings must be configured again.
Windows-Based Bridge Discovery Utility
The Primis Bridge settings can be changed by using Identiv’s Bridge Utility. This program (BridgeUtil.exe) is self-contained, does not require a special install program, and should run on Windows XP, 7, 8.1 and 10.
Download BridgeUtil.exe from Primis Application
Click on the System navigation tab.
On the left, click on the Utilities link.
Click the Download sub link.
Click on the BridgeUtil link and save the executable on the PC.
Locate BridgeUtil.exe where it was downloaded. Right-click on the executable and select “Run as administrator”.
Once the utility starts, click on the [Scan Devices] button and all the bridges on the local network will be displayed by MAC and IP addresses.
Double-click on the MAC address of the bridge that needs to be configured.
The settings may be changed and updated as needed. When done, click the Save button.
Device Properties
Each Primis Bridge model displays a different properties section. For example, a single port Primis Bridge will only have one reader, input and output properties section; two ports will have two, and so on.
The following tables describe the properties of Primis bridges.
Reader Properties
Options | Description |
Description | Reader description identifies the reader. |
Default Card Format | This field specifies the card that is being used with this bridge device. Auto card format will try to match the best fitting card format. The auto card format behavior can be managed by going to System, Devices and then Manage Card Format. For more information see the section on Managing Card Formats. |
Input Properties
Options | Description |
Description | This field identifies what input signal is being monitored. |
Activate Relay Output | This option configures the Primis Bridge to activate the specified relay when the input is shorted. Note: This feature is executed in the Primis Bridge hardware level and it does not require a connection to a Primis server. Thus, this is generally used as a “Request to Exit” function (e.g. via a push button). |
Activate Relay Output: Relay: | This drop-down list specifies which relay is to be activated when an input event occurs. This drop-down menu is only active if the above Activate Relay Output checkbox is checked. |
Default Activation Time | This drop-down list specifies the number of seconds that the relay activates when an input event occurs. |
Supervised Input Ready: | This checkbox is for Primis Bridge Devices that are equipped with supervised inputs. This field should be left unchecked unless the Input is Supervised. |
LED Properties
Description: Identifies the LED when adding to Port Trigger Actions or viewing in Activity Logs.
Buzzer Properties
Description: Identifies the Buzzer output when adding to Port Trigger Actions or viewing in Activity Logs.
Relay Properties
Options | Description |
Description | Description of the relay output. Identifies the relay in the Controlled Areas and Port Triggered Actions. |
Default Relay Position | Default power up position of the relay. |
Schedules
Schedule Management
A Schedule is a given period of time that is applied to different aspects of the software. If a Schedule is added to a Controlled Area, then that schedule activates the devices and outputs in that Controlled Area. If a schedule is linked to a Controlled Area, under User or Guest Access Groups, then the schedule enables or disables access to that controlled area only to the users that are contained in that User Access Group.
A single schedule can contain more than one Period. For example, a schedule named Business Hours can contain a period Monday through Friday, 9 AM ON TIME and 6 PM OFF TIME. If needed, multiple periods can be added to a single schedule.
In addition, Special Days can be added to enable or disable access for certain days only. For example, if a special day is set to January first then that schedule can be turned off on every January first or it can be set to be active only on January first.
The current state (on or off) of all the schedules can be seen on the Schedule tab.
Adding a Schedule
Click on the Schedules navigation tab.
In the Actions bar, click on Add Schedule. The following screen is displayed:
Enter a Name and Description.
Select Weekdays OR Special Days.
If you select Weekdays, check the box for each Week Day this schedule applies to and check the box for each Type of Special Day you would like to exclude from this schedule. To add a Special Day, see the instructions in the previous section.
If you select Special Days, this schedule applies ONLY to the Type of special day that you select in the dropdown box.
Enter an ON Time for this schedule.
Enter an OFF Time for this schedule.
Under Effective Dates, check the Always On box if this schedule is to remain in effect at all times or, if not, enter a Start Date and an Expire Date for this schedule.
Click Save.
Special Days (Holidays)
Special days are an optional addition to a schedule. They can be used for holidays or any other day where a schedule needs an explicit or relative period. Special days are added to schedules as a period so they may need to be configured before adding a schedule.
Adding a Special Day
Click on the Schedules navigation tab.
On the left, click the Days link.
In the Actions bar, click Add Special Day. The following screen is displayed.
Enter the Name of the Special Day.
Choose a number between 1 and 12 for this Type of special day. Special day types allow the grouping of different special days. For example, a Type 1 special day labeled First of Every Month could contain the first day of every month. In this case, there will need to be 12 special days added, all of them belonging to the Type 1 group.
Select Explicit or Relative. An explicit day is a particular day of the year while a Relative day is a day that will occur every month i.e. the first Monday of every month.
Enter the Month and Day of the special day if Explicit was selected; select the Day of the Week if Relative was selected.
Click Save.
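How the schedule fields above interact, as an added example (not Primis code): it evaluates whether a schedule is ON at a given moment and lists the special days on which a weekday schedule would still run because their Type was not excluded. The evaluation rules (inclusive effective dates, OFF time exclusive, ON before OFF on the same day, explicit special days only) and all sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, datetime, time
from typing import FrozenSet, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class SpecialDay:
    name: str
    day_type: int      # grouping number, 1..12
    month: int         # explicit special day: month and day of the year
    day: int


@dataclass(frozen=True)
class Schedule:
    name: str
    on_time: time
    off_time: time
    weekdays: FrozenSet[int] = frozenset()        # 0 = Monday ... 6 = Sunday
    excluded_types: FrozenSet[int] = frozenset()  # special day Types this schedule skips
    only_type: Optional[int] = None               # set for a "Special Days" schedule
    start: Optional[date] = None                  # start/expire both None models "Always On"
    expire: Optional[date] = None


def types_on(special_days: Sequence[SpecialDay], d: date) -> FrozenSet[int]:
    """Special day Types that fall on calendar date d."""
    return frozenset(s.day_type for s in special_days if (s.month, s.day) == (d.month, d.day))


def is_on(schedule: Schedule, special_days: Sequence[SpecialDay], when: datetime) -> bool:
    d = when.date()
    if schedule.start and d < schedule.start:
        return False
    if schedule.expire and d > schedule.expire:
        return False
    today = types_on(special_days, d)
    if schedule.only_type is not None:
        day_ok = schedule.only_type in today      # runs ONLY on that Type of special day
    else:
        day_ok = d.weekday() in schedule.weekdays and not (today & schedule.excluded_types)
    return day_ok and schedule.on_time <= when.time() < schedule.off_time


def special_days_still_on(schedule: Schedule, special_days: Sequence[SpecialDay],
                          year: int) -> List[Tuple[date, str]]:
    """Special days in `year` on which a weekday schedule would still switch ON."""
    if schedule.only_type is not None:
        return []
    hits = []
    for s in special_days:
        try:
            d = date(year, s.month, s.day)
        except ValueError:                        # e.g. 29 February in a non-leap year
            continue
        if is_on(schedule, special_days, datetime.combine(d, schedule.on_time)):
            hits.append((d, s.name))
    return sorted(hits)


# Constructed sample configuration.
DAYS = [SpecialDay("New Year's Day", 1, 1, 1), SpecialDay("Inventory Day", 2, 3, 12)]
BUSINESS = Schedule("Business Hours", time(9), time(18),
                    weekdays=frozenset({0, 1, 2, 3, 4}), excluded_types=frozenset({1}))
HOLIDAY = Schedule("Holiday Hours", time(10), time(14), only_type=1)

if __name__ == "__main__":
    print(is_on(BUSINESS, DAYS, datetime(2025, 1, 1, 10, 0)))   # Type 1 is excluded
    print(special_days_still_on(BUSINESS, DAYS, 2025))          # Type 2 was not excluded
```

Running the second function against an unlock schedule is a quick way to spot a special day whose Type was never checked in the exclusion list.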
Labels
Labels are an optional addition to Special Days. They can be used for holidays or any other day where a schedule needs an explicit or relative period. Labels are added to Days while adding Special Days.
Adding a Label
Click on the Schedules navigation tab.
On the left, click the Labels link. The following screen is displayed.
Enter the Name of the Label. A maximum of 12 different Labels can be added.
Click Save.
Now, while adding Special Days, choose a number between 1 and 12 for this Type of special day.
Assigning a Special Day to a Schedule
Once a special day is added, it can be programmed to be a part of a schedule.
Calendar Scheduler
Overview
This is the main workspace for calendar schedules. Here are the main components:
Main screen - This is the calendar scheduler workspace. The main screen has a set of navigation buttons on the left top corner. Various view buttons, such as Day, Week, and Month views are available at the right top corner. The top row labeled as “All Day” can show All-Day events and Special days defined in the “Schedules” section. Special Days are highlighted with stripes and have different color tones.
Left side pane - This area shows the controlled areas in the site. The checkboxes allow users to show and filter events on the main screen.
Sync Button - This button allows users to refresh schedules and push updates to Primis devices. Usually, the schedules will be updated by the Primis server at 3AM every day. By clicking the Sync button, the updates will be sent to the Primis server, and the schedules will be activated immediately for today. Resize the web browser to see the Sync button.
Calendar Events - Events can be recurring or one time. Recurring events are called “series” in the system. Users can create exceptions within a series to either skip certain days or adjust start/end hours.
Show Full Day - This will display the full day hours, 12AM-12PM.
Show Business Hours - Clicking this button displays only business hours, 8AM-5PM.
Views
Day View
Week View
Work Week View (5-days)
Month View
Year View
For the year view, every date that has a square border presents a special day (e.g. holiday). The one highlighted in blue marks today’s date. Any date that has a small “.” indicates that events are present on the day:
Agenda View
Managing Calendar Events
Create a Single Day Event
Navigate the calendar and locate the event date.
Double-click on an empty hour slot that is closest to the start of the event. A popup dialog will appear.
Fill out the title, and use datetime pickers to select the start time and end time of the event.
Fill out the Description and Custom input boxes if applicable.
Select the Risk Levels under which the event can commence. By default, new events are effective at Low, Guarded and Elevated levels.
Select one or more Controlled Area(s) in the next drop down list.
Users may pick a different color other than the default Blue.
Click “Save” to create the event.
Create a Daily Recurring Event
Navigate the calendar and locate the event date.
Double-click on an empty hour slot that is closest to the start of the event.
On the event dialog, click the “Daily” option on the “Repeat” bar.
Once the “Daily” recurrence rule is selected, more options will appear below.
Select a suitable recurrence rule for the event. For example, set “Repeat Every” to 1 day and “End” on Dec 6.
Click “Save”. We now have an event series that takes place 3 times in the week.
Update an Event Series
Double-click on an event block on the calendar.
Click “Edit the Series”.
Update information in the event dialog and click “Save”.
Event saved.
Remove an Occurrence in an Event Series
In the above example, change this 3-day event into a 2-day event that commences only on Dec 4 and 6.
Double-click the event block on Dec 5 in the calendar.
In the event dialog, click “Delete” to remove Dec 5 from the series.
Event Updated.
Reset an Event Series
To return the above example event to its original 3-day event, double-click on the event block.
Click the “Edit the Series” button.
In the event dialog, click “Reset Series”.
Click “Reset Series” again in the confirmation box. The event should return to its former setting.
Adjust an Occurrence Within an Event Series
To adjust the configuration of an occurrence within a series, such as changing start/end times, double-click on the occurrence event block and click “Edit Current Occurrence”.
Adjust start/end times.
Click “Save”.
Notice that the adjusted occurrence is now considered an exception although it is still part of the event. The event block has a slightly different icon.
Other Recurrence Exceptions
Weekly Recurrence.
Monthly Recurrence - can have the event repeat on a specific date every month or a weekday on a certain week of the month.
Yearly Recurrence - can be a fixed date of a month, a day of a certain week of a selected month (e.g. first Monday of November).
Setting the Default Calendar Scheduler Risk Level
Primis Administrators can set the default Calendar Scheduler Risk Level by following the steps below.
Click on the Administration link from the System navigation tab.
Click on the System Parameters sub link.
Click on the siteEngine.ini file to edit.
Set the default calendar schedule alert level as desired using one or more of the following: Low, Guarded, Elevated, High, Severe.
Make any changes necessary to the text presented in the text area.
If you would like a backup of the existing file, choose Write Backup.
Check the Reboot after save box if a reboot is required. Keep in mind that for the changes to take effect a full system reboot is required.
Click Save.
Controlled Areas
In general, Primis has two different types of Controlled Areas - Door and Floor Areas.
Door Areas are areas that have readers; in this case, the Door Area represents the in-cab reader. Floor Areas contain relay outputs that activate elevator access (e.g. button in the cab).
The administrator needs to first "link" a Door Area to its associated Floor Area(s). That means all floors that are accessible by the elevator need to be linked to the Door; in this particular case, the Door is simply the in-cab reader.
Floor Controlled Area is an Access Control Object that represents a floor. It contains the Primis Bridge output ports that are typically connecting to elevator control modules in the building. Floor areas can be linked to door areas in such a way that when Primis server grants access to a door, its associated floor area outputs can be activated. The cardholder’s floor access rights then determine which floor area should be activated.
How to set up
First, the administrator needs to create Door Areas to hold the elevator readers. Then for each controlled area, “link” the corresponding Floor Areas to it. In the above example, a Door Area called Elevator A is created that hosts “Cab A Reader”. This door needs to have linked Floor Areas “Cab A - FL 1”, “Cab A – FL 2” and “Cab A - FL3” that contain relays to elevator A’s control:
Elevator B would follow the same idea except that it is using Elevator B reader, Floor Area Cab B – FL 1 through to FL 3.
Primis offers two ways to handle Floor Access
Use separate Floor Access Groups
This is the original method implemented in 9.2 up to 10.1. The user will need to be assigned to a User Access Group that allows access to the various elevators. Floor Access Groups are then assigned to the user to give access to his floor.
This is what the User Access Group would look like for the above example:
This is what the Floor Access Group looks like for 1st Floor:
For the cardholder who has access to the 1st Floor, this is what his User and Floor Access Groups look like:
No separate Floor Access Group
This is a new option implemented in later versions of 10.1 and 9.2c. It reduces database migration effort from older systems such as 9.1, 8.7, and below.
To switch to this mode, in siteEngine.ini, set property “UseFloorAccessGroups” to “no”. Restart the server after the update (please note that once this mode is chosen, returning to the old method may require some database cleanup).
Once this mode is set, the “Floor Access Group” menu item will disappear from the Access tab:
In the above example, instead of having one Resident User Access Group and 3 Floor Access Groups, we need 3 Resident user groups, each of which covers elevator door access and one floor.
Each Residents group would have access to Elevator A and Elevator B controlled area:
Floor Access is folded into the User Access Group, in the second tab labeled “Floor Access and Schedules”. In the “Resident FL 1” User Access Group, it includes access to the first floor for both elevators:
When assigning Access Group, the administrator will select a group that will give the cardholder access to both elevators and his corresponding floor. Note that in this mode, the Floor Access Group select box is not present.
Controlled Area Configuration
Configure a Door Controlled Area
Controlled Areas are areas in a facility that are controlled by one or more devices such as Card Readers. Any area within a facility that requires controlled entry or exit must be set as a Controlled Area. An area can also be set to change from Secure to Unsecure based upon schedules or manual control.
Adding a Door Controlled Area
Click on the Controlled Areas navigation tab.
In the Actions bar, click Add Controlled Area. The following screen is displayed:
Enter a Name that describes the controlled area.
Enter an optional Description.
Select Door Area as the Area Type.
Select a Reader for the controlled area.
By default, Primis assigns input 1 as Door Contact and input 2 as Request to Exit. To choose a custom setting, check Custom and select the desired input mapping.
Click Save.
Once the controlled area is saved, different aspects of it can be modified.
Config Tab
The Config tab allows the configuration of the reader that is assigned to the controlled area.
For a Door area:
Select a Card Format for the Reader; set it to Auto to default to the system settings.
For the Door Contact, check the Suprv Ready box to indicate that the bridge input has supervised resistors set.
Set the Door Contact Switch to Normally Open or Normally Closed.
For Request to Exit, check the Suprv Ready box to indicate that the bridge input has supervised resistors set.
Set the Request to Exit Switch to Normally Open or Normally Closed.
Check the Activate Relay to set the lock to trigger when the REX is fired and select a Relay and enter the number of seconds for it to remain active.
For each of the Outputs, enter a Delay time (the number of minutes/seconds until the relay will fire) and an Activation Time (the number of minutes/seconds the relay stays open).
Select an Output for this door.
Enter an optional Description.
For each output, enter a Delay time (the number of minutes/seconds until the relay will fire) and an Activation Time (the number of minutes/seconds the relay stays open). Click the Show Accessibility box to enter an Accessibility Delay time and an Accessibility Activation time: this is a separate set of delays and activation times for users with special needs (e.g. wheelchair, crutches) that are used if the Accessibility check box is selected in that user’s setup page. See Chapter Users for more information on setting up a User.
Check the Latch Allowed box to allow the corresponding output to remain open (latched) when it is set to Open state either by the Administrator or through Unlock Schedule.
To add another Output line, click the + button beside the first output line.
Click Save when all outputs are configured.
Unlock Schedule Tab
A Schedule is a given period of time that is applied to Controlled Areas and Access Groups and is used to schedule device activation and alarms. If a schedule is added to a Controlled Area, then that schedule activates the devices and outputs in that Controlled Area. If a schedule is linked to a Controlled Area, under User or Guest Access Groups, then the schedule enables or disables access to that Controlled Area only to the users that are contained in that User Access Group.
For more information about schedules, please refer to Schedules.
In the Unlock Schedule tab on the View/Edit Controlled Area screen:
Select a Schedule for this controlled area.
Select an ON action.
Select an OFF action.
Select the box below each Alert Level that corresponds to the users in this controlled area: Low, Guarded, Elevated, High, or Severe.
To add another Schedule line, click the button beside the first schedule line.
Click Save.
First Person In Configuration
The “First Person In Option” ensures the controlled area scheduled unlock is only activated if a user is granted access to the controlled area either beforehand, using the Early Bird Window option, or during the scheduled unlock. This may be useful on days with inclement weather when employees cannot reach work. The controlled area is not automatically unlocked unless a badge holder is physically present. When the controlled area is accessed with a valid badge, the controlled area schedule is activated, and the controlled area will be unlocked.
The controlled area remains in default mode [Lock] until a valid badge is used to access the controlled area, even after the beginning time for the schedule.
A badge is required to activate the controlled area schedule anytime the controlled area mode is reset to Lock manually.
Login to Primis
Select Controlled Areas, as shown below
Select the controlled area to apply the First Person In Option
a. Select “Unlock Schedule” Tab
b. Select the controlled area Unlock Schedule
i. ON Action, choose Unlock
ii. OFF Action, choose Lock
iii. Select the + button
c. “First Person In” options are displayed
d. Select the checkbox for Enabled
e. Select the Access Group for the users desired to use first person in
f. Select Save
Access Group:
The access group that has the privilege to unlock the controlled area when entered. This allows the schedule to be enforced only by users with that access group assigned to them.
Early Bird Window:
A user can enter the facility ahead of the unlock schedule. Once Primis has determined that a valid user is in the area, it will unlock the door at the scheduled time. This ‘early bird’ window can be between 30 minutes and 3 hours. A typical scenario is a school teacher who enters the school an hour before it opens; the controlled area remains locked until the scheduled unlock time, when students can enter the facility. A card holder who enters the building before this window will not trigger the unlock schedule.
Close Area on Double Swipe:
The card holder with the specified access group can lock the controlled area with a double card swipe when the option is selected.
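The First Person In and Early Bird Window rules described above can be modelled as a small state machine. This is an added illustration, not Primis code: the function name, the event kinds GRANT and MANUAL_LOCK, and the "Teachers" group used in testing are assumptions made for the example.

```python
from datetime import datetime, timedelta


def fpi_timeline(start, end, events, fpi_group, early_bird):
    """Return [(time, "Unlock" | "Lock")] for one scheduled unlock period.

    events: (time, kind, groups) tuples, where kind is "GRANT" (a valid badge
    read at this controlled area) or "MANUAL_LOCK" (mode reset to Lock by hand).
    """
    if not timedelta(minutes=30) <= early_bird <= timedelta(hours=3):
        raise ValueError("Early Bird Window must be between 30 minutes and 3 hours")
    timeline = []
    unlocked = False   # the area starts in its default mode, Lock
    armed = False      # an authorised user arrived inside the Early Bird Window
    started = False    # the schedule start time has been processed

    def begin_schedule():
        # At the scheduled time the area unlocks only if someone armed it.
        nonlocal started, unlocked
        started = True
        if armed:
            unlocked = True
            timeline.append((start, "Unlock"))

    for t, kind, groups in sorted(events, key=lambda e: e[0]):
        if t >= end:
            break
        if not started and t >= start:
            begin_schedule()
        if kind == "MANUAL_LOCK":
            if unlocked:
                unlocked = False
                timeline.append((t, "Lock"))
        elif kind == "GRANT" and fpi_group in groups:
            if start - early_bird <= t < start:
                armed = True                     # early bird: unlock at start
            elif t >= start and not unlocked:
                unlocked = True                  # first person in, or re-arm
                timeline.append((t, "Unlock"))   # after a manual Lock
            # a badge read before the window opens changes nothing
    if not started:
        begin_schedule()
    if unlocked:
        timeline.append((end, "Lock"))           # OFF action at schedule end
    return timeline


if __name__ == "__main__":
    day = datetime(2024, 3, 4)
    # Constructed sample: school opens 08:00 to 16:00, one-hour early bird window.
    badge = [(day.replace(hour=7, minute=10), "GRANT", ["Teachers"])]
    for when, state in fpi_timeline(day.replace(hour=8), day.replace(hour=16),
                                    badge, "Teachers", timedelta(hours=1)):
        print(when.time(), state)
```

An empty timeline means the area stayed locked for the whole schedule, which is the inclement-weather case the option exists for.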
Door Monitor Tab
There are two Door Monitor Alarms for a controlled Door area: a Door Held Open Alarm that indicates a door being held open for a given period of time and a Door Forced Open Alarm that indicates that a door is being forced open without the use of a reader or an entry/exit device.
Primis tracks the status of a monitoring device and tracks the state of an entry and an exit device. Once an event is triggered, two output actions can be activated for generating a buzzer or an alarm.
In the Door Monitor tab on the View/Edit Controlled Area screen:
Door Held Open Alarm
Under Door Held Open Alarm, check the Enable box.
Enter the number of seconds in the Held Open Time box before the alarm will sound.
Select output in the Output 1 dropdown box; in the Action box, select Activate or Deactivate; in the Duration box, select the number of seconds the alarm will sound.
Repeat Step 3 for Output 2 if necessary.
Select the Schedule from the dropdown box that you would like applied to the action, or select Always On if you need the action to be enabled 24/7; check the Effective Except for this Schedule box to have the alarm sound during all schedules except this one.
Check the General Alarm box if you need this action to generate an alarm in the Events tab.
Check the Ack. Required box to require an acknowledgment from the AMS Server.
Select a Severity level from the dropdown box: Warning, Error, Alert, Critical, or Emergency.
If needed, a customized message can be added in the Instruction field that will be displayed in the log when the Alarm is triggered. The Instruction dropdown menu passes the selected instructions to the AMS Server. To create a new alarm instruction, click the Alarm Instructions link and click Add Alarm Instruction in the Actions bar.
Once done, click Save at the bottom of the window.
Door Forced Open Alarm
Under Door Forced Open Alarm, check the Enable box.
Select output in the Output 1 dropdown box; in the Action box, select Activate or Deactivate; in the Duration box, select the number of seconds the alarm will sound.
Repeat Step 2 for Output 2 if necessary.
In the Racing box, enter the number of seconds when the door contact state change is reported before the push button bar signal reaches the system. If Racing is set to 1, then the DFO will not fire if a REX is detected within one second of the door contact change state.
In the Shunt Window box, enter the number of seconds. This option shunts the alarm when the REX opens the door (no card scan releases the door).
Select the Schedule from the dropdown box that you would like applied to the action or select Always On if you need the action to be enabled 24/7; check the Effective Except for this Schedule box to have the alarm sound during all schedules except this one.
Check the Generate Alarm box if you need this action to generate an alarm in the Events tab.
Check the Ack. Required box to require an acknowledgment from the AMS Server.
Select a Severity level from the dropdown box: Warning, Error, Alert, Critical, or Emergency.
If needed, a customized message can be added in the Instruction field that will be displayed in the log when the Alarm is triggered. The Instruction dropdown menu passes the selected instructions to the AMS Server. To create a new alarm instruction, click the Alarm Instructions link and click Add Alarm Instruction in the Actions bar.
Click Save.
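How Held Open Time, Racing and Shunt Window interact is easiest to see on an event stream. The sketch below is an added illustration, not Primis code: the event kinds, the function name and the grant_s parameter (how long a granted card read authorises the door to open) are assumptions, and the Shunt Window is modelled as the number of seconds after a REX during which a door-open event raises no alarm.

```python
def door_monitor_alarms(events, held_open_s=30, racing_s=1, shunt_s=5,
                        grant_s=5, now=None):
    """Return [(time, alarm)] raised by one door's event stream.

    events: (seconds, kind) tuples with kind in GRANT (access granted at the
    reader), REX (request to exit), OPEN and CLOSE (door contact changes).
    now: optional current time, used to flag a door that is still open.
    """
    events = sorted(events)
    alarms = []
    last_grant = last_rex = open_at = None
    for i, (t, kind) in enumerate(events):
        if kind == "GRANT":
            last_grant = t
        elif kind == "REX":
            last_rex = t
        elif kind == "OPEN":
            open_at = t
            by_card = last_grant is not None and t - last_grant <= grant_s
            by_rex = last_rex is not None and t - last_rex <= shunt_s
            # Racing: the door contact change was reported before the REX
            # signal reached the system, so look a little way ahead.
            late_rex = any(k == "REX" and u <= t + racing_s
                           for u, k in events[i + 1:])
            if not (by_card or by_rex or late_rex):
                # The decision can only be made once the racing time is over.
                alarms.append((t + racing_s, "DOOR_FORCED_OPEN"))
        elif kind == "CLOSE":
            if open_at is not None and t - open_at > held_open_s:
                alarms.append((open_at + held_open_s, "DOOR_HELD_OPEN"))
            open_at = None
        else:
            raise ValueError(f"unknown event kind: {kind!r}")
    if now is not None and open_at is not None and now - open_at > held_open_s:
        alarms.append((open_at + held_open_s, "DOOR_HELD_OPEN"))
    return sorted(alarms)


# Constructed sample log (seconds since an arbitrary start), not real data.
SAMPLE_EVENTS = [
    (0, "GRANT"), (2, "OPEN"), (8, "CLOSE"),         # normal card entry
    (100, "REX"), (101, "OPEN"), (105, "CLOSE"),     # exit through the REX
    (200, "OPEN"), (200.5, "REX"), (204, "CLOSE"),   # contact reported first
    (300, "OPEN"), (303, "CLOSE"),                   # no card, no REX
    (400, "GRANT"), (401, "OPEN"), (450, "CLOSE"),   # propped open for 49 s
    (500, "GRANT"), (502, "OPEN"),                   # never closed
]

if __name__ == "__main__":
    for when, alarm in door_monitor_alarms(SAMPLE_EVENTS, now=600):
        print(when, alarm)
```

Running the same log with racing_s=0 turns the exit at 200 seconds into a false Door Forced Open alarm, which is the nuisance alarm the Racing setting is there to suppress.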
Advanced Tab
The Advanced tab on the Controlled Areas screen contains additional configuration flags:
Options | Description |
Toggle | Sets the Controlled area to Secure or Unsecure based upon an event other than a schedule. For example, an Authorized Card can change the state. Check the box for this function. Also provides ability to Disable the Door Monitor Event. Alarms are now enabled by default. This will not generate the alarm unless the Generate Alarm box is checked. |
Multi-Factor | Sets the number of Authorized Card Reads necessary to allow entry to the Area. Allows ability to implement 2-Factor or 3-Factor identification. |
Auth Mode | Relates to Multi-Factor. Sets the number of Users required for entry to the Area. Two Factor authentications for the number of factors to be used to activate an access granted: Single User, Multi-User, Guard Group. |
Guard Access Group | Defines the access group required for two-authentication. |
Auth Timeout | Relates to Multi-Factor. Set the number of seconds allowed between card reads. Note: a device that has Multi-Factor set can only reside in one Controlled Area. |
Exit Reader | Defines the exit reader. Required for counting for zone groups for Anti-passback and/or Muster reporting. |
Multi Card Swipe Tab
The multiple swipe action is intended to place multiple actions to change the state of a single Controlled Area, or an entire zone group on a pre-set number of card scans, in a defined window of seconds.
It is a recommended best practice to have the least secure action as the lower number and the higher secure action as the higher number.
Assigning a Multi Swipe Action by Group
In the Multiple Swipe tab on the View/Edit Controlled Area screen:
Select the Card Swipe Interval: the number of seconds that you count the multiple swipes for this controlled area.
Select a specific User Group if only the identified user group will have access to take action on this reader; select ANY to allow all user groups to have access.
Select a Controlled Area or a Zone Group to activate.
Select Open, Close or LOCKDOWN in the Action dropdown box.
Select a Schedule or select Always On.
Click Save.
Floors Tab
The Floors tab allows you to link one Controlled area to floors. Typically the controlled area is an elevator reader area and the linked Floor Controlled Areas are the floors that the reader would provide access to.
In the Floors tab on the View/Edit Controlled Area screen:
Select a Floor Controlled Area from the Linked Floor Area dropdown box to link to this controlled area.
NOTE: More details on Floor Controlled Areas can be found in Chapter Elevator Configuration.
Enter a Delay time (a pause before the relay fires, default is 0 seconds) and an Activation Time (the duration that the relay activates, default is 5 seconds).
Click the Show Accessibility box to enter an Accessibility Delay time and an Accessibility Activation time. This is a separate set of delays and activation times for users with special needs (e.g. wheelchair, crutches) that are used if the Accessibility check box is selected on that user’s setup page. See Chapter Users for more information on setting up a User.
To link another floor to this controlled area, click the add button +
Click Save.
Assign a Device to a Controlled Area
The following steps allow the user to associate a device to a Door Controlled Area that has not been assigned a device previously.
Click on the Controlled Areas navigation tab and select the Controlled Area that was just created.
In the Actions bar, click Assign Device.
In the Assign/Replace Door Reader screen, select a Reader for this controlled area.
Select Default or Custom
Default: will assign Input 1 to Door Contact, and Input 2 to REX.
Custom: Allows you to determine which input is the door contact, and which is the request-to-exit.
5. Click Save. The screen expands with more options. The administrator will be able to adjust Controlled Area parameters as described in the above sections.
Alarm Instructions
A customized message can be configured that will be passed to the AMS Server and displayed in the log when an Alarm is triggered. Alarm instructions can be used by Controlled Area’s Door Monitors or Port Triggered Actions in the next chapter.
To create an alarm instruction:
In the Controlled Areas navigation tab, click the Alarm Instructions link.
In the Actions bar, click Add Alarm Instruction. The following screen is displayed:
Enter a Description of the alarm instruction.
Enter any Details that pertain to this instruction.
Click Save.
Alarm Resolutions
Alarm resolutions are for the clear step of the alarm response process.
To create an alarm resolution:
In the Controlled Areas tab, click the Alarm Resolutions link.
In the Actions bar, click Add Alarm Resolution. The following screen is displayed:
Enter a Description of the alarm instruction.
Enter any Details that pertain to the instruction.
Click Save.
Port Triggered Actions
Port-triggered actions are output actions, such as alarms, triggered by a conditional input or output event from a device. Port triggered actions are useful for alarm monitoring and requests to exit.
If a port is triggered and either of two conditions is true, the Output Action is triggered. This output action can have a delay and an activation duration.
E.g. If Input 1 from a Primis Bridge is closed and the Front Door Reader’s Output is Not-Active then Front Door Reader’s Output should be Activated.
Adding a Port Triggered Action
Click on the Controlled Areas navigation tab.
On the left, click the Port Triggered Actions link.
In the Actions bar, click Add Port Trigger. The following screen is displayed:
Enter a Name for this action.
Select a Port Event from the dropdown list and select the state of the event: For inputs, choose Reset, Set, Error Break, or Error Short.
For outputs, choose Activate or Non Active.
Choose up to two Condition States for an output port and the condition of that device’s output port.
Combine two conditions with AND or OR from the dropdown list. For example, if Front Reader’s Output Port is Not-Active AND Front Door Trip Input 1 is Active then the Output Action is triggered.
Select an Output Action and select Deactivate, Activate, Buzzer On, Buzzer Off, Latch Active, Unlatch Active or No Action.
Enter the Delay before activation for the output action.
Enter the Activation Time for the output action.
Select a Controlled Area and its associated action: Open, Close, Enable panel, Disable panel, LOCKDOWN, or Toggle.
Select a Schedule that defines the time that the Port Triggered Action is going to be used or leave it as Always On.
Generate an Alarm enables or disables logging of this Port Triggered Action in the alarm logs, desktop alarm client, and AMS servers.
Choose the Severity of the alarm level: Info, Warning, Error, Critical, Alert, or Emergency. When set to Alarm, this will log the action to the Alarm Log.
If needed, a customized message can be added in the Instruction field that will be displayed in the log when the Alarm is triggered. The Instruction dropdown menu passes the selected instructions to the AMS Server.
Select an Alarm Area.
To tag an NVR camera clip to the Port triggered event, select the camera from the NetCam drop-down list. Before Event and After Event specify the time window (in seconds) of the clip relative to the event.
Click Save.
Zone Groups
Zone Group Management and Anti-Passback
Zone Groups allow users to group various Controlled Areas to form a Perimeter Security Zone where Anti-passback rules can be applied.
Adding Zone Groups
Click on the Controlled Areas navigation tab.
On the left, click the Zone Groups link.
In the Actions bar, click on Add Zone Group.
Enter a Name for the zone group.
Enter an optional Description of the group.
Check the Anti Passback Enabled box to enforce anti-passback for this zone group.
In the Anti Passback Forgiveness dropdown box select from the following options:
Options | Description |
Never | User cannot re-enter the perimeter until they pass through an exit reader or enter an area that is outside of the zone group. Otherwise Primis administrators have to manually reset the user’s anti-passback lock. |
Midnight | Anti-passback lock will be forgiven at midnight. |
Every 12 hours | This forgives anti-passback locks twice a day: at noon and midnight. |
Every 6 hours | This forgives anti-passback locks every 6 hours (e.g. midnight, 6am, noon, 6pm). |
Every 2 hours | This forgives anti-passback locks every 2 hours (e.g. midnight, 2am, 4am, etc.) |
Every hour | This forgives anti-passback at the top of every hour. |
Every 30 minutes | This forgives anti-passback at the top and 30 minutes of the hour. |
8. Check the APB Enforced on Exit Readers box to enable this feature; anti-passback is imposed on exit readers also. You must set EnforceExitAccessRight to Yes in siteEngine.ini – go to the System tab, Administration, System Parameters page to edit this file.
9. Select a group of users in the Exempt Access Groups if you want them to be exempt from anti-passback rules.
10. Click Save.
Assigning Controlled Areas to Zone Groups
Once Zone Groups are created, controlled areas can be assigned to the zone groups. A Zone Group is a security perimeter that contains multiple controlled areas. Each zone group can exercise anti-passback rules in its controlled areas. For example, a building with two entrances can be seen as a zone group with two controlled areas (doors). If the anti-passback rule is enforced in this building, a person cannot enter through one door and re-enter either door without first exiting the building.
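The anti-passback rule, the forgiveness options and the exempt groups can be exercised on the two-entrance building described above. This is an added model for illustration, not Primis code: the class, field and reader names are assumptions, forgiveness boundaries are counted from midnight, and only exit readers (not areas outside the zone group) clear a lock.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Anti Passback Forgiveness options from the table above, as minutes between
# automatic resets counted from midnight (None means "Never").
FORGIVENESS_MINUTES = {
    "Never": None,
    "Midnight": 24 * 60,
    "Every 12 hours": 12 * 60,
    "Every 6 hours": 6 * 60,
    "Every 2 hours": 2 * 60,
    "Every hour": 60,
    "Every 30 minutes": 30,
}


def last_forgiveness(now, option):
    """Latest forgiveness boundary at or before `now`, or None for "Never"."""
    step = FORGIVENESS_MINUTES[option]
    if step is None:
        return None
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    elapsed = int((now - midnight).total_seconds() // 60)
    return midnight + timedelta(minutes=(elapsed // step) * step)


@dataclass
class ZoneGroup:
    """Hypothetical model of one zone group (field names are assumptions)."""
    entry_readers: set
    exit_readers: set
    forgiveness: str = "Never"
    apb_on_exit: bool = False            # "APB Enforced on Exit Readers"
    exempt_groups: set = field(default_factory=set)
    inside: dict = field(default_factory=dict)   # user -> time of last entry

    def is_locked_in(self, user, now):
        """True while the user holds an unforgiven anti-passback lock."""
        entered = self.inside.get(user)
        if entered is None:
            return False
        boundary = last_forgiveness(now, self.forgiveness)
        if boundary is not None and entered < boundary:
            del self.inside[user]        # lock was forgiven at the boundary
            return False
        return True

    def swipe(self, user, groups, reader, now):
        exempt = bool(self.exempt_groups & set(groups))
        if reader in self.entry_readers:
            if not exempt and self.is_locked_in(user, now):
                return "DENY_APB"        # already inside: card was passed back
            self.inside[user] = now
            return "GRANT"
        if reader in self.exit_readers:
            if self.apb_on_exit and not exempt and not self.is_locked_in(user, now):
                return "DENY_APB"        # exit without a recorded entry
            self.inside.pop(user, None)
            return "GRANT"
        raise ValueError(f"reader {reader!r} is not part of this zone group")

    def reset_user(self, user):          # manual reset of one user's lock
        self.inside.pop(user, None)

    def forgive_all(self):               # the [Forgive All] button
        self.inside.clear()


def replay(zone, swipes):
    """Apply (time, user, groups, reader) swipes in order; return decisions."""
    return [zone.swipe(u, g, r, t) for t, u, g, r in swipes]


def sample_swipes():
    """Constructed sample for a building with a north and a south entrance."""
    day = datetime(2024, 3, 4)

    def at(h, m):
        return day + timedelta(hours=h, minutes=m)

    emp, guard = ["Employees"], ["Guards"]
    return [
        (at(8, 0), "alice", emp, "north-in"),
        (at(8, 5), "alice", emp, "south-in"),     # second entry, no exit
        (at(8, 10), "alice", emp, "north-out"),
        (at(8, 11), "alice", emp, "south-in"),
        (at(11, 59), "alice", emp, "north-in"),   # still locked
        (at(12, 0), "alice", emp, "north-in"),    # forgiven at noon
        (at(12, 1), "guard", guard, "north-in"),
        (at(12, 2), "guard", guard, "south-in"),  # exempt access group
        (at(12, 3), "bob", emp, "north-out"),     # exit with no entry on record
    ]
```

Replaying sample_swipes() against a zone configured with "Every 6 hours" forgiveness, exit enforcement and an exempt "Guards" group denies the passed-back card at 08:05 and 11:59 and grants it again at noon.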
To assign a Controlled Area to a Zone Group:
Click on the Controlled Areas navigation tab.
On the left, click on the Zone Groups link.
Click on the Zone Group to edit.
In the Controlled Areas drop-down box, select all the Areas that are to be included.
Click Save.
Resetting Anti-Passback Manually
Primis Administrators can manually reset Anti-passback locks by editing the zone group record:
Click on the Controlled Areas navigation tab.
On the left, click on the Zone Groups link.
Click on the Zone Group to edit.
In the Edit Zone Group page, click the [Forgive All] button.
Click Save.
Manually Reset a User’s Anti-Passback Lock
Primis Administrators can manually reset a user’s anti-passback lock via the Users page:
Click on the Muster navigation tab.
Check the box in the Reset column next to the user and click the [Reset] button above it.
Mustering
The Muster tab has two sub-links: Muster/Anti Passback and Emer. Mustering. This functionality must be turned on in licensing.
Muster/Anti-Passback
This page shows a live view of the number of users who have entered or exited from a Controlled Area. You can also go here to identify who is in what areas for anti-passback.
Emergency Mustering Report
The Emergency Mustering Report tab allows you to create custom area reports by Access Group and Controlled Area to support operations. This report is useful when security staff want to find out who is in the designated safety area (e.g. a zone group) during an emergency.
To create a custom Mustering Report:
Click on the Muster navigation tab.
On the left, click on the Emer. Mustering link. The following screen appears:
Select the Zone Group which represents the designated safety zone.
Select Access Groups to report on.
Select User Categories to report on.
Enter an Alarm Message Token to identify when a tagged event is enabled; it will grab the last event date and time as an anchor point to help highlight users who have entered the safety zone before the alarm took place. If there is no alarm required, leave this input blank.
Select the Zone Groups to be excluded in Report and select In, Out, or Both from the State dropdown box for each Controlled Area selected. This feature helps to filter areas from the report that are not relevant to the alarm event.
Click the Add button to add this report to your list of Mustering Reports. These reports will list at the top of the screen and as sub-links on the left once they are created.
Access Groups
Access Group Management
An Access Group is an organizational unit in which users can be placed. This lets the administrator apply access rights to groups instead of people, for ease of administration. This also lets the administrator make changes to a group of people as opposed to having to change the rights individually. An access group can have 1 or thousands of people (user accounts) assigned to it. There are also Floor Access Groups that allow access to specific floors and Guest Access Groups that work in conjunction with MESH panels. The instructions for adding each type of group are the same.
Adding a User, Floor or Guest Access Group
Click on the Access navigation tab.
Click on the User Access Groups, Floor Access Groups or Guest Access Groups link.
In the Actions bar, click on Add Access Group. The following screen is displayed:
Enter a Name and a Description.
Select the Risk Levels during which this group will have access: Low, Guarded, Elevated, High or Severe (the current risk level is always displayed at the top of the Primis screen). For more information on Risk Levels see the Alert Level Management section.
Select a Controlled Area for this group.
Select a Schedule for the Controlled Area. If that controlled area is not going to be accessed by that User Access Group, leave the schedule as Always Off.
If you need an additional line for extra Controlled Areas and/or Schedules, click the + button beside the current line. To delete a line, click the x button.
Click Save.
Global User Access Groups
In Primis version 11, User Access Groups can be global to all sites. This makes Access administration more efficient for large enterprise systems. For example, all employees within an enterprise are assigned a general Access Group “Employees”. This group can be associated with any controlled area/schedule pairs at any site.
To create a Global User Access Group:
Click on the Access navigation tab.
Click on the User Access Groups.
Enter a Name and a Description.
Click Global Group check box.
Click Save to create the Access Group.
Once a Global Group is added, it will be visible to all sites. Administrators can associate it with any controlled area-schedule pairs that are local to the selected site.
Notice the Icon that highlights the Global Access Group “Employees”.
Users
Configuring a User’s Access
A User’s right to access through a door or to a floor is set up by entering a person into an Access Group. This Access Group is set to have the right to gain access to certain areas (controlled areas) of a facility at certain times (schedules). The following chart is a guide to setting up a person’s access rights.
Typically, schedules are configured first and then controlled areas are configured. Once done, these are attached to an Access Group. The final step is to assign a User to an Access Group.
Adding a User Account
In order to assign cards or key fobs to people, User Accounts must be set-up. During this process, a User is assigned to an Access Group (or multiple Access Groups) which in turn defines their Access Rights. To set up a User Account do the following:
Click on the Users navigation tab.
In the Actions bar, click on Add User. The following screen is displayed.
Enter the user’s Last Name.
Enter the user’s First Name.
Select Yes or No to Display this user’s name in the Directory if there is an intercom on the panel.
Select this user’s Suite. This is also for Intercom functionality.
Enter the MESH Card Number.
Enter the Wiegand Card Number that is assigned to the user or click on the [Read Card] button and present the card to the reader - the Wiegand number will automatically fill in the field. If the number is unknown, a card reader can be set up as an enrolment reader. To set up an enrolment reader, click on Select Enrolment Reader from the left menu and select the appropriate card reader.
Enter a PIN number for the card. This is for Intercom functionality.
Enter the user’s Email address.
Enter the user’s Telephone number.
Select the User Access Groups in the Available box that should be assigned to this user and click the right arrow button to move the group to the Selected box.
Select the Floor Access Groups for this user.
Enter the Date that the user’s access rights will Start.
Select Never, or enter the Date that the access rights of this user will Expire.
Click the Accessibility box if this is a user with special needs (i.e. wheelchair or crutches) that requires the longer Accessibility Delay and Activation times configured in Controlled Areas.
Select Yes to Enable Admin Functions if this user is an administrator – the View/Edit Admin User options will become available.
Click Save.
User Categories
You now have the ability to filter a global database of users by user category. Admin Users can be configured to see specific user categories.
Click on the Users navigation tab.
On the left, click on the User Categories link.
To add a new user category enter a Category ID number and a Category Name and click the add button.
To remove a User Category click the delete button.
Once you have created all of your User Categories you can assign them to your Admin Users in order to filter the users they have access to. Please refer to the Admin Users section to assign the categories.
Badge Printer Setup
Facility Friend is an easy-to-use, web-based, Enterprise-class, visitor and parcel management system. A receptionist, concierge, or security officer can register and sign in visitors to track who, and where they are visiting within a facility.
Facility Friend now ships as a Primis module; Facility Friend logins sync with Primis. Hosts are integrated from Primis into Facility Friend to sync the cardholder database as your list of hosts with Site Support. You can sync Visitors within Facility Friend to a Default Access Group within Primis.
Currently Supported Printers:
HID Fargo DTC4500
HID Fargo DTC4500e
Evolis Tattoo
Evolis Pebble
Badge Printer Service Setup
Primis Setup with Facility Friend
The Primis system must have some basic configuration completed before you can use the Facility Friend module. Please refer to Appendix A – Basic Primis Setup with Facility Friend to ensure you have set up the Primis system for using Facility Friend.
Printer Setup
Some printer and driver configurations must be done before you can proceed with printing Facility Friend Badge Cards. However, no special licensing is required.
To download the Facility Friend Print Utility installer:
Log into Primis.
Click on the System navigation tab.
On the left, click the Utilities link.
Click the Download sub link.
You will find the Print Utility installer (PrintUtilSetup92b.exe) under Downloads. If not there please contact technical support. Save it to a Windows folder such as c:\tmp.
Download the printer driver from the Internet for the printer you’ll be using to print your badges (e.g. for the HID Fargo DTC 4500 or 4500e go to http://www.hidglobal.com/drivers) and install the driver.
After installing the driver install the printer:
Click on the Search button at the bottom left of your computer and look for “Printers & Scanners”.
Click on Add Printers & Scanners.
Choose Add a local printer or network printer with manual settings
Select Create a new port and select DTC… in the Type of port dropdown box. Click Next.
Enter the TCP/IP Printer Port address of the printer you will be using to print the badge cards and click Next.
Click Next again.
Click Finish.
If you installed the printer driver successfully it will be listed under Manufacturer.
Note: If installing a DTC4500, choose Fargo (not HID) and the desired printer model, in this case DTC4500e. Click Next.
Select Use the driver that is currently installed (recommended) and click Next.
Enter a name for the printer or keep the default. Make a note of the printer name – you will need to add this name to the Facility Friend Printer Utility later. Click Next.
Select Share this printer so that others on your network can find and use it and enter its Share name. Click Next.
Go back to the folder where you downloaded the Facility Friend Print Utility installer (ffPrintUtilSetup.exe), e.g. c:\tmp, and double-click on it.
Click on Next when you see the Welcome screen.
Choose an installation folder or stay with the program files default and click Next.
Click Install.
Once you see the final screen click Finish.
Click on the Show Hidden Icon that is located in the bottom right-hand corner of your screen. It looks something like this:
Right-click on the taskbar and click Taskbar settings and click on Select Which Icons appear on the taskbar.
Locate the (Identiv) ffPrintUtil.exe print utility and toggle the radio button to ON.
Its icon will now appear on the bottom right where the other notification icons are displayed.
Right-click on it and choose Open.
In the Select Printer dropdown box, select the name of the printer you entered in Step 10 of these instructions.
Click on the Configuration tab and note the port number (1024 is the default).
Click the white x to close the Facility Friend Print Utility.
Primis Badging
Primis Badging Configuration
Please make sure that you have completed the basic Primis configuration as outlined in Appendix A so that you have a Primis device, a controlled area, a schedule, two user access groups, and two user categories called 0050C2CC37F2, ControlArea1, 24x7, HostUAG and VisitorUAG, and Visitors and Hosts respectively.
Badging Template
The Primis Badging tool is similar to other Vector drawing tools such as Illustrator and CorelDraw.
To create a Badging Template:
Log into Primis.
Click on the Users tab.
On the left, click on the Badging link.
In the Actions bar, click Add Badging Template.
Enter the Name MainBadgeTemplate and the Description as Double-sided template.
Click on Save.
A default template is created with the site name (Main is the default), first name, last name, and card expiry date, all of which are defined when creating a user. Click on Edit Badge. The following screen is displayed:
Just like other vector drawing tools, in order to edit the template you must first click on one of the icons on the left and then execute the desired action. For example, to enter text, click on the A icon on the left of the screen, click anywhere on the template you are editing, and add the text:
In the same manner you can add a standard Primis user data field. To enter a data field click on the A icon again, click anywhere on the template you are editing, and select a data field from its drop-down near the top of the screen:
The following data fields are supported:
First Name
Last Name
Primis Site (the default site is Main)
Photograph
User Category
Telephone
Start Date
Expiry Date
E.g. you can add a user’s telephone number:
…as well as the category and an image (Import Image):
10. Click on the save icon at the top:
11. Click the Save button:
The following screen is displayed. Note how the preview changed with the enhancements made while editing the badge.
12. Click on the Badging link and then the Add Badging Template button to create another template for the back of the double-sided card, e.g. BackTemplate. Click Save.
13. Click on Edit Badge and enter the information for the back of the badge card. E.g.:
14. Click on the save icon at the top:
15. Click the Save button. The following screen is displayed. Note again how the preview changes with the enhancements made to this second template.
16. Click on the Badging link to display the two templates that you have created.
17. Click on the MainBadgeTemplate and select the second template, BackTemplate, from the Back Side dropdown box to create a double-sided badge template.
18. Click Save.
Adding and Printing Badges for Users
We will now create a Host user with some of the data fields used to create the badges we defined.
Click on the Users link from within the Users tab.
In the Actions bar, click Add User.
Enter the Name of the user, as well as a Wiegand Card Number and a Telephone number.
Click the HostUAG User Access Group to move it to selected.
Note how Badge lists the templates (MainBadgeTemplate and BackTemplate) we created before.
Click Save.
Stay on the same screen and note how its title has changed to View/Edit. Confirm that the Badge is set to MainBadgeTemplate and the Category is set to (the previously created) Hosts (see Appendix A for more details on Categories.)
Click on Upload Photo to upload a photograph of the user.
Enter an Expire Date.
Click Save.
10. The options at the bottom of the screen change when the badge is saved. Click on Print Badge.
A preview is shown of the front (MainBadgeTemplate) and back (BackTemplate) of the card with the actual user data fields completed.
11. Click on the Config button. The following screen is displayed:
12. Enter the IP Address of your Windows workstation (not the one for the printer unless they are the same) where you installed the Facility Friend Print Utility.
13. Enter the Port number used by the printer whose name you noted during configuration of the Facility Friend Print Utility (Step 23 in Printer Setup).
14. Click on the Test button.
If you don’t get a Connection Test Successful! message, double-check the IP address and the port number, and make sure that you can access the Windows workstation from the Primis Linux server or from another computer. If you believe that the IP address and the port number are correct and the Test button fails, double-check the Firewall on your Windows workstation.
15. If the Test above is successful click on Save.
16. Click on Back.
17. Click on Print Badge.
18. Go back to your Windows workstation and you will notice a blinking print utility icon and two consecutive message bubbles:
19. If you click on the blinking (yellow) print utility icon you will see a preview of the information sent to the printer.
We will now create a Visitor User:
Click on the Users link.
In the Actions bar, click on Add User.
Enter a Name for the user as well as Wiegand Card Number and a Telephone number.
Select MainBadgeTemplate in the Badge dropdown box.
Select VisitorUAG as its User Access Group.
Click Save.
Edit the User and select Visitor from the Category dropdown box.
Set the Expire date to 26, August 2023.
Click Save.
Click on the Users link. Note how we’ve created two users, each with different card #s and different access groups.
Elevator Configuration
Elevator Management
In Primis, each reader can be assigned to only one Door Area. In order for Primis to activate floor relays upon a card swipe, it now has a new Floor Controlled Area type that can link to a Door Area where the elevator reader resides. Each Floor Area contains outputs that would activate its corresponding elevator controls. In order for users to obtain access to floors, they would need to have both User Access Groups (for card access) and Floor Access Groups (for elevator/floor access).
Installing Hardware
Install a Wiegand reader in the cab, and connect its Wiegand wires to a FB9 adaptor.
On the FB9 adaptor board, change the address to 1 using the dip switch.
Run an RS485 cable long enough to connect the FB9 adaptor to the FB5 board which is located in the elevator/engine room of the building. This cable will likely run along the elevator shaft. Relays on the FB5 would be used to interface with the Elevator Control System in the elevator/engine Room.
Device Setup
In the Primis Software, make sure that the FB5 (Digital IO) device has been added in the System – Devices tab. See Primis Bridge Configuration for more information.
Create a Controlled Area - Type Floor
Click on the Controlled Areas navigation tab.
In the Actions bar, click Add Controlled Area.
Enter a Name and Description for the Controlled Area.
Select Floor Area in the Area Type dropdown box.
Click Save.
Add All Outputs that Belong to that Floor
This is intended to trigger all of the outputs that a user has access to. If a user has access to multiple floors, you would select all of the outputs that complete the circuit.
Once the Controlled Area is saved, the Outputs and Unlock Schedule tabs appear.
Select a device Output for this Floor controlled area. You may select and add multiple Floor Areas. Click the plus sign button to add the selected Output(s).
To create an unlock schedule, click on the Unlock Schedule tab. Please see the Unlock Schedules section of the Controlled Areas chapter earlier in this document for more information.
Click Save.
Link Floor Areas to the Elevator Reader’s Door Area
Create a Door Area and assign it to the elevator reader. Link all the Floor Areas that the reader can provide access to.
Create a new Controlled Area with the elevator reader.
In the new Controlled Area’s Floor tab, select all the associated Floor Areas; specify the desired activation time and click +.
Create a Floor Access Group
Create a floor access group to link the controlled area to a floor. You can have multiple floor access groups added to a single controlled access group.
Click on the Access navigation tab.
On the left, click on the Floor Access Group sub link.
In the Actions bar, click Add Floor Access Group.
Enter a Name and a Description and click Save.
Check the box(es) beside the Risk Level allowed for this floor.
Select the Controlled Area to link to this floor access group. If you need an additional controlled area, click the + button to add another line.
Click Save.
Assign Groups to the User
Add permissions to a floor access group in the User account. This grants access to the floor access group relays defined under the floor group created.
Click on the Users navigation tab.
Click on a User.
Scroll down to the Floor Access Group boxes and click on the Available Floor Access Group to move it to Selected. Select all floor access groups for this user.
Click Save.
Example Scenario
The building has 3 floors with one elevator cab. A reader is installed inside the elevator cab. As the tenant enters the elevator, he/she needs to present a card to access the floor(s) that he/she has rights to.
Controlled Area Configuration
Click on the Controlled Areas navigation tab.
In the Actions bar, click Add Controlled Area.
First, we want to create a Door Controlled Area for the Elevator Reader. In this example select FB5’s Reader 1 and this will be the cab reader.
Since there are 3 floors, you will create 3 Floor Controlled Areas. Name the first one Floor 1 Elevator Control and enter an extra Description line if necessary.
Select Floor Area in the Area Type dropdown box.
Select the FB5’s Reader 1 as its (Entrance) Reader. This Reader 1 will be the cab reader.
Click Save.
The Outputs and Unlock Schedule grid will appear. In the Outputs tab, select the FB5 Relay that activates Elevator Control Access to Floor 1 (e.g. relay 1).
Click on the Unlock Schedule tab to assign a schedule for this elevator if desired. For more information, please refer to the Unlock Schedule section of Chapter Controlled Areas.
Click Save.
Repeat Steps 2 to 9 to create a Floor 2 Elevator Controlled Area and add the same FB5 Reader in it as its entrance reader. In the Outputs tab, add the FB5 Relay that activates Elevator Control Access to Floor 2 (e.g. relay 2).
Repeat Steps 2 to 9 to create Floor 3 Elevator Controlled Area and add the same entrance reader and Floor 3 relay (e.g. relay 3).
Return to the Door Controlled Area created in Step 3, go to the Floors tab, and add the three Floor Controlled Areas to it.
Create a Floor Access Group
Create a floor access group to link the controlled area to a floor. You can have multiple floor access groups added to a single controlled access group.
Click on the Access navigation tab.
On the left, click on the Floor Access Group sub link.
In the Actions bar, click Add Floor Access Group.
Enter a Name and a Description and click Save.
Check the box(es) beside the Risk Level allowed for this floor.
Select the Controlled Area to link to this floor access group. If you need an additional controlled area, click the + button to add another line.
Click Save.
Assign Groups to Users
You can assign a User Access Group to give general access to your users or a Floor Access Group to give them access to specific floors.
Click on the Users navigation tab.
Select a Floor 1 user from the list of users.
Scroll down to User Access Group or Floor Access Group. Click on the “Floor 1” Access Group in the Available box to move it to the Selected box.
Repeat Step 3 for all Floor 1 users.
Repeat Step 3 to add the “Floor 2” Access Group to all Floor 2 users and “Floor 3” Access Group to all Floor 3 users.
Click Save.
Operation
As a Floor 1 User presents the access card to the cab reader, the reader LED should light up (access granted) and allow elevator access to Floor 1 (e.g. Floor 1 button lights up).
Similarly, a Floor 2 User’s card would allow the user to access Floor 2 inside the cab.
Events
Event Management
Primis systems keep logs of certain activities and problems with devices under the Events tab.
The Events tab displays information such as the access attempts to the building and if they are granted or not. Calls placed, answered and wrong numbers dialed from the panels are logged. If a MESH Panel has the optional camera installed, a snapshot of the user is taken once access is granted by a suite. Scheduled opening or closing of a controlled area and any communication loss or device problems are also displayed. Alarm logs will also be displayed under the optional AMS Server. Preventative and proactive measures should include the scheduled review of these event logs.
Viewing Events
The Events page refreshes automatically depending on login settings and is divided into a grid. The grid sections contain information about the event that took place. Multiple devices whose states are changed as a result of one event are grouped together to help with readability. Expanding an event will show all the resultant device changes.
Click on the Events navigation tab. The following screen is displayed:
Check the boxes above the grid to display the following options:
Live Update: check this box to update the table when there is live data or pause it for discussion and/or troubleshooting.
Local Time: the local monitoring time of the system.
Category: the final category of what is occurring.
Event Code: the events that are supposed to occur.
Current Site Only: the current site; leave unchecked to show data for all sites.
Access Events Only: only show access-related events. To see all I/O and logic leave this box unchecked.
From the Display dropdown box, select Today, Last 3 days, This Week or This Month.
Select the number of entries to Show on one page.
You can filter the view by entering Search criteria and/or selecting the Type of event you’d like to view from the dropdown box. Type in the search text and hit Enter.
As the user enters search content, Primis provides type-ahead hints. If the user prefers using a wildcard search, type ‘*’ to suspend type-ahead and continue to enter search text.
Primis version 11 allows search criteria to contain multiple search categories. An implicit OR gate is applied to search criteria of the same category and an implicit AND gate is applied to search criteria of different categories. In the following example, the criteria reads: “Last Name is ‘Lee’ or Last Name is ‘Hudson’ AND controlled area is ‘Front Internal Door’”.
To search for a specific event of a particular time window, please refer to Searching Events in the next section.
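The OR-within-a-category, AND-across-categories rule decides which events a filter hides during a log review. The sketch below is an added example, not Primis code: the event field names, the exact case-insensitive comparison and the sample events are assumptions, and it compares the documented rule with the two common misreadings of the same filter.

```python
from collections import defaultdict

# Constructed sample events. The field names are assumptions for this sketch,
# not the Primis event schema.
EVENTS = [
    {"id": 1, "last_name": "Lee", "controlled_area": "Front Internal Door"},
    {"id": 2, "last_name": "Hudson", "controlled_area": "Front Internal Door"},
    {"id": 3, "last_name": "Lee", "controlled_area": "Parking Gate"},
    {"id": 4, "last_name": "Ortiz", "controlled_area": "Front Internal Door"},
]

# The criteria from the example in the text, as (category, value) pairs.
CRITERIA = [
    ("last_name", "Lee"),
    ("last_name", "Hudson"),
    ("controlled_area", "Front Internal Door"),
]


def group_by_category(criteria):
    """Collect the values entered for each category, keeping entry order."""
    grouped = defaultdict(list)
    for category, value in criteria:
        grouped[category].append(value)
    return dict(grouped)


def term_matches(event, category, value):
    """Exact, case-insensitive comparison (an assumption; wildcards are not modelled)."""
    return str(event.get(category, "")).casefold() == value.casefold()


def search(events, criteria):
    """OR within a category, AND across categories. No criteria matches everything."""
    grouped = group_by_category(criteria)
    return [
        e for e in events
        if all(any(term_matches(e, cat, v) for v in values)
               for cat, values in grouped.items())
    ]


def search_any_term(events, criteria):
    """Misreading 1: every term OR-ed together (returns too much)."""
    return [e for e in events if any(term_matches(e, c, v) for c, v in criteria)]


def search_all_terms(events, criteria):
    """Misreading 2: every term AND-ed together (returns too little)."""
    return [e for e in events if all(term_matches(e, c, v) for c, v in criteria)]


def describe(criteria):
    """Render the filter with its implicit operators written out."""
    groups = [
        "(" + " OR ".join(f"{cat} is '{v}'" for v in values) + ")"
        for cat, values in group_by_category(criteria).items()
    ]
    return " AND ".join(groups) if groups else "(no filter)"


if __name__ == "__main__":
    print(describe(CRITERIA))
    print("documented rule:", [e["id"] for e in search(EVENTS, CRITERIA)])
    print("all terms OR-ed:", [e["id"] for e in search_any_term(EVENTS, CRITERIA)])
    print("all terms AND-ed:", [e["id"] for e in search_all_terms(EVENTS, CRITERIA)])
```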
Event Groups & Categories
All events fall into one of the following groups and categories. In addition, every event in the system has an event id associated for searching.
Event Groups | Category | Description |
Access Control Activity | User | Cardholder activity on the system. |
| Port | Identifier of the device on which the activity occurred. |
| Door | The controlled area where the activity occurred. |
System | System | The system on which the activity occurred. |
| Device | The bridge or device on which the activity occurred. |
| Port | The port on which the system data occurred. |
| Database | The database in which the system data occurred. |
| Credential | The credential data or error information. |
| LDAP | Active Directory sync data and errors. |
| Network | Data errors and other critical network data. |
Admin | Login/Logoff | Administrator authentication log. |
| Operator Action | Action done by the operator using AMS-Lite. |
External System | Video | Video activity events and errors. |
Searching Events
You can search events to track access or errors over several days. When searching events, it is possible to filter results by particular devices or events and it is also possible to generate a PDF or a CSV document from your search results.
Click on the Events navigation tab.
On the left, click on the Search Events link. The following screen is displayed:
Enter a From and To Date and Times for the data you wish to search.
Enter Search Criteria in the Filters input box.
Click the [Search] button to retrieve result set records.
The result set is shown in the area below the search criteria. The user may choose to download a copy of the result set in either CSV or PDF format by clicking the corresponding buttons.
Set Audit Data Search Criteria
Click on the System navigation tab.
On the left, click on the Utilities link.
Click on the Audit Data sub link. The following screen is displayed:
Enter a From and To Date and Times for the data you wish to search.
Enter a User ID.
In the Change box, enter a specified string from the audit logs to search through the data that has changed.
Select an Action.
In the Original Data box, enter a specified string from the audit logs to search through the original data. For example, you could search for a card number in the original field to find out who previously had this card.
Select a Function.
Click the [Search] button.
Export to a CSV File
You can export Event and User search data to a CSV file by clicking the CSV button.
Export to a PDF File
Data on the Device tab can be exported to a PDF file by using the PDF button.
Enhanced Access Denied Diagnostics
Primis now has the ability to display why a user was denied in the system with all of the possible complex options. This data will also display in the activity details.
Event ID | Description |
10202 | Denied - CA Locked Down |
10203 | Denied - Invalid License |
10204 | Denied - Anti Passback |
10205 | Denied - Card Disabled |
10206 | Denied - User Deactivated |
10207 | Denied - User Expired |
10208 | Denied - Access Expired |
10209 | Denied - Risk Level |
10210 | Denied - Start Date Error |
10211 | Denied - Certificate Revoked |
10212 | Denied - Certificate Chain Invalid |
10213 | Denied - Certificate Signature Invalid |
10214 | Denied - Certificate Timestamp Invalid |
10215 | Denied - SSL Validation Error |
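For the scheduled review of event logs, the denial codes above can be summarised from a CSV export. This is an added example, not part of Primis: the CSV column names, the timestamp format, the two triage groupings and the repeat threshold are assumptions, and the sample rows are constructed (99999 stands in for any non-denial event).

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Event IDs and descriptions copied from the table above.
DENIED_REASONS = {
    10202: "CA Locked Down",
    10203: "Invalid License",
    10204: "Anti Passback",
    10205: "Card Disabled",
    10206: "User Deactivated",
    10207: "User Expired",
    10208: "Access Expired",
    10209: "Risk Level",
    10210: "Start Date Error",
    10211: "Certificate Revoked",
    10212: "Certificate Chain Invalid",
    10213: "Certificate Signature Invalid",
    10214: "Certificate Timestamp Invalid",
    10215: "SSL Validation Error",
}

# Triage groupings chosen for this example (not a Primis concept).
CERT_FAILURES = {10211, 10212, 10213, 10214, 10215}
STALE_CREDENTIAL = {10205, 10206, 10207, 10208}

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed; match it to a real export

# Constructed export. The column names are assumptions.
SAMPLE_CSV = """\
Local Time,Event Code,Card Number,Controlled Area
2023-08-01 08:00:05,10207,4411,Front Internal Door
2023-08-01 08:00:40,10207,4411,Front Internal Door
2023-08-01 08:02:10,10207,4411,Front Internal Door
2023-08-01 08:15:00,10204,5120,Parking Gate
2023-08-01 09:30:12,10212,6002,Server Room
2023-08-01 09:45:00,99999,7000,Front Internal Door
2023-08-01 11:00:00,10204,5120,Parking Gate
"""


def load_denials(csv_text):
    """Parse the export and keep only rows whose event code is a denial."""
    denials = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            code = int(row["Event Code"])
            when = datetime.strptime(row["Local Time"], TIME_FORMAT)
            card = row["Card Number"].strip()
            area = row["Controlled Area"].strip()
        except (KeyError, TypeError, ValueError, AttributeError):
            continue  # malformed row: skipped here, worth counting in production
        if code in DENIED_REASONS:
            denials.append({"time": when, "code": code, "card": card, "area": area})
    denials.sort(key=lambda d: d["time"])
    return denials


def repeated_denials(denials, threshold=3, window=timedelta(minutes=5)):
    """Map (card, area) to the largest number of denials seen inside one window,
    for pairs that reach the threshold. Expects denials sorted by time."""
    times_by_key = defaultdict(list)
    for d in denials:
        times_by_key[(d["card"], d["area"])].append(d["time"])
    flagged = {}
    for key, times in times_by_key.items():
        start = best = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[key] = best
    return flagged


def triage(csv_text):
    """Summarise denials: counts per reason plus three review lists."""
    denials = load_denials(csv_text)
    return {
        "by_reason": Counter(DENIED_REASONS[d["code"]] for d in denials),
        "cert_failures": [d for d in denials if d["code"] in CERT_FAILURES],
        "stale_credentials": sorted(
            {d["card"] for d in denials if d["code"] in STALE_CREDENTIAL}),
        "repeated": repeated_denials(denials),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_CSV)
    for reason, count in report["by_reason"].most_common():
        print(f"{count:3d}  Denied - {reason}")
    print("certificate/SSL failures:", [d["card"] for d in report["cert_failures"]])
    print("disabled or expired cards still presented:", report["stale_credentials"])
    print("repeated denials:", report["repeated"])
```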
Reports
Reporting Management
In most sections of the Administration Software, it is possible to generate a report (or several types of reports) for that section. Reports are generally used for auditing purposes and to view the data for a section in one place making at-a-glance viewing and printing easier. Generated report files are in PDF file format. Adobe’s Acrobat Reader might be required to view these files.
Because generating reports requires accessing data that may be privileged, it is important that the user you are logged in as and under which you would like to generate a report has adequate permissions to access the report-generating functionality of Primis.
Creating PDF Report Files
PDF files can be generated from most pages by clicking on the [PDF] button beside the Search box. This will generate a PDF file and the user will be asked to save the PDF file in a local folder, or the file will be saved to a default location, depending on browser settings.
PDF reports can be generated for the following pages: System, Suites and Businesses, Users, User and Guest Access Groups, Controlled Areas and Port Triggered Actions, Schedules and Special Days.
Creating CSV Report Files
A CSV file can also be generated on the Users, Suites and Businesses, and Events pages. To download, click on the [CSV] button next to the Search box.
Reports Available By Page
Page | Report Name | Description |
Users | Users Report | Creates a list of all of the users in the database for review. |
Access | User Access | Creates a list of all of the user access groups in the list. |
| Guest Access | Creates a list of all of the guest access groups in the list. |
Controlled Area | Controlled Areas | Creates a list of all of the controlled areas. |
| Port Triggers | Creates a list of all port triggered actions currently in the system. |
Schedules | Schedule | Creates a list of all schedules and their respective periods. |
| Special Days | Creates a list of all of the special days currently in the system. |
Events | Attendance | Working in accordance with anti-pass back for in-out readers to determine if someone was in the building. |
| Alarm Monitor | Reports all alarms that occurred on the system between the requested date and time. |
| Alarm Activity | Reports all alarms that occurred on the system between the activity and the real system. |
Suites | Suites | Provides a list of all the suites in the system. |
| Businesses | Provides a list of all of the Business units in the system. |
Time and Attendance Reports
The Primis System is capable of generating reports of who has entered a particular Controlled Area in a given time frame, and who is currently in a particular area. This controlled area needs to have an Entrance and an Exit reader programmed. A report can also be generated in PDF format or CSV to be imported into a spreadsheet or database application.
Click on the Events navigation tab.
On the left, click on the Reports link.
Click on the Attendance sub link.
Enter a From/To date and time.
Select the Zone Group(s) of interest.
Optionally select User Category of interest.
Optionally provide a Suite number, Card number, First or a Last name.
Select either CSV or PDF report type. The two additional types – CSV summary and PDF Summary reports would show daily card holder attendance summaries. All access transaction details are omitted.
Click the Search button.
System
Devices
Virtual Devices allows admin users to create virtual IO points. These IO points are not tied to physical devices but can be used as logical flags (e.g., Set / Reset) for Port Trigger Action operations. This device type is also used to work with custom applications.
To add a Virtual Device:
Go to System->Devices
At the bottom, click the submenu button and click “Add Virtual Device”
On the next page, a unique Device ID is populated automatically. Please do not alter this ID unless it is used by customer applications. Enter the name of the virtual device and click “Save”:
A virtual device has 1 virtual reader, 2 inputs, and 4 outputs. It can be added to a controlled area as if it were a regular bridge/EG-2 device. Such a setup can be used by custom applications.
A virtual device output can be used by Port Triggered Action as a flag to trigger other actions:
In the above example, when Front Door Relay 1 is activated, the port trigger action will set “My Virtual Device” output 1 to the “Set/On” state. This new state can be used by other port-triggered actions to take further actions.
Backup & Restore
Manual Backup and Restore Configuration (Data)
It is recommended that regular backups of the database are made. Backup files should be stored on digital media such as flash drives or CDs and preferably kept in a secure place. Because the backup files can contain sensitive information they should be protected from unauthorized access.
Manually Backup Data
Click on the System navigation tab.
On the left, click on the Administration link.
Click on the Backup Data sub link.
Find the location to store the file on the local computer.
Click Save
Manually Restore Data
Click on the System navigation tab.
On the left, click on the Administration link.
Click on the Restore Data sub link.
Click the Choose File button. This will display the contents of the local computer.
Find and open the backup file.
Select the type of Restore:
Select Data Only if using a backup file from another unit.
OR
Select All Settings only if using a backup file from the same unit.
7. Click the RESTORE button.
8. Reboot the system using the reboot link in the Utilities section.
Local Automatic Backup and Recovery Management
Mesh systems do an automatic backup every day. These backup files can be used to bring the system back to a previous state before a file corruption may have occurred. These are done locally, and are part of the standard internal operation of all Mesh and Mesh systems.
Restore Database from Local Automatic Backup
Click on the System navigation tab.
On the left, click on the Administration link.
Click on the Backup Data sub link.
Click the plus (+) sign beside Restore from a system backup. This will display a list of previously saved back up files. These files are sorted by date.
Click the Restore button beside the correct backup file.
Reboot the system using the Reboot link from the Utilities section.
Manual Backup of History (Event Logs)
All activities a system performs, such as dialing a suite from the panel, allowing PIN access, and allowing (or denying) access control activities, are logged. Anyone whose user profile grants them access to the log can view and search the logs, and if the optional camera is installed, view photographs of people who use a system to access a building. Once a date is specified for backup a compressed ZIP file is created.
This file can be uncompressed using standard compression utilities built in to Windows. After uncompressing the logs a program like Open Office or Microsoft Excel is needed to view the uncompressed comma separated value (CSV) file. The log backup file cannot be restored back. It is only for auditing purposes.
Backup Local Business Admin Users
Because business admin users can’t access the System tab, the backup log instructions are different. Please refer to the Backup of Logs for Business Users section for more information.
Open Log Files
Decompress the Log file that was saved in the previous sections.
Use either Microsoft Excel or a CSV compatible application to view the CSV file.
Setting Up Remote Automatic Backups
Click on the System navigation tab.
On the left, click on the Utilities link.
Click on the Remote Backup sub link.
Select the Backup Method:
CIFS/SMB (Linux System Backup)
FTP
SFTP
5. In the Server field, enter the IP address with the corresponding protocol.
6. Enter the Remote file system Path.
7. Enter the User name and Password that have permissions to write to the server and path.
8. Select the Frequency of backups to be sent to the file:
Now – Sends when you select Save. Recommended for testing the initial backup.
Hourly
Daily
Weekly
Monthly
9. Click Save
Importing Data
To import data to the database, import a template from the Import Data screen under the System -> Administration -> Utilities tab. When importing data to the database it will be added to existing data. Existing data will not be replaced by this function. Suite, Suite Code, and Business Name have to be unique in the imported data and existing data. User field does not need to be unique, but it will create duplicates if identical names are imported.
Obtain a Data Template
Click on the System navigation tab.
On the left, click on the Utilities link.
Click on the Import Data sub link.
At the bottom of the page under To obtain a Data File Template, right-click on the template and select “Save Target As...”, “Save Link As...”, or equivalent option from the pop-up menu that appears.
Select a directory to save the Mesh data backup file in the “Save as” dialog box.
Name the template with the .xls extension. For example, user-template.xls.
If the “Download complete” dialog box persists after the copy completes, click Close. Follow these steps carefully to append data to the database.
Setting up a database file to import:
Open the template file using MS Excel, or a compatible spreadsheet application. Fill in the data.
Do not delete or change the header cells in the template or the import will fail.
Save the file to the comma-separated values (*.csv) format.
Always import the Business file first, followed by the Suites file, then the Users file.
The result page displays the imported lines that generated errors. To correct the errors, create a new data file with the corrected data of those lines only and import the new data file.
In the Users template, leave the User Id column blank. This field is reserved for the Mesh system.
Importing Data
Select the type of data that is being imported from the Target Data table dropdown menu.
Click Browse.
Find the data file that is being imported; make sure it is in CSV format.
Click the Import button to add the data to the database. If no errors are displayed, the import is complete.
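Because an import only appends and rejected lines have to be re-imported separately, it helps to check a file against the rules above before uploading it. The checker below is an added example, not a Primis tool: the column layouts, the case-insensitive uniqueness test and the sample files are assumptions, and the real header row must come from the downloaded template.

```python
import csv
import io

# Assumed column layouts for this sketch. In practice, use the header row of
# the template downloaded from the Import Data page, unchanged.
SUITES_HEADER = ["Suite", "Suite Code", "Business Name"]
USERS_HEADER = ["User Id", "First Name", "Last Name", "Suite"]

# Constructed sample files.
SUITES_CSV = """\
Suite,Suite Code,Business Name
101,1001,Acme Dental
102,1002,Acme Dental
101,1003,Borealis Law
103,1002,Borealis Law
104,2000,Borealis Law
"""
USERS_CSV = """\
User Id,First Name,Last Name,Suite
,Ana,Lee,101
17,Raj,Hudson,102
"""


def check_import(csv_text, template_header, unique_columns=(),
                 existing=None, blank_columns=()):
    """Return a list of (line_number, message) problems; an empty list means
    the file satisfies the checks.

    unique_columns: columns that must not repeat in the file or in `existing`.
    existing:       {column: values already in the database}.
    blank_columns:  columns reserved for the system that must stay empty.
    """
    reader = csv.reader(io.StringIO(csv_text))
    header = next(reader, None)
    if header != list(template_header):
        # A changed header makes the whole import fail, so stop here.
        return [(1, f"header differs from template: {header!r}")]

    known = {col: {v.casefold() for v in (existing or {}).get(col, ())}
             for col in unique_columns}
    seen = {col: {} for col in unique_columns}  # value -> first line number
    problems = []

    for row in reader:
        line_no = reader.line_num
        if not any(cell.strip() for cell in row):
            continue  # blank line left behind by the spreadsheet
        if len(row) != len(header):
            problems.append(
                (line_no, f"expected {len(header)} cells, found {len(row)}"))
            continue
        record = dict(zip(header, (cell.strip() for cell in row)))

        for col in blank_columns:
            if record[col]:
                problems.append((line_no, f"{col} must be left blank"))

        for col in unique_columns:
            key = record[col].casefold()
            if not key:
                problems.append((line_no, f"{col} is empty"))
            elif key in seen[col]:
                problems.append(
                    (line_no, f"{col} {record[col]!r} repeats line {seen[col][key]}"))
            elif key in known[col]:
                problems.append(
                    (line_no, f"{col} {record[col]!r} already exists in the database"))
            else:
                seen[col][key] = line_no
    return problems


if __name__ == "__main__":
    suites = check_import(SUITES_CSV, SUITES_HEADER,
                          unique_columns=("Suite", "Suite Code"),
                          existing={"Suite": ["104"]})
    users = check_import(USERS_CSV, USERS_HEADER, blank_columns=("User Id",))
    for line_no, message in suites + users:
        print(f"line {line_no}: {message}")
```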
Commercial Database Replication
Database Replication Setup
Database replication is used for Primis systems that are intended to operate as redundant systems: all information is communicated to a hot standby that bridges and users can communicate with in the event of a failure. These are also the steps to deploy remote Primis cube appliances for the sections that are needed.
The instructions below set up database replication between 2 or more Primis servers. Before starting, verify that the full version numbers of the Primary and the Secondary nodes are identical.
Configuring the Primary Server
Configure the firewall to allow incoming connections on port 31415.
Login to the Primis administration software using the system user. Call Identiv Support if you need the system password.
Click on the System navigation tab.
On the left, click on the Administration link.
Click on the System Parameters sub link.
Click on the siteEngine.ini file to edit it.
Edit the line that reads DBMode=single and change it to DBMode=principal
Click Save.
Select and edit a different System Parameters file called start.ini
Edit the line that reads #sds.service=no and change it to sds.service=yes
Click Save and Reboot the server.
Once the system is rebooted, log back in with the system user and go to the System tab.
In the scope pane on the left, click on Utilities.
Click DB Replication.
Fill in the text boxes on the screen.
Host Name: This is the IP address of the principal server.
Sync Name: Name for the configuration. Enter something that will identify the principal server. This field must be alpha-numeric.
Sync Protocol: Select http or https. In order to use https, additional configuration is required to install an SSL certificate on the principal and replica servers.
Sync Port Number: Select the TCP port number that replica servers will be connecting to. The TCP port number selected must be configured in the firewall to allow incoming connections. The Primis server is preconfigured to support port 31415; additional configuration on the server is required if another port number is used.
Click the Save button. The principal node configuration will be displayed in the Principal Node section. The Delete button of the principal node allows users to remove the principal configuration from the server. It will be disabled if there are replica nodes attached to the principal. The Stop Replication button allows users to stop the database replication process. The Restart Replication button allows users to restart the database replication process. The Refresh Server Cache button allows users to refresh the Primis server cache to the replica nodes.
Configuring Replica Server
Login to the Primis administration software using the system user. Call Identiv Support if you need the system password.
Click on the System navigation tab.
On the left, click on the Administration link.
Click on the System Parameters sub link.
Click on the siteEngine.ini file to edit it.
Edit the line that reads DBMode=single and change it to DBMode=replica
Click Save.
Select and edit a different System Parameters file called start.ini
Edit the line that reads #sds.service=no and change it to sds.service=yes
Click Save and Reboot the server.
Once the system is rebooted, log back in with the system user and go to the System tab.
In the scope pane on the left, click on Utilities.
Click DB Replication.
Fill in the text boxes on the screen.
Principal Node Registration URL: The URL that the replica server will be connecting to for data replication. The URL should be set to the Sync URL configured on the principal server.
Sync Name: Name for the configuration. Enter something that will identify the replica server. This field must be alpha-numeric.
Click the Attach button. The replica node configuration will be displayed in the Node section. The Detach button allows users to remove the node from the data replication. Detaching a replica node is a two-step process; refer to the Detaching Replica Server section below for details. The Stop Replication button allows users to stop the database replication process. The Restart Replication button allows users to restart the database replication process.
To verify the replica server is configured properly, login to the principal server and go to the System tab. Click on Utilities on the left and select DB Replication. The client node should be listed.
To verify that the configuration is good, add a controlled area on the principal node and verify that it appears on the replica.
Detaching Replica Server
Detaching a replica server from the principal server is a two-step process.
Log on to the replica server with the system user and go to the System tab.
In the scope pane on the left, click on Utilities.
Click DB Replication.
Click the Detach button to detach the node from the principal.
Log on to the principal server with the system user and go to the System tab.
In the scope pane on the left, click on Utilities.
Click DB Replication.
Find the client node and click the Delete button to detach the replica server.
Microsoft Active Directory (AD) Integration
Active Directory Overview
Active Directory integration is a way to integrate the Physical Access Control System with the existing logical infrastructure. In order to configure Active Directory, you must log in with the system account.
This section covers how to converge the logical provisioning that exists in Microsoft Active Directory with the logical access control of Primis. It is intended to go over the basic configuration of Active Directory with Primis to get your system up and running.
Single Server Deployment Example
Primis Commercial or Primis Enterprise links the Primis application to each server; there are three methods of deployment.
Understanding Graceful Access
The Primis access control system uses graceful access to link multiple different systems together.
Design Consideration
When deploying Primis in a global environment, each server can be deployed as an extension that is managed by a different administrator.
For training on active directory implementation, please reach out to trainingsupport@identiv.com
Active Directory Configuration
To configure Active Directory in Primis:
Log in to Primis with the system account.
Click on the System navigation tab.
On the left, click on the Active Directory link.
Options | Description |
Connection Timeout | The connection timeout in seconds to the active directory. |
Audit Data Enabled | When this is enabled all changes made through the active directory integrations will be logged in the Audit logs. Enabling this option will dramatically increase the number of logs. The minimum hard disk space recommended is 500 GB when this feature is enabled. |
Web Login Enabled | Groups of administrators can be assigned to an administrator account. That account will link the admin profile to that permission for administration. It is recommended that for these types of accounts you name them differently than your standard user base to support the integration. |
User Sync Start Time | The start time of the synchronization of users, organizational units, and groups from LDAP connections. Multiple synchronizations can be scheduled to run at different times of the day. |
User Sync Read Timeout | The timeout in seconds before the query issued by user sync is aborted. |
Force Update Enabled | This will force user updates from the active directory structure. |
Live Update Enabled | This feature enables an OU, Group, and Access Group attribute check against active directory on every card scan. If disabled it will rely on the data from the scheduled synchronization. |
Live Update Read Timeout | The timeout in seconds before the query issued by live update is aborted. |
Live Update On Imported LDAP Connection | This setting is only applicable when multiple LDAP connections are configured. When enabled, if the PIN/carddata is already imported to Primis, Live Update will be first performed on the LDAP connection where the PIN/carddata is imported from in order to speed up the Live Update process. |
4. Click the Save button to save the configuration.
LDAP Connections
To add a new LDAP connection:
On the Active Directory Configuration page, click the Add LDAP Connection button.
On the LDAP Connection page, enter the connection information of the LDAP Server.
Options | Description |
Name | The name of the LDAP connection. |
Server URL | The URL of the LDAP server. |
Search Base | Using the query structure, this is the search base for all queries. |
Domain | The DNS name of the domain that you would like to connect to. |
Username (User ID) | This is a user that has permissions to query the active directory domain defined. |
Password | Password of the active directory user. |
3. Click the Test Connection button to confirm Primis can connect to the LDAP server.
4. Click the Save button to add the LDAP connection.
5. After the LDAP connection is saved, click the Cancel button to return to the Active Directory Configuration page.
6. On the Active Directory Configuration page, click the One Time Sync button to import the OUs and LDAP groups from the LDAP server.
7. Go to the Events tab and check the LDAP synchronization status. After the LDAP synchronization is finished, go back to the Active Directory Configuration page and click the LDAP Connection that you just added. From the LDAP Connection page, you can specify the criteria for importing users and admin users from the LDAP Server.
Active Directory User Import
Filter Import by Organizational Unit and Group
From the search index provided in the setup, the import screen populates with the Groups and Organizational Units (OUs). When these are selected, the import is filtered so that only the selected users are pulled into the Primis system to manage.
To Import Users:
On the LDAP Connection page, click the Import Users button.
Click the AD Users Import/Sync tab.
On the Import Users page: To import all users, check the Import All Users box. To import users from Groups and OUs, click the entry in the Available box to move it to the Selected box. To search users in nested Active Directory groups, select the Nested Group Search checkbox.
Options | Description |
Import All Users From Groups | Imports all users who are part of the selected AD groups. |
Import All Users From OUs | Imports all users found in the OU, and all sub OUs. |
4. Click the Save button to save the import user configuration.
User Attribute Mapping
There are two types of fields to map in the User Attributes Mapping tab: fields that are automatically mapped, and user-selected fields.
On the Import Users page, click the User Attributes Mapping tab.
Automatically Mapped Fields
These fields are defined and statically mapped to AD attributes.
Primis User Attribute | Active Directory Name |
Username (User ID) | objectSID |
First Name | givenName |
Last Name | sn |
Display Name | displayName |
Telephone | telephoneNumber |
Primis Selected Mapped Fields
Primis User Attribute | Mapping Behaviour and Features |
Start Date | The date must be a properly formatted date. If specified, it will be the start date of the user access. |
Expiry Date | The date must be a properly formatted date, and will disable the user credentials after the defined expiry date. |
Card Data | Map to multiple AD attributes. When a card is deleted from Active Directory, it will be deleted in Primis. Likewise, when a new card number is added to a user in Active Directory, it will be added to Primis. |
Pin | Select mapping to a single AD attribute. This attribute will be mapped to the User PIN in Primis. The value in this AD attribute must be unique. |
Access Linked AD Attributes | Map to multiple AD attributes. It will show up in a list of all possible assigned values across all users to assign to an access group. So assigning of values to users can be mapped to access groups. If the user has this attribute, they will be granted access. |
User Category | Select mapping to multiple AD attributes. The first value found in the mapped AD attributes will be used as the user’s category. |
Custom Fields | Select mapping to a single AD attribute. If an attribute is a multiple value string, attribute is chosen in active directory. Supporting a Custom Mapping Name. |
Users Import Exclusion Filters
To further refine the criteria for importing users, you can create exclusion filters based on the value of the user’s AD attributes.
On the Import Users page, click the AD Users Import Filters tab.
There are two ways to specify the user import filter. By selecting the Attribute Exclusion Filter option, you can define filters to exclude certain users from importing to Primis. Alternatively, you can select the Advanced LDAP Filter option to specify the actual import filter query for importing users to Primis.
Define Attribute Exclusion Filter
Define LDAP filter query
Click the Save button to save the configuration.
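As an added illustration (not Primis code), the sketch below composes an Advanced LDAP Filter that is equivalent to a set of attribute exclusions, escaping each value per RFC 4515 so that a value containing parentheses or `*` cannot alter the query. The function names, the `department` exclusion and the sample entries are constructed for this example; how Primis builds its own query is not described in this guide.

```python
import re

# RFC 4515: characters that must be escaped inside a filter assertion value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
_ATTR_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")

# Active Directory bitwise-AND matching rule; bit value 2 of
# userAccountControl marks a disabled account.
_DISABLED = "(userAccountControl:1.2.840.113556.1.4.803:=2)"


def escape_filter_value(value):
    """Escape a literal so it cannot change the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_import_filter(exclusions, exclude_disabled=True):
    """Return an LDAP filter that selects user objects and leaves out any
    user matching one of the (attribute, value) exclusion pairs."""
    clauses = ["(objectCategory=person)", "(objectClass=user)"]
    if exclude_disabled:
        clauses.append("(!%s)" % _DISABLED)
    for attr, value in exclusions:
        if not _ATTR_NAME.match(attr):
            raise ValueError("not an LDAP attribute name: %r" % attr)
        clauses.append("(!(%s=%s))" % (attr, escape_filter_value(value)))
    return "(&" + "".join(clauses) + ")"


def would_import(entry, exclusions, exclude_disabled=True):
    """Apply the same rules offline to one entry (dict: attribute -> list of
    string values). Entries are assumed to be user objects already."""
    if exclude_disabled and int(entry.get("userAccountControl", ["0"])[0]) & 2:
        return False
    lowered = {k.lower(): [v.lower() for v in vals] for k, vals in entry.items()}
    for attr, value in exclusions:
        # Directory string comparison is case-insensitive.
        if value.lower() in lowered.get(attr.lower(), []):
            return False
    return True


def select_importable(entries, exclusions):
    """Return the sAMAccountName of every entry that would be imported."""
    return [e["sAMAccountName"][0] for e in entries if would_import(e, exclusions)]


# Constructed sample data: 512 = normal account, 514 = disabled account.
SAMPLE_ENTRIES = [
    {"sAMAccountName": ["alice"], "department": ["Engineering"], "userAccountControl": ["512"]},
    {"sAMAccountName": ["bob"], "department": ["Contractors (Temp)"], "userAccountControl": ["512"]},
    {"sAMAccountName": ["carol"], "department": ["Engineering"], "userAccountControl": ["514"]},
    {"sAMAccountName": ["dave"], "userAccountControl": ["512"]},
]
SAMPLE_EXCLUSIONS = [("department", "Contractors (Temp)")]

if __name__ == "__main__":
    print(build_import_filter(SAMPLE_EXCLUSIONS))
    print(select_importable(SAMPLE_ENTRIES, SAMPLE_EXCLUSIONS))
```

Running the dry run against an export of the directory before saving the filter shows which accounts the import would pick up.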
Understanding Attribute Based Access Control
Leveraging the Access Group link to physical security allows the administration team to cut down on time associated with the users.
Active Directory Administrator Import
Groups of administrators can be assigned to an administrator account. That account will link the admin profile to that permission for administration. It is recommended that for these types of accounts, you name them differently than your standard user base to support the integration.
For this section to allow login from this group, you must have the Web Login Enabled box checked on the configuration page.
Mapping Access Group Field to Physical Access Group
The Primis system will pull into the attribute list a list of all possible attributes that are currently loaded within the active directory. On every card scan, Primis will ask the active directory if the user has the variable that is selected.
User Access Groups
The user access group can be linked to AD OUs, Groups or Access Linked AD attributes.
Attribute Based Access Control Use Cases
Besides associating a user access group to AD OU(s) and Group(s), you can select an AD attribute and use it as an Access Linked AD attribute.
This allows for several use cases around applying logical attributes to the physical space:
Umbrella Company Management: By Company name for contractors, and employees, you can grant access to areas between time frames.
Business Specific Attributes: Every business has attributes that can drive access to physical areas:
1. Title
2. Department
3. Training Level
Geographic Association: Allowing anyone from the state to have general access to your front door and lobby area.
Clearance Levels: Clearance in AD allows for internal controls on physical areas the same way you would allow AD.
Personal Identity Verification
When equipped with FICAM-capable readers, Primis can perform real-time PKI verifications during PIV card access.
Cardholder Registration Tool – VeriCert
VeriCert is a desktop application that registers PIV credentials into Primis PACS and Validation System. With VeriCert’s intuitive design, a PIV cardholder’s credential can be fully authenticated, validated, registered, and provisioned within seconds, allowing the cardholder access to a specified set of doors.
Using VeriCert
Before enrolling cardholders, it is important to configure a few settings:
Application Settings.
Connection Settings.
Application Settings
The Application settings for VeriCert allow administrators to select a USB smartcard reader. Preferences, such as name parsing patterns, may also be found in VeriCert’s application settings.
On the menu bar, click on Settings, and select Application Settings…
From the Enrollment Reader dropdown list, select the USB smartcard reader detected by the software. To detect a newly installed reader, click the Refresh button to update the dropdown list.
If the smartcard reader has a built-in keypad:
Check Use Reader’s Keypad to Enter PIN to use the smartcard reader’s keypad to enter PIN.
Uncheck Use Reader’s Keypad to Enter PIN to use the Workstation’s keyboard to enter PIN.
From the Printed Name Pattern dropdown list, select the name pattern that will be used to parse the printed name on a PIV credential. The user is able to test the selected pattern by clicking the Test button to test if the pattern can produce the expected result.
Click Save to update the Application settings.
Other Application Settings
Proxy server – the URL of the proxy server through which the OCSP server can be accessed.
FICAM Compliance – this setting allows VeriCert to omit PKI validation during registration. This setting should always be checked during normal operation.
Match Cardholder Fingerprint – this setting tells VeriCert to find a fingerprint match during registration. If this setting is enabled but no matching fingerprint is obtained, VeriCert will fail registration.
Additional Validation Details – this setting lets VeriCert record additional certificate details during validation and is useful for troubleshooting.
Site ID’s – this setting allows VeriCert to restrict the set of Access Groups that cardholders can be assigned to. By default, this field is empty meaning cardholders can be assigned to Access Groups from all sites.
Connection Settings
The connection settings denote the Primis API Server that VeriCert will connect to. VeriCert uses the Primis API to enroll PIV cardholders and retrieve Access Groups to/from Primis Access Control System.
On the menu bar, click on Settings, and select Connection Settings…
In the Protocol field, select the Primis API protocol. Default is HTTP.
In the Server Address field, enter the IP Address of the Primis API Server. Default is 192.168.123.101.
In the Port field, enter the port of the Primis API Server. Default is 9000.
In the Username field, enter a Primis Admin User’s Username. Default is primis.
In the Password field, enter a Primis Admin User’s Password. Default is Identiv.
Click on the Test Connection button to ensure that VeriCert can contact the Primis API using the given settings. A Connection Successful notification will be shown if settings are correct.
Click Save to update settings.
Enrolling Cardholders
Insert the PIV card into the USB smartcard reader. VeriCert will take a moment to download and verify all required credentials.
Enter PIN when prompted.
Once the PIV credential is fully processed, verify the information and click the Next button
Assign Access Group to the cardholder.
Click Save Change to send cardholder data to Primis.
Primis PIV
Primis can perform certificate validation on PIV credentials during access. There are a number of settings that adjust the validation process, such as status proxy update frequency, CRL download frequency, root and intermediate certificate store management, certificate policies, extended key usage extensions and PKI fault options.
PIV Configuration
In the System tab, under PIV, the first menu item is OCSP/CRL Configuration, which covers the back-end settings for PKI validation.
Enabled – this enables/disables real-time PKI/OCSP validation during card swipes. Note that when this feature is disabled, Primis will at a minimum revert to downloaded CRL information to determine the validity of a credential.
Path Discovery Timeout – this specifies the time out (in seconds) limit for Primis to discover certificate chains.
Status Proxy Update Frequency – this specifies the frequency in hours that Primis should update the status of cardholders’ certificates. The cached status will be used when real-time OCSP validation fails due to network errors.
Deny Access upon OCSP timeout/network error – when enabled, this prevents Primis from granting access when a network error occurs during OCSP query.
Falls back to cache upon network error – when enabled, Primis will look up cached status for a cardholder’s validity when there is an OCSP-related network error. Note that even when this feature is disabled, Primis will always revert to CRL information when no real-time OCSP information is available.
Additional Validation Result Details – when enabled, Primis will record additional validation details such as certificate serial numbers and URL information during PKI validation process.
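The following added example (not Primis code) models how the settings above combine when the OCSP responder cannot be reached, and lists which combinations leave the decision resting on downloaded CRL data. The function and field names are constructed; the ordering that checks "Deny Access upon OCSP timeout/network error" before the cache fallback is an assumption, since the guide does not state a precedence, and the 16-hour threshold is the "Download Overdue" limit from the CRL Summary page.

```python
from collections import namedtuple
from itertools import product

Settings = namedtuple("Settings", "enabled deny_on_network_error fallback_to_cache")
Decision = namedtuple("Decision", "granted source stale_crl")

# The CRL Summary page reports 'Download Overdue' past this age.
CRL_OVERDUE_HOURS = 16


def decide(settings, ocsp, cached, crl_revoked, crl_age_hours):
    """Model one card swipe.

    ocsp         'good', 'revoked' or 'network_error' (real-time query result)
    cached       'good', 'revoked' or None (status proxy cache entry)
    crl_revoked  True if the certificate appears on the downloaded CRL
    """
    if ocsp not in ("good", "revoked", "network_error"):
        raise ValueError("unknown OCSP result: %r" % ocsp)
    if settings.enabled:
        if ocsp != "network_error":
            return Decision(ocsp == "good", "ocsp", False)
        # ASSUMPTION: the deny option is evaluated before the cache fallback.
        if settings.deny_on_network_error:
            return Decision(False, "ocsp-error", False)
        if settings.fallback_to_cache and cached is not None:
            return Decision(cached == "good", "cache", False)
    # Real-time validation disabled, or no real-time or cached answer
    # available: the guide says Primis reverts to CRL information.
    return Decision(not crl_revoked, "crl", crl_age_hours > CRL_OVERDUE_HOURS)


def grants_during_outage(cached, crl_revoked, crl_age_hours):
    """Return (Settings, Decision) for every settings combination that
    grants access while the OCSP responder is unreachable."""
    granting = []
    for combo in product([True, False], repeat=3):
        settings = Settings(*combo)
        decision = decide(settings, "network_error", cached, crl_revoked, crl_age_hours)
        if decision.granted:
            granting.append((settings, decision))
    return granting


if __name__ == "__main__":
    # Constructed scenario: the certificate was revoked recently, the cache
    # knows it, but the last CRL download is 20 hours old and does not.
    for settings, decision in grants_during_outage("revoked", False, 20):
        print(settings, "->", decision)
```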
Certificate Manager
Certificate Manager allows administrators to configure Primis’s certificate store. This certificate store holds both root and intermediate certificates.
To add a certificate to the store:
Go to System -> PIV -> Certificate Manager.
To add a certificate, click the Browse/Choose File button and select the certificate from the file system.
Click the + button to add the certificate.
To remove a certificate:
Click the X button beside the listed certificate.
Note that when a redundant certificate is added, Primis will ignore the new entry. A redundant entry means that the Issuer name and serial number of the certificate already exist in the store.
Certificate Policies
Primis can impose certificate policy constraints on the three major certificates – PIV, Card Auth and CHUID Signature. These constraints are assigned in the form of OID strings.
To add a certificate policy constraint to a certificate:
Go to System -> PIV -> Certificate Policies.
Click the tab that represents the certificate type of interest.
Enter the OID string (e.g. 2.16.840.1.101.3.2.1.48.11), enter the description text (optional), and click the + button.
To remove a Certificate Policy OID:
Click the X button next to the OID.
Extended Key Usage Extensions
Similar to Certificate Policies, Primis allows administrators to specify required extended key usage extensions.
To add an extended key usage extension constraint to a certificate type:
Go to System -> PIV -> Ext. Key Usage.
Click the tab that represents the certificate type of interest.
Enter the OID string (e.g. 2.16.840.1.101.3.2.1.48.13), enter the description (optional) and click the + button.
To remove an extended key usage extension constraint:
Click the X button next to the OID.
PKI Fault Options
During card access, Primis performs a long list of validations that adhere to FICAM requirements. For institutions that may not issue PIV cards that fulfil all FICAM requirements, administrators can optionally disable certain fault validations. The following are the options that can be disabled:
Invalid CA Signature
Invalid CA notBefore Date
Invalid CA notAfter Date
Invalid Name Chaining
Missing Basic Constraints
Invalid CA False Critical
Invalid CA False not Critical
Invalid Path Length Constraint
keyUsage keyCertSign False
keyUsage Not Critical
keyUsage Critical CRLSign False
Invalid inhibitPolicyMapping
Invalid DN nameConstraints
Invalid SAN nameConstraints
Invalid Missing CRL
Invalid Revoked CA
ICAM Invalid CRL Signature
Invalid CRL Issuer Name
Invalid Old CRL nextUpdate
Invalid CRL notBefore
Invalid CRL Distribution Point
Valid requiredExplicitPolicy
Invalid requiredExplicitPolicy
Valid GeneralizedTime
Invalid GeneralizedTime
Invalid SKID
Invalid AKID
Invalid CRL format
Invalid CRL Signer
Golden PIV-I path
OCSP - Unable to get Issuer Cert Locally
To enable or disable PKI Fault Options:
Go to System -> PIV -> PKI Fault Options.
Check or Uncheck fault options.
Click Save to update.
CRL Summary
Primis downloads CRL information for all cardholders in the database periodically. It provides a summary of the number of revoked certificates under each relevant issuer. See System -> PIV -> CRL Summary:
If CRL information cannot be obtained for more than 16 hours, this summary page will provide an alert that indicates ‘Download Overdue’.
PIV Card Single Sign-On Configuration
This section covers the steps to sign on to Primis Admin using PIV cards.
Enroll a PIV cardholder into Primis by VeriCert.
Go to Users, and edit the user profile.
Enable Admin function to the user.
Enter the logon User ID, password and appropriate privileges.
Click Save.
Add the PIV card's Root Certificate in System -> PIV -> Certificate Manager.
Restart Primis server (System -> Utilities -> Reboot).
In Windows, make sure “Certificate Propagation Service” is enabled and started.
Insert PIV card into reader.
In Chrome browser, go to https://<PrimisServerIP>:8443/
Select the PIV Authentication Certificate for the card.
Enter PIN.
Once the PIN is validated, the browser will log in to Primis Admin.
Mobile Access
Primis now provides location based access with mobile devices such as iPhone or Android. Traditionally each controlled area has to be associated with a reader. With this new “Geo Location” based feature, a controlled area can simply be assigned with a GPS co-ordinate or a proximity device such as a Bluetooth Beacon. Primis first determines the user’s proximity to a door/controlled-area by comparing the location reported by the mobile. Once determined, Primis then performs the corresponding access control operation. This feature conveniently bypasses the need for readers and access cards; instead a mobile device is used as credential identification.
Configuring Geo Location
To configure Geographic information:
Select the Controlled Area
Click the Geo Location tab.
For GPS based access, select GPS radio button.
Enter Latitude, Longitude, radius, and the unit (e.g. Feet or Meter) that best cover the entrance area.
Click Enabled to activate Geo Location access for this area.
For Beacon based access, repeat steps 1 – 2 and click Beacon radio button instead.
Select the Unique ID from the Beacon dropdown list. For details on allocating Beacons in Primis, see the next section Configuring Beacon Access.
Click Enabled to activate Beacon access for the area.
Configuring Beacon Access
To configure Beacons in Primis:
Go to System.
Click Mobile to expand its sub-menus.
Click Beacon Config.
Enter the following information:
Options | Description |
Server | URL for the Beacon Server Portal |
API Key | Key to access portal’s API. |
API Version | Version of the portal’s API. |
UUID | UUID for the Beacon count. |
5. Click the Sync checkbox to enable periodic updates to Beacon status information. The default behavior is every two hours.
Mobile Device Registration
To register a Mobile user in Primis, these are the general steps:
Create the user and set the Mobile flag to true.
Assign a mobile password for the user.
Primis server will automatically send the password to the mobile user via email.
Once the password is obtained, the user may log on to the Primis Mobile App and start enjoying the service.
Configuring email server on Primis
Go to System -> Mobile.
Click Email Config.
Enter the email server’s address and the sender address of the registration email.
Configuring the registration Email Template
Go to System -> Mobile.
Click menu item Mobile Onboard Email Template.
Enter Mail Subject Text, e.g. Mobile App Registration.
Enter Mail Content that shall contain links to download Mobile App, user password and any information that is valuable to the registration process.
A reserved token USER_PASSWORD can be embedded in the mail content which will then be replaced by the user password assigned during the registration process.
Managing Enterphone Panels
Enterphone panels provide visitors with a way to communicate with tenants from the front common entrance. Tenants then can grant or deny access to the building. Enterphone panels display a list of users that can be dialed. For hardware installation please view the Enterphone Installation Guide.
By default Enterphone panels are added to a single controlled area. This allows the panel to grant access if the tenant presses the relay activation digit when dialed.
Enterphone Panel Settings
Enterphone panel settings such as talk time, relay access digit and activation time can be configured. To access these settings:
Click on the System navigation tab.
On the left, click on the Enterphone link.
In the Actions bar, click Add Panel. The following screen is displayed:
Enter the Panel ID. This ID number can be found in the sitepanel.ini file for this panel.
5. Enter a Name: this identifies the panel when adding it to Controlled Areas. This field should be changed if there is more than one panel.
6. Enter the Relay 1 or 2 Access digit: The digit on the telephone that the tenant must press to activate the appropriate relay.
7. Enter the Relay 1 or 2 Activation Time (Seconds): This specifies in how many seconds the relay should be activated for once a tenant grants access.
8. Enter the Talk Time: This is the maximum duration the call can occur (in seconds) before automatically hanging up.
9. Click Save.
Enterphone (Controlled Area Tab)
The Enterphone tab allows you to attach Enterphone panels to Controlled Areas. NOTE: Enterphone panels must have already been created in the System -> Enterphone screen.
Please refer to the Enterphone Panel Settings section for more details regarding Enterphone panels.
In the Enterphone MESH tab on the View/Edit Controlled Area screen:
Select an Enterphone panel from the dropdown box.
To add a second panel to this controlled area, click the add + button.
Click Save.
Changing Screen Saver Image File
When Enterphone Panels are idle for more than the time set for the default screensaver time out, the default screensaver graphic is displayed. This graphic can be changed from the media files. Use the instructions in the Media Files section to access and change screensaver_1024x768.gif file.
This is the default screensaver picture. Edit this file using any graphic editing software that supports the GIF format. Keep in mind that the edited file’s name, resolution, and color settings must match this file. Once the editing is complete use the Update Media Files from the System tab to upload the edited screensaver_1024x768.gif file. Restart the Panel using the Reboot link at the bottom of the Utilities page.
Changing Screen Saver Timeout
By default, the screensaver activates after 60 seconds of inactivity. This number can be changed from the file sitePanel.ini.
Click on the System navigation tab.
On the left, click on the Administration link.
Click on the System Parameters sub link.
Click on the sitePanel.ini file.
Edit the line screensaverTimeOut=60; change 60 to any other value. Do not edit any other value.
Check the Reboot after save box. This will do a full restart of the panel after you save the file.
Click Save.
Calibrate Enterphone Screen
Enterphone Parameters Files
Enterphone parameter files are used to configure the software on both the server and the panel. These files are located in the System Parameters link under the System -> Administration tab. These files can be edited using the in-browser text field provided by clicking on the file or backed up by clicking on Download and edited with a text editor locally then uploaded back to MESH. Once the files are uploaded back to the Enterphone, the server must be restarted using the Reboot link at the bottom of the Utilities page or by checking the Reboot after save option on the Edit page.
The following parameter files are user-modifiable:
dealer.ini
installer.ini
siteEngine.ini
sitePanel.ini
To Edit a Parameter file
Click on the Administration link from the System navigation tab.
Click on the System Parameters sub link.
Click on the file you would like to edit.
Make any changes necessary to the text presented in the text area.
If you would like a backup of the existing file, choose Write Backup.
Check the Reboot after save box if a reboot is required. Keep in mind that for the changes to take effect a full system reboot is required.
Click Save.
Main and Peer Configuration (Sync Enterphone Units)
This form of replication only copies the Suite and User data to a remote panel to be loaded on the display. This does not allow for a remote system to be working as a backup unit for bridge communication.
Main peer integration with a panel is intended for one site only, where the unit is on the same network. Deploying multiple mesh panels across multiple sites is not supported in Primis 9.1. Please see Enterphone and Primis Application Note (AN9019) for more details.
Main and peer configuration creates a link between two Enterphone units. This can be multiple Enterphone Panels to a single Primis server or multiple Primis servers to one Primis server. The Main servers automatically start sharing data once a peer establishes communication.
To Setup a Main and a Peer
Follow the instructions below on any unit that needs to be configured as a peer. No configuration is necessary on the main units.
Open the siteEngine.ini using the instructions from System Parameters.
Locate the line MainPeers=
Add the IP address of the main server. For example, MainPeers=192.168.123.101
Locate the line SystemName=
Add an appropriate name for the peer. For example, SystemName=FrontPanel
Save the siteEngine.ini
Restart the Enterphone peer system
Once the configuration is done, connect to the Main server and log in. At this point there should be a button labeled with the names of Peer devices along the top of the Administration System’s interface. If there are any changes that need to be made to non-common data, these buttons can be used to connect to the Peer devices. If the button is absent from the Main Server or Panel, check over the configuration that was made up to this point then log out and log back in.
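Parameter files can be downloaded, edited locally and uploaded again, so the added example below (not part of Primis) compares a backup with the edited copy and reports any change other than the lines a procedure calls for, such as the two peer lines above or the start.ini change in the replica setup. The function names and sample file contents are constructed, the `key=value` layout with `#` marking an inactive line is inferred from the lines quoted in this guide, and treating MainPeers as a single IP address follows the guide's one example.

```python
import ipaddress


def parse_ini(text):
    """Return {key: value} for active key=value lines.
    Lines starting with '#' (as in '#sds.service=no') are treated as inactive."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def changed_keys(original_text, edited_text):
    """Return {key: (old, new)} for every key whose active value differs.
    None means the key is absent or commented out on that side."""
    before, after = parse_ini(original_text), parse_ini(edited_text)
    return {
        key: (before.get(key), after.get(key))
        for key in sorted(set(before) | set(after))
        if before.get(key) != after.get(key)
    }


def is_ip_address(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def is_non_empty(value):
    return bool(value.strip())


def review_edit(original_text, edited_text, expected):
    """expected maps each key the procedure changes to a validator.
    Returns a list of problems; an empty list means the edit is as intended."""
    problems = []
    changes = changed_keys(original_text, edited_text)
    for key, (old, new) in changes.items():
        if key not in expected:
            problems.append("unexpected change to %s: %r -> %r" % (key, old, new))
        elif new is None:
            problems.append("%s was removed or commented out" % key)
        elif not expected[key](new):
            problems.append("%s has an invalid value: %r" % (key, new))
    for key in expected:
        if key not in changes:
            problems.append("%s was not changed" % key)
    return problems


# Keys the peer setup procedure edits in siteEngine.ini.
PEER_SETUP = {"MainPeers": is_ip_address, "SystemName": is_non_empty}

# Constructed file contents using only keys quoted in this guide.
ORIGINAL = "DBMode=single\nMainPeers=\nSystemName=\n"
GOOD_EDIT = "DBMode=single\nMainPeers=192.168.123.101\nSystemName=FrontPanel\n"
# Typo in the address (letter l for digit 1) and an accidental DBMode change.
BAD_EDIT = "DBMode=replica\nMainPeers=192.168.123.10l\nSystemName=FrontPanel\n"

if __name__ == "__main__":
    print(review_edit(ORIGINAL, GOOD_EDIT, PEER_SETUP))
    for problem in review_edit(ORIGINAL, BAD_EDIT, PEER_SETUP):
        print(problem)
```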
Copy Common Data
Once the connection is established between a peer and a main, there may be some data inconsistencies. To clear all the data on the peer and copy everything from the main, a Copy Common Data needs to be done.
Click on the System navigation tab.
On the left, click on the Administration link.
Click on the Copy Common Data sub link.
From the list of Available Servers, select the main server.
Click Copy.
Enterphone Panel File Configuration
On Enterphone Panels an additional configuration file exists that controls the configuration of Panel-specific options.
Use the steps described in Editing a Parameter file to edit the siteEngine.ini. The Panel will need to be restarted for any changes to this file to take effect.
Parameters in the sitePanel.ini file are:
Options | Description |
serverName | localhost or the IP address of the panel |
panelId | The panel ID. This field should not be changed. |
screensaverTimeOut | The number of seconds before the screensaver becomes active (0 deactivates the screensaver). |
codeprefix | Filters suites codes based on this digit so that only suites with codes beginning with this number (or range of numbers) are displayed on this panel. |
switchDigit | Calling suites with codes beginning with this digit or range of digits (e.g. "1-5" or "1,3,6") will trigger the Call Redirector Board to use a second line. |
ringAltCount | The number of rings the dialer will wait before calling a suite’s alternate number. |
hbCode | If set, a button will be displayed at the top of the directory and when it is pressed, the suite whose code is entered will be dialed. |
activateOnDialPanelId | The Panel ID of a panel that is in a Controlled Area whose devices should activate whenever a panel is in use. This requires that a second panel be added to the local panel and that second ID used in the aforementioned Controlled Area. |
directoryRows | The number of rows of suites displayed in the directory listing. |
directoryColumns | The number of columns of suites displayed in the directory listing. |
SSButtonHeight | Vertical placement of language buttons expressed in pixels from the top. |
listBusTextCenter | Yes or No option to centre business names. |
directoryFont | Resize the directory font. 0 is the default, +1 will increase the size, -1 will decrease. |
businessFont | Resize the business listing font. 0 is the default, +1 will increase the size, -1 will decrease. |
displaySuiteCode | Yes or No option to display each suite’s code in the directory. |
rightAlignSuiteCode | Yes or No option to place suite codes on the left or right side of the display. |
Display Call Button | Yes or No option that allows for removal of the call button beside a tenant’s name. |
Search Only | Yes or No option that allows a user to use the panel only for searching for a tenant, no calling. |
listTextColor | An RGB triplet that sets the colour of the suites listed in the directory. |
listBusTextColor | An RGB triplet that sets the colour of the businesses listed in the directory. |
listBGColor | An RGB triplet that sets the background colour of listings in the directory. |
alternateBGColor | An RGB triplet that sets the alternating colour of listings in the directory. |
cancelButtonColor | An RGB triplet of the color applied to the cancel button. |
cancelButtonTextColor | An RGB triplet of the color applied to the text of the cancel button. |
logoColor | An RGB triplet that sets the colour of the logo area. |
buttonSelect | An RGB triplet of the colour applied to a button when it’s selected. |
sbTrackColor | An RGB triplet of the colour applied to the back of the scroll bar. |
keyColor | An RGB triplet that sets the colour of the touch keypad. |
sbThumbColor | An RGB triplet that sets the color of the directory scroll button. |
sbTrackColor | An RGB triplet that sets the colour of the directory scroll bar. |
Business Administrator Management
Enterphone Panels can be programmed to divide buildings into multiple businesses. Each business can control its own controlled area without affecting other businesses or areas. In order to divide buildings into businesses, controlled areas that will control a business’ physical access need to be created. When adding a new business to the Administration Software, areas that are controlled by that business can be selected. Then admin users can be added to be part of that business.
Business admin users are restricted on what they can add or view. Also, business admin users do not have access to the System tab and are therefore unable to manage the system or view any system related information. In addition, business admin users cannot add or delete suites, controlled areas, or schedules. They can add user access groups and link them only to the controlled areas that are associated with that business. Any of the activity logs that are related to other businesses are not viewable by that business admin user. A single business can have more than one controlled area. Also, a single business admin user can belong to more than one business.
Create Business Users
Add a Business using the instructions in the Businesses section of Chapter Suites.
Add a new admin user using the instructions in the section: Site Administrator Management.
From the Add Admin User screen, select the business name from the Business list.
Backup of Logs for Business Users
Because business admin users can’t access the System tab, the backup log instructions are different.
Click on the Events navigation tab.
Select a range of dates in the From and To Dates. Note that the maximum number of days is 31.
Click Search
Download the search result in CSV Format.
Alarm Management System (AMS) Lite
Overview
It is important to note that if AMS is configured under the System tab, all monitoring features on a server are disabled.
In the System > AMS tab you can choose if you are able to view the Monitor tab. This is also where you would go to disable the video prior to the setup of video. AMS Server will not be covered in this section; for information on setup of the AMS application please see.
Navigation Overview: Monitor Systems without Mapping Setup
AMS-Lite supports the ability to monitor the system without maps. The purpose of this mode is that if the end-user chooses not to use the mapping of devices, there is a clear way to list and report on the status of all of the devices.
This is how the system looks if there are no maps loaded into the system. Should you require maps for your site, please refer to Chapter Controlled Areas - Maps.
Navigation Overview: Controlled Area Display
This version of Primis includes many enhancements to the ability to quickly search for controlled areas and apply actions to them, including the ability to acknowledge and clear the alarms listed.
Number Of Pending Alarms
A Live Alarm List Count displays on the alarm icon on all screens and will indicate if there is an alarm on the sites that you have access to see.
Number of Pending Alarms by Site
List Alarms by site by clicking on the Site link. These links will take you to the site map at any time.
Acknowledge and Clear
In the center panel of the alarm monitor tab, you will see the alarm data come into the system. This is for the primary system.
Alarms can be acknowledged and cleared, and custom instructions can be enabled for both the acknowledge and the clear steps.
Once acknowledged, the system will show the next step as clearing the alarm.
Clearing alarms allows for the setup of custom messages.
Once the alarm is cleared, the details of the alarm may be researched on the Events tab.
When a system is acknowledged and cleared, the documentation and notes of the operator show on the alarm monitor report. The following is shown in the report:
Navigation: Monitor With Maps And Video
This section does not cover how to set up and configure video services. Instead, this covers only the overview of how to navigate using video services.
Navigation Overview: Controlled Area Icon Supported Actions
Once the maps are installed, the center alarm monitoring screen shifts downwards, and allows for the mapping to show in the center, providing the following features:
While in Alarm the controlled area icon will flash red
While Acknowledged the controlled area will have a solid red ring around the system:
Clicking on the alarm in the bottom alarm tray will snap to the alarm, and pull the alarm video associated with the alarm on the right-hand video alarm panel:
Right clicking the controlled area will give you the option to change the state of the controlled area, acknowledge and clear the alarms.
Selecting a controlled area will also show the activity history of that controlled area in the bottom left corner under the Controlled Area Activities.
Mapped live video streams may be scrolled over to display the live video feed.
While the bridge is connected the reader shows a dark black. If the reader is offline it shows a grey.
If the camera is online it shows black. If the camera is disconnected it will show a grey with a line through it.
Live Video For Mapped Cameras
Scrolling over the event video shows the video screen as shown below.
View All Cameras
The top of the live camera view has multiple options.
Select All Cameras (#) and this will bring up all cameras in the video panel to scroll through.
Navigation Overview: Login to NVR From Monitor Tab
Select the NVR Icon. This icon links to the NVR of the selected video feed. If you need to Export video from the NVR, or perform a more detailed review of the video, this is how you get there. Depending on the NVR, you may need a username and password.
Navigation Overview: Export View
Select the [Export View] icon at the top right of the screen. This is known as the Export Video button, which is covered later in this chapter. It does not export video; instead, it sends the video to a separate window so that it can be monitored from there.
This is to allow the operation of Primis System, and Video monitoring on the same system, or two different monitors.
Navigation Overview: Select Video and Send to Export View
You can also select video to be exported, and move it to the next screen in a two screen scenario:
Select the video that you would like to export. The video feed will then be outlined in red (see photo above as an example).
Select an area in the Primis Exported Video 4x4 that you would like the video to be displayed.
The video now appears in that area.
Once a configuration is set up, it may be saved to be recalled. All video saves are available across all systems.
Navigation Overview: Save Video Export View
Export Video
Create a name and enter it into the system:
Select Save
Navigation Overview: Event Video
When an alarm comes in with an event clip associated, the video is automatically displayed in the alarm video. The event video shows on the top, the alarm video shows on the bottom, and additional associated cameras show below that.
The top video is event playback – in the above example it is showing the start of the video clip before the light is turned on.
Once an alarm occurs on the bridge it will show the event clip, live video, and up to 4 cameras if they are associated with the controlled area for a quick view. You can click on the cameras to pull them up to view to track a person in the frames.
Navigation Overview: Event Clip Controls
In the bottom left corner there are replay and pause controls for the event clips. To save a snapshot of the image, press the camera icon in the bottom right-hand corner of the event clip screen, as seen here:
Configure AMS Lite
It is important to note that if AMS is configured under the System tab, all monitoring features on a server are disabled.
Add a Map to AMS Lite
Many web image file formats are supported. Before uploading a map, edit the map file so that it is in one of these web image formats:
JPG
JPEG 2000
JPEG / JFIF
GIF
PNG
TIFF
To add a map of a floor plan or other system (any web file format supported):
In the Controlled Areas navigation tab, click on the Maps link. The following screen is displayed:
Current maps are listed on the left and the controlled areas are listed on the right. Click on a map to view it; click on the edit button to change the file associated with this map.
To add a new map, click on the +Add Map button. The following screen is displayed:
Enter Name and a Description for the map.
Click the [Choose file] button beside Map Image to import the map file image.
Click the [SAVE] button.
Place Controlled Area Icon On Map
Maps have been placed in the Controlled area tabs. You can simply drag and drop all controlled areas from the right to the map. Only one controlled area is supported per system. The controlled area may only exist in one location at a time.
To configure controlled area maps:
Click on the Controlled Areas navigation tab.
On the left, click on the Maps link. The following screen appears:
Drag and drop controlled areas onto the point.
Place Video Icon On Map
To set up the video portion of the system, you must log in with the system administrator account and ensure that video is enabled. If video is still not enabled after turning this setting on, you may need to check your server activation and ensure you have NVR Video licensing enabled.
This will allow the mapping of the camera as an individual device. To attach a video feed to a controlled area, you must navigate to Controlled Area, select the controlled area, and select the Cameras tab. This will then show the video icon attached to the controlled area:
Mapping Icons
Remove Icon From Map
Scrolling over an icon will show the name and a trash can icon. Click on the trash can icon to remove the controlled area or camera from the map:
Configure Custom Map Icons
Icons can be added to a map to indicate whether a controlled area is Closed, Open, or in Lockdown. Primis comes with three standard icons. Images of these icons can be changed on the Icons page.
To change a controlled area map icon:
In the Controlled Areas navigation tab, click on the Icons link. The following screen is displayed:
Click the [Choose file] button beside the icon to change and navigate to the new icon image and click Open.
The selected file name is displayed. Click the [Update] button to replace the icon image with this new image.
Alert Levels
Alert Level Management
Alert Levels allow the Primis server to adjust its access control behavior globally. Controlled Area Schedules and Access Groups can be restricted by alert levels. As a security level escalates, the Primis server can restrict access accordingly. For example, the front entrance of a building is open during office hours. However, when the alert level is escalated to HIGH, the system can automatically lock down the front entrance by overriding the open schedule.
Alerts Levels
When enabled in the license file, Primis Admin always shows the current alert level at the top of the page.
In this example, the Access Group Standard Employees has no access when the alert level is “High” or “Severe”.
Controlled Area Configuration of Alert Levels
In this example, the Controlled Area is set to open during office hours only when the alert level is Low or Guarded. To configure alert levels for controlled areas, go to the Unlock Schedule tab on the View/Edit Controlled Area page.
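The two examples above can be modelled as a small policy check, useful for reviewing which groups keep access at each alert level before an escalation happens. This is an added illustration, not Primis code: the level ordering, the 09:00-17:00 office hours, the function names and the Security Staff group are assumptions.

```python
from dataclasses import dataclass
from datetime import time
from enum import IntEnum

class AlertLevel(IntEnum):
    # Only the four levels named in this guide; the ordering is an assumption.
    LOW = 1
    GUARDED = 2
    HIGH = 3
    SEVERE = 4

@dataclass(frozen=True)
class UnlockSchedule:
    start: time
    end: time
    allowed_levels: frozenset  # levels at which the schedule may unlock the door

    def unlocked(self, now, level):
        # The level is checked first, so an escalation overrides the open schedule.
        return level in self.allowed_levels and self.start <= now < self.end

@dataclass(frozen=True)
class AccessGroup:
    name: str
    areas: frozenset
    allowed_levels: frozenset  # levels at which members keep their access

    def permits(self, area, level):
        return area in self.areas and level in self.allowed_levels

def door_decision(area, schedule, groups, now, level):
    """Return 'unlocked', 'granted' or 'denied' for a badge presented at area."""
    if schedule.unlocked(now, level):
        return "unlocked"
    if any(g.permits(area, level) for g in groups):
        return "granted"
    return "denied"  # nothing matched: the door stays locked

def audit(groups, area):
    """Per alert level, list the groups that can still open area."""
    return {lvl.name: sorted(g.name for g in groups if g.permits(area, lvl))
            for lvl in AlertLevel}

# Constructed sample configuration mirroring the guide's examples.
CALM = frozenset({AlertLevel.LOW, AlertLevel.GUARDED})
front_schedule = UnlockSchedule(time(9), time(17), CALM)  # assumed office hours
standard = AccessGroup("Standard Employees", frozenset({"Front Entrance"}), CALM)
# Hypothetical group that keeps access at every level.
security = AccessGroup("Security Staff", frozenset({"Front Entrance"}),
                       frozenset(AlertLevel))
```

Running `audit` over the real group list before raising the level shows who would be locked out and confirms that at least one group can still open each area.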
Change of Alert Level
Primis Administrators can set the current Alert Level by going to the System tab under Administration and clicking Risk Level.