Andover Continuum CyberStation Access Control Essentials Guide
© 2010, Schneider Electric All Rights Reserved
No part of this publication may be reproduced, read or stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of Schneider Electric.
This document is produced in the United States of America.
Product Names are trademarks of Schneider Electric. All other trademarks are the property of their respective owners.
Title: CyberStation Access Control Essentials Guide
Revision: D
Date: December, 2010
Schneider Electric part number: 30-3001-405
CyberStation version 1.92
The information in this document is furnished for informational purposes only, is subject to change without notice, and should not be construed as a commitment by Schneider Electric. Schneider Electric assumes no liability for any errors or inaccuracies that may appear in this document.
On October 1st, 2009, TAC became the Buildings Business of its parent company Schneider Electric. This document reflects the visual identity of Schneider Electric. However, there remain references to TAC as a corporate brand throughout the Andover Continuum software. In those instances, the documentation text still refers to TAC — only to portray the user interface accurately. As the software is updated, these documentation references will be changed to reflect appropriate brand and software changes.
All brand names, trademarks and registered marks are the property of their respective owners.
Schneider Electric
One High Street
North Andover, MA 01845
(978) 975-9600
Fax: (978) 975-9782
http://www.schneider-electric.com/buildings
Contents
About this Manual
    What’s new in this Manual
    Related Documentation

Chapter 1  Getting Started
    Planning an Access Control System
    Overview of an Access Control Network

Chapter 2  Configuring an Access Control System
    Task 1: Open Continuum Explorer
        Open Continuum Explorer
        More About Continuum Explorer
    Task 2: Create a Network and a Controller
        Containers and Parent/Child Objects
        Create a Network
        Web Configuration for Controllers
        Create a Controller
        More about Networks and Controllers
    Task 3: Configure IOU Modules
        Creating an IOU Module Object
            General Tab – IOUModule Editor
            Security Level Tab – IOUModule Editor
            More about the IOUModule Editor
            Commissioning an IOU Module
    Task 4: Configure Controller Comm Ports
        General Tab – CommPort Editor
        Viewing the Status of an XDriver Device
        Settings Tab – CommPort Editor
        SecurityLevel Tab – CommPort Editor
        Field Bus Controllers Tab – CommPort Editor
    Task 5: Designate the Primary Access Server
        More about the Primary Access Server
    Task 6: Create CyberStation Points
        Create an InfinityInput Point
        Create an InfinityOutput Point
        Create an InfinityNumeric Point
        More about Points
    Task 7: Create Areas
        Factors to Consider When Defining Areas
    Task 8: Create Doors
        When to Create a Door
        Data that Defines a Door
        Create a Door
        View Doors Assigned to an Area
    Task 9: Create Personnel
        Access-Control Information in a Personnel Object
        Methods of Creating Personnel Objects
        Open the Personnel Manager for the First Time
        Create a Personnel Object in the Personnel Manager
        More about Personnel Objects
    Task 10: Create Schedules
        About Schedule Points
        Create and Configure a Schedule
        Attach a Schedule Point to a Door
        Attach a Schedule Point to an Area in a Personnel Object
        More about Schedules
    Task 11: Configure Alarms
        About Event-Notification Objects
        Create an Event-Notification Object
        About Notification by E-mail and Pages
        About AlarmEnrollment Objects
        Create an Alarm-Enrollment Object
        General Expressions for Security
        About Attaching Alarms to Objects
        Attach an Alarm-Enrollment to a Door
        Attaching Alarms to a Point
        Using the Alarms / Advanced Alarms Tab of an Object Editor
        More about Alarms
    Task 12: Configure Video
        About Video Monitor and Video Administrator
        About VideoLayouts
        Configuring Video via Video Monitor and Video Administrator
        Configuring Video Using VideoLayout
    Task 13: Create Graphic Panels and Controls
        About Graphic Controls for Access Control
        Create a Graphics Panel and a Door Control
        More about Graphics Panels and Controls
    Task 14: Configure Reports
        About Report Objects
        Create a Report
        More about Reports

Chapter 3  Monitoring an Access Control System
    Responding to Alarms
        About the Alarm Status Bar
        About the Active Alarm View Window
    Monitoring Live Access Events
        About Creating EventView Objects
        More about EventView Objects
    Using ListView Windows
        About Predefined ListView Objects
        About Creating ListView Objects
        More about ListView Objects

Chapter 4  Advanced Topics for Access Control
    Security Groups for CyberStation Users
        About User Objects
            Before Configuring Users
            Creating a User Object
        About Security Groups
            Configuring User Security Groups
            Displaying Security Groups
            Renaming Security Groups
            Assigning Access Privileges for Security Groups
            Copying Access Privileges Between Security Groups
        About SecurityLevel Objects
            Creating a SecurityLevel Object
            Displaying Access Privileges in the Security Tab
            Universal Unlock Folder
        Assigning Access Privileges in a SecurityLevel Object
        Copying Access Privileges from a Single Security Group to Another Group
            More about Users and Security
    Using Area Lockdown
        About Area Lockdown
        What Happens During Lockdown
        Locking down an Area
        Locking down Individual Doors
        More about Area Lockdown
    Controlling Access with Condition Levels
        About Changing the Condition Level
        Implementing Condition Levels and Clearance Levels
        Sending a Condition Level Message to Controllers
        Restoring Controller Condition Levels to Previous Levels
        About Sending Condition Level Values to Individual Controllers
        More about Condition and Clearance Levels
    Adding FIPS-PIV Card Credentials
        Overview of FIPS-PIV
        Overview of FIPS-PIV cards and readers
        Configuring FIPS-PIV on a New System
        Transitioning an Existing system to FIPS-PIV
        More about FIPS-PIV
About this Manual
What’s new in this Manual
This manual provides basic, essential information for planning, configuring and monitoring an access control system consisting of Schneider Electric controllers and CyberStation software. This manual provides the following information:
An introduction to planning for an access control system
Step-by-step procedures for basic configuration tasks in CyberStation
Step-by-step procedures for monitoring your access control system using CyberStation
An overview of advanced access control features that you may want to implement in your facility
This manual is intended to be used with the CyberStation online help and the documentation that accompanies Schneider Electric controllers. For complete user-interface details (beyond the scope of the basic tasks in this manual), you must consult the online help and the other CyberStation documents listed in the next section. The procedural information in this manual assumes that your access control hardware and software are installed, online, and ready to be configured.
Related Documentation
For additional or related information, you can refer to these documents.

Document                                                        Document Number
CyberStation online help                                        n/a
HVAC Essentials Guide                                           30-3001-1000
CyberStation Installation Guide                                 30-3001-720
Continuum Remote Communication Configuration Guide              30-3001-814
ACX 57xx Series Controller Operation and Technical Reference    30-3001-999
NetController II Operation and Technical Reference Guide        30-3001-995
Chapter 1: Getting Started
This chapter offers guidance on planning your access control system and includes the following topics:
A review of a sample floor plan for a manufacturing facility, its access control issues, and access control devices in place to address the issues for this sample site
A network configuration of controllers, servers, and CyberStation workstations that provides the access control infrastructure for the sample site
Planning an Access Control System
Schneider Electric’s access control products support the full range of access control needs:
Small buildings to multi-site facilities
Limited access validation and monitoring of personnel movement within a facility to extensive oversight
As you prepare to implement an access control system in your organization, you may want to work from floor plans of your facility to identify factors such as the following that will affect implementation:
Locations where access control is needed
Personnel who use these locations
The movement of personnel from one location to another
How you want to manage access permissions in each location
The following illustration is a floor plan of a small office and manufacturing facility.
[Figure: floor plan showing the Rear Entrance, Loading Dock, Warehouse, Emergency Exit, Manufacturing Floor, Office, and Main Entrance]
The following issues for this sample site determine the access control devices that are needed and the configuration of the system:
At the main entrance, a receptionist greets employees and visitors during business hours.
The main entrance is locked during off hours, but employees may need to enter and exit at those times. The employer wants to monitor use of this door during off hours.
Warehouse and manufacturing employees can use the rear entrance to enter and leave the building.
The door in the manufacturing area to the outside is for emergencies only and should be closed and locked under normal circumstances.
Only authorized employees are allowed onto the manufacturing floor.
The employer wants to monitor manufacturing employees who exit the building through the warehouse to the rear entrance.
The following illustration shows the same floor plan, with access control devices in place.
[Figure: floor plan with access control devices. Labels: Single Reader at Rear Entrance; Emergency Exit: Door Switch is Supervised; Loading Dock: Door Switch is Supervised; Dual-Reader Door (Warehouse to Manufacturing Floor); Single-Reader Door (Office to Manufacturing Floor); Camera: Captures Video; Motion Detector: Unlocks Door during Regular Hours, Triggers Video during Off Hours; Main Entrance: Card Reader for Employee Access]
The following table describes how these access control devices address the issues identified for this facility. Note that the devices used in this example are only one of many possible access control solutions that can be implemented.

Area or Door
    Access Control

Main Entrance
    Card reader allows access to employees. No access to visitors unless the receptionist is present.
    Motion detector unlocks door for exiting during regular hours, and triggers alarm with video during off hours.
    Camera captures video if triggered during off hours. Security guard at CyberStation workstation is alerted and can view video.
    Supervised input on door detects tampering and triggers an alarm.

Door to Manufacturing from Office
    Card reader allows access only to authorized employees.
    No access validation needed to exit Manufacturing through this door.

Door to Manufacturing from Warehouse
    Card reader allows access to Manufacturing only to authorized employees, and requires employees to present access cards to exit Manufacturing through this door.

Rear Entrance
    Card reader allows employees access to Warehouse.
    No access validation needed to exit to the outside using this door.
    Supervised inputs on door detect opening or tampering during off hours and trigger an alarm.

Loading Dock
    Supervised inputs on door detect opening or tampering during off hours and trigger an alarm.

Emergency Exit
    Supervised inputs on door detect opening or tampering and trigger an alarm.
Overview of an Access Control Network
This illustration represents a sample Andover Continuum Security architecture.
The following components are standard in a security setup:
CyberStation
ACX 57xx Controller
NetController II
web.Client Server
Integral DVMS (Digital Video Management System)
Badge Printer
Chapter 2: Configuring an Access Control System
This chapter contains step-by-step procedures for configuring an access control network in CyberStation using ACX 57xx and NetController II controllers. The chapter presents basic configuration tasks in the sequence that you typically perform them. So that you can more readily understand how the elements of an access control network work together, the procedures in this chapter cover basic setup tasks for a simple network. Each procedure provides cross references to the CyberStation online help so that you can obtain complete, detailed information about all the options associated with a configuration task.
Task 1: Open Continuum Explorer
Objects are the building blocks of your access control network. In CyberStation, objects are categorized by class. Area, Door, Schedule, and Personnel are examples of object classes. An object’s attributes are determined by its object class, although the attribute values are specific to the individual objects.
Objects may represent:
Physical devices, such as a controller or a workstation
Folders that are storage locations for objects
Data, such as points, alarms, schedules, and personnel records
When you configure a network in CyberStation, you create the objects that correspond to the devices, folders, and data in your network, and you specify their attribute values. Continuum Explorer is the tool that you use to configure and manage your network.
[Figure: Continuum Explorer window. Networks and their objects are organized in a hierarchy under Root. Navigation Pane: select an object in this pane to display the objects it contains in the Viewing Pane.]
Open Continuum Explorer
1. Open CyberStation if it is not running at your workstation, and log in.
2. At the CyberStation main menu, click Explorer.
   Note: You can also open Continuum by clicking: Start>Programs>Continuum>Continuum Explorer
   Continuum Explorer opens. The navigation pane does not yet contain any network objects or controllers. However, other predefined objects, created for you during installation, are displayed.
3. Proceed to “Task 2: Create a Network and a Controller” on page 22.

More About Continuum Explorer
See the topic, “Continuum Explorer” in the CyberStation online help.
Task 2: Create a Network and a Controller
A network is a logical organization of controllers that know about each other and have the ability to exchange data. The ACX 57xx is a highly intelligent controller that is designed for access control. Each network contains one or more controllers, up to a maximum of 190 controllers. You can create additional networks to manage more controllers.

Containers and Parent/Child Objects
Each network in CyberStation has a hierarchical structure of objects. Many objects can be containers for other objects. For example, a network object contains all the controllers in that network. A container object is also called a parent object. All objects within the container are child objects that are “owned” by the parent object. These relationships are important for organizing the many objects that make up a network. They are also significant because you can apply settings to container objects that affect all the child objects within them.
Create a Network
When you configure an access control network, the first object you create is the network itself.
1. In Continuum Explorer, right click Root, select New, and then select Network.
2. Enter a name for the network for Object Name, and click the Create button.
   CyberStation creates an alias from the object name that you enter. You can edit the alias if you wish. An alias cannot contain symbols or spaces.
3. In the Network editor, enter the Universal Time Coordinate (UTC) offset in minutes for Time Zone. The UTC offset is the difference between your local time and Greenwich Mean Time (GMT). Enter “-” if local time is behind GMT.
   Note: “-300” minutes is an example of the Time Zone offset for Eastern Standard time.
4. Click OK.

CAUTION: Continuum controllers, workstations, and the Pelco video system must be located in the same time zone. You should also ensure that they are time synchronized with each other. The system manager can act as a time server. Since the system manager is essentially a PC, however, be aware that the time of the PC may drift.
Web Configuration for Controllers
The NetController II and the ACX controllers are commissioned and configured using your PC’s Internet browser. Before it can be configured, the controller must be installed and connected to your Ethernet network.
IP-configurable NetControllers and ACX controllers are shipped with default IP addresses and Subnet Mask values. These values must be changed to new values, which are assigned by your local IT personnel. The default values for all IP-configurable controllers are:
IP Address: 169.254.1.1
Subnet Mask: 255.255.0.0
Prior to changing these values, the PC being used to commission the controllers must be configured to communicate with the controllers at their default address. The setup values for the PC are:
IP Address: 169.254.1.(191-254)
Subnet Mask: 255.255.255.0
1. From Microsoft Internet Explorer, in the Address field, enter the controller’s default IP address (169.254.1.1).
   The Andover Continuum Embedded WebServer page appears.
2. Select Controller Configuration Options.
   The Controller Configuration Login dialog displays.
3. In the login dialog, enter the default controller user name and password:
   Username: acc
   Password: acc
   Note: The password can be changed by right clicking the Continuum task icon and selecting Change your password...
4. Select OK.
   The Controller Configuration screen appears on the left menu.
5. Select Controller Configuration.
6. In the Configurable Properties section, enter the following information:
   ACCNet ID
   IP Address
   Subnet Mask
   Gateway Address
   Web Server Port
   PPP IP Address
   Transport Type; use the drop down menu to make the proper selection.
7. In the Miscellaneous section, using the dropdown menu, select the following information:
   IO Configuration
   Comm4 Port Line
8. Select Submit to Controller.
9. Exit the configuration setup.
Note: Once you have finished commissioning your controller, your PC’s IP address and Subnet Mask value can be returned to their normal settings.
Create a Controller
Note: Before performing this procedure, you must first install the controller, connect it to your Ethernet network, and then commission the controller. Refer to “Web Configuration for Controllers” on page 24.
1. In Continuum Explorer, right click the existing network object, select New, and then select InfinityController.
2. Enter a controller name for Object Name, and click the Create button.
3. In the InfinityController editor, enter a unique number from 1 to 190 for ACCNetID.
   Note: This must match what was entered in the web configuration page. The ACCNetID value uniquely identifies the controller within the access control network.
4. Select the controller model from the Controller Type dropdown menu.
   For example, select 5740 for an ACX 5740 controller.
   Serial Number and Version will be read from the controller after the Teach operation.
5. Select the Network tab.
6. Enter the IP address of the controller and subnet mask, and if required, enter the default router. You obtain this information from your IT administrator.
7. Click Apply.
8. Select the General tab, and then click the Teach button.
9. In the Select Teach Mode dialog, select the InfinityController Teach radio button, and click OK.
   Note: To confirm that the Comm Status is online, click the Refresh button.
10. Click OK to close the InfinityController editor.
11. Proceed to “Task 5: Designate the Primary Access Server” on page 44.
More about Networks and Controllers
See the following topics in the CyberStation online help:
“Network Editor”
“InfinityController Editor”
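
The rules stated in Task 2 (ACCNetID from 1 to 190 and unique, the same ACCNetID and IP settings in the web configuration page and the InfinityController editor, factory addressing replaced, commissioning PC in 169.254.1.191-254) can be checked against a commissioning inventory before go-live. This is an added Python example, not part of the Schneider Electric guide; the inventory layout, field names, sample addresses, and the password_changed checklist flag are constructed assumptions, and the script reads only the list it is given and contacts no controller.

```python
import ipaddress
from collections import Counter

# Values stated in the guide.
FACTORY_IP = ipaddress.ip_address("169.254.1.1")   # default controller address
ACCNET_ID_RANGE = range(1, 191)                    # ACCNetID must be 1..190
PC_HOST_RANGE = range(191, 255)                    # commissioning PC: 169.254.1.(191-254)
PC_MASK = "255.255.255.0"


def commissioning_pc_ok(pc_ip, pc_mask):
    """True if the PC matches the setup values given for reaching a factory-default controller."""
    octets = ipaddress.ip_address(pc_ip).packed
    return (pc_mask == PC_MASK
            and octets[:3] == FACTORY_IP.packed[:3]
            and octets[3] in PC_HOST_RANGE)


def audit_controllers(controllers):
    """Return (controller name, finding) tuples for a commissioning inventory.

    Each dict holds the values typed into the controller's web configuration
    page (web_*) and into the InfinityController editor (cs_*). The layout is
    hypothetical; password_changed comes from the installer's own checklist.
    """
    findings = []
    if len(controllers) > len(ACCNET_ID_RANGE):
        findings.append(("<network>", "more than 190 controllers in one network"))
    id_seen = Counter(c["cs_accnet_id"] for c in controllers)
    ip_seen = Counter(c["web_ip"] for c in controllers)

    for c in controllers:
        issues = []
        iface = ipaddress.ip_interface(f"{c['web_ip']}/{c['web_mask']}")

        if c["cs_accnet_id"] not in ACCNET_ID_RANGE:
            issues.append("ACCNetID outside 1-190")
        if id_seen[c["cs_accnet_id"]] > 1:
            issues.append("ACCNetID not unique in network")
        if c["web_accnet_id"] != c["cs_accnet_id"]:
            issues.append("ACCNetID differs between web page and editor")
        if iface.ip == FACTORY_IP or iface.ip.is_link_local:
            issues.append("still on factory-default addressing")
        if ip_seen[c["web_ip"]] > 1:
            issues.append("IP address used by more than one controller")
        if (c["cs_ip"], c["cs_mask"]) != (c["web_ip"], c["web_mask"]):
            issues.append("Network tab IP/mask differs from web page")
        gateway = c.get("web_gateway")
        if gateway and ipaddress.ip_address(gateway) not in iface.network:
            issues.append("gateway is outside the controller's subnet")
        if not c["password_changed"]:
            issues.append("factory-default configuration password not changed")

        findings.extend((c["name"], issue) for issue in issues)
    return findings


# Constructed sample inventory (names and addresses are invented for illustration).
SAMPLE = [
    {"name": "ACX-Lobby", "web_accnet_id": 1, "cs_accnet_id": 1,
     "web_ip": "10.20.30.11", "web_mask": "255.255.255.0", "web_gateway": "10.20.30.1",
     "cs_ip": "10.20.30.11", "cs_mask": "255.255.255.0", "password_changed": True},
    {"name": "ACX-Warehouse", "web_accnet_id": 2, "cs_accnet_id": 3,
     "web_ip": "10.20.30.12", "web_mask": "255.255.255.0", "web_gateway": "10.20.31.1",
     "cs_ip": "10.20.30.12", "cs_mask": "255.255.255.0", "password_changed": True},
    {"name": "NC2-Spare", "web_accnet_id": 1, "cs_accnet_id": 1,
     "web_ip": "169.254.1.1", "web_mask": "255.255.0.0", "web_gateway": "",
     "cs_ip": "169.254.1.1", "cs_mask": "255.255.0.0", "password_changed": False},
]

if __name__ == "__main__":
    for name, issue in audit_controllers(SAMPLE):
        print(f"{name}: {issue}")
```
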
Task 3: Configure IOU Modules
After you finish configuring a controller with the Comm port editor, you can define your input and output. Start by defining the IOU modules with the IOUModule editor.
IOU modules are electrical units that contain a number of input and/or output circuits that are electrically and sometimes physically attached to controllers. They provide controllers with the ability to interface with the outside world.
There are four types of IOU Modules:
Input modules
Output modules
Mixed input and output modules
Special-purpose modules
Creating an IOU Module Object
The following steps allow you to add an IOU Module object for an IOU Module connected to a controller.
1. Right click the controller that you want to own this module, select New, and then select IOUModule.
2. When the New dialog appears, name the IOUModule and click Create.
General Tab – IOUModule Editor
Use the General tab to enter basic information about the IOU module.
Description
The description is optional, but a good description of the IOUModule object helps others when they need to test, modify or manipulate the network. To enter a description, type up to 32 characters (including spaces) in the text field.
IOU Number
Enter the IOU number here. You must manually assign a unique number (between 1 and 32) for each IOU module on a network controller. Physically label the IOU modules with the numbers you assign. This number is not the same as the 12-digit module ID # assigned to the individual module at the factory. You will use this number when you configure points on this controller.
Model Number
The model number identifies the type of the IOUModule and is read from the module.
Comm Status
This displays Online or Offline, depending on whether the controller is in communication with the module.
Module ID and Program ID
These Schneider Electric-assigned numbers appear after the Learn process. The only time you will need these numbers is when speaking to a Schneider Electric Support Representative. These numbers will help our staff to answer your questions. You may manually enter the Module ID number in this field (if you know it) rather than following the Learn process.
Learn
Use the Learn button to commission the IOU module on the network. See “Commissioning an IOU Module” on page 33 later in this chapter.
Wink
Use the Wink button after commissioning the IOU module to confirm that your system recognizes the IOU module. Click the Wink button. The Status light on the IOU module should flash. This indicates the IOU module was successfully commissioned.
Update IOU
Click the Update IOU button to browse for a *.iou file (a Schneider Electric-provided Flash File for individual modules) when updating IOU modules with new firmware.
Security Level Tab – IOUModule Editor
The SecurityLevel tab shows the object security level and access privileges for the object.

More about the IOUModule Editor
For more information, see the “IOUModule Editor” topic and its related subtopics in the CyberStation online help.
Commissioning an IOU Module
Perform this procedure after installing the IOU module on the controller.
1. In the IOUModule editor, click the Learn button. A dialog displays requesting the operator to press the Commission button on the physical module.
2. At the IOU Module, press the Commission button on the front panel. The dialog at the workstation should disappear, indicating that it received the information from the module. If the module is not easily accessible, you can enter the module ID found on the label inside the cover of the module into the field, and click the Apply button.
3. In the IOUModule editor, click the Refresh button. The ModuleID for the commissioned module, the ProgramID field, and the IO model type (i.e., AO-4-8) are automatically entered. This information was received from the module. Also, the Comm Status should be Online.
Task 4: Configure Controller Comm Ports
The comm port you select to configure and the settings you choose in the CommPort editor depend on the model of network controller and the device you want to connect to it. Refer to the CommPort Editor topic of the CyberStation online help to identify the appropriate settings to use for your devices. To configure a comm port, follow these steps:
1. In Continuum Explorer, expand the network controller whose comm ports you want to configure.
2. Double click the CommPort class folder under the controller. CommPort objects appear in the list of objects in the viewing pane.
3. Double click the CommPort object you want to configure.
4. In the CommPort editor, select the appropriate settings in each tab as described on the following pages.
5. Click OK.
General Tab – CommPort Editor
In the General tab, enter basic information about the comm port.
Description
Type in a description for the comm port. You can use up to 32 alphanumeric characters. This attribute is optional, but providing a good description can aid other users.
Comm Port Number
The CommPort attribute displays the number of the comm port you are editing.
Default Mode
Each comm port has a default mode. To change the default mode, select a different one from the Default Mode dropdown menu. The Settings tab displays different attributes, depending on the default mode you select. Refer to the table of default modes and their descriptions for more information.
Note: In the event of a controller reset, each comm port reverts to its original default mode. For a complete list of default modes for each comm port on each controller, please see the help topics: “Configuring Settings for Infinet or MSTP,” “Default Modes for Controller Comm Ports,” and “Summary of Comm Port Characteristics.”
Default Mode | Description
Printer | Select this option when connecting a serial printer to this port.
XDriver (XDriver option must be enabled to support this function) | Select this option to use a customized external equipment driver to connect to a third-party device. Note: Before you can select the XDriver, you must first install it using the instructions provided with the software. To select an XDriver file, click the browse button to locate and select the file for the XDriver.
NotConfigured | Select this option if the comm port is available. Indicates that the port is not preset to any other default mode configuration.
Viewing the Status of an XDriver Device
In the General tab, click the XDriver Status button to view the status of the device that is using the XDriver. The XDriver Status button displays the following read-only information:
Status
Displays the status of the device, or XdrvNotInstalled when no XDriver file has been selected.
Error
Displays the last error to occur on the device.
Error Time
Displays the time and date that the last error occurred on the device.
Error Count
Displays the number of errors that have occurred on the device since you last set it to zero. Increments to 255 errors and remains set at 255 until you reset it to zero by clicking the Reset Count button.
Settings Tab – CommPort Editor
The Settings tab is where you view or edit the communications speed and handshaking settings for the mode that you have chosen for the port. Depending on which Default Mode you select on the General tab, some of the attributes on this tab may be unselectable (appear gray).
Baud Rate
The baud rate is the speed, measured in bits per second, at which the controller sends information to the device that you are connecting to the comm port. Select the baud rate that matches that required by the equipment connected to this port.
Track CXD
This option monitors a communications carrier detect signal called CXD. When selected, it enables the controller to detect when communication with connected objects has been lost. Depending on your modem configuration, the CXD (sometimes called DCD) signal (pin 8 on an RS-232 connector) is asserted “high” when the communications link is established between modems. Once the carrier signal is lost, CXD goes “low.” Track CXD looks for the high-to-low transition and makes the controller reset this comm port to its default mode. Track CXD “cleans up” the comm port by logging off the last user. Track CXD is selected by default, and it is required for comm ports that are connected to modems. If Track CXD is not selected, the controller cannot respond to the loss of the CXD signal.
Flow Control
The flow control type determines how the comm port handles the flow of data between the controller and its attached device (usually a printer, modem, or terminal). This process is also known as “handshaking.” Select one of the following options from the dropdown menu:
NoFlowControl: Select this flow control type if you do not want to regulate the flow of information between the controller and its attached printer, modem, or terminal. Without a flow control type, buffers that hold data that is being transmitted or received could overflow, and some data could get lost.
CtsRts: This flow control type uses hardware signals to send “clear to send” (Cts) and “request to send” (Rts) messages. Both of these messages must be acknowledged by the controller and its attached device before information can be transmitted.
XonXoff: This flow control type uses software signals in the form of characters that are sent as part of the data being transmitted. When the controller or its attached device detects that it has been sent an Xon character, it makes itself available to receive data. It considers all data received after the Xon character as valid. When it detects an Xoff character at the end of the data stream, the controller or attached device knows the transmission is complete.
XonXoff CtsRts: This flow control type uses both the software (XonXoff) and hardware (CtsRts) handshake methods for regulating the flow of information between the controller and its attached device.
Current Mode
This is a read-only attribute that shows you the default mode selected in the General tab.
SecurityLevel Tab – CommPort Editor
Refer to the “CommPort Editor” topic of the CyberStation online help for details regarding attaching or detaching SecurityLevel objects.
Field Bus Controllers Tab – CommPort Editor
When you set the General tab’s Default Mode to Infinet, MS/TP, or Wireless, the Field Bus Controllers tab appears on the CommPort editor. This tab displays the controllers that reside on their respective field bus network — Infinet, BACnet MS/TP, or Wireless — connected to this comm port. The controllers will not display, however, until you click the Learn button on the Settings tab. The CommStatus column displays either Online or Offline for controllers listed in the Name column. When a controller is Online, it is communicating with the rest of the network. When a controller is Offline, it is not in communication with the rest of the network. This information is read only.
NetController II Model 9680
Comm Port | Default Mode | Other Modes
Infinet Port | - | -
User Port | - | -
COMM1 | AutoSet | Printer; Infinet; Lbus; LON; PPP; Wireless; XDriver
COMM2 | AutoSet | Printer; Infinet; Wireless; XDriver
COMM3 | AutoSet | Printer; PP; XDriver
COMM4 | AutoSet | Printer I; Lbus; XDriver
COMM16 | LON | XDriver
Custom Port | - | -
ACX 57XX Series
Comm Port | Default Mode | Other Modes
Infinet Port | - | -
User Port | - | -
COMM1 | AutoSet | Infinet; Wireless; XDriver
COMM2 | - | -
COMM3 | - | -
COMM4 | - | -
COMM16 | - | -
Custom Port | - | -
Note: For additional information, in the Comm Port editor, see the help topics: “Configure Settings for Infinet”, “Default Modes for Controller Comm Ports”, and “Summary of Comm Port Characteristics”
Task 5: Designate the Primary Access Server
The Primary Access Server is the CyberStation workstation that you designate to record access events in the CyberStation database. If your network has multiple CyberStation workstations, you also should designate another workstation as a Secondary Access Server.
1. In Continuum Explorer, right click the workstation that you want to make the primary access server, and select Edit.
2. In the General tab of the Device editor, check the Primary Access Server check box, and click OK.
3. When prompted to teach the controllers and workstations about this workstation, click Yes.
4. Proceed to “Task 6: Create CyberStation Points” on page 45.
More about the Primary Access Server
See the topic “Device Editor” in the CyberStation online help.
Task 6: Create CyberStation Points
A point is an object that stores a value, such as an input indicating the status of a door lock, an output that locks or unlocks a door, or a True-False condition that triggers an alarm. In access control systems, you most often work with the following types of point objects:
Point Type | Use in Access Control Systems
Supervised InfinityInput | Used to monitor contact status as well as the condition of the wiring, allowing CyberStation to detect that wiring was tampered with.
Digital InfinityOutput | Used to specify a digital (On or Off) value, allowing CyberStation to change the status of a switch or a contact.
InfinityNumeric | Software point that stores a number value, including an On/Off value (1 or 0).
InfinityDateTime | Software point that stores a date and time value.
InfinityString | Software point that stores text.
Points enable you to monitor and control access events. You use these points with schedules, alarms, and other objects to establish routine access control and to respond to unauthorized access events.
Create an InfinityInput Point
Supervised input points can monitor:
The status of a contact or switch, and
Whether the wiring for the contact or switch was tampered with.
Supervised points can have one of three values: On, Off, or Trouble.
You create a supervised input point for each input (for example, from a contact sensor) from the devices wired to channels at each controller in your network.
1. In Continuum Explorer, right click the controller where you want to create the point, select New, and then select InfinityInput.
2. Enter a point name for Object name, and click the Create button.
3. In the General tab of the InfinityInput editor, enter the units for this point. For example, define the meaning of the On value: “On = Closed.” Leave the Value field at 0. The system updates the value with the input from the associated controller channel. Entering a description helps other users identify what this point represents.
4. Select the Settings tab.
5. Select Supervised for Elec Type.
6. Enter the controller channel number (marked on the controller) to which this input is wired.
7. Enter $####### for Format. $ indicates a text value. Each # is a placeholder for one character. This format enables On, Off, or Trouble to be reported for the value. Use a period to indicate the position of the decimal point, if needed. An example for the Format value is “$#####.#”.
8. Select the appropriate input type based on the wired configuration of the switch (normally open with a resistor in series, normally closed with a resistor in series).
9. Click OK.
Create an InfinityOutput Point
An InfinityOutput point is a digital point that stores the value of a signal sent to an access control device. The value is sent via the controller channel to which the device is wired, and is used to control the device. For example, the output may lock a door. An output point can have a value of On or Off. You create an output point for each output (for example, to a door lock) to the devices wired to channels at each controller in your network.
1. In Continuum Explorer, right click the controller where you want to create the point, select New, and then select InfinityOutput.
2. Enter a point name for Object name, and click the Create button.
3. In the General tab of the InfinityOutput editor, enter the units for this point. For example, define the meaning of the On value: “On = Unlock.” Leave the Value field at 0.
4. Select the Settings tab.
5. Select Digital for Elec Type.
6. Enter the controller channel number (marked on the controller) to which this output is wired.
7. Enter $### for Format. $ indicates a text value. Each # is a placeholder for one character. This format enables On or Off to be reported for the value.
8. Click OK.
Create an InfinityNumeric Point
An InfinityNumeric point stores a number value, such as:
Value | Example
System constant | Maximum occupancy for a specific area
Result of a calculation | Current occupancy of the area
Logical value | On or Off value set by a schedule
1. In Continuum Explorer, right click the controller where you want to create the point, select New, and then select InfinityNumeric.
2. Enter a point name for Object name, and click the Create button.
3. In the General tab of the InfinityNumeric editor, enter the units for this point. For example, define the meaning of the point value: “Max. Occupancy = 100” or “On=Occupied.”
4. Leave Value empty, or enter a value, depending on how you intend to use this point. For example, if the point will be a constant, enter the number. If the value will be the result of a calculation, do not enter anything in the field.
5. Enter the format of the value for Format. $ indicates a text value. Each # is a placeholder for one character. Use a period to indicate the position of the decimal point, if needed. An example for the Format value is “$#####.#”.
6. Click OK.
7. Proceed to “Task 7: Create Areas” on page 52.
More about Points
See the following topics in the CyberStation online help:
“InfinityInput Editor”
“InfinityOutput Editor”
“InfinityNumeric Editor”
Task 7: Create Areas
An area is a space that can be accessed only by passing through an access control device, such as a card reader or keypad. Each area can be accessed through one or more doors where access control devices are configured.
For example, the manufacturing floor of a small facility might have doors leading to other areas of the facility, such as an office area, stock room, and emergency exit to the outside.
[Figure: facility layout with areas labeled Lobby/Offices, Manufacturing Floor, and Stock Room]
Factors to Consider When Defining Areas
Unlike Door objects, which correspond to actual doors in your facility, Area objects are not necessarily direct representations of each physical space in your facility. The number of Area objects that you need to create depends on many factors, including:
The size and physical layout of your facility
The movement of personnel into, out of, and through your facility
The degree of access control that you require for the movement of personnel within the facility
The types of personnel who need access to various locations in your facility and when access is needed
After you create an area object, you configure doors that access the area. You also assign the area to personnel who need access to it. In addition, you can attach schedule points to Door and Personnel objects to determine when access can occur.
Create an Area
Because the doors accessing an area may be managed by different controllers, you typically create a folder for Area objects from Root.
1. In Continuum Explorer, right click Root, select New, and then select Folder.
2. Enter a folder name, and click the Create button.
3. Right click the folder, select New, and then select Area.
4. Enter an area name, and click the Create button.
5. In the Area editor, click OK. You can now assign doors and personnel to this area.
6. Proceed to “Task 8: Create Doors” on page 54.
More about Areas
See the topic “Area Editor” in the CyberStation online help.
Task 8: Create Doors
Door objects, along with Area and Personnel objects, are the fundamental elements of your access control system. Door objects are highly customizable, and you can configure doors to meet the access control requirements of specific locations. You can configure access control devices, such as card readers and keypads, on one side of a door (single-reader door) or on both sides (dual-reader door).
When to Create a Door
You create Door objects only for doors that have access control devices associated with them. If you want to monitor a door that is simply closed or locked under normal circumstances, such as a fire door, you can do this by setting up supervised input points for the door switch and contacts.
Data that Defines a Door
You will need the following information to define each door:
Card-format information for access-card sets
Site codes (Wiegand or ABA card formats only) accepted at the door
Area(s) to which the door provides access
Type of validation needed at the door (by site code, card number, personal identification number [PIN], etc.)
Channel numbers for card reader and keypad inputs
Channel numbers for door inputs and outputs
You can also attach schedule points to a door to determine when the door is locked or unlocked or when no access is allowed.
Create a Door
You create Door objects in the controller to which the door and reader inputs and outputs are wired.
1. In Continuum Explorer, right click the controller where you want to add the door, select New, and then select Door.
2. Enter a door name, and click the Create button.
3. In the Door editor, select the Card Formats tab.
4. If you use Wiegand cards, enter the site code(s) used with your access cards.
Note: You can have up to four site codes per door.
5. Select the card format, Wiegand or ABA, and then select the individual formats that you want the reader to recognize.
Note: The FIPS-PIV options are included in the Wiegand Formats section. CyberStation version 1.9 and higher supports this special personnel category for federal employees and contractors whose security identification must comply with the Federal Information Processing Standard for Person Identity Verification (FIPS-PIV). In CyberStation you can configure door and Personnel objects to accommodate FIPS-PIV card or “credential” holders and FIPS-PIV card readers. For more information, see Adding FIPS-PIV Card Credentials in Chapter 4, Advanced Topics for Access Control. Refer also to the CyberStation help topic, “Defining a Custom FIPS-PIV String Format.”
6. Select the Entry Reader tab.
7. Enter the channel number on the controller that is connected to the card reader at this door.
8. Select the area to which the door provides access.
9. Select the access validation options required at this door.
10. If the door has readers on both sides, select the Exit Reader tab, and repeat steps 7 - 9 to configure the second reader.
11. Select the Channels tab.
12. Enter the channel number where each input or output is wired.
Channel | Description
Door Output | Channel to which the door lock is wired.
ADA (Americans with Disabilities Act) Output | Channel to which an electronic door opener is wired.
Alarm Output | Channel that will be energized when an alarm condition is active at this door.
Exit Request Input | Channel that receives input from a motion detector, request-to-exit (REX) button, or other REX device.
Door Switch Input | Channel to which the door switch is wired. The door switch monitors whether the door is open or closed. You also select the resistor type for the switch.
Bond Sensor Input | Channel to which a bond sensor is wired. A bond sensor determines the physical position of the door latch. You also select the resistor type for the sensor.
ADA (Americans with Disabilities Act) Exit Request Input | Channel for input that requests that the door be opened for a person to leave the area accessed by this door.
ADA (Americans with Disabilities Act) Input | Channel for input indicating that the card holder has ADA access enabled on his or her access card.
13. Select the Options tab.
14. Under Send Access Events, select the events you want to log for this door. The events that you select for this door can be shown in logs, ListView and EventView windows, and reports. Events not selected here are not captured and cannot be retrieved for later viewing and reporting.
15. Click OK.
Note: CyberStation version 1.9 and higher supports a special personnel category for federal employees and contractors whose security identification must comply with the Federal Information Processing Standard for Person Identity Verification (FIPS-PIV). In CyberStation you can configure door and Personnel objects to accommodate FIPS-PIV card or “credential” holders and FIPS-PIV card readers. For more information, see Adding FIPS-PIV Card Credentials in Chapter 4, Advanced Topics for Access Control.
View Doors Assigned to an Area
1. In Continuum Explorer, expand the folder where you created areas, and double click the area to which you assigned the new door.
2. In the Area editor, select the Doors to Area tab. The door you created now appears in the list. The list indicates whether the door provides access to the area, exits the area, or both.
3. Click Cancel.
4. Proceed to “Task 9: Create Personnel” on page 63.
More about Doors
See either the topic, “Door,” and its subtopics, or “Door Editor” in the CyberStation online help.
Task 9: Create Personnel
A Personnel object stores the access information for each person authorized to enter your facility. Personnel objects can also store personal and employee data for each person.
Access-Control Information in a Personnel Object
You can specify access control information for each Personnel object, such as:
Card format
Site code
Card number
Card expiration date
Areas to which the person has access rights
Schedule points that determine when the person can access assigned areas
More advanced access control settings, such as area clearance levels and executive privilege, can also be defined in a Personnel object. These are described in greater detail in the CyberStation online help. In addition, if you have purchased the badging option, you can create ID badges for Personnel objects. The badges can include a photo, signature, fingerprint, etc., to identify the card holder.
Methods of Creating Personnel Objects
You have several options for creating Personnel objects:
You can enter new Personnel objects in the Personnel Manager dialog.
You can use the Personnel Import Utility to import personnel records from another application into CyberStation. Once imported, these records become Personnel objects that you can edit and manage in the Personnel Manager.
You can import personnel records from a .CSV file and save the imported data as Personnel objects.
You can create Personnel objects from templates.
You can add new Personnel objects from Continuum Explorer.
Open the Personnel Manager for the First Time
The Personnel Manager automatically opens when you double click a Personnel object in Continuum Explorer. However, if you have not yet created any Personnel objects, you create a new Personnel object in Continuum Explorer, which also opens the Personnel Manager. You typically create one or more folders in which to store Personnel objects.
1. To create a Personnel folder in Continuum Explorer, right click Root, select New, and then select Folder.
2. Enter a folder name, and click the Create button.
3. Right click the folder, select New, and then select Personnel.
4. Enter a name for the Personnel object (for example, you might want to enter the last name and first initial of the person), and click the Create button. The Personnel Manager opens.
5. In the Details tab, enter the person’s full name.
6. Select the card format for Card Type.
7. For Wiegand cards, enter the site code for the card. For FIPS-PIV cards, enter agency code and system code.
8. Enter the card number. For FIPS-PIV cards, enter credential number.
9. Under Access Rights, expand the UnAssigned areas list.
10. Select the check box next to areas this person can access. You can expand an area to attach a schedule point. Schedule points are described in “Task 10: Create Schedules” on page 68.
11. Click Apply.
Note: CyberStation version 1.9 and higher supports a special personnel category for federal employees and contractors whose security identification must comply with the Federal Information Processing Standard for Person Identity Verification (FIPS-PIV). In CyberStation you can configure door and Personnel objects to accommodate FIPS-PIV card or “credential” holders and FIPS-PIV card readers. For more information, see Adding FIPS-PIV Card Credentials in Chapter 4, Advanced Topics for Access Control.
Create a Personnel Object in the Personnel Manager
When the Personnel Manager is open, you can continue creating Personnel objects without closing and reopening it each time.
1. In the Personnel Manager, click the Add Record button.
2. Repeat steps 5 - 11 above to enter information for this person.
3. When you finish adding Personnel objects, click OK to save the current object and close the Personnel Manager.
4. Proceed to “Task 10: Create Schedules” on page 68.
Note: An alternate method for creating a Personnel object is with the Personnel Editor. Refer to the “Personnel Editor” topic in the CyberStation online help for more details.
More about Personnel Objects
See the following topics in the CyberStation online help:
“Personnel Manager”
“Personnel Editor”
“Personnel Import Utility”
“Allowed Credentials Dialog”
Task 10: Create Schedules
A schedule is a graphical calendar of events that CyberStation uses to determine when activities occur. Access-control activities that you can manage with schedules include:
When doors are locked or unlocked
When personnel have access to areas
About Schedule Points
Schedules use the following points to determine when the schedule is active and which CyberStation objects are controlled by the schedule:
InfinityDateTime points that are updated with occupied and unoccupied times
An InfinityNumeric or InfinityOutput point whose value is set by the schedule. Other objects that reference this point, such as a door, are controlled by the schedule that sets the point value.
Create and Configure a Schedule
You create schedules in the controller where the schedule will be used. (Later, you can use the Schedule editor’s Mass Create feature to copy the schedule to other controllers in your network, if needed.)
Note: Before creating a schedule, you must create the points called for in the schedule. See “Task 6: Create CyberStation Points” on page 45.
1. In Continuum Explorer, right click the controller, select New, and then select Schedule.
2. Enter a schedule name, and click the Create button.
3. In the Schedule editor, select the Configuration tab.
4. Under Point Configuration, use the browse button to locate each of the following points:
An InfinityDateTime point that the schedule updates with the next occupancy time (the date and time at which an area will next be occupied)
An InfinityDateTime point that the schedule updates with the next unoccupancy time (the date and time at which an area will next be unoccupied)
5. Use the browse button to locate the InfinityNumeric point that the schedule will set for Occupancy Point. The value of this point will be set to On (Occupancy Time is now.) or Off (Unoccupancy Time is now.).
6. Check the Automatic Download check box, and select the day of the week and the time you want CyberStation to download the schedule to the controller.
7. Click OK.
8. In Continuum Explorer, right click the workstation that you want to perform the schedule download, and select Open.
9. In the General tab of the Device editor, click the Auto Download check box, and click OK.
Each week, at the day and time you selected in the schedule, this workstation downloads the next seven days of the schedule to the controller.
Attach a Schedule Point to a Door
After you create and configure a schedule, you attach the point you selected for the Occupancy Point to the objects you want the schedule to control.
1. In Continuum Explorer, double click the door to which you want to attach the schedule point.
2. In the Door editor, select the Options tab.
3. Click the browse button next to one of the schedule fields, and navigate to and select the schedule point you want to attach. You can use schedule points to control the door in two ways:
Attach the point to . . . | To . . .
Door Force Lock Schedule | Lock the door, with access allowed to valid personnel when the schedule is On, and lock the door, with no access allowed when the schedule is Off.
Door Force Unlock Schedule | Unlock the door, with no access validation required when the schedule is On, and lock the door, with access allowed to valid personnel when the schedule is Off.
4. If you are using the Force Lock option, select the Entry Reader tab, and ensure that the Door Force Lock Schedule check box is selected for Normal under Access Validation. Repeat for the Exit Reader tab if this is a dual-reader door.
5. Click OK.
Attach a Schedule Point to an Area in a Personnel Object
Attaching schedule points to areas in a Personnel object enables you to specify when this person can access the assigned areas without affecting access to the areas by other personnel. For example, you may want permanent employees to have access to your facility at any time. You may also want temporary workers to have access only during the regular business day and be denied access after hours. You can limit the times of access for temporary workers by attaching schedule points to area assignments in their Personnel objects.
If . . . A schedule point is attached to an area in the Personnel object
Then . . . the person can access the area only when the schedule associated with the point is active.
If . . . No schedule point is attached to an area in the Personnel object
Then . . . the person can access the area as determined by schedules (if any) that are attached to doors to the area.
1. In Continuum Explorer, double click the Personnel object that you want to edit.
2. In the Personnel Manager, under Access Rights, expand Assigned, and then expand an area where you want to attach a schedule point.
3. Click the icon next to Add Schedule to display the Add Schedule dialog.
4. Select the browse button next to Schedule Points Location to locate, and select the controller with the schedule point that you want to add.
5. Select a schedule point, select the area(s) where you want to attach the point, and click OK.
6. Click OK.
7. Proceed to “Task 11: Configure Alarms” on page 75.
More about Schedules
See the following topics in the CyberStation online help:
“Schedule Editor”
“Options Tab” (located in the “Door Editor” topics)
“Editing a Personnel Object” (located in the “Personnel Manager” topics)
Task 11: Configure Alarms
When you have configured your access control system to define when, where, and to whom access is permitted, your next task is to set up alarms that notify you when unauthorized access is attempted or other access-related conditions occur. Two CyberStation objects work together to define alarm conditions and the system’s response to the alarm:
An EventNotification object determines what happens in response to the alarm. These EventNotification objects define the response to alarms of different levels of severity.
An AlarmEnrollment object specifies the conditions that define the alarm state and the return to normal state. You attach an AlarmEnrollment object to the objects, such as doors and points, to configure the alarm for that object. These AlarmEnrollment objects define some typical door-related alarm conditions.
About Event-Notification Objects
In an EventNotification object, you specify how the system responds to an alarm condition. You also specify how a user, when notified of an alarm, must respond to acknowledge the alarm. Actions the system can take include:
Displaying alarm messages in the Active Alarm View window or the Alarm Status bar at specific workstations
Beeping or playing an audio file at the workstations
Sending an e-mail message and/or paging one or more individuals
Displaying a video layout that shows video from cameras in locations affected by the alarm
Displaying a graphics panel associated with the alarm
You can also specify the notification actions that occur when the conditions that triggered the alarm return to normal.
Create an Event-Notification Object
You create EventNotification objects in Root. Typically, you create a folder in Root to store both EventNotification objects and AlarmEnrollment objects.
1. In Continuum Explorer, right click Root, select New, and then select Folder.
2. Enter a folder name, and click the Create button.
3. Right click the folder, select New, and then select EventNotification.
4. Enter a name, and click the Create button.
Note: The Fault state referred to in the EventNotification editor does not apply to access control events.
5. In the General tab of the EventNotification editor, enter a number for the priority of the alarm state and the return to normal state.
Priority is used to sort events in the Active Alarm View window, with higher-priority events (events with a smaller priority number) at the top of the list. For example, a certain kind of alarm may be priority 1, while the return to normal for the alarm is priority 10. You can choose how you want to assign priorities to alarms.
6. Under Colors and Fonts, right click to select the colors and fonts used to display the alarm in the Active Alarm View window and the Alarm Status bar.
7. If you want the notification to be reissued if the alarm continues, enter the number of minutes between notifications for Repeat.
8. Select the Actions tab.
9. Click the check box next to each action you want the system to take in notifying users of the alarm and the return to normal.
Note: You can receive an email notification of an alarm by choosing one of the email selections from the checklist. For more information about email notification of alarms see “About Notification by Email and Pages” on page 80.
10. Select the Delivery tab.
11. Click the Add Recipient button.
12. In the Recipients Configuration dialog, click the browse button to locate and select the CyberStation workstation to be notified of the alarm.
Note: The “recipients” referred to in this dialog are the CyberStation workstations that you want to be notified of the alarm and that will then take the actions you selected in the Actions tab.
13. Specify the days and times of day that this workstation should receive the messages.
For example, you might designate Workstation 1 as the recipient of alarm notification during office hours Monday through Friday. You might then designate another workstation as the recipient of notification at night and on weekends.
14. Click the check box next to the actions the workstation should take if it receives notification during the times you selected.
If you want the workstation . . . Always to perform the action
Then . . . Select the check box under Primary for the action.
If you want the workstation . . . To perform the action only if a workstation that was designated as primary for this action is offline
Then . . . Select the check box under Secondary for the action.
If you want the workstation . . . To perform the action only if a repeat of the alarm has occurred
Then . . . Select the check box under Backup for the action.
15. Click OK.
16. Select the Deactivate tab.
17. Select when to remove the alarm from the Active Alarm View window.
18. Click OK.
You can now create an AlarmEnrollment object that uses this EventNotification object.
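
The recipient schedule and the Primary, Secondary and Backup check boxes decide which workstation reacts to an alarm at a given hour, so a delivery plan is worth checking for hours that nobody covers. The Python sketch below is an added example, not CyberStation code or a CyberStation export format: the Recipient record, the workstation names and the sample plan are constructed, and it assumes a Secondary recipient acts only when a Primary recipient scheduled for the same hour is offline.

```python
from dataclasses import dataclass

DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")


@dataclass(frozen=True)
class Recipient:
    """One Delivery-tab row for a single action (hypothetical record layout)."""
    workstation: str
    role: str        # "primary", "secondary" or "backup"
    days: tuple      # subset of DAYS
    windows: tuple   # ((start_hour, end_hour), ...), end exclusive, same day

    def covers(self, day, hour):
        return day in self.days and any(s <= hour < e for s, e in self.windows)


def responders(plan, day, hour, online, is_repeat=False):
    """Workstations that perform the action for an alarm at the given time."""
    active = [r for r in plan if r.covers(day, hour)]
    # Assumption: "primary is offline" means a Primary scheduled for this hour.
    primary_offline = any(
        r.role == "primary" and r.workstation not in online for r in active
    )
    acting = set()
    for r in active:
        if r.workstation not in online:
            continue  # an offline workstation cannot perform anything
        if r.role == "primary":
            acting.add(r.workstation)
        elif r.role == "secondary" and primary_offline:
            acting.add(r.workstation)
        elif r.role == "backup" and is_repeat:
            acting.add(r.workstation)
    return sorted(acting)


def to_ranges(slots):
    """Collapse [(day, hour), ...] into [(day, start, end_exclusive), ...]."""
    ranges = []
    for day, hour in slots:
        if ranges and ranges[-1][0] == day and ranges[-1][2] == hour:
            ranges[-1] = (day, ranges[-1][1], hour + 1)
        else:
            ranges.append((day, hour, hour + 1))
    return ranges


def audit_week(plan):
    """Return (no_primary, no_fallback) as lists of (day, start, end) ranges."""
    no_primary, no_fallback = [], []
    for day in DAYS:
        for hour in range(24):
            active = [r for r in plan if r.covers(day, hour)]
            primaries = {r.workstation for r in active if r.role == "primary"}
            secondaries = {r.workstation for r in active if r.role == "secondary"}
            if not primaries:
                no_primary.append((day, hour))   # first alarm reaches nobody
            elif len(primaries) == 1 and not (secondaries - primaries):
                no_fallback.append((day, hour))  # one workstation, no stand-in
    return to_ranges(no_primary), to_ranges(no_fallback)


# Constructed sample plan: office hours on Workstation1, nights and weekends
# on Workstation2, with the 17:00-18:00 weekday hour left out by mistake.
WEEKDAYS = DAYS[:5]
PLAN = (
    Recipient("Workstation1", "primary", WEEKDAYS, ((8, 17),)),
    Recipient("Workstation2", "secondary", WEEKDAYS, ((8, 17),)),
    Recipient("Workstation2", "primary", WEEKDAYS, ((0, 8), (18, 24))),
    Recipient("Workstation2", "primary", ("Sat", "Sun"), ((0, 24),)),
    Recipient("Workstation3", "backup", DAYS, ((0, 24),)),
)

if __name__ == "__main__":
    gaps, single = audit_week(PLAN)
    for day, start, end in gaps:
        print(f"no Primary recipient: {day} {start:02d}:00-{end:02d}:00")
    for day, start, end in single:
        print(f"Primary without Secondary: {day} {start:02d}:00-{end:02d}:00")
```

In the sample plan, an alarm at 17:00 on a weekday is acted on only by the Backup workstation, and only once the alarm repeats.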
About Notification by E-mail and Pages
If you want to use the e-mail and paging options in an EventNotification object, you also need to set up distribution lists in the e-mail application at the computer that distributes alarm notifications. For each EventNotification object, create a distribution list of the people you want to be paged or receive e-mail when an associated alarm occurs. Create the lists in the first address book that appears in the e-mail application, and use the formats shown in the following table for the list names. The list names in the Example column are for an EventNotification object named “dooralarms.”
Requirements for forwarding CyberStation alarms via E-mail or page:
The CyberStation workstations that have been designated primary and backup E-mail and/or page handlers must have a MAPI-compliant E-mail client such as MS Exchange or Outlook.
The E-mail client application can communicate with an existing E-mail server application, such as MS Exchange Server.
The primary or backup E-mail/paging workstation must be running CyberStation at the time an alarm is generated.
Each EventNotification object associated with the alarms that you wish to E-mail or page must have its own E-mail distribution list in the personal address book or Contacts list of the client E-mail application using a specified naming convention as outlined in Step 4 below. This E-mail distribution list must be stored in the first address book shown in the list of available address books in the E-mail client application. For example, if you create an EventNotification distribution list in the Personal Address Book in Microsoft Outlook, then the Personal Address Book must be the first one showing in the address list dropdown menu when you open the Address Book.
Creating an EventNotification Distribution List
To create an E-mail or page distribution list, proceed as follows:
Note: The following steps are based on Microsoft Outlook. Other mail applications may have different menu names and choices but the general procedure is the same.
1. Open the Address Book for the E-mail account on the CyberStation workstation that will be providing the E-mail/paging service(s). Your toolbar may have a button for this. If not, use the Address Book option of the Tools menu.
2. Select New Entry from the Files menu.
3. Select the entry type Personal Distribution List and put this entry in the Personal Address Book.
4. In the Name field enter a name for the distribution list using the following format:
List Type    Format of List Name               Example
E-mail       acc.eventnotification.name        acc.eventnotification.dooralarms
Paging       acc.page.eventnotification.name   acc.page.eventnotification.dooralarms
For example, if your EventNotification object is named Severe, the personal distribution list for E-mail deliveries should be named: ACC.Severe. Likewise, your personal distribution list for page deliveries should be named: ACC.page.Severe.
Note: Use the EventNotification object Name, not the Alias, for example, Critical Temp, not CriticalTemp.
5. Add members (the E-mail addresses or pager and service numbers of those to whom the notification of the alarm will be sent) to your personal distribution lists.
6. Set address book options so that the address book where your personal distribution lists are stored is the first one to be searched when sending E-mails or pages. For example, in Microsoft Exchange, select Options from the Tools menu. Click the Addressing tab. In the When sending mail, check names using these address lists in the following order area, use the Add button, then the up or down arrow buttons, to add the correct address book to this field and position it at the top of the list.
About AlarmEnrollment Objects
An AlarmEnrollment object:
Defines the conditions that your access control system uses to determine that a point is in the alarm state
Defines the conditions that the system uses to determine that the point has returned to its normal state
Contains the text messages that are displayed in the Active Alarm View window or the Alarm Status bar
Has an attached EventNotification object that defines how the system responds to the alarm and notifies the appropriate people
You attach an AlarmEnrollment object to points, doors, and other objects that you want to alarm.
Create an Alarm-Enrollment Object
You create AlarmEnrollment objects in Root or in an alarms folder that you previously created in Root for AlarmEnrollment and EventNotification objects.
1. In Continuum Explorer, right click the folder that contains your AlarmEnrollment objects, select New, and then select AlarmEnrollment.
2. Enter a name for the alarm (for example, doorisajar), and click the Create button.
3. In the General tab of the AlarmEnrollment dialog, click the browse button to locate and select the EventNotification object that determines how the system responds to the alarm. The EventNotification object you select here determines how the system responds if the alarm condition occurs.
4. Select Value for Alarmed Attribute. This is the attribute that triggers the alarm, based on the parameters you define for Value in the Algorithms tab.
5. Select Expression for Alarm Type. You define the expression used to define the alarm condition in the Algorithms tab. Most access control alarms use the Expression alarm type.
6. Under Send, select the Alarm check box. If you want to be notified at the return to normal, select this check box as well.
7. Select the Algorithms tab.
8. In the Expression field, enter the alarm condition that triggers the alarm. For example, enter DoorAjar = True to generate an alarm that occurs when the value for the attribute DoorAjar is equal to 1, indicating that the door has been left open.
General Expressions for Security
Expression               Description
State is Disabled        An alarm is generated when a user disables this object.
Override is True         An alarm is generated when this object has been manually overridden.
DoorAjar is True         The door is held open for longer than the DoorAjar time and the Door Strike Time.
ForcedEntry is True      The door switch is open without a Valid Access, Request to Exit or Operator command.
InvalidAttempt is True   An individual without access to this area attempted to card in at this door.
Value = Trouble          A wiring fault on Supervised InfinityInput.
Doorswitch = Trouble     A wiring fault on the door switch input of the door.
ExitRequest = Trouble    A wiring fault on an Exit Request switch for the door.
and Point1 = On          Add to any of above expressions, only if true when a linked point for Point1 is on.
9. Select the Feedback tab.
10. Enter the messages that you want to be displayed in the Active Alarm View or the Alarm Status bar.
Use wildcards as placeholders for the object name and description of the object to which you attach this alarm:
Enter %n in place of the object name.
Enter %d in place of the object description (entered in the General tab of the object editor).
Using wildcards enables you to attach the same AlarmEnrollment object to multiple objects while still providing an alarm message that is unique to the object where the alarm has occurred.
11. Click OK.
About Attaching Alarms to Objects
You can attach up to eight AlarmEnrollment objects to a Door object or a point object. For example, you might create and attach alarms to a Door object for door ajar, switch tampering, and forced entry conditions.
Attach an Alarm-Enrollment to a Door
1. In Continuum Explorer, double click a Door object.
2. In the Door editor, select the Alarms tab.
3. Click the browse button in one of the empty fields, and locate and select the AlarmEnrollment object you want to attach.
4. Select the Enabled check box.
Note: Unless the Enabled check box next to an alarm is checked, the alarm does not become active, even if the alarm condition occurs.
5. Click OK.
6. Proceed to “Task 12: Configure Video” on page 95.
Attaching Alarms to a Point
Once you have created the appropriate EventNotification and AlarmEnrollment objects, you need to open a point object editor. From the navigation pane of the Continuum Explorer:
1. Double click the Infinity controller that contains the points you want to alarm.
2. In the viewing pane of Continuum Explorer, right click the icon for the point, and select Open from the drop down menu. The object editor for that point will appear.
3. Select the Alarms tab (or Advanced Alarms tab on some object editors). The Alarms tab (or Advanced Alarms tab) appears. For example:
Using the Alarms / Advanced Alarms Tab of an Object Editor
Use the Alarms tab (or Advanced Alarms tab) to browse for up to eight AlarmEnrollment objects to attach to the point. To attach an alarm to an object:
1. Click the browse button in one of the empty alarm fields.
2. Search and find the alarm you want.
3. Click the Select button.
4. Check the Enabled checkbox.
To delete an attached alarm, select its name in the text field and press the Delete key on your keyboard.
Additional information you can add from the Alarms tab includes the following attributes:
Graphic
Click the browse button in the Graphic field to search for the desired graphic panel that you want to appear when the alarm goes off. Select the page number of the graphic panel you want first to appear.
Program
Click the browse button in the Program field to search for the desired report program or any other Plain English program to attach to this object.
Note: You cannot select an HTML report directly. To associate an HTML report with an object, you must select a program that uses the SHOWREPORT keyword to run an HTML report. An example of the SHOWREPORT keyword is: SHOWREPORT: “C:\PROGRAM FILES\CONTINUUM\REPORTS\SYSTEMCHK.HTM.”
Note: For additional information on Plain English (PE) refer to the Andover Continuum CyberStation Plain English Language Reference guide, 303001-872.
Alarm Points
Alarm points allow any expression alarm that you attach on this tab to reference up to four "alarm points," named Point 1, Point 2, Point 3, and Point 4. Using alarm points saves you the trouble of having to change the expression (via the Algorithms tab of the AlarmEnrollment editor for that alarm object) every time you attach an expression alarm to a different point:
Note: For additional information on the Algorithm expressions refer to “General Expressions for Security” on page 84.
To configure these alarm points for an attached expression alarm, click the Alarm Points button to bring up the Alarm Points dialog:
Using the Alarm Points dialog, you must specify the actual point names for every alarm point the attached expression alarm references.
Follow this procedure:
1. In the General tab of the AlarmEnrollment editor, for the alarm you want to attach, make sure that you select Expression for the Alarm Type. Any attached alarm to which you want to apply alarm points must be an expression alarm.
2. In the Algorithms tab of the AlarmEnrollment editor, enter the expression in the Expression field. When you want to use alarm points, the alarm point name (point1, point2, point3, or point4) must be part of the expression. For example: ...value > point1 + 2...
3. Save the AlarmEnrollment object after making these expression-alarm changes.
4. On this tab of this editor, click the Alarm Points button to search for and select the name of an object for every alarm point referenced by the attached expression alarm. The Alarm Points dialog appears, showing fields where you may specify up to four point names, Point 1 through Point 4.
5. Click the browse button in one of the point's fields.
6. Once you have found the point you want, click the Select button. The point specified in the field will be associated with that alarm point and applied to the attached expression alarm, which references the point.
7. Click OK.
Video Points
Click the Video Points button to bring up the Video Points dialog, shown on the next page. Use the Video Points dialog to assign cameras to doors and points and configure parameters that control video images displayed in a VideoLayout or in the Video Monitor, during alarm conditions.
Note: At CyberStation Version 1.9 and higher, the Video Points dialog lists 16 video points. If you are using a VideoLayout, you can configure only points 1 through 4. If you are using the Video Monitor, you can configure points 1 through 16. See Task 12: Configure Video.
Use the Video Points dialog to assign "video point" cameras.
Use the Video Servers dropdown menu to select a video server on which the camera is located.
Use the Cameras dropdown menu to select a camera for the numbered video point. (The camera must be configured and enabled on the selected video server.)
Check the Rec. checkbox to enable the recording of a video clip from the selected camera. Recording begins at the moment the alarm goes off.
In the Duration field, use the up and down arrows to select the number of seconds to record a video clip, once you check the Rec. checkbox.
In the PTZ field, select the number of the preset camera view. These PTZ (pan, tilt, zoom) capabilities are configured on the Integral video servers, using Integral software.
If you are associating a VideoLayout with the video points for this object, then you must first reference these video points from the General tab of the VideoLayout editor. See Task 12: Configure Video.
More about Alarms
See the following topics in the CyberStation online help:
“EventNotification Editor”
“AlarmEnrollment Editor”
“Alarms Tab” or “Advanced Alarms Tab” for the objects where you attach an alarm
Task 12: Configure Video
Andover Continuum access control systems provide complete video-surveillance capabilities. You can configure video servers and cameras at your site to monitor and record activities at many locations. There are two main Andover Continuum video-surveillance tools:
Video Monitor (configured via its Video Administrator)
Video Layouts
The remainder of this section presents the following major video topics:
About Video Monitor and Video Administrator
About VideoLayouts
Configuring Video via Video Monitor and Video Administrator
Configuring Video Using VideoLayout
About Video Monitor and Video Administrator
Video Monitor is CyberStation’s powerful tool for viewing and recording video surveillance images in an Andover Continuum access-control system. Video Monitor, available in CyberStation Version 1.9 and higher, allows you to view and record video images from cameras assigned to doors or points that trigger alarm events. It allows you to monitor doors, immediately capture video images from doors, monitor door status, monitor a person’s access to doors, and get alarm information as soon as it happens.
You customize the way Video Monitor operates using its powerful configuration tool, Video Administrator. With Video Administrator, you can attach up to 16 cameras to a door or point. Video Monitor is then launched when an event associated with the door or point triggers an alarm.
Video Monitor Main Features
This subsection summarizes Video Monitor’s main features. For more detailed information, see the CyberStation help topic, “Video Monitor” and its associated topics.
The Video Monitor application’s main screen comprises the following main sections.
Active Video Events List – The Active Video Events list, located along the top of the Video Monitor, lists recent alarm events (both door events and point events) as they happen. For each event, detailed information is displayed. In a door event listing, you can also actually unlock the door, momentarily. (The number of seconds the door is momentarily unlocked is determined by what was set in the Door Strike Seconds attribute on the Channels tab in the Door editor for that Door object.)
Video Control Frames – The video control frames section, located in the middle of the Video Monitor, comprises the two frames in which video images are displayed. For the camera associated with a door or point, the right-hand frame displays live video images, while the left-hand frame displays recorded (or live) images. This frame area also has video-image search, record, and playback buttons, and controls for video resolution and visual aesthetics.
Door Events, Door Status, and Person Events – These three tabs along the bottom of the Video Monitor display access-event and current-status information about a door and/or a person. Specifically, Door Events displays the latest access events for the door in alarm. Person Events displays access events of a person associated with doors.
Video Monitor is shown on the next page.
Video Administrator Main Features
This subsection summarizes Video Administrator’s major features. For more detailed information, see the CyberStation help topic, “Video Administrator” and its associated topics.
Points tab — This tab allows you to add doors/points, add, configure, and remove cameras, and preview a camera's video images. You can also arrange and customize the view of the points, servers, and cameras.
Alarms tab — On this tab, for every video server and every camera belonging to a server, you can monitor certain server/camera events, such as motion detection and loss of video images, and generate alarm messages established for Pelco brand video servers.
Settings tab — This tab allows you to specify an executable program, so that you can execute it from Video Monitor's Run button.
Video Administrator is shown below:
About VideoLayouts
A video layout is CyberStation’s other video-surveillance monitoring tool (version 1.7 and higher) represented as a CyberStation VideoLayout object. You configure a VideoLayout object via the VideoLayout editor, as well as via the Alarms tab (or Advanced Alarms tab) of the Door editor and various CyberStation point editors. You assign cameras to up to four “video points” for a Door object or a CyberStation point. A VideoLayout is launched when a door or point goes into alarm.
For more information see Configuring Video Using VideoLayout.
Configuring Video via Video Monitor and Video Administrator
To create video via Video Monitor and Video Administrator, follow these procedures:
Allow Access to and Enable Video Monitor and Video Administrator
Create a VideoServer Object
Configure Video Using Video Administrator
Allow Access to and Enable Video Monitor and Video Administrator
Follow this procedure to allow access to and enable Video Monitor and Video Administrator.
1. Ensure that Video Monitor (and Video Administrator) are activated in your site’s CyberStation security key (a key for version 1.9 or higher). Video Monitor is automatically enabled on all version 1.9 keys. If it is not activated in your 1.9 (or higher) key, or if you want it at your existing site, you must contact Schneider Electric for a special file to install.
2. Grant or deny permission to one or more user groups to use Video Monitor and Video Administrator via the Security editor, as follows.
Note: Only the user groups containing one or more high-level system administrators at your site should have access to Video Administrator.
  Open the Security editor, select the Actions tab.
  Beneath the Actions column, scroll down to the Miscellaneous tab in the tree. Expand the Miscellaneous tab, and look for Run Video Monitor and Run Video Administrator.
  Under the Locks column, scroll horizontally to the user group(s) you want. (Each group — 01, 02, and so on — is a vertical column containing graphical keys and locks.)
  For the Run Video Monitor row, under the user group you want, assign a key to grant access or assign a lock to deny access.
  For the Run Video Administrator row, under the user group you want, assign a key to grant access to a user group with appropriate system administrators, and assign a lock to deny access to everyone else.
  Click OK.
Note: For each logged on user, a lock overrides the CyberStation security key and prevents the application from running.
3. Grant system administrators at your site permission to access and configure video servers, as follows:
  Open the Security editor, select the Actions tab.
  Beneath the Actions column, scroll down to VideoServer.
  Under the Locks column, scroll horizontally to the user group(s) containing system administrators.
  Click OK.
See also Create a VideoServer Object.
4. Grant system administrators at your site permission to access and configure Door objects and all points to which you must assign video. Use the Security editor Actions tab to do so, as you did in the last step.
5. Enable Video Monitor and Video Administrator. From the Preferences tab of the workstation’s Device editor, ensure that the Use Video Monitor setting is set to TRUE. This launches Video Monitor (instead of a VideoLayout) on an alarm event or manually when you click the video button on an alarm in Active Alarm View. When this preference is set to FALSE, VideoLayouts are used.
Note: Video will only launch on an alarm event if the Display Video checkbox on the Actions tab of the EventNotification editor is checked. For more details, see Step 8.
6. Create one VideoServer object for every video server (for example, DVR, or Endura System Manager) at your site. If you create at least one Endura video server object, then workstations that do not have Endura video support enabled will not launch Video Monitor or Video Administrator. Error messages will appear when both Video Monitor and Video Administrator are launched indicating that Endura video support is not enabled.
Note: As long as you have one Endura system with video enabled, video support becomes a site-wide requirement. Thus, you must ensure that all on-site workstations have Endura video support enabled.
7. Set the IP address, user name, and password.
Note: A video server may have multiple users with different permissions. Ensure that the user entered when creating a video server object is able to search for and play back recorded video. Click the Test Connection or Learn Cameras button to verify connection to the video server. All of the recorded video clips are stored in DVR (Digital Video Recording) format. The supported platforms are:
  Digital Sentry including DS NVR, DS Express, and DS RealVue products
  Pelco Endura System version 1.x and 2.0, including Sarix
8. On the Actions tab of the EventNotification editor, for the EventNotification associated with each alarm, check the Display Video checkbox if you want the Video Monitor to launch when an alarm event occurs. (Video Monitor appears on those workstations where the alarm is delivered.)
Note: If you do not check the Display Video checkbox, Video Monitor must be opened manually, via the video button on an alarm, in the Active Alarm View.
9. Assign cameras to each door or point using the Video Administrator. (See Configure Video Using Video Administrator.)
Create a VideoServer Object
Before you can create video you must create a VideoServer object. This process enables you to then assign cameras. You create VideoServer objects in the Root or in a folder that was created in the Root.
1. Obtain the IP address, username, and password of the video server from your IT administrator to create a VideoServer object.
2. In Continuum Explorer, right click Root, select New, and then select Folder.
3. Enter a folder name, and click the Create button.
4. Right click the folder, select New, and then select VideoServer.
5. Enter a name for the server, and click the Create button.
6. In the VideoServer editor, enter the IP address, username, and password of the server.
CAUTION When planning your video system integration in CyberStation, ensure that video servers and cameras have final, fixed IP addresses before mapping cameras to objects through Video Administrator. Changing the IP address of the server or VAU will sever camera and object mappings and require you to manually reconfigure these points in Video Administrator.
7. Select the Server Type: Pelco Type 1 (DS ConneX compatible) or Pelco Type 2 (Endura compatible).
Note: You cannot select the Pelco Type 2 Server Type unless Endura video support is already enabled in your CyberStation product key. See your site administrator or your Schneider Electric customer service representative to obtain this support.
8. Click Apply.
9. Click the Test Connection button to confirm that CyberStation can communicate with the server. “Connection successful” displays below the button when communication is established. If communication fails, “Error Connecting to Server” displays instead.
10. Click the Learn Cameras button to learn the available cameras on the server whose IP address appears.
Note: Before learning in Endura cameras, ensure that they have been renamed in the Endura system using legal characters. Andover Continuum only supports the use of spaces, numbers, and letters in camera names. Failure to follow these naming guidelines will result in generic camera names and channel numbers upon camera learn that do not clearly identify the corresponding camera.
Note: When you initially configure a new video server, you must press Learn Cameras in order to discover the cameras on the video server. When pressed, this button initiates a connection to the server, builds a camera list, and populates the database with that camera list. If you make any subsequent changes to your video network, such as adding or removing cameras, you must relearn the video server object by clicking Learn Cameras once more. Should you fail to do so, the current cameras on the video server will not be available.
If the learn operation is successful, “Learn Cameras Found (#)” (where # is the number of cameras) displays. Should you learn Type 2 cameras, a Learn Endura Cameras dialog box displays with a progress bar showing the learn operation as it occurs.
Green indicators in the Camera, Encoder, Recorder, and Connection columns indicate that the video equipment is functioning normally. If there are any red indicators, you should check your Endura system to ensure it is operational, troubleshoot and make any necessary changes, and then attempt the learn operation again. Any camera that has a red indicator in any column will not be 'learned.' As long as their status indicators are green, the remaining cameras in the list will be added, however. If the learn is not successful, “Learn Cameras Failed” appears instead.
11. Verify that you entered the correct IP address, username, and password for the server, and that the server is online if the error messages in Steps 9 and 10 display.
12. Click Close.
Configure Video Using Video Administrator
Follow this procedure to configure video using Video Administrator. (Video Administrator is Video Monitor’s configuration tool.)
1. Determine whether or not it is in your site's best interest to use the Video Monitor (and its Video Administrator) as opposed to the other CyberStation video surveillance tool, VideoLayouts. If you choose Video Monitor, proceed to Step 2.
2. Make a list of users at your site who should and should not have access permissions to the full functionality of both Video Administrator and Video Monitor. You will need to grant or deny access to this functionality.
Note: Typically, only system administrators should have access to Video Administrator.
3. Allow system administrators access permissions to Video Administrator, and enable Video Administrator in CyberStation. For instructions, see Allow Access to and Enable Video Monitor and Video Administrator.
Note: This step, in part, involves granting only system administrators at your site permission to configure Video Administrator, permission to configure all video servers, and permission to configure all doors and points to which video will be assigned.
4. For every video server (DVR or System Manager for Pelco Endura) at your site, create a VideoServer object. (For instructions, see Create a VideoServer Object.)
5. Determine how many new doors/points you need to configure for use with Video Monitor in your CyberStation system. Write down the names of these doors/points, and make a note of where in the system they are located.
6. Determine the primary camera for each door/point, as well as how many additional cameras need to be assigned to that door/point. Write down the names of those cameras and note the doors/points to which they need to be assigned.
Note: Be sure to name the cameras in advance at the video system front-end since you will be unable to change those names in Video Administrator.
7. Add a door or a point to Video Administrator. Click the Add Point button on the Points tab menu bar, and add the door or point for which you want to configure video.
Note: Existing doors and points configured with camera assignments already in the database are automatically added to Video Administrator when it is launched.
8. Add a primary camera to the door or point in Video Administrator.
Note: The first camera you add (that is, the primary) is the default camera displayed when Video Monitor launches for that point.
Click the Add Camera button on the Points tab menu bar. Set its configuration properties, and see a preview of this camera's images, in the configuration properties pane. These include server name, camera name, record times, and PTZ (pan-tilt-zoom) presets.
9. Repeat Step 8 to add secondary cameras to the point or door.
Note: A maximum of 16 cameras is allowed for each door or point.
10. Repeat Steps 7, 8, and 9, to add more doors and points to Video Administrator.
11. Choose a view, or customize your own view, for the way in which doors/points, cameras, servers, and so on, are grouped and listed in the "pivot table" on the Points tab. You accomplish this task using the View dropdown menu, as well as the Select All, Expand All, and Collapse All buttons on the Points tab menu bar. You also use the drag-and-drop customization features in the Points tab pivot table.
12. Select the Alarms tab. On the Alarms tab, for every video server and for every camera belonging to a video server, designate certain types of alarm events to monitor (and if necessary send alarm messages). These events include such conditions as loss of video images, motion detection, video server offline/online transitions, and so on.
Note: These are not CyberStation alarms, although they do appear in CyberStation's Active Alarm View. Rather, these are Pelco brand video server alarms, intrinsic to Pelco video system functionality. The Alarms tab simply allows you to activate these video alarms, if you wish to receive messages based on these types of events.
13. Select the Settings tab. On the Settings tab, you may specify an executable program (such as a Plain English program or a calculator or Note Pad) so that it runs in Video Monitor when you click the Run button in the Video Monitor's Video Events section.
14. In the Video Administrator application, click Apply or OK.
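A pre-flight check for the camera worksheet built in Steps 5 and 6, given here as an added example that is not part of the Schneider Electric guide or of CyberStation. It applies the limits this guide states (camera names made of letters, numbers, and spaces only; at most 16 cameras per door or point) and flags servers not recorded as a literal IP address; the worksheet layout, the sample rows, the finding names, and the ASCII-only reading of "letters" are assumptions.

```python
"""Pre-flight check of a camera assignment worksheet (added example, constructed data)."""
import ipaddress
import re

# Limit stated in this guide: cameras allowed per door or point.
MAX_CAMERAS_PER_POINT = 16

# Assumption: "letters" and "numbers" mean ASCII A-Z, a-z and 0-9.
LEGAL_CAMERA_NAME = re.compile(r"[A-Za-z0-9 ]+")

# Constructed worksheet rows: (door or point, video server address, camera name),
# listed in the order the cameras will be added, so the first row for a point
# is its primary camera.
SAMPLE_PLAN = [
    ("Lobby Door", "192.0.2.10", "Lobby Cam 1"),
    ("Lobby Door", "192.0.2.10", "Lobby-Cam#2"),      # hyphen and '#' are not legal
    ("Dock Door", "dvr01.example.test", "Dock Cam"),  # a name, not a fixed IP address
] + [("Server Room", "192.0.2.11", f"Rack Cam {n}") for n in range(1, 18)]  # 17 cameras


def group_by_point(plan):
    """Return {point: [camera, ...]}, preserving worksheet order."""
    points = {}
    for point, _server, camera in plan:
        points.setdefault(point, []).append(camera)
    return points


def primary_cameras(plan):
    """The first camera listed for each point is the one Video Monitor shows by default."""
    return {point: cams[0] for point, cams in group_by_point(plan).items()}


def check_plan(plan):
    """Return a list of (finding, point, detail) tuples; an empty list means no findings."""
    findings = []
    seen_servers = set()
    for point, server, camera in plan:
        # Names with other characters are learned as generic names and channel numbers.
        if not camera.strip() or not LEGAL_CAMERA_NAME.fullmatch(camera):
            findings.append(("illegal-camera-name", point, camera))
        # The VideoServer editor takes an IP address, and the address must stay fixed
        # once cameras are mapped; report each non-IP entry once.
        if server not in seen_servers:
            seen_servers.add(server)
            try:
                ipaddress.ip_address(server)
            except ValueError:
                findings.append(("server-not-ip-address", point, server))
    for point, cams in group_by_point(plan).items():
        if len(cams) > MAX_CAMERAS_PER_POINT:
            findings.append(("too-many-cameras", point, len(cams)))
    return findings


if __name__ == "__main__":
    for finding in check_plan(SAMPLE_PLAN):
        print(finding)
    print(primary_cameras(SAMPLE_PLAN))
```

Run it against the worksheet before clicking Learn Cameras, and rename any flagged cameras at the video system front-end, since the names cannot be changed in Video Administrator.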
More about Video Monitor and Video Administrator
See the following topics in the CyberStation online help:
“Video Monitor” and associated topics
“Video Administrator” and associated topics
“VideoServer Editor” and associated topics
Configuring Video Using VideoLayout
A video layout, represented as a VideoLayout object, is CyberStation’s other video-surveillance tool (version 1.7 and higher). The information covered in this task assumes that you have installed and configured a video server and cameras in your facility for use with CyberStation.
Note: If you choose to use VideoLayouts, instead of Video Monitor, make sure the Use Video Monitor setting, located on the Preferences tab of the Device editor, is set to FALSE.
In CyberStation, you work with two video-related objects:
Each VideoServer object corresponds to a computer that you have set up as a video server and that manages one or more cameras. A network can have multiple video servers.
Each VideoLayout object displays live or recorded video from up to nine cameras.
When you attach an alarm to a CyberStation object, you can specify that a video layout be displayed with video feed from specific cameras.
Create a VideoServer
Creating a VideoServer enables you to then assign any of the cameras managed by the server to video layouts in CyberStation. You create VideoServer objects in the Root or in a folder that was created in the Root. For instructions, see Create a VideoServer Object, covered previously in this chapter.
Create a VideoLayout Object
In a VideoLayout object, you define video control frames, which are the viewing areas for video feeds from selected cameras. You create VideoLayout objects in Root or in a folder that was created in Root.
1. In Continuum Explorer, right click the folder that contains your video objects, select New, and then select VideoLayout.
2. Enter a name for the video layout, and click the Create button.
3. In the General tab of the VideoLayout editor, select the number and arrangement of video control frames that you want to display by clicking an option in the matrix in the right side of the editor. Click the graphic that corresponds to the way you want video frames to be arranged in this video layout.
Note: If you are creating a layout for use with alarms in multiple objects, each requiring different cameras, assign cameras in the alarmed objects instead of in the layout. Bypass step 4, and proceed to step 5 in this procedure.
4. Right click a video frame, select Video Servers, select the video server, and then select the camera to assign to this frame. Repeat to assign cameras to the other frames in the layout.
5. To assign video points to up to four frames in the layout, right click a frame, select Video Points, and then select one of the available numbers (video points 1 through 4 only). Repeat to assign video points to additional frames. The frames selected for video points will show the video feed when the video layout is displayed in response to an alarm.
Right click a frame to display the menu where you assign video points.
Note: Although 16 video points are listed, you may use only video points 1 through 4 with a VideoLayout.
6. Click OK.
Add a VideoLayout to the Alarms Tab of an Object
After you create a VideoLayout object and assign video points in it, you can add the video layout to the Alarms tab (or Advanced Alarms tab in some object editors) of an object so that the video layout is displayed when an alarm is triggered for the object.
Note: The EventNotification object referenced in the AlarmEnrollment object(s) must have the Display Video option selected in the Actions tab of the EventNotification editor for a video layout to be displayed when the alarm occurs. Display Video is at the bottom of the list of actions in the Actions tab of the EventNotification editor. If this option is not selected, the video layout attached to the object is not displayed, even if the alarm occurs. See Create an Event-Notification Object for more information about actions in EventNotification objects.
1. In Continuum Explorer, double click the object to which you want to attach a video layout.
2. In the object editor, click the Alarms tab.
3. Click the Video browse button, and locate and select the video layout you want to attach to this object.
4. If the VideoLayout is configured using the video points, click the Video Points button.
Note: In the Video Points dialog, select the video server and the camera to display video in up to four frames. At CyberStation Version 1.9 and higher, the Video Points dialog lists 16 video points, but only points 1 through 4 are used with a VideoLayout.
5. To record video from a camera, select the Rec check box for that camera, and enter the number of seconds for Duration.
6. Click OK to return to the object editor.
7. Click OK.
More about Video Layouts
See the following topics in the CyberStation online help:
“VideoServer Editor” and associated topics
“VideoLayout Editor” and associated topics
“Using Video Points”
“Alarms tab” or “Advanced Alarms Tab” topics for the objects where you attach a video layout.
Task 13: Create Graphic Panels and Controls
The CyberStation application includes a graphics application, Pinpoint, that you use to create dynamic control panels that let you monitor and respond to access control events.
About Graphic Controls for Access Control
Pinpoint has several dynamic controls that are intended for access control:
Pinpoint Control | Description
Door control | Shows door status. You can also use the control to lock or unlock the associated door, and to obtain information about the card holder of the card most recently read at the door.
Area control | Shows area lockdown status. You can also use the control to initiate area lockdown or clear the lockdown state. In addition, you can access and control the doors associated with the area.
Personnel photo control | Displays the photo associated with a Personnel object.
Other Pinpoint controls and tools let you customize the appearance and operation of graphics panels as needed. For example:
Use an image file of a floor plan as the panel background, and arrange door and area controls based on the physical location of the objects they represent.
Use text, switch, button, and other controls to display information or perform specific actions, such as opening a ListView window.
Create a Graphics Panel and a Door Control
Create graphics panels in the controller that you want to own the panels. Typically, this controller also owns the doors that are shown in the graphics panel.
1. In Continuum Explorer, right click a controller, select New, and then select Graphics.
2. Enter a panel name, and click the Create button. The Pinpoint application opens and displays an empty panel.
3. Arrange the Pinpoint window and the Continuum Explorer viewing pane so that both are visible on your screen.
4. In Continuum Explorer, select a door, and drag it onto the graphics panel in the Pinpoint window. A door control is created for you on the panel.
Select a door in the Continuum Explorer window, and drag it to the Pinpoint window. A door control is created for you in Pinpoint and is associated with the Door object you selected in Continuum Explorer.
5. Click the door control to open the Door Control dialog.
6. In the General tab, select the set of door graphics you want to use for Style.
7. Select the User Entry check box if you want to be able to execute commands from the control. If the User Entry check box is not checked, the control is view-only.
8. Select the Switch Animation check box if you want the door control to reflect the state of the door switch, open or closed. If the check box is not checked, the control reflects the state of the door lock, indicating whether the door is locked or unlocked.
9. Select the Personnel Data tab.
10. Select the attributes that you want displayed, and select the check box next to each attribute to enable it. The selected attributes will be displayed in the Details dialog, which you access from a door control by right clicking the control. The dialog also shows the photo, if available, of the last person requesting access at the door.
11. In the Standard toolbar, click the Run Mode icon, and if prompted, save changes to the panel.
12. Right click the door control to display a menu of actions you can take to control the door and obtain information about access events at the door.
13. To close the Pinpoint editor, click the close button in the upper-right corner of the window.
14. Proceed to “Task 14: Configure Reports” on page 118.
More about Graphics Panels and Controls
See the “Pinpoint Graphics” topic in the CyberStation online help.
Task 14: Configure Reports
CyberStation provides powerful report-generation capabilities that enable you to gather, view and distribute data about events in your access control system.
About Report Objects
In a Report object, you specify the characteristics of the report that you want to generate:
The data to include
The report format (text, bar chart, pie chart, etc.)
The output format, including whether the report is viewed on screen, printed, or saved to a file
Whether the report is generated automatically or manually
Whether the report is automatically e-mailed to a list of recipients
Create a Report
You can create reports in a folder or a controller. You may want to create a folder that stores all your reports.
1. In Continuum Explorer, right click Root, select New, and then select Folder.
2. Enter a folder name, and click the Create button.
3. Right click the folder, select New, and then select Report.
4. Enter a report name, and click the Create button.
5. In the Source tab of the Report editor, select a data source. The following data sources are intended for access control:
Report Data Source | Description
Access Event | Data associated with valid and invalid attempts to access doors or areas. If you select this data source, you can choose from 22 report types related to access events, such as “most accessed doors,” “invalid attempts of an area,” and “most active person.”
Alarm Event | Data from the AlarmEvent log in the CyberStation database. If you select this data source, you can choose from 22 report types related to alarms, such as “most active alarmed object” and “active alarms per object.”
Activity Event | Data from the ActivityEvent log in the CyberStation database. If you select this data source, you can choose from 11 report types, such as “login attempts per user” and “most common activities.”
6. Select a report type.
7. Select a chart type and subtype, which determine the presentation of your data. To generate a tabular report, select Text.
8. Click the Configure Columns button.
9. In the Selectable Columns dialog, select column settings:
Columns to include or exclude
Sequence of columns
Sort order of the data
10. Click OK.
11. Select the Filter tab.
12. Select the Log Filter radio button, and select a predefined filter for the time interval of the report, OR select the Time Interval radio button to specify a custom time interval.
13. Select the Path browse button, and locate and select the controller with the objects that you want to include in the report.
14. Click the Add button to locate and select the objects in this controller that you want to include in the report.
15. Click the Output tab.
16. Options in this tab allow you to define the output format. You can use wildcards for the following data:
%r represents the report type.
%t represents the report date and time.
%p represents the page number.
17. Select options for e-mailing the report and saving the report to a file, as needed.
18. Click Apply.
19. Click the View Report button to generate the report and display the content in the Report Viewer window.
20. Click the close button to close the Report Viewer window.
21. Click OK.
More about Reports
See “Reports and Report Editor” in the CyberStation online help.
Chapter 3 Monitoring an Access Control System
When your access control system is configured and operating, CyberStation has numerous features that enable you to monitor access control activity. This chapter introduces the following features:
Alarm Status bar and Active Alarm View window
EventView windows
ListView windows
Responding to Alarms
When you configure alarms, you typically specify that an alarm message be displayed at one or more CyberStation workstations. At a workstation, alarm messages appear either in the Alarm Status bar or in the Active Alarm View window, depending on settings in the EventNotification object associated with the alarm.
About the Alarm Status Bar
An alarm message is displayed in the Alarm Status bar when an alarm is triggered. If multiple alarms are active, the alarm displayed in the status bar is the first alarm that would appear in the list of alarms in the Active Alarm View window.
Buttons to the left of the message enable you to silence, mute, or acknowledge the alarm, and to perform other related actions.
About the Active Alarm View Window
The Active Alarm View window notifies you of alarms and provides information about current alarm conditions. The window displays automatically when an alarm occurs if you selected the Display Alarm View option in the EventNotification object associated with the alarm. If the window does not display automatically, you can display it by clicking the Alarm icon in the Alarm Status bar. You can open this window whether or not any alarms are currently active.
This window updates in real time as alarms occur, are responded to, and/or the affected objects return to their normal state.
By default, alarms are sorted by priority. Alarms with a priority of 1 are considered the most urgent. They appear at the top of the list. Use buttons to the left of the entries in the list to respond to alarm notifications:
Acknowledge the alarm. Click this button when you have seen the alarm message and have taken the appropriate action to address the alarm condition. Your username is recorded in the Acknowledged by field for the alarm. If the workstation was beeping or playing audio, and if the alarm message was flashing, these stop when you click the Acknowledge button.
Silence the audio associated with the alarm at all workstations that received the notification. Silencing an alarm does not acknowledge the alarm. Your username is recorded in the Silenced by field for the alarm.
To silence audio at your workstation only, click in the toolbar, or click Mute! in the menu bar at the top of the Active Alarm View window. Additional toolbar buttons and menu options enable you to obtain more information about alarms and the objects associated with them.
More about Responding to Alarms
See the “Active Alarm View” topic in the CyberStation online help.
Monitoring Live Access Events
Active EventView windows are objects that provide real-time information about access events at doors that you specify. Using EventView windows, you can monitor ongoing activity, both routine and unexpected.
About Creating EventView Objects
You create EventView objects in the EventView editor. You can create multiple EventView objects, each customized to display selected events from specific doors. Settings you can define in the EventView editor include:
Sort criteria to determine the display order of events
Doors and events that you want to monitor
Fonts and colors for different event types
You can further customize an EventView window from menu options in the window itself. For example, the Add/Remove Columns option in the View menu lets you select the columns you want to display. You can also drag columns to change their sequence in the window.
More about EventView Objects
See the “EventView Editor” topic in the CyberStation online help.
Using ListView Windows
ListView windows are objects that display a list of attribute values for an object class, such as Door objects or Personnel objects. You typically use ListView windows when you want to review the event history of an object or a person. For example, reviewing the event history may help you resolve a recurring problem, such as frequent Door Ajar events at a specific door.
About Predefined ListView Objects
Several predefined ListView windows for access events are available from the ListViews page of the CyberStation main menu. The Personnel page also has predefined ListView windows for personnel-related lists.
You can customize ListView windows using menu options in the windows. You can create and edit ListViews in the ListView editor.
About Creating ListView Objects
ListView objects are highly customizable. Settings that you can define include:
Object class, including special ListView object classes, such as AlarmInformation, that you can use to track system events
Whether the data displayed when you open a ListView window is the most recent available from the controllers or is retrieved from the CyberStation database (You can also update the window to get “live” data.)
Filters for time intervals
Path in which to look for objects of the selected class, which enables you to focus on objects of interest
Columns included in the ListView window, their arrangement, fonts, and colors
Qualifiers that further refine the selection of objects whose data is shown in the ListView window
More about ListView Objects
See the following topics in the CyberStation online help:
“ListView Editor”
“CyberStation Main Screen”
Chapter 4 Advanced Topics for Access Control
This chapter briefly describes additional features of CyberStation that can help you manage your access control system:
Security Groups for CyberStation Users
Using Area Lockdown
Controlling Access with Condition Levels
Adding FIPS-PIV Card Credentials
Security Groups for CyberStation Users
Just as you can customize personnel access to specific areas of your facility, you can also customize the access that users have to features and data in the CyberStation application. You accomplish this using three types of objects:
User objects represent a real user in the CyberStation environment.
Security groups enable you to define the access privileges needed by different types of CyberStation users. You can then assign users to appropriate security groups. Access privileges that you define for object classes in the Security editor apply to all objects in that class (for example, all doors, all personnel).
SecurityLevel objects are CyberStation objects that you attach to other CyberStation objects or to containers. You use SecurityLevel objects if you want to further restrict security group access to individual objects, or to actions, such as deleting or editing, that may be taken with the individual objects. You attach a SecurityLevel object to each CyberStation container or object that you want to be controlled by those privileges. Access privileges that you define in the SecurityLevel editor for SecurityLevel objects apply only to the individual objects or containers that you attach them to. They do not apply to other objects in the same object class.
About User Objects
A user is a person who logs into a CyberStation workstation to monitor or manage your access control system. For each user, you create a User object that must include the following information:
Username and password
Security group(s) to which the user belongs
The security group assignments of each user determine the objects and data the user can view and edit, as well as other actions they can perform, such as deleting objects. You can further define each user’s interaction with the CyberStation application by specifying the following in User objects:
Programs that start when the user logs in or out
A graphics panel that is displayed when the user logs in
A CyberStation menu page that is displayed when the user logs in
A report program that runs when the user logs in
For example, you might assign a graphics panel representing a floorplan of your building, with Pinpoint controls for doors, areas, and other objects, to be displayed when a security guard logs in to CyberStation.
Before Configuring Users
You’ll use the User editor to configure each user of your system. Before using the editor, you need to know the following information about the person to whom you are giving access to the system:
The user’s name. There are two name considerations: the name that is assigned to the User object that is created for the user and the Full Name that is entered in the User editor. The object name is the one that the system recognizes.
The password this user will use when logging on to CyberStation. (It must be between 0 and 16 alphanumeric characters as determined by the General Preferences setting.)
What programs, reports, menu pages, or graphics panels you want to run when this User logs on.
The CyberStation User Security Group(s) that this user will be assigned to.
In order to use the User editor, you must first create a User object.
Creating a User Object
Create a user object for each person who requires access to the CyberStation software. At a minimum, you specify the following information:
Object name, which is also the username the user enters to log on to CyberStation
Password, which is also required to log on
Security group or groups to which the user is assigned (See Chapter 4 for more information about security groups.)
You can also enter personal information for the user. Perform the following steps to create a User object:
1. In Continuum Explorer, right click the Root.
2. Select New, and then select User from the popup menu.
3. In the New dialog, enter the username in the Object name field. CyberStation fills in the Alias field, but you can change it if needed.
4. Click the Create button.
About Security Groups
A security group is an object that contains a collection of privileges for using CyberStation editors and applications and for viewing CyberStation data. Security groups enable you to define the access privileges needed by different types of users. After you set up security groups, you assign users to the appropriate security group(s) based on the access that each user needs.
Note: You can assign multiple users to the same security group.
You use the Security editor to specify the privileges of each security group. CyberStation provides 1024 security groups in which you can define access privileges. By default, the Security editor displays the first 128 of these. In the Actions tab of the Security editor, access privileges are organized in folders for object classes and actions. For example, the Area object class includes all the actions associated with Area objects and the list of tabs in the Area editor.
Each column corresponds to one security group. The lock and key icons indicate whether the security group has the access privilege (Key icon) or is denied the privilege (Lock icon). Move the cursor over a column to display a tooltip showing the name of the security group.
Configuring User Security Groups
This section explains the process of configuring the security groups. This section also describes how to create SecurityLevel objects and use them with security groups to further customize CyberStation security. You use the Security editor to configure security groups. To access the Security editor, proceed as follows:
1. Right click the Continuum icon in your tooltray.
2. Select Security from the popup menu. This displays the Security editor.
Displaying Security Groups
CyberStation provides 1024 security groups for which you can assign access privileges. By default, the first 128 groups are displayed. You can display the additional groups as needed in multiples of 128 (256, 384, 512, and so on) up to 1024.
Note: If you reduce the number of displayed security groups, users assigned to groups that are no longer displayed lose all access to CyberStation. Be sure to assign all users to security groups that are currently displayed. Security groups that are not displayed retain their settings and user assignments. If you later display these security groups, the settings in these groups will apply to any users assigned to them.
1. In the Group Names tab, select a value from the dropdown list for Number of Security Groups.
2. Click the Change button. If you select a smaller number of groups, you are prompted to confirm the change. Click Yes to continue.
3. Click Apply or OK.
Renaming Security Groups
By default, the security group names are Group 01 through Group 1024. You can rename the groups that you use, if you wish.
1. In the Group Names tab, use the vertical scroll bar to locate the security group name that you want to change.
2. Double click the group name, enter a new name, and press the Enter key.
3. Repeat steps 1 and 2 to rename other security groups as needed.
4. Click Apply or OK.
Displaying Access Privileges in the Actions Tab
1. Select the Actions tab.
2. Expand a folder to display the object classes or tasks (actions) within that folder. Expand an object class to display the actions and editor tabs for that object class. For example, expand the Area class to display the actions for Area objects and the list of tabs in the Area editor.
Security groups are displayed to the right of the action or the tab name. The icon used to identify each group indicates whether the group has access privileges for it:
The Lock icon indicates that the users in the security group do not have access privileges; that is, the action or tab is locked for this security group.
The Key icon indicates that the users in the security group have access privileges; that is, the action or tab is unlocked for this security group.
Position your cursor over an icon to display the name of the security group and the action or editor tab it represents. Group names are defined in the Group Names tab. You can edit the names as needed, and also select the number of security groups that are displayed.
Assigning Access Privileges for Security Groups
Use this procedure to assign or remove access privileges for security groups. You can also assign and remove privileges by copying access settings to other security groups and by importing security groups.
Note: When you remove access privileges to view an object class for a security group, users in that group do not see that object in Continuum Explorer. If the objects are contained within a class folder, the class folder is not displayed when any of these users are logged into CyberStation. For example, if a user belongs to a security group that does not have access privileges to view Personnel objects, Personnel objects and the Personnel class folder are not displayed in Continuum Explorer when this user is logged into CyberStation.
1. Expand a view or folder. To assign access privileges to object classes, expand the Classes folder, and then expand an object class. A list of actions is displayed. If you expanded an object class, a list of the tab names in that object editor is displayed after the actions. Use the vertical scroll bar to locate the action for which you would like to assign access privileges. In addition to actions specific to that object class, if any, the following actions are listed for most object classes:
   Change Out of Service — Users belonging to security groups with this privilege can enable and disable objects of this class.
   Create — Users belonging to security groups with this privilege can create objects of this class.
   Delete — Users belonging to security groups with this privilege can delete objects of this class.
   Edit — Users belonging to security groups with this privilege can open the editors of objects of this class, and modify object values in the editor.
   View — Users belonging to security groups with this privilege can open the editors of objects of this class, but cannot modify any values unless they also have Edit privileges. These users will also be able to view the class folder for any objects for which they have view access (provided the users also have access to Continuum Explorer).
   Send To Text File — Users belonging to security groups with this privilege can import and export object data to text files.
2. Assign or remove access privileges.
If you want to...
Then...
assign an access privilege for an action or an editor tab to a security group
In the row that contains the action or tab name, click the Lock icon for the security group that you want to have the privileges. The Key icon is now displayed for this security group, indicating that the group has access to the action or tab.
remove an access privilege for an action or an editor tab from a security group
In the row that contains the action or tab name, click the Key icon for the security group where you want to remove the privileges. The Lock icon is now displayed for this security group, indicating that the group does not have access to the action or tab.
assign access privileges to all actions within a view, object class, or folder
Right click the view, object class, or folder, and select Unlock Actions from the popup menu. In the Unlock Actions for Groups dialog, select the checkbox next to each security group that you want to have access, and click OK. The Key icon is now displayed for the selected security groups, indicating that the groups have access to all the actions (and editor tabs) in the view, object class, or folder.
remove access privileges to all actions within a view, object class, or folder
Right click the view, object class, or folder, and select Lock Actions from the popup menu. In the Lock Actions for Groups dialog, select the checkbox next to each security group that you do not want to have access, and click OK. The Lock icon is now displayed for the selected security groups, indicating that the groups do not have access to any of the actions (and editor tabs) in the view, object class, or folder.
3. Click OK.
Copying Access Privileges Between Security Groups
Use this procedure to copy the access privileges assigned to one security group to another security group. This is useful when you want to define privileges for a security group that are only slightly different from another security group. When you paste the copied access privileges to the destination security group, the privileges for all actions in all folders are replaced with the new privileges. You can then assign or remove privileges as needed.
1. In the Actions tab, expand a view or folder.
2. If needed, use the horizontal scroll bar to display the icon for the security group whose access privileges you want to copy.
3. Right click the security group, and select Copy Group from the popup menu.
4. If needed, use the horizontal scroll bar to display the icon for the security group where you want to paste the access privileges.
5. Right click the security group where you want to paste the privileges, and select Paste Group from the popup menu.
6. Assign or remove privileges as needed for the security group where you copied the access privileges.
7. Click Apply or OK.
About SecurityLevel Objects
SecurityLevel objects define access privileges for individual objects or containers. You use the SecurityLevel editor to specify the privileges assigned to security groups in each SecurityLevel object. (This process is very similar to assigning security group privileges in the Security editor.) You then attach a SecurityLevel object to CyberStation objects to further refine the access privileges that users have to those objects. If you attach a SecurityLevel object to a container object, such as a controller or a folder, access to all objects in the container is also controlled by the SecurityLevel object. An object, such as a door, can have only one SecurityLevel object attached to it.
For example, by creating SecurityLevel objects that you attach to the controllers in each of your buildings, you could allow security guards in one building access to the doors in their building but not to doors in buildings monitored by other security staff.
Creating a SecurityLevel Object
Note: You cannot delete or move SecurityLevel objects. In Continuum Explorer, they must reside in Root.
1. In Continuum Explorer, right click Root.
2. Select New, and then select SecurityLevel from the popup menu.
3. Enter a name for the object, and click Open.
4. The SecurityLevel editor is displayed. You define access privileges for the SecurityLevel object in the Security tab of this editor.
Displaying Access Privileges in the Security Tab
Expand Classes to display the object classes. Expand an object class to display the actions and editor tabs for that object class. For example, expand the Area class to display the actions for Area objects and the list of tabs in the Area editor. Security groups are displayed to the right of the action or the tab name. The icon used to identify each group indicates whether the group has access privileges for it:
The Lock icon indicates that the users in the security group do not have access privileges; that is, the action or tab is locked for this security group.
The Key icon indicates that the users in the security group have access privileges; that is, the action or tab is unlocked for this security group.
Position your cursor over an icon to display the name of the security group and the action or editor tab it represents. Group names are defined in the Group Names tab of the Security editor.
Universal Unlock Folder
Using the Universal Unlock folder, you can deny one or more user groups universal access and viewing privileges to all features of all objects to which the SecurityLevel object is attached. When you deny a security group access privileges (place a lock) in this folder, it overrides any other key (unlock) on any features throughout the system for that security group. It is a quick way to prevent access to every object to which the SecurityLevel object is attached for users in the security group. (Users are assigned to security groups in the Groups tab of the User editor.) When the universal lock is unlocked, all objects owned by a parent (folder or device) inherit the security level of the parent; security levels of each class are applied. To deny all access to any security group, lock the universal lock for that group. This simplifies the task of locking all access for a security group from a folder or a device.
Assigning Access Privileges in a SecurityLevel Object
Note: To protect your Andover Continuum system, reserve user security groups 1 and 128 (or the highest-numbered user security group your site uses) to have all keys unlocked for all classes. Do this for the “base-level” security and all “object-level” security (security levels). Be sure at least one user is assigned to both the first and your highest-numbered security groups. This ensures that at least one user will have full access to the system in case of an inadvertently locked action.
Use this procedure to assign access privileges to security groups in a SecurityLevel object.
1. In the Security tab, expand the Classes folder, and then expand an object class. A list of actions is displayed, followed by a list of the tab names in that object editor. Use the vertical scroll bar to locate the action for which you would like to assign access privileges. In addition to actions specific to that object class, if any, the following actions are listed for most object classes:
   Change Out of Service — Users belonging to security groups with this privilege can enable and disable objects of this class.
   Create — Users belonging to security groups with this privilege can create objects of this class.
   Delete — Users belonging to security groups with this privilege can delete objects of this class.
   Edit — Users belonging to security groups with this privilege can open the editors of objects of this class, and modify object values in the editor.
   View — Users belonging to security groups with this privilege can open the editors of objects of this class, but cannot modify any values unless they also have Edit privileges. These users will also be able to view the class folder for any objects for which they have view access (provided the users also have access to Continuum Explorer).
   Send To Text File — Users belonging to security groups with this privilege can import and export object data to text files.
2. Assign or remove access privileges.
If you want to...
Then...
assign an access privilege for an action or an editor tab to a security group
In the row that contains the action or tab name, click the Lock icon for the security group that you want to have the privileges. The Key icon is now displayed for this security group, indicating that the group has access to the action or tab.
remove an access privilege for an action or an editor tab from a security group
In the row that contains the action or tab name, click the Key icon for the security group where you want to remove the privileges. The Lock icon is now displayed for this security group, indicating that the group does not have access to the action or tab.
assign access privileges to all actions within a view, object class, or folder
Right click the view, object class, or folder, and select Unlock Actions from the popup menu. In the Unlock Actions for Groups dialog, select the checkbox next to each security group that you want to have access, and click OK. The Key icon is now displayed for the selected security groups, indicating that the groups have access to all the actions (and editor tabs) in the view, object class, or folder.
remove access privileges to all actions within a view, object class, or folder
Right click the view, object class, or folder, and select Lock Actions from the popup menu. In the Lock Actions for Groups dialog, select the checkbox next to each security group that you do not want to have access, and click OK. The Lock icon is now displayed for the selected security groups, indicating that the groups do not have access to any of the actions (and editor tabs) in the view, object class, or folder.
3. Click OK.
You attach a SecurityLevel object to individual CyberStation objects in the SecurityLevel tab in their respective object editors. For more information, see the help topics for SecurityLevel tabs in the editors.
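The two lockout warnings in this chapter (users stranded in security groups that are no longer displayed, and the reserved full-access groups) can be checked before a change is applied. The following audit is an added example, not part of the guide or of CyberStation; the dictionary layout, user names, lock names and SecurityLevel names are assumptions, since the guide describes the editor UI rather than an export format.

```python
"""Audit a hand-built model of CyberStation users and security groups.

The dictionaries below are an assumed layout for this example; the guide
describes the Security editor UI, not an export format.
"""

GROUP_STEP = 128    # groups are displayed in multiples of 128
MAX_GROUPS = 1024   # CyberStation provides 1024 security groups


def users_losing_access(users, displayed):
    """Return users whose every assigned group is above `displayed`.

    Per the guide, users assigned only to groups that are no longer
    displayed lose all access to CyberStation.
    """
    if displayed % GROUP_STEP or not GROUP_STEP <= displayed <= MAX_GROUPS:
        raise ValueError("displayed must be 128, 256, ... up to 1024")
    return sorted(
        name for name, groups in users.items()
        if groups and all(g > displayed for g in groups)
    )


def full_access_gaps(users, base_locks, level_locks, highest_group):
    """Check the guide's note on reserving full-access groups.

    base_locks:  {group: set of locked actions} from the Security editor
    level_locks: {SecurityLevel name: {group: set of locked actions}}
    Groups 1 and `highest_group` should have no locks anywhere, and at
    least one user should be assigned to both.
    """
    reserved = (1, highest_group)
    findings = []
    for group in reserved:
        locked = base_locks.get(group)
        if locked:
            findings.append(f"group {group}: base-level locks {sorted(locked)}")
        for level, per_group in sorted(level_locks.items()):
            locked = per_group.get(group)
            if locked:
                findings.append(
                    f"group {group}: SecurityLevel {level} locks {sorted(locked)}"
                )
    if not any(set(reserved) <= set(groups) for groups in users.values()):
        findings.append(
            f"no user is assigned to both group 1 and group {highest_group}"
        )
    return findings


# Constructed sample data (user names, lock names and SecurityLevel names
# are invented for illustration).
USERS = {
    "admin": {1, 256},
    "guard1": {5},
    "guard2": {5, 140},
    "temp": {200},
    "audit": {130, 260},
}
BASE_LOCKS = {128: {"Door.Delete"}}
LEVEL_LOCKS = {"Building_A": {128: {"UniversalUnlock"}}, "Building_B": {}}

if __name__ == "__main__":
    # Assumption: the highest-numbered group in use equals the displayed count.
    # The site currently displays 256 groups and plans to reduce to 128.
    for displayed in (256, 128):
        print(f"--- {displayed} groups displayed ---")
        print("lose all access:", users_losing_access(USERS, displayed))
        for finding in full_access_gaps(USERS, BASE_LOCKS, LEVEL_LOCKS, displayed):
            print("finding:", finding)
```

In the sample, reducing the display from 256 to 128 groups strands two users and also moves the reserved highest-numbered group to one that carries locks and has no full-access holder.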
Copying Access Privileges from a Single Security Group to Another Group
Use this procedure to copy the access privileges assigned to one security group to another security group. This is useful when you want to define privileges for a security group that are only slightly different from another security group. When you paste the copied access privileges to the destination security group, the privileges for all actions in all folders are replaced with the new privileges. You can then assign or remove privileges as needed.
1. In the Security tab, expand an object class.
2. If needed, use the horizontal scroll bar to display the icon for the security group whose access privileges you want to copy.
3. Right click the security group, and select Copy Group from the popup menu.
4. If needed, use the horizontal scroll bar to display the icon for the security group where you want to paste the access privileges.
5. Right click the security group where you want to paste the privileges, and select Paste Group from the popup menu.
6. Assign or remove privileges as needed for the security group where you copied the access privileges.
7. Click Apply or OK.
More about Users and Security
See the following topics in the CyberStation online help:
“User Editor”
“Security Group Editor”
“SecurityLevel Editor”
Using Area Lockdown
The area lockdown feature in the Area editor enables you to immediately prevent entry or exit through all doors to an area.
When the Lockdown state is in effect, only personnel with executive privilege access to the area can enter or leave it. You can also lock down individual doors instead of an entire area.
About Area Lockdown
The area lockdown feature is intended to help you quickly control access in emergencies:
You can issue a lockdown message to prevent access through all doors assigned to an area.
You can clear the Lockdown state to restore routine access to an area.
You can lock down and restore access to individual doors in an area that is not locked down.
You can view the lockdown status of an area and of the doors assigned to an area.
What Happens During Lockdown
When an area is locked down, the Lockdown state overrides the following access control features, and doors to the area are locked:
Use of valid cards or keypad entries
Requests to exit
Schedules that unlock doors or allow access with valid cards or keypad entries
Attempts to force unlock a door in the Door editor, through a Pinpoint control, or using a Plain English program
Only personnel who are assigned executive privilege access and are assigned access rights to the area can enter or exit through a door in the Lockdown state. You select executive privilege access and assign area access rights in the Personnel object for each person that you want to have this access. Enable the Executive Privilege attribute in personnel profiles to display and edit the value in Personnel objects.
When the Lockdown state is cleared from an area, routine access resumes at doors to the area (if adjacent areas are not in the Lockdown state).
Locking down an Area
Use this procedure to lock down all doors assigned to an Area object. This procedure describes how to lock down an area from the Area editor. Depending on how your CyberStation system is configured, you can also lock down areas using a Pinpoint area control, a Plain English program, or command line entry.
1. Open the Area object for the area that you want to lock down.
2. In the General tab of the Area editor, click the Lockdown Area button.
3. To verify that all doors to the area are locked down, select the Doors to Area tab, and view the lockdown status of each door:
   A door is locked down when the value for ForceLock is True.
   A door is not locked down when the value for ForceLock is False. The value may be false because the controller for the door did not receive the lockdown message, or because the controller does not support the area lockdown feature.
   If a door could not respond to the lockdown message (for example, because its controller was temporarily offline), in the General tab you can click the Lockdown Area button to send the message again.
4. To remove the Lockdown state from the area, in the General tab, click the Clear Lockdown Area button. When you remove the Lockdown state, all doors to the area resume their normal states. A door that provides access to another area that is still locked down remains locked down until the Lockdown state is cleared from the other area.
Locking down Individual Doors
Use this procedure to lock down one or more doors that are assigned to an area that is not locked down. This procedure describes how to lock down doors from the Area editor. Depending on how your CyberStation system is configured, you can also lock down doors using a Pinpoint area control, a Plain English program, or command line entry.
1. Open the Area object for an area that is assigned the door that you want to lock down.
2. Click the Doors to Area tab of the Area editor.
3. Select one or more doors, and click the Lockdown Selected Doors button. You can select multiple doors by holding down the Ctrl key or the Shift key while you select doors in the list.
4. To verify that all doors to the area are locked down, view the lockdown status of each door:
   A door is locked down when the value for ForceLock is True.
   A door is not locked down when the value for ForceLock is False. The value may be false because the controller for the door did not receive the lockdown message, or because the controller does not support the area lockdown feature.
   If a door could not respond to the lockdown message (for example, because its controller was temporarily offline), in the General tab you can click the Lockdown Selected Doors button to send the message again.
5. To remove the Lockdown state from doors, select one or more doors, and click the Clear Lockdown Selected Doors button. When you remove the Lockdown state, doors resume their normal states. A door that provides access to an area that is locked down remains locked down until the Lockdown state is cleared from the other area.
More about Area Lockdown
Refer to the following related Area Lockdown topics in the CyberStation online help:
“Area Editor”
“Personnel Manager”
“Pinpoint Graphics” topics
Controlling Access with Condition Levels
ConditionLevel is an InfinitySystemVariable object that is supported in ACX 57xx controllers. You use controller condition levels with personnel clearance levels to control access during different categories of emergency. Typically, the controller condition level corresponds to security alert levels that your company has established for emergencies. For example, a public facility in the United States might define condition levels that correspond to the five levels of the Department of Homeland Security (DHS) Advisory System, as shown in the following table.
DHS Level    DHS Color    Condition Level    Clearance Level Needed for Access
Severe       Red          Level_01           1
High         Orange       Level_02           2 or 1
Elevated     Yellow       Level_03           3, 2, or 1
Guarded      Blue         Level_04           4, 3, 2, or 1
Low          Green        Level_05           5, 4, 3, 2, or 1
In Personnel objects, you can specify clearance levels that correspond to these condition levels. Enable the Default Clearance Level attribute in personnel profiles to view and edit the value in Personnel objects.
About Changing the Condition Level
You can quickly change the condition level at all controllers by sending them a new value for the ConditionLevel variable using the Global Condition Level dialog. This is a faster method of changing the values than manually changing the condition level at each controller. You can also restore the previous condition level at all controllers using this dialog.
Implementing Condition Levels and Clearance Levels
You can set up highly customized access that is tailored to the needs of your facility and the people who need access in normal and emergency situations. You can use up to 255 condition levels and clearance levels:
1 is the clearance level that allows the most access. That is, when the condition level is 1 (most severe alert), only personnel with a clearance level of 1 who are assigned to the area will have access.
255 is the clearance level that allows the least access. That is, the condition level must be 255 for personnel with a clearance level of 255 to be allowed access.
Condition levels may also be turned off.
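Because a lower condition level number admits fewer clearance levels, it helps to know who is affected before a new value is sent to the controllers. The following impact check is an added example, not part of the guide or of CyberStation; the personnel names, area names and data layout are constructed, and 0 stands for the guide's Level_0 setting, where controllers do not use the condition level when validating access.

```python
CONDITION_OFF = 0            # Level_0: controllers ignore the condition level
MIN_LEVEL, MAX_LEVEL = 1, 255


def _check(level, what):
    """Reject values outside the 1..255 range the guide allows."""
    if not (isinstance(level, int) and MIN_LEVEL <= level <= MAX_LEVEL):
        raise ValueError(f"{what} must be an integer from 1 to 255: {level!r}")


def passes_condition(clearance, condition):
    """Guide's rule: at condition level N, clearance levels N down to 1 pass.

    Clearance 1 allows the most access, 255 the least.
    """
    _check(clearance, "clearance level")
    if condition == CONDITION_OFF:
        return True
    _check(condition, "condition level")
    return clearance <= condition


def change_impact(clearances, area_rights, old, new):
    """Per area, list who keeps, loses or gains access when the condition
    level changes from `old` to `new`, and flag areas nobody could enter.

    clearances:  {person: clearance level}
    area_rights: {area: set of persons assigned access to that area}
    Only people assigned to an area are considered for it, as in the guide.
    """
    report = {}
    for area, people in sorted(area_rights.items()):
        before = {p for p in people if passes_condition(clearances[p], old)}
        after = {p for p in people if passes_condition(clearances[p], new)}
        report[area] = {
            "keep": sorted(before & after),
            "lose": sorted(before - after),
            "gain": sorted(after - before),
            "lockout": not after,   # no assigned person passes the new level
        }
    return report


# Constructed sample roster (names and areas are invented for illustration).
CLEARANCES = {"alvarez": 1, "brooks": 2, "chen": 3, "diaz": 5, "evans": 4}
AREA_RIGHTS = {
    "Lobby": {"alvarez", "brooks", "chen", "diaz"},
    "ServerRoom": {"chen", "evans"},
    "Vault": {"alvarez"},
}

if __name__ == "__main__":
    # Moving from Level_05 (Low) to Level_02 (High) in the DHS-style table.
    for area, row in change_impact(CLEARANCES, AREA_RIGHTS, 5, 2).items():
        print(area, row)
```

In the sample, raising the alert from level 5 to level 2 leaves the ServerRoom area with no assigned person who can enter, which is worth knowing before the change is sent.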
Sending a Condition Level Message to Controllers
Use this procedure to send a new value for the ConditionLevel system variable to all controllers. All controllers that receive the message and support the ConditionLevel system variable update the value of the variable with the new condition level. CyberStation also saves each controller's original value for ConditionLevel in the DB Value field in the CyberStation database.
1. In the CyberStation tool tray, right click the Continuum task icon, and select Global Condition Level.
2. Select a new condition level for Change To. You can select Level_0 for the value if you do not want the controllers to use the condition level value when validating access.
3. Click Change.
4. When prompted to confirm the change, click Yes.
5. When prompted that the condition level is changed, click OK.
Restoring Controller Condition Levels to Previous Levels
Use this procedure to send the ConditionLevel value that was saved in the DB Value field for each controller to the controllers. This is the ConditionLevel value that was in effect at each controller before CyberStation sent the new ConditionLevel value. For example, if the value for ConditionLevel at Controller A was originally 4, the value at that controller is once again 4.
1. In the task bar, right click the Continuum task icon, and select Global Condition Level.
2. Select Local for Change To.
3. Click Change.
4. When prompted to confirm the change, click Yes.
5. When prompted that the condition level is changed, click OK.
About Sending Condition Level Values to Individual Controllers
Using the Global Condition Level dialog enables you to change the value for ConditionLevel at multiple controllers with one command. You can also change the value for individual controllers:
You can edit the ConditionLevel variable in the InfinitySystemVariable editor.
You can enter a command to change the value from the command line.
You can use a Plain English (PE) program to change the value.
You can use PE script attached to a Pinpoint control to change the value.
When you use the command line or a PE program to send a value for this variable, you must use the numeric value that corresponds to the condition level that you want to set. Do not use a text string. For example, if you want to use the SET command to change the value for ConditionLevel to Level 5, use the following syntax:
SET \[pathname]\ConditionLevel = 5
More about Condition and Clearance Levels
See the following topics in the CyberStation online help:
“Global Condition Level”
“Personnel Manager”
Adding FIPS-PIV Card Credentials
Andover Continuum access control systems fully support sites that are required to have a special identification credential based on the Federal Information Processing Standard 201-1 for Personal Identity Verification (FIPS-PIV). This standard mandates United States government executive departments and agencies to have secure and reliable forms of identification for federal employees and contractors who gain physical access to controlled facilities and gain logical access to controlled information systems. Powerful access-control features are added to Andover Continuum systems to accommodate FIPS-PIV access-control requirements — card formats, readers, verification processes, and so on — in full compliance with the standard. To get started in understanding FIPS-PIV security identification, as well as how it is implemented in Andover Continuum access control systems, please read the following topics:
Overview of FIPS-PIV
Overview of FIPS-PIV cards and readers
Configuring FIPS-PIV on a New System
Transitioning an Existing system to FIPS-PIV
See also all the referenced CyberStation online help topics.
Overview of FIPS-PIV
In 2004, Homeland Security Presidential Directive 12 (HSPD 12), entitled Policy for a Common Identification Standard for Federal Employees and Contractors, mandated executive departments and agencies to require secure and reliable forms of identification for federal employees and contractors when they attempt to gain physical access to controlled facilities and logical access to controlled information systems.
The HSPD 12 standard further specified that “secure and reliable” identification must be:
Issued based on sound criteria for verifying an employee’s identity.
Strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation.
Rapidly authenticated electronically.
Issued only by providers whose reliability has been established by an official accreditation process.
FIPS 201-1 Standard for Personal Identity Verification (PIV)
In response to HSPD 12, the National Institute of Standards and Technology (NIST) developed the Federal Information Processing Standard 201-1 for Personal Identity Verification (FIPS-PIV). This standard includes two parts:
PIV I – Meets the control objectives of HSPD 12
PIV II – Meets the technical interoperability requirements of HSPD 12
PIV Middleware Providers
To meet the requirements of the standard, NIST has certified a number of PIV middleware providers that offer identity- and card-management services. These certified providers are responsible for enrolling personnel and issuing PIV cards via a process that adheres to the standard. This process includes services such as identity proofing, document validation, background checks, card enrollment, card issuance, and card activation, termination, and renewal.
Schneider Electric has a partnership with the middleware provider ImageWare Corp., which supplies the Identity Management System/Card Management System (IDMS/CMS). For more information, please see Identity Management System (IDMS).
Physical Access Control System (PACS)
Once a valid PIV credential has been activated, terminated, or updated, the relevant PIV credential information must be transferred to a Physical Access Control System (PACS) for use in access control decisions. A PACS supports FIPS 201-1 PIV credentials and FIPS 201-1 card readers, and makes access control decisions based on the access control policies configured and the credentials presented at the reader.
The PIV credential is securely stored on the smart card in the Card Holder Unique Identifier (CHUID) container. Contactless readers, used in PACS applications, operate in transparent mode and retrieve the Federal Agency Smart Credential Number (FASC-N) from the PIV smart card and present the FASC-N via Wiegand output to the access control panel. (The output format of the contactless readers may vary and must be supported by the PACS.)
Identity Management System (IDMS)
In addition to the PACS, a FIPS-PIV compliant access control system must also have an Identity Management System (IDMS). The IDMS is a central data repository for employee data, contractor data, and related credential status data. The IDMS, which adheres to the FIPS 201-1 standard and is certified by NIST, is not only a database but also a workflow management system that provides the following services:
Verify the identity of employees and contractors
Print/encode FIPS-PIV cards
Activate FIPS-PIV cards
Revoke FIPS-PIV cards
Maintain FIPS-PIV cards and cardholder data
Issue FIPS-PIV cards
Export FIPS-PIV credential data to a PACS
The IDMS is separate from the PACS system and most often from a different vendor. Because the FIPS-201-1 standard does not specify a method for exporting FIPS-PIV credential data to a PACS and synchronizing information between the two systems, Andover Continuum CyberStation provides the following methods for exporting IDMS data to the PACS and updating the Continuum database with new data from the IDMS:
Manual entry of personnel/credential data
CSV import of personnel/credential data
CyberStation's Personnel Import Utility (PIU).
The PIU provides direct integration between the IDMS/CMS middleware (ImageWare Corp.) and the Continuum database. You can configure the PIU to import into the Continuum database any additions, changes, or updates to FIPS-PIV credential data stored in the ImageWare IDMS. You can also configure the PIU to monitor changes from the IDMS continuously to keep the Continuum database up to date. For more information on the PIU, see the CyberStation help topic “Personnel Import Utility (PIU).”
Overview of FIPS-PIV cards and readers
This topic provides an overview of FIPS-PIV cards and readers.
FIPS-PIV Cards
A FIPS-PIV card must be issued by a vendor that has been approved by the United States General Services Administration (GSA) and it must conform to the FIPS-201-1 standard for layout and printing requirements. To be considered secure and reliable identification, FIPS-PIV cards must be:
Issued based on sound criteria for verifying a person's identity
Strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation
Rapidly authenticated electronically
Issued only by providers whose reliability has been established by an official accreditation process
The physical credential is a smart credential that contains a processor, memory, storage capacity, and an interface for accessing the credential data.
FIPS-PIV Readers
Physical access control systems typically use a contactless FIPS-PIV reader to read credential information from a FIPS-PIV card. Several vendors provide contactless FIPS-PIV readers. These readers must be on the GSA-approved list to conform to the FIPS-201-1 standard.
Contactless FIPS-PIV readers read the CHUID data from the FIPS-PIV credential via a 13.65 mHz radio-frequency interface. The reader's output to the access control panel is a Wiegand signal that contains the credential information that is verified in access control decisions. FIPS-PIV readers may be purchased with various Wiegand output formats. The most common output formats are:
75-bit Wiegand signal
200-bit Wiegand signal
An Andover Continuum system can be configured to handle either of these default outputs. A Continuum system may also be configured to handle a custom output Wiegand signal from the FIPS-PIV reader. For more information on custom FIPS-PIV format, see the CyberStation help topic, “Defining a Custom FIPS-PIV String Format”. The 75-bit Wiegand signal provides the access control panel with the following elements of the FASC-N on the FIPS-PIV card:
Agency Code
System Code
Credential Number
Expiration date
The 200-bit Wiegand signal provides the access control panel with all of the elements of the FASC-N, but does not provide the expiration date of the credential. Some readers also provide the ability to read multiple card formats. These readers are typically known as multi-technology readers that read older credentials, as well as FIPS-PIV credentials. This provides flexibility when transitioning an existing system to use FIPS-PIV credentials.
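The following Python sketch decodes a 75-bit frame into the four elements listed above and flags an expired credential. It is an added illustration, not CyberStation or reader-vendor code; the field widths (14/14/20/25 bits), the YYYYMMDD encoding of the expiration date, and the parity coverage are assumptions that must be checked against the datasheet of the reader in use.

```python
from datetime import date

# Assumed layout (not given in this guide): leading parity bit, four data
# fields in this order, trailing parity bit. 1 + 73 + 1 = 75 bits.
FIELDS = (("agency_code", 14), ("system_code", 14),
          ("credential_number", 20), ("expiration", 25))
FRAME_BITS = 2 + sum(width for _, width in FIELDS)
SPLIT = 37  # assumed: even parity covers the first 37 data bits, odd the rest


class WiegandError(ValueError):
    """Frame is malformed and must not reach the access decision."""


def _parity_bits(data):
    even = str(data[:SPLIT].count("1") % 2)
    odd = str(1 - data[SPLIT:].count("1") % 2)
    return even, odd


def encode_piv75(agency, system, credential, expires):
    """Build a frame as a string of '0'/'1' (used here to construct test input)."""
    exp = expires.year * 10000 + expires.month * 100 + expires.day
    data = ""
    for (name, width), value in zip(FIELDS, (agency, system, credential, exp)):
        if not 0 <= value < 1 << width:
            raise WiegandError(f"{name} does not fit in {width} bits")
        data += format(value, f"0{width}b")
    even, odd = _parity_bits(data)
    return even + data + odd


def decode_piv75(bits, today):
    """Return the FASC-N elements plus an 'expired' flag, or raise WiegandError."""
    if len(bits) != FRAME_BITS or set(bits) - {"0", "1"}:
        raise WiegandError(f"expected {FRAME_BITS} binary digits")
    data = bits[1:-1]
    if (bits[0], bits[-1]) != _parity_bits(data):
        raise WiegandError("parity check failed")
    out, pos = {}, 0
    for name, width in FIELDS:
        out[name] = int(data[pos:pos + width], 2)
        pos += width
    raw = out.pop("expiration")
    try:
        out["expires"] = date(raw // 10000, raw // 100 % 100, raw % 100)
    except ValueError as exc:
        raise WiegandError(f"invalid expiration date {raw}") from exc
    out["expired"] = out["expires"] < today
    return out


# Constructed sample values, not taken from a real credential.
SAMPLE_FRAME = encode_piv75(1234, 5678, 123456, date(2012, 6, 30))

if __name__ == "__main__":
    print(decode_piv75(SAMPLE_FRAME, date(2011, 1, 1)))
```

A 200-bit frame carries no expiration date, so a decoder for that format cannot make the `expired` check and the expiry must come from the personnel record instead.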
Note: FIPS-PIV readers typically have higher power requirements than standard proximity readers. Be sure to check the power requirements of the readers, before they are installed, to determine if the Andover Continuum hardware (ACX 57xx controller, AC-1, AC-1 Plus) can supply ample power to your particular reader. In some cases, the readers may need to be externally powered.
Configuring FIPS-PIV on a New System
When configuring CyberStation for access control using FIPS-PIV credentials, use the following four major steps as a guideline for getting started:
1. Specify the appropriate set of Allowed Credentials in the system.
2. Enter or import the FIPS-PIV credentials for use in Access Control Decisions.
3. Configure a reader for the appropriate FIPS-PIV Wiegand format.
4. Set up access validation logic, as appropriate.
Specifying the Allowed Credentials
CyberStation version 1.9 and higher allows you to configure each Personnel object with multiple credentials/cards. The global setting, Allowed Credentials, controls which credential(s) may be configured for Personnel objects in the Continuum database. You access the Allowed Credentials global setting via the Allowed Credentials dialog:
Right click the Continuum icon in the system tray, and select Allowed Credentials, to display the Allowed Credentials dialog. For more information, please see the CyberStation help topic, “Allowed Credentials Dialog.”
If you are configuring the site for access control using FIPS-PIV credentials only, the appropriate Allowed Credentials global setting would be:
CredentialFIPS-PIV
If the site uses a mix of FIPS-PIV and non-FIPS-PIV readers and credentials, the Allowed Credentials global setting may be set to:
Credential1andFIPS-PIV or Credential2andFIPS-PIV
Assigning dual credentials to a Personnel object allows you to configure the system so that a user may be configured with both a FIPS-PIV credential and a legacy credential (for example, Infinity37 proximity card).
Entering or Importing FIPS-PIV Credential Information
After selecting the appropriate Allowed Credentials setting, the FIPS-PIV credential information is accessible via the Personnel Editor and the Personnel Manager. You may enter FIPS-PIV credential information manually or you may import it directly into the Continuum database via the CSV import function in the Personnel Import Utility (PIU).
Configuring a Door/Reader
When configuring the reader(s) of a door that is under the control of a FIPS-PIV reader, you must specify the output format of the FIPS-PIV reader. You may only specify one of the FIPS-PIV reader formats per reader. You may specify additional Wiegand formats if the physical reader attached to the panel is a multi-technology reader. All readers that are attached to a single network controller (ACX 57xx series or NetController II via IO Modules) must have the same FIPS-PIV output format.
The following selections are available on the Card Formats tab of CyberStation's Door editor:
FIPS_PIV_75 Bit – Physical reader outputs 75 bit Wiegand signal
FIPS_PIV_Full_FASC-N – Physical reader outputs 200 bit Wiegand signal
FIPS_PIV_Custom – Physical reader outputs 75-254 bit Wiegand signal
For more information, please see the CyberStation help topic, “Defining a Custom FIPS-PIV String Format.”
Transitioning an Existing System to FIPS-PIV
CyberStation's FIPS-PIV implementation can accommodate a smooth transition from a non-FIPS-PIV system to a system that uses FIPS-PIV credentials and readers. Since most sites that transition to FIPS-PIV already have cardholders and personnel with an existing credential (for example, Infinity37), those existing credentials will likely still be used to access areas whose readers have not yet been replaced with FIPS-PIV-compatible readers. Moreover, FIPS-PIV credentials may not have yet been issued to personnel, and they must use their Infinity37 credentials for access in the meantime.
The following transitioning procedures/examples assume that existing personnel have Infinity37 cards and that the readers are configured for the Infinity37 card format. They also assume that, during the transition period, personnel may have two credentials for access control. Once the transition period is over — whereby all personnel have been issued a FIPS-PIV credential and all readers have been updated to FIPS-PIV readers — the site may cut over to FIPS-PIV only.
Note: The same steps outlined in the topic, Configuring FIPS-PIV on a New System, also apply when transitioning a site to FIPS-PIV, but with the following additional considerations.
Updating to FIPS-PIV Revision
Follow these major steps when updating an existing site to allow access with FIPS-PIV credentials:
1. Upgrade all CyberStation workstations to version 1.9.
2. Upgrade all network controllers (ACX 57xx series, NetController II, and IO Modules) to FIPS-PIV-compatible revisions.
3. Reload the controllers.
4. Update/replace existing readers.
Note: If readers are replaced with multi-technology readers, both Infinity37 and FIPS-PIV credentials may be used to access the area. If readers are replaced only with FIPS-PIV readers, only FIPS-PIV credentials can be read by the reader.
Once the workstation software and controller firmware have been updated, verify that normal access control operations are still operational. In order to use FIPS-PIV credentials and readers, your site must have purchased (and the CyberStation security keys must have been enabled for) the Critical Security product option. Additionally, the ACX 57xx and NetController II controllers must have been purchased with or updated with the Critical Security product option.
Specifying the Allowed Credentials
After updating to the appropriate versions of workstation and controller software, all existing credential information for personnel objects is maintained. Continuum version 1.9 and higher allows you to configure each personnel object with multiple credentials/cards. The global setting, Allowed Credentials, controls which credential(s) may be configured for Personnel objects in the Continuum database.
You access the Allowed Credentials global setting via the Allowed Credentials dialog. Right click the Continuum icon in the system tray. (For more information, please see Allowed Credentials.)
If you are configuring the site for access control using FIPS-PIV credentials only, the appropriate Allowed Credentials global setting would be:
CredentialFIPS-PIV
If the site uses a mix of FIPS-PIV and non-FIPS-PIV readers and credentials, the Allowed Credentials global setting may be set to:
Credential1andFIPS-PIV or Credential2andFIPS-PIV
Note: Changing Allowed Credentials to a new value that does not include Credential1 causes all personnel information stored in Credential1 to be permanently deleted.
Assigning dual credentials to a Personnel object allows you to configure the system so that a user may be configured with both a FIPS-PIV credential and a legacy credential (for example, Infinity37 proximity card).
FIPS-PIV Credential Information
After selecting the appropriate Allowed Credentials setting, the FIPS-PIV credential information is accessible via the Personnel Editor and the Personnel Manager. You may enter FIPS-PIV credential information manually or you may import it directly into the Continuum database via the CSV import function in the Personnel Import Utility (PIU).
Personnel that have not yet been enrolled in an Identity Management System (IDMS) and have not yet been issued a FIPS-PIV credential have no data stored in their personnel records for their FIPS-PIV credentials. However, their Infinity37 credential data remain intact. These personnel may continue to use their Infinity37 credential for access. Personnel that have had their FIPS-PIV credential issued and their FIPS-PIV credential data imported into CyberStation may use their FIPS-PIV credential for access control.
Any readers that have not yet been updated with a FIPS-PIV reader may still be used with the Infinity37 credential.
Configuring a Door/Reader
When configuring the reader(s) of a door that is under the control of a FIPS-PIV reader, you must specify the output format of the FIPS-PIV reader. You may only specify one of the FIPS-PIV reader formats per reader. You may specify additional Wiegand formats if the physical reader attached to the panel is a multi-technology reader. All readers that are attached to a single network controller (ACX 57xx series or NetController II via IO Modules) must have the same FIPS-PIV output format.
The following selections are available on the Card Formats tab of CyberStation's Door editor:
FIPS_PIV_75 Bit – Physical reader outputs 75 bit Wiegand signal
FIPS_PIV_Full_FASC-N – Physical reader outputs 200 bit Wiegand signal
FIPS_PIV_Custom – Physical reader outputs 75-254 bit Wiegand signal
For more information, please see the CyberStation help topic, Defining a Custom FIPS-PIV String Format.
Medium Assurance Profiles
Note: This topic is for the more advanced system administrator.
In order to meet the requirements for Medium Assurance Profiles in a PACS, some FIPS-PIV reader manufacturers allow readers to be configured to generate and output a Hashed Message Authentication Code (HMAC) of the data contained within the CHUID on a FIPS-PIV credential. The HMAC provides assurance that the data programmed on the card has not been tampered with.
If you have purchased a FIPS-PIV reader that provides an HMAC as part of the Wiegand output, you must configure the reader format in the Door editor to use the FIPS_PIV_Custom format. Additionally, you must set the appropriate value of the PIVReaderFormat system variable to tell the controller how to interpret the Wiegand data generated by the reader.
For more information on configuring the PIVReaderFormat system variable, please see the CyberStation help topic, Defining a Custom FIPS-PIV String Format.
Once the PIVReaderFormat system variable is set appropriately, you must specify the HMAC value in each Personnel object's FIPS-PIV credential. To do this, you must read the person's FIPS-PIV credential via a FIPS-PIV reader that generates the HMAC. Schneider Electric recommends you assign a FIPS-PIV reader as an enrollment reader for this purpose. Once the enrollment reader is created, add the door to a CyberStation Active Event View and present a FIPS-PIV credential to the reader. From the CyberStation Active Event View, you must then copy the HMAC for the invalid attempt and add it to the Personnel object's HMAC value in the person's FIPS-PIV credential.
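The enrollment sequence described above can be modelled in a few lines of Python. This is an added sketch, not CyberStation code: the `Panel` class, the door names, the reader key, the use of HMAC-SHA-256, and the way the CHUID data is serialized are all assumptions made for illustration.

```python
import hashlib
import hmac

READER_KEY = b"constructed-demo-key"  # assumption: secret configured in the reader


def reader_frame(fasc_n, expiration, key=READER_KEY):
    """Simulated reader output: identifier plus an HMAC over the CHUID data."""
    chuid = f"{fasc_n}|{expiration}".encode()  # assumed serialization
    return {"fasc_n": fasc_n,
            "hmac": hmac.new(key, chuid, hashlib.sha256).hexdigest()}


class Panel:
    """Hypothetical stand-in for the controller and the Active Event View."""

    def __init__(self):
        self.personnel = {}    # FASC-N -> personnel record
        self.event_view = []   # newest event last

    def add_person(self, fasc_n, name):
        self.personnel[fasc_n] = {"name": name, "hmac": None}

    def present(self, door, frame):
        person = self.personnel.get(frame["fasc_n"])
        enrolled = person["hmac"] if person else None
        # Constant-time comparison of the enrolled and presented values.
        valid = enrolled is not None and hmac.compare_digest(enrolled, frame["hmac"])
        self.event_view.append({"door": door, "fasc_n": frame["fasc_n"],
                                "hmac": frame["hmac"], "valid": valid})
        return valid

    def enroll_from_event(self, door, fasc_n):
        """Copy the HMAC of the latest invalid attempt at the enrollment door."""
        for event in reversed(self.event_view):
            if (event["door"], event["fasc_n"], event["valid"]) == (door, fasc_n, False):
                self.personnel[fasc_n]["hmac"] = event["hmac"]
                return event["hmac"]
        raise LookupError("no invalid attempt recorded for this credential")


def run_demo():
    fasc_n = "1234-5678-123456"          # constructed sample identifier
    panel = Panel()
    panel.add_person(fasc_n, "Constructed User")
    genuine = reader_frame(fasc_n, "20120630")
    first = panel.present("EnrollmentDoor", genuine)    # no HMAC stored yet
    panel.enroll_from_event("EnrollmentDoor", fasc_n)   # copy it from the event
    second = panel.present("LabDoor", genuine)          # now matches
    altered = reader_frame(fasc_n, "20991231")          # CHUID data changed
    third = panel.present("LabDoor", altered)           # HMAC no longer matches
    return [first, second, third]


if __name__ == "__main__":
    print(run_demo())
```

The third presentation carries the same identifier as the enrolled credential but altered CHUID data, so the reader produces a different HMAC and the attempt is rejected.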
More about FIPS-PIV
See the following topics in the CyberStation online help:
“Access Credentials Dialog”
“FIPS-PIV Attributes for Personnel Manager”
“FIPS-PIV Tab for Personnel Editor”
“Defining a Custom FIPS String Format”