Page 1 CONTROL CENTER Administrator Guide...
Page 2 © 2023, Avigilon Corporation. All rights reserved. AVIGILON, the AVIGILON logos, and AVIGILON ALTA are trademarks or registered trademarks of Avigilon Corporation. Allegion, ENGAGE technology and Schlage are trademarks of Allegion plc, its subsidiaries and/or affiliates in the United States and other countries. Safari is a trademark of Apple Inc., registered in the U.S. and other countries and regions. Mac and App Store are trademarks of Apple Inc., registered in the U.S. and other countries and regions. WORKDAY and the Workday Logo are trademarks of Workday, Inc., some registered in the United States and elsewhere. All other trademarks are the property of their respective owners. This document has been compiled and published using product descriptions and specifications available at the time of publication. The contents of this document and the specifications of the products discussed herein are subject to change without notice. Avigilon Corporation reserves the right to make any such changes without notice. Neither Avigilon Corporation nor any of its affiliated companies: (1) guarantees the completeness or accuracy t he information contained in this document; or (2) is responsible for your use of, or reliance on, the information. Avigilon Corporation shall not be responsible for any losses or damages (including consequential damages) caused by reliance on the information presented herein. Avigilon Corporation avigilon.com 20230808-en ...
Page 3: Revisions
Revisions Guide Description Rev. 4.9 Virtual directory for Video Intercom Reader Pro: Use QR codes to look up directories on phones (optional) on page 95 Rev. 4.8 Microsoft Azure AD updates: Microsoft Azure AD on page 105 Rev. 4.7 Okta integration updates: Okta on page 110 Revisions...
Page 4: Table Of Contents
Contents Revisions Contents Get started Terms Sign in Notifications Set your preferred language Set language at sign-in Set language in your profile Set language in organization-wide emails Set language in site-wide emails Alarm Management Workflow Muster Reports Workflow Dashboards Activity dashboard Filter by site Camera snapshots Alarms dashboard Filter by alarm severity or status Acknowledge, clear, or reactivate active alarms Export alarm history Contents...
Page 5 Entry dashboard Device dashboard Controller status Remote diagnostics Custom dashboards (Premium and Enterprise plans) Create custom dashboard Update dashboard title Add widgets Set dashboard as default Delete dashboard View custom dashboard Cameras View live video feeds Initiate call to intercom Play and download video Users User data model User management Export data to CSV Show or hide columns Add users Upload photos Import users by CSV file Issue credentials Edit user access Security Contents...
Page 6 Issue actions to users Generate guest access links and webhook URLs Access Groups management Export data to CSV Show or hide data Add Access Groups Role management Export data to CSV Show or hide columns Add roles Delete roles User schedules Multiple schedules Add user schedules Custom fields Sites Site management Export data to CSV Show or hide columns Add sites Building management Show or hide columns Add building details Zone management Export data to CSV Show or hide columns Contents...
Page 7 Zone sharing Add zones Anti-passback and occupancy management Entries management Export data to CSV Show or hide columns Add entries Entry settings Entry states Add entry state Entry schedules Create entry schedule Create holiday schedule Lockdown plans Export data to CSV Show or hide data Add lockdown plans Trigger lockdown plans Devices ACU management Export data to CSV Show or hide columns Add ACUs or SDCs Add expansion boards Edit ACU ports Reader management Contents...
Page 8 Export data to CSV Show or hide data Add reader Wireless lock management Export data to CSV Show or hide columns Update lock firmware Edit locks Wireless lock gateway management Video reader management Export data to CSV Show or hide data Add video reader Video intercom reader management Export data to CSV Show or hide data Add video intercom reader View activated video intercom reader Configure video settings Enable ONVIF Change cloud video storage plan View live video feed Configure two-way audio Configure call routing to users, units, or front desk Use QR codes to look up directories on phones (optional) Answer calls from intercom Contents...
Page 9 Device update management Show or hide device updates Apply available updates before maintenance window Reports Show or hide data Export report to CSV Configure reports (Activity logs, Alarms, and Portal audit report) View and mark users as safe in the Muster report (Premium and Enterprise plans) Schedule reports (Premium and Enterprise plans) View reports (Premium and Enterprise plans) App marketplace Google Workspace Set up integration Microsoft Azure AD Set up OAuth2 authentication Set up OAuth Client (Service Principal) authentication Okta OneLogin Single sign-on (SSO) Manually sync Workday reports Camio Rhombus Milestone Cisco Meraki Envoy Contents...
Page 10 Slack Zapier Webhooks Configurations Rules Add rules Alerts Alarms (Premium and Enterprise plans) Enable, disable, or silence alarms Configure alarms Mobile app Enable badge view Customize badge design Badge templates Add badge template Add custom fields (Premium plan only) Print badge Printing tips Administration Account Accept terms and conditions Edit organization information Edit security settings Quick start Profile Update your information Contents...
Page 11 Change password Add MFA devices Enable intercom notifications Play or mute alarm notification sounds Event descriptions Appendix A: Configure Avigilon Alta Control Center with legacy systems Contents...
Page 12: Get Started
Get started The Avigilon Alta Control Center is an online portal where Administrators c an configure the Avigilon Alta access control system through an internet b rowser. This guide covers how to get started in the Control Center, manage users and hardware, and provide access to your e ntries. Note: Some features in the Control Center are only available in c ertain software packages and as add-on features. Also, depending on y our role, not all of these features may be visible to you. Terms ACU: A cloud-based control panel that manages access to a s ecured area. Cloud Key Credential: A credential that lets users generate l inks to provide temporary access through the Openpath Mobile App or t hrough the Control Center. Control Center: An online portal that lets administrators m anage users, set up entries and permissions, and troubleshoot h ardware. Credential: A key presented to a reader to gain access to an e ntry. Examples include cards, key fobs, and mobile c redentials.
Page 13: Sign In
Request to Exit: A sensor that detects when someone is e xiting an entry which lets the Smart Hub ACU know to unlock the d oor. Schedule: A set of defined dates and times that can be used t o restrict access to entries or users. Site: A physical location (usually a building) that contains z ones and entries. Smart Reader: A device installed near an entry capable of r eading information stored on key cards, fobs, and Openpath mobile c redentials. Trigger Method: A combination of credential type and 1 FA/2FA. User: A person defined in the Control Center with c redentials. Wiegand Reader: A device installed near an entry capable of r eading information stored on a Wiegand card and transmitting to an a ccess control unit. Zone: Contains one or more entries within a site. Zones are t he units of physical access permissions that you assign to users ...
Page 14: Notifications
2. There are several ways to sign in. If you have not configured Multi-Factor Authentication (MFA) for your account, you are prompted to set it up. For more information, see Profile on page 139. If you received admin credentials t hrough Avigilon Alta Control Center, enter your email and password, click Enter two-factor authentication code to enter the code generated by your app. Click S ign in. To use the Single sign-on (SSO) method, your organization must have enabled authentication with an identity provider and sign-in using an identity credential, such as your Okta on page 110 account. If enabled, enter your email and click Continue. Enter the two-factor authentication (2FA) code and click Sign in. Note: If an error message asks for y our namespace, it means y our organization has enabled SSO for t wo or more identity providers. Ask the admin who set up the identity p rovider integrations for the correct namespace to use. See also User data model on page 33. Notifications Notifications (also referred to as popup or toast notifications) are system messages that need your attention, such as alarm events, intercom events, and more. A visual indicator (blue dot) in the browser tab indicates new notifications. Get started...
Page 15: Set Your Preferred Language
Tip: This indicator helps notify you when you have C ontrol Center notifications even if you are viewing a different browser tab. The dot is removed when you click a notification in the Control Center. Note: Ensure the audio on your device or machine is enabled when using the alarm notification sound. Set your preferred language Set your preferred language in the Avigilon Alta Control Center, which includes French, Spanish, Italian, German, or English. Set language at sign-in 1. Go to ontrol.openpath.com/login and s ign in. To access the European Control Center, go to control.eu.openpath.com/login. Note: The Control Center is shown automatically in French, Spanish, Italian, German, or English, based on the language and locale set in your browser. 2. Select your preferred language in Language in the lower-left corner. 3. Log in. The selected language is shown in your current login session. Set language in your profile 1. Click your name in the upper-right corner and select Profile. 2. Select your preferred language in Language. 3. Click Save. The selected language is shown every time you log in to the Control Center. Get started...
Page 16: Set Language In Organization-Wide Emails
Set language in organization-wide emails 1. Go to Administration > Account. 2. Click Change settings in the Info section. 3. Select the preferred language in Organization language. 4. Click Save. All Control Center emails for the org will be sent in the selected language. Set language in site-wide emails 1. Go to Sites > Sites, and select a site or click the Add Site button. For multiple site creation, go to Administration > Quick start and follow the screen workflow. 2. Select the preferred language in Site language. 3. Click Save. A ll Control Center emails for the site will be sent in the selected language. Get started...
Page 17: Alarm Management
Alarm Management Note: A Premium or Enterprise plan is required. The Alarm Management app supports alarm configuration, m onitoring, and reporting for a larm monitoring operators and administrators. Use this app to configure and monitor visual and audible alarms, and take the necessary actions to resolve them. Figure 1 Triggered alarms in the Alarms dashboard Workflow 1. Go to App marketplace and install the Alarm Management app, if not already done. For more information, see App marketplace on page 103. 2. Go to Configurations > Alarms, configure the alarms, and assign them to roles or users. For more information about configuration, see Alarms (Premium and Enterprise plans) on page 127. Note: The Premium plan supports 100 alarm configurations. The Enterprise plan supports 500 alarm configurations. Alarm Management...
Page 18 Notifications to the assigned monitoring operator can be specified in an alarm action. For more information, see Action triggers & alarm notifications on page 130. 3. Go to Dashboards, and add the Alarm feed and Alarm statistics widgets to your custom dashboard. Or, change Activity to Alarms in the upper-right corner. For an example, see Figure 1 o n the previous page. For more information, see Alarms dashboard on page 22 and Custom dashboards (Premium and Enterprise plans) on page 26. Note: The Premium plan supports 100 open alarms. The Enterprise plan supports 1000 open alarms. Notifications are sent as these limits are approached, and again, when the limit is reached. After that, old open alarms are auto-cleared as new alarms are triggered. For more information, see Alerts on page 126. 4. Go to Reports > Alarms, and configure the data to be displayed in the report. For example, configure an Alarm report that includes the users who triggered the alarms (see Triggered column) and the assigned monitoring operators who acknowledged the alarms with notes (see Note Added column). For more information, see Configure reports (Activity logs, Alarms, and Portal audit report) on page 101. Alarm Management...
Page 19: Muster Reports
Muster Reports Note: A Premium or Enterprise plan is required. The Muster Reports app is an emergency response tool to quickly view the Avigilon Alta users who may be in your building during an emergency evacuation. Use this app to rapidly generate a report, identify who may be on site, and account for their safety. Figure 2 Mobile view of the Muster report Workflow 1. Go to App marketplace and install the Muster Reports app, if not already done. For more information, see App marketplace on page 103. 2. Optional. Go to Sites > Entries, and add an entry for the muster point. Note: Optional muster point entries can be installed at your emergency assembly locations. A credential reader is required to be installed at the entry. The reader should only be used in a muster event and not for any other purpose. For more information, see Add entries on page 56. Muster Reports...
Page 20 3. Go to Users > Roles and select the role that will view and edit muster reports. a. Scroll down to the REPORT section and find Muster report. b. Select the View and edit a muster report toggles. c. Click Save. 4. Go to Reports > Muster and generate a report. a. Select a time period for the report. b. Optional. Select sites and zones. c. Click Search. Do any of the following: Select the Mark as safe toggle in the generated report after you have ensured a user is safe. View the users who are automatically marked as safe in the generated report, if their credentials were scanned at the muster point entry before you generated the report. 5. Export the report to CSV for record keeping. Click the i con. Muster Reports...
Page 21: Dashboards
Dashboards The Dashboards page lets you monitor access control events in the default Activity, Alarm, Device, and Entry dashboards, and to create custom dashboards for your org. Activity dashboard After signing in, you'll see the Activity dashboard which shows a l ive feed of recent access events, as well as statistics a bout event activity and active users. Click the name of a user to view their details. Note: When the 1,000 event limit is reached in the dashboard, the events over the limit are cleared on an hourly basis. To view the cleared events, go to Reports > Activity logs. Figure 1 Activity dashboard Filter by site At the top of the Activity dashboard page, select a site to narrow down the list of event activity. Dashboards...
Page 22: Camera Snapshots
Camera snapshots If you have the Cisco Meraki integration enabled, or you have Video Reader Pro or Video Intercom Reader Pro installed, you'll see a Camera c olumn in the Activity dashboard, where you can view snapshots of entry e vents by hovering over the Play icon. Click on the Play icon to view t he video footage in the Meraki dashboard. Snapshots may take up to a m inute to appear in the Avigilon Alta Control Center. Figure 2 Camera snapshots in Activity dashboard Alarms dashboard The Alarms dashboard shows a l ive feed of alarm events and statistics for alarm monitoring operators and administrators. Dashboards...
Page 23: Filter By Alarm Severity Or Status
Filter by alarm severity or status Go to Dashboards and change Activity to Alarms in the upper-right corner. Click the SEVERITY column in the alarm feed, and select a P1 to P5 level. Click the STATUS column in the alarm feed, and select the Active, Acknowledged, Cleared, Cleared - False Alarm, or Auto Cleared status. Acknowledge, clear, or reactivate active alarms Monitoring operators can respond to an Active alarm either in the Alarms dashboard or below the ALARM DETAILS section of the alarm page, depending if notes are needed. On the Alarms dashboard page, select an Active alarm in the STATUS column and an action. Dashboards...
Page 24: Export Alarm History
(Reactivate takes an alarm out of a cleared state, back to an active state.) To view the alarm page, click the alarm row or View alarm in an open alarm notification in the lower- right corner. a. On the alarm page, read the Instructions for handling the alarm. b. Select the appropriate action in Action, and add a note. Note: The alarm page includes the additional Add note action and Reassign action for reassigning the alarm to another monitoring user. c. Click Save. Export alarm history In the HISTORY section of the alarm page: Click the i con. Entry dashboard The Entry dashboard shows a live status of every entry in your s ite. Figure 3 Entry dashboard Dashboards...
Page 25: Device Dashboard
This is where you can see your organization's usage statistics as well a s the current lock state for entries. The data on the Dashboard is real t ime, so as soon as an entry unlock request is made or denied or a lock s tate changes, the data displayed will update immediately. If you have a Cloud Key and remote unlock permissions (and the entry's s tate also allows remote unlock requests), you can unlock entries from t he Main Dashboard by clicking the Unlock button next to the entry's name. Note: If a door is ajar or not properly closed, the Door Ajar a larm will be prominently displayed in the Door State column. Device dashboard The D evice dashboard is where you can get a high-level overview of y our organization's Controllers (ACUs) and readers. Controller status The Devices page in the Control Center indicates the online status of ACUs and Video Readers (listed as Controllers and Video Controllers) in the STATUS column: A green dot indicates the ACU is online and communicating normally. A yellow dot indicates the last message received from the ACU is more than 12 minutes old and the VPN is down. A red dot indicates the ACU is offline: the last message received from the ACU is more than 60 minutes old OR more than 20 minutes old and the VPN is down. Figure 4 Device dashboard showing controller status Remote diagnostics In the Controller (and Video Controller) Status table under the REMOTE DIAGNOSTICS column, select an Action: Dashboards...
Page 26: Custom Dashboards (Premium And Enterprise Plans)
Identify: Identify a reader to verify that the physical w iring matches the Control Center configuration. Clicking this will c ause the following: The reader's outer ring LED will light up. The reader's center dot will light up green. The reader's buzzer will beep several times. Restart: Restart a reader to force a reboot. This will i nterrupt services provided by the reader for up to 60 s econds. Mute: Muting a reader changes its status icon to gray on t he Devices dashboard. It will not affect any alerts or rules r egarding the reader, and it will only appear as muted on your b rowser. Custom dashboards (Premium and Enterprise plans) You can create custom dashboards by adding widgets for use in your org in addition to t he Avigilon Alta default dashboards ( Activity, Alarm, Device, and Entry). Note: Your dashboard can be viewed and edited by all S uper Admin users in your org. Dashboards...
Page 27: Create Custom Dashboard
Create custom dashboard 1. Go to the Dashboards page, and click the button in the upper-right corner. 2. Enter a name for the dashboard and click S ave. 3. Click Add your first widget in the tool tip and choose a widget. Activity feed is a live feed of the entry activity l og. Alarm feed is a live feed of all alarm events. A Premium or Enterprise plan is required. Alarm statistics displays the open alarms, open P1 alarms, acknowledged alarms, and total alarms triggered. A Premium or Enterprise plan is required. Device count displays the number of controllers and r eaders configured in the system and their online ...
Page 28: Update Dashboard Title
You need a Cloud Key c redential and a ppropriate access to one or more entries in order to trigger u nlocks. Event feed is a live feed of entry events, door ajar a nd door propped open alarms, and lockdown activations. Lockdown displays all lockdown plans in the org with b uttons to trigger and revert plans. You need user permission to trigger and revert lockdown plans. For more information, see Assign user and group permissions on page 71. Occupancy shows you the occupancy of areas configured u sing anti-passback. You need to configure anti-passback and set o ccupancy limits to use this widget. For more information, see Anti-passback and occupancy management on page 53. Statistics displays the total events, number of a ctive users, and percentage of active users from the last 12 h ours. User verification lets you monitor access events a t a particular entry and displays a user's photo when they unlock an entry.
Page 29: Add Widgets
Add widgets 1. Select Add widget from the edit menu. 2. Choose a widget and do any of the following: a. Click and drag to place the widget anywhere on the d ashboard. b. Click in the upper-right corner; the widget flips over with more options. Click in the upper- right corner to delete the widget. c. Resize the widget by clicking and dragging the l ower-right corner. Set dashboard as default Select Make default from the edit menu. Dashboards...
Page 30: Delete Dashboard
Delete dashboard Select Delete dashboard from the edit menu. View custom dashboard Click Save changes when you're done customizing the d ashboard. The custom dashboard a ppears in the Dashboards dropdown. Dashboards...
Page 31: Cameras
Cameras The Cameras page shows all cameras in your org, including Cisco Meraki cameras, and Video Reader Pro and Video Intercom Reader Pro devices. Click a Cisco Meraki camera to go to the Cisco Meraki dashboard. Click a video reader or video intercom reader to view a live feed and list of events, including door unlocks, audio and motion detection, and tamper detection. You can initiate a call to the video intercom reader using the built-in microphone and speaker on your desktop or the Openpath Mobile app. Figure 1 Video Reader live feed Cameras...
Page 32: View Live Video Feeds
View live video feeds Go to Cameras and select a camera. A live video feed is shown at the top. Initiate call to intercom Click the phone button on the live video feed. Note: Calls are not supported in Safari and Firefox browsers. U sers can also click the phone button on the live feed in the Openpath mobile app. Play and download video 1. Play a recording and click the button in the upper-right corner. 2. Find the MP4 file in the Downloads folder on your desktop. Cameras...
Page 33: Users
Users The Users page lets you manage and import users, and c reate and define groups, credentials, and roles for users. User data model If you have access to more than one org in your Avigilon Alta online portal, or you're using m ultiple identity provider integrations with SSO enabled, you should be f amiliar with how the Avigilon Alta user data model works. Figure 1 User data model Users...
Page 34: User Management
A namespace is a contained pool of emails, all of which must be u nique within the namespace. These emails (along with first name and l ast name and other info) are called identities. Identities are u sed for authentication and are what allow you to log in to the Control Center. There are two types of namespaces: "identity provider" (e.g. G S uite, Active Directory), and "local org." Namespaces allow the flexibility of having multiple instances of the s ame email that might come from different sources or have different a uthentication mechanisms (i.e. local password authentication or SSO). F or example, you might have one identity (me@company.com) from when the o rg was created (under the local org namespace) that is authenticated t hrough email and password. If you sync with an identity provider that h as the same email (me@company.com) in it, another identity will be c reated under the identity provider namespace. Identities are separate from, but related to Users. A U ser is an instance of an identity that belongs to a specific org, so a single identity could have multiple Users. This model allows a s ingle identity (email and password) to be able to access multiple orgs, w hich is useful for resellers and installers that need to be able to log i n once but have access to many orgs. Identities are what let you log ...
Page 35: Show Or Hide Columns
Show or hide columns Click the icon to show or hide information. For example, the IDENTITY PROVIDER column lists the user database from w here the users were created, such as within the portal, from Active Directory, G Suite, and more. Toggle this column to show the namespace. F or more information, see User data model on page 33. Add users 1. Go to Users > Users. 2. Click the button in the u pper-right corner. 3. Enter the user's email and name. Note: If the user belongs to another organization, you can skip the name and enter a checkmark in the Add a user from an existing namespace box and the namespace in Namespace. For more information about namespaces, see User data model on page 33. 4. Enter the Start date and End date. 5. Enter other fields, as needed. External ID — For employee IDs or other u seful information. CUSTOM FIELDS — Additional fields that are configured by your administrator (for example, License Plate). Portal Access — For a user who is an admin and requires access to the administrator web portal. Toggle the slider and add the Super Admin role. ...
Page 36: Upload Photos
Figure 3 Edit User Upload photos To display the user's photo in the Control Center and in the user's Openpath mobile app: 1. Click the EDIT button in the Edit User page. 2. Click the + Add photo button. To take a new photo using your device's built-in camera or webcam, click Use camera and then Take photo and Save photo. To upload a new photo, click Upload photo, the photo and then Save photo. Users...
Page 37: Import Users By Csv File
Figure 4 Save photo Import users by CSV file You can import and update u sers by uploading a CSV file. To import users by using a directory s ervice integration, see App marketplace on page 103. 1. Go to Users > Import users. Or, click t he Import users button in the upper-right corner of the Users page. 2. Create the CSV file in one of the following ways: Click Download Sample CSV and fill out all required fields i n the supported formats. Save the file as a CSV file (for example, openpath-bulk-import-users.csv). Excel file extensions do not work. Click the Export to CSV icon in the upper-right corner of the Users page, and modify the downloaded file. Tip: Refer to t he Valid Fields tooltip for the supported values. 3. Click the Select CSV button and locate t he file. 4. Select the Namespace: Local — For adding new users or updating e xisting ones, and if you are not using an identity provider. Choose to Skip existing users or Update them in the How To Handle Existing Users field. Users...
Page 38: Issue Credentials
Google Workspace, Microsoft Azure AD, O kta, or OneLogin — For updating existing users you previously s ynced with the Avigilon Alta system. New users will not be added. 5. Click the Upload File button. The Upload Status field will log all users added, updated, a nd skipped. This step may take a few minutes. When finished, y ou'll see an IMPORT COMPLETE message along with any errors t hat may have occurred. Issue credentials You can issue credentials to a user. A credential is a key presented to a reader to gain access to an e ntry. Note: When adding card credentials, consider that h igh frequency (HF) readers require MIFARE®, DESFire®, or ISO14443A cards, and low f requency (LF) readers use Wiegand cards. Note: The Embedded USB Smart Reader supports only Avigilon Mifare or DESFire EV3 card credentials. Mobile credentials are not supported at this time.
Page 39: Edit User Access
Card: Wiegand ID: Requires an Openpath LF key fob or c ard to access an entry. If you choose this option, see Add wiegand credentials below after saving. PIN: Requires a PIN on the keypad of an Avigilon Smart Keypad Reader to access an entry. 3. Enter the required information depending on the device and click Save. Add mobile credentials After saving a mobile credential: Click Send to email instructions to the user on how to set up their mobile device as a credential. The Activation Pending column indicates that an email has been sent, b ut the user has not yet activated their mobile credential. Or click Resend to issue another mobile credential to a new mobile device. Add wiegand credentials After saving a Wiegand credential: For Openpath LF cards, select Prox 26-bit ( H10301) in Card Format. If you're unsure of the card format, select Raw 64-bit in Card Format and enter the Card Number. Note: If you're unsure of the card number, you can s wipe the card at the reader and take note of the rejected access entry i n Reports > Activity logs. The card number will be displayed In t he Credential Detail column. If you'd like to send card credential data to a third-party control p anel, set Use for Gateway to Enabled. You must also c onfigure the Wiegand reader to enable this feature. See Wiegand device on page 61. ...
Page 40: Security
Enable Remote Unlock to let the user unlock a door remotely ( i.e. physically outside of Bluetooth range of the door reader) u sing the mobile app. The Group Schedules column will display any applicable Group S chedules if you assigned a group with a schedule. The User Schedule column lets you assign user-specific s chedules. See User schedules on page 46. Figure 5 User Access Security The Security tab is where you can manage Multi-Factor Authentication ( MFA) credentials. You cannot add MFA credentials for other users — o nly view and delete. You can add a MFA credential for yourself under Profile on page 139. Issue actions to users 1. Go to Users > Users. 2. Enter a checkmark next to one or more users. Users...
Page 41: Generate Guest Access Links And Webhook Urls
3. In Batch actions (activated by the previous step), issue any of the following actions to the selected users: Activate Users: Reactivates a suspended user. Suspend Users: Disables credential use and admin portal a ccess, if granted to the user. Delete Users: Revokes access from the user and keeps t he user in the system for reporting and record-keeping p urposes. Reset Anti-passback: Resets the anti-passback state of a user, i f using Anti-passback. See Anti- passback and occupancy management on page 53. Create Mobile Credentials: Automatically creates mobile c redentials for the selected users. Send Mobile Credentials: Sends mobile setup emails to the s elected users. If a user has multiple mobile credentials, they'll r eceive multiple setup emails. Disable Remote Unlock: Disables the remote unlock permissions f or the selected users. Enable Remote Unlock: Enables the remote unlock permissions for t he selected users. Generate guest access links and webhook URLs Users with Cloud Keys can share temporary Guest Access Links and ...
Page 42: Access Groups Management
4. Click Generate links. 5. Click Guess access link: Copy to clipboard and share the URL with the guest. Use the A PI Link for your own software or other external service. Figure 6 Webhook URL generated Note: A Cloud Key can have multiple webhooks for multiple e ntries associated with it. Deleting a Cloud Key credential will also r emove all the valid webhooks associated with it. Access Groups management The Access Groups page is where you can create and manage groups of users. Groups let you assign access and entry permissions for one or m ore users, and they're useful for organizing your user base by d epartment or role. Export data to CSV Click the i con. Show or hide data Click the icon to show or hide information. Users...
Page 43: Add Access Groups
Add Access Groups 1. Go to Users > Access Groups. 2. Click the button in the u pper-right corner. 3. Enter a name, description, badge template, and assign users. 4. Select the sites and/or zones the access group will have access t o. 5. Click Save. Role management A role is a set of portal access permissions that can be assigned to u sers. The following default roles cannot be edited: Super Admin — Gives full portal access with edit p ermissions. Note: Users with the Super Admin role can assign and revoke p ortal access for other users. Super Admin Read-Only— Gives full portal access with read p ermissions. MFA enforced Super Admin — Gives full portal access with edit p ermissions for users who use MFA. MFA enforced Super Admin Read-Only — Gives full portal access with read p ermissions for users who use MFA.
Page 44: Export Data To Csv
Export data to CSV Click the i con. Show or hide columns Click the icon to show or hide information. Add roles 1. Click the b utton in the u pper-right corner. Enter a name, description, and assign u sers. Enforce MFA — Require user to set up Multi-Factor Authentication at login. Limit to specific sites — Requires a package upgrade. 2. Select the permissions you'd like this role to have, and click S ave. Note: You cannot create a role with more permissions than you have, and you cannot assign a role with more permissions to yourself or another admin. Note: You can assign multiple roles to the same user. The user's p ermissions will be cumulative across all assigned roles. Assign permissions Permissions gives additional specificity when creating roles. ...
Page 45 Permissions Description Note: A Premium or Enterprise plan is required to use the Alarms dashboard. Users View and edit users. Roles View and edit roles and assign roles to users. Sites View and edit sites. View and edit entry state settings. View and edit general site settings. View and edit lockdown plans. View live feed View live feed from linked cameras.Openpath Pro series readers only. Playback video clips Play back video clips from linked cameras. Openpath Pro series readers only. Export video clips Export video clips for local storage. Devices View and edit devices. Openpath video device Adjust video settings. Openpath Pro series readers only. Reports View and edit reports. View and edit entry access audit. View and edit portal audit report. View and edit credentials. View and download report links. View and edit general report settings. Note: A Premium or Enterprise plan is required to use the Muster report. App marketplace View and edit app marketplace. Configurations View and edit configurations. View and edit rules. View and edit alert settings. View and edit mobile app settings. Administration View and edit administration. View and edit account. View and edit quick start page.
Page 46: Delete Roles
Delete roles 1. Select the role with no active users on the Roles page. 2. Click the icon. Note: If a user assigned to alarm monitoring is deleted, the alarms continue to be displayed in the Alarms dashboard and report history. You will be prompted to assign another user the next time you edit the alarm configuration. 3. Click Yes. User schedules The User schedules page is where you can define schedules for users and g roups. User and group schedules are useful if you want to restrict a ccess or trigger methods for certain users and groups. For example, you can define normal business hours for employees or require that certain users o nly use key cards. Users...
Page 47: Multiple Schedules
Figure 7 User schedules Multiple schedules You can assign multiple User or Group schedules to users or groups. Access is c umulative of the assigned schedules. For example, if a user has a group s chedule that gives access 9:00 am to 5:00 pm and a user schedule that g ives access 3:00 pm to 9:00 pm, then that user will have a combined a ccess of 9:00 am to 9:00 Add user schedules Tip: To disable remote unlock access to all users in a group, create a schedule with Onsite Only as the Scheduled State. 1. Click the b utton in the upper-right corner, enter a name, a nd click Next. 2. Click Add Event to create a new schedule. a. Choose between a Repeating Event and a One-Time Event. b. Enter a Name (optional). c. (Repeating Event) From the Frequency dropdown, select whether this schedule will recur daily, weekly, monthly, or annually. d. (Repeating Event) Select which days the schedule will occur on. e. Enter a Start and End Time. f. Select a Time Zone. g. ...
Page 48: Custom Fields
h. Select the Scheduled State from the dropdown. i. (Optional) Enable and set Trigger a fter an unlock method If enabled, the entry will not change to the scheduled state until the first person with access triggers a door to unlock. j. Click Save. Note: A user schedule cannot be more permissive than what t he entry allows. In this example, we've defined the Scheduled State as S tandard Security, which only works if the entry state is also set to Standard Security or Convenience (but not say, Strict Security). Figure 8 Edit User Schedule Custom fields You can create custom, optional fields that appear when you c reate and edit users, and filter them on the Users page. Note: A Premium or Enterprise plan is required. 1. Click the b utton in the upper-right corner. 2. Enter a name for the field and select a Field Type from the d ropdown: Users...
Page 49 Checkbox Date Dropdown Text 3. The field is enabled by default—if you do not want to use the f ield just yet, click the slider to disable. 4. Click Save. 5. If you selected a Dropdown field, click Create Dropdown I tem and enter a name, click Save, then repeat for the r emaining dropdown options. 6. The fields you create will appear at the bottom of User Details and c an be viewed in the User Management table by clicking Filter C olumns and clicking the checkbox next to the field. Figure 9 Custom Fields Users...
Page 50: Sites
Sites Sites are physical locations (like office buildings) comprised of zones a nd entries. You should create a site for every location where you have a n Avigilon Alta system installed. Site management The Sites page is where you can view and manage sites. Export data to CSV Click the i con. Show or hide columns Click the icon to show or hide information. Add sites 1. Click the b utton in the upper-right corner. 2. Enter a name for the site, the physical address, and a phone number. 3. If needed, set the l anguage of the Control Center emails for the site in Site language. 4. Click S ave.
Page 51: Show Or Hide Columns
Show or hide columns Click the icon to show or hide information. Add building details 1. Go to Sites > Buildings. 2. Click the b utton in the upper-right corner. 3. Enter the name of the building and the site. 4. Include the address and phone number. 5. Click S ave. Add floors to buildings 1. Click the Floors tab. 2. Click the b utton. 3. Enter the name of the floor and a description. 4. Click Save. Add units to floors & assign access 1. ...
Page 52: Zone Management
4. Select the users and groups that need access to the unit. 5. Click Save. Zone management The Zones page is where you can view and manage zones. Zones a re groups of one or more entries that you can assign to sites. Zones a re useful for breaking up large sites into smaller areas like floors or c ommon areas (in multi-tenant scenarios). Most significantly, zones are t he units of physical access permissions that you assign to users. Export data to CSV Click the i con. Show or hide columns Click the icon to show or hide information. Zone sharing Zones can be shared between multiple c ustomers. This is useful i f you're a landlord who wants to share a zone of common entries with m ultiple tenants. Recipients cannot edit shared zones. Add zones 1. Click the button in the upper-right corner.
Page 53: Anti-Passback And Occupancy Management
3. Add User Groups and Users to the zone (optional). 4. If you want to share this zone to a different Organization, enter t he Org ID(s) (optional). 5. Click Save. Anti-passback and occupancy management Anti-passback lets you define a sequence in which entries must be a ccessed in order to gain entry. Sequences are defined using A reas — each Area contains a set of inbound and outbound e ntries. For each Area, after every successful inbound entry the user m ust exit through an outbound entry before entering an inbound entry again. This feature is commonly used with parking gates and helps p revent users from sharing credentials with other users. You can also u se anti-passback to limit occupancy and prevent users from accessing i nbound entries until enough users exit through outbound entries. 1. To set up anti-passback on a zone, click on the zone to edit it, t hen click the Anti-passback tab. 2. Enter an Expiration Time in seconds after which the a nti-passback state will reset for the user. 3. ...
Page 54 Note: An entry can only be used once within an Area, either a s Inbound or Outbound but not both; however an entry can be u sed in multiple Areas. In addition, all entries within an Area must r eside on the same ACU, and all entries belonging to the parent zone m ust reside on the same ACU. d. If limiting occupancy, select either Alert or E nforce (definitions above) from the Occupancy Limiting Mode d ropdown, then enter the Occupancy Limit. Internally, the ACU tracks each user's most recent direction of m ovement (inbound or outbound) within each Area. When the user's most r ecent direction is known, then an attempt by that user to move in the s ame direction again will result in an Anti-Passback Breach event. When t he user's most recent direction is unknown, as in the case of a newly c reated Area, or following a scheduled or manual Reset action, then the u ser's next movement will be allowed in either direction, after which ...
Page 55: Entries Management
Figure 1 Anti-passback logic Entries management The Entries page is where you can add and manage entries. Generally s peaking, entries are doors, but can also be gates, turnstiles, and e levator floors. An entry is often secured with a reader or w ireless lock. Note: Your i nstaller may provision s ome or all of the following features for you during the installation process. Sites...
Page 56: Export Data To Csv
Export data to CSV Click the i con. Show or hide columns Click the icon to show or hide information. Add entries 1. Click the button in the upper-right corner. 2. Enter a name and select the zone. 3. In Cloud gateway device type, select the hardware that is configured at the entry. Openpath hardware Select the ACU in Controller. Select the video reader or video intercom reader in Controller. Schlage for Allegion Schalge® hardware Select the lock in Schlage wireless lock. 4. Optional. Select the Muster point toggle to designate the entry as a safe area, where personnel should gather in an emergency situation. Note: A credential reader is required to be installed at the entry. The reader should only be used in a muster event and not for any other purpose. 5. Click Save. Sites...
Page 57: Entry Settings
Entry settings Entry behavior Figure 2 Entry Behavior Entry Behavior is where you set the Default State for the entry. See ntry settings above. You can also a ssign an Entry Schedule, which is optional. See Entry schedules on page 65. Schlage wireless lock Note: Entries configured with Allegion Schlage NDEB and LEB wireless locks only s upport Unlocked, No Entry, and Convenience states. Entry states a re not supported by Schlage Control locks. Figure 3 Schlage Wireless Lock Sites...
Page 58 Entries configured with Schlage Wireless Locks have this additional s ection. (NDEB/LEB only) Ajar Detection and Forced Open Detection are always e nabled for wireless locks. Entry Open Duration determines how long the entry will remain unlocked (maximum 30 seconds). (NDEB/LEB only) Card Reader Sensitivity is set to Normal by default, but you c an select High or Max for more reliable reading of key fobs. Contact sensor Figure 4 Contact Sensor A contact sensor detects if an entry is open. Port — select the port for the contact sensor to which the e ntry is wired. Ajar Feature — if enabled, you can specify the maximum a llowed time the door can be ajar before an event is generated i ndicating the door is ajar. If disabled, there will be no system a ction if the door is ajar. Duration — the maximum allowed time the door can be ajar b efore events are generated. Unit — select whether to use seconds or minutes. Forced-Open Detection — if enabled, an entry opening w ithout first unlocking through Openpath or triggering the REX will ...
Page 59 Entry/exit hardware Figure 5 Entry/Exit Hardware Entry/Exit Hardware is where you can select a relay to use on the ACU ( or expansion board), like for controlling electric strikes or maglocks. Port — select which port to assign the reader, from Relay 1 -4. Technically, the electric strike is wired to one of the 4 ACU p orts, and the reader is wired to the strike. You will need to s elect the ACU relay for which this reader/entry is wired to the A CU. Entry Open Duration — enter a time (between 1 second and 10 m inutes) for how long the entry remains unlocked before reverting b ack to its default state. Unit — select whether to use seconds or minutes. Invert Output — this advanced setting is typically only n eeded for elevator relays; if enabled, it flips the NC/NO c onfiguration of the physical relay. Sites...
Page 60 Openpath reader Figure 6 Openpath reader Associate the entry with the Openpath Reader. Port — select the port on the ACU to which the Openpath R eader is connected. Card Reading — enable this to allow RFID/NFC cards at t his reader. Wave to Unlock — enable this to allow Wave to Unlock and T ouch Entry. Mobile Authorization Range — This range specifies how c lose the mobile device must be to the reader in order to register a W ave to Unlock. Set the range using the slider. Wave Detection Range — This range specifies how close the h and must be to the Openpath reader to initiate the unlock a ttempt—this behavior may vary depending on your environment and t his setting might require adjustment. Auto Proximity Unlock (Elevators Only) — enable this to u nlock the entry when a user with a valid mobile credential is in r ange of the reader. Set the range using the slider. Advanced Options — toggle this to configure advanced range ...
Page 61 Mobile Beacon Range — the distance that the beacon can d etect a mobile phone and "wakes up" the Openpath app. Request to exit Figure 7 Request to Exit Often, doors will have a Request to Exit button or sensor that will u nlock the door from the inside. Port — select the port for the Request to Exit device to w hich the entry is wired. Mode — this is an electrical term regarding how the R equest to Exit device sends the command to the ACU. Your installer w ill be able to give you guidance on whether the Mode should be set t o Normally Closed or Normally Open for a particular entry c onfiguration. Trigger Relay to Unlock Entry — if enabled, a triggered REX w ill open the associated Relay(s) and prevent forced-open alarms. Wiegand device Figure 8 Wiegand Device Openpath is compatible with legacy Wiegand Devices. Sites...
Page 62: Entry States
If an entry has more than one of any controls (Openpath Readers, E ntry/Exit Hardware, Contact Sensor, Request to Exit, or Wiegand D evice) installed, you can select which additional control(s) you w ould like to associate with the entry. Once you add an additional control, it will appear in the relevant s ection on this page. Figure 9 Additional Controls Entry states An Entry State defines whether an entry is unlocked and what access m ethods may be used to unlock it. Avigilon Alta Control Center provides the following d efault entry states: Unlocked — No credential is required for access. No Entry — No entry allowed, even with an otherwise valid c redential. Lockdown - Override Only — No entry allowed, even with an o therwise valid credential, except for override unlock r equests. Convenience — Allows all valid credentials and trigger m ethods.
Page 63: Add Entry State
Strict Security — Allows only interactive 2FA onsite mobile access a nd encrypted smart cards. Excludes all remote, 1FA, and n on-encrypted methods. Standard Security MFA- PIN — Allows most mobile access, cards, and PINs supported by Openpath readers, and excludes remote mobile 1FA and third-party Wiegand methods for MFA with PIN required as the second factor. Strict Security MFA - PIN — Allows only interactive 2FA onsite mobile access, PINs, and encrypted smartcards excluding all remote, 1FA, and non-encrypted methods for MFA with PIN required as the second factor. The Trigger Methods column refers to the number of ways that an e ntry can be unlocked in that particular state. Figure 10 Entry state management Click on an Entry State in order to view the trigger methods included in t hat state. Add entry state 1. Click the button in the upper-right corner. 2. Enter the name for the entry state and a description. 3. If the entry requires two credentials from each user, click the Enable Multi-Factor slider. Sites...
Page 64 A vigilon Reader. Over BLE: A mobile unlock request that is sent over BLE ( Bluetooth Low Energy) through the Avigilon Reader. Such a request i s always Onsite. Over WiFi: A mobile unlock request that is sent over the m obile device's WiFi connection over the local network directly to t he Avigilon Access Control Unit. Such a request may be considered O nsite or Remote depending on whether the mobile device is in range o f the entry's Reader. Over cloud: A mobile unlock request that is sent over the m obile device's WiFi or cell/LTE connection, and routed via the A vigilon Alta cloud back to the Access Control Unit. Such a request, if p ermitted, enables Remote unlock from anywhere in the world where t he mobile device has an internet connection, but also may be c onsidered Onsite if the mobile device is in range of the entry's R eader. Sites...
Page 65: Entry Schedules
Multi-Factor: An unlock request that requires two different credential types from a single user (e.g. card + PIN, etc). When enabled, users with permissions at the entry must present both credentials using the approved trigger methods for each type to gain access. Geofence: A mobile unlock or override request that is sent within the virtual geographic boundary of the Avigilon reader and uses the location-based service on the Openpath Mobile Access app over a Cloud, WiFi, or BLE connection. Entry schedules Entry Schedules allow for entries to be in a specific state (e.g. l ocked, unlocked, etc) based on date and time. For example, an entry c an be set to an unlocked state during normal business hours, Monday — F riday but remain locked (its Default Entry State) when the Schedule is i nactive. Note: Devices that do not support real-time communication with a gateway will not support this feature. Create entry schedule 1. Click the button in the upper-right corner, enter a name, and click N ext. Figure 11 Add Entry Schedule Sites...
Page 66 2. Assign this Entry Schedule to entries by either typing in the names o f the entries or using the dropdown. 3. Click Add Event to create a new schedule. a. Choose between a Repeating Event and a One-Time Event. b. Enter a Name (optional). Figure 12 Add Event Sites...
Page 67: Create Holiday Schedule
Create holiday schedule 1. Create an entry schedule or edit an existing one. 2. Click Create Event, then go to Repeating Event. 3. Enter a Name (optional). 4. From the Frequency dropdown select Annually. 5. Select which day the schedule will occur. 6. Enter a Start and End Time. For a 24 hour schedule, enter 12:00 am for the Start Time and 11:59 pm for the End Time. 7. Select a Time Zone. 8. Enter a Start Date and End Date (optional, the default repeats forever). 9. Select the Scheduled State from the dropdown. 10. Click Save. 11. Click and drag to reorder your holiday entry event – the holiday should rank higher than your normal schedule (see Figure 14 o n page 69). Sites...
Page 68 Figure 13 Holiday Example Sites...
Page 69: Lockdown Plans
Figure 14 Rank Holiday Schedule Lockdown plans The Lockdown plans page is where you can view and manage lockdown plans. Note: Lockdown is supported only for locks that are connected to an ACU or gateway. Export data to CSV Click the i con. Show or hide data Click the icon to show or hide information. Add lockdown plans 1. Click i n the upper-right corner. 2. Give the plan a useful name and assign a Rank. The rank is i mportant because it determines which plans take priority in the c ase of triggering multiple plans that share entries. The lower the n umber, the higher the rank. 3. Optionally, you can enter a time after which the plan will a uto-revert using Duration. If you do not want the lockdown p lan to revert automatically, leave this value blank. 4. Optionally, you can enable the Use standard zone c onfiguration slider to create a lockdown plan that includes ...
Page 70 Note: You cannot add zones that have been shared with you to a lockdown plan. 6. Select the desired Entry state for the zone. For lockdown scenarios, w e recommend using Lockdown - Override Only. This means only u sers with override permissions are able to unlock entries in this s tate. Figure 15 Create Lockdown Plan 7. Click Save. Sites...
Page 71: Trigger Lockdown Plans
Assign user and group permissions 1. Go to the User Config tab to select users and groups that can t rigger and revert the lockdown plan. 2. Click Save. Trigger lockdown plans Note: You must have a Cloud Key Credential to trigger and revert l ockdown plans from the Control Center. 1. Click Lockdown from the top right corner. 2. Click Trigger or Revert on the desired lockdown p lan. Sites...
Page 72 Sites...
Page 73: Devices
Devices You can use the Devices page to c reate and manage Avigilon ACUs and SDCs, r eaders, wireless locks, wireless lock gateways, video readers, and video intercom readers. ACU management The ACUs page is where you can view and manage ACUs and S DCs. Export data to CSV Click the i con. Show or hide columns Click the icon to show or hide information. Devices...
Page 74: Add Acus Or Sdcs
Add ACUs or SDCs Before you can provision an ACU using the Open Admin app, you must first c reate an ACU or SDC in the Control Center. Add multiple ACUs or SDCs using Quick start option 1. Go to ontrol.openpath.com/login and s ign in. To access the European Control Center, go to control.eu.openpath.com/login. 2. Go to Administration > Quick start. 3. Enter a Site name and any other relevant site information. a. In Organization language, select the preferred language for the emails sent by the system. b. Click Next. 4. Enter the number of controllers located at your site: a. Enter names for the controllers. b. In Controller type, select the type used: First generation - Red Board (OP-AS-01) — For first generation Smart H ubs. Single Door Controller (SDC) Core series ACU — For Core Series Smart Hubs. c. ...
Page 75 Add one ACU or SDC 1. Go to Devices > ACUs. 2. To add a new ACU or SDC, click the b utton in the upper-right corner. 3. Enter a name for the ACU or SDC. 4. In Controller type, select the type used: First generation - Red Board (OP-AS-01) — For first generation Smart H ubs. Single Door Controller (SDC) Core series ACU — For Core Series Smart Hubs. 5. If your ACU or SDC also connects to an expansion board, add the appropriate types in EXPANSION BOARDS: Openpath 4-Port Expansion Openpath 8-Port Expansion Openpath 16-Port Elevator Tip: This configuration is most common w ith the Core Series Smart Hubs. 6. Optional. To connect your network to the Cloud using a static IP address and port on an allowlist, select the Enable Static Cloud IP toggle. Default port is 443.
Page 76: Add Expansion Boards
Figure 1 Create ACU After you add an ACU to the system, you need to register it (also known a s provisioning). For Smart Hubs, refer to the Avigilon Alta Installation G uide. F or Single Door Controllers, refer to the Avigilon Alta SDC Installation Guide. Disable the Static Cloud IP connection Go to the Edit ACU page, and deselect the Enable Static Cloud IP toggle. Normal cloud operation resumes after the Static Cloud IP connection is disabled. Add expansion boards You need to edit ACUs when you install additional expansion boards in e xisting Smart Hubs. 1. To edit an ACU, click on the ACU from the ACUs page. 2. From Add expansion board, select and add the e xpansion board. 3. Click Save. Edit ACU ports From the Edit ACU page, click the Ports tab to view and m anage ACU ports: Devices...
Page 77 In the Options column, click on the Ports icon open Port O ptions. Click the Input Type dropdown to change a Contact Sensor, R equest to Exit input or AUX I/O to a different input type, Wiegand D evice, or to a Generic input. This is useful for creating rules. S ee Rules on page 124. You can only change the Input Type on a port that has not yet been a ssigned to an entry. End-of-line supervision The SDC and Core Series Smart Hubs support end-of-line (EOL) s upervision: Click the Cable icon to open Cable Options. Click the End of Line Supervision list to select Line S horted Detect, Line Cut Detect, or Both. The setting selected must match your physical wiring configuration, s ee the Openpath Access Control System Installation G uide for m ore information. Devices...
Page 78: Reader Management
Reader management The Readers page is where you can view and manage readers. Export data to CSV Click the i con. Show or hide data Click the icon to show or hide information. Add reader 1. Click the b utton in the u pper-right corner. 2. Enter a name for the reader — names are usually relevant to the l ocation where the reader is installed. 3. Select the ACU to which this reader belongs. 4. Select the port to which this reader is wired. 5. Click Save.
Page 80: Wireless Lock Management
Wireless lock management The Wireless locks page is where y ou can view and manage w ireless locks and gateways, if installed and configured by your integrator. Export data to CSV Click the i con. Show or hide columns Click the icon to show or hide information. Update lock firmware 1. Enter a checkmark next to one or more locks. 2. Click Batch actions to select Update firmware. Edit locks Note: Settings are dependent on the lock model and configuration. Configure NDEB or LEB locks 1. Go to Wireless locks and select the lock. 2. In BASIC SETTINGS set any of the following:...
Page 81 Power Failure Mode — How the lock b ehaves when the battery fails. As Is - Lock remains in the same state. Safe- Lock is unlocked. Secure - Lock is locked. Beeper Enabled — Beeping is emitted from the lock when a credential is scanned. Invalid Card Audit — L ogs invalid credentials. 3. In READER SETTINGS, set the type of card and fob c redentials supported by the l ock. For Openpath DESFire EV1, EV2, and EV3 select 14443 UID (CSN). For Openpath DESFire EV3-A, select 14443 Secure Mifare. Note: You cannot enable 14443 UID (CSN) and 14443 Secure M ifare/Mifare Plus/EV1 (NOC) at the same time. 4. Under Mobile Credential, choose whether to enable mobile c redentials on this lock. a. Adjust Communication Range to determine how close the mobile c redential needs to be to the lock before appearing as a nearby e ntry in the app. b. ...
Page 82 before appearing as a nearby e ntry in the app. 6. Adjust Performance to determine how often the mobile app s cans for locks.
Page 83: Wireless Lock Gateway Management
Wireless lock gateway management The Wireless lock gateways page provides the list of gateways synced using the Allegion E NGAGE™ app. From here, you can Sync Gateways and Update F irmware.
Page 84: Video Reader Management
Video reader management You can view and manage Video Reader Pro devices on the Video readers page. Export data to CSV Click the i con. Show or hide data Click the icon to show or hide information. Add video reader 1. Go to Devices > Video readers. 2. Click the b utton in the upper-right corner. 3. Enter a name for the video reader. 4. If Wiegand wiring is used to connect to existing legacy systems, select the Standalone Mode toggle. Note: Avigilon Alta licenses and internet access are not required. For more information, see How to set up a Standalone Mode Video Reader Pro. 5. In the CLOUD VIDEO STORAGE section, select a plan length. Note: The DETAILS section (read-only) will populate with info after the video reader is provisioned. 6. In the SETTINGS section: For more information, see: https://openpath.atlassian.net/servicedesk/customer/portal/16/article/1668284452?src=1724573529 ...
Page 85 Tamper sensor is enabled (default). When e nabled, the video reader will record Tamper Detected events when the video reader is touched or moved. Adjust the T amper sensor sensitivity, lower or higher, depending on your needs. Note: A higher sensitivity level may produce false tamper events, for example, when someone triggers a Touch to Unlock. 7. Click Save. For next steps, see: Add zones on page 52 if not created yet. Add entries on page 56 and enter the device in the Controller field. Note: During this step, you can configure the Wiegand port on the video intercom reader, as an input or output, for Mobile Gateway mode. Installing the Video Reader Pro / Video Reader Intercom Pro Or, see the Quick Start Guide in the box or the Openpath Access Control System Installation Guide. After provisioning, return to the Control Center to finish configuring video settings or to enable ONVIF. Configure video settings Edit video settings 1. Go to Devices > Video readers, and select a video reader. 2. Select the Video tab. In the VIDEO PROPERTIES section: Select High, Medium, or Low quality. Adjust Brightness, Contrast, Saturation, and Sharpness. ...
Page 86 Leave Wide Dynamic Range (WDR) as disabled (default), or enable to adjust for backlighting and other extreme lighting conditions. Leave Night mode as Auto (default), or set to Always on or Always off. Leave Anti-Overexposure as enabled (default) to reduce IR glare on persons and objects approaching the video reader. In the DETECTION SETTINGS section: Leave Enable motion detection as enabled (default) or disable to adjust sensitivity settings. In the live video feed, click and drag on the feed to add p rivacy areas or regions of interest. Privacy Mask — Hides sensitive areas of the feed from users. Region of Interest — Applies motion detection to only the marked areas. In the RECORDING SETTINGS section: Leave Burn current time into recordings and Burn camera name into recordings as enabled (default) or disable the settings. 3. Click Save. Enable ONVIF Enable ONVIF if you are exporting video to a third-party VMS. 1. Select the Enable ONVIF toggle (off by default). 2. ...
Page 87 Change cloud video storage plan You can change your cloud video storage plan length, however, plans are not retroactive. For example, if you are currently on a 30 day plan and you switch to a 180 day plan, you’ll still only have access to the past 30 days of clips (with 180 days of storage moving forward). 1. Go to Devices > Video readers, and select the video reader. 2. In CLOUD VIDEO STORAGE, select a different plan length. 3. Click Save.
Page 88: Video Intercom Reader Management
Video intercom reader management You can view and manage Video Intercom Reader Pro devices on the Video intercom reader management page, including configuring two-way audio and call routing to building occupants, and more. Export data to CSV Click the i con. Show or hide data Click the icon to show or hide information. Add video intercom reader Note: Before you start, go to the App marketplace and install the Video Intercom Voice Assistant app. 1. Go to Devices > Video intercom readers. 2. Click the b utton in the upper-right corner. 3. Enter a name for the device. 4. In the CLOUD VIDEO STORAGE section, select a plan length. Note: The DETAILS section (read-only) will populate with info after the video intercom reader is provisioned. 5. In the SETTINGS section:...
Page 89: View Activated Video Intercom Reader
Tamper sensor is enabled (default). When e nabled, the video reader will record Tamper Detected events when the video reader is touched or moved. Adjust the T amper sensor sensitivity, lower or higher, depending on your needs. Note: A higher sensitivity level may produce false tamper events, for example, when someone triggers a Touch to Unlock. 6. Click Save. 7. On the Ports tab, click the Port button to view and manage reader, relay, and Wiegand ports. For next steps, see: Add zones on page 52 if not created yet. Add entries on page 56 and enter the device in the Controller field. Note: During this step, you can configure the Wiegand port on the video intercom reader, as an input or output, for Mobile Gateway mode. Installing the Video Reader Pro / Video Reader Intercom Pro Or, see the Quick Start Guide in the box or the Openpath Access Control System Installation Guide. View activated video intercom reader 1. After provisioning, return to the Control Center to view the activated device in the DETAILS section. 2. Finish configuring video settings, intercom and routing profile settings, or to enable ONVIF. For more information, see: https://openpath.atlassian.net/servicedesk/customer/portal/16/article/1668284452?src=1724573529 ...
Page 90: Configure Video Settings
Configure video settings 1. Go to Devices > Video intercom readers, and select a video intercom reader. 2. Select the Video tab. In the VIDEO PROPERTIES section: Select High, Medium, or Low quality. Adjust Brightness, Contrast, Saturation, and Sharpness. Leave Wide Dynamic Range (WDR) as disabled (default), or enable to adjust for backlighting and other extreme lighting conditions. Leave Night mode as Auto (default), or set to Always on or Always off. Leave Anti-Overexposure as enabled (default) to reduce IR glare on persons and objects approaching the video reader. In the DETECTION SETTINGS section: Leave Enable motion detection as enabled (default) or disable to adjust sensitivity settings. In the live video feed, click and drag on the feed to add p rivacy areas or regions of interest. Privacy Mask — Hides sensitive areas of the feed from users. Region of Interest — Applies motion detection to only the marked areas. ...
Page 91: Change Cloud Video Storage Plan
3. Log in using the default username and password, then go to Configurations > Security > User accounts to change the password. Note: The Control Center always displays the default password, even if you change the password in the Camera UI. To reset the password back to the default, disable ONVIF, wait 10 seconds, then enable again. Change cloud video storage plan You can change your cloud video storage plan length, however, plans are not retroactive. For example, if you are currently on a 30 day plan and you switch to a 180 day plan, you’ll still only have access to the past 30 days of clips (with 180 days of storage moving forward). 1. Go to Devices > Video intercom readers, and select the video intercom reader. 2. In CLOUD VIDEO STORAGE, select a different plan length. 3. Click Save. View live video feed After provisioning the Video Intercom Reader Pro, you can view live video feed from the device in several places. Note: A cloud video storage license is required to view the recordings.
Page 92: Configure Two-Way Audio
Go to Devices, select the video intercom reader, and then the Video tab. Go to Dashboards and select the Activity dashboard. Go to Cameras page and select the video intercom reader. See Initiate call to intercom on page 32 and Play and download video on page 32. Configure two-way audio On the Intercom tab of a Video Intercom Reader Pro, you can configure two-way audio communication. Welcome greeting & message In the TEXT TO SPEECH section, enter: The Default message (similar to a voicemail message) that plays if routing profiles are not used, or no one is taking intercom calls. The welcome greeting in Initial greeting.
Page 93 Microphone & speaker In the AUDIO section: In Microphone setting, select an option: Enabled - always on — Audio is 'on' during intercom calls and in the live video feed. Enabled - On during intercom events — Audio is 'on' during intercom calls only. Disabled — Audio is disabled. Adjust the microphone level, lower or higher, as needed. In Audio recording, select the toggle to record audio during intercom events. In Audio detection, select the toggle to detect audio when the microphone is always on. Adjust the detection sensitivity, lower or higher, as needed. In Speaker enabled, adjust the speaker volume, lower or higher, as needed. In Privacy, deselect the toggle, as needed. SIP mode For SIP enabled and Voice over IP (VoIP) devices. For information about the installation and configuration of your PBX software and VoIP phone systems, see third-party vendor documentation. In the SIP section: SIP mode — Change SIP disabled (default) to S IP only to use SIP or SIP failover to use SIP only during internet outages. Note: When SIP is enabled on the video intercom reader, the voice assistant will be disabled. SIP address — The IP address of the PBX software. Authentication user — The extension number for the video intercom reader (for example, 5555). Authentication password — The password for the extension number for the video intercom reader.
Page 94: Configure Call Routing To Users, Units, Or Front Desk
Display name (optional) — The caller ID to be displayed on the video intercom reader (for example, OP intercom). ID/Call destination — The extension number for the VoIP phone system. Device SIP number — The extension number for the video intercom reader. Use the same value in Authentication user. Configure call routing to users, units, or front desk On the Routing profile tab of a Video Intercom Reader Pro, you can configure the call routing profiles used by the voice assistant to find users, units, or the front desk. Note: Ensure you are added to an active routing profile to receive notifications in the Control Center. Before you start Create access groups and access schedules for the Direct Connect profile. Note: This step is required for all routing profiles. Add building d etails and zones for multi-tenants for the Unit Connect profile. Add existing routing profile 1. Click the b utton in the upper-right corner. 2. Select the Use existing profile toggle. 3. In Intercom profile, select an existing profile. 4. Click Save. Add new routing profile 1. Click the b utton in the upper-right corner. 2. Leave the Use existing profile toggle deselected. 3. ...
Page 95: Use Qr Codes To Look Up Directories On Phones (Optional)
Direct Connect — Visitors call users by stating their name. Unit Connect — Visitors call the unit name and number of the building. For more information, see Building management on page 50. 4. In the RECIPIENT CONFIGURATION section, enter the access groups that can be searched by name at the intercom. 5. In the BACKUP CONFIGURATION section, enter the timeout in seconds before using the fallback profile when the recipient can't be reached. For example, if a visitor can't reach a user (Direct Connect) after 15 seconds, the visitor will hear the Farewell message . 6. Click Save. Use QR codes to look up directories on phones (optional) On the Virtual directory tab of a Video Intercom Reader Pro, you can generate and print a QR code that visitors can scan to look up a directory on their phone and then tap the icon to speak to the user or unit through the intercom. If nobody answers, they can leave a voicemail message (if enabled) or tap Front desk to let them in. Figure 1 Overview of QR code placement (a), QR code scanning and directory retrieval (b), and intercom communication (c) Create user directory and/or unit directory Before you start, ensure the Direct Connect and/or Unit Connect settings are defined on the Routing profile tab, as described on the previous page. ...
Page 96 Generate QR code 1. Select the Enable virtual directory toggle (deselected by default). A QR code is generated and additional fields are shown. 2. In Directory title, enter the title of the directory. Example: "Welcome to our building" 3. In Notes for visitors, enter instructions. Example: "Select the person from the directory to initiate a call with them through the intercom" 4. In User directory values to display, enter the user directory values. Examples: "Building, Floor, Unit" 5. In Unit directory values to display, enter the unit directory values. Example: "Floor, Tenant" 6. Click Save and then Preview to preview the user and unit directories (shown below). ...
Page 97 Tip: If the preview window expires, click Preview again to redisplay the directories. Download and print QR code 1. When you are satisfied with the preview, click Download QR code image. 2. Find the JPG file in the Downloads folder on your desktop. 3. Incorporate the QR code into signage to be placed near the Video Intercom Reader Pro. Tip: Printing the QR code onto a waterproof sticker is recommended. You may find ready-to-use labels and templates at your local supplier. Regenerate QR code 1. Click Regenerate and confirm the operation. Note: Regenerating the QR code will delete the former QR code. 2. Download and reprint the new QR code.
Page 98: Answer Calls From Intercom
Disable directory 1. Deselect the Enable virtual directory toggle. 2. Click Delete to confirm the operation. Note: Disabling the directory will delete it. Answer calls from intercom If configured, you can receive notifications in the Control Center when a visitor calls a user, group, or unit from the intercom. 1. Click the notification in the lower-right corner to view the intercom device. 2. Do any of the following: Answer the call Unlock the entry For the required configuration, see the Enable intercom notifications toggle in Profile on page 139 and Configure call routing to users, units, or front desk on page 94.
Page 99: Device Update Management
Device update management The Device updates page provides a list of the software updates for the devices managed in the Control Center, including when their default maintenance windows are scheduled to run. Updates are typically small and do not introduce noticeable downtime. Show or hide device updates Click the icon to show or hide information. All information is read-only and cannot be edited. Field Description Device ID The ACU or Video device ID. Device name The configured name of the device. Device type Controller or Video controller. Update status Unavailable — The device is offline or a connection issue has occurred between the device and the cloud. For more information on the device status, go to Dashboards > Device dashboard. Up to date — The device has the newest software version. Update available — The device has a new software version available. Update type Automatic is the default. Maintenance window The weekly maintenance window for applying software updates at the beginning of the hour shown. Apply available updates before maintenance window 1. Enter a checkmark next to one or more devices that display the Update available status. 2. Click Batch actions to select Update device(s). The updates are applied.
Page 100: Reports
Alarms — Displays the severity levels of alarms, the actions of the user or role that resolved them, video camera recordings, and more. A Premium or Enterprise plan is required. Credentials — Displays all credentials within your o rganization, filtered by credential type. Entry access audit— Displays the users that have access to any g iven entry. Entry activity (by user), Entry activity summary, User activity (by entry), User activity summary — Displays user activity, entry activity, and external ID of the entry or user, in helpful charts and diagrams. Muster — Used during an emergency evacuation or drill to view the users who may be on site, and account for their safety. A Premium or Enterprise plan is required. The user must be assigned the Muster report role. Portal audit report— Displays a log of the changes in the C ontrol Center or through the Avigilon Alta API. User access audit — Displays all entries that a selected user has accessed. A Premium or Enterprise plan is required. Scheduled reports — Displays reports scheduled for specified time periods and data categories and includes the history of report requests. Visual activity report — Displays video snapshots of entry events, which are filtered by user, site, entry, and time. Note: Before using this report, you must set up the Cisco Meraki integration or have Video reader management on page 84 installed. Show or hide data Click the ...
Page 101: Export Report To Csv
Export report to CSV Click the i con. Configure reports (Activity logs, Alarms, and Portal audit report) 1. Go to Reports and select the report type. 2. Select a time period for the report. 3. Select a Report delivery option: Deliver to current browser tab — When using this method, do not r efresh or close the browser tab. Reports may take a few minutes to g enerate. Not recommended for large datasets. Deliver via email — Useful for large datasets, select this m ethod to run the report in the background and receive an email when t he report is done. You can deliver the report to multiple email a ddresses. 4. ...
Page 102: Schedule Reports (Premium And Enterprise Plans)
Note: A credential reader is required to be installed at the entry. This reader should only be used in a muster event and not for any other purpose. Schedule reports (Premium and Enterprise plans) 1. Go to Reports > Scheduled reports. 2. Click i n the upper-right corner. 3. Enter a name for the scheduled report. 4. Select the type of report. Note: Only Activity logs and Portal audit report logs are supported. 5. Select a time period for the report and configure report settings. 6. Enter email addresses to send the reports to and select a Frequency. 7. Click Save. View reports (Premium and Enterprise plans) 1. Go to Reports > Scheduled reports. 2. Go to the Request History tab. 3. Previously generated scheduled reports will appear here. A scheduled report will expire after 30 days. Click Download to download a CSV file of the report.
Page 103: App Marketplace
App marketplace Note: Depending on how your account is configured, you may need your integrator to help set up App marketplace apps. Apps are programmatic links to third-party software and s ervices, that let you sync users and add functionality to Avigilon Alta Control Center and other systems that you use. Get apps is where you can add and configure apps for your system. Click an app to l earn more about setup and configuration. My apps is where you can view your installed apps. Click an app to edit or configure settings. Identity Management / HR Software apps let you add and sync users from identity providers y ou already use. Currently, Openpath integrates with Google Workspace™ productivity and collaboration tools, and Microsoft Azure Active Directory, OneLogin Trusted Experience Platform™, O kta, and Workday® Human Capital Management applications. Google Workspace Note: To enable this feature, you must have administrative p rivileges in your Google Workspace account: Directory User Read-Only: https://www.googleapis.com/auth/admin.directory.user.readonly Directory Group Read-Only: ...
Page 104 Administration > A ccount for subscription details. Auto-create mobile credential — Creates a mobile c redential for every user. Auto-create cloud key credential — Creates a c loud key credential for every user. Enable Single Sign-On (SSO) for users with portal access — T his will let users log into the Control Center with their Google c redentials. Only import users from groups that have an Avigilon Alta group m apping — If e nabled, no users are imported f rom the identity provider if they are not assigned to a group. Auto-remove users from groups — Removes users f rom g roups if they no longer exist in the identity provider's groups. Figure 1 Sync settings To map a specific group from the identity provider to Control Center, click Create Access Group Mapping. App marketplace...
Page 105: Microsoft Azure Ad
Note: Complete this step if you enabled the Only import users from groups that have an Avigilon Alta group mapping setting. a. Select the group from the identity provider. b. Select the group from Avigilon Alta Control Center. c. Click Create Access Group Mapping. d. Repeat for all the groups that need to be mapped. Figure 2 Group mapping Microsoft Azure AD You can integrate Microsoft Azure Active Directory (Azure AD) with Avigilon Alta Control Center to import and sync users and access groups automatically. OAuth2 and OAuth Client (Service Principal) authentication are supported. Set up OAuth2 authentication below Set up OAuth Client (Service Principal) authentication on page 108 Note: To enable this integration, you must be assigned the Application Administrator role in Azure AD. Set up OAuth2 authentication 1. Go to ontrol.openpath.com/login and s ign in. To access the European Control Center, go to control.eu.openpath.com/login. 2. Go to App marketplace > My apps, and click Microsoft Azure AD or Microsoft Azure AD Advanced. App marketplace...
Page 106 Auto-sync every 1 hour or Auto-sync every 15 minutes— Syncs Control Center with the identity provider system, once every hour or once every 15 minutes, d epending on your subscription. See Administration > A ccount for subscription details. Auto-create mobile credential — Creates a mobile c redential for every user. Auto-create cloud key credential — Creates a c loud key credential for every user. Enable single sign-on (SSO) for users with portal access — L ets users log into the Control Center with their Azure c redentials. Only import users from groups that have an Avigilon Alta group m apping — If e nabled, no users are imported f rom the identity provider if they are not assigned to a group. Auto-remove users from groups — Removes users f rom g roups if they no longer exist in the identity provider's groups. App marketplace...
Page 107 Figure 3 Sync settings for OAuth2 5. To map a specific group from the identity provider to Control Center, click Create Access Group Mapping. Note: Complete this step if you enabled the Only import users from groups that have an Avigilon Alta group m apping setting. a. Select the group from the identity provider. b. Select the group from Avigilon Alta Control Center. c. Click Create Access Group Mapping. d. Repeat for all the groups that need to be mapped. Figure 4 Group mapping App marketplace...
Page 108: Set Up Oauth Client (Service Principal) Authentication
Note: Syncing will stop at the end of the expiration period. Remember to update the client secret before this occurs. d. Configure your application permissions in Configured permissions. At a minimum, Group.Read.All and User.Read.All must be granted admin consent in the API / Permissions name column. e. Go to the Overview page. Record the Application (client) ID and Directory (tenant) ID to be entered in the Control Center. 3. Go to ontrol.openpath.com/login and s ign in. To access the European Control Center, go to control.eu.openpath.com/login. 4. Go to App marketplace > My apps, and click Microsoft Azure AD or Microsoft Azure AD Advanced. 5. Microsoft will prompt you to sign in. Sign in with your Azure AD a ccount and click Accept to allow the Avigilon Alta system to access your users and groups. Note: The Avigilon Alta system can only read data from your Azure account; it cannot write data or make any changes within the Azure system. The token the Avigilon Alta system uses only has read permissions for Azure users, groups, and directory data. 6. Now you can enable the following settings: 1 For more information, see Microsoft documentation: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service- principalportal 2 For screen illustrations, see Avigilon Alta article: https://openpath.atlassian.net/wiki/spaces/EHC/pages/2023391259/How+do+I+sync+users+using+OAuth+Client+Service+Principal+with+Microsoft+Azur e+Active+Directory#service...
Page 109 Administration > A ccount for subscription details. Auto-create mobile credential — Creates a mobile c redential for every user. Auto-create cloud key credential — Creates a c loud key credential for every user. Enable single sign-on (SSO) for users with portal access — L ets users log into the Control Center with their Azure c redentials. Only import users from groups that have an Avigilon Alta group m apping — If e nabled, no users are imported f rom the identity provider if they are not assigned to a group. Auto-remove users from groups — Removes users f rom g roups if they no longer exist in the identity provider's groups. Figure 5 Sync settings for OAuth Client (Service Principal) 7. To map a specific group from the identity provider to Control Center, click Create Access Group Mapping. Note: Complete this step if you enabled the Only import users from groups that have an Avigilon Alta group m apping setting. ...
Page 110: Okta
Figure 6 Group mapping Okta You can integrate Okta with Avigilon Alta Control Center to import and sync users and access groups in the US or EU region. Note: Before you start, contact your integrator to install and configure the Okta and Avigilon Alta Control 1 Center SAML integration for the required region. For more information, see the Avigilon Alta article a bout using the Okta Administrator Dashboard. Go to Sign on > Edit > Advanced Sign-on Settings, and enter in Region Base URL: https://api.openpath.com for US users https://api.eu.openpath.com for EU users To use the API token (API key) authentication method, you need admin p rivileges in your Okta account. We 2 recommend using a dedicated service account that uses only the Okta group membership admin role to 3 synchronize your users and access groups. You also need to generate an Okta API key (token ) for the Okta service account. To use the OAuth 2.0 method, you need the Okta super administrator (admin) role to add the API Service 4 Integration. 1. Go to ...
Page 111 b. In the window popup, select License in Item Class, your Organization, and a License Term. C lick Submit. 3. Go to App marketplace > My apps, and click Okta. 4. To use API key authentication, do the following: 1 a. In API URL, enter the O kta d omain for y our organization (for e xample, https://yourcompanyname.okta.com). b. Enter the API key that was generated for the service account dedicated to the integration. Note: After you save the API key, Avigilon Alta does not use, or o therwise expose, the API key anywhere except when using it to call O kta to synchronize users and groups. 5. To use OAuth 2.0 authentication, do the following: 1 For more information, see Okta documentation:https://developer.okta.com/docs/guides/find-your-domain/main App marketplace...
Page 112 Auto-sync every 1 hour or Auto-sync every 15 minutes— Syncs Control Center with the identity provider system, once every hour or once every 15 minutes, d epending on your subscription. See Administration > A ccount for subscription details. Auto-create mobile credential — Creates a mobile c redential for every user. Auto-create cloud key credential — Creates a c loud key credential for every user. Only import users from groups that have an Avigilon Alta group m apping — If e nabled, no users are imported f rom the identity provider if they are not assigned to a group. Auto-remove users from groups — Removes users f rom g roups if they no longer exist in the identity provider's groups. 7. To let Okta super admin users log in to the Avigilon Alta Control Center with their Okta credentials, click the toggle next to Enable single sign-on (SSO) w ith portal access. 8. To let users log in to the Avigilon Alta app using Okta credentials, click t he toggle next to Enable single ...
Page 113 e. In the Settings box, click View Setup Instructions. f. Copy Sign on URL, Issuer, and Signing Certificate from the Okta portal into their corresponding locations in the Avigilon Alta Control Center portal. Tip: Go to Sign on > More details in the Okta portal. Figure 7 SSO required information 9. To map a specific group from the identity provider to Control Center, click Create Access Group Mapping. Note: Complete this step if you enabled the Only import users from groups that have an Avigilon Alta group m apping setting. a. Select the group from the identity provider. b. Select the group from Avigilon Alta Control Center. c. Click Create Access Group Mapping. d. Repeat for all the groups that need to be mapped. Figure 8 Group mapping App marketplace...
Page 114: Onelogin
2. In App marketplace > Get apps, click the OneLogin t ile. 3. Enter the Subdomain for your OneLogin account (for example, yourcompanyname.onelogin.com). 4. Click Get API credentials to go to the OneLogin page, and click New C redential on the API Access page. 5. Enter a name for the credential, select Read Users, and click Save. For more information, refer to Working with API Credentials in O neLogin 6. Copy and paste the Client ID and Client secret to A vigilon Alta Control Center and click Save. 7. Enable the following settings: Auto-sync every 1 hour or Auto-sync every 15 minutes— Syncs Control Center with the identity provider system, once every hour or once every 15 minutes, d epending on your subscription. See Administration > A ccount for subscription details. Auto-create mobile credential — Creates a mobile c redential for every user.
Page 115 Only import users from groups that have an Avigilon Alta group m apping — If e nabled, no users are imported f rom the identity provider if they are not assigned to a group. Note: After saving the integration and enabling it using your O neLogin API credentials, you can select OneLogin groups to map to O penpath groups. Or, you can map All Users to Openpath groups. Auto-remove users from groups — Removes users f rom g roups if they no longer exist in the identity provider's groups. Figure 9 Sync settings 12. (After saving API credentials) To map a specific group from OneLogin to Openpath (required if you enabled Only import users from groups t hat have an Openpath group mapping), click +Create Group Mapping. a. Select the group from OneLogin. b. Select the group from Openpath. c. Click +Create Group Mapping. 13. Repeat step 12 until all groups that need to be mapped have been c reated.
Page 116: Single Sign-On (Sso)
Figure 10 Group mapping Single sign-on (SSO) Google G Suite, Microsoft Azure Active Directory, Okta, and OneLogin i ntegrations support Single Sign-On (SSO). If enabled, users with portal a ccess can log into the Control Center with their identity provider credentials. Note: The Control Center requires that you keep at least one A vigilon Alta-native administrative account in case there are ever any issues c onnecting to your identity provider. Manually sync After setting up an identity provider integration, you now have an o ption to Manually Sync. You can perform this action at any time by clicking the Synchronize button on the app's settings page. Workday reports You can integrate Workday® Human Capital Management reports with Avigilon Alta Control Center to import and sync users and access groups, automatically. Note: Workday Web Service API v39.1 or newer is required. In addition, you must have admin p rivileges in your Workday account to configure custom reports. Custom reports must be configured before you start this procedure. For more information, refer to the Workday support a rticle 1. Go to ontrol.openpath.com/login and s ign in. To access the European Control Center, go to ...
Page 117 a. Click the Workday o r Workday Advanced tile, depending on your subscription. b. Click + Get app in the upper-right corner. c. Choose the appropriate license for your organization. d. Click Submit. 3. Enter the Workday account details. Report URL — The URL of your Workday custom report for users. Note: In the Workday application, go to CR - OpenPath Data Interface and click the ... Actions menu. Select Web Service > View URLs and right-click on JSON to select Copy URL. Report Username — The username. Report Password — The password. (Optional) Groups URL — The URL of your Workday custom report for access groups. Note: In the Workday application, go to View Custom ReportOpenPath - Group Names and click the ... Actions menu. Select Web Service > View URLs and right-click on JSON to select Copy URL. 4. Manually trigger the first sync. Click the Synchronize button to display the active users and access groups on the Users page. Note: With the Workday Advanced package subscription, you can enable alerts for sync failures. For more information, see the Identity Provider toggle in Alerts on page 126. 5. Enable the following settings, as needed. ...
Page 118: Camio
Auto-create cloud key credential — Creates a c loud key credential for every user. Sync Person Id — Syncs the employee ID from the identity provider system. Sync Department — Syncs the department from the identity provider system. Sync Job Title — Syncs the job title from the identity provider system. Only import users from groups that have an Avigilon Alta group m apping — If e nabled, no users are imported f rom the identity provider if they are not assigned to a group. Auto-remove users from groups — Removes users f rom g roups if they no longer exist in the identity provider's groups. 6. To map a specific group from the identity provider to Control Center, click Create Access Group Mapping. Note: Complete this step if you enabled the Only import users from groups that have an Avigilon Alta group m apping setting. a. Select the group from the identity provider. b. Select the group from Avigilon Alta Control Center.
Page 119: Rhombus
Rhombus The Rhombus integrations links Avigilon Alta entry events and users with v ideos in Rhombus. To enable this integration, designate a user with r ead-only portal access and use those credentials to enable the i ntegration in the Rhombus console. Refer to the Rhombus s upport a rticle. Milestone To set up the Milestone VMS integration, you'll need to log into the C ontrol Center, go to App marketplace > Get apps and click on the Milestone tile. Download and install Microsoft .NET 4.8, ACX, and M ilestone Plugin. To set up the Avigilon Alta system integration on the Milestone server: 1. Run the Openpath_ACX_Plugin exe. 2. Find the Openpath_ACX exe and run as administrator. 3. Change the following settings under Milestone C onfiguration: Figure 12 Milestone Configuration Local port is required, and it must match the port defined in the M ilestone Access Control settings.
Page 120 Figure 13 Openpath Configuration User and Pass is required. Enter the login credentials of an O penpath Super Admin user. Openpath recommends creating a dedicated u ser for this purpose. 5. Click Save and then Close. Milestone Management Client Configuration: 1. Go to Site Navigation. Figure 14 Site Navigation 2. Right-click on Access Control and click Create New. App marketplace...
Page 121 Figure 15 Create Access Control System Integration Note: Leave User name and Password as the default. Ensure the P ort field matches the ACX Plugin. 3. Click Next and follow the prompts to tie cameras to d oors. 4. Restart Milestone Event Server, then open Openpath_ACX exe and c onfirm everything is connected: Figure 16 Confirm connection 5. Open XProtect Client. There should be an Access Control tab in the c lient now, and you can add information to live views as well. App marketplace...
Page 122: Cisco Meraki
You can integrate Cisco Meraki to view video snapshots within the C ontrol Center and enable the Visual activity report under Reports. To set up this integration, refer t o the Cisco Meraki support a rticle. Envoy If you use Envoy for your visitor management system, the Avigilon Alta system can a utomatically assign access to Envoy visitors. You do this by creating a n "Envoy Bot" in the Avigilon Alta Control Center that will generate guest a ccess links for visitors in the Envoy system that can be shared by e mail or SMS. Refer to the Envoy support a rticle. ...
Page 123: Zapier
Zapier You can integrate the Avigilon Alta system with Zapier to trigger Zaps when new users a re created, as well as automatically generate Guest Access Links, C redentials, and Users when Zaps are triggered. To enable the integration, log in to Zapier, and then click this link: h ttps://zapier.com/developer/public- invite/3857/9330f625fabe427520bf9ba8a21d1ea5/ Webhooks The Webhooks page provides information on setting up webhooks for users a nd unlock events. App marketplace...
Page 124: Configurations
Configurations Rules A rule lets you create conditional rules that trigger actions b ased on Control Center events. Tip: For advanced alarm management, refer to Alarms (Premium and Enterprise plans) on page 127. Add rules 1. Go to ontrol.openpath.com/login and s ign in. To access the European Control Center, go to control.eu.openpath.com/login. 2. Go to Configurations > Rules and click in the upper-right corner. 3. Enter a name and description, then select a Trigger Type from the d ropdown: Input triggers include events like input state changes. Event forwarder triggers include events from the previous c ategories, as well as billing activity, user creation and deletion, a nd identity provider sync issues. To learn more, refer to How to create Event Forwarder rules in O penpath. Entry triggers include events like entry unlocks, ajar d oors, and unlock failures. ...
Page 125 a. If Trigger Type is Input, choose from Input State, ACU Port F ilter, or ACU Filter. b. If Trigger Type is Entry, choose from Entry Filter, Zone F ilter, or Site Filter. c. If Trigger Type is Reader or Relay, choose from ACU P ort Filter or ACU Filter. d. If Trigger Type is Lockdown, choose from Lockdown Plan F ilter or User Filter. 6. (Optional) To apply a time constraint on this rule, choose from a O ne-Time Schedule Event or a Repeating Schedule Event, then enter d ate and time information. 7. To specify what the rule will do once triggered, select an Action T ype: a. For Relay actions, you'll need to provide the ACU Relay P ort Number To Trigger: Single Door Controller: 1 or 2 4 Door Controller: 1, 2, 3, or 4 Core Series expansion boards: (Expansion number x 10000) + Relay N umber Auxiliary relays are (Expansion number x 10000) + (Max Port ...
Page 126: Alerts
Entry Authentication Failure — An entry unlock request f ailing due to an invalid credential being used (e.g. a card with a n umber or CSN unknown to the ACU). Entry Authorization Failure — An entry unlock request f ailing due to a user not having access to that entry, using the w rong trigger method, or making an unlock request outside of a ssociated schedules. Entry Unlock Failure — An entry unlock request failing d uring the physical unlock phase, either due to a hardware issue or a failed webhook API call. Entry Forced Open — An entry opening without first u nlocking through the Avigilon Alta system or triggering the REX. Note: To receive this alert, you must also enable t he Forced-Open Detection feature in Contact sensor on page 58 settings on the entry. Entry Anti-Passback Breach — A user attempting to re-enter a defined Anti-Passback Area without first exiting and vice v ersa. Configurations...
Page 127: Alarms (Premium And Enterprise Plans)
4. Enter the email addresses and/or US-based phone numbers that you want to receive alerts. Note: Enter phone numbers using the following format: +15556667777 (no hyphens and a +1 before the number). Note: If the alert is enabled, but no email addresses or phone numbers are specified, the alert will be sent to all Super Admins’ emails within the org. 5. Click Save. Alarms (Premium and Enterprise plans) Note: A Premium or Enterprise plan is required. The Alarm configurations page is used by administrators to configure alarms that notify monitoring operators about a security situation (for example, a door forced open). After configuration is completed, monitoring operators can receive popup notifications in the Control Center, or emails and SMS notifications, and acknowledge and resolve them. Enable, disable, or silence alarms 1. Enter a checkmark next to one or more alarm configurations. 2. Click Batch actions to select: Configurations...
Page 128: Configure Alarms
Enable to show alarms in the Control Center. Disable to disable alarms and notifications. No alarms are logged in the Control Center. Silence to disable alarm notifications only. Alarms are still visible in the Alarms dashboard, and report history if enabled, in the Control Center. Configure alarms 1. Go to ontrol.openpath.com/login and s ign in. To access the European Control Center, go to control.eu.openpath.com/login. 2. Go to Configurations > Alarms and click in the upper-right corner to create an alarm. Or, double- click an existing alarm to select it. 3. In the INFO section, enter a name and description for the alarm. Severity & instructions for resolution In Severity, enter the priority of the alarm to be shown in the Alarms dashboard and popup notifications. P1 displays as (highest priority). P2 displays as P3 displays as P4 displays as P5 displays as (lowest priority).
Page 129 To require the user to acknowledge the alarm in a note in the Control Center, enter a checkmark in Require notes for acknowledgement. Note: Only one user or one role can be assigned, however, you can enter multiple users to receive notifications about the alarm, as described in Action triggers & alarm notifications on the next page. For example, enter Cameras for video monitoring In Camera(s), select any installed video intercom cameras that is relevant to the alarm. Event triggers & advanced filtering 1. In the TRIGGER section, s elect the Type, Event, and Filter event by fields. 2. Select filter details in the <object> to match field and click Add filter. Type Event Filter event by Input Contact Sensor State Changed, Generic Input State Changed, REX State, ACU port, State Changed Tamper Detector State Changed Entry Entry Ajar Ended, Entry Ajar Started, Entry Unlock Authentication Entry, Zone, Site Failed Entry Anti-Passback Breach, Entry Unlock Authenticated*, Entry Entry, Zone, Site, Unlock Authorized* User Reader Reader Fault State Changed* ACU port, ACU Relay Relay Fault State Changed* ACU port, ACU Lockdown Lockdown Plan Revert Authorized*, Lockdown Plan Reverted*, ...
Page 130 Schedules 1. Click Add schedule to put the event triggers on a schedule. Tip: If the event triggers need to be active at all times, do not add a schedule. 2. In Type, select One-time schedule event or Repeating schedule event. 3. Fill out the dates and times. 4. Click Add schedule to add another schedule. Action triggers & alarm notifications In the ACTIONS section, s elect the action in the Type field and fill out the related fields. Type Related fields Relay In ACU relay port number to trigger, enter the port number. The triggered relay is on the same ACU that the trigger event occurred on. To obtain the port number, see the examples in Rules on page 124. In State, choose Engage or Disengage. In Duration (seconds), enter the duration in seconds. On-screen In Send to, enter one or more users who will receive email notifications. notification Email / SMS In Subject, enter the subject of the notification. In Body, enter the body of the notification. In Recipients, enter phone numbers or emails. Webhook In URL, enter the URL for the webhook API call. In HTTP method, enter the GET or POST method. Lockdown In Lockdown plan, enter the lockdown plan. In Lockdown action, enter Trigger lockdown or Revert lockdown. For all types Select when the action is triggered by the user: In Delay before action (seconds), enter the delay in seconds. ...
Page 131: Mobile App
Type Related fields Select when one or more actions are performed by the monitoring operator: When alarm is Created When alarm is Acknowledged When alarm is Cleared manually When alarm is Auto cleared When false alarm is Cleared - false alarm When alarm is Reassigned Mobile app The M obile app page is where you can enable badges on the Openpath mobile app and design your organization's badge. Enable badge view Badge UI is a simplified UI for the Openpath mobile app. When enabled, users will see a digital ID badge with their name, photo, a nd other organizational information on their home screen of the O penpath app. If they are in proximity of a reader, the entry will a ppear below their badge. Users can also view a list of all entries they have access to by tapping View All. Go to Configurations > Mobile app and select the Enable badge view toggle. Note: Users may need to update their Openpath mobile app to the latest v ersion in order to see the badge in their app. Configurations...
Page 132: Customize Badge Design
Customize badge design 1. Click the Badge UI tab to design t he digital badge. 2. On the Name tab, adjust the size, position, and text f ormatting. 3. On the Photo tab, adjust the position of the user's photo a nd select a color for the photo's border. Note: A user without a photo will instead display their i nitials. 4. On the Logo tab: Click Select Logo to upload an image in PNG, JPG, or JPEG format. Click R eplace Logo to replace an existing one, or remove the i mage to use text instead. Note: You cannot edit the Text settings if an image is s elected. 5. On the Background tab: Click Select Image to use your o wn background image. ...
Page 133: Badge Templates
Tips for badge design You can enable or disable any of the fields using the E nabled sliders. You can customize the placement of any field by adjusting the P osition settings, increasing or decreasing the Center X (px) and C enter Y (px) coordinates as desired. Dimensional coordinates are based on the default badge size of 300 x 188px. If you're trying to center a field, try inputting Center X (px): 150 and Center Y (px): 94. For text fields, you can customize the font family, size, weight, l ine height, alignment, color, case (lower, UPPER, or Capitalize E ach Word). You can also choose whether first and last name appear o n two lines or one. At any point you can click Restore defaults within a tab to r evert changes made to that particular field. Clicking Restore defaults will only affect the current field you are ...
Page 134 Tip: To use the default template without customizing f urther, click Save and proceed to printing your badges. To set the template as the default for the organization, click the Org default slider. 4. On the Name tab, adjust the size, position, and text f ormatting. 5. On the Photo tab, adjust the position of the user's photo a nd select a color for the photo's border. Note: A user without a photo will instead display their i nitials. 6. On the Logo tab: Click Select Logo to upload an image in PNG, JPG, or JPEG format. Click R eplace Logo to replace an existing one, or remove the i mage to use text instead. Note: You cannot edit the Text settings if an image is s elected. 7. On the Background tab: Configurations...
Page 135: Add Custom Fields (Premium Plan Only)
Click Select Image to use your o wn background image. To use a solid color background i nstead, click the color tile in Background color to select a color using the color p icker (see example below), or click the arrows to enter your color in the HEX, RGBA, or H SLA color model. 8. On the External ID tab, select the External ID toggle, and adjust the size, position, and text f ormatting. 9. Click Save to publish your changes. Add custom fields (Premium plan only) 1. Go to Users > Custom fields and add your custom fields. 2. On the Custom Field 1 or Custom Field 2 tabs, adjust the size, position, and text formatting. Note: Custom fields are only available on the Premium plan.
Page 136: Printing Tips
d. Select the badge printer from the browser's print utility, or close a nd save the high res image to print via a different method. 2. From Users > Users: a. Click on the name of the user whose card credential you want to p rint. b. On the Credentials tab, click the Print icon next to the c ard credential. Note: If you don't see the Print icon, click the Edit icon next to the c ard, assign a Badge Template, then click Save. c. Select the badge printer from the browser's print utility, or close a nd save the high res image to print via a different method Printing tips Badge templates should work with any printer, but you may need to a djust print settings for your printer. For the Evolis Primacy card printer, we recommend printing at 96 DPI at 1 00% scale. If using a high definition printer, you may need to adjust the s cale of the image in the printer settings. Badge templates are designed for use with Openpath key ...
Page 137: Administration
Administration The Administration page is where you set up an account for the organization; choose a subscription p lan depending on the number of users, devices and entries in your organization; and s et up billing information. Account Use the Account page to define organization details, set u p purchasing and billing information, and review and accept the T erms of service. Accept terms and conditions 1. Go to Administration > Account. 2. Review the terms and conditions and click Agree and submit. Edit organization information 1. In the Info section, click Change settings. Enter your Organization name and A ccounts payable email. Set the language of the Control Center emails in Organization language. 2. Click Save. Edit security settings 1. In the Security Settings section, click Change settings. Offline timeout setting (days): The number of days t hat an ACU can be offline before the token expires. After this t ime, credentials will not authenticate. The maximum duration is 60 days. ...
Page 138: Quick Start
Allow your parent org to have VIEW access to this org: Enabled by default. Disable at anytime to prevent your parent org from viewing y our organization. Note: Setting is shown only your integrator is configured as a parent org. Allow Avigilon Alta Support to have VIEW access to this organization: Enabled by default. Disable at anytime to prevent Avigilon Alta Support from viewing your o rganization. Allow Avigilon Alta Support to have EDIT access to this organization and Allow Avigilon Alta Support to have UNLOCK access to this organization: These settings cannot be enabled; you must escalate changes to Avigilon Alta Support or Engineering. Enable remote unlock by default for new users Note: Existing users are not impacted by changes to this setting. 2. Click Save. Quick start Use the Quick start page to set up a site with ACUs and readers all on one page. T his is useful if you're already familiar with setting up s ites a nd hardware. Administration...
Page 139: Profile
Profile View and edit your profile as follows. 1. Go to in t he upper-right corner of the Control Center. 2. Click Profile. Update your information On the Info tab: 1. Edit your email and name. Note: An account imported from an identity provider cannot be edited. 2. Select your preferred language in Language. 3. Click Save. Change password On the Password tab: 1. ...
Page 140: Enable Intercom Notifications
4. Set up the app on your mobile or desktop device by scanning the QR code. If your device can't scan, click (show secret) to display the contents of the QR code. Go to your app and type the code. 5. Enter the code generated by the app in the Enter 2FA code field. 6. Click Activate MFA device. The device is added. Enable intercom notifications On the Settings tab: 1. Select the Enable intercom notifications toggle to receive notifications from the Video Intercom Reader Pro. 2. Click Save. When enabled, the following is shown: A visual indicator (blue dot) in the browser tab indicates new notifications. Tip: This indicator helps notify you when you have C ontrol Center notifications even if you are viewing a different browser tab. The dot is removed when you click a notification in the Control Center. Play or mute alarm notification sounds Note: A Premium or Enterprise plan is required. E nsure the audio on your device or machine is enabled when using the alarm notification sound. On the Settings tab:...
Page 141 To play the default sound when an alarm is generated, select the Play alarm notification sounds toggle (default). To mute the default sound, deselect the toggle and click Save.
Page 142: Event Descriptions
Event descriptions For the event descriptions for the Avigilon Alta access control system, see help.openpath.com/space/EHC/1504247809/Avigilon+Alta+event+definitions. Event descriptions...
Page 143: Appendix A: Configure Avigilon Alta Control Center With Legacy Systems
Appendix A: Configure Avigilon Alta Control Center with legacy systems You can configure Avigilon Alta Control Center to support existing legacy access control s ystems. In this setup, Avigilon Smart Readers replace the legacy W iegand readers and Avigilon Smart Hub ACUs are installed between the S mart Readers and the legacy panel, with the Wiegand ports configured as o utputs to the legacy panel. In this setup, the legacy panel makes the a ccess control decisions while the Avigilon hardware allows the use of O penpath credentials (including mobile and Cloud Key credentials). Note: The Avigilon Pro series readers (Video Reader Pro and Video Intercom Reader Pro) do not require the Avigilon Access Control Unit (ACU). Figure 1 Mobile Gateway diagram If you're supporting a legacy system, there are a few items you need to c onfigure in the Control Center: Under Entry settings, configure the Wiegand Device to Output ( Gateway) mode. See Wiegand device on page 61. Appendix A: Configure Avigilon Alta Control Center with legacy systems...
Page 144 If you want users who make authenticated unlock requests with valid O penpath credentials but do not have dedicated Use for Gateway W iegand IDs to be sent to the legacy panel, define a Default G ateway Card Number that will be sent instead. If you want to send individual user credentials to the legacy panel ( instead of setting up a Default Gateway Card Number for the entry) y ou can create a Wiegand card credential (physical card not required) for the user and enable Use for Gateway. This way, t hat card number will be sent to the legacy panel whenever the user m akes an authorized unlock request using any of the user's valid O penpath credentials. This is useful if you want to use one-to-one c redential mapping for accurate user-level reporting within the l egacy system. See ADD A WIEGAND CREDENTIAL. Appendix A: Configure Avigilon Alta Control Center with legacy systems...