access control user guide4a54f0271b66873b1ef4-ddc094ae70b29d259d46aa8a44a90623.r7.c… · 2018. 10....

User GuideAvigilon Access Control Manager™ System

Version 5.12.0

© 2009 2018, Avigilon Corporation. All rights reserved. AVIGILON, the AVIGILON logo, AVIGILON CONTROLCENTER, ACC, ACCESS CONTROL MANAGER, ACM and ACM VERIFY are trademarks of Avigilon Corporation.HID, HID GLOBAL, APERIO, VERTX and VERTX EVO are trademarks or registered trademarks of HID Global,ASSA ABLOY AB, or its affiliate(s) in the US and other countries. Other names or logos mentioned herein may bethe trademarks of their respective owners. The absence of the symbols ™ and ® in proximity to each trademark inthis document or at all is not a disclaimer of ownership of the related trademark. Avigilon Corporation protects itsinnovations with patents issued in the United States of America and other jurisdictions worldwide (seeavigilon.com/patents). Unless stated explicitly and in writing, no license is granted with respect to any copyright,industrial design, trademark, patent or other intellectual property rights of Avigilon Corporation or its licensors.

This document has been compiled and published using product descriptions and specifications available at thetime of publication. The contents of this document and the specifications of the products discussed herein aresubject to change without notice. Avigilon Corporation reserves the right to make any such changes withoutnotice. Neither Avigilon Corporation nor any of its affiliated companies: (1) guarantees the completeness oraccuracy of the information contained in this document; or (2) is responsible for your use of, or reliance on, theinformation. Avigilon Corporation shall not be responsible for any losses or damages (including consequentialdamages) caused by reliance on the information presented herein.

Avigilon Corporationavigilon.com

PDF-ACM-USG-5.12.0-A

Revision: 1 - EN

20180625

ii

http://www.avigilon.com/patents

Table of Contents

Avigilon Access Control Manager System Fundamentals 1

The Avigilon Access Control Manager System 1

Logging into the Avigilon Access Control Manager Application 2

Navigating the Application 3

Logging Out of the Avigilon Access Control Manager Application 5

Help in the Avigilon Access Control Manager System 5

Using a Pop-Up Calendar 5

Setting Personal Preferences 6

Changing the Password in My Account 6

My Account screen - Profile page 7

My Account screen - Batch Jobs 8

My Account screen - Job Specification 9

Scheduling Batch Jobs 9

Generating a Batch Report 9

Applying an Identity Profile to a Group Using a Job Specification 11

Applying a Door Template to a Group Using a Job Specification 13

Scheduling a Global Action 14

Setting Batch Door Modes 16

Contacting Your Support Representative 17

For More Information 17

Technical Support 17

Upgrades 17

Feedback 17

Initial Setup 17

Accepting the End User License Agreement 17

Changing the Administrator Password 18

Creating a Super Admin Identity 18

Managing Appliances 20

Appliances - Changes 20

Adding Extra Appliances 20

Editing Appliances 20

Deleting an Appliance 21

Configuring Replication and Failover 21

Failover/Redundancy Feature 22

Automatic failover 22

Manual failover and failback 23

iii

Recommended System Architecture 23

System Architecture for Replication 23

System Architecture for Redundancy 24

Replication and Failover Requirements 26

1. Preparing Appliances for Replication and Failover 27

Setting Up the Primary Appliance 27

Setting Up Additional Appliances 28

2. Setting Up Replication Between Appliances 30

Enabling Replication on the Primary Appliance 30

Enabling Replication on the Second Peer or Standby Appliance 31

3. Adding a Replication Subscription 33

Testing Replication 36

Checking the Appliance Replication Status 36

Testing Two-Way Replication 38

4. Setting Up Failover 39

Configuring Email Notifications for Replication Events 41

Removing Replication and Failover 42

Failing Over and Failing Back 43

Automatic Failover 43

Manual Failover 43

Failback 44

Monitoring Transactional Replication to Hot Standby 45

Configuring Network Connections 45

Configuring Ethernet Ports 45

Appliances - Virtual Port Add page 46

Adding Ethernet Routes 46

Enabling Serial Ports 47

Appliances - Serial Port Edit page 47

Backups 48

Backing Up System Data 48

Manually Backing Up Data 48

Restoring Backups 48

Logs 49

Accessing Appliance Logs 49

Software Updates 49

Updating the Appliance Software 49

Viewing the ACM™ SSL Certificate 50

Appliances - About 51

iv

Applying License Upgrades 51

Viewing the End User License Agreement 51

Accepting the End User License Agreement 51

Reviewing the Appliance Status 52

Appliances - Listing page 52

Appliances - Add page 53

Appliances: Edit screen 55

Appliances - Access page 58

Appliances - Port Listing page 59

Appliances - Ethernet Ports page 59

Appliances - Ethernet Virtual Listing page 60

Appliances - Virtual Port Edit page 60

Appliances - Routes Listing page 61

Appliances - Route Add page 61

Appliances - Route Edit page 62

Appliances - Serial Port Edit page 62

Appliances - Replication page 63

Replication page 63

Appliances - Backups Listing page 65

Appliances - Backups Add page 66

Appliances - Backups Edit page 67

Appliances - Backup File List 69

Appliances - Logs Listing page 69

Appliances - Logs page 70

Appliances - Software Updates page 70

Appliances - Software Update Add page 70

Appliances - About page 71

Physical Access - Main page 73

Outputs 73

Output Modes 74

Operating Mode 74

Inputs 74

Outputs 75

Configuring Doors 75

Searching for Doors 76

Doors - Advanced Filtering 76

Controlling Doors 77

Adding Doors 78

v

Adding Simple Macros 78

Editing Doors 79

Doors - Editing HID® Doors 80

Doors - Editing Mercury Security Doors 80

Deleting Doors 81

Door Modes 81

Access Types 82

ACM Verify™ 82

Adding an ACM Verify Door 82

Doors - Avigilon New Parameters page 83

Paired Devices 84

Prerequisites for Pairing Devices 84

Precautions for Paired ACM Verify Stations 85

Pair a Device 85

Using ACM Verify 86

Anti-Passback 87

Anti-Passback Modes 87

Setting Up Anti-Passback 88

Granting a Free Pass 89

Global Anti-Passback 89

Global Anti-Passback Modes 90

Interlocks 91

Accessing Interlocks through Doors 91

Accessing Interlocks from Subpanel Inputs 92

Accessing Interlocks from Subpanel Outputs 92

Adding Interlocks 92

Editing Interlocks 93

Doors - Listing page 93

Doors - Add page 94

Doors - HID® New Parameters page 98

Doors - Mercury Security New Parameters page 100

Doors - Edit Screen 103

Doors - Mercury Security Edit screen 103

Doors - Mercury Security Parameters page 103

Mercury Security Operations page 106

Doors - Mercury Security Hardware page 109Doors - Mercury Subpanel Reader Edit page 111Doors - Subpanel Input Edit page 113Doors - Subpanel Output Edit page 113

vi

Doors - Mercury Security Elev page 114

Doors - Mercury Security Cameras page 114Live Video Window 116

Doors - Mercury Security Interlocks page 117Interlocks - Add page 117Interlocks - Door Edit page 118

Doors - Mercury Security Events page 119Doors - Creating Local Events for Mercury Security Doors 120

Doors - Mercury Security Access page 121

Doors - Mercury Security Transactions page 122

Doors - HID VertX® Edit screen 122

Doors - HID® Parameters page 122

Doors - HID® Operations page 124

Doors - HID® Hardware page 127Doors - HID® Subpanel Reader Edit page 128Doors - HID® Subpanel Input Edit page 128Doors - HID® Subpanel Output Edit page 129

Doors - HID® Cameras page 130

Doors - HID® Events page 131Doors - Creating Local Events for HID® Doors 132

Doors - HID® Access page 133

Doors - HID® Transactions page 134

Doors - Access page 134

Configuring Locks 134

Configuring Assa Abloy Aperio® Wireless Lock Technology 134

Configuring Allegion Schlage AD400 Series Locks 135

Configuring Allegion Schlage LE Series Locks 136

Configuring Allegion Schlage NDE Series Locks 138

Configuring SimonsVoss Wireless Locks 139

Door Templates 142

Door Templates - Batch Update 143

Door Templates - Listing page 143

Door Templates - Add page 144

Configuring Panels 146

Searching for Panels 146

Adding Panels 146

Adding HID VertX® Panels 146

Adding Mercury Security Panels 147

Configuring the Mercury Security MS Bridge Solution 147

Editing Panels 148

vii

Editing HID VertX® Panels 148

Editing Mercury Security Panels 148

Resetting Anti-Passback from the Panel 148

Downloading Parameters 149

Downloading Tokens 149

Lenel Panel Support 149

Resetting Doors/Subpanels 150

Updating Firmware 150

Updating Panel Time 150

Deleting Panels 151

Subpanels 151

Adding Subpanels 152

Editing Subpanels 152

Deleting Subpanels 152

Macros 153

Adding Macros 153

Editing Macros 154

Deleting Macros 154

Assigning Macros 154

Assigning a Macro to a Trigger 154

Assigning a Macro to a Macro 154

Assigning a Macro to a Door 155

Sorting Macros 155

Triggers 155

Adding Triggers 155

Editing Triggers 155

Deleting Triggers 156

Panels - Listing page 156

Panels - Panel Add page 157

HID® 157

Mercury Security 157

Panels - Batch Add HID® Subpanels page 158

Panels - Batch Add Mercury Security Subpanels page 159

HID VertX® Panel pages 159

Panels - HID VertX® Status page 159Subpanels - HID VertX® Status Listing page 160Panels - HID® Firmware Listing page 161Panels - HID® Firmware Upload page 161

Panels - HID VertX® Configure page 162

viii

Panels - HID VertX® Host page 162

Panels - HID VertX® Subpanels page 163Subpanels - HID® Subpanel Add page 164Subpanels - HID® Subpanel Edit page 164Subpanels - HID® Input Listing page 165Subpanels - HID® Input Edit page 165Subpanels - HID® Outputs Listing page 166Subpanels - HID® Outputs Edit page 167Subpanels - HID® Readers Listing page 167Subpanels - HID® Reader Edit page 168

Panels - HID VertX® Events page 168Panels - Create Local Events for HID® Panels 170Subpanels - HID VertX® Events page 171Subpanels - Create Local Events for HID® Subpanels 173Inputs - HID VertX® Events page 175Inputs - Create Local Events for HID® Inputs 176Outputs - HID VertX® Events page 178Outputs - Create Local Events for HID® Outputs 179

Mercury Security Panel pages 181

Panels - Mercury Security Status page 181Subpanels - Mercury Security Status Listing page 182Panels - Mercury Security Firmware Listing page 183Panels - Mercury Security Firmware Upload page 183

Panels - Mercury Security Configure page 184

Panels - Mercury Security Host page 184

Panels - Mercury Security Subpanels page 185Subpanels - Mercury Security Subpanel Add page 186Subpanels - Mercury Security Subpanel Edit page 187Subpanels - Mercury Security Input Listing page 188Subpanels - Mercury Security Input Edit page 188Interlocks - Input Listing page 190

Interlocks - Input Add page 191

Interlocks - Input Edit page 192Subpanels - Mercury Security Outputs Listing page 193Subpanels - Mercury Security Outputs Edit page 193Interlocks - Output Listing page 194Interlocks - Output Add page 194Interlocks - Output Edit page 195Subpanels - Mercury Security Readers Listing page 196Subpanels - Mercury Security Readers Edit page 197

Panels - Mercury Security Macros 199Macros - Macro Command Listing page 199Macros - Macro Command Add page 200Macros - Macro Command Edit page 200

Triggers - Listing page 201Triggers - Add page 201

ix

Triggers - Edit page 202

Panels - Mercury Security Access Levels page 203

Panels - Mercury Security Events page 204Panels - Create Local Events for Mercury Security Panels 206Subpanels - Mercury Security Events page 207Subpanels - Create Local Events for Mercury Security Subpanels 209Inputs - Mercury Security Events page 211Inputs - Create Local Events for Mercury Security Inputs 212Outputs - Mercury Security Events page 214Outputs - Create Local Events for Mercury Security Outputs 215

Panels - Schedules tab 217

Areas 218

Areas - Adding 219

Areas - Editing 219

Areas - Deleting 220

Areas - Listing page 220

Areas - Add page 220

Areas - Edit page 221

EOL Resistance 222

Adding EOL Resistance for Mercury Input Points 222

Adding EOL Resistance to HID® Input Points 222

Editing EOL Resistance for Mercury Input Points 222

Editing EOL Resistance for HID® Input Points 223

EOL Resistance - HID® Listing page 223

EOL Resistance - Add page 223

EOL Resistance - Edit page 224

EOL Resistance - Mercury Security Listing page 224

EOL Resistance - Add Normal page 224

EOL Resistance - Add Advanced page 225

EOL Resistance - Edit page 226

Normal Edit page 226

Advanced Edit page 226

Mercury Security LED Modes - Listing page 227

Editing Mercury Security LED Modes 228

Mercury Security LED Mode Table screen 228

LED Modes for Mercury Security 229

Card Formats 231

Adding Card Formats 231

Editing Card Formats 231

Deleting Card Formats 231

x

Card Formats - Listing page 231

Card Formats - Add page 232

Card Formats - Edit page 233

Events - Introduction 234

Events - Searching 235

Events - Editing 235

Events - Assigning Priority Colors 235

Events - Listing page 237

Events - Edit page 237

Events - Colors Listing page 239

Events - Color Add page 239

Events - Color Edit page 240

Global Actions 240

Global Actions - Adding 240

Global Actions - Editing 241

Global Actions - Action Types 241

Global Actions - Deleting 241

Global Actions - Intrusion Linkages and Actions 241

Intrusion panel alarm due to an event in the ACM System 242

Disable/enable doors from keypad 242

Disarm Alarm on Access Grant with restricted authorities 242

Global Actions Listing page 242

Global Actions - Add page 243

Global Actions - Edit page 248

Global Linkages - Introduction 252

Global Linkages - Adding 253

Global Linkages - Editing 253

Global Linkages - Listing page 253

Global Linkages - Add page 254

Global Linkages - Edit screen 254

Global Linkages - Linkage page 255

Global Linkages - Devices page 256

Global Linkages - Events page 257

Global Linkages - Tokens page 258

Global Linkages - Actions page 259

Mustering - Introduction 260

Mustering - Requirements 261

Mustering - Creating a Dashboard 261

xi

Mustering - Using the Dashboard 262

Mustering - Manually Moving Identities 264

Setup & Settings - Main page 265

Schedules and Holidays - Introduction 265

Schedules 265

Holidays 266

Adding Schedules 266

Editing Schedules 267

Deleting Schedules 267

Holidays - Adding 267

Holidays - Editing 268

Holidays - Deleting 268

Holidays and Schedules - Examples 268

Example 1: Part-Day Holiday 268

Example 2: Additional Access Time 269

Schedules - Listing page 269

Schedules - Add New page 270

Schedules - Edit page 271

Holidays - Listing page 272

Holidays - Add New page 272

Holidays - Edit page 273

Event Types - Introduction 274

Adding Event Types 276

Editing Event Types 276

Deleting Event Types 276

Event Types - Listing page 277

Event Types - Add New page 278

Event Types - Edit page 278

User Defined Fields - Introduction 279

User Defined Fields - Adding a Field 279

User Defined Fields - Adding User Defined Tabs 280

User Defined Fields - Editing User Defined Tabs 281

User Defined Fields - Deleting Fields 281

User Defined Tabs - Deleting 281

User Defined Fields - Listing page 281

User Defined Fields - Add New page 282

User Defined Tabs - Listing page 282

User Defined Tabs - Add page 283

xii

User Defined Tabs - Edit page 283

User Lists - Introduction 283

User Lists - Adding Items to a List 284

User Lists - Editing Items 284

User Lists - Deleting Items 284

User Lists - User-Defined Lists 284

User Lists - User List Edit screen 285

System Settings 285

System Settings - General page 285

Remote Authentication from External Domains 288

About Certificate Pinning 289

System Settings - Configuring Remote Authentication Using SSL Certificates 289

Using Pinned Certificates 289

Using Trusted Certificates 290

System Settings - Remote Authentication 291

System Settings - External Domains Listing page 292

System Settings - External Domains Add page 293

System Settings - External Domains Edit page 293

System Settings - Certificates Listing page 294

Certificate Upload page 294

Badge Templates and the Badge Designer 295

Using the Badge Designer 295

Badge Templates - listing page 300

External Systems - Introduction 301

Supported External Systems 301

External Systems - Avigilon Server Listing page 301

External Systems - Avigilon Server: Add page 301

External Systems - Avigilon Server: Edit page 302

External Systems - Dedicated Micros Listing page 303

External Systems - Dedicated Micros Add page 303

External Systems - Dedicated Micros Edit page 304

External Systems - Exacq Servers Listing page 305

External Systems - Exacq Server Add page 305

External Systems - Exacq Server Edit page 306

External Systems - Motion Smoothing 307

External Systems - IP-Based Camera Listing page 307

External Systems - IP-Based Camera Add page 307

External Systems - IP-Based Camera Edit page 308

xiii

External Systems- Enabling RTSP 309

External Systems - LifeSafety Power Listing page 309

External Systems - LifeSafety Power Add page 309

External Systems - LifeSafety Power Supply Edit page 310

External Systems - Milestone Servers Listing page 310

External Systems - Milestone Server Add page 311

External Systems - Milestone Server Edit page 311

External Systems - Salient Servers Listing page 312

External Systems - Salient Server Add page 312

External Systems - Salient Server Edit page 313

External Systems - Bosch Intrusions page 314

External Systems - Bosch Intrusions Areas page 315

External Systems - Bosch Intrusions Outputs page 315

External Systems - Bosch Intrusions Points page 315

External Systems - Bosch Intrusions Users page 316

External Systems - ViRDI 316

External Systems - ViRDI System Settings 316

External Systems - Adding 317

External Systems - Editing 318

External Systems - Deleting 318

External Systems - Integrating an ACM Appliance into an ACC™ Site 318

External Systems - Defining the Badge Camera for the System 320

Bosch Intrusion Panels 321

Integrating the ACM System with Bosch Intrusion Panels 321

Adding a Bosch Intrusion Panel 323

Editing a Bosch Intrusion Panel 323

Synchronizing Bosch Intrusion Panels 324

Deleting a Bosch Intrusion Panel 324

Viewing Bosch Intrusion Panel Areas 325

Viewing Bosch Intrusion Panel Points 325

Viewing Bosch Intrusion Panel Outputs 325

Viewing Bosch Intrusion Panel Users 326

Assigning Bosch Intrusion Panel Users to Identities 326

Supported Bosch Intrusion Panels 327

Maps - Introduction 329

Maps - Creating and Editing a Map 329

Maps - Linking Maps 330

Using a Map 331

xiv

Map Templates (Settings) - Listing page 335

Map Template: Add New page 336

Maps - Edit page 336

Map Properties 337

Map Details 337

Identities 339

Identities Overview 339

Adding an Identity 339

Searching for an Identity 340

Editing an Identity 341

Identities - Assigning Roles 342

Identities - Assigning Tokens 343

Identities - Assigning Groups 343

Capturing and Uploading Photos of an Identity 344

Identities - Creating Badges 348

Creating an Identity Report 349

To generate an identity report: 349

To generate an event report: 350

Deleting an Identity 350

Destroy Batch feature 350

Timed Access 350

Adding Timed Access to an Identity 350

Editing Timed Access 351

Deleting Timed Access 351

Identities - Identity Search page 352

Identities - Add page 352

Identities - Identity page 354

Identities - Roles page 356

Identities - Tokens Listing page 357

Identities - Token: Add New page 357

Identities - Token Edit page 359

Identities - Groups page 361

Identities - Photos page 362

Identities - Badge page 363

Identities - Timed Access page 363

Identities - Access page 365

Identities - Transactions page 365

Identities - Audit page 365

xv

Identity Profiles 366

Adding an Identity Profile 366

Editing an Identity Profile 367

Identity Profiles - Assigning Roles 367

Identity Profiles - Defining Token Settings 368

Identity Profiles - Assigning Groups 368

Identity Profiles - Batch Update 369

Deleting an Identity Profile 369

Identity Profiles - Listing page 369

Identity Profiles - Add page 370

Identity Profiles - Identity page 371

Identity Profiles - Roles page 373

Identity Profiles - Token Profile: Edit page 374

Identity Profiles - Token Profile: Add New page 375

Identity Profiles - Groups page 376

Identity Profiles - Access page 376

Collaboration - Introduction 377

Collaborations - Adding 377

Collaborations - Adding Events XML Collaboration 378

Collaborations - Events XML Definitions 379

Collaborations - Events XML Example 382

Collaboration - Editing 383

Collaboration - Types 383

Collaboration - Running 384

Collaboration - Deleting 384

Collaboration - Assigning Events to a Collaboration 385

Collaboration - Listing page 385

Collaboration - Add page 386

Collaboration - Edit Screen 389

Collaboration - ArcSight CEF Edit Screen 389

Collaboration - CSV One-time Edit screen 390

Short Format 390

Long Format 390

Collaboration - Preparing CSV files 391Avoiding Duplicate Identities and Errors 391

Collaboration - Fields 391Mandatory Identity Fields 391Optional Identity Fields 391Token Fields 393

xvi

Collaboration - CSV Upload 394

Collaboration - CSV Upload Template 394CSV One Time Short Format Collaboration 394CSV One Time Long Format Collaboration 395CSV Recurring Collaborations 396

Collaboration - LDAP Pull Edit Screen 398

Collaboration - Milestone Edit Screen 398

Collaboration - Oracle RDBMS Pull Edit Screen 398

Collaboration - SQL Server Pull Edit Screen 399

Collaboration - Syslog Edit Screen 399

Collaboration - XML Edit Screen 399

Collaboration - Identity CSV Export Edit Screen 400

Collaboration - Identity CSV Recurring Edit Screen 401

Collaboration - Source page 404

Collaboration - Schedule page 404

Collaboration - Identity CSV Export Schedule page 405

Collaboration - Identity CSV Recurring Schedule page 406

Collaboration - Identities page 406

Collaboration - Tokens page 407

Collaboration - Blob page 408

Collaboration - User Defined page 408

Collaboration - Roles page 409

Collaboration - Events page 409

Roles - Main screen 411

Configuring Roles 411

Adding a Role 411

Editing a Role 412

Assigning an Access Group to a Role 413

Roles - Assigning Delegations 413

Roles - Assigning Routing Groups 413

Roles - Assign Roles 414

Deleting a Role 414

Roles - Role Search page 415

Roles - Role: Add page 416

Roles - Role: Edit page 417

Roles - Access Groups page 418

Roles - Delegate page 418

Roles - Routing page 419

xvii

Roles - Assign Roles page 419

Roles - Access page 419

Roles - Audit page 420

Managing Policies 420

Adding a Policy 420

Editing a Policy 421

Deleting a Policy 421

Policies - Listing page 421

Policies - Policy Add page 422

Policies - Policy page 422

Policies - Mercury Security page 423

Policies - Input page 426

Policies - Output page 427

Policies - Audit page 427

Configuring Groups 427

Adding a Group 428

Editing a Group 428

Assigning Policies to Groups 428

Assigning Components to Groups 429

Creating a Hardware Group for Routing 430

Using Policies to Override Hardware Settings 430

Performing an Identity or Template Batch Update 431

Scheduling an Identity or Door Batch Update 431

Deleting a Group 432

Groups - Listing page 432

Groups - Group Add page 432

Groups - Group Edit page 433

Groups - Policies page 433

Groups - Members page 433

Groups - Audit page 434

Managing Door Access 434

Adding an Access Group 434

Editing an Access Group 435

Deleting an Access Group 435

Access Groups - Example 436

Assigning an Access Group to a Role 436

Access Groups - Listing page 437

Access Groups - Access Group Add page 437

xviii

Access Groups - Edit page 438

Access Groups - Access page 439

Access Groups - Audit page 439

Managing Access in the Application 440

Adding a Delegation 440

Editing a Delegation 440

Adding a Delegation to a Role 441

Deleting a Delegation 441

Delegations Listing page 441

Delegations - New page 442

Delegations - Edit page 442

Partitioning the System 443

Adding a Partition 443

Editing a Partition 444

Configuring Partitions 444

Deleting a Partition 445

Partitions - Listing page 445

Partitions - Partition Edit page 445

Routing Events to the Monitor Screen 446

Adding a Routing Group 446

Editing a Routing Group 447

Assigning a Routing Group to a Role 448

Deleting a Routing Group 448

Routing Groups - Listing page 448

Routing Groups - Add page 449

Routing Groups - Schedule page 449

Routing Groups - Event Types page 450

Routing Groups - Groups page 450

Managing Elevator Access 451

Adding an Elevator Access Level 451

Editing an Elevator Access Level 451

Assigning an Elevator Access Level to an Access Group 451

Deleting an Elevator Access Level 452

Elevator Access Levels - Listing page 452

Elevator Access Levels - Add page 452

Elevator Access Levels - Edit page 453

Priority Situations 454

Planning Priority Door Policies 454

xix

Priority Door Policies, Global Actions, and Modes 455

Priority Door Policies and Emergencies 455

Configuring a Secure High-Priority Emergency Response 456

Testing a Secure Priority Emergency Response in the ACM System 459

Activating the High-Priority Emergency Response 460

During a High-Priority Situation 461

Deactivating a Priority Door Policy 462

Limitations of Priority Global Actions 462

Priority Hierarchy 463

Monitor - Introduction 465

Monitoring Events 465

Pause/Resume Events 466

Clear Events 466

View Live Video 466

View Recorded Video 467

Create Event Notes 467

View Event Notes 468

View Event Instructions 468

View Event Identity Details 468

View Event History 469

Change Events List Settings 469

Reconnect to Events List 469

Searching for Events and Alarms 470

View Camera (Search) 471

View Recorded Video (Search) 471

Create Event Notes (Search) 472

View Event Notes (Search) 472

View Event Instructions (Search) 473

View Event Identity Details (Search) 473

View Event History (Search) 473

Change Transactions List Settings 474

Monitor Alarms 474

Acknowledge Alarms 475

View Live Video (Alarms) 475

View Recorded Video (Alarms) 476

Create Event Notes (Alarms) 476

View Event Notes (Alarms) 477

View Event Instructions (Alarms) 477

xx

View Event Identity Details (Alarms) 478

View Event History (Alarms) 478

Change Alarms List Settings 478

Monitor - Verification screen 479

Verifying Cardholders at Doors 479

Verification Events List 480

Monitor - Hardware Status Page 481

System Status 481

Door Actions 482

Door Mode 482

Forced 483

Held 483

Door Status 483

Panel Status 484

Subpanel Details 485

Input / Output Details 485

LifeSafety Panels 486

Controlling System Hardware 486

Status Colors 487

Monitor Screen - Map Templates page 488

Using a Map 488

Add Map 492

Monitor Intrusion Panels 493

Monitor Intrusion Panel Status 493

Monitor Intrusion Panel Areas 493

Monitor Intrusion Panel Points 495

Monitor Intrusion Panel Outputs 496

Monitor Events page 496

Monitor screen - Live Video Window 497

Monitor screen - Recorded Video Window 498

Monitor screen - Notes Window 499

Monitor screen - Instructions Window 500

Monitor screen - Identity Window 500

Monitor screen - History Window 500

Monitor screen - Viewing Camera Video 501

Monitor screen - Search 501

Wildcard Characters 503

Monitor screen - Alarms 503

xxi

Map Template: Add New page 504

Monitor Intrusion Status - Panels screen/tab 504

Monitor Intrusion Status - Areas screen/tab 505

Monitor Intrusion Status - Points screen/tab 507

Monitor Intrusion Status - Outputs screen/tab 508

Generating Reports 510

Reports - Generating Reports 510

Reports - Report Preview 510

Reports - Editing 511

Reports - Editing Audit Log and Transaction Reports 512

Reports - Listing page 513

Reports - Access Grant via Operator 513

Reports - Access Groups 514

Reports - Action Audit 515

Reports - Alarm 516

Reports - Appliance 517

Reports - Area Identity 518

Reports - Area 518

Reports - Audit Log 519

Reports - Cameras 520

Reports - Collaboration 521

Reports - Delegation Comparison 521

Reports - Delegation 522

Reports - Door Configuration 523

Reports - Door/Identities with Access 523

Reports - Event 524

Reports - Event Type 525

Reports - Group 526

Reports - Holiday 526

Reports - Identity Photo Gallery 527

Reports - Identity Summary 527

Reports - Identity/Doors with Access 529

Reports - Panel 529

Reports - Policy 530

Reports - Role 531

Reports - Schedule 531

Reports - Token 532

Reports - Tokens Pending Expiration Date 533

xxii

Reports - Transaction 534

Reports - Creating Custom Reports 536

Reports - Creating Custom Audit Log and Transaction Reports 536

Reports - Custom Reports Listing page 537

Reports - Custom Report Preview 537

xxiii

Avigilon Access Control Manager SystemFundamentals

The Avigilon Access Control Manager software gives you the ability to configure and control your local accesscontrol security system through a web browser. Once all of your access control components are connected tothe Avigilon Access Control Manager appliance, you can configure your system with ease.

NOTE: Due to known issues with Chrome on the Linux operating system, the Access Control Manager softwaredoes not currently support the Chrome browser on Linux operating systems.

The Avigilon Access Control Manager software allows you to:

l Configure your access control system hardware and software

l Design and assign badges

l Monitor events

l Generate access control reports

l Perform required administrative tasks

The Avigilon Access Control Manager System

The Avigilon Access Control Manager system can be organized like this:

Avigilon Access Control Manager System Fundamentals 1

Logging into the Avigilon Access Control Manager Application

You can log in to the Access Control Manager system from any web browser that has access to the samenetwork.

1. Open your preferred browser.

2. In the address bar, enter the IP address of your Access Control Manager appliance.

3. Enter your username in the Login field.

If this is the your first time logging into the Avigilon Access Control Manager application, the defaultusername is admin.

Logging into the Avigilon Access Control Manager Application 2

4. Enter your password in the Password field.

If this is your first time logging in to the application, the default password is admin.

5. Click the Sign in button.

The application's Home page is displayed.

Navigating the Application

After you log in to the Avigilon™ Access Control Manager, the Home page is displayed.

The Home page may look different depending on your system preferences and the permissions you have. Thekey features of the application window are:

1 2 34

5

6

Figure 1: Typical features of the Access Control Manager application window.

Feature Description

1. Help

Help Click this link to view context-sensitive help for the current feature.

2. Setup and Settings

ApplianceClick this link to define the Access Control Manager system devices that mediate network trafficbetween the application and its connected security system.

Collaboration Click this link to configure the Access Control Manager system to share information with


Feature Description

supported database and directory structure protocols, such as Oracle RDBMS, SQL Server orLDAP directory structures.

SchedulesClick this link to define periods of time that can be used to control such things as when a door isaccessible, when a card is valid, or when a device is activated.

HolidaysClick this link to define specific days during which normal rules are suspended for one or moreschedules.

Event TypesClick this link to define additional event types and provide instructions on how to handle anevent generated in the Access Control Manager system.

User FieldsClick this link to create fields, in addition to the factory default fields, that are used for enrollingIdentities.

User ListsClick this link to define additional options for those fields on the Identity page with drop downoption lists.

SystemSettings

Click this link to define basic values within the system, like system settings language, tokenexpiration time, and required password strength.

BadgeDesigner

Click this link to create and customize a badge layout (a badge template) for use by badgeholders.

PairedDevices

Click this link to generate a one-time key to connect a browser-enabled device such as asmartphone to a door configured as an ACM Verify station so that it can function as a VirtualStation.

ExternalSystems

Click this link to define and configure a camera or other image capture device for use by thisapplication.

Maps Click this link to create maps and populate them with input, output, and alarm points.

3. Admin

My Account Click on this link to view your account page.

SupportClick this link to display information on how to obtain support for your Access Control Managersystem.

Log Out Click this button to log out of the application.

4. Task bar

MonitorThe application's oversight feature that enable the qualified operator to track events, alarms,and other system functions either by table or map.

IdentitiesUsers are defined as operators or cardholders of this system. This includes badges and relatedaccess groups that allow access to the Access Control Manager monitored facility.

Reports Generate and customize status reports of the Access Control Manager system.

PhysicalAccess

Define the access control field hardware, including doors, that are connected to the AccessControl Manager appliance. You can also configure anti-passback areas, card formats, eventsand EOL resistance values.

RolesRoles limit or regulate the number of tasks that a specific user can perform within the AccessControl Manager system.

5. Sub-options task bar

When you select one of the icon task bar options, the available sub-options for that task appear.


Feature Description

This section changes depending on the icon task bar option that is selected.

6. Feature pages and fields

When you select a link or an option from a Task Bar, the feature is opened in this area. This is theworkspace where you will be performing most of the tasks available in the Access ControlManager system.

Logging Out of the Avigilon Access Control Manager Application

From top-right, select > Log Out.

The Sign In screen is displayed.

Help in the Avigilon Access Control Manager System

To use this help, click from any page in the Avigilon Access Control Manager application.

This online help appears.

Use the navigation tools in your browser to go from topic to topic, just as you would with any browser. You canalso use the options, links, and navigation tools built into the application itself.

Using a Pop-Up Calendar

When you click a Date field, a calendar will pop up:

Date and time calendars have additional fields:

Logging Out of the Avigilon Access Control Manager Application 5

To use the calendar:

1. Click or to find the month/year.

2. Click the date.

3. If you are using a date and time calendar, adjust the Hour and Minute bars until the correct time appearsin the Time field.

If you want to select the current time, click Now.

4. When you're finished, click Done.

The date and time appears in the Date field.

Setting Personal Preferences

To set up your personal preferences, select > My Account from the top-right. Navigate through the tabbedpages and edit the details as required. The tabbed pages include:

l Profile: use this page to edit your account details and preferences.

l Batch Jobs: use this page to view the batch jobs that have been run from your account.

l Job Specification: use this page to add, edit, activate/ deactivate, or delete batch jobs.

Changing the Password in My Account

While you are logged into the system, you can choose to change your password any time from the My Accountpage.

Setting Personal Preferences 6

1. In the top-right, select > My Account.

2. On the following Profile page, enter your current password in the Old Password field.

3. In the Password field, enter your new password.

As you enter your new password, the status bar underneath will tell you the strength of your password.Red is weak, while green is very strong. Use a combination of numbers, letters, and symbols to increasethe password strength. The password must be at least four characters long.

4. Click to save your new password.

A system message tells you that you will be logged out.

5. When the login screen appears, log in with your new password.

My Account screen - Profile page

This is the first page you see after you select > My Account.

Feature Description

Name Displays your name as it is configured in the system.

Login Displays your login name.

OldPassword If you need to change your password, you must first enter your current password in this field.

Password

If you need to change your current password, first enter your old password in the Old Passwordfield, then enter the new password you want to use to access your account information.

The strength of the password you use is important. The more combinations of numbers, letters,and characters you use the more difficult it is for unauthorized individuals to break into the system.To enforce more stringent passwords, select Password Strength Enforced in the General tab ofthe System Settings screen.

The password must be at least four characters long.

ConfirmIf you need to change your current password, enter the new password again to confirm yourchoice.

Defaults:

Items/PageEnter the maximum number of items to be listed in standard tables.

NOTE: This does not apply to non-standard tables (e.g. the Monitor Events page).

Monitordflt rows Select the initial number of rows you can see on the Monitor screen.

BadgeCamera

Select the camera you want to use to capture images for this system from the drop-down list:

l Local Camera — Any camera connected directly to your computer or built into yourcomputer or monitor.

NOTE: Images cannot be captured with a local camera from an ACM client running in theInternet Explorer or Safari web browsers, or running on a mobile device.

l IP-based camera — Any IP-based camera previously connected to your network and addedto your ACM system.

My Account screen - Profile page 7

Feature Description

NOTE: You may be prompted to allow your web browser to access the local camera when youcapture an image for the first time. You must allow access the camera any time you are promptedby the web browser to allow access. This is expected behavior.

NOTE: An IP-based camera is available from any ACM client to any user with permission to accessthe camera.

Photo SizeEnter the format size you want for photos captured with the camera specified above. This size is inpixels with the length and width separated by a comma (no spaces required).

Locale

Select your preferred system language. This setting overrides the default system languagesetting.

NOTE: If you are using the Easy Lobby Integration plug-in, this requires the locale to be set asEnglish (United States).

HomePage

From the drop down pick list, select the page you would like to appear when you first open thisapplication. The available options are:

l Alarms

l Doors

l HW Status

l Identities

l Monitor

l Panels

l Reports

DefaultBadgeTemplate

Select the default badge template to use from the drop down list.

ShowTimezoneOffset?

Check this box to enable local time fields in Reports and Monitoring to report time with the timezone offset from the UTC time.

Do NotLog RESTCommand

Check this box to exclude internal system details from the transaction logs.

ClearCustomLayouts

Click this button to clear any previously configured custom layouts and return to the factory defaultsettings.

Click this button to save your changes.

My Account screen - Batch Jobs

When you click the Batch Jobs tab from the My Account screen, a list of all the batch jobs that have been runfrom this user account is displayed.

Batch jobs are created on the Job Specification page.

Feature Description

Click this button with one or more of the batch jobs highlighted and the selected batch job(s) willbe deleted.

My Account screen - Batch Jobs 8

Feature Description

Name The name of this batch job.

Status The current status of this batch job (completed, in progress, or halted).

Type The type of this batch job.

Results The results of this job indicated by an icon.

Started At Date and time when the job was begun.

CompletedAt Date and time when the job was completed.

In addition to these read-only columns, there are a group of navigation fields and buttons at the bottom of thisscreen. These enable you to scroll through the batch jobs list, specify a particular page of the list, go to thebeginning or end of the list, and refresh the list.

My Account screen - Job Specification

When you click the Job Specification tab, a list of all the batch jobs that have been defined for this system isdisplayed.

You can add, delete, edit, or immediately activate an existing batch by selecting the batch from the list and clickthe corresponding button.

Feature Description

Add Click this button to schedule a new batch job.

Click this button to delete a highlighted batch job.

Click this button to edit a highlighted batch job. The batch job wizard appears.

Click this button to toggle between activating or deactivating a highlighted batch job.

Name The name of the batch job.

Author The person who defined the batch job.

Type The type of batch job being run.

Script Any script that was created for this batch job.

Schedule When this job is scheduled to be performed.

Activated On The date/time when this job was first activated.

Scheduling Batch Jobs

Batch jobs are processes, such as generating reports, that are performed automatically, according to aschedule.

From the Job Specification page, you can create the following batch jobs:

Generating a Batch Report

Batch reports are custom reports generated on a schedule and which can contain more data than reportsgenerated from the Reports Listing page, the Report Edit page or from the Report Preview page.

My Account screen - Job Specification 9

There are no length limits on any batch reports generated in the CSV spreadsheet format. In PDF format, theAudit Log report is limited to 13,000 records, the Identity Summary Report is limited to 100,000 records, and theTransaction Report is limited to 50,000 records.

WARNING — Risk of system becoming unusable. Scheduling large reports on separate but overlappingschedules, may cause memory problems that can result in the ACM system being unusable. To avoid this risk,schedule the start times for large reports, such as audit logs in any format, to allow for each report to finishbefore the next starts.

Perform this procedure to generate a custom report on a schedule.

1. Select >My Account and click the Job Specification tab.

The Job Specification page is displayed.

2. Click the Add button.

The Job Specification - General dialog box is displayed.

3. In the Appliance drop down list, select the appliance on which this job will run.

Only those appliances previously defined for this system appear in this option list.

If only one appliance is used for this system (the default), this field is automatically populated.

4. In the Name field, enter a name for this batch job.

5. From the Type drop down list, select Report.

After you select the job type, additional options are displayed.

l From the Report drop down list, select the report you want to batch.

Only custom reports appear in this list.

l From the Output Format drop down list, select the format in which you want this job generated.

6. Click Next.

The following screen shows the select report definition. Click Back to select a different report.

7. Click Next to continue.

8. On the following page, select how often the batch report is generated. From the Repeat drop down list,select one of the following options:

l Once —- The report will be generated once. Click the On field to display the calendar and select aspecific date and time.

l Hourly — The report will be generated at the same minute of every hour. Enter the minute whenthe report is generated at each hour. For example, if you want the report generated at 1:30, 2:30,etc. then you would enter 30.

l Daily — The report will be generated every day at the same time. Enter the specific time when thereport is generated in 24 hour time format.

l Weekly — The report will be generated each week on the same day and time. Select the checkbox for each day the report will be generated, and enter the specific time in 24 hour format.

Generating a Batch Report 10

l Monthly — The report will be generated each month on the same day and time. Select the dayswhen the report is generated and enter the specific time in 24 hour format. Shift + click to selecta series of days, or Ctrl + click to select separate days.

9. Click Next.

A summary is displayed.

Select the Send Email check box if you want to receive an email copy of the report after it has beengenerated. In the following field, enter your email address.

10. Click Submit to create this job.

11. To activate or deactivate this job, select the job and click Activate/Deactivate

Applying an Identity Profile to a Group Using a Job Specification

Create and schedule an Identity Updatebatch job to apply a new, updated or temporary identity profile to all ofthe identities in a predefined group.

After you make changes to an identity profile, the identities previously created from the identity profile are notautomatically updated. Using a job specification and scheduling the job is one of the ways that these changescan be applied.

Scenarios to apply an identity profile to a group of identities include:

l To apply a set of standard settings. When you have many identities defined with non-standard settings,create a group containing these users and a new profile containing the standard settings. Then apply thenew profile to the group of identities.

l To apply modified settings in a commonly used identity profile. After you make changes to an identityprofile, the identities created from the identity profile are not automatically updated. You need to createa batch job to apply these changes. Create a group of all the users that were created using this profile,and then apply the modified profile to that group. If the profile is frequently modified, you can create arepeating schedule.

l To apply a profile temporarily to a group. When you have identities that require a different profile for ashort time that cannot be cannot be satisfied using a policy, you can use an Identity Update batch job to"turn on" a temporary profile for a specified duration, and then "turn off" that profile by replacing it with apermanent profile. If the temporary profile is used repeatedly in a predictable manner, you can create arepeating schedule.

NOTE: A group containing all of the identities previously created from the identity profile must be createdbefore the changes can be applied to the group. If the required groups have not been created, contact yourSystem Administrator.

When you choose to create an Identity Update job, you have the option to apply a new, updated or temporaryidentity profile to the group.

A temporary door template is one that is applied for a specific period of time (either once or repeating) You canapply a temporary door template to a group by using the Off Identity Profile option. Once the new identityprofile expires, the original identity profile is applied.

To create an Identity Update job specification:


1. Select > My Account and click the Job Specification tab.



The Job Specification dialog box is displayed.





5. From the Type drop down list, select Identity Update.

After you select the job type, more options are displayed.

l From the Group drop down list, select the group of identities that you want to change.

l From the Identity Profile drop down list, select the identity profile that you want to apply to thegroup. If you are applying a temporary profile, this is the "on" profile.

l From the Off Identity Profile drop down list, select the identity profile to be applied if you want anidentity profile applied temporarily (that is, you want the identity profile to expire).

l From the Output Format drop down list, select the format for the report that is generated whenthe job is complete.


The Job Specification - Schedule dialog box is displayed.

7. From the Repeat drop down list, select how often this batch job is run. Then specify the time you want theprofile to be applied. If you selected an Off Identity Profile, you also specify when the Off profile isapplied.

l Once —- The batch job is run once. Click the On and Off fields to display the calendar and select aspecific date and time.

l Hourly — The batch job is run at the same minute of every hour. Enter the minute when the batchjob is run at each hour. For example, if you want the job to run at 1:30, 2:30, etc. then you wouldenter 30.

l Daily — The batch job is run every day at the same time. Enter the specific time when the job is runin 24 hour time format.

l Weekly — The batch job is run each week on the same day and time. Select the check box foreach day the job will run, and enter the specific time in 24 hour format.

l Monthly — The batch job is run each month on the same day and time. Select the days when thejob will run and enter the specific time in 24 hour format. Shift + click to select a series of days, orCtrl + click to select separate days.

8. Click Next.




10. To activate or deactivate this job, select the job and click Activate/Deactivate.

Applying a Door Template to a Group Using a Job Specification

Create and schedule a Door Update batch job to apply a new, updated or temporary door template to all of thedoors in a predefined group.

After you make changes to a door template, the doors previously created from the door template are notautomatically updated. Using a job specification and scheduling the job is one of the ways that these changescan be applied.

Scenarios to apply a door template to a group of doors include:

l To apply a set of standard settings. When you have many doors defined with non-standard settings,create a group containing doors and a new template containing the standard settings. Then apply thenew template to the group of doors.

l To apply modified settings in a commonly used door template. After you make changes to a doortemplate, the identities created from the door template are not automatically updated. You need tocreate a batch job to apply these changes. Create a group of all the doors that were created using thistemplate, and then apply the modified template to that group. If the template is frequently modified, youcan create a repeating schedule.

l To apply a template temporarily to a group. When you have doors that require a different template for ashort time that cannot be cannot be satisfied using a policy, you can use an Identity Update batch job to"turn on" a temporary template for a specified duration, and then "turn off" that template by replacing itwith a permanent template. If the temporary template is used repeatedly in a predictable manner, youcan create a repeating schedule.

NOTE: A group containing all of the doors previously created from the door template must be created beforethe changes can be applied to the group. If the required groups have not been created, contact your SystemAdministrator.

When you choose to create a Door Update job, you have the option to apply a new, updated or temporary doortemplate to the group.

A temporary door template is one that is applied for a specific period of time (either once or repeating). You canapply a temporary door template to a group by using the Off Door Template option. Once the new doortemplate expires, the original door template is applied.

To create a Door Update job specification:

1. Select > My Account and click the Job Specification tab.



The Job Specification - General dialog box is displayed. All options marked with * are required.




Applying a Door Template to a Group Using a Job Specification 13


5. From the Type drop down list, select Door Update.


l From the Group drop down list, select the group of doors that you want to change.

l From the Door Template drop down list, select the door template that you want to apply to thegroup.

l From the Off Door Template drop down list, you have the option to select to an alternative doortemplate when the first door template expires.



The Job Specification - Schedule dialog box is displayed.

7. Select how often this batch job is run. From the Repeat drop down list, select one of the followingoptions:

If you selected an Off Door Template, you will have the option to enter when the Off template is applied.Otherwise, only the On field is displayed.

l Once —- The batch job is run once. Click the On field to display the calendar and select a specificdate and time.





8. Click Next.



10. To activate or deactivate this job, select the job from the list in the Batch Job Specifications window and

click Activate/Deactivate.

Scheduling a Global Action

Perform this procedure to schedule global actions.

NOTE: The global actions must be created before they can be scheduled. If the required global actions havenot been created, contact your System Administrator.



The Job Specification page appears.







5. From the Type drop down list, select Global Action.


l From the Global Action drop down list, select global action to perform. Only configured globalactions will appear on the list.

l From the Off Global Action drop down list, you have the option to select to a global action that isperformed after the first global action expires.



7. On the following page, select how often this batch job is run. From the Repeat drop down list, select oneof the following options:






NOTE: If you selected an Off Global Action, you will have the option to enter when the Off action occurs.Otherwise, only the On field is displayed.

8. Click Next.




10. To activate or deactivate this job, select the job and click Activate/Deactivate.

Setting Batch Door Modes

Perform this procedure to change the door mode for a set of doors.


The Job Specification page appears.







5. From the Type drop down list, select Door Mode.


l From the Available list, select the required doors then click to add it to the Members list.

l From the On Door mode drop down list, select the door mode that you want to apply to theselected doors.

l From the Off Door mode drop down list, select the door mode that you want to apply to the doorswhen the On action is complete.


l Select the Activate check box to make the door modes active.


7. On the following page, select how often this batch job is run. From the Repeat drop down list, select oneof the following options:






Setting Batch Door Modes 16

NOTE: If you selected an Off Door Mode, you will have the option to enter when the Off action occurs.Otherwise, only the On field is displayed.

8. Click Next.



Contacting Your Support Representative

When you select > Support from the top-right, the Support page displays information on how to contact yourAvigilon support representative. The system displays the following message by default:

Support

Thank you for choosing Avigilon.

For quickest support please contact your account representative xxxxx at xxxxx.

To customize this message, see System Support on page 287.

For More Information

Visit Avigilon at avigilon.com for additional product documentation.

Technical Support

To contact Avigilon Technical Support, go to avigilon.com/contact-us.

Upgrades

Software and firmware upgrades will be made available for download as they become available. Check foravailable upgrades at: avigilon.com/support-and-downloads.

Feedback

We value your feedback. Please send any comments on our products and services to [email protected].

Initial Setup

After installing your Access Control Manager appliance, complete the following recommended set upprocedures:

Accepting the End User License Agreement

Before you can use the Access Control Manager system, you must accept the End User License Agreement.

You may have noticed this error message that is displayed on each page:

Contacting Your Support Representative 17

http://www.avigilon.com/http://avigilon.com/contact-us/http://avigilon.com/support-and-downloads/mailto:[email protected]

END USER LICENSE NOT YET ACCEPTED, SYSTEM WILL NOT RUN PROPERLY! PLEASE ACCEPT EULA TOSTAY IN COMPLIANCE!

1. To access the End User License Agreement, click the link under the error message or select Appliance >About > View End User License Agreement Terms and Conditions.

2. On the End User License Agreement page, review the license agreement.

3. After reviewing the license agreement, select the check box next to the message I accept the terms ofthe License Agreement.

4. Click Submit.

The error message is removed and you can begin to configure the Access Control Manager system.

Changing the Administrator Password

After you login for the first time, it is recommended that you change the default "admin" identity password.

1. Click Identities.

The Identities Listing page is displayed.

2. On the Identities Listing page, click A.

3. Select the Administrator, System identity.

4. In the Account Information area, enter a new password in the Password and Confirm field.

5. Click .

If you are currently logged in with the "admin" identity, you will automatically be logged out. Log in again withthe new password, or use a different Super Admin identity.

Creating a Super Admin Identity

After you login to the Access Control Manager system for the first time, it is recommended that you create aSuper Admin identity for configuring the system. By creating a new Super Admin identity, you can better protectthe security of the system by not using the default "admin" identity, and having a backup identity in case thedefault admin password is lost.

1. Click Identities.

2. On the following page, click Add New Identity.

3. Select an Identity Profile in the Identity Profile dialog box and click OK.

4. In the Identity Information area, enter a Last Name and First Name.

5. In the Account Information area, enter a Login name for accessing the system.

6. In the Password and Confirm field, enter a password for the new identity. The password must be at leastfour characters long.

7. Click and the Roles tab is automatically displayed.

8. In the Roles tab, select Super Admin from the Available list and click to assign the new identity tothe Super Admin role.

9. Click .

Changing the Administrator Password 18

These are the only settings required to create a Super Admin identity. You can add and configure more detailsfor the account. For more information about the available Identity settings, see Identities on page 339.

Creating a Super Admin Identity 19

Managing Appliances

When you log in to the Access Control Manager application, you are accessing an appliance that is set up in yournetwork. The appliance configures and directs communication between all the elements in the access controlsystem.

After you have connected your appliance to the network, you can further customize and set up your applianceto meet your system requirements.

Appliances - Changes

Changes to appliances, including additions and deletions may be required after the original installation.

Adding Extra Appliances

NOTE: You can only add appliances if the system license supports multiple appliances.

Adding appliances increases the number of panels the system can support, and provides more storage for userdata. Additional appliances are a requirement for replication and failover.

After you connect the new appliance to the network, complete the following steps to add the new appliance tothe system:

1. In the top-right, select > Appliance.

The Appliance Listing page is displayed. For more information, see Appliances - Listing page onpage 52.

2. Click the Add Appliance button.

The Appliance Add page is displayed. For more information, see Appliances - Add page on page 53.

3. Enter a new hostname for the appliance.

By default, the hostname for all appliances is the ACM system. You will need to set a new hostname forthe appliance if an existing appliance already uses this hostname on the network.

4. Click .

The new appliance automatically restarts. When you next log in to the system, you will see the new appliance inthe Appliance Listing page.

Editing Appliances

After the appliance has been set up according to the Getting Started Guide included with the appliance, theAccess Control Manager system is ready for use. But if you want to customize your appliance further, you canedit the system's default settings and set up the appliances backup and redundancy features.

Managing Appliances 20


If there is only one appliance in this system, the Appliance Edit page is displayed.

If there is more than one appliance in this system, the Appliance Listing page is displayed. Select theappliance you want to edit.

2. Navigate through the tabbed pages to configure this appliance. The tabbed pages include:

l Appliance: Use this page to edit the appliance properties, as well as shutdown or restart theappliance remotely. For more information, see Appliances - Listing page on page 52.

l Access: Use this page to specify and enable the controller panel types. For more information, seeAppliances - Access page on page 58.

l Ports: Use this page to specify how the appliance Ethernet ports are used to communicate withaccess control devices. For more information, see Appliances - Port Listing page on page 59.

l Replication: Use this page to set up system replication and redundancy. For more information, seeAppliances - Replication page on page 63.

l Backups: Use this page to set up scheduled backups for this appliance. For more information, seeAppliances - Backups Listing page on page 65.

l Logs: Use this page to access the system logs. For more information, see Appliances - LogsListing page on page 69.

l Software Updates: Use this page to update the appliance software. For more information, seeAppliances - Software Updates page on page 70.

l About: Use this page to see the current licenses, version numbers, and status of this appliance. Formore information, see Appliances - About page on page 71.

3. Click to save your changes.

Deleting an Appliance

Appliances may need to be deleted in certain cases. If you want to disconnect an appliance that is no longerneeded, delete it from the system before physically removing it. If you want to take an appliance that is beingused for replication or redundancy and use it as a primary appliance, the appliance must be deleted first.

NOTE: You can only delete an appliance if your system has more than one appliance.


2. From the Appliance Listing page, click beside the appliance that you want to delete.

3. When the confirmation message is displayed, click OK.

The selected appliance is removed from the list.

Configuring Replication and Failover

NOTE: Only the default Admin identity can edit the appliance Replication settings.

Deleting an Appliance 21

The Replication tab on the Appliance: Edit page allows configuration and monitoring of LDAP data replicationand optionally redundancy/failover of the ACM application so that monitoring and hardware control is not losteven if an appliance fails.

Tip: It is recommended that replication be set up on all appliances before adding panels, other hardware or userdetails to the system. Once replication is configured, it is possible to configure system hardware and identityinformation from one of the replicated appliances on the network rather than having to connect directly to eachindividual appliance to make changes to its installed hardware. However, it may be necessary to perform adownload of the hardware configuration from the appliance where the hardware is installed in order to updatethe hardware with the latest configuration data changes made from another appliance.

The replication feature allows two or more appliances to be set up to share a single set of LDAP1 configurationdata, where the appliances would be able to share identities and other system details. Any change made toconfiguration data on one appliance would automatically be copied (“replicated”) to the other appliances. Thisreplication configuration is referred to as a “Peer to Peer” configuration. In this configuration, each appliance“owns” the hardware installed on it, and events and status information sent from that hardware can only beviewed on the hardware owner appliance. All panel hardware added in a replicated environment must beassigned upon creation to one of the available Peer to Peer appliances. A panel and its subpanels cannot besplit across multiple appliances, but will be installed on one of the Peer appliances.

Failover/Redundancy Feature

The failover, or redundancy, feature of replication allows a “Hot Standby” appliance to be set up to take overcontrol and event monitoring when the Primary appliance used in daily operations fails. This configuration isreferred to as Primary/Hot Standby. To use the failover feature, both appliances are originally configured withPeer to Peer replication so that each appliance will share a common LDAP configuration database. The HotStandby appliance is then configured as such, and then will not have its own hardware or collaborations, and willnot appear in the list of replicated appliances available for assignment when these items are created.

Each Primary appliance can only be assigned one Standby appliance, but the same Standby appliance can beassigned to more than one Primary appliance. However, if two or more Primary appliances fail at the same time,the Standby appliance will replace the first appliance that it knows is offline (if configured for automatic failover),and will not be available for failover of the other Primary appliances while it is standing in.

The following types of failover and failback are supported:

l Automatic failover

l Manual failover

l Manual failback

Automatic failover

Automatic failover is controlled by the Standby appliance by monitoring the health of the Primary appliance. If aPrimary appliance is found to be unresponsive by the Standby appliance within a set period of time, the Standbyappliance will automatically initiate failover of the Primary appliance and will begin to control the hardwareinstalled on that Primary appliance, and will begin to receive events and status from this hardware.

1Lightweight Directory Access Protocol is an open, industry standard application protocol for accessing andmaintaining distributed directory information services over a network. An LDAP database in the Access ControlManager system typically includes user details, connected hardware details, events, alarms and other systemconfiguration details.

Failover/Redundancy Feature 22

There are two settings that control automatic failover - Heartbeat count and Heartbeat time. The Heartbeatcount is the number of health checks the inactive hot standby appliance makes to see if the active primaryappliance is alive. If this number of failures occurs in a row, the hot standby will do an automatic failover. TheHeartbeat time is the time between health checks (regardless of if the previous check was successful or failed).

It is not necessarily possible to calculate specifically how long it would take to failover. It is not simply a matter ofmultiplying the Heartbeat count by the Heartbeat time (for example Heartbeat count of two and Heartbeat timeof 30 seconds does not necessarily mean failover in about one minute of the primary going down, however oneminute would be the best/shortest case). This is because the time it takes each check to fail may depend on anetwork time-out in the case of the hot stand by machine no longer having network connectivity to the primarymachine. Typically, a worst case network time-out is approximately two minutes - however this may possiblyvary. A health check may also fail immediately depending on network considerations/status.

It is recommended to set the Heartbeat count to at least a value of two so that a short network glitch does notcause a premature failover. A Heartbeat count of two and a Heartbeat time of 30 seconds should typicallyensure that a failover is initiated within one to about five minutes of the primary going down.

Manual failover and failback

A manual failover can be initiated through from the Replication tab on the Appliance: Edit page on the Standbyappliance. This is usually done to test functionality or if a Primary appliance is going to be down for scheduledmaintenance.

Once the Primary appliance is back online and fully functional, you can then manually initiate failback of theStandby appliance over to the Primary appliance, which restores hardware control and event and statusreporting to the Primary appliance.

Read through all of the following procedures before configuring replication and redundancy. If any detail isunclear, contact Avigilon Technical Support for more information before you begin.

Recommended System Architecture

System Architecture for Replication

Replication works by automatically copying the LDAP1 configuration databases from one appliance to another.Changes made in one appliance’s database are automatically replicated to the all of the other appliances.Replication can occur between two or more Peer to Peer appliances, or it can occur between a Primaryappliance and its Standby appliance, and a mix of both configurations is possible.

If you only have one appliance in your system, replication is not possible. In this situation, performing periodicbackups is the recommended method of ensuring appliance recovery after a failure.

When two appliances exist, they can start replicating information.

1Lightweight Directory Access Protocol is an open, industry standard application protocol for accessing andmaintaining distributed directory information services over a network. An LDAP database in the Access ControlManager system typically includes user details, connected hardware details, events, alarms and other systemconfiguration details.

Manual failover and failback 23

Once replication is set up, any identity or other system configuration data that is added to or edited on oneappliance is automatically copied to the other appliances. Be aware that each appliance will be responsible fortheir connected panels, subpanels, and other hardware. Configuration and viewing of all system hardware ispossible from any replicated Peer appliance, but you will not be able to see the hardware status or events fromany appliance other than the one the hardware is installed on.

When more than two replicated Peer appliances exist, it is recommended that Peer to Peer replication be set upin a mesh formation, where every Peer appliance has links (“subscriptions”) to all of the other Peer appliances.This allows system configuration to be performed from one Peer appliance and have the details automaticallyreplicated to all the other Peer appliances, while providing multiple paths for this data to replicate among theparticipating appliances. The exception to this is a Standby appliance, which only needs to have replicationsubscriptions with its Primary appliance.

NOTE: Up to 99 appliances can be connected together for Peer-to-Peer replication, and this limit includes anyHot Standby appliances in the environment.

System Architecture for Redundancy

Redundancy works by having a configured Hot Standby appliance automatically or manually replace a failedPrimary appliance. Redundancy requires Peer to Peer replication between the Primary and the Standbyappliances to be configured and tested first to function properly. Once this is in place, the Standby appliance isthen designated as such and the software configures it for that role.

When configured and in standby mode, the Standby appliance is essentially a blank appliance that only hasbasic system settings. The Standby appliance has its own configuration for appliance related attributes such ashost name, ports, time zone (etc.), but it does not have any hardware configuration of its own. It only has thathardware data which is replicated from the Primary appliance that owns it. When a Standby appliances takesover for a Primary appliance, the operating system settings on the Standby appliance (such as host name and IPaddress) do not change to match the Primary appliance’s settings. Instead, the applications running on theStandby appliance begin to service the records (including doors, panels, video servers, collaborations and soon) previously controlled by the Primary appliance. Note that this requires a different URL for clients to be ableto access the Hot Standby appliance – this is not handled automatically by the ACM system.

If one Primary appliance (1) exists for everyday operations and one Hot Standby appliance (*) is available, set upthe Standby appliance to subscribe to and receive replicated configuration data and transactional data from thePrimary appliance. If the Primary appliance fails, the Standby can automatically step-in and maintain dailyoperations.


If more than one Primary appliance exists for a Hot Standby appliance, the Hot Standby appliance still remainsseparate from daily operations but must receive replicated configuration and transaction data from all Primaryappliances it is configured to failover for. Be aware that the Standby appliance can only stand-in for one failedPrimary appliance at a time.

If the replicated environment with multiple appliances is configured in a mesh formation for replication wherepossible, but due to some physical limitation such as a Wide Area Network (WAN) being involved one or more ofthe appliances is a single point of failure for propagation of replicated data, it is recommended that each ofthese appliances have its own Hot Standby appliance. In the event of a failure of one of these critical Primaryappliances, the environment is guaranteed to have a Hot Standby appliance available to ensure that allreplicated Peer appliances are able to continue to synchronize configuration data amongst themselves.


Replication and Failover Requirements

WARNING — Make sure your system meets all the following requirements before you set up replication andfailover or the system may lose configured system data.

l License requirements:

l The application license agreement must be entered on all appliances. The license key is tied to aspecific machine. When using redundancy, a license and key must be separately installed on boththe Primary and Standby appliances. The license features on a Standby appliance needs toinclude all the features used by the Primary appliances it may replace.

l Network infrastructure:

l DNS registered host names for each appliance in the enterprise. Each appliance must be able toconnect to the other appliance by host name. There must be static or reserved IP addresses,proper netmask, and network gateway for each appliance.

l Name server IP address for host name resolution. All appliances must be able to resolve all of theother appliances by host name. Each appliance must either have a named server configured forthis purpose, or a host file can be used for name resolution on each appliance if a DNS server is notavailable.

l Time Server IP address or host name. All appliances must be synchronized for time and date. Thisis crucial for proper replication processing. Each must utilize a time server for this purpose. TheOpen LDAP multi-master replication used by the ACM software synchronizes a LDAP directorytree across multiple appliances. Each appliance supports read/write operations across anenterprise system. Conflicts are handled using a timestamp to determine the most recent record.All appliances must use a common clock base to synchronize their clocks to ensure the conflictresolution works correctly.

NOTE: Time is based on UTC (Coordinated Universal Time) to ensure consistency across the ACMsystem. UTC time is transferred from the client to the server when the date/time is set.

l Defined and open TCP ports:

l Web Server Port / Replication Subscriptions Web Port (default 443). Certain replication optionsrequire each appliance to contact each other through the web service port.

l LDAP Connect Port / Replication Subscription LDAP Port (should be a unique, open TCP port thatnothing else uses). This is a TCP port used for Open LDAP replication between appliances.

l Event Replication Port (default 6052). Once a Primary/Standby appliance relationship isestablished, the Primary appliance will automatically transfer event transactions to the Standbyappliance so event data will be available when a failover occurs. Connectivity is required for bothPrimary and Standby appliances using the Event Replication Port (this is a TCP port used for openSSL socket communication).

l Replication Failover Port for heartbeat (default is NONE but should be a unique, open T

access control user guide4a54f0271b66873b1ef4-ddc094ae70b29d259d46aa8a44a90623.r7.c… · 2018. 10....

Documents