Andover Continuum CyberStation

Access Control Essentials Guide

 2010, Schneider Electric All Rights Reserved No part of this publication may be reproduced, read or stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of Schneider Electric. This document is produced in the United States of America. Product Names are trademarks of Schneider Electric. All other trademarks are the property of their respective owners. Title: CyberStation Access Control Essentials Guide Revision: C Date: February, 2010 Schneider Electric part number: 30-3001-405 CyberStation version 1.91 The information in this document is furnished for informational purposes only, is subject to change without notice, and should not be construed as a commitment by Schneider Electric. Schneider Electric assumes no liability for any errors or inaccuracies that may appear in this document. On October 1st, 2009, TAC became the Buildings Business of its parent company Schneider Electric. This document reflects the visual identity of Schneider Electric. However, there remain references to TAC as a corporate brand throughout the Andover Continuum software. In those instances, the documentation text still refers to TAC only to portray the user interface accurately. As the software is updated, these documentation references will be changed to reflect appropriate brand and software changes. All brand names, trademarks and registered marks are the property of their respective owners. Schneider Electric One High Street North Andover, MA 01845 (978) 975-9600 Fax: (978) 975-9782 http://www.schneider-electric.com/buildings

Andover Continuum CyberStation Access Control Essentials Guide

30-3001-405 Revision C

February, 2010

Contents

About this Manual .................................................................

Whats in this Manual ................................................................. Related Documentation ..............................................................

11
11 12

Chapter 1

Getting Started ......................................................................

Planning an Access Control System ........................................... Overview of an Access Control Network ....................................

13
14 19

Chapter 2

Configuring an Access Control System .............................

Task 1: Open Continuum Explorer ............................................ Open Continuum Explorer .......................................... More About Continuum Explorer ............................... Task 2: Create a Network and a Controller ............................... Containers and Parent/Child Objects ......................... Create a Network ......................................................... Web Configuration for Controllers ............................. Create a Controller ...................................................... More about Networks and Controllers ....................... Task 3: Configure IOU Modules ................................................. Creating an IOU Module Object ........................................ General Tab IOUModule Editor .............................. Security Level Tab IOUModule Editor .................... More about the IOUModule Editor ............................. Commissioning an IOU Module .................................. Task 4: Configure Controller Comm Ports ................................ General Tab CommPort Editor ............................... Viewing the Status of an XDriver Device ................... Settings Tab CommPort Editor ..............................
Andover Continuum CyberStation Access Control Essentials Guide

21
22 23 23 24 24 25 26 29 31 32 32 33 34 34 35 36 37 39 40
5

SecurityLevel Tab CommPort Editor ..................... Field Bus Controllers Tab CommPort Editor ......... NetController II Model 9680 ................................... ACX 57XX Series ..................................................... Task 5: Designate the Primary Access Server ........................... More about the Primary Access Server ...................... Task 6: Create CyberStation Points .......................................... Create an InfinityInput Point ..................................... Create an InfinityOutput Point .................................. Create an InfinityNumeric Point ................................ More about Points ....................................................... Task 7: Create Areas ................................................................... Factors to Consider When Defining Areas ................. Create an Area ......................................................... More about Areas ..................................................... Task 8: Create Doors ................................................................... When to Create a Door ................................................ Data that Defines a Door ............................................ Create a Door ............................................................... View Doors Assigned to an Area ................................. More about Doors ..................................................... Task 9: Create Personnel ............................................................ Access-Control Information in a Personnel Object .... Methods of Creating Personnel Objects ..................... Open the Personnel Manager for the First Time ....... Create a Personnel Object in the Personnel Manager More about Personnel Objects .................................... Task 10: Create Schedules ......................................................... About Schedule Points ................................................ Create and Configure a Schedule ............................... Attach a Schedule Point to a Door .............................. Attach a Schedule Point to an Area in a Personnel Object ....................................................... More about Schedules ................................................. Task 11: Configure Alarms ......................................................... About Event-Notification Objects ............................... Create an Event-Notification Object .......................... About Notification by E-mail and Pages .................... Creating an EventNotification Distribution List ... About AlarmEnrollment Objects ................................ Create an Alarm-Enrollment Object ..........................
6 Schneider Electric

43 43 44 45 46 46 47 47 50 52 53 54 54 55 55 56 56 56 57 63 64 65 65 66 66 68 69 70 70 71 73 74 76 77 77 78 82 83 84 85

General Expressions for Security ............................... About Attaching Alarms to Objects ............................ Attach an Alarm-Enrollment to a Door ...................... Attaching Alarms to a Point ....................................... Using the Alarms / Advanced Alarms Tab of an Object Editor ........................................................... More about Alarms ...................................................... Task 12: Configure Video ............................................................ About Video Monitor and Video Administrator ......... Video Monitor Main Features ................................. Video Administrator Main Features ....................... About VideoLayouts .................................................... Configuring Video via Video Monitor and Video Administrator .................................................... Allow Access to and Enable Video Monitor and Video Administrator ......................................... Create a VideoServer Object ................................... Configure Video Using Video Administrator ......... More about Video Monitor and Video Administrator Configuring Video Using VideoLayout ....................... Create a VideoServer Object ................................... Create a VideoLayout Object .................................. Add a VideoLayout to the Alarms Tab of an Object More about Video Layouts ....................................... Task 13: Create Graphic Panels and Controls .......................... About Graphic Controls for Access Control ................ Create a Graphics Panel and a Door Control ............. More about Graphics Panels and Controls ................ Task 14: Configure Reports ........................................................ About Report Objects ................................................... Create a Report ............................................................ More about Reports .....................................................

86 88 88 89 90 96 97 97 98 99 101 102 102 105 107 110 110 110 111 112 114 115 115 116 119 120 120 120 124

Chapter 3

Monitoring an Access Control System ............................... 125

Responding to Alarms ................................................................. About the Alarm Status Bar ....................................... About the Active Alarm View Window ....................... More about Responding to Alarms ......................... 126 126 126 128

Andover Continuum CyberStation Access Control Essentials Guide

Monitoring Live Access Events .................................................. About Creating EventView Objects ............................ More about EventView Objects .................................. Using ListView Windows ............................................................ About Predefined ListView Objects ............................ About Creating ListView Objects ............................... More about ListView Objects ......................................

129 129 129 130 131 131 132

Chapter 4

Advanced Topics for Access Control .................................

Security Groups for CyberStation Users ................................... About User Objects ............................................................ Before Configuring Users ............................................ Creating a User Object ................................................ About Security Groups ...................................................... Configuring User Security Groups ............................. Displaying Security Groups ........................................ Renaming Security Groups ......................................... Displaying Access Privileges in the Actions Tab ... Assigning Access Privileges for Security Groups ....... Copying Access Privileges Between Security Groups About SecurityLevel Objects ............................................. Creating a SecurityLevel Object ................................. Displaying Access Privileges in the Security Tab ...... Universal Unlock Folder ............................................. Assigning Access Privileges in a SecurityLevel Object .... Copying Access Privileges from a Single Security Group to Another Group ............................................................... More about Users and Security .................................. Using Area Lockdown ................................................................. About Area Lockdown ................................................. What Happens During Lockdown .............................. Locking down an Area ................................................. Locking down Individual Doors .................................. More about Area Lockdown ........................................ Controlling Access with Condition Levels ................................. About Changing the Condition Level ......................... Implementing Condition Levels and Clearance Levels Sending a Condition Level Message to Controllers ... Restoring Controller Condition Levels to Previous Levels ............................................................

133
134 134 135 135 136 137 138 138 139 140 143 144 145 145 146 146 149 150 151 151 152 152 153 154 155 156 156 157 157

Schneider Electric

About Sending Condition Level Values to Individual Controllers ................................................. More about Condition and Clearance Levels ............. Adding FIPS-PIV Card Credentials ........................................... Overview of FIPS-PIV ................................................. PIV Middleware Providers ...................................... Physical Access Control System (PACS) ................ Identity Management System (IDMS) ................... Overview of FIPS-PIV cards and readers .................. FIPS-PIV Cards ....................................................... FIPS-PIV Readers .................................................... Configuring FIPS-PIV on a New System ................... Specifying the Allowed Credentials ........................ Entering or Importing FIPS-PIV Credential Information .............................................................. Configuring a Door/Reader ...................................... Transitioning an Existing system to FIPS-PIV ......... Updating to FIPS-PIV Revision .............................. Specifying the Allowed Credentials ........................ FIPS-PIV Credential Information .......................... Configuring a Door/Reader ...................................... Medium Assurance Profiles .................................... More about FIPS-PIV ..................................................

158 158 159 159 160 160 161 162 162 162 164 164 165 165 166 167 167 168 169 169 170

Andover Continuum CyberStation Access Control Essentials Guide

10

Schneider Electric

About this Manual

Whats in this Manual

This manual provides basic, essential information for planning, configuring and monitoring an access control system consisting of Schneider Electric controllers and CyberStation software. This manual provides the following information: An introduction to planning for an access control system Step-by-step procedures for basic configuration tasks in CyberStation Step-by-step procedures for monitoring your access control system using CyberStation An overview of advanced access control features that you may want to implement in your facility This manual is intended to be used with the CyberStation online help and the documentation that accompanies Schneider Electric controllers.

Andover Continuum CyberStation Access Control Essentials Guide

11

For complete user-interface details (beyond the scope of the basic tasks in this manual), you must consult the online help and the other CyberStation documents listed in the next section. The procedural information in this manual assumes that your access control hardware and software are installed, online, and ready to be configured.

Related Documentation
For additional or related information, you can refer to these documents. Document CyberStation online help HVAC Essentials Guide CyberStation Installation Guide Continuum Remote Communication Configuration Guide ACX 57xx Series Controller Operation and Technical Reference NetController II Operation and Technical Reference Guide Document Number n/a 30-3001-1000 30-3001-720 30-3001-814 30-3001-999 30-3001-995

12

Schneider Electric

Chapter 1
Getting Started

This chapter offers guidance on planning your access control system and includes the following topics: A review of a sample floor plan for a manufacturing facility, its access control issues, and access control devices in place to address the issues for this sample site A network configuration of controllers, servers, and CyberStation workstations that provides the access control infrastructure for the sample site

Andover Continuum CyberStation Access Control Essentials Guide

13

Chapter 1: Getting Started

Planning an Access Control System

Schneider Electrics access control products support the full range of access control needs: Small buildings to multi-site facilities Limited access validation and monitoring of personnel movement within a facility to extensive oversight As you prepare to implement an access control system in your organization, you may want to work from floor plans of your facility to identify factors such as the following that will affect implementation: Locations where access control is needed Personnel who use these locations The movement of personnel from one location to another How you want to manage access permissions in each location

14 Schneider Electric

Chapter 1: Getting Started

The following illustration is a floor plan of a small office and manufacturing facility.
Rear Entrance Loading Dock Emergency Exit

Warehouse

Manufacturing Floor

Office

Main Entrance

The following issues for this sample site determine the access control devices that are needed and the configuration of the system: At the main entrance, a receptionist greets employees and visitors during business hours. The main entrance is locked during off hours, but employees may need to enter and exit at those times. The employer wants to monitor use of this door during off hours. Warehouse and manufacturing employees can use the rear entrance to enter and leave the building.

Andover Continuum CyberStation Access Control Essentials Guide

15

Chapter 1: Getting Started

The door in the manufacturing area to the outside is for emergencies only and should be closed and locked under normal circumstances. Only authorized employees are allowed onto the manufacturing floor. The employer wants to monitor manufacturing employees who exit the building through the warehouse to the rear entrance. The following illustration shows the same floor plan, with access control devices in place.
Single Reader at Rear Entrance Loading Dock: Door Switch is Supervised Emergency Exit: Door Switch is Supervised

Dual-Reader Door

Camera: Captures Video

Warehouse

Manufacturing Floor

Single-Reader Door Office

Motion Detector: Unlocks Door during Regular Hours Triggers Video during Off Hours

Main Entrance: Card Reader for Employee Access

16 Schneider Electric

Chapter 1: Getting Started

The following table describes how these access control devices address the issues identified for this facility. Note that the devices used in this example are only one of many possible access control solutions that can be implemented. Area or Door Main Entrance Access Control Card reader allows access to employees. No access to visitors unless the receptionist is present. Motion detector unlocks door for exiting during regular hours, and triggers alarm with video during off hours. Camera captures video if triggered during off hours. Security guard at CyberStation workstation is alerted and can view video. Supervised input on door detects tampering and trigger an alarm. Door to Manufacturing from Office Card reader allows access only to authorized employees. No access-validation needed to exit Manufacturing through this door. Door to Manufacturing from Warehouse Card reader allows access to Manufacturing only to authorized employees, and requires employees to present access cards to exit Manufacturing through this door. Card reader allows employees access to Warehouse. No access validation needed to exit to the outside using this door. Supervised inputs on door detect opening or tampering during off hours and trigger an alarm.

Rear Entrance

Andover Continuum CyberStation Access Control Essentials Guide

17

Chapter 1: Getting Started

Area or Door Loading Dock

Access Control Supervised inputs on door detect opening or tampering during off hours and trigger an alarm. Supervised inputs on door detect opening or tampering and trigger an alarm.

Emergency Exit

18 Schneider Electric

Chapter 1: Getting Started

Overview of an Access Control Network

This illustration represents a sample Andover Continuum Security architecture.

The following components are standard in a security setup: CyberStation ACX 57xx Controller NetController II web.Client Server Integral DVMS (Digital Video Management System) Badge Printer

Andover Continuum CyberStation Access Control Essentials Guide

19

Chapter 1: Getting Started

20 Schneider Electric

Chapter 2
Configuring an Access Control System

This chapter contains step-by-step procedures for configuring an access control network in CyberStation using ACX 57xx and NetController II controllers. The chapter presents basic configuration tasks in the sequence that you typically perform them. So that you can more readily understand how the elements of an access control network work together, the procedures in this chapter cover basic setup tasks for a simple network. Each procedure provides cross references to the CyberStation online help so that you can obtain complete, detailed information about all the options associated with a configuration task.

Andover Continuum CyberStation Access Control Essentials Guide

21

Chapter 2: Configuring an Access Control System

Task 1: Open Continuum Explorer

Objects are the building blocks of your access control network. In CyberStation, objects are categorized by class. Area, Door, Schedule, and Personnel are examples of object classes. An objects attributes are determined by its object class, although the attribute values are specific to the individual objects. Objects may represent: Physical devices, such as a controller or a workstation Folders that are storage locations for objects Data, such as points, alarms, schedules, and personnel records When you configure a network in CyberStation, you create the objects that correspond to the devices, folders, and data in your network, and you specify their attribute values. Continuum Explorer is the tool that you use to configure and manage your network.
Networks and their objects are organized in a hierarchy under Root.

Navigation Pane Select an object in this pane to display the objects it contains in the Viewing Pane.

Viewing Pane

22 Schneider Electric

Chapter 2: Configuring an Access Control System

Open Continuum Explorer

1. Open CyberStation if it is not running at your workstation, and login. 2. At the CyberStation main menu, click Explorer. Note: You can also open Continuum by clicking: Start>Programs>Continuum>Continuum Explorer Continuum Explorer opens. The navigation pane does not yet contain any network objects or controllers. However, other predefined objects, created for you during installation, are displayed.

3. Proceed to Task 2: Create a Network and a Controller on page 24.

More About Continuum Explorer

See the topic, Continuum Explorer in the CyberStation online help.

Andover Continuum CyberStation Access Control Essentials Guide

23

Chapter 2: Configuring an Access Control System

Task 2: Create a Network and a Controller

A network is a logical organization of controllers that know about each other and have the ability to exchange data. The ACX 57xx is a highly intelligent controller that is designed for access control.
Each network contains one or more controllers, up to a maximum of 190 controllers. You can create additional networks to manage more controllers.

Containers and Parent/Child Objects

Each network in CyberStation has a hierarchical structure of objects. Many objects can be containers for other objects. For example, a network object contains all the controllers in that network. A container object is also called a parent object. All objects within the container are child objects that are owned by the parent object. These relationships are important for organizing the many objects that make up a network. They are also significant because you can apply settings to container objects that affect all the child objects within them.

24 Schneider Electric

Chapter 2: Configuring an Access Control System

Create a Network
When you configure an access control network, the first object you create is the network itself. 1. In Continuum Explorer, right click Root, select New, and then select Network. 2. Enter a name for the network for Object Name, and click the Create button.

CyberStation creates an alias from the object name that you enter. You can edit the alias if you wish. An alias cannot contain symbols or spaces.

3. In the Network editor, enter the Universal Time Coordinate (UTC) offset in minutes for Time Zone. The UTC offset is the difference between your local time and Greenwich Mean Time (GMT). Enter - if local time is behind GMT. Note: -300 minutes is an example of the Time Zone offset for Eastern Standard time. 4. Click OK.
CAUTION It is required that you locate Continuum controllers and workstations and Pelco video system in the same time zone. You should also ensure that they are time synchronized with each other. The system manager can act as a time server. Since the system manager is essentially a PC, however, be aware that the time of the PC may drift.

Andover Continuum CyberStation Access Control Essentials Guide

25

Chapter 2: Configuring an Access Control System

Web Configuration for Controllers

The NetController II and the ACX controllers are commissioned and configured using your PCs Internet Browser. To configure the controller, it must be installed and connected to your Ethernet network. IP configurable NetControllers and ACX controllers are shipped with default IP addresses and Subnet Mask values. These values must be changed to new values, which are assigned by your local IT personnel. The default values for all IP configurable controllers are: IP Address: 169.254.1.1 Subnet Mask: 255.255.0.0 Prior to changing these values, the PC being used to commission the controllers must be configured to communicate with the controllers at their default address. The setup values for the PC are: IP Address: 169.254.1.(191-254) Subnet Mask: 255.255.255.0 1. From Microsoft Internet Explorer, in the Address field, enter the controllers default IP address (169.254.1.1). The Andover Continuum Embedded WebServer page appears.

2. Select Controller Configuration Options.

26 Schneider Electric

Chapter 2: Configuring an Access Control System

The Controller Configuration Login dialog displays.

3. In the login dialog enter the default controller user name and password: Username: acc Password: acc Note: The password can be changed by right clicking the Continuum task icon 4. Select OK. and selecting Change your password...

Andover Continuum CyberStation Access Control Essentials Guide

27

Chapter 2: Configuring an Access Control System

The Controller Configuration screen appears on the left menu.

5. Select Controller Configuration. 6. In the Configurable Properties section enter the following information: ACCNet ID IP Address Subnet Mask Gateway Address Web Server Port PPP IP Address Transport Type; use the drop down menu to make the proper selection. 7. In the Miscellaneous section, using the dropdown menu, select the following information: IO Configuration Comm4 Port Line 8. Select Submit to Controller.
28 Schneider Electric

Chapter 2: Configuring an Access Control System

9. Exit the configuration setup. Note: Once you have finished commissioning your controller, your PCs IP address and Subnet Mask value can be returned to their normal settings.

Create a Controller
Note: Before performing this procedure, you must first install the controller, connect it to your Ethernet network, and then commission the controller. Refer to Web Configuration for Controllers on page 26. 1. In Continuum Explorer, right click the existing network object, select New, and then select InfinityController. 2. Enter a controller name for Object Name, and click the Create button. 3. In the InfinityController editor, enter a unique number from 1 to 190 for ACCNetID. Note: This must match what was entered in the web configuration page. The ACCNetID value uniquely identifies the controller within the access control network. 4. Select the controller model from the Controller Type dropdown menu.

Andover Continuum CyberStation Access Control Essentials Guide

29

Chapter 2: Configuring an Access Control System

For example, select 5740 for an ACX 5740 controller.

Serial Number and Version will be read from the controller after the Teach operation.

5. Select the Network tab. 6. Enter the IP address of the controller and subnet mask, and if required, enter the default router. You obtain this information from your IT administrator. 7. Click Apply. 8. Select the General tab, and then click the Teach button. 9. In the Select Teach Mode dialog, select the InfinityController Teach radio button, and click OK. Note: To confirm that the Comm Status is online, click the Refresh button. 10. Click OK to close the InfinityController editor. 11. Proceed to Task 5: Designate the Primary Access Server on page 46.
30 Schneider Electric

Chapter 2: Configuring an Access Control System

More about Networks and Controllers

See the following topics in the CyberStation online help: Network Editor InfinityController Editor

Andover Continuum CyberStation Access Control Essentials Guide

31

Chapter 2: Configuring an Access Control System

Task 3: Configure IOU Modules

After you finish configuring a controller with the Comm port editor, you can define your input and output. Start by defining the IOU modules with the IOUModule editor. IOU modules are electrical units that contain a number of input and/or output circuits that are electrically and sometimes physically attached to controllers. They provide controllers with the ability to interface with the outside world. There are four types of IOU Modules: Input modules Output modules Mixed input and output modules Special-purpose modules

Creating an IOU Module Object

The following steps allow you to add an IOU Module object for an IOU Module connected to a controller. 1. Right click the controller that you want to own this module, select New, and then select IOUModule. 2. When the New dialog appears, name the IOUModule and click Create.

32 Schneider Electric

Chapter 2: Configuring an Access Control System

General Tab IOUModule Editor

Use the General tab to enter basic information about the IOU module.

Description

The description is optional, but a good description of the IOUModule object helps others when they need to test, modify or manipulate the network. To enter a description, type up to 32 characters (including spaces) in the text field. Enter the IOU number here. You must manually assign a unique number (between 1 and 32) for each IOU module on a network controller. Physically label the IOU modules with the numbers you assign. This number is not the same as the 12digit module ID # assigned to the individual module at the factory. You will use this number when you configure points on this controller.

IOU Number

Model Number

The model number identifies the type of the IOUModule and is read from the module.

Andover Continuum CyberStation Access Control Essentials Guide

33

Chapter 2: Configuring an Access Control System

Comm Status Module ID and Program ID

This displays Online or Offline, depending on whether the controller is in communication with the module. These Schneider Electric-assigned numbers appear after the Learn process. The only time you will need these numbers is when speaking to a Schneider Electric Support Representative. These numbers will help our staff to answer your questions. You may manually enter the Module ID number in this field, (if you know it), rather than following the Learn process. Use the Learn button to commission the IOU module on the network. See Commissioning an IOU Module on page 35 later in this chapter. Use the Wink button after commissioning the IOU module to confirm that your system recognizes the IOU module. Click the Wink button. The Status light on the IOU module should flash. This indicates the IOU module was successfully commissioned.

Learn

Wink

Update IOU

Click the Update IOU button to browse for a *.iou file (a Schneider Electric-provided Flash File for individual modules) when updating IOU modules with new firmware.

Security Level Tab IOUModule Editor

The SecurityLevel tab shows the object security level and access privileges for the object.

More about the IOUModule Editor

For more information, see the IOUModule Editor topic and its related subtopics in the CyberStation online help.

34 Schneider Electric

Chapter 2: Configuring an Access Control System

Commissioning an IOU Module

Perform this procedure after installing the IOU module on the controller.

1. In the IOUModule editor, click the Learn button. A dialog displays requesting the operator to press the Commission button on the physical module. 2. At the IOU Module, press the Commission button on the front panel. The dialog at the workstation should disappear indicating that it received the information from the module. If the module is not easily accessible, you can enter the module ID found on the label inside the cover of the module into field, and click the Apply button. 3. In the IOUModule editor, click the Refresh button. The ModuleID for commissioned module, the ProgramID field, and the IO model type (i.e., AO-4-8) are automatically entered. This information was received from the module. Also, the Comm Status should be Online.
Andover Continuum CyberStation Access Control Essentials Guide 35

Chapter 2: Configuring an Access Control System

Task 4: Configure Controller Comm Ports

The comm port you select to configure and the settings you choose in the CommPort editor depend on the model of network controller and the device you want to connect to it. Refer to the CommPort Editor topic of the CyberStation online help to identify the appropriate settings to use for your devices. To configure a comm port, follow these steps: 1. In Continuum Explorer, expand the network controller whose comm ports you want to configure. 2. CommPort objects appear in the list of objects in the viewing pane. Double click the CommPort class folder under the controller. 3. Double click the CommPort object you want to configure. 4. In the CommPort editor, select the appropriate settings in each tab as described on the following pages. 5. Click OK.

36 Schneider Electric

Chapter 2: Configuring an Access Control System

General Tab CommPort Editor

In the General tab, enter basic information about the comm port. Description Type in a description for the comm port. You can use up to 32 alphanumeric characters. This attribute is optional, but providing a good description can aid other users. The CommPort attribute displays the number of the comm ports you are editing. Each comm port has a default mode. To change the default mode, select a different one from the Default Mode dropdown menu. The Settings tab displays different attributes, depending on the default mode you select. Refer to the table of default modes and their descriptions for more information. Note: In the event of a controller reset, each comm port reverts to its original default mode. For a complete list of default modes for each comm port on each controller, please see the help topics: Configuring Settings for Infinet or MSTP, Default Modes for Controller Comm Ports, and Summary of Comm Port Characteristics.

Comm Port Number Default Mode

Andover Continuum CyberStation Access Control Essentials Guide

37

Chapter 2: Configuring an Access Control System

. Default Mode Printer XDriver (XDriver option must be enabled to support this function) Description Select this option when connecting a serial printer to this port. Select this option to use a customized external equipment driver to connect to a third-party device. Note: Before you can select the XDriver, you must first install it using the instructions provided with the software. To select an XDriver file, click the browse button to locate and select the file for the XDriver. NotConfigured Select this option if the comm port is available. Indicates that the port is not preset to any other default mode configuration.

38 Schneider Electric

Chapter 2: Configuring an Access Control System

Viewing the Status of an XDriver Device

In the General tab, click the XDriver Status button to view the status of the device that is using the XDriver. The XDriver Status button displays the following read-only information:

Status

Displays the status of the device, or XdrvNotInstalled when no XDriver file has been selected. Displays the last error to occur on the device. Displays the time and date that the last error occurred on the device. Displays the number of errors that have occurred on the device since you last set it to zero. Increments to 255 errors and remains set at 255 until you reset it to zero by clicking the Reset Count button.

Error Error Time Error Count

Andover Continuum CyberStation Access Control Essentials Guide

39

Chapter 2: Configuring an Access Control System

Settings Tab CommPort Editor

The Settings tab is where you view or edit the communications speed and handshaking settings for the mode that you have chosen for the port. Depending on which Default Mode you select on the General tab, some of the attributes on this tab may be unselectable (appear gray).

Baud Rate

The Baud rate is the speed, measured in bits per second, at which the controller sends information to the device that you are connecting to the comm port. Select the baud rate that matches that required by the equipment connected to this port.

40 Schneider Electric

Chapter 2: Configuring an Access Control System

Track CXD

This option monitors a communications carrier detect signal called CXD. When selected, it enables the controller to detect when communication with connected objects has been lost. Depending on your modem configuration, the CXD (sometimes called DCD) signal (pin 8 on an RS_232 connector) is asserted high when the communications link is established between modems. Once the carrier signal is lost, CXD goes low. Track CXD looks for the high-to-low transition and makes the controller reset this comm port to its default mode. Track CXD cleans up the comm port by logging off the last user. Track CXD is selected by default, and it is required for comm ports that are connected to modems. If Track CXD is not selected, the controller cannot respond to the loss of the CXD signal.

Flow Control

The flow control type determines how the comm port handles the flow of data between the controller and its attaches device (usually a printer, modem, or terminal). This process is also known as handshaking. Select one of the following options from the dropdown menu: NoFlowControl: Select this flow control type if you do not want to regulate the flow of information between the controller and its attached printer, modem, or terminal. Without a flow control type, buffers that hold data that is being transmitted or received could overflow, and some data could get lost.

Andover Continuum CyberStation Access Control Essentials Guide

41

Chapter 2: Configuring an Access Control System

CtsRts: This flow control type uses hardware signals to send clear to send (Cts) and request to send (Rts) messages. Both of these messages must be acknowledged by the controller and its attached device before information can be transmitted. XonXoff: This control flow type uses software signals in the form of characters that are sent as part of the data being transmitted. When the controller or its attached device detects that it has been sent an Xon character, it makes itself available to receive data. It considers all data received after the Xon character as valid. When it detects an Xoff character at the end of the data steam, the controller or attached device knows the transmission is complete. XonXoff CtsRts: This flow control type uses both the software (XonXoff) and hardware (CtsRts) handshake methods for regulating the flow of information between the controller and its attached device. Current Mode This is a read-only attribute that shows you the default mode selected in the General tab.

42 Schneider Electric

Chapter 2: Configuring an Access Control System

SecurityLevel Tab CommPort Editor

Refer to CommPort Editor topic of the CyberStation online help for details regarding attaching or detaching SecurityLevel objects.

Field Bus Controllers Tab CommPort Editor

When you set the General tabs Default Mode to Infinet, MS/TP, or Wireless, the Field Bus Controllers tab appears on the CommPort editor. This tab displays the controllers that reside on their respective field bus network Infinet, BACnet MS/TP, or Wireless connected to this comm port. The controllers will not display, however, until you click the Learn button on the Settings tab. The CommStatus column displays either Online or Offline for controllers listed in the Name column. When a controller is Online, it is communicating with the rest of the network.

When a controller is Offline, it is not in communication with the rest of the network. This information is read only.
Andover Continuum CyberStation Access Control Essentials Guide 43

Chapter 2: Configuring an Access Control System

NetController II Model 9680

Comm Port Infinet Port User Port COMM1 COMM2 COMM3 COMM4 COMM16 Custom Port

Default Mode AutoSet AutoSet AutoSet AutoSet LON -

Other Modes Printer; Infinet; Lbus; LON; PPP; Wireless; XDriver Printer; Infinet; Wireless; XDriver Printer; PP; XDriver Printer I; Lbus; XDriver XDriver -

44 Schneider Electric

Chapter 2: Configuring an Access Control System

ACX 57XX Series

Comm Port Infinet Port User Port COMM1 COMM2 COMM3 COMM4 COMM16 Custom Port Default Mode AutoSet Other Modes Infinet; Wireless; XDriver -

Note: For additional information, in the Comm Port editor, see the help topics: Configure Settings for Infinet, Default Modes for Controller Comm Ports, and Summary of Comm Port Characteristics

Andover Continuum CyberStation Access Control Essentials Guide

45

Chapter 2: Configuring an Access Control System

Task 5: Designate the Primary Access Server

The Primary Access Server is the CyberStation workstation that you designate to record access events in the CyberStation database. If your network has multiple CyberStation workstations, you also should designate another workstation as a Secondary Access Server. 1. In Continuum Explorer, right click the workstation that you want to make the primary access server, and select Edit. 2. In the General tab of the Device editor, check the Primary Access Server check box, and click OK.

Select this check box.

3. When prompted to teach the controllers and workstations about this workstation, click Yes. 4. Proceed to Task 6: Create CyberStation Points on page 47.

More about the Primary Access Server

See the topic Device Editor in the CyberStation online help.

46 Schneider Electric

Chapter 2: Configuring an Access Control System

Task 6: Create CyberStation Points

A point is an object that stores a value, such as an input indicating the status of a door lock, an output that locks or unlocks a door, or a True-False condition that triggers an alarm. In access control systems, you most often work with the following types of point objects: Point Type Supervised InfinityInput Use in Access Control Systems Used to monitor contact status as well as the condition of the wiring, allowing CyberStation to detect that wiring was tampered with.

Digital InfinityOutput Used to specify a digital (On or Off) value, allowing CyberStation to change the status of a switch or a contact. InfinityNumeric InfinityDateTime InfinityString Software point that stores a number value, including an On/Off value (1 or 0). Software point that stores a date and time value. Software point that stores text.

Points enable you to monitor and control access events. You use these points with schedules, alarms, and other objects to establish routine access control and to respond to unauthorized access events.

Create an InfinityInput Point

Supervised input points can monitor: The status of a contact or switch, and Whether the wiring for the contact or switch was tampered with. Supervised points can have one of three values: On, Off, or Trouble.

Andover Continuum CyberStation Access Control Essentials Guide

47

Chapter 2: Configuring an Access Control System

You create a supervised input point for each input (for example, from a contact sensor) from the devices wired to channels at each controller in your network. 1. In Continuum Explorer, right click the controller where you want to create the point, select New, and then select InfinityInput. 2. Enter a point name for Object name, and click the Create button. 3. In the General tab of the InfinityInput editor, enter the units for this point. For example, define the meaning of the On value: On = Closed. Leave the Value field at 0. The system updates the value with the input from the associated controller channel.

Entering a description helps other users identify what this point represents.

4. Select the Settings tab. 5. Select Supervised for Elec Type. 6. Enter the controller channel number (marked on the controller) to which this input is wired. 7. Enter $####### for Format.

48 Schneider Electric

Chapter 2: Configuring an Access Control System

$ indicates a text value. Each # is a placeholder for one character. This format enables On, Off, or Trouble to be reported for the value.

$ indicates a text value. Each # is a placeholder for one character. Use a period to indicate the position of the decimal point, if needed An example for the Format value is $#####.# 8. Select the appropriate input type based on the wired configuration of the switch (normally open with a resistor in series, normally closed with a resistor in series). 9. Click OK.

Andover Continuum CyberStation Access Control Essentials Guide

49

Chapter 2: Configuring an Access Control System

Create an InfinityOutput Point

An InfinityOutput point is a digital point that stores the value of a signal sent to an access control device. The value is sent via the controller channel to which the device is wired, and is used to control the device. For example, the output may lock a door. An output point can have a value of On or Off. You create an output point for each output (for example, to a door lock) to the devices wired to channels at each controller in your network. 1. In Continuum Explorer, right click the controller where you want to create the point, select New, and then select InfinityOutput. 2. Enter a point name for Object name, and click the Create button. 3. In the General tab of the InfinityOutput editor, enter the units for this point. For example, define the meaning of the On value: On = Unlock. Leave the Value field at 0.

4. Select the Settings tab. 5. Select Digital for Elec Type.

50 Schneider Electric

Chapter 2: Configuring an Access Control System

6. Enter the controller channel number (marked on the controller) to which this output is wired. 7. Enter $### for Format. $ indicates a text value. Each # is a placeholder for one character. This format enables On or Off to be reported for the value.

8. Click OK.

Andover Continuum CyberStation Access Control Essentials Guide

51

Chapter 2: Configuring an Access Control System

Create an InfinityNumeric Point

An InfinityNumeric point stores a number value, such as: Value System constant Result of a calculation Logical value Example Maximum occupancy for a specific area Current occupancy of the area On or Off value set by a schedule

1. In Continuum Explorer, right click the controller where you want to create the point, select New, and then select InfinityNumeric. 2. Enter a point name for Object name, and click the Create button. 3. In the General tab of the InfinityNumeric editor, enter the units for this point. For example, define the meaning of the point value: Max. Occupancy = 100 or On=Occupied. 4. Leave Value empty, or enter a value, depending on how you intend to use this point. For example, if the point will be a constant, enter the number. If the value will be the result of a calculation, do not enter anything in the field. 5. Enter the format of the value for Format. $ indicates a text value. Each # is a placeholder for one character. Use a period to indicate the position of the decimal point, if needed

52 Schneider Electric

Chapter 2: Configuring an Access Control System

An example for the Format value is $#####.#.

6. Click OK. 7. Proceed to Task 7: Create Areas on page 54.

More about Points

See the following topics in the CyberStation online help: InfinityInput Editor InfinityOutput Editor InfinityNumeric Editor

Andover Continuum CyberStation Access Control Essentials Guide

53

Chapter 2: Configuring an Access Control System

Task 7: Create Areas

An area is a space that can be accessed only by passing through an access control device, such as a card reader or keypad. Each area can be accessed through one or more doors where access control devices are configured.

Lobby/Offices

Manufacturing Floor

Stock Room

For example, the manufacturing floor of a small facility might have doors leading to other areas of the facility, such as an office area, stock room, and emergency exit to the outside.

Factors to Consider When Defining Areas

Unlike Door objects, which correspond to actual doors in your facility, Area objects are not necessarily direct representations of each physical space in your facility. The number of Area objects that you need to create depends on many factors, including: The size and physical layout of your facility The movement of personnel into, out of, and through your facility
54 Schneider Electric

Chapter 2: Configuring an Access Control System

The degree of access control that you require for the movement of personnel within the facility The types of personnel who need access to various locations in your facility and when access is needed After you create an area object, you configure doors that access the area. You also assign the area to personnel who need access to it. In addition, you can attach schedule points to Door and Personnel objects to determine when access can occur.

Create an Area
Because the doors accessing an area may be managed by different controllers, you typically create a folder for Area objects from Root. 1. In Continuum Explorer, right click Root, select New, and then select Folder. 2. Enter a folder name, and click the Create button. 3. Right click the folder, select New, and then select Area. 4. Enter an area name, and click the Create button. 5. In the Area editor, click OK. You can now assign doors and personnel to this area. 6. Proceed to Task 8: Create Doors on page 56.

More about Areas

See the topic Area Editor in the CyberStation online help.

Andover Continuum CyberStation Access Control Essentials Guide

55

Chapter 2: Configuring an Access Control System

Task 8: Create Doors

Door objects, along with Area and Personnel objects, are the fundamental elements of your access control system. Door objects are highly customizable, and you can configure doors to meet the access control requirements of specific locations. You can configure access control devices, such as card readers and keypads, on one side of a door (single-reader door) or on both sides (dual-reader door).

When to Create a Door

You create Door objects only for doors that have access control devices associated with them. If you want to monitor a door that is simply closed or locked under normal circumstances, such as a fire door, you can do this by setting up supervised input points for the door switch and contacts.

Data that Defines a Door

You will need the following information to define each door: Card-format information for access-card sets Site codes (Wiegand or ABA card formats only) accepted at the door Area(s) to which the door provides access Type of validation needed at the door (by site code, card number, personal identification number [PIN], etc.) Channel numbers for card reader and keypad inputs Channel numbers for door inputs and outputs You can also attach schedule points to a door to determine when the door is locked or unlocked or when no access is allowed.

56 Schneider Electric

Chapter 2: Configuring an Access Control System

Create a Door
You create Door objects in the controller to which the door and reader inputs and outputs are wired. 1. In Continuum Explorer, right click the controller where you want to add the door, select New, and then select Door. 2. Enter a door name, and click the Create button. 3. In the Door editor, select the Card Formats tab. 4. If you use Wiegand cards, enter the site code(s) used with your access cards. Note: You can have up to four site codes per door.

Andover Continuum CyberStation Access Control Essentials Guide

57

Chapter 2: Configuring an Access Control System

5. Select the card format, Wiegand or ABA, and then select the individual formats that you want the reader to recognize. Note: The FIPS-PIV options are included in the Wiegand Formats section. Cyberstation version 1.9 and higher supports this special personnel category for federal employees and contractors whose security identification must comply with the Federal Information Processing Standard for Person Identity Verification (FIPS-PIV). In Cyberstation you can configure door and Personnel objects to accommodate FIPS-PIV card or credential holders and FIPSPIV card readers. For more information, see Adding FIPS-PIV Card Credentials in Chapter 4, Advanced Topics for Access Control. Refer also to the CyberStation help topic, Defining a Custom FIPS-PIV String Format. 6. Select the Entry Reader tab. 7. Enter the channel number on the controller that is connected to the card reader at this door. 8. Select the area to which the door provides access.

58 Schneider Electric

Chapter 2: Configuring an Access Control System

9. Select the access validation options required at this door.

10. If the door has readers on both sides, select the Exit Reader tab, and repeat steps 7 - 9 to configure the second reader.

Andover Continuum CyberStation Access Control Essentials Guide

59

Chapter 2: Configuring an Access Control System

11. Select the Channels tab.

12. Enter the channel number where each input or output is wired.

Channel Door Output ADA (Americans with Disabilities Act) Output Alarm Output Exit Request Input

Description Channel to which the door lock is wired. Channel to which an electronic door opener is wired. Channel that will be energized when an alarm condition is active at this door. Channel that receives input from a motion detector, request-to-exit (REX) button, or other REX device.

60 Schneider Electric

Chapter 2: Configuring an Access Control System

Channel Door Switch Input

Description Channel to which the door switch is wired. The door switch monitors whether the door is open or closed. You also select the resistor type for the switch. Channel to which a bond sensor is wired. A bond sensor determines the physical position of the door latch. You also select the resistor type for the sensor. Channel for input that requests that the door be opened for a person to leave the area accessed by this door. Channel for input indicating that the card holder has ADA access enabled on his or her access card.

Bond Sensor Input

ADA (Americans with Disabilities Act) Exit Request Input ADA (Americans with Disabilities Act) Input

Andover Continuum CyberStation Access Control Essentials Guide

61

Chapter 2: Configuring an Access Control System

13. Select the Options tab.

62 Schneider Electric

Chapter 2: Configuring an Access Control System

14. Under Send Access Events, select the events you want to log for this door. The events that you select for this door can be shown in logs, ListView and EventView windows, and reports. Events not selected here are not captured and cannot be retrieved for later viewing and reporting. 15. Click OK. Note: Cyberstation version 1.9 and higher supports a special personnel category for federal employees and contractors whose security identification must comply with the Federal Information Processing Standard for Person Identity Verification (FIPS-PIV). In Cyberstation you can configure door and Personnel objects to accommodate FIPS-PIV card or credential holders and FIPSPIV card readers. For more information, see Adding FIPS-PIV Card Credentials in Chapter 4, Advanced Topics for Access Control.

View Doors Assigned to an Area

1. In Continuum Explorer, expand the folder where you created areas, and double click the area to which you assigned the new door. 2. In the Area editor, select the Doors to Area tab.

Andover Continuum CyberStation Access Control Essentials Guide

63

Chapter 2: Configuring an Access Control System

The door you created now appears in the list. The list indicates whether the door provides access to the area, exits the area, or both.

3. Click Cancel. 4. Proceed to Task 9: Create Personnel on page 65.

More about Doors

See either the topic, Door, and its subtopics, or Door Editor in the CyberStation online help.

64 Schneider Electric

Chapter 2: Configuring an Access Control System

Task 9: Create Personnel

A Personnel object stores the access information for each person authorized to enter your facility. Personnel objects can also store personal and employee data for each person.

Access-Control Information in a Personnel Object

You can specify access control information for each Personnel object, such as: Card format Site code Card number Card expiration date Areas to which the person has access rights
Andover Continuum CyberStation Access Control Essentials Guide 65

Chapter 2: Configuring an Access Control System

Schedules points that determine when the person can access assigned areas More advanced access control settings, such as area clearance levels and executive privilege, can also be defined in a Personnel object. These are described in greater detail in the CyberStation online help. In addition, if you have purchased the badging option, you can create ID badges for Personnel objects. The badges can include a photo, signature, fingerprint, etc., to identify the card holder.

Methods of Creating Personnel Objects

You have several options for creating Personnel objects: You can enter new Personnel objects in the Personnel Manager dialog. You can use the Personal Import Utility to import personnel records from another application into CyberStation. Once imported, these records become Personnel objects that you can edit and manage in the Personnel Manager. You can import personnel records from a .CSV file and save the imported data as Personnel objects. You can create Personnel objects from templates. You can add new Personnel objects from Continuum Explorer.

Open the Personnel Manager for the First Time

The Personnel Manager automatically opens when you double click a Personnel object in Continuum Explorer. However, if you have not yet created any Personnel objects, you create a new Personnel object in Continuum Explorer, which also opens the Personnel Manager. You typically create one or more folders in which to store Personnel objects. 1. To create a Personnel folder in Continuum Explorer, right click Root, select New, and then select Folder. 2. Enter a folder name, and click the Create button. 3. Right click the folder, select New, and then select Personnel.

66 Schneider Electric

Chapter 2: Configuring an Access Control System

4. Enter a name for the Personnel object (for example, you might want to enter the last name and first initial of the person), and click the Create button. The Personnel Manager opens.

5. In the Details tab, enter the persons full name. 6. Select the card format for Card Type. 7. For Wiegand cards, enter the site code for the card. For FIPS-PIV cards, enter agency code and system code. 8. Enter the card number. For FIPS-PIV cards, enter credential number. 9. Under Access Rights, expand the UnAssigned areas list.

Andover Continuum CyberStation Access Control Essentials Guide

67

Chapter 2: Configuring an Access Control System

10. Select the check box next to areas this person can access.

You can expand an area to attach a schedule point. Schedule points are described in Task 10: Create Schedules on page 70. 11. Click Apply. Note: Cyberstation version 1.9 and higher supports a special personnel category for federal employees and contractors whose security identification must comply with the Federal Information Processing Standard for Person Identity Verification (FIPS-PIV). In Cyberstation you can configure door and Personnel objects to accommodate FIPS-PIV card or credential holders and FIPSPIV card readers. For more information, see Adding FIPS-PIV Card Credentials in Chapter 4, Advanced Topics for Access Control.

Create a Personnel Object in the Personnel Manager

When the Personnel Manager is open, you can continue creating Personnel objects without closing and reopening it each time. 1. In the Personnel Manager, click the Add Record button. 2. Repeat steps 5 - 11 above to enter information for this person. 3. When you finish adding Personnel objects, click OK to save the current object and close the Personnel Manager. 4. Proceed to Task 10: Create Schedules on page 70. Note: An alternate method for creating a Personnel object is with the Personnel Editor. Refer to the Personnel Editor topic in the CyberStation online help for more details.

68 Schneider Electric

Chapter 2: Configuring an Access Control System

More about Personnel Objects

See the following topics in the CyberStation online help: Personnel Manager Personnel Editor Personnel Import Utility Allowed Credentials Dialog

Andover Continuum CyberStation Access Control Essentials Guide

69

Chapter 2: Configuring an Access Control System

Task 10: Create Schedules

A schedule is a graphical calendar of events that CyberStation uses to determine when activities occur. Access-control activities that you can manage with schedules include: When doors are locked or unlocked When personnel have access to areas

About Schedule Points

Schedules use the following points to determine when the schedule is active and which CyberStation objects are controlled by the schedule: InfinityDateTime points that are updated with occupied and unoccupied times An InfinityNumeric or InfinityOutput point whose value is set by the schedule. Other objects that reference this point, such as a door, are controlled by the schedule that sets the point value.

70 Schneider Electric

Chapter 2: Configuring an Access Control System

Create and Configure a Schedule

You create schedules in the controller where the schedule will be used. (Later, you can use the Schedule editors Mass Create feature to copy the schedule to other controllers in your network, if needed.) Note: Before creating a schedule, you must create the points called for in the schedule. See Task 6: Create CyberStation Points on page 47. 1. In Continuum Explorer, right click the controller, select New, and then select Schedule. 2. Enter a schedule name, and click the Create button. 3. In the Schedule editor, select the Configuration tab.

Andover Continuum CyberStation Access Control Essentials Guide

71

Chapter 2: Configuring an Access Control System

4. Under Point Configuration, use the browse button to locate each of the following points: An InfinityDateTime point that the schedule updates with the next occupancy time (the date and time at which an area will next be occupied) An InfinityDateTime point that the schedule updates with the next unoccupancy time (the date and time at which an area will next be unoccupied) 5. Use the browse button to locate the InfinityNumeric point that the schedule will set for Occupancy Point. The value of this point will be set to On (Occupancy Time is now.) or Off (Unoccupancy Time is now.). 6. Check the Automatic Download check box, and select the day of the week and the time you want CyberStation to download the schedule to the controller. 7. Click OK. 8. In Continuum Explorer, right click the workstation that you want to perform the schedule download, and select Open. 9. In the General tab of the Device editor, click the Auto Download check box, and click OK.

Select this check box.

Each week, at the day and time you selected in the schedule, this workstation downloads the next seven days of the schedule to the controller.

72 Schneider Electric

Chapter 2: Configuring an Access Control System

Attach a Schedule Point to a Door

After you create and configure a schedule, you attach the point you selected for the Occupancy Point to the objects you want the schedule to control. 1. In Continuum Explorer, double click the door to which you want to attach the schedule point. 2. In the Door editor, select the Options tab. 3. Click the browse button next to one of the schedule fields, and navigate to and select the schedule point you want to attach. You can use schedule points to control the door in two ways: Attach the point to . . . Door Force Lock Schedule To . . . Lock the door, with access allowed to valid personnel when the schedule is On, and Lock the door, with no access allowed when the schedule is Off. Door Force Unlock Schedule Unlock the door, with no access validation required when the schedule is On, and Lock the door, with access allowed to valid personnel when the schedule is Off. 4. If you are using the Force Lock option, select the Entry Reader tab, and ensure that the Door Force Lock Schedule check box is selected for Normal under Access Validation. Repeat for the Exit Reader tab if this is a dual-reader door. 5. Click OK.

Andover Continuum CyberStation Access Control Essentials Guide

73

Chapter 2: Configuring an Access Control System

Attach a Schedule Point to an Area in a Personnel Object

Attaching schedule points to areas in a Personnel object enables you to specify when this person can access the assigned areas without affecting access to the areas by other personnel. For example, you may want permanent employees to have access to your facility at any time. You may also want temporary workers to have access only during the regular business day and be denied access after hours. You can limit the times of access for temporary workers by attaching schedule points to area assignments in their Personnel objects. If . . . Then . . .

A schedule point is attached to the person can access the area only an area in the Personnel object when the schedule associated with the point is active. No schedule point is attached to an area in the Personnel object the person can access the area as determined by schedules (if any) that are attached to doors to the area.

1. In Continuum Explorer, double click the Personnel object that you want to edit. 2. In the Personnel Manager, under Access Rights, expand Assigned, and then expand an area where you want to attach a schedule point.

74 Schneider Electric

Chapter 2: Configuring an Access Control System

3. Click the icon next to Add Schedule to display the Add Schedule dialog.
Click here to display the Add Schedule dialog.

4. Select the browse button next to Schedule Points Location to locate, and select the controller with the schedule point that you want to add. 5. Select a schedule point, select the area(s) where you want to attach the point, and click OK.

. . . And in this pane, select the check box for each area that you want to use the point. Select a schedule point in this pane . . .

6. Click OK. 7. Proceed to Task 11: Configure Alarms on page 77.

Andover Continuum CyberStation Access Control Essentials Guide

75

Chapter 2: Configuring an Access Control System

More about Schedules

See the following topics in the CyberStation online help: Schedule Editor Options Tab (located in the Door Editor topics) Editing a Personnel Object (located in the Personnel Manager topics)

76 Schneider Electric

Chapter 2: Configuring an Access Control System

Task 11: Configure Alarms

When you have configured your access control system to define when, where, and to whom access is permitted, your next task is to set up alarms that notify you when unauthorized access is attempted or other access-related conditions occur. Two CyberStation objects work together to define alarm conditions and the systems response to the alarm: An EventNotification object determines what happens in response to the alarm.
These EventNotification objects define the response to alarms of different levels of severity.

An AlarmEnrollment object specifies the conditions that define the alarm state and the return to normal state. You attach an AlarmEnrollment object to the objects, such as doors and points, to configure the alarm for that object.
These AlarmEnrollment objects define some typical door-related alarm conditions.

About Event-Notification Objects

In an EventNotification object, you specify how the system responds to an alarm condition. You also specify how a user, when notified of an alarm, must respond to acknowledge the alarm. Actions the system can take include: Displaying alarm messages in the Active Alarm View window or the Alarm Status bar at specific workstations Beeping or playing an audio file at the workstations Sending an e-mail message and/or paging one or more individuals

Andover Continuum CyberStation Access Control Essentials Guide

77

Chapter 2: Configuring an Access Control System

Displaying a video layout that shows video from cameras in locations affected by the alarm Displaying a graphics panel associated with the alarm You can also specify the notification actions that occur when the conditions that triggered the alarm return to normal.

Create an Event-Notification Object

You create EventNotification objects in Root. Typically, you create a folder in Root to store both EventNotification objects and AlarmEnrollment objects. 1. In Continuum Explorer, right click Root, select New, and then select Folder. 2. Enter a folder name, and click the Create button. 3. Right click the folder, select New, and then select EventNotification. 4. Enter a name, and click the Create button. Note: The Fault state referred to in the EventNotification editor does not apply to access control events. 5. In the General tab of the EventNotification editor, enter a number for the priority of the alarm state and the return to normal state.

78 Schneider Electric

Chapter 2: Configuring an Access Control System

Priority is used to sort events in the Active Alarm View window, with higher-priority events (events with a smaller priority number) at the top of the list. For example, a certain kind of alarm may be priority 1, while the return to normal for the alarm is priority 10. You can choose how you want to assign priorities to alarms.

6. Under Colors and Fonts, right click to select the colors and fonts used to display the alarm in the Active Alarm View window and the Alarm Status bar. 7. If you want the notification to be reissued if the alarm continues, enter the number of minutes between notifications for Repeat. 8. Select the Actions tab.

Andover Continuum CyberStation Access Control Essentials Guide

79

Chapter 2: Configuring an Access Control System

9. Click the check box next to each action you want the system to take in notifying users of the alarm and the return to normal. Note: You can receive an email notification of an alarm by choosing one of the email selections from the checklist. For more information about email notification of alarms see About Notification by Email and Pages on page 82.

10. Select the Delivery tab. 11. Click the Add Recipient button. 12. In the Recipients Configuration dialog, click the browse button to locate and select the CyberStation workstation to be notified of the alarm. Note: The recipients referred to in this dialog are the CyberStation workstations that you want to be notified of the alarm and that will then take the actions you selected in the Actions tab. 13. Specify the days and times of day that this workstation should receive the messages.

80 Schneider Electric

Chapter 2: Configuring an Access Control System

For example, you might designate Workstation 1 as the recipient of alarm notification during office hours Monday through Friday. You might then designate another workstation as the recipient of notification at night and on weekends.

14. Click the check box next to the actions the workstation should take if it receives notification during the times you selected. If you want the workstation . . . Always to perform the action To perform the action only if a workstation that was designated as primary for this action is offline To perform the action only if a repeat of the alarm has occurred Then . . . Select the check box under Primary for the action. Select the check box under Secondary for the action.

Select the check box under Backup for the action.

Andover Continuum CyberStation Access Control Essentials Guide

81

Chapter 2: Configuring an Access Control System

15. Click OK. 16. Select the Deactivate tab. 17. Select when to remove the alarm from the Active Alarm View window. 18. Click OK. You can now create an AlarmEnrollment object that uses this EventNotification object.

About Notification by E-mail and Pages

If you want to use the e-mail and paging options in an EventNotification object, you also need to set up distribution lists in the e-mail application at the computer that distributes alarm notifications. For each EventNotification object, create a distribution list of the people you want to be paged or receive e-mail when an associated alarm occurs. Create the lists in the first address book that appears in the e-mail application, and use the formats shown in the following table for the list names. The list names in the Example column are for an EventNotification object named dooralarms. Requirements for forwarding CyberStation alarms via E-mail or page: The CyberStation workstations that have been designated primary and backup E-mail and/or page handlers must have a MAPIcompliant E-mail client such as MS Exchange or Outlook. The E-mail client application can communicate with an existing Email server application, such as MS Exchange Server. The primary or backup E-mail/paging workstation must be running CyberStation at the time an alarm is generated.

82 Schneider Electric

Chapter 2: Configuring an Access Control System

Each EventNotification object associated with the alarms that you wish to E-mail or page must have its own E-mail distribution list in the personal address book or Contacts list of the client E-mail application using a specified naming convention as outlined in Step 4 below. This E-mail distribution list must be stored in the first address book shown in the list of available address books in the E-mail client application. For example, if you create an EventNotification distribution list in the Personal Address Book in Microsoft Outlook, then the Personal Address Book must be the first one showing in the address list dropdown menu when you open the Address Book.

Creating an EventNotification Distribution List

To create an E-mail or page distribution list, proceed as follows: Note: The following steps are based on Microsoft Outlook. Other mail applications may have different menu names and choices but the general procedure is the same. 1. Open the Address Book for the E-mail account on the CyberStation workstation that will be providing the E-mail/paging service(s). Your toolbar may have a button for this. If not, use the Address Book option of the Tools menu. 2. Select New Entry from the Files menu. 3. Select the entry type Personal Distribution List and put this entry in the Personal Address Book. 4. In the Name field enter a name for the distribution list using the following format:

List Type E-mail Paging

Format of List Name acc.eventnotification.na me acc.page.eventnotificatio n.name

Example acc.eventnotification.dooralar ms acc.page.eventnotification.doo ralarms

Andover Continuum CyberStation Access Control Essentials Guide

83

Chapter 2: Configuring an Access Control System

For example, if your EventNotification object is named Severe, the personal distribution list for E-mail deliveries should be named: ACC.Severe. Likewise, your personal distribution list for page deliveries should be named: ACC.page.Severe. Note: Use the EventNotification object Name not the Alias, for example, Critical Temp, not CriticalTemp. 5. Add members (the E-mail addresses or pager and service numbers of those to whom the notification of the alarm will be sent) to your personal distribution lists. 6. Set address book options so that the address book where your personal distribution lists are stored is the first one to be searched when sending E-mails or pages. For example, in Microsoft Exchange, select Options from the Tools menu. Click the Addressing tab. When sending mail, check names using these address lists in the following order area, use the Add button, then the up or down arrow buttons to add the correct address book to this field and position it at the top of the list.

About AlarmEnrollment Objects

An AlarmEnrollment object: Defines the conditions that your access control system uses to determine that a point is in the alarm state Defines the conditions that the system uses to determine that the point has returned to its normal state Contains the text messages that are displayed in the Active Alarm View window or the Alarm Status bar Has an attached EventNotification object that defines how the system responds to the alarm and notifies the appropriate people You attach an AlarmEnrollment object to points, doors, and other objects that you want to alarm.

84 Schneider Electric

Chapter 2: Configuring an Access Control System

Create an Alarm-Enrollment Object

You create AlarmEnrollment objects in Root or in an alarms folder that you previously created in Root for AlarmEnrollment and EventNotification objects. 1. In Continuum Explorer, right click the folder that contains your AlarmEnrollment objects, select New, and then select AlarmEnrollment. 2. Enter a name for the alarm (for example, doorisajar), and click the Create button. 3. In the General tab of the AlarmEnrollment dialog, click the browse button to locate and select the EventNotification object that determines how the system responds to the alarm.
The EventNotification object you select here determines how the system responds if the alarm condition occurs.

4. Select Value for Alarmed Attribute. This is the attribute that triggers the alarm, based on the parameters you define for Value in the Algorithms tab. 5. Select Expression for Alarm Type. You define the expression used to define the alarm condition in the Algorithms tab. Most access control alarms use the Expression alarm type.
Andover Continuum CyberStation Access Control Essentials Guide 85

Chapter 2: Configuring an Access Control System

6. Under Send, select the Alarm check box. If you want to be notified at the return to normal, select this check box as well. 7. Select the Algorithms tab. 8. In the Expression field, enter the alarm condition that triggers the alarm. For example, enter DoorAjar = True to generate an alarm that occurs when the value for the attribute DoorAjar is equal to 1, indicating that the door has been left open.

General Expressions for Security

Expression State is Disabled Override is True DoorAjar is True

Description An alarm is generated when a user disables this object. An alarm is generated when this object has been manually overriden. The door is held open for longer than the DoorAjar time and the Door Strike Time.

86 Schneider Electric

Chapter 2: Configuring an Access Control System

Expression ForcedEntry is True InvalidAttempt is True Value = Trouble Doorswitch = Trouble ExitRequest = Trouble and Point1 = On

Description The door switch is open without a Valid Access, Request to Exit or Operator command. An individual without access to this area attempted to card in at this door. A wiring fault on Supervised InfinityInput. A wiring fault on the door switch input of the door. A wiring fault on a Exit Request switch for the door. Add to any of above expressions, only if true when a linked point for Point1 is on.

9. Select the Feedback tab. 10. Enter the messages that you want to be displayed in the Active Alarm View or the Alarm Status bar.

Andover Continuum CyberStation Access Control Essentials Guide

87

Chapter 2: Configuring an Access Control System

Use wildcards as placeholders for the object name and description of the object to which you attach this alarm: Enter %n in place of the object name. Enter %d in place of the object description (entered in the General tab of the object editor). Using wildcards enables you to attach the same AlarmEnrollment object to multiple objects while still providing an alarm message that is unique to the object where the alarm has occurred. 11. Click OK.

About Attaching Alarms to Objects

You can attach up to eight AlarmEnrollment objects to a Door object or a point object. For example, you might create and attach alarms to a Door object for door ajar, switch tampering, and forced entry conditions.

Attach an Alarm-Enrollment to a Door

1. In Continuum Explorer, double click a Door object. 2. In the Door editor, select the Alarms tab. 3. Click the browse button in one of the empty fields, and locate and select the AlarmEnrollment object you want to attach. 4. Select the Enabled check box.

Note: Unless the Enabled check box next to an alarm is checked, the alarm does not become active, even if the alarm condition occurs. 5. Click OK. 6. Proceed to Task 12: Configure Video on page 97.

88 Schneider Electric

Chapter 2: Configuring an Access Control System

Attaching Alarms to a Point

Once you have created the appropriate EventNotification and AlarmEnrollment objects, you need to open a point object editor. From the navigation pane of the Continuum Explorer: 1. Double click the Infinity controller that contains the points you want to alarm. 2. In the viewing pane of Continuum Explorer, right click the icon for the point, and select Open from the drop down menu. The object editor for that point will appear. 3. Select the Alarms tab (or Advanced Alarms tab on some object editors). The Alarms tab (or Advanced Alarms tab) appears. For example:

Andover Continuum CyberStation Access Control Essentials Guide

89

Chapter 2: Configuring an Access Control System

Using the Alarms / Advanced Alarms Tab of an Object Editor

Use the Alarms tab (or Advanced Alarms tab) to browse for up to eight AlarmEnrollment objects to attach to the point. To attach an alarm to an object: 1. Click the browse button in one of the empty alarm fields. 2. Search and find the alarm you want. 3. Click the Select button. 4. Check the Enabled checkbox. To delete an attached alarm, select its name in the text field and press the Delete key on your keyboard.

90 Schneider Electric

Chapter 2: Configuring an Access Control System

Additional information you can add from the Alarms tab include the following attributes: Graphic Click the browse button in the Graphic field to search for the desired graphic panel that you want to appear when the alarm goes off. Select the page number of the graphic panel you want first to appear. Click the browse button in the Program field to search for the desired report program or any other Plain English program to this object. Note: You cannot select an HTML report directly. To associate an HTML report with an object, you must select a program that uses the SHOWREPORT keyword to run an HTML report. An example of the SHOWREPORT keyword is: SHOWREPORT: C:\PROGRAM FILES\CONTINUUM\REPORTS\SYSTEMCH K.HTM. Note: For additional information on Plain English (PE) refer to the Andover Continuum CyberStation Plain English Language Reference guide, 303001-872.

Program

Andover Continuum CyberStation Access Control Essentials Guide

91

Chapter 2: Configuring an Access Control System

Alarm Points

Alarm points allow any expression alarm that you attach on this tab to reference up to four "alarm points," named Point 1, Point 2, Point 3, and Point 4. Using alarm points saves you the trouble of having to change the expression (via the Algorithms tab of the AlarmEnrollment editor for that alarm object) every time you attach an expression alarm to a different point:

Note: For additional information on the Algorithm expressions refer to General Expressions for Security on page 86.

92 Schneider Electric

Chapter 2: Configuring an Access Control System

To configure these alarm points for an attached expression alarm, click the Alarm Points button to bring up the Alarm Points dialog:

Using the Alarm Points dialog, you must specify the actual point names for every alarm point the attached expression alarm references.

Andover Continuum CyberStation Access Control Essentials Guide

93

Chapter 2: Configuring an Access Control System

Follow this procedure: 1. In the General tab of the AlarmEnrollment editor, for the alarm you want to attach, make sure that you select Expression for the Alarm Type. Any attached alarm to which you want to apply alarm points must be an expression alarm. 2. In the Algorithms tab of the AlarmEnrollment editor, enter the expression in the Expression field. When you want to use alarm points, the alarm point name (point1, point2, point3, or point4) must be part of the expression. For example: ...value > point1 + 2... 3. Save the AlarmEnrollment object after making these expression-alarm changes. 4. On this tab of this editor, click the Alarm Points button to search for and select the name of an object for every alarm point referenced by attached expression alarm. The Alarm Points dialog appears, showing fields where you may specify up to four point names, Point 1 through Point 4. 5. Click the browse button in one of the point's fields. 6. Once you have found the point you want, click the Select button. That point specified in the field will be associated with that alarm point and applied to the attached expression alarm, which references the point. 7. Click OK.

94 Schneider Electric

Chapter 2: Configuring an Access Control System

Video Points

Click the Video Points button to bring up the Video Points dialog, shown on the next page. Note: If Endura video support is enabled in Setting 18 of the General Preferences tab, you will be unable to access the Video Points dialog. For more information, see the following topics in the CyberStation online help:
Using the General Preferences Dislog Using Video Points

Use the Video Points dialog to assign cameras to doors and points and configure parameters that control video images displayed in a VideoLayout or in the Video Monitor, during alarm conditions. Note: At Cyberstation Version 1.9 and higher, the Video Points dialog lists 16 video points. If you are using a VideoLayout, you can configure only points 1 through 4. If you are using the Video Monitor, you can configure points 1 through 16. See Task 12: Configure Video. Use the Video Points dialog to assign "video point" cameras. Use the Video Servers dropdown menu to select a video server on which the camera is located. Use the Cameras dropdown menu to select a camera for the numbered video point. (The camera must be configured and enabled on the selected video server.) Check the Rec. checkbox to enable the recording of a video clip from the selected camera. Recording begins at the moment the alarm goes off. In the Duration field, use the up and down arrows to select the number of seconds to record a video clip, once you check the Rec. checkbox. In the PTZ field, select the number of the preset camera view. These PTZ (pan, tilt, zoom) capabilities are configured on the Integral video servers, using Integral software.

Andover Continuum CyberStation Access Control Essentials Guide

95

Chapter 2: Configuring an Access Control System

If you are associating a VideoLayout with the video points for this object, then you must first reference these video points from the General tab of the VideoLayout editor. See Task 12: Configure Video.

More about Alarms

See the following topics in the CyberStation online help: EventNotification Editor AlarmEnrollment Editor Alarms Tab or Advanced Alarms Tab for the objects where you attach an alarm

96 Schneider Electric

Chapter 2: Configuring an Access Control System

Task 12: Configure Video

Andover Continuum access control systems provide complete videosurveillance capabilities. You can configure video servers and cameras at your site to monitor and record activities at many locations. There are two main Andover Continuum video-surveillance tools: Video Monitor (configured via its Video Administrator) Video Layouts The remainder of this section presents the following major video topics: About Video Monitor and Video Administrator About VideoLayouts Configuring Video via Video Monitor and Video Administrator Configuring Video Using VideoLayout

About Video Monitor and Video Administrator

Video Monitor is CyberStations powerful tool for viewing and recording video surveillance images in an Andover Continuum access-control system. Video Monitor, available in CyberStation Version 1.9 and higher, allows you to view and record video images from cameras assigned to doors or points that trigger alarm events. It allows you to monitor doors, immediately capture video images from doors, monitor door status, monitor a persons access to doors, and get alarm information as soon as it happens. You customize the way Video Monitor operates using its powerful configuration tool, Video Administrator. With Video Administrator, you can attach up to 16 cameras to a door or point. Video Monitor is then launched when an event associated with the door or point triggers an alarm.

Video Monitor Main Features

This subsection summarizes Video Monitors main features. For more detailed information, see the CyberStation help topic, Video Monitor and its associated topics.
Andover Continuum CyberStation Access Control Essentials Guide 97

Chapter 2: Configuring an Access Control System

The Video Monitor applications main screen comprises the following main sections. Active Video Events List The Active Video Events list, located along the top of the Video Monitor, lists recent alarm events (both door events and point events) as they happen. For each event, detailed information is displayed. In a door event listing, you can also actually unlock the door, momentarily. (The number of seconds the door is momentarily unlocked is determined by what was set in the Door Strike Seconds attribute on the Channels tab in the Door editor for that Door object.) Video Control Frames The video control frames section, located in the middle of the Video Monitor, comprises the two frames in which video images are displayed. For the camera associated with a door or point, the right-hand frame displays live video images, while the lefthand frame displays recorded (or live) images. This frame area also has video-image search, record, and playback buttons, and controls for video resolution and visual aesthetics. Door Events, Door Status, and Person Events These three tabs along the bottom of the Video Monitor display access-event and current-status information about a door and/or a person. Specifically, Door Events displays the latest access events for the door in alarm. Person Events displays access events of a person associated with doors. Video Monitor is shown on the next page

98 Schneider Electric

Chapter 2: Configuring an Access Control System

Video Administrator Main Features

This subsection summarizes Video Administrators major features. For more detailed information, see the CyberStation help topic, Video Administrator and its associated topics. Points tab This tab allows you to add doors/points, add, configure, and remove cameras, and preview a camera's video images. You can also arrange and customize the view of the points, servers, and cameras. Alarms tab On this tab, for every video server and every camera belonging to a server, you can monitor certain server/camera events,

Andover Continuum CyberStation Access Control Essentials Guide

99

Chapter 2: Configuring an Access Control System

such as motion detection and loss of video images, and generate alarm messages established for Pelco brand video servers. Settings tab This tab allows you to specify an executable program, so that you can execute it from Video Monitor's Run button. Video Administrator is shown below:

100

Schneider Electric

Chapter 2: Configuring an Access Control System

About VideoLayouts
A video layout is CyberStations other video-surveillance monitoring tool (version 1.7 and higher) represented as a CyberStation VideoLayout object. You configure a VideoLayout object via the VideoLayout editor, as well as via the Alarms tab (or Advanced Alarms tab) of the Door editor and various CyberStation point editors. You assign cameras to up to four video points for a Door object or a CyberStation point. A VideoLayout is launched when a door or point goes into alarm.

For more information see Configuring Video Using VideoLayout

Andover Continuum CyberStation Access Control Essentials Guide 101

Chapter 2: Configuring an Access Control System

Configuring Video via Video Monitor and Video Administrator

To create video via Video Monitor and Video Administrator, follow these procedures: Allow Access to and Enable Video Monitor and Video Administrator Create a VideoServer Object Configure Video Using Video Administrator

Allow Access to and Enable Video Monitor and Video Administrator

Follow this procedure to allow access to and enable Video Monitor and Video Administrator. 1. Ensure that Video Monitor (and Video Administrator) are activated in your sites Cyberstation security key (a key for version 1.9 or higher). Video Monitor is automatically enabled on all version 1.9 keys. If it is not activated in your 1.9 (or higher) key, or if you want it at your existing site, you must contact Schneider Electric for a special file to install. 2. Grant or deny permission to one or more user groups to use Video Monitor and Video Administrator via the Security editor, as follows. Note: Only the user groups containing one or more high-level system administrators at your site should have access to Video Administrator. Open the Security editor, select the Actions tab. Beneath the Actions column, scroll down to the Miscellaneous tab in the tree. Expand the Miscellaneous tab, and look for Run Video Monitor and Run Video Administrator. Under the Locks column, scroll horizontally to the user group(s) you want. (Each group 01, 02, and so on is a vertical column containing graphical keys and locks.)

102

Schneider Electric

Chapter 2: Configuring an Access Control System

For the Run Video Monitor row, under the user group you want, assign a key to grant access or assign a lock to deny access. For the Run Video Administrator row, under the user group you want, assign a key to grant access to a user group with appropriate system administrators, and assign a lock to deny access to everyone else. Click OK. Note: For each logged on user, a lock overrides the CyberStation security key and prevents the application from running. 3. Grant system administrators at your site permission to access and configure video servers, as follows: Open the Security editor, select the Actions tab. Beneath the Actions column, scroll down to VideoServer. Under the Locks column, scroll horizontally to the user group(s) containing system administrators. Click OK. See also Create a VideoServer Object 4. Grant system administrators at your site permission to access and configure Door objects and all points to which you must assign video. Use the Security editor Actions tab to do so, as you did in the last step. 5. Enable Video Monitor and Video Administrator. From the Preferences tab of the workstations Device editor, ensure that the Use Video Monitor setting is set to TRUE. This launches Video Monitor (instead of a VideoLayout) on an alarm event or manually when you click the video button on an alarm in Active Alarm View. When this preference is set to FALSE, VideoLayouts are used. Note: Video will only launch on an alarm event if the Display Video checkbox on the Actions tab of the EventNotification editor is checked. For more details, see Step 8.

Andover Continuum CyberStation Access Control Essentials Guide 103

Chapter 2: Configuring an Access Control System

6. Create one VideoServer object for every video server (for example, DVR, or Endura System Manager) at your site. If you create at least one Endura video server object, then workstations that do not have Endura video support enabled will not launch Video Monitor or Video Administrator. Error messages will appear when both Video Monitor and Video Administrator are launched indicating that Endura video support is not enabled. Note: As long as you have one Endura system with video enabled, video support becomes a site-wide requirement. Thus, you must ensure that all on-site workstations have Endura video support enabled. 7. Set the IP address, user name, and password. Note: A video server may have multiple users with different permissions. Ensure that the user entered when creating a video server object is able to search for and play back recorded video. Click the Test Connection or Learn Cameras button to verify connection to the video server. All of the recorded video clips are stored in DVR (Digital Video Recording) format. The supported platforms are: Digital Sentry including DS NVR, DS Express, and DS RealVue products Pelco Endura System version 1.x and 2.0 Note: If your video system integrates with Pelco Endura and video does not display properly, be aware that you may need to install Windows Media Player version 11. See your system administrator or refer to the CyberStation Installation Guide, part number 30-3001-720, for more information. 8. On the Actions tab of the EventNotification editor, for the EventNotification associated with each alarm, check the Display Video checkbox if you want the Video Monitor to launch when an alarm event occurs. (Video Monitor appears on those workstations where the alarm is delivered.)

104

Schneider Electric

Chapter 2: Configuring an Access Control System

Note: If you do not check the Display Video checkbox, Video Monitor must be opened manually, via the video button on an alarm, in the Active Alarm View. 9. Assign cameras to each door or point using the Video Administrator. (See Configure Video Using Video Administrator.)

Create a VideoServer Object

Before you can create video you must create a VideoServer object. This process enables you to then assign cameras. You create VideoServer objects in the Root or in a folder that was created in the Root. 1. Obtain the IP address, username, and password of the video server from your IT administrator to create a VideoServer object. 2. In Continuum Explorer, right click Root, select New, and then select Folder. 3. Enter a folder name, and click the Create button. 4. Right click the folder, select New, and then select VideoServer. 5. Enter a name for the server, and click the Create button. 6. In the VideoServer editor, enter the IP address, username, and password of the server. 7. Select the Server Type Pelco Type 1 (DS ConneX compatible) or Pelco Type 2 (Endura compatible). Note: You cannot select the Pelco Type 2 Server Type unless Endura video support is already enabled in your CyberStation product key. See your site administrator or your Schneider Electric customer service representative to obtain this support. 8. Click Apply. 9. Click the Test Connection button to confirm that CyberStation can communicate with the server. Connection successful displays below the button when communication is established. If communication fails, Error Connecting to Server displays instead.

Andover Continuum CyberStation Access Control Essentials Guide 105

Chapter 2: Configuring an Access Control System

10. Click the Learn Cameras button to learn the available cameras on the server whose IP address appears. Note: When you initially configure a new video server, you must press Learn Cameras in order to discover the cameras on the video server. When pressed, this button initiates a connection to the server, builds a camera list, and populates the database with that camera list. If you make any subsequent changes to your video network, such as adding or removing cameras, you must relearn the video server object by clicking Learn Cameras once more. Should you fail to do so, the current cameras on the video server will not be available. If the learn operation is successful, Learn Cameras Found (#) (where # is the number of cameras) displays. Should you learn Type 2 cameras, a Learn Endura Cameras dialog box displays with a progress bar showing the learn operation as it occurs.

Green indicators in the Camera, Encoder, Recorder, and Connection columns indicate that the video equipment is functioning normally. If there are any red indicators, you should check your Endura system to ensure it is operational, troubleshoot and make any necessary changes, and then attempt the learn operation again.
106 Schneider Electric

Chapter 2: Configuring an Access Control System

Any camera that has a red indicator in any column will not be 'learned.' As long as their status indicators are green, the remaining cameras in the list will be added, however. If the learn is not successful, Learn Cameras Failed appears instead. 11. Verify that you entered the correct IP address, username, and password for the server, and that the server is online if the error messages in Steps 9 and 10 display. 12. Click Close.

Configure Video Using Video Administrator

Follow this procedure to configure video using Video Administrator. (Video Administrator is Video Monitors configuration tool.) 1. Determine whether or not it is in your site's best interest to use the Video Monitor (and its Video Administrator) as opposed to the other CyberStation video surveillance tool, VideoLayouts. If you choose Video Monitor, proceed to Step 2. 2. Make a list of users at your site who should and should not have access permissions to the full functionality of both Video Administrator and Video Monitor. You will need to grant or deny access to this functionality. Note: Typically, only system administrators should have access to Video Administrator. 3. Allow system administrators access permissions to Video Administrator, and enable Video Administrator in CyberStation. For instructions, see Allow Access to and Enable Video Monitor and Video Administrator Note: This step, in part, involves granting only system administrators at your site permission to configure Video Administrator, permission to configure all video servers, and permission to configure all doors and points to which video will be assigned.

Andover Continuum CyberStation Access Control Essentials Guide 107

Chapter 2: Configuring an Access Control System

4. For every video server (DVR or System Manager for Pelco Endura) at your site, create a VideoServer object. (For instructions, see Create a VideoServer Object.) 5. Determine how many new doors/points you need to configure for use with Video Monitor in your CyberStation system. Write down the names of these doors/points, and make a note of where in the system they are located. 6. Determine the primary camera for each door/point, as well as how many additional cameras need to be assigned to that door/point. Write down the names of those cameras and note the doors/points to which they need to be assigned. Note: Be sure to name the cameras in advance at the video system front-end since you will be unable to change those names in Video Administrator. 7. Add a door or a point to Video Administrator. Click the Add Point button on the Points tab menu bar, and add the door or point for which you want to configure video. Note: Existing doors and points configured with camera assignments already in the database are automatically added to Video Administrator when it is launched. 8. Add a primary camera to the door or point in Video Administrator. Note: The first camera you add (that is, the primary) is the default camera displayed when Video Monitor launches for that point. Click the Add Camera button on the Points tab menu bar. Set its configuration properties, and see a preview of this camera's images, in the configuration properties pane. These include server name, camera name, record times, and PTZ (pan-tilt-zoom) presets. 9. Repeat Step 8 to add secondary cameras to the point or door. Note: The maximum number of 16 cameras is allowed for each door or point 10. Repeat Steps 7, 8, and 9, to add more doors and points to Video Administrator.

108 Schneider Electric

Chapter 2: Configuring an Access Control System

11. Choose a view, or customize your own view, for the way in which doors/points, cameras, servers, and so on, are grouped and listed in the "pivot table" on the Points tab. You accomplish this task using the View dropdown menu, as well as the Select All, Expand All, and Collapse All buttons on the Points tab menu bar. You also use the drag-and-drop customization features in the Points tab pivot table. 12. Select the Alarms tab. On the Alarms tab, for every video server and for every camera belonging to a video server, designate certain types of alarm events to monitor (and if necessary send alarm messages). These events include such conditions as loss of video images, motion detection, video server offline/online transitions, and so on. Note: These are not CyberStation alarms, although they do appear in CyberStation's Active Alarm View. Rather, these are Pelco brand video server alarms, intrinsic to Pelco video system functionality. The Alarms tab simply allows you to activate these video alarms, if you wish to receive messages based on these types of events. 13. Select the Settings tab. On the Settings tab, you may specify an executable program (such as a Plain English program or a calculator or Note Pad) so that it runs in Video Monitor when you click the Run button in the Video Monitor's Video Events section. 14. In the Video Administrator application, click Apply or OK. Note: If your video system integrates with Pelco Endura and video does not display properly, be aware that you may need to manually install Windows Media Player 10 or 11 on all CyberStation workstations using video. See your system administrator or refer to the CyberStation Installation Guide, part number 30-3001-720, for more information.

Andover Continuum CyberStation Access Control Essentials Guide 109

Chapter 2: Configuring an Access Control System

More about Video Monitor and Video Administrator

See the following topics in the CyberStation online help: Video Monitor and associated topics Video Administrator and associated topics VideoServer Editor and associated topics

Configuring Video Using VideoLayout

A video layout, represented as a VideoLayout object, is CyberStations other video-surveillance tool (version 1.7 and higher). The information covered in this task assumes that you have installed and configured a video server and cameras in your facility for use with CyberStation. Note: If you choose to use VideoLayouts, instead of Video Monitor, make sure the Use Video Monitor setting, located on Preferences tab of Device editor, is set to FALSE. In CyberStation, you work with two video-related objects: Each VideoServer object corresponds to a computer that you have set up as a video server and that manages one or more cameras. A network can have multiple video servers. Each VideoLayout object displays live or recorded video from up to nine cameras. When you attach an alarm to a CyberStation object, you can specify that a video layout be displayed with video feed from specific cameras.

Create a VideoServer
Creating a VideoServer enables you to then assign any of the cameras managed by the server to video layouts in CyberStation. You create VideoServer objects in the Root or in a folder that was created in the Root. For instructions, see Create a VideoServer Object, covered previously in this chapter.

110 Schneider Electric

Chapter 2: Configuring an Access Control System

Create a VideoLayout Object

In a VideoLayout object, you define video control frames, which are the viewing areas for video feeds from selected cameras. You create VideoLayout objects in Root or in a folder that was created in Root. 1. In Continuum Explorer, right click the folder that contains your video objects, select New, and then select VideoLayout. 2. Enter a name for the video layout, and click the Create button. 3. In the General tab of the VideoLayout editor, select the number and arrangement of video control frames that you want to display by clicking an option in the matrix in the right side of the editor.
Click the graphic that corresponds to the way you want video frames to be arranged in this video layout.

Note: If you are creating a layout for use with alarms in multiple objects, each requiring different cameras, assign cameras in the alarmed objects instead of in the layout. Bypass step 4, and proceed to step 5 in this procedure. 4. Right click a video frame, select Video Servers, select the video server, and then select the camera to assign to this frame. Repeat to assign cameras to the other frames in the layout. 5. To assign video points to up to four frames in the layout, right click a frame, select Video Points, and then select one of the available numbers (video points 1 through 4 only). Repeat to assign video points to additional frames.

Andover Continuum CyberStation Access Control Essentials Guide 111

Chapter 2: Configuring an Access Control System

The frames selected for video points will show the video feed when the video layout is displayed in response to an alarm .

Right click a frame to display the menu where you assign video points.

Note: Although 16 video points are listed, you may use only video points 1 through 4 with a VideoLayout. 6. Click OK.

Add a VideoLayout to the Alarms Tab of an Object

After you create a VideoLayout object and assign video points in it, you can add the video layout to the Alarms tab (or Advanced Alarms tab in some object editors) of an object so that the video layout is displayed when an alarm is triggered for the object. Note: The EventNotification object referenced in the AlarmEnrollment object(s) must have the Display Video option selected in the Actions tab of the EventNotification editor for a video layout to be displayed when the alarm occurs.
Display Video is at the bottom of the list of actions in the Actions tab of the EventNotification editor.

112

Schneider Electric

Chapter 2: Configuring an Access Control System

If this option is not selected, the video layout attached to the object is not displayed, even if the alarm occurs. See Create an Event-Notification Object for more information about actions in EventNotification objects. 1. In Continuum Explorer, double click the object to which you want to attach a video layout. 2. In the object editor, click the Alarms tab. 3. Click the Video browse button, and locate and select the video layout you want to attach to this object. 4. If the VideoLayout is configured using the video points, click the Video Points button. Note: In the Video Points dialog, select the video server and the camera to display video in up to four frames. At Cyberstation Version 1.9 and higher, the Video Points dialog lists 16 video points, but only points 1 through 4 are used with a VideoLayout.

Andover Continuum CyberStation Access Control Essentials Guide 113

Chapter 2: Configuring an Access Control System

5. To record video from a camera, select the Rec check box for that camera, and enter the number of seconds for Duration. 6. Click OK to return to the object editor.

7. Click OK.

More about Video Layouts

See the following topics in the CyberStation online help: VideoServer Editor and associated topics VideoLayout Editor and associated topics Using Video Points Alarms tab or Advanced Alarms Tab topics for the objects where you attach a video layout.

114

Schneider Electric

Chapter 2: Configuring an Access Control System

Task 13: Create Graphic Panels and Controls

The CyberStation application includes a graphics application, Pinpoint, that you use to create dynamic control panels that let you monitor and respond to access control events.

About Graphic Controls for Access Control

Pinpoint has several dynamic controls that are intended for access control: Pinpoint Control Description Shows door status. You can also use the control to lock or unlock the associated door, and to obtain information about the card holder of the card most recently read at the door. Door control Shows area lockdown status. You can also use the control to initiate area lockdown or clear the lockdown state. In addition, you can access and control the doors associated with the area. Displays the photo associated with a Personnel object.

Area control

Personnel photo control

Andover Continuum CyberStation Access Control Essentials Guide 115

Chapter 2: Configuring an Access Control System

Other Pinpoint controls and tools let you customize the appearance and operation of graphics panels as needed. For example: Use an image file of a floor plan as the panel background, and arrange door and area controls based on the physical location of the objects they represent. Use text, switch, button, and other controls to display information or perform specific actions, such as opening a Listview window.

Create a Graphics Panel and a Door Control

Create graphics panels in the controller that you want to own the panels. Typically, this controller also owns the doors that are shown in the graphics panel. 1. In Continuum Explorer, right click a controller, select New, and then select Graphics. 2. Enter a panel name, and click the Create button. The Pinpoint application opens and displays an empty panel. 3. Arrange the Pinpoint window and the Continuum Explorer viewing pane so that both are visible on your screen. 4. In Continuum Explorer, select a door, and drag it onto the graphics panel in the Pinpoint window.

116 Schneider Electric

Chapter 2: Configuring an Access Control System

A door control is created for you on the panel.

Select a door in the Continuum Explorer window, and drag it to the Pinpoint window. A door control is created for you in Pinpoint and is associated with the Door object you selected in Continuum Explorer.

5. Click the door control to open the Door Control dialog. 6. In the General tab, select the set of door graphics you want to use for Style. 7. Select the User Entry check box if you want to be able to execute commands from the control. If the User Entry check box is not checked, the control is viewonly.

Andover Continuum CyberStation Access Control Essentials Guide 117

Chapter 2: Configuring an Access Control System

8. Select the Switch Animation check box if you want to door control to reflect the state of the door switch, open or closed.

If the check box is not checked, the control reflects the state of the door lock, indicating whether the door is locked or unlocked. 9. Select the Personnel Data tab. 10. Select the attributes that you want displayed, and select the check box next to each attribute to enable it.

The selected attributes will be displayed in the Details dialog, which you access from a door control by right clicking the control. The dialog also shows the photo, if available, of the last person requesting access at the door.

118 Schneider Electric

Chapter 2: Configuring an Access Control System

11. In the Standard toolbar, click the Run Mode icon prompted, save changes to the panel.

, and if

12. Right click the door control to display a menu of actions you can take to control the door and obtain information about access events at the door. 13. To close the Pinpoint editor, click the close button in the upperright corner of the window. 14. Proceed to Task 14: Configure Reports on page 120.

More about Graphics Panels and Controls

See the Pinpoint Graphics topic in the CyberStation online help.

Andover Continuum CyberStation Access Control Essentials Guide 119

Chapter 2: Configuring an Access Control System

Task 14: Configure Reports

CyberStation provides powerful report-generation capabilities that enable you to gather, view and distribute data about events in your access control system.

About Report Objects

In a Report object, you specify the characteristics of the report that you want to generate: The data to include The report format (text, bar chart, pie chart, etc.) The output format, including whether the report is viewed on screen, printed, or saved to a file Whether the report is generated automatically or manually Whether the report is automatically e-mailed to a list of recipients

Create a Report
You can create reports in a folder or a controller. You may want to create a folder that stores all your reports.

120 Schneider Electric

Chapter 2: Configuring an Access Control System

1. In Continuum Explorer, right click Root, select New, and then select Folder. 2. Enter a folder name, and click the Create button. 3. Right click the folder, select New, and then select Report. 4. Enter a report name, and click the Create button. 5. In the Source tab of the Report editor, select a data source. The following data sources are intended for access control: Report Data Source Access Event Description Data associated with valid and invalid attempts to access doors or areas. If you select this data source, you can choose from 22 report types related to access events, such as most accessed doors, invalid attempts of an area, and most active person. Data from the AlarmEvent log in the CyberStation database. If you select this data source, you can choose from 22 report types related to alarms, such as most active alarmed object and active alarms per object. Data from the ActivityEvent log in the CyberStation database. If you select this data source, you can choose from 11 report types, such as login attempts per user and most common activities.

Alarm Event

Activity Event

6. Select a report type. 7. Select a chart type and subtype, which determine the presentation of your data.

Andover Continuum CyberStation Access Control Essentials Guide 121

Chapter 2: Configuring an Access Control System

To generate a tabular report, select Text.

8. Click the Configure Columns button. 9. In the Selectable Columns dialog, select column settings: Columns to include or exclude Sequence of columns Sort order of the data 10. Click OK. 11. Select the Filter tab. 12. Select the Log Filter radio button, and select a predefined filter for the time interval of the report OR The Time Interval radio button allows you to specify a custom time interval. 13. Select the Path browse button, and locate and select the controller with the objects that you want to include in the report.

122 Schneider Electric

Chapter 2: Configuring an Access Control System

14. Click the Add button to locate and select the objects in this controller that you want to include in the report.

15. Click the Output tab. 16. Options in this tab allow you to define the output format. You can use wildcards for the following data: %r represents the report type. %t represents the report date and time. %p represents the page number. 17. Select options for e-mailing the report and saving the report to a file, as needed. 18. Click Apply.

Andover Continuum CyberStation Access Control Essentials Guide 123

Chapter 2: Configuring an Access Control System

19. Click the View Report button to generate the report and display the content in the Report Viewer window.

20. Click the close button to close the Report Viewer window. 21. Click OK.

More about Reports

See Reports and Report Editor in the CyberStation online help.

124

Schneider Electric

Chapter 3
Monitoring an Access Control System

When your access control system is configured and operating, CyberStation has numerous features that enable you to monitor access control activity. This chapter introduces the following features: Alarm Status bar and Active Alarm View window EventView windows ListView windows

Andover Continuum CyberStation Access Control Essentials Guide 125

Chapter 3: Monitoring an Access Control System

Responding to Alarms
When you configure alarms, you typically specify that an alarm message be displayed at one or more CyberStation workstations. At a workstation, alarm messages appear either in the Alarm Status bar or in the Active Alarm View window, depending on settings in the EventNotification object associated with the alarm.

About the Alarm Status Bar

An alarm message is displayed in the Alarm Status bar when an alarm is triggered. If multiple alarms are active, the alarm displayed in the status bar is the first alarm that would appear in the list of alarms in the Active Alarm View window.

Buttons to the left of the message enable you to silence, mute, or acknowledge the alarm, and to perform other related actions.

About the Active Alarm View Window

The Active Alarm View window notifies you of alarms and provides information about current alarm conditions. The window displays automatically when an alarm occurs if you selected the Display Alarm View option in the EventNotification object associated with the alarm. If the window does not display automatically, you can display it by clicking the Alarm icon in the Alarm Status bar. You can open this window whether or not any alarms are currently active.

126 Schneider Electric

Chapter 3: Monitoring an Access Control System

This window updates in real time as alarms occur, are responded to, and/or the affected objects return to their normal state.

By default, alarms are sorted by priority. Alarms with a priority of 1 are considered the most urgent. They appear at the top of the list. Use buttons to the left of the entries in the list to respond to alarm notifications:
Button Description Acknowledge the alarm. Click this button when you have seen the alarm message and have taken the appropriate action to address the alarm condition. Your username is recorded in the Acknowledged by field for the alarm. If the workstation was beeping or playing audio, and if the alarm message was flashing, these stop when you click the Acknowledge button. Silence the audio associated with the alarm at all workstations that received the notification. Silencing an alarm does not acknowledge the alarm. Your username is recorded in the Silenced by field for the alarm. To silence audio at your workstation only, click in the toolbar, or click Mute! in the menu bar at the top of the Active Alarm View window. Additional toolbar buttons and menu options enable you to obtain more information about alarms and the objects associated with them.

Andover Continuum CyberStation Access Control Essentials Guide 127

Chapter 3: Monitoring an Access Control System

More about Responding to Alarms

See the Active Alarm View topic in the CyberStation online help.

128 Schneider Electric

Chapter 3: Monitoring an Access Control System

Monitoring Live Access Events

Active EventView windows are objects that provide real-time information about access events at doors that you specify. Using EventView windows, you can monitor ongoing activity, both routine and unexpected.

About Creating EventView Objects

You create EventView objects in the EventView editor. You can create multiple EventView objects, each customized to display selected events from specific doors. Settings you can define in the EventView editor include: Sort criteria to determine the display order of events Doors and events that you want to monitor Fonts and colors for different event types You can further customize an EventView window from menu options in the window itself. For example, the Add/Remove Columns option in the View menu lets you select the columns you want to display. You can also drag columns to change their sequence in the window.

More about EventView Objects

See the EventView Editor topic in the CyberStation online help.

Andover Continuum CyberStation Access Control Essentials Guide 129

Chapter 3: Monitoring an Access Control System

Using ListView Windows

ListView windows are objects that display a list of attribute values for an object class, such as Door objects or Personnel objects. You typically use ListView windows when you want to review the event history of an object or a person. For example, reviewing the event history may help you resolve a recurring problem, such as frequent Door Ajar events at a specific door.

130 Schneider Electric

Chapter 3: Monitoring an Access Control System

About Predefined ListView Objects

Several predefined ListView windows for access events are available from the ListViews page of the CyberStation main menu. The Personnel page also has predefined Listview windows for personnelrelated lists.

You can customize ListView windows using menu options in the windows. You can create and edit ListViews in the ListView editor.

About Creating ListView Objects

ListView objects are highly customizable. Settings that you can define include: Object class, including special ListView object classes, such as AlarmInformation, that you can use to track system events Whether the data displayed when you open a ListView window is the most recent available from the controllers or is retrieved from the CyberStation database (You can also update the window to get live data.) Filters for time intervals Path in which to look for objects of the selected class, which enables you to focus on objects of interest

Andover Continuum CyberStation Access Control Essentials Guide 131

Chapter 3: Monitoring an Access Control System

Columns included in the ListView window, their arrangement, fonts, and colors Qualifiers that further refine the selection of objects whose data is shown in the ListView window

More about ListView Objects

See the following topics in the CyberStation online help: ListView Editor CyberStation Main Screen

132 Schneider Electric

Chapter 4
Advanced Topics for Access Control

This chapter briefly describes additional features of CyberStation that can help you manage your access control system: Security Groups for CyberStation Users Using Area Lockdown Controlling Access with Condition Levels Adding FIPS-PIV Card Credentials

Andover Continuum CyberStation Access Control Essentials Guide 133

Chapter 4: Advanced Topics for Access Control

Security Groups for CyberStation Users

Just as you can customize personnel access to specific areas of your facility, you can also customize the access that users have to features and data in the CyberStation application. You accomplish this using three types of objects: User objects represent a real user in the CyberStation environment. Security groups enable you to define the access privileges needed by different types of CyberStation users. You can then assign users to appropriate security groups. Access privileges that you define for object classes in the Security editor apply to all objects in that class (for example, all doors, all personnel). SecurityLevel objects are CyberStation objects that you attach to other CyberStation objects or to containers. You use SecurityLevel objects if you want to further restrict security group access to individual objects, or to actions, such as deleting or editing, that may be taken with the individual objects. You attach a SecurityLevel object to each CyberStation container or object that you want to be controlled by those privileges. Access privileges that you define in the SecurityLevel editor for SecurityLevel objects apply only to the individual objects or containers that you attach them to. They do not apply to other objects in the same object class.

About User Objects

A user is a person who logs into a CyberStation workstation to monitor or manage your access control system. For each user, you create a User object that must include the following information: Username and password Security group(s) to which the user belongs The security group assignments of each user determine the objects and data the user can view and edit, and well as other actions they can perform, such as deleting objects. You can further define each users interaction with the CyberStation application by specifying the following in User objects:
134 Schneider Electric

Chapter 4: Advanced Topics for Access Control

Programs that start when the user logs in or out A graphics panel that is displayed when the user logs in A CyberStation menu page that is displayed when the user logs in A report program that runs when the user logs in For example, you might assign a graphics panel representing a floorplan of your building, with Pinpoint controls for doors, areas, and other objects, to be displayed when a security guard logs in to CyberStation.

Before Configuring Users

Youll use the User editor to configure each user of your system. Before using the editor, you need to know the following information about the person to whom you are giving access to the system: The users name. There are two name considerations: the name that is assigned to the User object that is created for the user and the Full Name that is entered in the User editor. The object name is the one that system recognizes. The password this user will use when logging on to CyberStation. (It must be between 0 and 16 alphanumeric characters as determined by the General Preferences setting.) What programs, reports, menu pages, or graphics panels you want to run when this User logs on. The CyberStation User Security Group(s) that this user will be assigned to. In order to use the User editor, you must first create a User object.

Creating a User Object

Create a user object for each person who requires access to the CyberStation software. At a minimum, you specify the following information: Object name, which is also the username the user enters to log on to CyberStation Password, which is also required to log on Security group or groups to which the user is assigned (See Chapter 4 for more information about security groups.)
Andover Continuum CyberStation Access Control Essentials Guide 135

Chapter 4: Advanced Topics for Access Control

You can also enter personal information for the user. Perform the following steps to create a User object: 1. In Continuum Explorer, right click the Root. 2. Select New, and then select User from the popup menu. 3. In the New dialog, enter the username in the Object name field. CyberStation fills in the Alias field, but you can change it if needed. 4. Click the Create button.

About Security Groups

A security group is an object that contains a collection of privileges for using CyberStation editors and applications and for viewing CyberStation data. Security groups enable you to define the access privileges needed by different types of users. After you set up security groups, you assign users to the appropriate security group(s) based on the access that each user needs. Note: You can assign multiple users to the same security group. You use the Security editor to specify the privileges of each security group. CyberStation provides 1024 security groups in which you can define access privileges. By default, the Security editor displays the first 128 of these. In the Actions tab of the Security editor, access privileges are organized in folders for object classes and actions. For example, the Area object class includes all the actions associated with Area objects and the list of tabs in the Area editor.

136 Schneider Electric

Chapter 4: Advanced Topics for Access Control

Each column corresponds to one security group. The lock and key icons indicate whether the security group has the access privilege ( ) or is denied the privilege (
Each column corresponds to one security group. Move the cursor over a column to display a tooltip showing the name of the security group.

).

Configuring User Security Groups

This section explains the process of configuring the security groups. This security also describes how to create SecurityLevel objects and use them with security groups to further customize CyberStation security. You use the Security editor to configure security groups. To access the Security editor, proceed as follows: 1. Right click the Continuum icon in your tooltray. 2. Select Security from the popup menu. This displays the Security editor.

Andover Continuum CyberStation Access Control Essentials Guide 137

Chapter 4: Advanced Topics for Access Control

Displaying Security Groups

CyberStation provides 1024 security groups for which you can assign access privileges. By default, the first 128 groups are displayed. You can display the additional groups as needed in multiples of 128 (256, 384, 512, and so on) up to 1024. Note: If you reduce the number of displayed security groups, users assigned to groups that are no longer displayed lose all access to CyberStation. Be sure to assign all users to security groups that are currently displayed. Security groups that are not displayed retain their settings and user assignments. If you later display these security groups, the settings in these groups will apply to any users assigned to them. 1. In the Group Names tab, select a value from the dropdown list for Number of Security Groups. 2. Click the Change button. If you select a smaller number of groups, you are prompted to confirm the change. Click Yes to continue. 3. Click Apply or OK.

Renaming Security Groups

By default, the security group names are Group 01 through Group 1024. You can rename the groups that you use, if you wish. 1. In the Group Names tab, use the vertical scroll bar to locate the security group name that you want to change. 2. Double click the group name, enter a new name, and press the Enter key. 3. Repeat steps 1 and 2 to rename other security groups as needed. 4. Click Apply or OK.

138 Schneider Electric

Chapter 4: Advanced Topics for Access Control

Displaying Access Privileges in the Actions Tab

1. Select the Actions tab. 2. Expand a folder to display the object classes or tasks (actions) within that folder. Expand an object class to display the actions and editor tabs for that object class. For example, expand the Area class to display the actions for Area objects and the list of tabs in the Area editor.

Security groups are displayed to the right of the action or the tab name. The icon used to identify each group indicates whether the group has access privileges for it: The Lock icon indicates that the users in the security group do not have access privileges; that is, the action or tab is locked for this security group.

Andover Continuum CyberStation Access Control Essentials Guide 139

Chapter 4: Advanced Topics for Access Control

The Key icon indicates that the users in the security group have access privileges; that is, the action or tab is unlocked for this security group. Position your cursor over an icon to display the name of the security group and the action or editor tab it represents. Group names are defined in the Group Names tab. You can edit the names as needed, and also select the number of security groups that are displayed.

Assigning Access Privileges for Security Groups

Use this procedure to assign or remove access privileges for security groups. You can also assign and remove privileges by copying access settings to other security groups and by importing security groups. Note: When you remove access privileges to view an object class for a security group, users in that group do not see that object in Continuum Explorer. If the objects are contained within a class folder, the class folder is not displayed when any of these users are logged into CyberStation. For example, if a user belongs to a security group that does not have access privileges to view Personnel objects, Personnel objects and the Personnel class folder are not displayed in Continuum Explorer when this user is logged into CyberStation. 1. Expand a view or folder. To assign access privileges to object classes, expand the Classes folder, and then expand an object class. A list of actions is displayed. If you expanded an object class, a list of the tab names in that object editor is displayed after the actions. Use the vertical scroll bar to locate the action for which you would like to assign access privileges. In addition to actions specific to that object class, if any, the following actions are listed for most object classes: Change Out of Service Users belonging to security groups with this privilege can enable and disable objects of this class. Create Users belonging to security groups with this privilege can create objects of this class.
140 Schneider Electric

Chapter 4: Advanced Topics for Access Control

Delete Users belonging to security groups with this privilege can delete objects of this class. Edit Users belonging to security groups with this privilege can open the editors of objects of this class, and modify object values in the editor. View Users belonging to security groups with this privilege can open the editors of objects of this class, but cannot modify any values unless they also have Edit privileges. These users will also be able to view the class folder for any objects for which they have view access (provided the users also have access to Continuum Explorer). Send To Text File Users belonging to security groups with this privilege can import and export object data to text files. 2. Assign or remove access privileges. If you want to... assign an access privilege for an action or an editor tab to a security group Then... In the row that contains the action or tab name, click the Lock icon for the security group that you want to have the privileges. The Key icon is now displayed for this security group, indicating that the group has access to the action or tab. remove an access privilege for an action or an editor tab from a security group In the row that contains the action or tab name, click the Key icon for the security group where you want to remove the privileges. The Lock icon is now displayed for this security group, indicating that the group does not have access to the action or tab.

Andover Continuum CyberStation Access Control Essentials Guide 141

Chapter 4: Advanced Topics for Access Control

assign access privileges to all actions within a view, object class, or folder

Right click the view, object class, or folder, and select Unlock Actions from the popup menu. In the Unlock Actions for Groups dialog, select the checkbox next to each security group that you want to have access, and click OK. The Key icon is now displayed for the selected security groups, indicating that the groups have access to all the actions (and editor tabs) in the view, object class, or folder.

remove access privileges to all actions within a view, object class, or folder

Right click the view, object class, or folder, and select Lock Actions from the popup menu. In the Lock Actions for Groups dialog, select the checkbox next to each security group that you do not want to have access, and click OK. The Lock icon is now displayed for the selected security groups, indicating that the groups do not have access to any of the actions (and editor tabs) in the view, object class, or folder.

3. Click OK.

142 Schneider Electric

Chapter 4: Advanced Topics for Access Control

Copying Access Privileges Between Security Groups

Use this procedure to copy the access privileges assigned to one security group to another security group. This is useful when you want to define privileges for a security group that are only slightly different from another security group. When you paste the copied access privileges to the destination security group, the privileges for all actions in all folders are replaced with the new privileges. You can then assign or remove privileges as needed. 1. In the Actions tab, expand a view or folder. 2. If needed, use the horizontal scroll bar to display the icon for the security group whose access privileges you want to copy. 3. Right click the security group, and select Copy Group from the popup menu.

4. If needed, use the horizontal scroll bar to display the icon for the security group where you want to paste the access privileges. 5. Right click the security group where you want to paste the privileges, and select Paste Group from the popup menu.

6. Assign or remove privileges as needed for the security group where you copied the access privileges. 7. Click Apply or OK.
Andover Continuum CyberStation Access Control Essentials Guide 143

Chapter 4: Advanced Topics for Access Control

About SecurityLevel Objects

SecurityLevel objects define access privileges for individual objects or containers. You use the SecurityLevel editor to specify the privileges assigned to security groups in each SecurityLevel object. (This process is very similar to assigning security group privileges in the Security editor.) You then attach a SecurityLevel object to CyberStation objects to further refine the access privileges that users have to those objects. If you attach a SecurityLevel object to a container object, such as a controller or a folder, access to all objects in the container is also controlled by the SecurityLevel object.
An object, such as a door, can have only one SecurityLevel object attached to it.

For example, by creating SecurityLevel objects that you attach to the controllers in each of your buildings, you could allow security guards in one building access to the doors in their building but not to doors in buildings monitored by other security staff.

144 Schneider Electric

Chapter 4: Advanced Topics for Access Control

Creating a SecurityLevel Object

Note: You cannot delete or move SecurityLevel objects. In Continuum Explorer, they must reside in Root. 1. In Continuum Explorer, right click Root. 2. Select New, and then select SecurityLevel from the popup menu. 3. Enter a name for the object, and click Open. 4. The SecurityLevel editor is displayed. You define access privileges for the SecurityLevel object in the Security tab of this editor.

Displaying Access Privileges in the Security Tab

Expand Classes to display the object classes. Expand an object class to display the actions and editor tabs for that object class. For example, expand the Area class to display the actions for Area objects and the list of tabs in the Area editor. Security groups are displayed to the right of the action or the tab name. The icon used to identify each group indicates whether the group has access privileges for it: The Lock icon indicates that the users in the security group do not have access privileges; that is, the action or tab is locked for this security group. The Key icon indicates that the users in the security group have access privileges; that is, the action or tab is unlocked for this security group. Position your cursor over an icon to display the name of the security group and the action or editor tab it represents. Group names are defined in the Group Names tab of the Security editor.

Andover Continuum CyberStation Access Control Essentials Guide 145

Chapter 4: Advanced Topics for Access Control

Universal Unlock Folder

Using the Universal Unlock folder, you can deny one or more user groups universal access and viewing privileges to all features of all objects to which the SecurityLevel object is attached. When you deny a security group access privileges (place a lock) in this folder, it overrides any other key (unlock) on any features throughout the system for that security group. It is a quick way to prevent access to every object to which the SecurityLevel object is attached for users in the security group. (Users are assigned to security groups in the Groups tab of the User editor.) When the universal lock is unlocked, all objects owned by a parent (folder or device) inherit the security level of the parent; security levels of each class are applied. To deny all access to any security group, lock the universal lock for that group. This simplifies the task of locking all access for a security group from a folder or a device.

Assigning Access Privileges in a SecurityLevel Object

Note: To protect your Andover Continuum system, reserve user security groups 1 and 128 (or the highest-numbered user security group your site uses) to have all keys unlocked for all classes. Do this for the base-level security and all object-level security (security levels). Be sure at least one user is assigned to both the first and your highest-numbered security groups. This ensures that at least one user will have full access to the system in case of an inadvertently locked action. Use this procedure to assign access privileges to security groups in a SecurityLevel object. 1. In the Security tab, expand the Classes folder, and then expand an object class. A list of actions is displayed, followed by a list of the tab names in that object editor.
146 Schneider Electric

Chapter 4: Advanced Topics for Access Control

Use the vertical scroll bar to locate the action for which you would like to assign access privileges. In addition to actions specific to that object class, if any, the following actions are listed for most object classes: Change Out of Service Users belonging to security groups with this privilege can enable and disable objects of this class. Create Users belonging to security groups with this privilege can create objects of this class. Delete Users belonging to security groups with this privilege can delete objects of this class. Edit Users belonging to security groups with this privilege can open the editors of objects of this class, and modify object values in the editor. View Users belonging to security groups with this privilege can open the editors of objects of this class, but cannot modify any values unless they also have Edit privileges. These users will also be able to view the class folder for any objects for which they have view access (provided the users also have access to Continuum Explorer). Send To Text File Users belonging to security groups with this privilege can import and export object data to text files. 2. Assign or remove access privileges. If you want to... assign an access privilege for an action or an editor tab to a security group Then... In the row that contains the action or tab name, click the Lock icon for the security group that you want to have the privileges. The Key icon is now displayed for this security group, indicating that the group has access to the action or tab.

Andover Continuum CyberStation Access Control Essentials Guide 147

Chapter 4: Advanced Topics for Access Control

remove an access privilege for an action or an editor tab from a security group assign access privileges to all actions within a view, object class, or folder

In the row that contains the action or tab name, click the Key icon for the security group where you want to remove the privileges. The Lock icon is now displayed for this security group, indicating that the group does not have access to the action or tab. Right click the view, object class, or folder, and select Unlock Actions from the popup menu. In the Unlock Actions for Groups dialog, select the checkbox next to each security group that you want to have access, and click OK. The Key icon is now displayed for the selected security groups, indicating that the groups have access to all the actions (and editor tabs) in the view, object class, or folder.

remove access privileges to all actions within a view, object class, or folder

Right click the view, object class, or folder, and select Lock Actions from the popup menu. In the Lock Actions for Groups dialog, select the checkbox next to each security group that you do not want to have access, and click OK. The Lock icon is now displayed for the selected security groups, indicating that the groups do not have access to any of the actions (and editor tabs) in the view, object class, or folder.

3. Click OK. You attach a SecurityLevel object to individual CyberStation objects in the SecurityLevel tab in their respective object editors. For more information, see the help topics for SecurityLevel tabs in the editors.

148 Schneider Electric

Chapter 4: Advanced Topics for Access Control

Copying Access Privileges from a Single Security Group to Another Group

Use this procedure to copy the access privileges assigned to one security group to another security group. This is useful when you want to define privileges for a security group that are only slightly different from another security group. When you paste the copied access privileges to the destination security group, the privileges for all actions in all folders are replaced with the new privileges. You can then assign or remove privileges as needed. 1. In the Security tab, expand an object class. 2. If needed, use the horizontal scroll bar to display the icon for the security group whose access privileges you want to copy. 3. Right click the security group, and select Copy Group from the popup menu.

4. If needed, use the horizontal scroll bar to display the icon for the security group where you want to paste the access privileges.

Andover Continuum CyberStation Access Control Essentials Guide 149

Chapter 4: Advanced Topics for Access Control

5. Right click the security group where you want to paste the privileges, and select Paste Group from the popup menu.

6. Assign or remove privileges as needed for the security group where you copied the access privileges. 7. Click Apply or OK.

More about Users and Security

See the following topics in the CyberStation online help: User Editor Security Group Editor SecurityLevel Editor

150 Schneider Electric

Chapter 4: Advanced Topics for Access Control

Using Area Lockdown

The area lockdown feature in the Area editor enables you to immediately prevent entry or exit through all doors to an area.

When the Lockdown state is in effect, only personnel with executive privilege access to the area can enter or leave it. You can also lock down individual doors instead of an entire area.

About Area Lockdown

The area lockdown feature is intended to help you quickly control access in emergencies: You can issue a lockdown message to prevent access through all doors assigned to an area. You can clear the Lockdown state to restore routine access to an area. You can lock down and restore access to individual doors in an area that is not locked down. You can view the lockdown status of an area and of the doors assigned to an area.

Andover Continuum CyberStation Access Control Essentials Guide 151

Chapter 4: Advanced Topics for Access Control

What Happens During Lockdown

When an area is locked down, the Lockdown state overrides the following access control features, and doors to the area are locked: Use of valid cards or keypad entries Requests to exit Schedules that unlock doors or allow access with valid cards or keypad entries Attempts to force unlock a door in the Door editor, through a Pinpoint control, or using a Plain English program Only personnel who are assigned executive privilege access and are assigned access rights to the area can enter or exit through a door in the Lockdown state. You select executive privilege access and assign area access rights in the Personnel object for each person that you want to have this access.
Enable the Executive Privilege attribute in personnel profiles to display and edit the value in Personnel objects.

When the Lockdown state is cleared from an area, routine access resumes at doors to the area (if adjacent areas are not in the Lockdown state).

Locking down an Area

Use this procedure to lock down all doors assigned to an Area object. This procedure describes how to lock down an area from the Area editor. Depending on how your CyberStation system is configured, you can also lock down areas using a Pinpoint area control, a Plain English program, or command line entry. 1. Open the Area object for the area that you want to lockdown. 2. In the General tab of the Area editor, click the Lockdown Area button.

152 Schneider Electric

Chapter 4: Advanced Topics for Access Control

3. To verify that all doors to the area are locked down, select the Doors to Area tab, and view the lockdown status of each door: A door is locked down when the value for ForceLock is True. A door is not locked down when the value for ForceLock is False. The value may be false because the controller for the door did not receive the lockdown message, or because the controller does not support the area lockdown feature. If a door could not respond to the lockdown message (for example, because its controller was temporarily offline), in the General tab you can click the Lockdown Area button to send the message again. 4. To remove the Lockdown state from the area, in the General tab, click the Clear Lockdown Area button. When you remove the Lockdown state, all doors to the area resume their normal states. A door that provides access to another area that is still locked down remains locked down until the Lockdown state is cleared from the other area.

Locking down Individual Doors

Use this procedure to lock down one or more doors that are assigned to an area that is not locked down. This procedure describes how to lock down doors from the Area editor. Depending on how your CyberStation system is configured, you can also lock down doors using a Pinpoint area control, a Plain English program, or command line entry. 1. Open the Area object for an area that is assigned the door that you want to lockdown. 2. Click the Doors to Area tab of the Area editor. 3. Select one or more doors, and click the Lockdown Selected Doors button. You can select multiple doors by holding down the Ctrl key or the Shift key while you select doors in the list. 4. To verify that all doors to the area are locked down, view the lockdown status of each door:

Andover Continuum CyberStation Access Control Essentials Guide 153

Chapter 4: Advanced Topics for Access Control

A door is locked down when the value for ForceLock is True. A door is not locked down when the value for ForceLock is False. The value may be false because the controller for the door did not receive the lockdown message, or because the controller does not support the area lockdown feature. If a door could not respond to the lockdown message (for example, because its controller was temporarily offline), in the General tab you can click the Lockdown Selected Doors button to send the message again. 5. To remove the Lockdown state from doors, select one or more doors, and click the Clear Lockdown Selected Doors button. When you remove the Lockdown state, doors resume their normal states. A door that provides access to an area that is locked down remains locked down until the Lockdown state is cleared from the other area.

More about Area Lockdown

Refer to the following related Area Lockdown topics in the CyberStation online help: Area Editor Personnel Manager Pinpoint Graphics topics

154 Schneider Electric

Chapter 4: Advanced Topics for Access Control

Controlling Access with Condition Levels

ConditionLevel is an InfinitySystemVariable object that is supported in ACX 57xx controllers. You use controller condition levels with personnel clearance levels to control access during different categories of emergency. Typically, the controller condition level corresponds to security alert levels that your company has established for emergencies. For example, a public facility in the United States might define condition levels that correspond to the five levels of the Department of Homeland Security (DHS) Advisory System, as shown in the following table. Clearance Level Needed for Access 1 2 or 1 3, 2, or 1 4, 3, 2, or 1 5, 4, 3, 2, or 1

DHS Level Severe High Elevated Guarded Low

DHS Color Red Orange Yellow Blue Green

Condition Level Level_01 Level_02 Level_03 Level_04 Level_05

In Personnel objects, you can specify clearance levels that correspond to these condition levels.
Enable the Default Clearance Level attribute in personnel profiles to view and edit the value in Personnel objects.

Andover Continuum CyberStation Access Control Essentials Guide 155

Chapter 4: Advanced Topics for Access Control

About Changing the Condition Level

You can quickly change the condition level at all controllers by sending them a new value for the ConditionLevel variable using the Global Condition Level dialog. This is a faster method of changing the values than manually changing the condition level at each controller. You can also restore the previous condition level at all controllers using this dialog.

Implementing Condition Levels and Clearance Levels

You can set up highly customized access that is tailored to the needs of your facility and the people who need access in normal and emergency situations. You can use up to 255 condition levels and clearance levels: 1 is the clearance level that allows the most access. That is, when the condition level is 1 (most severe alert), only personnel with a clearance level of 1 who are assigned to the area will have access. 255 is the clearance level that allows the least access. That is, the condition level must be 255 for personnel with a clearance level of 255 to be allowed access. Condition levels may also be turned off.

156 Schneider Electric

Chapter 4: Advanced Topics for Access Control

Sending a Condition Level Message to Controllers

Use this procedure to send a new value for the ConditionLevel system variable to all controllers. All controllers that receive the message and support the ConditionLevel system variable update the value of the variable with the new condition level. CyberStation also saves each controller's original value for ConditionLevel in the DB Value field in the CyberStation database. 1. In the CyberStation tool tray, right click the Continuum task icon, and select Global Condition Level. 2. Select a new condition level for Change To. You can select Level_0 for the value if you do not want the controllers to use the condition level value when validating access. 3. Click Change. 4. When prompted to confirm the change, click Yes. 5. When prompted that the condition level is changed, click OK.

Restoring Controller Condition Levels to Previous Levels

Use this procedure to send the ConditionLevel value that was saved in the DB Value field for each controller to the controllers. This is the ConditionLevel value that was in effect at each controller before CyberStation sent the new ConditionLevel value. For example, if the value for ConditionLevel at Controller A was originally 4, the value at that controller is once again 4. 1. In the task bar, right click the Continuum task icon, and select Global Condition Level. 2. Select Local for Change To. 3. Click Change. 4. When prompted to confirm the change, click Yes. 5. When prompted that the condition level is changed, click OK.

Andover Continuum CyberStation Access Control Essentials Guide 157

Chapter 4: Advanced Topics for Access Control

About Sending Condition Level Values to Individual Controllers

Using the Global Condition Level dialog enables you to change the value for ConditionLevel at multiple controllers with one command. You can also change the value for individual controllers: You can edit the ConditionLevel variable in the InfinitySystemVariable editor. You can enter a command to change the value from the command line. You can use a Plain English (PE) program to change the value. You can use PE script attached to a Pinpoint control to change the value. When you use the command line or a PE program to send a value for this variable, you must use the numeric value that corresponds to the condition level that you want to set. Do not use a text string. For example, if you want to use the SET command to change the value for ConditionLevel to Level 5, use the following syntax: SET \[pathname]\ConditionLevel = 5

More about Condition and Clearance Levels

See the following topics in the CyberStation online help: Global Condition Level Personnel Manager

158 Schneider Electric

Chapter 4: Advanced Topics for Access Control

Adding FIPS-PIV Card Credentials

Andover Continuum access control systems fully support sites that are required to have a special identification credential based on the Federal Information Processing Standard 201-1 for Personal Identity Verification (FIPS-PIV). This standard mandates United States government executive departments and agencies to have secure and reliable forms of identification for federal employees and contractors who gain physical access to controlled facilities and gain logical access to controlled information systems. Powerful access-control features are added to Andover Continuum systems to accommodate FIPS-PIV access-control requirements card formats, readers, verification processes, and so on in full compliance with the standard. To get started in understanding FIPS-PIV security identification, as well as how it is implemented in Andover Continuum access control systems, please read the following topics: Overview of FIPS-PIV Overview of FIPS-PIV cards and readers Configuring FIPS-PIV on a New System Transitioning an Existing system to FIPS-PIV See also all the referenced CyberStation online help topics.

Overview of FIPS-PIV
In 2004, Homeland Security Presidential Directive 12 (HSPD 12), entitled Policy for a Common Identification Standard for Federal Employees and Contractors, mandated executive departments and agencies to require secure and reliable forms of identification for federal employees and contractors when they attempt to gain physical access to controlled facilities and logical access to controlled information systems.

Andover Continuum CyberStation Access Control Essentials Guide 159

Chapter 4: Advanced Topics for Access Control

The HSPD 12 standard further specified that secure and reliable identification must be: Issued based on sound criteria for verifying an employees identity. Strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation. Rapidly authenticated electronically. Issued only by providers whose reliability has been established by an official accreditation process. FIPS 201-1 Standard for Personal Identity Verification (PIV) In response to HSPD 12, the National Institute of Standards and Technology (NIST) developed the Federal Information Processing Standard 201-1 for Personal Identity Verification (FIPS-PIV). This standard includes two parts: PIV I Meets the control objectives of HSPD 12 PIV II Meets the technical interoperability requirements of HSPD 12

PIV Middleware Providers

To meet the requirements of the standard, NIST has certified a number of PIV middleware providers that offer identity- and card-management services. These certified providers are responsible for enrolling personnel and issuing PIV cards via a process that adheres to the standard. This process includes services such as identity proofing, document validation, background checks, card enrollment, card issuance, and card activation, termination, and renewal. Schneider Electric has a partnership with middleware provider, ImageWare Corp., which supplies the Identity Management System/ Card Management System (IDMS/CMS). For more information, please see Identity Management System (IDMS).

Physical Access Control System (PACS)

Once a valid PIV credential has been activated, terminated, or updated, the relevant PIV credential information must be transferred to a Physical Access Control System (PACS) for use in access control decisions. A PACS supports FIPS 201-1 PIV credentials and FIPS 2011 card readers, and makes access control decisions based on the access control policies configured and the credentials presented at the reader.
160 Schneider Electric

Chapter 4: Advanced Topics for Access Control

The PIV credential is securely stored on the smart card in the Card Holder Unique Identifier (CHUID) container. Contactless readers, used in PACS applications, operate in transparent mode and retrieve the Federal Agency Smart Credential Number (FASC-N) from the PIV smart card and present the FASC-N via Wiegand output to the access control panel. (The output format of the contactless readers may vary and must be supported by the PACS.

Identity Management System (IDMS)

In addition to the PACS, a FIPS-PIV compliant access control system must also have an Identity Management System (IDMS). The IDMS is a central data repository for employee data, contractor data, and related credential status data. The IDMS, which adheres to the FIPS 201-1 standard and is certified by NIST, is not only a database but also a workflow management system that provides the following services: Verify the identity of employees and contractors Print/encode FIPS-PIV cards Activate FIPS-PIV cards Revoke FIPS-PIV cards Maintain FIPS-PIV cards and cardholder data Issue FIPS-PIV cards Export FIPS-PIV credential data to a PACS The IDMS is separate from the PACS system and most often from a different vendor. Because the FIPS-201-1 standard does not specify a method for exporting FIPS-PIV credential data to a PACS and synchronizing information between the two systems, Andover Continuum CyberStation provides the following methods for exporting IDMS data to the PACS and updating the Continuum database with new data from the IDMS: Manual entry of personnel/credential data CSV import of personnel/credential data CyberStation's Personnel Import Utility (PIU).

Andover Continuum CyberStation Access Control Essentials Guide 161

Chapter 4: Advanced Topics for Access Control

The PIU provides direct integration between the IDMS/CMS middleware (ImageWare Corp.) and the Continuum database. You can configure the PIU to import into the Continuum database any additions, changes, or updates to FIPS-PIV credential data stored in the ImageWare IDMS. You can also configure the PIU to monitor changes from the IDMS continuously to keep the Continuum database up to date. For more information on the PIU, see the CyberStation help topic Personnel Import Utility (PIU).

Overview of FIPS-PIV cards and readers

This topic provides an overview of FIPS-PIV cards and readers.

FIPS-PIV Cards
A FIPS-PIV card must be issued by a vendor that has been approved by the United States General Services Administration (GSA) and it must conform to the FIPS-201-1 standard for layout and printing requirements. To be considered secure and reliable identification, FIPS-PIV cards must be: Issued based on sound criteria for verifying a person's identity Strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation Rapidly authenticated electronically Issued only by providers whose reliability has been established by an official accreditation process The physical credential is a smart credential that contains a processor, memory, storage capacity, and an interface for accessing the credential data.

FIPS-PIV Readers
Physical access control systems typically use a contactless FIPS-PIV reader to read credential information from a FIPS-PIV card. Several vendors provide contactless FIPS-PIV readers. These readers must be on the GSA-approved list to conform to the FIPS-201-1 standard.
162 Schneider Electric

Chapter 4: Advanced Topics for Access Control

Contactless FIPS-PIV readers read the CHUID data from the FIPSPIV credential via a 13.65 mHz radio-frequency interface. The reader's output to the access control panel is a Wiegand signal that contains the credential information that is verified in access control decisions. FIPS-PIV readers may be purchased with various Wiegand output formats. The most common output formats are: 75-bit Wiegand signal 200-bit Wiegand signal An Andover Continuum system can be configured to handle either of these default outputs. A Continuum system may also be configured to handle a custom output Wiegand signal from the FIPS-PIV reader. For more information on custom FIPS-PIV format, see the CyberStation help topic, Defining a Custom FIPS-PIV String Format. The 75-bit Wiegand signal provides the access control panel with the following elements of the FASC-N on the FIPS-PIV card: Agency Code System Code Credential Number Expiration date The 200-bit Wiegand signal provides the access control panel with all of the elements of the FASC-N, but does not provide the expiration date of the credential. Some readers also provide the ability to read multiple card formats. These readers are typically known as multi-technology readers that read older credentials, as well as FIPS-PIV credentials. This provides flexibility when transitioning an existing system to use FIPS-PIV credentials.

Andover Continuum CyberStation Access Control Essentials Guide 163

Chapter 4: Advanced Topics for Access Control

Note: FIPS-PIV readers typically have higher power requirements than standard proximity readers. Be sure to check the power requirements of the readers, before they are installed, to determine if the Andover Continuum hardware (ACX 57xx controller, AC-1, AC-1 Plus) can supply ample power to your particular reader. In some cases, the readers may need to be externally powered.

Configuring FIPS-PIV on a New System

When configuring CyberStation for access control using FIPS-PIV credentials, use the following four major steps as a guideline for getting started: 1. Specify the appropriate set of Allowed Credentials in the system. 2. Enter or import the FIPS-PIV credentials for use in Access Control Decisions. 3. Configure a reader for the appropriate FIPS-PIV wiegand format 4. Set up access validation logic, as appropriate.

Specifying the Allowed Credentials

CyberStation version 1.9 and higher allows you to configure each Personnel object with multiple credentials/cards. The global setting, Allowed Credentials, controls which credential(s) may be configured for Personnel objects in the Continuum database. You access the Allowed Credentials global setting via the Allowed Credentials dialog:

164 Schneider Electric

Chapter 4: Advanced Topics for Access Control

Right click the Continuum icon in the system tray, and select Allowed Credentials, to display the Allowed Credentials dialog. For more information, please see the CyberStation help topic, Allowed Credentials Dialog. If you are configuring the site for access control using FIPS-PIV credentials only, the appropriate Allowed Credentials global setting would be: CredentialFIPS-PIV If the site uses a mix of FIPS-PIV and non-FIPS-PIV readers and credentials, the Allowed Credentials global setting may be set to: Credential1andFIPS-PIV or Credential2andFIPS-PIV Assigning dual credentials to a Personnel object allows you to configure the system so that a user may be configured with both a FIPS-PIV credential and a legacy credential (for example, Infinity37 proximity card).

Entering or Importing FIPS-PIV Credential Information

After selecting the appropriate Allowed Credentials setting, the FIPSPIV credential information is accessible via the Personnel Editor and the Personnel Manager. You may enter FIPS-PIV credential information manually or you may import it directly into the Continuum database via the CSV import function in the Personnel Import Utility (PIU).

Configuring a Door/Reader
When configuring the reader(s) of a door that is under the control of a FIPS-PIV reader, you must specify the output format of the FIPS-PIV reader. You may only specify one of the FIPS-PIV reader formats per reader. You may specify additional Wiegand formats if the physical reader attached to the panel is a multi-technology reader. All readers that are attached to a single network controller (ACX 57xx series or NetController II via IO Modules) must have the same FIPSPIV output format.
Andover Continuum CyberStation Access Control Essentials Guide 165

Chapter 4: Advanced Topics for Access Control

The following selections are available on the Card Formats tab of CyberStation's Door editor: FIPS_PIV_75 Bit Physical reader outputs 75 bit Wiegand signal FIPS_PIV_Full_FASC-N Physical reader outputs 200 bit Wiegand signal FIPS_PIV_Custom Physical reader outputs 75-254 bit Wiegand signal For more information, please see the CyberStation help topic, Defining a Custom FIPS-PIV String Format.

Transitioning an Existing system to FIPS-PIV

CyberStation's FIPS-PIV implementation can accommodate a smooth transition from a non-FIPS-PIV system to a system that uses FIPS-PIV credentials and readers. Since most sites that transition to FIPS-PIV already have cardholders and personnel with an existing credential (for example, Infinity37), those existing credentials will likely still be used to access areas whose readers have not yet been replaced with FIPS-PIV-compatible readers. Moreover, FIPS-PIV credentials may not have yet been issued to personnel, and they must use their Infinity37 credentials for access in the meantime. The following transitioning procedures/examples assume that existing personnel have Infinity37 cards and that the readers are configured for the Infinity37 card format. It also assumes that, during the transition period, personnel may have two credentials for access control. Once the transition period is over whereby all personnel have been issued a FIPS-PIV credential and all readers have been updated to FIPS-PIV readers the site may cut over to FIPS-PIV only. Note: The same steps outlined in the topic, Configuring FIPS-PIV on a New System, also apply when transitioning a site to FIPS-PIV, but with the following additional considerations.

166 Schneider Electric

Chapter 4: Advanced Topics for Access Control

Updating to FIPS-PIV Revision

Follow these major steps when updating an existing site to allow access with FIPS-PIV credentials 1. Upgrade all CyberStation workstations to version 1.9. 2. Upgrade all network controllers (ACX 57xx series, NetController II, and IO Modules) to FIPS-PIV-compatible revisions. 3. Reload the controllers. 4. Update/replace existing readers. Note: If readers are replaced with multi-technology readers, both Infinity37 and FIPS-PIV credentials may be used to access the area. If readers are replaced only with FIPS-PIV readers, only FIPS-PIV credentials can be read by the reader. Once the workstation software and controller firmware have been updated, verify that normal access control operations are still operational. In order to use FIPS-PIV credentials and readers, you site must have purchased (and the CyberStation security keys must have been enabled for) the Critical Security product option. Additionally, the ACX 57xx and NetController II controllers must have been purchased with or updated with the Critical Security product option.

Specifying the Allowed Credentials

After updating to the appropriate versions of workstation and controller software, all existing credential information for personnel objects is maintained. Continuum version 1.9 and higher allows you to configure each personnel object with multiple credentials/cards. The global setting, Allowed Credentials, controls which credential(s) may be configured for Personnel objects in the Continuum database.

Andover Continuum CyberStation Access Control Essentials Guide 167

Chapter 4: Advanced Topics for Access Control

You access the Allowed Credentials global setting via the Allowed Credentials dialog. Right click the Continuum icon in the system tray. (For more information, please see Allowed Credentials.) If you are configuring the site for access control using FIPS-PIV credentials only, the appropriate Allowed Credentials global setting would be: CredentialFIPS-PIV If the site uses a mix of FIPS-PIV and non-FIPS-PIV readers and credentials, the Allowed Credentials global setting may be set to: Credential1andFIPS-PIV orCredential2andFIPS-PIV Note: Changing Allowed Credentials to a new value that does not include Credential1 causes all personnel information stored in Credential1 to be permanently deleted. Assigning dual credentials to a Personnel object allows you to configure the system so that a user may be configured with both a FIPS-PIV credential and a legacy credential (for example, Infinity37 proximity card).

FIPS-PIV Credential Information

After selecting the appropriate Allowed Credentials setting, the FIPSPIV credential information is accessible via the Personnel Editor and the Personnel Manager. You may enter FIPS-PIV credential information manually or you may import it directly into the Continuum database via the CSV import function in the Personnel Import Utility (PIU). Personnel that have not yet been enrolled in an Identity Management System (IDMS) and have not yet been issued a FIPS-PIV credential have no data stored in their personnel records for their FIPS-PIV credentials. However, their Infinity37 credential data remain intact. These personnel may continue to user their Infinity37 credential for access. Personnel that have had their FIPS-PIV credential issued and their FIPS-PIV credential data imported into CyberStation may use their FIPS-PIV credential for access control.
168 Schneider Electric

Chapter 4: Advanced Topics for Access Control

Any readers that have not yet been updated with a FIPS-PIV reader may still be used with the Infinity37 credential.

Configuring a Door/Reader
When configuring the reader(s) of a door that is under the control of a FIPS-PIV reader, you must specify the output format of the FIPS-PIV reader. You may only specify one of the FIPS-PIV reader formats per reader. You may specify additional Wiegand formats if the physical reader attached to the panel is a multi-technology reader. All readers that are attached to a single network controller (ACX 57xx series or NetController II via IO Modules) must have the same FIPSPIV output format. The following selections are available on the Card Formats tab of CyberStation's Door editor: FIPS_PIV_75 Bit Physical reader outputs 75 bit Wiegand signal FIPS_PIV_Full_FASC-N Physical reader outputs 200 bit Wiegand signal FIPS_PIV_Custom Physical reader outputs 75-254 bit Wiegand signal For more information, please see the CyberStation help topic, Defining a Custom FIPS-PIV String Format.

Medium Assurance Profiles

Note: This topic is for the more advanced system administrator. In order to meet the requirements for Medium Assurance Profiles in a PACS, some FIPS-PIV reader manufacturers allow readers to be configured to generate and output a Hashed Message Authentication Code (HMAC) of the data contained within the CHUID on a FIPS-PIV credential. The HMAC provides assurance that the data programmed on the card has not been tampered with. If you have purchased a FIPS-PIV reader that provides an HMAC as part of the Wiegand output, you must configure the reader format in the Door editor to use the FIPS_PIV_Custom format. Additionally, you must set the appropriate value of the PIVReaderFormat system variable to tell the controller how to interpret the Wiegand data generated by the reader.
Andover Continuum CyberStation Access Control Essentials Guide 169

Chapter 4: Advanced Topics for Access Control

For more information on configuring the PIVReaderFormat system variable, please see the CyberStation help topic, Defining a Custom FIPS-PIV String Format. Once the PIVReaderFormat system variable is set appropriately, you must specify the HMAC value in each Personnel object's FIPS-PIV credential. To do this, you must read the person's FIPS-PIV credential via a FIPS-PIV reader that generates the HMAC. Schneider Electric recommends you assign a FIPS-PIV reader as an enrollment reader for this purpose. Once the enrollment reader is created, add the door to a CyberStation Active Event View and present a FIPS-PIV credential to the reader. From the Cyberstation Active Event View, you must then copy the HMAC for the invalid attempt and add it to the Personnel object's HMAC value in the person's FIPS-PIV credential.

More about FIPS-PIV

See the following topics in the CyberStation online help: Access Credentials Dialog FIPS-PIV Attributes for Personnel Manager FIPS-PIV Tab for Personnel Editor Defining a Custom FIPS String Format

170 Schneider Electric

Andover Continuum CyberStation Access Control Essentials Guide Document Number: 30-3001-405 Revision C