OPENPATH ACCESS CONTROL SYSTEM USER GUIDE FOR ADMINISTRATOR WEB PORTAL V1.
Table of Contents
Openpath Admin Portal User Guide
NEW FEATURES | APRIL 2019
GETTING STARTED
TERMINOLOGY
LOGGING IN
DASHBOARD
MAIN DASHBOARD
HARDWARE DASHBOARD
USERS
USER MANAGEMENT
CREATE USER
IMPORT USERS
ISSUE CREDENTIALS
CREATE A MOBILE CREDENTIAL
ADD A WIEGAND CREDENTIAL
USER ACCESS
USER SECURITY
MANAGING USERS
GUEST ACCESS LINKS AND WEBHOOK URLS
GROUP MANAGEMENT
CREATE GROUPS
ROLE MANAGEMENT
CREATE ROLES
SCHEDULE MANAGEMENT
CREATE SCHEDULE
MULTIPLE SCHEDULES
SITES
SITE MANAGEMENT
CREATE SITES
ZONE MA
ENTRY STATE MANAGEMENT
CREATE ENTRY STATE
HARDWARE
ACU MANAGEMENT
ADD ACU
READER MANAGEMENT
ADD READER
REPORTS
ACTIVITY LOGS
USER ACTIVITY AND ENTRY ACTIVITY
INTEGRATIONS
IDENTITY PROVIDERS
GOOGLE G SUITE
MICROSOFT AZURE ACTIVE DIRECTORY
OKTA
SINGLE SIGN-ON
MANUALLY SYNC
INBOUND WEBHOOKS
OUTBOUND WEBHOOKS
SUBSCRIPTIONS
HOOK ACTIONS
OTHER INTEGRATIONS
ADMINISTRATION
ORGANIZATION DETAILS
BILLING
ALERT SETTINGS
QUICK START
MY PROFILE
USER DATA MODEL
CONFIGURING OPENPATH WITH LEGACY SYSTEMS
REGULATORY
NEW FEATURES | APRIL 2019
● Export data to CSV files from most tables in the Control Center (for example, see USER MANAGEMENT). Tables are now re-sizable by clicking and dragging the sides of columns.
● Activity Logs now have a Denied Reason column that provides details on why access attempts are denied. See ACTIVITY LOGS.
● You can link an Entry without hardware to an ACU.
● Smart Reader: A device installed near an Entry capable of reading information stored on key cards, fobs, and Openpath mobile credentials.
● Trigger Method: A combination of credential type and 1FA/2FA.
● User: A person defined in the Control Center with credentials.
● Wiegand Reader: A device installed near an Entry capable of reading information stored on a Wiegand card and transmitting to an access control unit.
● Zone: Contains one or more Entries within a Site.
DASHBOARD

MAIN DASHBOARD
Once logged in, you will see the home screen where the Dashboard shows the latest Entry statistics. On the Main Dashboard, you can quickly see your organization’s usage statistics as well as the current state for locks and Entries. The data on the Dashboard is real time, so as soon as an Entry unlock is made or denied or a lock state changes, the data displayed will update immediately.
Select an ACU to see its associated readers. Use Remote Diagnostics to assess and identify individual devices:
● Identify: Clicking this next to an ACU will cause the Status LED on the ACU to flash green. Clicking it next to a reader will cause the following:
  ○ the reader’s center dot will light up green
  ○ the reader’s outer ring LED will light up and spin
  ○ the reader’s buzzer will beep several times
● Refresh: Refresh an ACU to send the latest data from the physical device to the Control Center.
USERS
The Users tab lets you manage and import users, as well as create and define groups and roles for users.

USER MANAGEMENT
The User Management screen is where you can view and manage users. You can export user data to CSV by clicking Export Data. Filters can be used on any of the columns to narrow down the users shown in the view. The Identity Provider column will list the master user database from where the users were created (within the portal, from Active Directory, G Suite, etc.).
IMPORT USERS
In addition to creating individual users, you can also bulk import users via CSV. Under the Users tab, click Import Users (or from the User Management page, click the blue Import Users button). There you can upload a CSV file with your users’ info. A sample CSV with the required fields is also included on the page. You can also import users by using a directory service integration. See INTEGRATIONS.

ISSUE CREDENTIALS
Once you have created users, you can issue credentials.
  ○ Cloud Key (used for providing Guest Access Links)
  ○ Card: Openpath/MIFARE (CSN) – Fast
  ○ Card: Openpath DESFire (Encrypted) – Secure
  ○ Card: Wiegand ID
  ○ PIN Code (this option requires a non-Openpath reader)
● Enter the required information then click Create.

CREATE A MOBILE CREDENTIAL
After you create a mobile credential, click Send to send an email instructing the user to set up their mobile device as a credential.
USER SECURITY
The Security tab is where you can manage Multi-Factor Authentication (MFA) credentials. You cannot add MFA credentials for other users; you can only view and delete them. You can add an MFA credential for yourself under MY PROFILE.
● Reset Anti-Passback: if using Anti-Passback, resets a user’s Anti-Passback state. See ANTI-PASSBACK.

GUEST ACCESS LINKS AND WEBHOOK URLS
Users with Cloud Keys can share temporary Guest Access Links and generate webhook URLs. Webhook URLs can be used to open Entries via a web browser or integrated into software or external services.
● To generate links, click on a user to go to their User Details, then click on the Credentials tab in the upper right-hand corner.
GROUP MANAGEMENT
The Group Management page is where you can create and manage groups for users. Groups let you assign access and Entry permissions for one or more users, and they’re useful for organizing your user base by department or role. You can export group data to CSV by clicking Export Data.

CREATE GROUPS
● To create a new group, click the blue Create Group button in the top left corner.
● Enter a name, description, and assign users.
ROLE MANAGEMENT
A role is a set of portal access permissions that can be assigned to users. There are two default roles that cannot be edited:
● Entry User – all users are automatically assigned this role upon creation. This role is required for letting users open Entries via the mobile app.
● Super Admin – gives full portal access with edit permissions.
Note: Users with the Super Admin role can assign and revoke portal access for other users.
CREATE ROLES
● To create a new role, click the blue Create Role button in the top left corner.
● Enter a name, description, and assign users. Select the permissions you’d like this role to have, then click the blue Save button in the lower right corner.
Note: You can assign multiple roles to the same user. The user’s permissions will be cumulative across all assigned roles.

SCHEDULE MANAGEMENT
Schedule Management is where you can define schedules for users and groups.
You can export schedule data to CSV by clicking Export Data.

CREATE SCHEDULE
● To create a user/group schedule, click the blue Create Schedule button in the top left corner.
● Enter a name, then click Save.
● Next, click on the Scheduled Events tab to define the schedule.
● Click the blue Create Event button.
● Choose between a Repeating Event and a One-Time Event. In this example, we’re creating a normal business hours schedule, so we’ll define a Repeating Event.
MULTIPLE SCHEDULES
You can assign multiple user/group schedules to users/groups. Access is cumulative of the assigned schedules. For example, if a user has a group schedule that gives access 9:00 am to 5:00 pm and a user schedule that gives access 3:00 pm to 9:00 pm, then that user will have a combined access of 9:00 am to 9:00 pm.

SITES
Sites are physical locations (like office buildings) comprised of Zones and Entries. You should create a Site for every location where you have Openpath installed.
CREATE SITES
● To create a new Site, click the blue Create Site button in the top left corner.
● Enter a Site Name and click Add Site Details. Enter the address and a phone number for the Site and click the blue Save button.

ZONE MANAGEMENT
The Zone Management page is where you can view and manage Zones. Zones are groups of one or more Entries that you can assign to Sites. Zones are useful for breaking up large Sites into smaller areas like floors or common areas (in multi-tenant scenarios).
ZONE SHARING
Zones can be shared between multiple Openpath customers. This is useful if you’re a landlord who wants to share a Zone of common Entries with multiple tenants. Recipients cannot edit shared Zones.

CREATE ZONE
● To create a Zone, click the blue Create Zone button in the top left corner.
● Enter a name and description (optional) and select the Site to which the Zone will be assigned.
Note: A Zone can only be assigned to one Site, but a Site can have multiple Zones assigned to it.
ANTI-PASSBACK
Anti-Passback lets you define a sequence in which Entries must be accessed in order to gain Entry. Sequences are defined using Areas – each Area contains a set of inbound and outbound Entries. For each Area, after every successful inbound Entry the user must exit through an outbound Entry before entering an inbound Entry again. This feature is commonly used with parking gates and helps prevent users from sharing credentials with other users.
Note: Anti-Passback logic also applies to cloud key credentials and other remote unlock methods. In general, you might not want to allow remote unlock methods on Zones with Anti-Passback enabled.

RESET ANTI-PASSBACK
You can reset Anti-Passback in two ways: on the Zone level and on the user level.
● To reset Anti-Passback on the Zone level, go to Zone Management and click Reset Anti-Passback under the Anti-Passback column.
● To reset Anti-Passback on a user (or multiple users), see MANAGING USERS.
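
The Anti-Passback rule and the two reset levels described above, modeled as an added example (not Openpath's code and not part of the original guide). The class, Entry and Area names and the denied-reason text are constructed for illustration, and the model assumes that exiting without a recorded inbound Entry is allowed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Area:
    name: str
    inbound: frozenset   # Entry names that count as entering the Area
    outbound: frozenset  # Entry names that count as leaving the Area


class ZoneAntiPassback:
    """Per-user Anti-Passback state for the Areas of one Zone (illustrative model)."""

    def __init__(self, areas):
        self.areas = list(areas)
        self.inside = set()  # (user, area name) pairs currently marked "in"

    def request(self, user, entry):
        """Return (granted, denied_reason); every trigger method, remote ones
        included, goes through the same check, as the note above describes."""
        # Phase 1: check every Area before changing state, so a denial leaves no trace.
        for area in self.areas:
            if entry in area.inbound and (user, area.name) in self.inside:
                return False, f"anti-passback: already inside {area.name}"
        # Phase 2: record the movement. Assumption: an exit with no prior
        # inbound Entry is allowed and simply leaves the user marked "out".
        for area in self.areas:
            if entry in area.inbound:
                self.inside.add((user, area.name))
            elif entry in area.outbound:
                self.inside.discard((user, area.name))
        return True, None

    def reset_user(self, user):
        """User-level reset: forget where this one user is."""
        self.inside = {(u, a) for (u, a) in self.inside if u != user}

    def reset_zone(self):
        """Zone-level reset: forget every user's state in this Zone."""
        self.inside.clear()


def demo():
    # Constructed sample: one parking Area with one gate in each direction.
    garage = Area("Garage", frozenset({"Gate In"}), frozenset({"Gate Out"}))
    zone = ZoneAntiPassback([garage])
    results = [
        zone.request("alice", "Gate In"),   # first inbound Entry: granted
        zone.request("alice", "Gate In"),   # credential passed back: denied
        zone.request("bob", "Gate In"),     # state is per user: granted
        zone.request("alice", "Gate Out"),  # exit clears alice's state
        zone.request("alice", "Gate In"),   # granted again
    ]
    zone.reset_user("bob")                  # bob never exited; admin resets him
    results.append(zone.request("bob", "Gate In"))
    return results
```
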
Note: Your Openpath installer may provision some or all of the following features for you during the installation process.

CREATE ENTRY
● To create a new Entry, click the blue Create Entry button in the top left corner.
● Enter a name and select the Zone (optional) and ACU to which this Entry belongs. Once you select an ACU, more Entry settings will display.
ENTRY SETTINGS

ENTRY BEHAVIOR
Entry Behavior is where you set the Default State for the Entry. See ENTRY STATE MANAGEMENT.

ENTRY/EXIT HARDWARE
Entry/Exit Hardware is where you can select a relay to use on the ACU (or expansion board), like for controlling electric strikes or maglocks.
● Port – select which port to assign the reader, from Relay 1-4. Technically, the electric strike is wired to one of the 4 ACU ports, and the reader is wired to the strike.
OPENPATH READER
Associate the Entry with the Openpath Reader.
● Port – select the port on the ACU to which the Openpath Reader is connected.
● Card Reading – enable this to allow RFID/NFC cards at this reader.
● Touch to Unlock – enable this to allow Touch Entry. Set the range using the slider.
● Auto Proximity Unlock – enable this to unlock the Entry when a user with a valid mobile credential is in range of the reader. Set the range using the slider.
REQUEST TO EXIT
Often, doors will have a Request to Exit button or sensor that will unlock the door from the inside.
● Port – select the port for the Request to Exit device to which the Entry is wired.
● Mode – this is an electrical term regarding how the Request to Exit device sends the command to the ACU. Your installer will be able to give you guidance on whether the Mode should be set to Normally Closed or Normally Open for a particular Entry configuration.
● Forced-Open Detection – if enabled, an Entry opening without first unlocking through Openpath or triggering the REX will generate an event.
Contact sensor events can trigger alerts. See ALERT SETTINGS. They can also be used to trigger custom integrations. See OUTBOUND WEBHOOKS.

WIEGAND DEVICE
Openpath is compatible with legacy Wiegand Devices.
● Port – select the port for the Wiegand Device to which this Entry is wired.
could be set to an unlocked state during normal business hours, Monday – Friday, for the relevant time Zone.
1. To assign a schedule, click on the Entry to edit it, then click on the Schedule tab in the upper right-hand corner.
2. Click Create Event to create a new schedule for this Entry.
3. Choose between a Repeating Event and a One-Time Event.
4. Enter a Start and End Time, choose a Time Zone, and select which days this event will occur (if a Repeating Event).
5.
ENTRY STATE MANAGEMENT
An Entry State defines whether an Entry is unlocked and what access methods may be used to unlock it.
2. Use the sliders shown above to enable the trigger methods you want to be valid with this Entry State. Definitions for the various methods are provided at the bottom of the page.
3. Click the blue Create button when finished.

HARDWARE
Hardware is divided into two categories: ACUs and Readers.

ACU MANAGEMENT
The ACU Management screen is where you can view and manage ACUs. You can export ACU data to CSV by clicking Export Data.
ADD ACU
1. To add a new ACU, click the blue Add ACU button in the top left corner.
2. Enter a name for the ACU – names are usually relevant to the location where the ACU is installed.
3. If using an expansion board, select it from the Add ACU Expansion Board drop-down; otherwise leave it as Openpath ACU.
4. Click the blue Add button. A description of the ACU will appear in green. Click Save.
Once you add an ACU to the system, you need to register it (also known as provisioning).
ADD READER
1. To add a new reader, click the blue Add Reader button in the top left corner.
2. Enter a name for the reader – names are usually relevant to the location where the reader is installed.
3. Select the ACU to which this reader belongs.
4. Select the port to which this reader is wired.
5. Click Save.

REPORTS
Reports are where you can view activity logs, user activity, and entry activity.
The default view lists requests chronologically with most recent first. Filters can be used on the columns to narrow down the requests shown in the view. The Denied Reason column provides information on why access is denied.

USER ACTIVITY AND ENTRY ACTIVITY
You can view user activity and entry activity via helpful charts and diagrams. All data can be exported to CSV.
GOOGLE G SUITE
Note: To enable this feature, you must have administrative privileges in your Google G Suite account.
1. Under Integrations > Identity Providers, click Get Started on the G Suite integration.
2. Google will prompt you to sign in. Sign in with your G Suite account and allow Openpath to access your users and groups. This is also where you can enable the Single Sign On feature. Be sure to take note of the namespace.
3.
MICROSOFT AZURE ACTIVE DIRECTORY
Note: To enable this feature, you must have administrative privileges in your Azure Active Directory account.
1. Under Integrations > Identity Providers, click Get Started on the Microsoft Azure AD integration.
2. Microsoft will prompt you to sign in. Sign in with your Azure AD account and allow Openpath to access your users and groups. This is also where you can enable the Single Sign On feature. Be sure to take note of the namespace.
3.
OKTA
Note: To enable this feature, you must have administrative privileges in your Okta account. We recommend using a dedicated service account that uses only the “Group” role as that role contains only the permissions that Openpath requires to synchronize your users and groups.
1. Under Integrations > Identity Providers, click Get Started on the Okta integration.
2. Enter your API URL.
SINGLE SIGN-ON
Google G Suite and Microsoft Azure Active Directory integrations support Single Sign-On (SSO). If enabled, users with portal access can log into the Control Center with their identity provider credentials.
Note: Openpath requires that you keep at least one Openpath-native administrative account in case there are ever any issues connecting to your identity provider.

MANUALLY SYNC
After setup, you now have an option to Manually Sync. You can perform this action at any time.
INBOUND WEBHOOKS
The Inbound Webhooks screen provides information on setting up webhooks for users and unlock events.

OUTBOUND WEBHOOKS

SUBSCRIPTIONS
An outbound webhook subscription allows you to set up a listener for a "hook event," which will then trigger your choice of either a POST to your own specified target URL, or a "hook action" which is essentially a customized JSON configuration.
HOOK ACTIONS
Hook actions are customized JSON configurations that are used as triggers for subscriptions. They handle specialized integration setups, such as triggering the disable of your ADT alarm. Hook actions are currently set up by the Openpath support team to handle a defined set of hooks that Openpath can process on your ACU. We expose the JSON configuration here, but highly recommend that you do not edit the configuration.
BILLING
The Billing page is where you set up payment details for your Openpath subscription and accept the Terms and Conditions.

ALERT SETTINGS
Configure Alert Settings to receive email or SMS (US mobile numbers only) warnings regarding:
● Billing – invalid payments, expired terms, and/or your account being frozen
● Entry Ajar – an Entry entering or leaving the ajar alarm state (i.e. when the contact sensor reports the door being open longer than the set duration).
MFA Device such as Google Authenticator. This gives you an extra layer of security when logging into the Control Center.

USER DATA MODEL
If you have portal access to more than one org, or you’re using multiple identity provider integrations with SSO enabled, you should be familiar with how the Openpath user data model works. A namespace is a contained pool of emails, all of which must be unique within the namespace.
authentication or SSO). For example, you might have one identity (me@company.com) from when the org was created (under the local org namespace) that is authenticated through email and password. If you sync with an identity provider that has the same email (me@company.com) in it, another identity will be created under the identity provider namespace. Identities are separate from, but related to, users.
If you’re supporting a legacy system, there are a few items you need to configure in the Control Center:
● Under Entry settings, configure the Wiegand Device to Output (Gateway) mode. See WIEGAND DEVICE.
  ○ If you want card data to pass directly through to the legacy panel (without being authenticated by the Smart Hub ACU), enable Gateway Credential Pass-Through.
FCC RF exposure compliance requirements, a separation distance of at least 20 cm should be maintained between the antenna of Openpath Smart Reader(s) and persons during operation. NOTE: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment.