USM-Device Administration Portal-ENG

Device Administration Portal
Device Administration Portal

Document: USM-Device Administration Portal-ENG.pdf
Version: 11.20.B
Printed: 18.12.2020
© 2020 Spica International
Spica International
Pot k sejmiscu 33
1231 Ljubljana
Slovenia
Tel: +386 1 568 08 00

Fax: +386 1 568 08 88
E-mail: info@spica.com
www.spica.com
Contents I
Table of Contents
1 Device Administration Portal 1

1.1 Introduction
................................................................................................................................... 1
1.2 End-user
...................................................................................................................................
software license agreement 2
1.3 Technical
...................................................................................................................................
support 4
2 Configuring the system 5

2.1 Login ................................................................................................................................... 7
3 Installation 8
3.1 System...................................................................................................................................
requirements 9
3.1.1 Window s Features
..........................................................................................................................................................
configuration 10
3.1.1.1 Internet Information
.........................................................................................................................................................
Services (IIS) 10
3.1.1.2 Microsoft Message
.........................................................................................................................................................
Queue (MSMQ) Server 17
3.1.1.3 Internet Explorer
.........................................................................................................................................................
tw eaks 19
3.2 Installation
...................................................................................................................................
procedure 20
3.2.1 Custom izable..........................................................................................................................................................
application param eters 27
3.2.1.1 DAP - Web.config
......................................................................................................................................................... 28
3.2.1.2 EP - Event .........................................................................................................................................................
Processor Service.exe.config 29
3.2.1.3 DC - Device.........................................................................................................................................................
Communicator Service.exe.config 32
3.2.1.4 Space API.........................................................................................................................................................
- Space API Service.exe.config 36
3.2.2 Encrypted com ..........................................................................................................................................................
m unication channel on the portal 37
3.2.3 Adding or rem..........................................................................................................................................................
oving com ponents 44
4 Main views 45
4.1 Overview
................................................................................................................................... 46
4.2 Servers
................................................................................................................................... 47
4.2.1 Server details.......................................................................................................................................................... 47
4.2.2 Assigned devices
.......................................................................................................................................................... 49
4.3 Devices
................................................................................................................................... 50
4.3.1 Device .......................................................................................................................................................... 51
4.3.1.1 General ......................................................................................................................................................... 51
4.3.1.2 Connection......................................................................................................................................................... 52
TCP Settings ......................................................................................................................................... 53
4.3.1.3 Readers ......................................................................................................................................................... 55
General ......................................................................................................................................... 56
Restrictions ......................................................................................................................................... 58
User Interface Events ......................................................................................................................................... 59
Advanced ......................................................................................................................................... 60
4.3.1.4 User Interfaces
......................................................................................................................................................... 61
General ......................................................................................................................................... 62
Events ......................................................................................................................................... 63
4.3.1.5 Inputs ......................................................................................................................................................... 64
General ......................................................................................................................................... 65

II Device Administration Portal
4.3.1.6 Outputs ......................................................................................................................................................... 67

General ......................................................................................................................................... 68
Activated by ......................................................................................................................................... 70
Deactivated by ......................................................................................................................................... 71
Schedules ......................................................................................................................................... 72
Advanced ......................................................................................................................................... 73
4.3.1.7 Alarms ......................................................................................................................................................... 74
General ......................................................................................................................................... 75
Triggers ......................................................................................................................................... 76
Conditions ......................................................................................................................................... 77
Advanced ......................................................................................................................................... 78
4.3.1.8 Connected.........................................................................................................................................................
Devices 79
Zone Door general ......................................................................................................................................... 80
Zone Door schema ......................................................................................................................................... 80
4.3.1.9 Anti-passback
......................................................................................................................................................... 82
General ......................................................................................................................................... 83
Readers ......................................................................................................................................... 84
4.3.1.10 Advanced ......................................................................................................................................................... 85
4.4 Live Log
................................................................................................................................... 86
5 External configuration 87
5.1 Alarm...................................................................................................................................
groups 88
5.2 Area tree
................................................................................................................................... 89
5.3 Email...................................................................................................................................
notifications 90
5.3.1 Em ail notification
..........................................................................................................................................................
service 91
5.3.2 Alarm notifications
.......................................................................................................................................................... 92
5.3.3 Offline controllers
..........................................................................................................................................................
notifications 93
5.4 Update
...................................................................................................................................
access profiles 94
5.5 OSDP...................................................................................................................................
readers 95
5.5.1 Connecting OSDP
..........................................................................................................................................................
readers to Zone Door unit 96
..........................................................................................................................................................
readers to Zone Wing device 97
..........................................................................................................................................................
readers to Zone Spot device 98
6 3rd party devices 100

6.1 Aperio
................................................................................................................................... 100
6.1.1 Mounting .......................................................................................................................................................... 101
6.1.2 Aperio Program
..........................................................................................................................................................
m ing Application 105
6.1.2.1 Managing.........................................................................................................................................................
IP communication hub 107
IP Address ......................................................................................................................................... 109
ACU Settings ......................................................................................................................................... 111
6.1.2.2 Managing.........................................................................................................................................................
RS485 communication hub 114
RS485 Address......................................................................................................................................... 116
Remote unlock ......................................................................................................................................... 118
6.1.2.3 Pairing Locks
.........................................................................................................................................................
w ith communication hub 120
6.1.3 Aperio AH40 .......................................................................................................................................................... 124
6.1.3.1 Add Aperio.........................................................................................................................................................
AH40 device configuration 125
6.1.4 Aperio RS485.......................................................................................................................................................... 129
6.1.4.1 Add lock configurations
.........................................................................................................................................................
to Zone Wing 130
6.2 Assa...................................................................................................................................
Abloy Visionline 135
6.2.1 SW Configuration
.......................................................................................................................................................... 136
6.2.1.1 Visionline......................................................................................................................................................... 137

Contents III
6.2.1.2 Add Assa.........................................................................................................................................................

Abloy Visionline device in DAP 139
6.2.1.3 Set up reading
.........................................................................................................................................................
card option in Time&Space Manager 142
6.2.1.4 Adding access
.........................................................................................................................................................
profiles to users 144
6.3 Iris ID
................................................................................................................................... 145
6.3.1 HW Configuration
.......................................................................................................................................................... 147
6.3.1.1 Mounting .........................................................................................................................................................
and Wiring 148
6.3.1.2 Static IP Address
......................................................................................................................................................... 150
6.3.1.3 Update iCAM.........................................................................................................................................................
Application 152
6.3.1.4 iCAM Operation
.........................................................................................................................................................
mode 153
.......................................................................................................................................................... 154
6.3.2.1 Activate iCAM
.........................................................................................................................................................
SDK licence 155
6.3.2.2 Add device .........................................................................................................................................................
configuration in DAP 156
6.4 Morpho
...................................................................................................................................
Sigma 159
.......................................................................................................................................................... 161
......................................................................................................................................................... 163
.......................................................................................................................................................... 165
6.4.2.1 Reader Settings
......................................................................................................................................................... 168
6.4.2.2 User Interface
.........................................................................................................................................................
Settings 170
Advanced Interface .........................................................................................................................................
Details 173
6.4.2.3 Output Settings
......................................................................................................................................................... 175
6.4.2.4 Alarms Settings
......................................................................................................................................................... 178
6.4.2.5 Advanced.........................................................................................................................................................
Settings 180
6.5 Morpho
...................................................................................................................................
Sigma Lite 182
.......................................................................................................................................................... 184
.......................................................................................................................................................... 185
6.6 Spica
...................................................................................................................................
Field Clocking 189
6.6.1 Application installation
.......................................................................................................................................................... 190
6.6.1.1 Configure.........................................................................................................................................................
SSL communication encryption 195
.......................................................................................................................................................... 201
......................................................................................................................................................... 204
.........................................................................................................................................................
Settings 206
Details 207
6.6.3 Fingerprint Managem
..........................................................................................................................................................
ent 208
6.7 Spica
...................................................................................................................................
MATT 210
.......................................................................................................................................................... 211
6.7.1.1 Configure.........................................................................................................................................................
.......................................................................................................................................................... 222
......................................................................................................................................................... 225
.........................................................................................................................................................
Settings 226
Details 227
6.7.2.3 Advanced.........................................................................................................................................................
Settings 228
6.8 TBS ................................................................................................................................... 229
.......................................................................................................................................................... 230
6.8.1.1 Integration.........................................................................................................................................................
Configuration 233
.......................................................................................................................................................... 237
6.8.2.1 BioAdmin.........................................................................................................................................................
Web Edition 238
6.8.2.2 Add TBS .........................................................................................................................................................
device in DAP 240
6.8.2.3 Adding fingerprints
.........................................................................................................................................................
to users 243
6.8.2.4 Configuring.........................................................................................................................................................
RemoteZone w eb service 246
6.9 Web...................................................................................................................................
Clocking Portal 248
6.9.1 Configuration.......................................................................................................................................................... 249
6.9.1.1 Configure.........................................................................................................................................................

IV Device Administration Portal
6.9.2 Event registration

.......................................................................................................................................................... 257

Device Administration Portal 1
1 Device Administration Portal
1.1 Introduction
Device Administration Portal is the basic module in Time&Space system. Its key function is the
transfer of clock transactions from clock terminals to a shared database that is accessed
independently by all modules in the system. The second, equally important function is the
downloading of data to the terminals, i.e. the transfer of data such as access parameters
that were entered via the keyboard using any of the Time&Space modules. These parameters
control the functioning of clock terminals, for example, the function of individual keys on the
clock terminal keyboard, and inform the terminals about the valid ID badges.
The module consists of 4 parts: Device Administration Portal, Event Processor, Device
Communicator and Space API.
Device Administration Portal is a web client responsible for the management of terminal's
settings. The application also monitors the communication between Event Processor service
and hardware.
Event Processor is a standalone windows service responsible for storing data into the
database and generating appropriate responses.
Device Communicator is a standalone windows service responsible for the communication
between terminals and Event Processor service.
Space API is a standalone windows service responsible for the communication between
Device Administration Portal and Event Processor service on one side and for the
communication between DAP application and other Time&Space modules .
Device Adm inistration Portal

1.2 End-user software license agreement

Terms of License
This program and accompanying documentation (the software) are copyrighted material,
protected by national legislation and international agreements on protection of intellectual
property. Any unauthorized use or copying of this software is punishable by law. Users are
permitted to make copies of the software solely for backup purposes, and as a protection
against accidental loss or damage of the purchased copy.
By purchasing a copy of the software the user is granted the license to use the software
within the user's organization without time limitations. The user is obliged to comply to the
conditions related to the scope of the license as defined in the purchase documentation
(proposal/order/invoice) at the time of purchase. These conditions are including, but are not
limited to maximum number of users, number of clients, servers, number of administrators,
administrative workstations, computers, locations and similar. Any use beyond these
restrictions is not permitted.
Any use outside user's organization or any commercial exploitation of the software involving
third parties such as lending, renting or selling of the software is not permitted.
Special Terms
Users are obliged to actively protect the software against any unauthorized use or copying,
and prevent access to the software by the public or any third party.
SPICA International does not permit any modification of programs or accompanying
documentation including any modification of the program code or accompanying files.
Warranty Disclaimer
SPICA International has written the software and accompanying documentation with utmost
care and best effort to make it error free. Any eventual error, which would prevent or
significantly hamper the use of the software, should be immediately reported to SPICA
International. SPICA International will act upon such error report with priority and make every
effort to correct the error in the shortest possible time.
However, the software is provided by SPICA International »as-is«, and without any warranty,
express or implied, direct or consequential as to the usability or inability to use the software.
SPICA International does not provide any warranty as to the fitness of this software to any
particular purpose, and is not liable for any errors, known or unknown, of this software.
Cumulative liabilities of SPICA International for any damage caused by this software will be
limited to the purchase price of this software.
Data
SPICA International is not in any way responsible for data maintained with this software. The
user is entirely and solely responsible for data safekeeping, protection against loss and
protection of privacy of personal information.
Modifications of Software
SPICA International continually develops and improves its software products, which are
therefore subject to change without prior notice. SPICA International reserves the right to
freely modify its software products at any time without any prior or special notice and cannot
provide any warranty as to the nature and scope of any particular change. SPICA
International also retains the right to stop further development of a particular product, or to
discontinue a product completely.

Device Administration Portal 3
Modifications upon User Request
In order to meet and surpass the expectations of its users, SPICA International constantly
and systematically collects information about user demands and requirements. This
information plays crucial role in decisions on software product development. Upon user
request, SPICA International will provide information on the status of an individual request or
demand in the context of development planning for the standard products. This information
may include the planned time for the completion of a particular task, if any such time has
been established. Information provided in this way does not make SPICA International in any
way liable for the nature and scope of the actual implementation, licensing policy or time of
delivery. All such information is strictly informal and may change without any notice.

1.3 Technical support

Technical support and additional information:
Spica International
Pot k sejmiscu 33
1231 Ljubljana
Slovenia
Tel.: +386 1 568 08 00

Email: support@spica.com
Further information is available at http://timeandspace.eu.

Configuring the system 5
2 Configuring the system

The following schema represents the basic module architecture which is suitable for most
installations:
Device Administration Portal (DAP),

Space API (API),
Event Processor (EP),
Microsoft Message Queue (MSMQ),
Device Communicator (DC),
Database (DB).
Basic architecture

Important: Event Processor and Device Communicator must always be installed on the
same workstation.
To address a load balancing issues or to optimize system architecture according to

geographical diversification, the basic architecture can be expanded with additional services.
In the following example, the EP 2, MSMQ2 and DC 2 services have been added to the
configuration.
Device Administration Portal (DAP),

Space API (API),
Event Processor No. 1 (EP1),
Device Communicator No. 1 (DC1),
Microsoft Message Queue (MSMQ1),
Event Processor No. 2 (EP2),
Device Communicator No. 2 (DC2),
Microsoft Message Queue (MSMQ2),
Database (DB).
Advanced architecture
Important: EP2 and DC2 services cannot be installed on the same workstation as EP1
and DC1.

Configuring the system 7
2.1 Login
To access Device Administration Portal, enter this address http://HostName into the web
browser (Host Name signifies the name or the IP address of the computer where the module
is installed). User account needs Event Collector/DAP Login permission to enter the
application.
Login dialogue
Note: Logging with a super user (e.g. TSSPICA) is not supported.
Important: Currently only Time&Space standard authentication mode is supported in the

module.

3 Installation
To install the module, start DAP Setup.exe from the distribution media and follow the
installation procedure.
Pre-installation requirements
TimeBox.dll, TimeBoxCom.dll and TSStartup.exe (obtained with Time&Space setup),

.Net Framework 4.5 or higher,
Internet Information Services (IIS) 7.0 or higher,
Message Queuing (MSMQ),
ASP.NET MVC 4 (Standalone Edition),
ASP.NET Web Pages.
Supported devices
Aperio,
Assa Abloy VisiOnline,
Iris ID,
Morpho Sigma,
Morpho Sigma Lite and Morpho Sigma Lite+,
Spica Field Clocking,
Spica MATT,
Spica Zone Button TT,
Spica Zone Button TT AC,
Spica Zone Spot,
Spica Zone Touch,
Spica Zone Wing,
TBS,
Web Clocking Portal.
Tip: Before the installation, make sure that Spica Zone devices have the appropriate FW
version. For more information, please contact our support.
Warning: Only native mode (MA5G) is supported on Morpho Sigma terminals.

Installation 9
3.1 System requirements

Workstations/Servers
See the document Installation and Upgrade Guide.pdf, chapter System Requirements.
Web browsers
Supported browsers in the DAP are:
Internet Explorer 10 or newer,

Google Chrome,
Mozilla Firefox,
Opera.
Important: Javascript must be enabled in the web browser. For more information check
the following website.

3.1.1 Windows Features configuration

3.1.1.1 Internet Information Services (IIS)
The following IIS features are required for the DAP module:
Root IIS feature
IIS feature

Installation 11
Com m on HTTP Features
Important: If IIS service is installed after .NET Framework, then you will likely encounter
Runtime Error when accessing DAP. To fix this issue repair .NET Framework under Installed
programs or execute the following statement in CMD: "%windows%\Microsoft.
NET\Framework\v4.0...\aspnet_regiis -i".

ASP and .NET Extensibility features
ASP features

Installation 13
x64 operation system and application pool
If a case of x64 bit OS set Enable 32-Bit Applications option to True for the used application
pool (e.g. DAP).
Enable 32-bit applications

Active Directory authentication and Single Sing On (SSO)
To enable Active Directory authentication and Single Sing On (SSO) in the application, enable
Windows Authentication in the virtual directory and put NTLM provider first.
Window s Authentication

Installation 15
Providers

Also, make sure that client workstations have User Authentication set to Automatic logon
with current username and password under Internet Security options.
Security settings for autom atic logon
Advice: Windows features list may vary according to a specific operating system.

Installation 17
3.1.1.2 Microsoft Message Queue (MSMQ) Server

MSMQ Server must be installed on the workstation running Event Processor and Device
Communication service.
Microsoft Message Queue (MSMQ) Server
Advice: DAP services will fail to start after the restart of the operating system if MSMQ
service has not started yet. To solve this issue set the dependency on DAP services to wait
for the MSMQ service.

Device Communicator Queue/Device Communicator Error Queue - Message queue for

Device communicator module. If some error occurs during message processing such
message is moved to Device communicator error queue.
Device Communicator Control Queue/Device Communicator Control Error Queue -
Priority queue towards Device communicator module. Messages with higher priority (e.g.
open or close door) are sent through this queue. If some error occurs during message
processing such message is moved to Device communicator control error queue.
Event Processor Data Queue/Event Processor Data Error Queue - Message queue for
Event processor module. Messages from Device Communicator towards Event Processor
are sent through this queue. Typical examples are clockings and alarms. If some error
occurs during message processing such message is moved to Event processor error queue.
DAP queues

Installation 19
3.1.1.3 Internet Explorer tweaks

If using Internet Explorer browser, make sure that the following parameters are set as
follows:
Allow ActiveX Filtering option must be enabled under Internet Security settings.
Security settings for IE
Compatibility mode must be disabled for the DAP web site in the browser. The button will
turn from blue to grey when Compatibility View is turned off for a site.
Com patibility m ode button

3.2 Installation procedure

The installation procedure consists of the following steps:
1. Select the Next button to proceed with the installation.
Welcom e screen

Installation 21
2. Accept the license agreement to continue.
Licence agreem ent

3. If all requirements are installed, full feature set will be available for the installation.
DAP Requirem ents

Installation 23
4. Select the desired features and update default installation paths if needed.
Installed features
Important: If some of the features are not available, then some of the pre-installation
requirements are not fulfilled.

5. If Device Administration Portal feature is selected in the previous step, an additional step is
displayed. By default, the application will be installed as a virtual directory called ECP on
Default Web Site. Change the name of the virtual directory or site if necessary. In this case,
users will access the application by entering address http://HostName/ECP into the web
browser. Host Name signifies the name or the IP address of the computer where IIS is
running.
DAP configuration
Important: Device Administration Portal must be installed as a virtual directory.

Installation 25
6. Select the appropriate database type (Microsoft SQL Sever or Oracle).
Database type

7. Confirm the installation parameters with the Next button and start the installation process.
Confirm ation step
8. After the installation is completed, see Customizable application parameters chapter for
additional settings.

Installation 27
3.2.1 Customizable application parameters

DAP - Web.config
EP service - Event Processor Service.exe.config
DC service - Device Communicator Service.exe.config
Space API - Space API Service.exe.config
Advice: In case that DAP services and database server are running on the same
workstation it is possible, that DAP services will fail to start after the restart of the operating
system. To solve this issue set the dependency on DAP services to wait for the database
server to start.
Note: When service parameters are modified, you need to restart the service for changes
to apply.
Important: Set read/write permissions on a destination folder for a user under which the
service operates in order for the log file to be created. E.g set permission (Modify, Read &
Execute, List Folder Contents, Read, Write) to IUSR and IIS_IUSRS user on the DAP
installation directory.
Important: Make sure that IIS_IUSRS user group has read/write permissions on
Windows temporary directory (e.g. c:\windows\temp). Originally, the default was c:\Temp,
then %WinDir%\Temp. In the Windows XP era, the temporary directory was set per-user as
Local Settings\Temp, although still user-relocatable. For Windows Vista, 7&8 the temp
location has moved again to AppData section of the User Profile, typically C:\Users\User
Name\AppData\Local\Temp (%USERPROFILE%\AppData\Local\Temp).

3.2.1.1 DAP - Web.config

Configuration file (Web.config) is located in DAP Portal installation folder (e.g. C:
\inetpub\wwwroot\DAP).
Server kind - <add key="ServerKind" value="MSSQL" /> - This parameter defines the
kind of database server (MSSQL or ORACLE) used in the system.
API server address - <add key="apiServerAddress" value="http://localhost:1600" / >
- This parameter defines the address (IP and Port) of Space API with which the portal
communicates. By default this parameter is set to localhost:1600.
Session timeout - <forms loginUrl="~/Account/LogOn" timeout="30" /> - This
parameter defines the period after which the session expires in the application. By default
this parameter is set to 30 minutes.
Automatic reconfiguration delay - <add key="reconfigurationDelay" value="2"/> - This
parameter defines the period after which automatic reconfiguration of a device is triggered
if the configuration has changed. By default this parameter is set 2 minutes. If the value is
set to 0, the reconfiguration is executed immediately.
Language - <globalization uiCulture="en-GB" culture="en-GB"/> - This parameter
defines the language of the web application. Currently the following languages are
supported:
Arabic (ar),
Bosnian - Latin (bs-latn-BA),
Bulgarian (bg),
Croatian (hr),
English (en-GB),
Finnish (fi),
French (fr),
German (de),
Greek (el),
Italian (it),
Lithuanian (lt),
Macedonian - Cyrillic (mk),
Macedonian - Latin (MK-mk),
Polish (pl),
Portuguese (pt),
Romanian (ro),
Russian (ru),
Slovenian (sl),
Turkish (tr),
Ukrainian (uk).
Live log - <target name="eventsFile" xsi:type="File" fileName="${appDataFolder}/
Logs/DAP Events ${shortdate}.log" layout="${longdate} ${message}"/> - This
parameter defines the path of log file which tracks data from Live log.
Note: Live log only tracks communication when the view is opened in the application.

Installation 29
3.2.1.2 EP - Event Processor Service.exe.config

Configuration file (Event Processor Service.exe.config) is located in Event Processor service
installation folder (e.g. C:\Program Files (x86)\Spica\TimeSpace\Event Processor).
<Application Settings>
Server address - <add key="serverAddress" value="http://+:1601" /> - This

parameter defines the address (IP and Port) on which the service operates. By default this
parameter is set to +:1601.
Detailed events table - <add key="enableDefaultEventStorage" value="false"/> - This
parameter defines (True/False) if the Event Processor also stores registrations to the table,
called CLOCKING_EVENTS. Comparing to the default events table (EVENTS), this one also
consists registrations from unknown users. Currently, this table is not used in the system.
By default, this parameter is set to False.
Interface language - <add key="DefaultCulture" value="en"/> - This parameter defines
the language on the interface (e.g. Zone Button). Currently the following languages are
supported: English (en) and Slovenian (sl).
<Database>
<Legacy>
Disable correction of time events - <add key="DisableCorrections" value="false"/> -

This parameter defines that the system will correct the existing time events till time events
correction time out is reached. If set to true, all registrations are stored in the database.
Time events correction time out - <add key="AutoCorrectionThreshold" value="1"/> -
This parameter defines the time out for correction of time events. By default this parameter
is set to 1 minute.
<MASigma>
User Verification Parameter Type - <add key="UserVerificationParameterType"

value="2"/> - This parameter defines per user rules. The rule can be set at the time of
enrollment or can be edited in user template (0 - Per user rule check is disabled; 1 - Per
user rule is enabled and user rule reference is trigger_event; 2 - Per user rule check is
enabled and user rule reference is terminal for all trigger sources).
User Record Reference - <add key="UserRecordReference" value="1"/> - This
parameter defines user record source which is used during user control operation (0 -
Reference source is disabled; 1 - Reference source is terminal for all trigger sources).
Device background image <add key="DeviceBackground" value="\
\MASigmaBackground.png"/> - This parameter defines the location of an image displayed
on the device as background. Image must be in PNG format. By default this parameter is
set to "\MASigmaBackground.png".
User ID definition <add key="VerifyUserId" value="-1"/> - This is a system parameter
used for defining user id on MA Sigma. Set the parameter value to 5, when printed badge
number for HID cards should be used in the system. Otherwise leave it to -1. This
parameter is supported only on MA Sigma terminals with iClass reader.
Custom HID card number format on MA Sigma - <add
key="HIDCardNumberFormatSlot" value="0"/> - This is a system parameter used for
HID card number presentation on MA Sigma. For more information contact our support.
<Devices>

Pull events time out - <add key="PullEventsTimeout" value="900"/> - This parameter

defines execution time out for downloading off-line events from the terminal. By default this
parameter is set to 900 seconds.
Device time synch time out - <add key="DeviceTimeSynchronizationInterval"
value="6"/> - This parameter defines execution time out for synchronizing internal clock
on the device with the system time. By default this parameter is set to 6 hours.
Delete device transaction log - <add key="DeleteTransactionsFromController"
value="False"/> - This parameter defines if event transaction log is deleted till last pull
event action. By default this parameter is set to false.
Event Processor service address - <add key="ServerAddress" value=""/> - This
parameter is set only if there are more than one Event Processor services in the system.
The address is set IP of workstation where the service is installed.
Mass reload packet size - <add key="MassReloadProfileCountPerPacket" value="50"/
> - This parameter defines the packet size which is used when reloading profiles on Zone
Wing/Spot device. By default this parameter is set to 50 profiles.
Mass reload synchronization time out - <add key="ProfileSynchornizationInterval"
value="300"/> - This parameter defines execution time out for updating access profiles
on on Zone Wing/Spot device. By default this parameter is set to 300 seconds.
<ClockingResponse>
Show balance on Info event - <add key="ShowBalanceOnInfo" value="1"/> - If

enabled (value="1"), a response message from the Info event will contain user's running
balance.
Show vacation on Info event - <add key="ShowVacationOnInfo" value="1"/> - If
enabled (value="1"), a response message from the Info event will contain user's vacation
balance.
Show custom counter no. 1 on Info event - <add
key="ShowFirstCustomCounterOnInfo" value="0"/> - If enabled (value="1"), a
response message from the Info event will contain value of custom counter no.1.
Show custom counter no. 2 on Info event - <add
key="ShowSecondCustomCounterOnInfo" value="0"/> - If enabled (value="1"), a
response message from the Info event will contain value of custom counter no.2.
Show last clocked event on Info event - <add key="ShowLastClockedEventOnInfo"
value="1"/> - If enabled (value="1"), a response message from the Info event will
contain information about last clocked event.
Show balance on clocking - <add key="ShowBalanceOnClocking" value="1"/> - If
enabled (value="1"), a response message from a clocking event will contain user's running
balance.
Show custom counter no. 1 on clocking - <add
key="ShowFirstCustomCounterOnClocking" value="0"/> - If enabled (value="1"), a
response message from a clocking event will contain value of custom counter no.1.
Show custom counter no. 2 on clocking - <add
key="ShowSecondCustomCounterOnClocking" value="0"/> - If enabled (value="1"), a
response message from a clocking event will contain value of custom counter no.2.
Definition of custom counter no.1 - <add key="FirstCustomCounterId" value="101"/>
- This parameter defines custom counter no.1 used in response messages. ID of counter
counters are stored in the COUNTER table.
Definition of custom counter no.2 - <add key="SecondCustomCounterId"
value="102"/> - This parameter defines custom counter no.2 used in response
messages. ID of counter counters are stored in the COUNTER table.
<System>
Clear error message queue <add key="PullErrorMessageQueueTimeout" value="60"/

> - This parameter defines execution time out for clearing DAP error message queues. By

Installation 31
default this parameter is set to 60 minutes.

Mass transit timeout <add key="MassTransitTimeout" value="3"/> - Specifies a timeout
period after which the request should be cancelled and a TimeoutException should be
thrown.
Mass transit request expiration <add key="MassTransitRequestExpiration" value="3"/
> - Specifies a time-to-live (TTL) for the request message after which the message should
be discarded.
<Logs>
Error log - <target name="errorFile" xsi:type="File" fileName="${basedir}/Logs/

Event Processor Error-${shortdate}.log" layout="${longdate}
${uppercase:${level}} ${message}: ${exception:format=tostring}"/> - This
parameter defines the path of a log file which tracks errors from the service.
Debug log - <targe t n am e ="de bu gF ile " xsi:ty pe ="F ile " file N am e ="$ { base dir} /L ogs/
Ev e n t P roce ssor D e bu g- $ { sh ortdate } .log" lay ou t="$ { lon gdate }
$ { u ppe rcase :$ { le v e l} } $ { m e ssage } "/> - This parameter defines the path of a log file
which tracks advanced level messaged from the service.
Info log - <target name="infoFile" xsi:type="File" fileName="${appDataFolder}/
Logs/Event Processor Info-${shortdate}.log" layout="${longdate}
parameter defines the path of a log file which tracks basic information from the service.

3.2.1.3 DC - Device Communicator Service.exe.config

Configuration file (Device Communicator Service.exe.config) is located in Device Communicator
service installation folder (e.g. C:\Program Files (x86)\Spica\TimeSpace\Device
Communicator).
<Database>
<Sigma>
Online notification server address - <add key="OnlineResponseServerAddress"

value=""/> - This parameter defines the address (IP) of server which receives online
messages from devices (e.g.: MA Sigma). By default this parameter is set to an empty string
"", which means that online messages from devices are disabled. To enable online
messages this property should be set to the local IP address.
Online notification server port - <add key="OnlineResponseServerPort"
value="12345"/> - This parameter defines the port of online notification server address.
By default this parameter is set to 12345.
Trigger event - <add key="TriggerEvent" value="7"/> - This parameter defines on
which triggered events the terminal should start user control workflow (1 - Finger; 2 -
Contactless card; 3 - Finger and contactless card; 4 - Keypad; 5 - Finger and keypad; 6 -
Keypad and contactless card; 7 - Finger, keypad and contactless card; 8 - External reader;
9 - (Option 1 + Option 8); 10 - (Option 2 + Option 8); 11 - (Option 3 + Option 8); 12 -
(Option 4 + Option 8); 13 - (Option 5 + Option 8); 14 - (Option 6 + Option 8); 15 - (Option 7
+ Option 8)).
Advice: If MA Sigma response server address is not set or not accessible, all registrations
on the terminal will be treated as off-line and will be downloaded according to Pull events
time out rule.
<SpicaMATT>
MATT communication port - <add key="ServerPort" value="4443"/> - This parameter

defines the communication port for MATT devices. By default this parameter is set to 4443.
MATT communication encryption - <add key="EnableSSL" value="false"/> - This
setting provides (True/False) secure communication between the access control system and
the MATT devices. By default this parameter is set to false.
<VingcardPlugin>
Request Timeout - <add key="RequestTimeout" value="300"/> - This parameter

defines the timeout for a request response from ASSA ABLOY Hospitality Web API.
Reconnect Count - <add key="ReconnectCount" value="10"/> - This option defines how
many times DC service will send reconnection requests to ASSA ABLOY Hospitality Web API.
Visionline user's password - <add key="Passoword" value=" "/> - This parameter
defines the password for the Visionline user.
Visionline user - <add key="Username" value=" "/> - This parameter defines the user
name for the Visionline user.
ASSA ABLOY Hospitality Web API address - <add key="APIAddress" value="http://
address:1580/api/v1"/> - This parameter defines the address (IP and Port) of ASSA
ABLOY Hospitality Web API address.
Encoder - <add key="Encoder" value="KDE Encoder"/> - This parameter defines the
name of the encoder defined in Visionline.

Installation 33
User Group - <add key="UserGroup" value="Staff"/> - This parameter defines the

name of the group defined in Visionline.
<TBSPlugin>
TBS API - <add key="ServerEndpoint" value="http://localhost/BACore/RemoteSync.

svc/basic"/> - URL to the TBS SOAP API.concurrent
TBS RemoteZone web service - <add key="RemoteZoneEndpoint" value="http://
localhost/BACore/RemoteZone.svc/Basic" /> - URL to the TBS RemoteZone web service.
By default this option is disabled.
Authentication token - <add key="ServerSecurityToken"
value="6100c932616e4eb88f526f024bc96246"/> - This is used for secure
communication between T&S and TBS system. Token must match authRPKey in BioAdmin
Web Edition\Core\Web.xml.
Notification port - <add key="NotificationServerPort" value="6969"/> - Each TBS
device will call this service on this port upon clocking.
Notification SSL encryption - <add key="NotificationServerEnableSSL" value="false"/
> - This parameter is currently not in use.
User packet size - <add key="UserUploadBatchSize" value="50"/> - This parameter
defines the size of user packet which is sent to the terminal.
PIN mapping - <add key="UseAsPin" value="BadgeNo"/> - PIN value can be linked
with: BadgeNo, UserID or UserPIN property.
Clocking response timeout - <add key="ClockingResponseTimeout" value="2" />
Button mapping - Map a maximum of 8 TnA TBS events to Time&Space event indexes as
defined within the interface of the TBS Virtual Controller. Values must be unique and button
indexes must start with zero.
<add key="Button_0" value="COMING"/>
<add key="Button_1" value="LEAVING"/>
<add key="Button_2" value="COMING_CUSTOM_1"/>
<add key="Button_3" value="LEAVING_CUSTOM_1"/>
Warning: If "UseAsPin" option is changed afterward, all users who had PIN set will
continue to work with the old configuration. If you want for a new configuration to apply, add
a wildcard (e.g. Enable Disable PIN check option in Time&Space Manager) for the affected
users and then remove it. This action will re-send the PIN parameter with the new
configuration.
<SFCPlugin>
SFC communication port - <add key="ServerPort" value="4449"/> - This parameter

defines the communication port for SFC devices. By default this parameter is set to 4449.
SFC communication encryption - <add key="EnableSSL" value="false"/> - This setting
provides (True/False) secure communication between the access control system and the
SFC devices. By default this parameter is set to false.
<WCPPlugin>
WCP communication port - <add key="ServerPort" value="4448"/> - This parameter

defines the communication port for WCP device. By default this parameter is set to 4448.
WCP communication encryption - <add key="EnableSSL" value="false"/> - This
setting provides (True/False) secure communication between the access control system and
the WCP portal. By default this parameter is set to false.
Language - <add key="DefaultCulture" value="en-GB"/> - This parameter defines the
language of the web application. Currently the following languages are supported: English

(en-GB) and Slovenian (sl).

Location rules - <add key="LocationRuleSet" value="0"/>
0 - Only one location is available;
1 - Drop down menu is shown where a user can select the location if the location/reader
value is not set. If the value is set then the application tries to match user's IP address
with location's IP range. If the matching fails, a drop down menu is shown where the
user can select the location.
2 - Enforce IP matching where the location is selected based on user's IP address. If
matching fails, an error is shown.
Space API - <add key="SpaceApiUrl" value="https://localhost:1600/"/> - This
parameter defines the address (IP and Port) of Space API with which the portal
communicates. By default this parameter is set to localhost:1600.
SpaceAPI Authentication token - <add key="SpaceApiToken" value=""/> - Space API
GUID (Globally Unique Identifier) is a unique identifier with which 3rd party applications
authenticate with Space API. Use one on the predefined keys from EC_APP_API_KEYS table
(e.g. select API_KEY from EC_APP_API_KEYS where ID = 13).
Location/reader definitions - <add key="Location 1" value=""/> - Key represents the
display name in the application and must match with reader's custom ID property in DAP.
Value is left blank if the location rule is 0 or 1. When the location rule is set to 2 then an IP
range must be defined separated by semicolon e.g. <add key="Ljubljana"
value="192.168.1.1;192.168.2.255" />.
<Service>
Event Processor address - <add key="EventProcessorServerAddress" value=""/> -

This parameter defines the address (IP) of the host where related Event Processor service
is located when there is more than one Event Processor service in the system.
Sequential Connection Initialization - <add
key="UseSequentialConnectionInitialization" value="false"/> - If this feature is
enabled (true), enabled connections will be restored with a delay when DAP services are
started. This option should be used on larger systems (more than 50 devices) to avoid the
non-responding state of DAP Portal upon start-up.
Number of concurrent connections - <add key="NumberOfDevicesToConnectAtOnce"
value="10"/> - This parameter defines the number of connections which will be restored
at once.
Sequential Connection timeout - <add key="SequentialConnectionTimeout"
value="60"/> - This parameter defines the delay between connections cycles.
<Logs>
Debug log - <target name="debugFile" xsi:type="File" fileName="${basedir}/Logs/

Device Communicator Debug ${shortdate}.log" layout="${longdate}
${uppercase:${level}} ${message}"/> - This parameter defines the path of a log file
which tracks advanced level messaged from the service.
Device Communicator Error ${shortdate}.log" layout="${longdate}
parameter defines the path of a log file which tracks errors from the service.
Info log - <target name="infoFile" xsi:type="File" fileName="${basedir}/Logs/
Device Communicator Info-${shortdate}.log" layout="${longdate}
parameter defines the path of a log file which tracks basic information from the service.
Protocol log - <target name="protocolFile" xsi:type="File" fileName="${basedir}/
Logs/protocol-${shortdate}.log" layout="${longdate} ${message}" /> - This
parameter defines the path of a log file which tracks protocol messages between the
service and devices.

Installation 35

3.2.1.4 Space API - Space API Service.exe.config

Configuration file (Space API Service.exe.config) is located in Space API service installation
folder (e.g. C:\Program Files (x86)\Spica\TimeSpace\Space API).
<Application Settings>
Server address - <add key="serverAddress" value="http://+:1600" /> - This

parameter defines the address (IP and Port) on which the service operates. By default this
parameter is set to +:1600.
Note: If changing Space API port, the certificate binding needs to be updated. Execute
the following steps:
Search for the certificate that is bound to port 1600 (PowerShell > netsh http show
sslcert) and copy Certificate Hash.
Replace ipport, certhash and appid with your own parameters and executed the
following statement in PowerShell (e.g. netsh http add sslcert ipport=0.0.0.0:1610
certhash=9602318af42077b62259185f6ccbe4f8c477c9ed appid='{00000000-0000-
0000-0000-000000000000}' ).
<Database>
<Logs>

error-${shortdate}.log" layout="${longdate} ${uppercase:${level}} ${message}:
${exception:format=tostring}" /> - This parameter defines the path of a log file which
tracks errors from the service.
Debug log - <target name="debugFile" xsi:type="File" fileName="${basedir}/Logs/
debug-${shortdate}.log" layout="${longdate} ${uppercase:${level}}
${message}" /> - This parameter defines the path of a log file which tracks advanced
level messaged from the service.
Info log - <target name="infoFile" xsi:type="File" fileName="${appDataFolder}/
Logs/Space API Info-${shortdate}.log" layout="${longdate} ${uppercase:${level}}
${message}: ${exception:format=tostring}"/> - This parameter defines the path of a
log file which tracks basic information from the service.

Installation 37
3.2.2 Encrypted communication channel on the portal

HTTPS is a secure communications channel that is used to exchange information between a
client computer and a server. It uses Secure Sockets Layer (SSL). To enable SSL in IIS, you
must first obtain a certificate that is used to encrypt and decrypt the information that is
transferred over the network. IIS includes its own certificate request tool that you can use to
send a certificate request to a certification authority. This tool simplifies the process of
obtaining a certificate.
1. Get the appropriate certificate
Create a certificate request and send that request to a known certificate authority (CA) or
Create a self-signed certificate.
Log on to the Web server computer as an administrator.
Select server node in the tree view and open Server Certificates option.
IIS Web Server

Select Create self-Signed Certificate action.
Server Certificates view

Installation 39
Enter a friendly name for the new certificate (e.g. Spica).
Self-Signed Certificate

2. Create HTTPS binding on the site
Create a HTTPS binding on the site.

Select desired website (e.g. Spica) and select Bindings option.
Bindings options

Installation 41
Select Add... button to add a new SSL binding to the website.
Site bindings
Select https from the Type drop-down list, All Unassigned from the IP address and set
the port in the Port field (e.g. 443). Import certificate you received from known certificate
authority (CA) or use a self-signed certificate created in the previous section (e.g. Spica)
from the SSL Certificate drop-down list.
Add site binding

Website with http and https binding.
Http and https binding

Installation 43
3. Test by making a request to the site
Enter website address in the browser using https prefix (e.g. https://localhost:443/DAP).
Https DAP address
Note: In the case of a self-signed certificate, you will receive website's security warning
about an unauthorized certificate. Select continue to the website option.

3.2.3 Adding or removing components

De-installation
To remove the existing module, go to Control Panel\Programs and Features and select
Time&Space Device Administration Portal software and choose Uninstall.
Important: The uninstall process does not support individual component selection. All
components will always be removed from the system.
Re-installation
To install a new version of the module, simply start and follow the installation procedure.
Advice: Current configuration files will be renamed as ".old" type.

Main views 45
4 Main views
The application has four main views:
Overview - Offers an overview of the system.

Servers - Shows all Event Processor services in the system.
Devices - Shows all devices in the system.
Live log - Displays communication messages between devices and Event Processor
services.

4.1 Overview
Overview view shows the list of all devices in the system according to user's permissions
grouped by Server/Connection/Device. To find a particular connection or Device, use the
search field.
Shortcuts section offers the following actions which are executed on all devices:
Enable All - Use this action to enable the connection for all devices.
Disable All - Use this action to disable the connection for all devices.
Overview view
Note: Devices without connection parameters or those which are not assigned to a
server are not displayed in this view.

Main views 47
4.2 Servers
Servers view shows the list of all Event Processor services defined in the system with some
basic parameters. The server is responsible for storing data into the database and
generating appropriate responses on device's interfaces.
Use menu actions ( Add and Remove) to manage the list or click on server's name to
access detailed information about a specific server.
Servers view
4.2.1 Server details

Name - Name of the server displayed across the application.
Address - IP address or a name of the workstation where Event Processor service is
installed.
Port - TCP/IP port through which the server communicates with Space API service. The main
function of Space API is to gather client requests and redistribute them to appropriate
servers. It also provides feedback and notifications received by the servers.
Status - The status signalizes the current state of the server (Offline, Online).
Server details view s
Important: Avoid using DNS alias in the address field, use either primary DNS suffix or IP
address.

Advice: Check the configuration file for detailed information about the server.

Main views 49
4.2.2 Assigned devices

Devices view shows the list of currently assigned devices to a selected server with some
basic information (Name, Address/Port and Type). Use menu actions ( Add and Remove)
to manage the list or click on the device's name to access detailed information about a
specific device.
Server devices view
Advice: Only device with already defined TCP connection can be assigned to the server.

4.3 Devices
Devices view shows the list of all devices in the system with some basic parameters. The
status signalizes the current state of the server (Disabled, Offline, Online). Use menu actions
( Copy, Add and Remove) to manage the list or click on device's name to access
detailed information about a specific device.
Shortcuts section offers the following actions which are executed on the selected devices:
Enable Selected - Use this action to enable connection for the selected devices.
Disable Selected - Use this action to disable connection for the selected devices.
Reconfigure Selected - Use this action to re-send configuration parameters for the
selected devices.
Reload Profiles - Use this action to resend a complete list of user profiles with proper
access on the selected devices.
Update Profiles - Use this action to send only unsent updates of user profiles on the
selected devices.
Update Alarms - Use this action to send only unsent updates of user profiles on the
selected devices.
Devices view
Note: Restrictions by Unit 1/Unit 2/Unit 3 or Organizational units are applied on this view.
This means that a user will see only those devices, he/she is entitled to see.

Main views 51
4.3.1 Device
4.3.1.1 General
General view displays basic information about the specific device. Use Enable/Disable action
to change the status of the device. Select Edit action to update these parameters.
Name - Name of the device displayed across the application.

Status - The status signalizes the current state of the server (Offline, Online).
ID - Custom ID field.
Description - Description is a free text field where additional information can be stored.
Area - Time&Space system offers a possibility for hierarchical classification of outputs
according to natural criteria (e.g. geographical location). Areas located higher on the
organizational structure, include subordinated zones, which help the system to preserve
space topology.
Server - Assign selected device to desired Event Processor service to balance traffic load
on large systems.
Bios - Information about the Bios version.
App. ver. - Information about the application version.
Time Zone - Information about the time zone.
Display Language - Information about the display language.
Device details
Advice: Server information is displayed only if there is more than one Event Processor
service configured in the system.

4.3.1.2 Connection
Connection view displays information about device's connection. Connection parameters must
be set up for each device otherwise the communication between Event Processor service and
the device will not be possible. A device with TCP connection communicates with the Event
Processor service directly using Ethernet LAN. Select edit action to update the parameters.
Connection settings

Main views 53
4.3.1.2.1 TCP Settings
Address - IP address of the device.

Port - TCP/IP port through which EP service sends/receives requests for the connection.
Security Type - This option specifies communication encryption type between DAP and
device (Basic - no encryption; TLS/SSL - communication is encrypted with a public key; TLS/
SSL with certificate - communication is encrypted with a private key).
Auto Reconnect - This option specifies whether the connection will be automatically re-
established after being interrupted.
Max Reconnect Count - This option specifies how many times EP service will send
reconnection requests before shutting down the connection to the device.
Auto Reconnect Timeout - This option specifies the interval between two attempts to re-
establish connections.
Keep Alive - This option specifies whether NOOP (short for NO Operation) packets should
be sent to terminals. Such a command is used to ensure that the connection is always
alive.
Keep Alive Timeout - This option specifies the interval between NOOP packets.
Short Delay - This delay is used for operations which are not time critical (i.e. testing the
terminal). This means that the confirmation of the reception is immediate and the Short
Delay parameter is used. The default value is set to 1000 ms.
Long Delay - Long delay is used for operations which need more time to get the reception
confirmation. The default value is set to 5000 ms.
TCP Connection settings
Warning: For TLS/SSL communication encryption option make sure that device has

appropriate FW version. For more information contact our support.
Advice: Use Spica Device Manager tool to set IP address and Port parameters on devices.

Main views 55
4.3.1.3 Readers
Readers view displays the list of device's readers with some basic information. The reader is a
data input device that reads data from identification cards and is connected to a device via
Wiegand or Data/Clock interface. Use menu actions ( Add and Delete) to manage the list
or click on reader's name to access detailed information about a specific reader.
Readers

4.3.1.3.1 General
General view displays information about the specific reader. Select Edit action to update
these parameters.
Common
Name - Name of the reader.

Position - With reader position, Event Collector identifies the reader with which it
communicates. The position is defined upon the reader's installation. For setting the
reader's position on a device, see device's documentation. Choose the position number of
the reader from the drop-down menu.
Type - Select the appropriate reader type (Wiegand, Data Clock, OSDP and OSDP Secure).
Check hardware specification for the supported formats.
User Interface - User Interface types varies depending on device type: Zone - No display
(reader only), Zone Touch and Zone Button; Zone Button TT AC - Zone Button, No display
(reader only); Zone Button TT - Zone Button.
Area - Time&Space system offers the possibility for hierarchical classification of readers
organizational structure include subordinated zones, which help the system to preserve
space topology.
Zone Door - Select a Door device to which the reader belongs.
Zone Door Pin - Select a pin for which the configuration is set. For available Pin
configurations see Zone Door Schema view.
Verification Settings
Use Verification settings field to set the security level for the time and access events on the
specific reader. You can specify which parameters will be requested and checked for each
event clocking. Security demands for time and attendance calculation are listed in the Time
events group and for access control in the Access events group.
Verify Access Profile - Select this option, if you want access profile to be checked during
registration on the reader.
Verify Schedule - Select this option, if you want access schedules to be checked during
Verify PIN - Select this option, if you want PIN to be checked during registration on the
reader.
Verify Fingerprint - Select this option, if you want fingerprint to be checked during

Main views 57
Readers details

4.3.1.3.2 Restrictions
Restrictions details view displays information about restrictions on the specific reader. Select
Edit action to update this parameter.
Prerequisite inputs - Set additional requirements (inputs) that must be fulfilled before a
user can make registration on the reader. The number of available inputs varies between
different device types.
Reader restrictions

Main views 59
4.3.1.3.3 User Interface Events
User Interface Events view displays information about defined events on the related user
interface. Select Add, Edit and Delete actions to manage the list.
User Interface Events
Advice: Number of available event definitions varies between different user interface
types.

4.3.1.3.4 Advanced
Additional access verification - If Two-man rule option is selected, two successful

registrations are required within the timeout in order to have the positive output.
Show extended information (running, extra hours) on clocking - If this feature is
enabled, user's balance/overtime is shown after registration on the terminal.
Advanced view
Warning: Two-man rule functionality requires Zone Wing application version 2.70 or
higher.
Warning: Two-man rule functionality is not compatible with Anti-passback, meaning that
one is not aware of the other if both are enabled.

Main views 61
4.3.1.4 User Interfaces

User Interface view displays the list of device's user interfaces along with some basic
information. User Interface is a device through which a user communicates with Time&Space
system (e.g. viewing clockings info, selecting events to clock). Use menu actions ( Add and
Delete) to manage the list or click on interface's name to access detailed information about
a specific user interface.
User Interfaces

4.3.1.4.1 General
General view displays information about the specific user interface (related Reader and Type).
Select Edit action to update these parameters.
Name - Name of the user interface.

Type - User interface types varies depending on device type: Zone Door - Reader Only;
Zone Button TT - Zone Button; Zone Button TT AC - Zone Button, Reader Only.
User Interface details

Main views 63
4.3.1.4.2 Events
Events view displays information about defined events on the related interface. Use menu
actions ( Edit and Delete) to manage the list.
User Interface events
Advice: The number of available event definitions varies between different user interface
types.

4.3.1.5 Inputs
Inputs view displays the list of device's inputs along with some basic information. The number
of available inputs varies between different device types. Use menu actions ( Add and
Delete) to manage the list or click on input's name to access detailed information about the
specific input.
Inputs

Main views 65
4.3.1.5.1 General
Inputs details view displays information about the specific input. Select Edit action to update
these parameters.
Name - Name of the input.

Position - The application uses the position to identify the input which it communicates
with. The position is defined upon the input's installation. To set the input's position on a
device see device's documentation. Choose the position number of the input from the drop-
down menu.
Default state - There are two types of default states available:
Open - input is active when contact is closed.
Inactive state Active state
Closed - input is active when contact is open.
Zone Door - Select a door to which the input belongs.

Zone Door Pin - Select a pin for which the configuration is set.

Input details

Main views 67
4.3.1.6 Outputs
Outputs view displays the list of device's outputs along with some basic information. Usually,
outputs represent devices, such as doors, visual or sound signals, etc. The number of
available outputs varies between different device types. An active output supplies power
(from internal power supply) to the connected activator, while the passive output provides
“dry contact” output to the electrical circuit of the connected activator. Use menu actions (
Add and Delete) to manage the list or click on output's name to access detailed information
about the specific output.
Outputs

4.3.1.6.1 General
Output details view displays information about the specific output. Select Edit action to
update these parameters.
Name - Name of the output.

Position - The application uses the position to identify the output which it communicates
with. The position is defined upon the output's installation. To set output's position on a
device, see Device's documentation. Choose the position value of the output from the drop-
down menu.
Relay type - There are two possible types of relay available:
Normally Open - output is active when contact is closed.

Normally Closed - output is active when contact is open.
Mode - There are three possible types of output mode available:
Default - Access is granted upon request on the basis of parameters on reader's security
settings.
Always active - Output is always active, identification is not required.
Always closed - Output is always inactive, access is not possible.
Pulse time - Defines how long the output will be active after an access request has been

Main views 69
granted. Possible values are 0 to 255 seconds.

space topology.
Zone Door - Select a door to which the output belongs.
Zone Door Pin - Select a pin for which the configuration is set.
Output details

4.3.1.6.2 Activated by
Activated by view displays information about output activators. The following output
activators can be set:
Activate output with an input - The output is triggered if the input is active. The output is
active as long as the input is present.
Activate output with an input (relay time applies) - The output is triggered if the input is
active. The output is active for the length of pulse time.
Activate output with a granted access action - The output is triggered upon successful
registration on a specific reader. Output is active for the length of pulse time.
Activate output with a denied access action - The output is triggered upon unsuccessful
registration on a specific reader. Output is active for the length of pulse time.
Activate output with an alarm - The output is triggered when specific alarm is activated.
Output is active for the length of pulse time.
Use menu actions ( Edit and Delete) to manage the list.
Activators

Main views 71
4.3.1.6.3 Deactivated by
Deactivators view displays information about output deactivators. The following output
deactivators can be set:
Deactivate output with an input - The output is inactive if the input is active. The output is
inactive as long as the input is present.
Deactivate output with an alarm - The output is inactive when the specific alarm is
activated. The output is inactive for the length of pulse time.
Use menu actions ( Edit and Delete) to manage the list.
Deactivators

4.3.1.6.4 Schedules
Schedules view displays information about output's open/closed schedules. Select Edit action
to update these parameters.
Open Schedules - The output is active in the interval set by the schedule if the access
schedule parameters checking yields positive result.
Activation by Anti-pass back zone - Open schedules can have an additional parameter,
named Anti-passback Zone. By selecting this option, an additional rule is added which
will check for present employees and prevent output activation by schedule if nobody is
present.
Closed Schedules -The output is inactive in the interval set by the schedule.
Schedules
Note: Please note that output deactivators have higher priority than output activators,
meaning that during the specified time the entry through that reader is not allowed,
regardless of other settings. Outside these intervals, the door will be opened upon valid
requests or it will be permanently open, if so set.
Advice: Access schedules are defined in Time&Space Manager.

Main views 73
4.3.1.6.5 Advanced
Advanced view displays the list of output's advanced parameters. These additional
parameters represent options, which are useful in some specific situation. Select Edit action
Enable Toggle mode - If this option is selected, a positive registration or input status
changes output state (On/Off) without a timed change back to the original state.
Furthermore, the functionality can be limited by selecting one or more periods.
Advanced param eters
Warning: Open Schedules option will be disabled due to the usage of Toggle mode.

4.3.1.7 Alarms
Alarms view displays the list of device's alarms with some basic information. The devices
continually monitor the state of their alarm inputs and immediately inform the supervising
software about all changes. Alarm triggers are usually door open sensors, emergency entry/
exit buttons, IR detectors, temper switch, etc.
Use menu actions ( Add and Delete) to manage the list or click on output's name to
access detailed information about the specific alarm.
Alarm s view

Main views 75
4.3.1.7.1 General
Alarm details view displays information about the specific alarm. Select Edit action to update
these parameters.
Name - Name of the alarm.

Description - Short description with additional information about the alarm.
Type
Standard (On input) - The alarm is activated if the input is active.
On deactivated output (Open Door) - The alarm is activated if the input is still active
after output deactivation.
On activated input (Forced Door) - The alarm is activated if the input is active and
output is inactive.
Unauthorized access attempt - The alarm is activated if a user without access rights
makes registration.
Unsuccessful user authentication - The alarm is activated if a user authentication is not
successful (e.g. invalid PIN, unmatched biometric verification).
Access granted - The alarm is activated when access granted event happens on the
controller.
Group - Alarm group defines some additional settings, which are used upon alarm
activation.
Area - If the area is assigned, the operator must have appropriate permissions to view the
alarm. Note that if the area is not selected, the alarm will be viewable to all operators
without restrictions.
Alarm details

4.3.1.7.2 Triggers
Triggers view displays information about triggers for selected alarm. Trigger(s) must be
defined because they are responsible for the activation of the alarm. The type of available
triggers depends on the alarm type:
Standard (on input) - Triggered by the state change of specific input.

Conditioned by output deactivation (Open door) - Triggered by the state change of
specific input and output.
Conditioned by output activation (Forced door) - Triggered by the state change of specific
input and output.
Unauthorized access attempt - Triggered with the specific registration (e.g. rejected
access due to invalid access profile) on the reader.
User authentication failed - Triggered with the specific registration (e.g. rejected access
due to invalid PIN or unmatched biometric verification) on the reader.
Alarm triggers

Main views 77
4.3.1.7.3 Conditions
Conditions view displays information about alarm's deactivation periods. This means that the
alarm is not triggered if the schedule conditions are met. The user can specify one or more
conditions on a single alarm definition. Select Edit action to update these parameters.
Conditions view
Warning: This functionality requires Zone Wing application version 2.50 or higher.
Advice: Access schedules are defined in Time&Space Manager.

4.3.1.7.4 Advanced
Advanced view displays additional information about the specific alarm. Select Edit action to
Delay - If the delay value is set, an alarm will always be activated with a specified time
delay. Maximum delay time is limited to 255 seconds.
Reactivation time - If reactivation value is set, defined time will pass between two
messages received by the operator if alarm triggers are still active (e.g. if the operator
deactivates the alarm manually after being warned about an alarm event, but the alarm
state continues after the end of the reactivation time, the alarm will go off again). The
default value is set to 0, meaning that the alarm message will not be repeated. Maximum
reactivation time is limited to 9990 seconds.
Automatically Deactivate - If this field is checked, the alarm will be deactivated
automatically once the alarm's trigger becomes inactive. Regardless of this setting, the
operator can manually deactivate an active alarm by clicking the Deactivate button. If this
field is not checked, the alarm can be deactivated only from the computer.
Advanced view

Main views 79
4.3.1.8 Connected Devices

Connected Devices view displays the list of connected devices on the specific Wing device.
The entity (Zone Door or Aperio Lock) holds the configuration parameters (readers/inputs/
outputs) for the device. Use menu actions ( Copy, Add and Delete) to manage the list
or click on the name of connected device to access the detailed information.
Zone Doors view
Note: Up to 32 Zone Doors units can be connected to a single Zone Wing device.

4.3.1.8.1 Zone Door general
Unit details view displays information about the specific Zone Door. Currently the following
predefined door types are available:
2 Readers/ 2 Inputs / 4 Outputs,

1 Reader / 6 Inputs / 4 Outputs,
4 Readers / 6 Inputs / 8 Outputs (OSDP readers only).
Select Edit action to update these parameters.
Name - Name of the unit.

Description - Description is a free text field where additional information can be stored.
Address - Zone Door communicates with the Wing over CAN bus, thus it must have the
appropriate address (0 -31) defined.
Zone Door details
Important: The Zone Door type must match Zone Door's FW edition to be fully
operational.
4.3.1.8.2 Zone Door schema
Schema view displays information about Zone Door's pin configuration. Select Edit action to

Main views 81
Schem a for 2 Readers/ 4 Inputs / 2 Outputs
If needed, change the schema configuration for the available pins.
Schem a settings
Important: Schema software configuration must match the hardware configuration.

4.3.1.9 Anti-passback
Anti-passback (APB) view displays the list of APB zones valid for a selected device. The zone
can consist of one or more APB rules. APB rule is a security mechanism preventing an access
card or similar device from being used to enter an area a second time without first leaving it
(so that the card cannot be passed back to a second person who wants to enter). If more
than one APB rule is defined on one zone, all of them must be fully filled before a user can
pass.
Use menu actions ( Add and Delete) to manage the list or click on zone's name to access
detailed information about the specific zone.
Anti-passback view

Main views 83
4.3.1.9.1 General
Anti-passback details view displays information about the specific zone. Select Edit action to
Name - Name of the zone.

Duration (min) - If enabled the list of violators is reset after the specific time period.
Start Time (timestamp) - If set, all users will be able to exit an anti-passback zone up to
that timestamp (exiting a zone is defined as performing a registration on a reader
configured as an exit reader for that anti-passback zone). After the timestamp, the anti-
passback will come to full effect. Please note that this applies only to anti-passback
restrictions. All of the other security restrictions (profiles, schedules, etc …) are not affected
by this parameter. The timestamp must be in the appropriate format.
Maximum Occupancy (number) - If enabled the max. number of concurrent users in the
zone is limited to the entered value.
Verification
Entry only – APB rule is active on entrance (the device will not accept two subsequent
entry attempts).
Exit only – APB rule is active on exit (the device will not accept two subsequent exit
attempts).
Entry and Exit – APB rule is active on entrance and exit (the device will not accept two
subsequent entry or exit attempts).
Anti-passback zone details
Warning: Start Time functionality requires Zone Wing application version 2.70 or higher.

4.3.1.9.2 Readers
Readers view displays a list of readers with verification type. Use menu actions ( Add and
Delete) to manage the list.
Anti-passback zone readers

Main views 85
4.3.1.10 Advanced
Advanced view displays the list of device's advanced parameters. These additional
parameters represent options, which are useful in some specific situation. Select Edit action
Max Response Time - This option defines how long the device should wait for Event
Processor service to respond when sending data that need to be confirmed. If the server
does not respond within the specified time, the terminal will switch to off-line mode. The
default value is 30 seconds. Increase this value if your computer or network communication
is slow (the default value may be too short in such situations).
Profile Update Priority - This option is used to defined custom update priority of access
profiles for a specific device. Value 0 represents the highest priority.
Offline Registrations - If this option is set to Standard, the device will stop collecting
registrations when the buffer is filled up. If set to Cyclic, it will overwrite the old
registrations using FIFO (first in, first out) mode.
Enable Profiles - If this option is not selected, this reader will ignore users access profiles.
Enable Notifications - If this option is not selected, an email notification will be generated
when device's status goes to Offline.
Badge Encoding
Legacy mode - The Legacy mode does not change the badge string returned from the
device.
Default mode - The user can alter the badge string by appending Badge Number and
Facility Code but cannot change the length of these parameters.
Advanced mode - The user can alter the badge string by defining the length of Badge
Number (min 1 and max 16) and Facility Code (min 1 and max 6).
Advanced view

4.4 Live Log

Live log view displays communication messages between devices and Event Processor. Use
actions Clear/Freeze to manage the data log.
Live Log view
Tip: Messages are updated only when the view is opened in the browser.

External configuration 87
5 External configuration
The chapter covers settings which are used in the module but are configured elsewhere. At
the moment the following external settings exist:
Alarm groups,
Area tree,
Email notifications,
Update access profiles.

5.1 Alarm groups

Alarm group specifies how alarms are processed in the system thus the group must have a
component when creating alarm definitions on the device. The groups are managed by the
Visual Space Manager. See Visual Space Manager User's Manual for more details.
Alarm group edit dialogue in VSM

5.2 Area tree

Time&Space system offers a possibility for hierarchical classification of devices (readers,
outputs, alarms) according to natural criteria (e.g. geographical location). Areas located
higher on the organizational structure include subordinated zones, which help the system to
preserve space topology. If an area is set on the device level, this criterion will apply to all
sub-entities (readers, outputs, alarms). Separate area units can be set to each sub-entity
(readers, outputs, alarms) if the area is not set on the device level. Area tree is managed in
the Time&Space Manager. See Time&Space Manager user's manual for more details.
Area editor in Tim e&Space Manager

5.3 Email notifications

There are two types of email notifications available in the module, Offline Devices notifications
and Alarm notification. To receive the notifications, Email notification service must also be
configured in the system.

5.3.1 Email notification service

Service checks email notification requests in Time&Space database on a specified interval and
sends email messages to the recipients using SMTP protocol. See Time&Space Manager
User's Manual, chapter Notification Service for more details.

5.3.2 Alarm notifications

If you want to send an email when the alarm is activated, set up the notification parameters
on the alarm group which is linked to a selected alarm.
Enable alarm e-mail notifications - If this option is selected, the notifications are enabled
and Sender and Recipients fields become editable.
Sender - Enter sender's email address.
Recipients - Enter email addresses for recipients who will receive notifications.
Notifications settings on Alarm group edit dialogue in VSM
Subject and body of the message can be customized by changing parameters in Event
Processor's configuration file, section <notifications>.
<notifications>
<controller contentType="text/html charset=UTF-8" sender="example@spica.com"
recipients="example@spica.com" subject="Controller {NAME} (ID: {CUSTOMID}) is offline."
body="Controller {NAME} (ID: {CUSTOMID}) at {CONNECTION.ADDRESS}:{CONNECTION.
PORT} is offline."/>
<alarm contentType="text/html charset=UTF-8" subject="Alarm {NAME} has been
triggered!" body="Alarm {NAME} (ID: {CUSTOMID}) has been triggered on controller
{CONTROLLER.NAME}."/>
</notifications>
Tip: The groups are managed in the Visual Space Manager. See Visual Space Manager
User's Manual for more details.

5.3.3 Offline controllers notifications

By selecting Enable Notifications under Advanced settings, an email notification will be
generated when Device's status is changed to Offline.
Email address of the sender and recipients are set in Event Processor's configuration file,
section <notifications>. Subject and body of the message can be customized if needed.
<notifications>
<controller contentType="text/html charset=UTF-8" sender="example@spica.com"
recipients="example@spica.com" subject="Controller {NAME} (ID: {CUSTOMID}) is
offline." body="Controller {NAME} (ID: {CUSTOMID}) at {CONNECTION.ADDRESS}:
{CONNECTION.PORT} is offline."/>
<alarm contentType="text/html charset=UTF-8" subject="Alarm {NAME} has been
triggered!" body="Alarm {NAME} (ID: {CUSTOMID}) has been triggered on controller
{CONTROLLER.NAME}."/>
</notifications>

5.4 Update access profiles

Access profile is the list of reader's accessible to some user or, to be more precise, to a holder
of an ID badge to which that specific access profile has been assigned. Accurate access
permissions are crucial information in every access control system. To automate the update of
access profiles in the module, an additional parameter (address and port of Event Processor
or Space API) must be set in Time&Space Manager.
Space options in Tim e&Space Manager
Advice: Since the information is stored in the database, it must be set only once.

5.5 OSDP readers

There are two connection types for OSDP readers depending on controller type:
Spica Zone Wing - OSDP readers connected to RS485 connector on Zone Door unit
This option is exclusively connected with Zone Door schema, named 4 Readers / 6
Inputs / 8 Outputs (OSDP readers only).
Support for 4 readers (HID OSDP v2) per Zone Door unit.
Reader type is set to OSDP.
Zone Wing application ver. 2.40 or higher is required.
Zone Door FW ver. 1.3.0 or higher is required.
Spica Zone Wing - OSDP readers connected to RS485 connector on Zone Wing unit
Support for 4 readers (HID OSDP v2) per Zone Wing unit.
Reader type is set to OSDP Secure.
Zone Wing application ver. 2.80 or higher is required.
Spica Zone Spot - OSDP readers connected to RS485 connector on Zone Spot unit
Support for 4 readers (HID OSDP v2) per Zone Wing unit.
Reader type is set to OSDP Secure.
Zone Spot application ver. 2.80 or higher is required.

5.5.1 Connecting OSDP readers to Zone Door unit

To properly connect OSDP readers to Zone Door unit, execute the following steps:
Make sure that the appropriate application version is present on Zone Wing (Application
ver. 2.40 or higher is required).
Make sure that the appropriate FW version is present on Zone Door (FW ver. 1.3.0 or
higher is required).
Connect Zone Door unit to Zone Wing. Refer to Zone Wing&Door User's Manual for more
information.
Connect OSDP reader to RS485 connector on Zone Door unit. You can use PSUP/PGND
connectors to power up the reader.
Configure reader's RS485 channel (ranging from 0 to 3) using HID configuration card. Keep
in mind, that each reader must be on the dedicated address.
Add Zone Wing device to the system.
Add Zone Door (type 4 Readers / 6 Inputs / 8 Outputs (OSDP readers only)) to the Zone
Wing.
Zone Door schem a for OSDP readers

5.5.2 Connecting OSDP readers to Zone Wing device

To properly connect OSDP readers to Zone Wing device, execute the following steps:
Make sure that the appropriate application version is present on the device (Application
Connect Zone Door unit to Zone Wing. Refer to Zone Wing&Door User's Manual for more
information.
Connect OSDP reader to RS485 connector on Zone Door unit. You can use PSUP/PGND
Add Zone Wing device to the system.
Add Zone Door schema configuration (type 2 Readers/2 Inputs/4 Outputs or 2 Readers/4
Inputs/2 Outputs) to the Zone Wing.
Add a new reader on the device with the following configuration:
Type - Select OSDP secure type.
RS485 Address - Select the appropriate address (ranging from 0 to 3) which will match
reader HW configuration.
OSDP key - Insert 32 characters long hexadecimal string (characters [a-fA-F0-9]) which
is used to encrypt the communication.
User interface - Select Reader only type.
Assign the appropriate event on the reader's interface.
OSDP Secure reader properties

5.5.3 Connecting OSDP readers to Zone Spot device

To properly connect OSDP readers to Zone Spot device, execute the following steps:
Make sure that the appropriate application version is present on the device (Application
Connect OSDP reader to RS485 connector on Zone Spot unit. You can use +12/GND
Add Zone Spot device to the system.
Add a new reader on the device with the following configuration:
Type - Select OSDP secure type.
RS485 Address - Select the appropriate address (ranging from 0 to 3) which will match
reader HW configuration.
OSDP key - Insert 32 characters long hexadecimal string (characters [a-fA-F0-9]) which
is used to encrypt the communication.
User interface - Select Reader only type.
Assign the appropriate event on the reader's interface.
OSDP Secure reader properties


6 3rd party devices
6.1 Aperio
DAP supports both Aperio hub variations, IP communication hub (Aperio AH40) and RS485
communication hub (Aperio AH30) in combination with Zone Wing.
The Aperio AH40 system is used in the following way: The user holds an RFID card in front of
the lock. The lock sends card credentials wirelessly to the Communication Hub and the
Communication Hub (wired through Ethernet) then communicates with Time&Space system.
Time&Space system then makes the access decision. The decision is sent via the
Communication Hub to the lock and access is granted or denied.
The Aperio AH30 system is used in the following way: The user holds an RFID card in front of
the lock. The lock sends card credentials wirelessly to the Communication Hub and the
Communication Hub (wired through RS485 via Zone Wing) then communicates with
Time&Space system. Time&Space system then makes the access decision. The decision is
sent via Zone Wing and the Communication Hub to the lock and access is granted or denied.
The biggest difference between Aperio AH40 and Aperio AH30 system in the operational
mode, the AH30 in combination with Zone Wing can work in online/offline mode while the
AH40 works only in online mode. The online/online mode relates to the communication
between a hub and access control system.

3rd party devices 101
6.1.1 Mounting
Aperio hub must be installed into a junction box ex European 2-Gang, Aperio bottom cover or
with Americas adaptor plate to junction box.
Placem ent of the Hub, 1-8 doors

AH40 - Connectors
J201 (Ethernet connector) - Connection to the Electronic Access Control system through a
10BASE-T / 100BASE-TX Local Area Network. Can also be used for power supply if
connected to a IEEE 802.3af compliant Power Sourcing Device (PSE). Wire requirements
CAT5 or higher.
J321 (Power supply input) - 8-24 V DC. The power supply shall be a Limited Power
Source (LPS) according to EN 60950-1. The power supply shall be 3A over current
protected. Wire requirements 16-22 AWG.
AH40 - Connectors
Note: When PoE (Power over Ethernet) is used, no power supply may be connected to
J321.

AH30 - Connectors
A - RS485 Data A connected with 485A connector on Zone Wing.

B - RS485 Data B connected with 485B connector on Zone Wing.
GND - Signal ground. Should be connected to EAC system GND and power supply GND.
8-24 VDC - Power supply input, 8-24 V DC. The power supply shall be a Limited Power
Source (LPS) according to EN 60950-1. The power supply shall be 3A over current
protected. Wire requirements 16-22 AWG.
AH30 - Connectors
Note: Hub's RS485 address can be set by using the deep switch (A0-A4) or Aperio
Programming Application. For more information about deep switch addressing, see Aperio™
Hub AH20/AH30 Installation Instructions.

Aperio Communication Hub LED Indications
The Communication Hub has a status LED visible through the front cover. It supports optical
schemes with red, green and yellow. The indication schemes are described by the figure
below:
Hub LED indicators

6.1.2 Aperio Programming Application

Programming Application is used for the configuration of a door installation. It is installed on a
laptop. The laptop has an Aperio USB radio device connected to one of its USB ports. The USB
radio device enables the application to connect via a Communication Hub to the door lock.
Read more in the Aperio Online Programming Application Manual.
Check list for pairing and configuration of locks/sensors and com m unication hubs

An installation is a password protected set of settings you need when you want to
communicate with a hub and/or a lock. The installation is linked to an encryption file that is
needed in order for the communication to work. (The encryption key file is provided by your
local ASSA ABLOY company via encrypted e-mail or on a USB memory stick.)
Insert the USB Radio dongle and start the Aperio Programming application.
Select File > New installation... in the Programming Application menu.
Enter a name for the installation, a password containing at least 8 characters of which at
least one upper and lower case character and a number. Finally click the button in the Key
file field to add the Encryption key.
New installation
Click Create
Warning: Proper handling of encryption keys is essential to lock/sensor security! It is

absolutely necessary to use the customer encryption key by setting all communication hubs
and locks/sensors in Customer mode to ensure a secure and encrypted communication with
the lock/sensor.

6.1.2.1 Managing IP communication hub

To scan for communication hubs, click Quick Scan (F7). Locate a communication hub by the
last four characters of the communication hub MAC address (ex. 01CF) in the scan result
table. The same characters should be on a label on the cover of the communication hub.
Scan results

Select the communication hub(s) to be included in your installation. Click Show details to
view detailed information.
Hub details
To establish communication in DAP with a hub, you need to set up hub's IP address and
ACU settings.

6.1.2.1.1 IP Address
Right click on the hub and select Communication hub > Change IP Address.
Change IP Address

Update or fill in the IP address of the communication hub. Click OK and the new IP address
will be applied in the communication hub, and the IP communication will be restarted using
the new IP address. This parameter is used in DAP (named Hub Address) when configuring
connection to the hub.
IP address settings

6.1.2.1.2 ACU Settings
Right click on the hub and select Configure... to open Configure Communication Hub
wizard and select Next.
Configure Com m unication Hub

Select Change... option in ACU Settings section.
ACU Settings

Set the following parameters for the communication with access control system.
Address: Network address of the access control system on the network.

Port: The TCP port of the access control system use for communication. This parameter is
used in DAP (named Local port) when configuring connection to the hub. Default value is
9990.
Enable TLS - This setting provides secure communication between the access control
system and the IP communication hub. This option must be enabled.
ACU Settings Dialogue
Note: Make sure that a valid TLS certificate is present in the DAP system (Default location
for certificates is C:\Program Files (x86)\Spica\TimeSpace\Device Communicator\Certificates).

6.1.2.2 Managing RS485 communication hub

To scan for communication hubs, click Quick Scan (F7). Locate a communication hub by the
last four characters of the communication hub MAC address (ex. 01CF) in the scan result
table. The same characters should be on a label on the cover of the communication hub.
Scan results

Select the communication hub(s) to be included in your installation. Click Show details to
view detailed information.
Hub details
To establish communication in DAP with a hub, you need to set up hub's RS485 address
and ACU settings.

6.1.2.2.1 RS485 Address
Right click on the hub and select Communication hub > Change EAC Address.
Change IP Address

Set RS485 address (from 1 to 63) of the communication hub if not set with deep switch.
Click OK and the new RS485 address will be applied in the hub. This parameter is used in
DAP (named lock Address) when configuring locks on the Zone Wing.
RS485 address settings

6.1.2.2.2 Remote unlock
To enabled remote unlock of the lock from the system (e.g. Visual Space Manager), additional
settings are required on the hub and lock. This functionality requires Zone Wing application
version 2.80 or higher.
Remove unlock parameter must be enabled on the hub. Right click on the hub and select
Communication hub > Configure. Click Next until the menu appears. Click Change for
Remote Unlock option and set value to 1 minute.
Rem ove unlock settings

Pooling interval parameter must be enabled on the lock. Polling interval decides how often
the lock wakes up and connects to the communication hub to check for information from the
system. Right click on the lock and select Lock/Sensor > Configure. Click Next until the
menu appears. Click Change for Pooling interval option and set the value to the desired
interval. The default polling interval in the lock is 10 seconds.
Pooling interval settings
Warning: The polling interval can have a significant effect on the battery lifetime. The
lower value will result in more response remote unlock action but will also have a negative
effect on the battery. Consult with you local Aperio supplier about the most optimal
parameter value for your installation.
Note: This setting only applies for V3 locks.

6.1.2.3 Pairing Locks with communication hub

Right click on the hub and select Communication hub > Pair with lock or sensor.
Pair w ith lock or sensor

The pairing process starts. Hold the credential at the lock, or engage the magnet for the
sensor to pair the hardware with the communication hub.
Paring process
The result is displayed.

Paring process results

Hub details with paired locks. Remember lock IDs because they are needed for lock
configuration in DAP.
Hub details w ith paired locks

6.1.3 Aperio AH40

Product description
For connection to EAC system via IP/Ethernet connection.

Allows to connect up to 16 Aperio™ devices on a single hub.
Integrated antenna with the option to mount an external antenna.
Encrypted radio communication.
TCP/IP communication encrypted using TLS 1.1/1.2.
Powered using Power over Ethernet (PoE) or external power supply.
AH40 is certified to be used with ASSA ABLOY external antenna AH ANTENNA 1. If other
external antenna is used it must be of same type (dipole) and not have larger antenna gain
than 3,9dBi.
For standard electrical installation boxes.
LED for status visualisation.
Aperio hub and lock
Follow the HW Configuration and SW Configuration section to set up the terminal properly in
DAP.
Warning: There are some limitations for the integration of Aperio AH40 hub in
Time&Space system:
Locks works only when the device is enabled and accessible in the system. Operation in
offline mode is not supported.
Low battery alarm can be automatic or manually deactivated because the lock sends
deactivation packet to the system.
Force door and open door are software alarms, meaning they are triggered by DAP and not
by the lock, therefore they must be confirmed and deactivated in Visual Space Manager.

6.1.3.1 Add Aperio AH40 device configuration

1. Go to Devices view, select New Device action and select Aperio AH40 device type.
Continue by selecting Next button.
Add new Device dialogue
2. Edit the Name, ID, Description and Area parameter if needed and continue by selecting
Save and Create Connection button.
Device's General Settings

3. Enter device's IP address and communication port and continue by selecting Create
Connection button.
TCP Connection param eters
4. When the connection parameters are saved, you are placed to Connection view. Continue
by selecting Locks view from the tree.
Connection view

5. Select Add button from the menu to add lock configuration.
Locks view
6. Enter Name, Identification no. and select appropriate lock type and continue by selecting
Save and Generate Schema button.
New lock dialogue
Note: You can add up to 16 locks on a single hub.

7. Navigate to General view. Select Enable connection button to start up the communication
with the terminal.
Enable connection
8. When the communication is enabled, the status is updated to Online and predefined
configuration is sent to the terminal.
Online device
Warning: Make sure you also check and configure Customizable Application Parameters
related to Aperio AH40 device.

6.1.4 Aperio RS485

The AH30-3-0 Communication Hub is the link between Aperio locks and the existing access
control system. Up to 8 locks can be paired to one Hub and has a standard RS485 connection,
making it compatible with most systems on the market today. It communicates directly with
Aperio enabled locks via an encrypted 2.4GHz wireless link, and is designed to be positioned
above the door within approximately 5 -25m of the lock.
Product description
Connect up to 8 Aperio devices on a single hub.

RS485 interface.
Encrypted radio communication.
Integrated antenna.
LED status for visual indication.
Internal doors only.
Operates on a transmission range of about 25 meters.
Aperio AH30 hub
Warning: There are some limitations for the integration of Aperio AH30 hub in
Time&Space system:
A single Zone Wing can manage up to 16 Aperio AH30 hubs. Further on, the maximum
number of Aperio locks per Zone Wing/AH30 hubs combination is limited to 21.
Force door and open door are software alarms are supported only on the following locks:
L100, AS100 and KS100.
This functionality also requires an appropriate update on the hardware side, Zone Wing
application ver. 2.60 or higher is required.

6.1.4.1 Add lock configurations to Zone Wing

1. Go to Devices view, select New Device action and select Spica Zone Wing device type.

3. Enter device's IP address and communication port and continue by selecting Create
Connection button.
by selecting Connected Devices view from the tree.
Connection view

5. Select Add Aperio Lock from the menu to add lock configuration.
Connected Devices view
6. Enter Name, address and select appropriate lock type and continue by selecting Save
and Generate Schema button. Predefined readers, inputs and outputs will be created
according to the selected lock type.
New lock dialogue
Note: You can add up to 21 locks on a single Zone Wing.

with the terminal.
Enable connection
Online device
related to Zone Wing device.


6.2 Assa Abloy Visionline

Integration to enable management of all staff access rights for all offline and online locks
within a hotel environment through a single system (Back-of-House and Front-of-House).
Access rights to all doors will be through a common system, while the guest administration is
operated separately through the PMS (Package Management System). For non-hotel
applications (education/healthcare/etc.), other systems will replace the PMS (Property
Management System), but the principle of operation remains the same.
Access control rights on all access points for employees (Time&Space, Visionline) are
managed through a single software interface (Time&Space).
Any card encoding for RFID cards for Visionline locks are programmed through a desktop
encoder, with a desktop reader used for reading unique card ID’s from cards for use in the
T&S badging system.
Any ‘online’ distribution of access rights to VingCard locks will be prompted from T&S but
actioned through Visionline.
Integration architecture

Visionline
Add Assa Abloy Visionline device in DAP
Set up card reading option in Time&Space Manager
Adding access profiles to users

6.2.1.1 Visionline
Install Visionline (version 1.18.1.7 or newer) and configure Devices (Encoder/HCU/ZigBee
Gateway), Doors and Door Areas. Check Visionline user's manual for more details.
Device dialogue
Go to Tools\Options, select Online\Miscellaneous chapter and enable Enable Online

option.
Enable Online system option

Go to Tools\Options, select Events chapter and enable Store events from Moving Log in
the database option.
Events system option

6.2.1.2 Add Assa Abloy Visionline device in DAP

1. Go to Devices view, select New Device action and select Assa Abloy VisiOnline device
type. Continue by selecting Next button.
Create device button.

3. A number of reader entities on this device must correspond with the number of locks on
the gateway. Further on, the reader's ID must be updated with Lock's DoorID. The DoorIDs
are visible in System Monitoring tool.
Online Netw ork view in System m onitoring tool
Reader's ID updated w ith Lock's DoorID
4.

Make sure that Enable Profiles is enabled on this device on Advanced device settings.
Enable Profiles property
5. The Time&Space part of the Visionline integration is mostly covered by the Device
Communicator component. Edit its configuration file where individual settings are explained.
6. Select Enable connection button to start up the communication with the device.

6.2.1.3 Set up reading card option in Time&Space Manager

To add correct card numbers in the system, add the card reading option in Time&Space
Manager. When Read Badge button is selected on the Select Badge dialogue, the Visionline
encoder starts the reading process, and if a card is presented, the card serial number is
shown in the badge number field .
Read Badge button

To enable this button, do the following:
• Get an ID (e.g. CAC8E5FD72E7E646A825A70B01480963) from EC_Readers table for a

reader on Visionline device. You can execute the following query:
select ER.ID
from EC_REA DERS ER, EC_CO N TRO LLERS EC
w here EC.ID=ER.CO N TRO LLER_ID a nd EC.N A M E='A ssa A bloy V isionline'
• Open Registry Editor and go to HKEY_CURRENT_USER -> SOFTWARE -> Spica -> TimeSpace
-> Common and create a new String Value with the following parameters:
Name =SpaceAPIReadCardURL
Value =HTTPS://<SpaceAPI address>/Badges/?readerId=<reader's ID from step 1>
Registry exam ple for Read Badge button
Restart the Time&Space Manager for changes to apply.

6.2.1.4 Adding access profiles to users

After the badge is assigned to a user, go to Profile view and add the Visionline reader(s) to
the user‘s access profile. To save the changes, select OK button. Once again, the assigned
card must be presented on the encoder to encode it.
Removal of the assigned access profiles is currently possible only from Visionline system.
Access profile for Visionline reader
Note: At the moment, the management of access profiles for multiple users is not
available.

6.3 Iris ID
The iCAM7000 series is the newest generation in the iCAM series and is completely
compatible with the prior iCAM4000 series solution deployed worldwide. IrisAccess, now in its
fourth generation, has even more features and functionality with greater integration
flexibility.
Iris ID’s biometric solutions provide highly accurate, non-contact identification by the iris of
the eye from 14 inches away while delivering security, convenience, privacy and productivity
to millions of people around the world. The iCAM7000’s versatility and flexibility allows for
easy integration with many Wiegand and network based access control, time and
attendance, visitor management and point of sale applications.
Every iris pattern is unique and stable for life and since there are more readily measurable
characteristics in the iris, iris recognition is regarded to be the most accurate, fastest, and
scalable option for both small and large scale biometric deployments. Other biometric
modalities such as fingerprint, hand, voice, vein and facial characteristics can often vary and
change over time or with use conditions.
the system.
Iris ID
Warning: There are some limitations for the integration of Iris ID terminal in Time&Space
system:

Currently only data collection of Time&Attendance events is supported. Events are pulled in
off-line mode according to Pull events time out.
Template enrolment is supported within Time&Space system.

To perform the configuration you need to connect and power up a device. This manual
includes only the most important steps for more details please refer to iCAM7000 Hardware
Guide .
Mounting and Wiring

Static IP Address
iCAM Manager SDK Installation
iCAM Configuration
Advice: See iCAM7000 Hardware Guide for more details.

6.3.1.1 Mounting and Wiring

The recommended mounting height for the iCAM7 series is 138cm (54.3 inches) from the
floor to the bottom of the unit. This mounting height can be adjusted to accommodate the
height of the average user at the installed location.
High amounts of ambient light must be avoided. Intense light sources such as sunlight or
halogen lamps may reduce the image capture performance of the iCAM which may result in
an increased “Failure to acquire” rate.
The iCAM is not weatherproof and must not be exposed to precipitation or extreme
temperatures. A 3rd party enclosure may be used to protect the unit if required. See www.
irisid.com – Support & Service for more information.
Device m ounting

Device w iring


1. Set the computer to the static IP of 192.168.5.250 (subnet 255.255.255.0).
2. Open the web browser and enter http://192.168.5.100 in the address bar then press
ENTER. The iCAM login screen will appear.
iCAM Configuration login
3. Enter the default Username: iCAM7000 and Password: iris7000 (both are case
sensitive). This credentials are also need when setting connection parameters in DAP.
4. The iCAM Startup Screen will appear.

5. Enter the desired IP address data of the iCAM7000 series camera unit. A selection to
enable or disable IP announcement will also be available (set by default as active -
Recommended ).
IP Address – Enter IP address.

Subnet Mask – Enter Subnet address.
Default Gateway – Enter Gateway address.
Start up screen

6.3.1.3 Update iCAM Application

iCAM700 Update is an application utility that allows for new installation of iCAM Manager
software on iCAM7000 for operational modes compatible with the iCAM Manager SDK. The
utility is designed to update the iCAM7000 Series software to a version that is compatible
with this SDK. Once properly updated, an operational mode called “iCAM Manager” will be
available on the iCAM. This “iCAM Manager” mode is the required mode for communication and
usage with the iCAM Manager SDK.
The Find iCAM7000s button function can be used instead of the manual Add function if
desired. It will search the network for available iCAM7000 units and display them in the list.
To perform this process Click on Find iCAM7000 button or select Find ICU7000s option from
Program menu (Network settings, windows firewall, available ports, routers, and anti-virus
applications can block the applications ability to find/detect ICU7000s on the network.)
Select the New Installation button or select New Installation option from Program menu.
iCAM7000 Update
Advice: iCAM7000Update software utility can be found on Time&Space distribution media

(...Server\IrisID\iCAM7000Update).

6.3.1.4 iCAM Operation mode

When iCAM Manager Mode is selected, the iCAM software can be communicated to and
controlled by custom developed applications. The iCAM also is self-controlled and iris template
creation and matching is performed inside the iCAM. This mode provides (based on the
custom application) the ability to enroll, store, output, and match iris templates inside the
device.
In order for the custom application to connect to the iCAM when is in iCAM Manager Mode, the
below information is required to be entered for the camera and in the controlling application:
Security ID - Enter a unique security ID for this unit (16 character requirement). By default
the id is set to "1111111111111111" .
Operation m ode
Warning: Make sure you have updated iCAM Manager software on device for operational
modes compatible with the iCAM Manager SDK.

SW configuration process includes the following steps:
Activate iCAM SDK licence

Add device configuration in DAP

6.3.2.1 Activate iCAM SDK licence

A valid license key file (.xml) must be imported before using Iris ID device in DAP application.
Use the License Viewer application to import licenses. Contact your HW provider for more
information about iCAM SDK licence.
Iris ID License
Note: Since iCAM SDK is installed with DAP setup, the licence must be activated on the
workstation running Event Processor service.
Advice: Licence Viewer application can be found on Time&Space distribution media (...
Server\IrisID\License Viewer).

6.3.2.2 Add device configuration in DAP

1. Go to Devices view, select New Device action and select Iris ID iCAM 7000/7100 device

3. Enter terminal's static IP address, Username, Password and Security ID and continue by
selecting Create Connection button.
Warning: Username and password are both case sensitive.
by selecting General view from the tree.
Connection view

5. Select Enable connection button to start up the communication with the terminal.
Enable connection
Online device
related to Iris ID terminal.

6.4 Morpho Sigma

MorphoAccess® SIGMA Series provides an innovative and effective solution for access control
applications using Fingerprint Verification or/and Identification. Among a range of alternative
biometric technologies, the use of finger imaging has significant advantages: each finger
constitutes an unalterable physical signature, developed before birth and preserved until
death. Unlike DNA, a finger image is unique for each individual - even identical twins.
Designed for physical access control applications, MorphoAccess® SIGMA Series terminals
feature a compact, attractive design, coupled with high reliability and security. These 5th
generation terminals are both robust and easy to use for a variety of applications, including
office, headquarters and administrative building security, as well as protection of external
access points.
DAP.
Morpho Sigm a
Warning: There are some limitations for the integration of Morpho Sigma terminal in
Time&Space system:
By default, the maximum size of SIGMA series terminal database is limited to 3,000 user
records (with two fingers per user record). In combination with Time&Space system, user
records are translated to assigned user badges with a valid access profile (e.g. User with
two badges and a valid access profile will spend 2 user records on Sigma device.). User
licenses can be installed for extending this maximum database limit.
For all events (Time Attendance and Access Control) a valid access profile is necessary for
the registration on the terminal.
Only one access schedule per reader can be defined on user's access profile.
Only access schedules with ID from 1 to 58 can be used on Sigma terminal.
Access schedules on Morpho Sigma are determined on 15 minute intervals. “From value” is
rounded upwards (e.g. 8:17 -> 8:30) while “To value” is rounded downwards (e.g. 8:17 ->
8:15).
Open Door and Forced Door alarms cannot be disabled in Visual Space Manager, because
trigger must be disabled on hardware.

Sigma terminal do not support the option for disabling fingerprint verification for a specific
user in Time&Space Manager. Fingerprint verification has to be managed through Biometric
Administration Portal.
Valid From parameter which can be set on the badge is not supported on Sigma device.
Only date from Valid To parameter is considered if set on the badge.
When changing a time zone parameter in DAP to the zone before the current one (e.g. -
10:00), then the event log must be cleared from device using MorphoBio ToolBox.

To perform the configuration you need to connect and power up a device. See Sigma
Administration user's manual for more details.
Power Supply Interface
POE and external power supply are not used at the same time: if both power supplies are
used, priority is given to the external power supply. If the external power supply is shut
down, switch to POE without reboot is not guaranteed.
External power supply
Must comply with CEE/EEC EN60950 standard. It is strongly recommended to use class II
power supply at 12V-24V and 1A min (at 12V). Could be provided by a 12 Volts Wiegand
power supply, which complies with the Security Industry Association's Wiegand standard
March 1995.
Power over Ethernet
MorphoAccess® SIGMA Series terminal's power supply can also be provided by the Ethernet
using RJ45 connection (Power Over Ethernet mode). When the terminal is connected to the
network by the RJ45 connector (ref RJ45/POE on Figure 5: MorphoAccess® SIGMA Series
Terminal Rear View Diagram), it allows either the power supply over the Data pins or over the
spare pins, But when the terminal is connected to the network by the Ethernet connector
block (Figure 5), only power supply over the data pins is possible.

Morpho Sigm a Rear View Diagram


To be able to connect to Morpho Sigma terminal, a static IP must be set on the device.
1. Enter Terminal Administration Menu and navigate to System Menu > First Boot Assistant >
Network Configuration > Ethernet. Under Ethernet, an administrator can select IPV4 or IPV6.
Ethernet Configuration
2. On next screen, Default IP Mode is selected as DHCP. Press on Static option. Use Check
button “ ” to save the setting.
IP m ode

3. Under Static IP Mode, an administrator can manually configure IP Address of the terminal,
Subnet Mask, Network Mask, Gateway Address and DNS Servers.
Configuring IP Address under Static IP Mode

1. Go to Devices view, select New Device action and select MA SIGMA device type. Continue
by selecting Next button.

3. Enter terminal's static IP address and continue by selecting Create Connection button.
4. When the connection parameters are saved, you are placed on Connection view. Continue
Connection view

Enable connection
Online device
related to MA Sigma terminal.


Common

Position - This parameters is not used on Morpho Sigma terminal.
Type - This parameters is not used on Morpho Sigma terminal.
User Interface - Available user interface types: Reader Only, Sigma 4 Buttons and Sigma
16 Buttons. By default user interface is set to Sigma 4 Buttons.
space topology.
Use Verification settings field to set the security level for time and access events on the
specific reader. You can specify which parameters will be requested and checked for each
event clocking.
Verify Badge Number - This option is always selected and disabled due to device specifics.
Verify PIN - Select this option, if you want PIN to be checked during registration on the
reader.
Verify Schedule - This option is always selected and disabled due to device specifics.
Advice: For the verification of PIN, a wild card can be set on the user level in Time&Space
Manager.
Advanced


Reader settings

6.4.2.2 User Interface Settings

The following user interface types are available on the terminal:
Reader Only - only default event,

Sigma 4 Buttons - default event + Time and Attendance menu with 4 buttons,
Sigma 16 Buttons - default event + Time and Attendance menu with 16 buttons.
Sigma 2x8 Buttons - default event + Time and Attendance menu with 2 menus by 8
buttons.
Warning: Verify Access option is not validated on MA Sigma terminals. Every event
defined on the interface will trigger a relay (access) on the terminal.
Reader Only user interface
Reader Only User Interface Event Configuration

Sigma 4 Buttons user interface
4 Buttons User Interface Event Configuration
Exam ple of 4 Buttons Tim e and Attendance Menu

Sigma 16 Buttons user interface
4 Buttons User Interface Event Configuration
Exam ple of 16 Buttons Tim e and Attendance Menu

6.4.2.2.1 Advanced Interface Details
If user interface type is not set to Reader Only, two additional settings are available on the
user interface:
Allow entering device setup

Allow badge input on keyboard
Advanced User Interface Settings

Allow entering device setup
An administrator can login to terminal and access several functionalities under administration
menu. It allows administrator to perform configuration, add users, upload multimedia,
download logs, etc.
Adm inistration icon
Allow badge input on keyboard
In this mode, badge number of the user is entered using the MorphoAccess® SIGMA Series
terminal keyboard.
Keyboard icon

6.4.2.3 Output Settings

Available parameters:
Name - Name of the output.

Position - This parameters is not used on Morho Sigma device.
Relay type - There are two possible types of relay available:
Open - output is active when contact is closed.

Closed - output is active when contact is open.

Mode - Default - Access is granted upon request on the basis of parameters on reader's
security settings.
Pulse time - Defines how long the output will be active after an access request has been
granted. Possible values are 0 to 100 seconds.
space topology.
Outputs settings
Output relay w iring diagram

Advice: For more details about output wiring, check MA Sigma Quick User Guide.

6.4.2.4 Alarms Settings

There are four alarm types supported on the MA Sigma:
On deactivated output (Open door) - Alarm is activated if input is still active after output
deactivation.
On activated output (Forced door) - Alarm is activated if input is active and output is
inactive.
Unauthorized access attempt - Alarm is activated if a user without access rights makes
registration.
Unsuccessful user authentication - Alarm is activated if a user authentication is not
successful (e.g. invalid PIN, unmatched biometric verification).
Alarm edit dialogue
Note: Each alarm type can be created only once and all alarm parameters are
predefined.

Alarm w iring diagram
Advice: For more details about alarm wiring, check MA Sigma Quick User Guide.

6.4.2.5 Advanced Settings

Max Response Time - This option defines how long the device should wait for Event
Processor service to respond when sending data that need to be confirmed. If the server
does not respond within the specified time, the terminal will switch to off-line mode. The
default value is 30 seconds. Increase this value if your computer or network communication
is slow (the default value may be too short in such situations).
Profile Update Priority - This option is used to defined custom update priority of access
profiles for a specific device. Value 0 represents the highest priority.
Enable Profiles - If this option is not selected, this reader will ignore users access profiles.
Enable Notifications - If this option is selected, email notification will be generated when
device's status goes to Offline.
Picture Capture - By default this option is disabled. If enabled, it can work in the following
operation modes:
Photo Taking - One picture is captured during the registration or alarm on the terminal.
Face detection (optional) - Multiple pictures are taken and face detection is performed.
If a face is detected in one or multiple photo, save the photo with the best face detection
quality measure.
Face detection (mandatory) - Take multiple pictures and perform face detection. If no
photo contains a face, the user is rejected.
Template on Card - This option defines where user's data is stored and if access profiles
are used. The following options are available:
Disabled - User's data is stored in the database and template management is done in
Biometric Administration Portal. Further on, a user must have a valid access profile to
make registration on the terminal.
Integrated Access Control Mode - User's data is stored on the card and template
management is done on the device or in Webserver. Further on, a user must have a valid
access profile to make registration on the terminal.
Reader Emulation Mode - User's data is stored on the card and template management
is done on the device or in Webserver. In this mode, the terminal works as a dummy
Wiegand reader thus a valid access profile is not needed to make a registration on the
terminal. Before you can use this mode, all output definitions must be removed from the
device in Device Administration Portal.

Advanced Settings
Warning: It is a pre-requisite that the terminal should have an SD card plugged in for
Picture Capture On Registration option.
Note: Integrated Access Control Mode or Reader Emulation Mode as Template on Card
option does not support BIOPIN verification (ID + Biopin or ID + PIN + Biopin).
Note: Only Unauthorized access attempt and Unsuccessful user authentication (only for
assigned badges) alarm types support picture capture functionality.

6.5 Morpho Sigma Lite

MorphoAccess® SIGMA Lite Series provides an innovative and effective solution for access
control applications using Fingerprint Verification or/and Identification. Among a range of
alternative biometric technologies, the use of finger imaging has significant advantages: each
finger constitutes an unalterable physical signature, developed before birth and preserved
until death. Unlike DNA, a finger image is unique for each individual - even identical twins.
Designed for physical access control applications, MorphoAccess® SIGMA Lite Series terminals
feature a compact, attractive design, coupled with high reliability and security. These 5th
generation terminals are both robust and easy to use for a variety of applications, including
office, headquarters and administrative building security, as well as protection of external
access points.
The first design features a LED indicator to assist users in the access control process,
whereas the second model offers enhanced interactivity with a color touch screen.
DAP.
MA Sigm a Lite and MA Sigm a Lite +
Warning: There are some limitations for the integration of Morpho Sigma Lite terminal in
Time&Space system:
For all events (Time Attendance and Access Control) a valid access profile is necessary for
the registration on the terminal.
Only one access schedule per reader can be defined on user's access profile.
Only access schedules with ID from 1 to 58 can be used on Sigma terminal.
Access schedules on Morpho Sigma are determined on 15 minute intervals. “From value” is
rounded upwards (e.g. 8:17 -> 8:30) while “To value” is rounded downwards (e.g. 8:17 ->

8:15).
Open Door and Forced Door alarms cannot be disabled in Visual Space Manager, because
trigger must be disabled on hardware.
Sigma terminal do not support the option for disabling fingerprint verification for a specific
user in Time&Space Manager. Fingerprint verification has to be managed through Biometric
Administration Portal.
Valid From parameter which can be set on the badge is not supported on Sigma device.
Only date from Valid To parameter is considered if set on the badge.
When changing a time zone parameter in DAP to the zone before the current one (e.g. -
10:00), then the event log must be cleared from device using MorphoBio ToolBox.

To perform the configuration you need to connect and power up a device. See Sigma
Administration user's manual for more details.
Power Supply Interface
POE and external power supply are not used at the same time: if both power supplies are
used, priority is given to the external power supply. If the external power supply is shut
down, switch to POE without reboot is not guaranteed.
External power supply
12-24 Volts (regulated and filtered) 1 Amp min @12V, CEE/EEC EN60950 standard compliant.
A12 Volts power supply compliant with SIA's Wiegand standard will also be suitable. If
sharing power between devices, each unit must receive 1A (e.g. two units would require a
12vDC, 2A supply).
Power Over Ethernet (POE)
Power can be provided through RJ-45 connector using a PSE (Power Sourcing Equipment)
IEEE 802.3af or IEEE802.3at type 1 compliant. The terminal is a Class 0 (15.4W) PD (Powered
Device).
Morpho Sigm a Lite Rear View Diagram

1. Go to Devices view, select New Device action and select MA SIGMA LITE or MA SIGMA
LITE+ device type. Continue by selecting Next button.

3. Enter terminal's static IP address and continue by selecting Create Connection button.
4. When the connection parameters are saved, you are placed on Connection view. Continue
Connection view

Enable connection

Online device
related to MA Sigma terminal.

6.6 Spica Field Clocking

Spica Field Clocking (SFC) is a solution which emulates time clocking terminal. The application
runs on Android based devices (with fingerprint sensor), but it was specially designed for use
on MorphoTablet 2. Fingerprint templates are managed in Biometric Administration Portal,
thus a least one Sigma/Sigma Lite terminal is required for template enrollment.
Follow the Application installation and Add device configuration in DAP section to set up the
terminal properly.
Spica Field Clocking


1. The application is pre-installed on devices distributed by Spica International or authorised
Spica partners. The application is not publicly available, thus it cannot be installed on devices
bought on the open market.
2. When you start the application for the first time, you need to set up the communication
parameters:
Server address - IP address of the workstation where Device Communicator service is

installed and SFC communication port (e.g. http://192.168.12.29:4449). The
communication with the server can be established via HTTP or HTTPS protocol. See
chapter SSL encryption for more info.
PIN - PIN is used as authentication parameter when entering application settings later
on.
Em pty application settings
Note: By default 4449 port is used for the communication with SFC devices.

3. When settings are entered, save the configuration with Save button and start the
application with the Start button.
Inserted application settings

4. Application in this step has generated a pairing code, which must be set as connection
parameter for SFC reader in DAP. This way a mobile device is paired with the reader
configuration in the system.
Pairing code
Note: Do not forget to enabled the connection on SFC in DAP, so the application will be
able to establish the communication.

5. When the communication is established, terminal's parameters (date, time and buttons)
are updated as set it the system.
Established connection w ith the server

6. If the server is unreachable after the parameters have been updated, the application
switches to offline mode what is signalised with a grey Time&Space logo.
Offline m ode

6.6.1.1 Configure SSL communication encryption

IIS Web Server



2. Add a new Secure Sockets Layer (SSL) server certificate binding and the corresponding
client certificate policies for an IP address and port. First, open the certificate details and copy
the thumbprint information.
Certificate details

3. Update SFC communication port and thumbprint parameters and execute the following
statement n e tsh h ttp add sslce rt ipport=0 .0 .0 .0 :<SF C com m u n ication port>
ce rth ash = <th u m bprin t> appid={ 0 0 0 0 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 0 0 0 0 0 0 0 0 } in the
Command Prompt.
Add certificate binding

4. Set HTTPS protocol for a server address in the application settings.
HTTPS protocol
5. Enable SSL parameter in the Device Communicator configuration file.
6. Restart DAP services.
7. Follow SW Configuration chapter to set SFC configuration in the system.

1. Go to Devices view, select New Device action and select Spica Field Clocking device
2. Edit the Name, ID, Description, Area and Time zone parameter if needed and continue by
selecting Create Device button.
Advice: Since SFC devices are linked with the reader configurations, there could be only
one SFC device present in the system. All the following devices are added as reader
configurations on the existing SFC device.

3. Enter device's pairing code as reader ID.
4. Define Interface type and set button events.
with the terminal.
Enable connection

6. When the communication is enabled, the status is updated to Online, and predefined
Online device
related to SFC device.


Common

ID - Device pairing code.
Position - This parameter is not used with on the selected device.
Type - This parameter is not used with on the selected device.
User Interface - Currently only one user interface types is available, named Custom.
organisational structure include subordinated zones, which help the system to preserve
space topology.
Use Verification settings field to set the security level for the time events on the specific
reader. You can specify which parameters will be requested and checked for each event
clocking.
Verify Access Profile - This parameter is not used with on the selected device.
Verify PIN - This parameter is not used with on the selected device.
Verify Fingerprint - This parameter is not used with on the selected device.
Advanced


Reader edit dialogue


There is only one user interface available on the device:
Custom - default event + 4 buttons with 4 events.
Events view

One additional setting is available on the user interface:
Allow entering device setup - If enabled, a user can access application's settings.

6.6.3 Fingerprint Management

Fingerprint templates (PK Lite) are managed in Biometric Administration Portal, thus a least
one Sigma/Sigma Lite terminal is required for template enrollment. See Biometric
Administration Portal User's Manual for more details.
PK Lite tem plates

Fingerprint templates are synchronized with SFC devices on Reload Profiles/Update Profiles
action or manually from the application setup for the users who have valid access profile.
Information about the number of existing templates on the device is shown int he lower left
corner as Enrolled users parameter.
Reload tem plates action in application settings

6.7 Spica MATT

MATT (Managed Android Time Terminal) is a solution which emulates time clocking terminal.
ATT application runs on Android based devices (with NFC reader), but it was specially
designed for use on Famoco NFC FX100. Follow the Application installation and Add device
configuration in DAP section to set up the terminal properly.
MATT on Fam oco
Note: Android version must be 4.1.x or higher.


1. The application is pre-installed on devices distributed by Spica International or authorised
Spica partners. The application is not publicly available. Thus it cannot be installed on devices
bought on the open market.
2. When you start the application for the first time, you need to set up the communication
parameters:
Server address - IP address of the workstation where Device Communicator service is

installed and MATT communication port (e.g. http://192.168.12.136:4443). The
communication with the server can be established via HTTP or HTTPS protocol. See
chapter SSL encryption for more info.
PIN - PIN is used as authentication parameter when entering application settings later
on.
Em pty application settings
Note: By default 4443 port is used for the communication with MATT devices.

3. When settings are entered, save the configuration with Save button and start the
application with the Start button.
Inserted application settings

4. Application in this step has generated a pairing code, which must be set as connection
parameter for MATT device in DAP. This way a mobile device is paired with the device
configuration in the system.
Pairing code
Note: Do not forget to enabled the connection on MATT in DAP, so the application will be
able to establish the communication.

5. When the communication is established, terminal's parameters (date, time and buttons)
are updated as set it the system.
Established connection w ith the server

6. If the server is unreachable after the parameters have been updated, the application
switches to offline mode what is signalised with a grey Time&Space logo.
Offline m ode


IIS Web Server



Certificate details

3. Update MATT communication port and thumbprint parameters and execute the following
statement n e tsh h ttp add sslce rt ipport=0 .0 .0 .0 :<M ATT com m u n ication port>
Command Prompt.

4. Set HTTPS protocol for a server address in the application settings.
HTTPS protocol
7. Follow SW Configuration chapter to set MATT configuration in the system.

1. Go to Devices view, select New Device action and select Spica MATT device type.

3. Enter device's pairing code and continue by selecting Create Connection button.
by selecting the General view from the tree.
Connection view

with the terminal.
Enable connection
6. When the communication is enabled, the status is updated to Online, and predefined
Online device
related to MATT device.


Common

Position - This parameter is not used with on the selected device.
User Interface - Currently only one user interface types is available, named MATT.
organisational structure include subordinated zones, which help the system to preserve
space topology.
Use Verification settings field to set the security level for the time events on the specific
reader. You can specify which parameters will be requested and checked for each event
clocking.
Verify Access Profile - This parameter is not used with on the selected device.
Verify PIN - This parameter is not used with on the selected device.
Reader edit dialogue


There is only one user interface available on the device:
MATT - default event + 4 buttons with 4 events.
Events view

One additional setting is available on the user interface:
Allow entering device setup - If enabled, a user can access application's settings.

6.7.2.3 Advanced Settings

Max Response Time - This option defines how long the device should wait for Device
Communicator service to respond when sending data that need to be confirmed. If the
server does not respond within the specified time, the terminal will switch to offline mode.
The default value is 2 seconds. Increase this value if your computer or network
communication is slow (the default value may be too short in such situations).
Advanced Settings

6.8 TBS
Biometric technology made in Switzerland: TBS (Touchless Biometric Systems) offers flexible,
functional hardware and software for access control and time recording. TBS technology
combined with world’s best touch sensor for highest security and multifunctionality at point of
access.
2D-TERMINAL MULTISPECTRAL
Warning: This integration assumes that no additional licenses for TBS third party zone
access management will be purchased. Consequently, the integration only supports two
modes of operation:
Fully on-line – Devices must be fully on-line and a successful clocking will cause the user’s
balance to be shown on the device.
Fully off-line – No balance is shown to the user who registers and the devices do not need
to be on-line to register a clocking.
Hybrid mode supported by native Time&Space HW devices is not supported.
Note: Please note that the integration has only been tested with the 2D Terminal from
TBS.

Operating Mode Selection
This page appears if a device is started for the first time or restarted after factory state reset.
You can also change operating mode dynamically from ADMIN menu. Set the device to WE
Mode (Web Edition). This is the standard and recommended mode. Connection to the server
via the network is required, selecting this mode enables the terminal to communicate with
BioAdmin Web Edition or WebServer Edition. Communication between devices and server is
based on web services, routed through HTTP (Port 80) or optionally HTTPS (Port 8080).
Operation m ode selection

Network Configuration
The device may have static IP or dynamic IP assigned automatically if DHCP server is available
on the network. By default it is set to DHCP, at right a sample is shown how to configure
static IP. For the integration with Time&Space system, it's recommended to use static IP
address.
Netw ork settings

Integration Configuration
Go to TBS Device Configuration portal by entering device's IP address in the browser. Default
credentials for the portal are: "user" for username and "4TbsPartners" for password. Please
follow the steps described in the selected operational mode (full on-line mode or fully off-line
mode) for the integration to work correctly.
TBS Device Configuration portal

6.8.1.1 Integration Configuration

Each TBS HW device must be configured manually as the TBS API does not allow external
applications to configure the devices in detail. However, all settings within a single terminal
can be exported to a binary file and then deployed to multiple terminals using the TBS
Terminal Updater tool. For more information, please contact TBS Support.
Network chapter
Server Communication - Mode

Web Edition Endpoint - Because of web service based connection to the server, the
complete URL of the service endpoint need to be specified. The address could be IP or
domain name if the default port (80) is used. Usually, default suffix does not need to be
changed if WebEdition is installed with default settings.
Netw ork chapter

Device Operations chapter
Authentication is the process of recognising a person, based on tokens he left during

enrollment. Tokens are called ‘ID factors’, usually biometrics, PIN and/or RFID are used.
Identification and Verification are device specific authentication modes, while Smart Mode
makes authentication user specific.
Identification (1:N) - The input sample is compared against all reference samples in
the database.
Verification (1:1) - The input sample is compared against reference sample,
preselected in first verification step.
Smart Mode - In Smart Mode, each user can have its combination of ID factors
assigned. The device recognises the person (based on first ID factor presented) and
asks for the remaining factors. The ID factors a user has to present in Smart Mode
need to be defined in WebClient server software.
Authorization - TBS Basic (Al and Validity) option must be selected.

Select XML option for a fully on-line system.
Do not select XML option for a fully off-line system.
Result Output - TBS Server and XML option must be selected.
Actions - Remove all predefined settings in this section.
Device Operations settings for fully on-line operation m ode

User Interface chapter
Buttons defined here are mapped to the T&S buttons defined within the interface of the
virtual controller through the Device Communicator configuration file explained later on.
Button configuration

Integration chapter
XML Server URL (Server IP and port) – Use the DNS or the IP of the host where
Time&Space Device Communicator resides. Use the same port as configured below within
the NotificationServerPort value.
OnlineRightsRequest
Yes – Select this option for a fully on-line system.
No – Select this option for a fully off-line system.
RightsRequest timeout [s] – Should be more than ClockingResponseTimeout setting in

device communicator. After this timeout, an online clocking will be considered invalid if no
response from Time&Space is received.
AccessInfoDelay [s] - Set to 1s, so clockings to be more “real-time”.
Send if RightsRequest succeeded

Yes – Select this option for a fully off-line system.
No – Select this option for a fully on-line system.
Integration settings for fully on-line operation m ode

BioAdmin Web Edition
Add TBS device in DAP
Adding fingerprints to users
Configuring RemoteZone web service

6.8.2.1 BioAdmin Web Edition

Install BioAdmin Web Edition (version 8.1 or newer) and enter the application with default
credentials: "sysadmin" for Operator ID and "12345678" for the password.
BioAdm in Web Edition login page
Configure the TBS device so that it is visible and connected with this service.
Clients m anagem ent view

This web service also implements the TBS SOAP API that is used as the integration point
between T&S and TBS devices. In BioAdmin Web Edition\Core folder, open and edit the
Web.config file and updated value for the authRPKey parameter. The value of the
authRPKey to a unique key applicable to each installation. This is used for secure
communication between T&S and TBS system.
<appsettings>
...
<add key="authRPKey" value="6100c932616e4eb88f526f024bc96246" />
...
</appsettings>
Advice: The AuthRPKey key is a custom alphanumeric value.
On the Users view there are three types (Roles) of users that can be added:
ADMIN – Administrators of TBS devices, should only be added manually using this
application.
ENROLL – People who can enroll users on each device, should only be added manually
using this application.
USER – T&S users that will be pushed and kept in sync on each device automatically.
Users view
Warning: Do not add users with user role manually as they will be erased by the
integration process.

6.8.2.2 Add TBS device in DAP

1. Go to Devices view, select New Device action and select TBS device type. Continue by
selecting Next button.
Advice: Since DAP is communicating with TBS API, only one TBS device can be configured
in the system.

3. Edit the reader settings and set the following parameters:
ID is very important and must be mapped to the actual BioClient ID found on each
device’s home configuration page. So for every BioClient, a new reader must be added to
the TBS device in DAP.
Set User Interface parameter to Custom.
Set Type parameter to Data Clock.
Enable Show extended information on clocking if balance or personal message should
be shown on the device upon a successful clocking. This option only works in full on-line
mode.
Verification Settings are not applicable to TBS devices.
TBS reader settings

4. Edit the user interface settings and add events.
Events definition
Warning: There should be only one page and a maximum of 8 buttons on that page.
Default event is not applicable as the TBS device has its own default event configuration. Use
the device communicator’s config file to map these buttons to TBS events.
5. The Time&Space part of the TBS integration is mostly covered by the Device Communicator
component. Edit its configuration file where individual settings are explained.

6.8.2.3 Adding fingerprints to users
Note: When Profile update or Profile reload action is executed in DAP, all Time&Space
users who have permissions for TBS terminal(s) will appear in TBS system. If the permissions
are later removed, the users will remain in the system. A user with permission for one TBS
terminal will be able to make registration on all TBS terminals in the system. In order to
manage permission for each TBS terminal, an additional module is required on TBS side, called
RemoteZone web service.
1. Use BioAdmin Web Edition to add a user with Admin or Enroll role and PIN option set.
2. Access the admin login on TBS terminal and log using the pin defined in step 1.
Default screen
3. One you are logged choose the person you want to add fingerprints to.
Database screen

4. From the drop down menu choose re-enroll a user.
Action m enu
5. From the many choose to insert user data and set a finger on the sensor.
Finger selection

6. If the fingerprint is inserted correctly, there is message Verification passed.
Enrollm ent com pleted
Note: This procedure is done only once for every new user we like to add permissions to
access the TBS terminal.

6.8.2.4 Configuring RemoteZone web service

RemoteZone web service, as part of ‘TBS BioAdmin Core’ software component, exposes an
interface to manage zones to partition a biometric installation. A zone is defined by a set of
assigned biometric clients and users having local and (optional) scheduled rights to access
those devices.
Note: RemoteZone web service is available from release R7 of BioAdmin Web Edition and
not enabled by default.
Warning: RemoteZone web service requires an appropriate license in order to be

activated.
Activation on TBS side
Activation requires some configuration changes in 'web.config' file of ‘TBS BioAdmin Core’:
Add following line (xml node) under “serviceActivations” xml node:
<add relativeAddress="RemoteZone.svc" service="TBS.Services.PublicSvc.SvcRemoteZone"

/>
Add following lines (“service” xml node) under “services” xml node:


<service name="TBS.Services.PublicSvc.SvcRemoteZone">
<endpoint address="Basic" name="epBasicHttp" binding="basicHttpBinding"
bindingConfiguration=""
bindingNamespace="http://api.tbsinc.com/Services/RemoteZone/Basic"
contract="TBS.Services.PublicSvc.ISvcRemoteZone" />
<endpoint address="mex" binding="mexHttpBinding" bindingConfiguration=""
contract="IMetadataExchange" />
</service>
Warning: Basic XML knowledge is required for this process! A wrong configuration may
lead to malfunctions of the entire TBS system.

Zone view s in Biom anager
Activation on Time&Space side
Activation requires some configuration changes in 'Device Communicator Service.exe.config'

file of Device Communicator:
Uncomment RemoteZoneEndpoint key and set URL to the TBS RemoteZone web service in
TBSPlugin section. By default this option is disabled.
<TBSPlugin>
<add key="ServerEndpoint" value="http://localhost/BACore/RemoteSync.svc/basic"/>
<add key="RemoteZoneEndpoint" value="http://localhost/BACore/RemoteZone.svc/
Basic" />
Restart DC service.
Warning: If RemoteZone web service is enabled on TBS side this feature must also be
enabled on Time&Space side and vice versa. Other combination may lead to malfunctions of
the entire system.

6.9 Web Clocking Portal

Web Clocking Portal (WCP) provides online clocking solution for remotely located individuals
or small groups of users in situations where installation and connection of classic time
recording device (clocking terminal) are too costly or impractical. Further on, WCP supports
multiple locations where the access to the specific location can limited using an IP range.
WCP

6.9.1 Configuration
1. Go to Devices view, select New Device action and select Web Clocking Portal device type.
Advice: Since WCP is communicating with Space API, only one WCP device can be
configured in the system.

3. Edit the reader settings and set the following parameters:
ID is very important and must be mapped to the virtual reader configuration found in
Device Communicator configuration file. So for every location, a new reader must be
added to the WCP device in DAP.
Set User Interface parameter to Custom.
WCP reader settings
4. Edit the user interface settings and update the configuration if needed.
Events definition

5. The Time&Space part of the WCP integration is mostly covered by the Device Communicator
component. Make sure that Space API and SpaceAPI Authentication token are properly set.


IIS Web Server



Certificate details

3. Update WCP communication port and thumbprint parameters and execute the following
statement n e tsh h ttp add sslce rt ipport=0 .0 .0 .0 :<W C P com m u n ication port>
Command Prompt.

6.9.2 Event registration

To access WCP, enter the appropriate address (e.g. http://hostname:4448) into the web
browser (hostname signifies the name or the IP address and WCP communication port of the
computer where DAP is installed).
Login page
Note: User account needs Web Clocking Portal privilege in order to access the
application.

After successful login, the application displays the list of available events for registration for a
specific location. Registration of an event is done by selecting the radio button in front of it
and applying Clock now button.
List of events for location 1
Note: The list of events can be changed on reader's interface. Events which are not used
on the daily level can be hidden in the combo list.

When you register an event, a new screen with the following information is shown:
The name of the event,

The name of the user,
The current balance/overtime.
Registration inform ation
Advice: Response information can be customized by using clocking response parameters.

USM-Device Administration Portal-ENG

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

USM-Device Administration Portal-ENG

Uploaded by

Copyright:

Available Formats

Device Administration Portal

Device Administration Portal

Tel: +386 1 568 08 00

1 Device Administration Portal 1

2 Configuring the system 5

© 2020 Spica International

4.3.1.6 Outputs ......................................................................................................................................................... 67

6 3rd party devices 100

© 2020 Spica International

6.2.1.2 Add Assa.........................................................................................................................................................

© 2020 Spica International

6.9.2 Event registration

© 2020 Spica International

1 Device Administration Portal

Device Adm inistration Portal

© 2020 Spica International

1.2 End-user software license agreement

© 2020 Spica International

Modifications upon User Request

© 2020 Spica International

1.3 Technical support

Tel.: +386 1 568 08 00

Further information is available at http://timeandspace.eu.

© 2020 Spica International

2 Configuring the system

Device Administration Portal (DAP),

© 2020 Spica International

To address a load balancing issues or to optimize system architecture according to

Device Administration Portal (DAP),

© 2020 Spica International

Note: Logging with a super user (e.g. TSSPICA) is not supported.

Important: Currently only Time&Space standard authentication mode is supported in the

© 2020 Spica International

TimeBox.dll, TimeBoxCom.dll and TSStartup.exe (obtained with Time&Space setup),

Warning: Only native mode (MA5G) is supported on Morpho Sigma terminals.

© 2020 Spica International

3.1 System requirements

Supported browsers in the DAP are:

Internet Explorer 10 or newer,

© 2020 Spica International

3.1.1 Windows Features configuration

Root IIS feature

© 2020 Spica International

Com m on HTTP Features

© 2020 Spica International

ASP and .NET Extensibility features

© 2020 Spica International

x64 operation system and application pool

Enable 32-bit applications

© 2020 Spica International

Active Directory authentication and Single Sing On (SSO)

© 2020 Spica International

© 2020 Spica International

Security settings for autom atic logon

© 2020 Spica International

3.1.1.2 Microsoft Message Queue (MSMQ) Server

Microsoft Message Queue (MSMQ) Server

© 2020 Spica International

Device Communicator Queue/Device Communicator Error Queue - Message queue for

© 2020 Spica International

3.1.1.3 Internet Explorer tweaks

Security settings for IE

Com patibility m ode button

© 2020 Spica International