Spica International
Pot k sejmiscu 33
1231 Ljubljana
Slovenia
E-mail: info@spica.com
www.spica.com
Table of Contents
3 Installation
3.1 System requirements
3.1.1 Windows Features configuration
3.1.1.1 Internet Information Services (IIS)
3.1.1.2 Microsoft Message Queue (MSMQ) Server
3.1.1.3 Internet Explorer tweaks
3.2 Installation procedure
3.2.1 Customizable application parameters
3.2.1.1 DAP - Web.config
3.2.1.2 EP - Event Processor Service.exe.config
3.2.1.3 DC - Device Communicator Service.exe.config
3.2.1.4 Space API - Space API Service.exe.config
3.2.2 Encrypted communication channel on the portal
3.2.3 Adding or removing components
4 Main views
4.1 Overview
4.2 Servers
4.2.1 Server details
4.2.2 Assigned devices
4.3 Devices
4.3.1 Device
4.3.1.1 General
4.3.1.2 Connection
TCP Settings
4.3.1.3 Readers
General
Restrictions
User Interface Events
Advanced
4.3.1.4 User Interfaces
General
Events
4.3.1.5 Inputs
General
5 External configuration
5.1 Alarm groups
5.2 Area tree
5.3 Email notifications
5.3.1 Email notification service
5.3.2 Alarm notifications
5.3.3 Offline controllers notifications
5.4 Update access profiles
5.5 OSDP readers
5.5.1 Connecting OSDP readers to Zone Door unit
5.5.2 Connecting OSDP readers to Zone Wing device
5.5.3 Connecting OSDP readers to Zone Spot device
1.1 Introduction
Device Administration Portal is the basic module in Time&Space system. Its key function is the
transfer of clock transactions from clock terminals to a shared database that is accessed
independently by all modules in the system. The second, equally important function is the
downloading of data to the terminals, i.e. the transfer of data such as access parameters
that were entered via the keyboard using any of the Time&Space modules. These parameters
control the functioning of clock terminals, for example, the function of individual keys on the
clock terminal keyboard, and inform the terminals about the valid ID badges.
The module consists of 4 parts: Device Administration Portal, Event Processor, Device
Communicator and Space API.
Device Administration Portal is a web client responsible for the management of terminal
settings. The application also monitors the communication between the Event Processor service
and hardware.
Event Processor is a standalone Windows service responsible for storing data into the
database and generating appropriate responses.
Device Communicator is a standalone Windows service responsible for the communication
between terminals and the Event Processor service.
Space API is a standalone Windows service responsible for the communication between
Device Administration Portal and the Event Processor service on one side, and between the
DAP application and other Time&Space modules on the other.
This program and accompanying documentation (the software) are copyrighted material,
protected by national legislation and international agreements on protection of intellectual
property. Any unauthorized use or copying of this software is punishable by law. Users are
permitted to make copies of the software solely for backup purposes, and as a protection
against accidental loss or damage of the purchased copy.
By purchasing a copy of the software the user is granted the license to use the software
within the user's organization without time limitations. The user is obliged to comply with the
conditions related to the scope of the license as defined in the purchase documentation
(proposal/order/invoice) at the time of purchase. These conditions include, but are not
limited to, the maximum number of users, number of clients, servers, number of administrators,
administrative workstations, computers, locations and similar. Any use beyond these
restrictions is not permitted.
Any use outside user's organization or any commercial exploitation of the software involving
third parties such as lending, renting or selling of the software is not permitted.
Special Terms
Users are obliged to actively protect the software against any unauthorized use or copying,
and prevent access to the software by the public or any third party.
SPICA International does not permit any modification of programs or accompanying
documentation including any modification of the program code or accompanying files.
Warranty Disclaimer
SPICA International has written the software and accompanying documentation with utmost
care and best effort to make it error free. Any eventual error, which would prevent or
significantly hamper the use of the software, should be immediately reported to SPICA
International. SPICA International will act upon such error report with priority and make every
effort to correct the error in the shortest possible time.
However, the software is provided by SPICA International »as-is«, and without any warranty,
express or implied, direct or consequential as to the usability or inability to use the software.
SPICA International does not provide any warranty as to the fitness of this software to any
particular purpose, and is not liable for any errors, known or unknown, of this software.
Cumulative liabilities of SPICA International for any damage caused by this software will be
limited to the purchase price of this software.
Data
SPICA International is not in any way responsible for data maintained with this software. The
user is entirely and solely responsible for data safekeeping, protection against loss and
protection of privacy of personal information.
Modifications of Software
SPICA International continually develops and improves its software products, which are
therefore subject to change without prior notice. SPICA International reserves the right to
freely modify its software products at any time without any prior or special notice and cannot
provide any warranty as to the nature and scope of any particular change. SPICA
International also retains the right to stop further development of a particular product, or to
discontinue a product completely.
In order to meet and surpass the expectations of its users, SPICA International constantly
and systematically collects information about user demands and requirements. This
information plays a crucial role in decisions on software product development. Upon user
request, SPICA International will provide information on the status of an individual request or
demand in the context of development planning for the standard products. This information
may include the planned time for the completion of a particular task, if any such time has
been established. Information provided in this way does not make SPICA International in any
way liable for the nature and scope of the actual implementation, licensing policy or time of
delivery. All such information is strictly informal and may change without any notice.
Basic architecture
Important: Event Processor and Device Communicator must always be installed on the
same workstation.
Advanced architecture
Important: EP2 and DC2 services cannot be installed on the same workstation as EP1
and DC1.
2.1 Login
To access Device Administration Portal, enter the address http://HostName into the web
browser (Host Name signifies the name or the IP address of the computer where the module
is installed). The user account needs the Event Collector/DAP Login permission to enter the
application.
Login dialogue
3 Installation
To install the module, start DAP Setup.exe from the distribution media and follow the
installation procedure.
Pre-installation requirements
Supported devices
Aperio,
Assa Abloy VisiOnline,
Iris ID,
Morpho Sigma,
Morpho Sigma Lite and Morpho Sigma Lite+,
Spica Field Clocking,
Spica MATT,
Spica Zone Button TT,
Spica Zone Button TT AC,
Spica Zone Spot,
Spica Zone Touch,
Spica Zone Wing,
TBS,
Web Clocking Portal.
Tip: Before the installation, make sure that Spica Zone devices have the appropriate FW
version. For more information, please contact our support.
See the document Installation and Upgrade Guide.pdf, chapter System Requirements.
Web browsers
Important: Javascript must be enabled in the web browser. For more information check
the following website.
IIS feature
Important: If the IIS service is installed after .NET Framework, you will likely encounter a
Runtime Error when accessing DAP. To fix this issue, repair .NET Framework under Installed
programs or execute the following statement in CMD:
"%windir%\Microsoft.NET\Framework\v4.0...\aspnet_regiis -i".
ASP features
In the case of a 64-bit OS, set the Enable 32-Bit Applications option to True for the used
application pool (e.g. DAP).
To enable Active Directory authentication and Single Sign-On (SSO) in the application, enable
Windows Authentication in the virtual directory and put the NTLM provider first.
Windows Authentication
Providers
Also, make sure that client workstations have User Authentication set to Automatic logon
with current username and password under Internet Security options.
Advice: Windows features list may vary according to a specific operating system.
Advice: DAP services will fail to start after the restart of the operating system if MSMQ
service has not started yet. To solve this issue set the dependency on DAP services to wait
for the MSMQ service.
DAP queues
Allow ActiveX Filtering option must be enabled under Internet Security settings.
Compatibility mode must be disabled for the DAP web site in the browser. The button will
turn from blue to grey when Compatibility View is turned off for a site.
Welcome screen
3. If all requirements are installed, full feature set will be available for the installation.
4. Select the desired features and update default installation paths if needed.
Installed features
Important: If some of the features are not available, then some of the pre-installation
requirements are not fulfilled.
5. If Device Administration Portal feature is selected in the previous step, an additional step is
displayed. By default, the application will be installed as a virtual directory called ECP on
Default Web Site. Change the name of the virtual directory or site if necessary. In this case,
users will access the application by entering address http://HostName/ECP into the web
browser. Host Name signifies the name or the IP address of the computer where IIS is
running.
DAP configuration
Database type
7. Confirm the installation parameters with the Next button and start the installation process.
8. After the installation is completed, see Customizable application parameters chapter for
additional settings.
Advice: If the DAP services and the database server are running on the same
workstation, it is possible that the DAP services will fail to start after the restart of the
operating system. To solve this issue set the dependency on DAP services to wait for the
database server to start.
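One way to set the startup dependencies recommended in the MSMQ advice earlier and in the database advice above, as an added example rather than vendor tooling. `sc.exe config ... depend=` replaces the whole dependency list, so the code merges the new entries with those already registered; the function names and the DAP service name are placeholders, and MSMQ and MSSQLSERVER (default SQL Server instance) are assumed dependency service names.

```powershell
# Added example, not vendor code. Function names are hypothetical.
# Replace the placeholder service names with the ones Get-Service reports.

function Merge-ServiceDependency {
    # Return Existing followed by any Required names not already present
    # (comparison is case-insensitive, order is preserved).
    param(
        [string[]]$Existing = @(),
        [Parameter(Mandatory)][string[]]$Required
    )
    $merged = [System.Collections.Generic.List[string]]::new()
    foreach ($name in @($Existing) + @($Required)) {
        if ($name -and -not ($merged -contains $name)) { $merged.Add($name) }
    }
    return $merged.ToArray()
}

function Add-ServiceDependency {
    # Without -Apply this only reports the dependency list that would be written.
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string[]]$DependsOn,
        [switch]$Apply
    )
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    if (-not (Test-Path $key)) { throw "Service '$ServiceName' not found." }

    # A dependency on a service that is not installed prevents the service from starting.
    foreach ($dep in $DependsOn) {
        if (-not (Get-Service -Name $dep -ErrorAction SilentlyContinue)) {
            throw "Dependency '$dep' is not installed on this machine."
        }
    }

    # DependOnService is the registered list; it is absent when there are no dependencies.
    $existing = (Get-ItemProperty -Path $key).DependOnService
    $merged = @(Merge-ServiceDependency -Existing $existing -Required $DependsOn)

    if ($Apply) {
        # sc.exe, not sc: in Windows PowerShell "sc" is an alias for Set-Content.
        & sc.exe config $ServiceName depend= ($merged -join '/') | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "sc.exe failed with exit code $LASTEXITCODE." }
    }
    return $merged
}

# Merge logic on constructed input (HTTP stands in for an already registered dependency):
Merge-ServiceDependency -Existing @('HTTP') -Required @('MSMQ', 'MSSQLSERVER')

# On the server, from an elevated prompt (service name is a placeholder):
# Add-ServiceDependency -ServiceName '<DAP service name>' -DependsOn 'MSMQ', 'MSSQLSERVER' -Apply
```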
Note: When service parameters are modified, you need to restart the service for changes
to apply.
Important: Set read/write permissions on the destination folder for the user under which the
service operates so that the log file can be created. E.g. set permissions (Modify, Read &
Execute, List Folder Contents, Read, Write) for the IUSR and IIS_IUSRS users on the DAP
installation directory.
Important: Make sure that the IIS_IUSRS user group has read/write permissions on the
Windows temporary directory (e.g. c:\windows\temp). Originally, the default was c:\Temp,
then %WinDir%\Temp. In the Windows XP era, the temporary directory was set per-user as
Local Settings\Temp, although still user-relocatable. For Windows Vista, 7 and 8 the temp
location has moved again to the AppData section of the User Profile, typically C:\Users\User
Name\AppData\Local\Temp (%USERPROFILE%\AppData\Local\Temp).
Server kind - <add key="ServerKind" value="MSSQL" /> - This parameter defines the
kind of database server (MSSQL or ORACLE) used in the system.
API server address - <add key="apiServerAddress" value="http://localhost:1600" />
- This parameter defines the address (IP and Port) of Space API with which the portal
communicates. By default this parameter is set to localhost:1600.
Session timeout - <forms loginUrl="~/Account/LogOn" timeout="30" /> - This
parameter defines the period after which the session expires in the application. By default
this parameter is set to 30 minutes.
Automatic reconfiguration delay - <add key="reconfigurationDelay" value="2"/> - This
parameter defines the period after which automatic reconfiguration of a device is triggered
if the configuration has changed. By default this parameter is set to 2 minutes. If the value is
set to 0, the reconfiguration is executed immediately.
Language - <globalization uiCulture="en-GB" culture="en-GB"/> - This parameter
defines the language of the web application. Currently the following languages are
supported:
Arabic (ar),
Bosnian - Latin (bs-latn-BA),
Bulgarian (bg),
Croatian (hr),
English (en-GB),
Finnish (fi),
French (fr),
German (de),
Greek (el),
Italian (it),
Lithuanian (lt),
Macedonian - Cyrillic (mk),
Macedonian - Latin (MK-mk),
Polish (pl),
Portuguese (pt),
Romanian (ro),
Russian (ru),
Slovenian (sl),
Turkish (tr),
Ukrainian (uk).
Live log - <target name="eventsFile" xsi:type="File"
fileName="${appDataFolder}/Logs/DAP Events ${shortdate}.log"
layout="${longdate} ${message}"/> - This parameter defines the path of the log file
which tracks data from Live log.
Note: Live log only tracks communication when the view is opened in the application.
<Application Settings>
<Database>
Server kind - <add key="ServerKind" value="MSSQL" /> - This parameter defines the
kind of database server (MSSQL or ORACLE) used in the system.
<Legacy>
<MASigma>
<Devices>
<ClockingResponse>
<System>
<Logs>
<Database>
Server kind - <add key="ServerKind" value="MSSQL" /> - This parameter defines the
kind of database server (MSSQL or ORACLE) used in the system.
<Sigma>
Advice: If MA Sigma response server address is not set or not accessible, all registrations
on the terminal will be treated as off-line and will be downloaded according to Pull events
time out rule.
<SpicaMATT>
<VingcardPlugin>
<TBSPlugin>
Warning: If the "UseAsPin" option is changed afterward, all users who had a PIN set will
continue to work with the old configuration. If you want the new configuration to apply, add
a wildcard (e.g. Enable Disable PIN check option in Time&Space Manager) for the affected
users and then remove it. This action will re-send the PIN parameter with the new
configuration.
<SFCPlugin>
<WCPPlugin>
<Service>
<Logs>
<Application Settings>
Note: If the Space API port is changed, the certificate binding needs to be updated. Execute
the following steps:
Search for the certificate that is bound to port 1600 (PowerShell > netsh http show
sslcert) and copy the Certificate Hash.
Replace ipport, certhash and appid with your own parameters and execute the
following statement in PowerShell (e.g. netsh http add sslcert ipport=0.0.0.0:1610
certhash=9602318af42077b62259185f6ccbe4f8c477c9ed
appid='{00000000-0000-0000-0000-000000000000}').
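The rebinding steps above as a script, added here as an illustration and not taken from the Spica documentation: it parses `netsh http show sslcert` output, reuses the hash and application ID bound to the old port, and builds the `netsh http add sslcert` call for the new one. The function names are hypothetical, English-language netsh output is assumed, and the sample output is constructed from the example values in the steps above.

```powershell
# Added example, not vendor code. Function names are hypothetical.
# Assumes English-language `netsh http show sslcert` output.

function ConvertFrom-NetshSslCert {
    # Turn the text printed by `netsh http show sslcert` into one object per binding.
    param(
        [Parameter(Mandatory)][AllowEmptyString()][AllowEmptyCollection()]
        [string[]]$Lines
    )
    $records = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
            # Every binding record starts with its "IP:port" line.
            if ($null -ne $current) { $records += [pscustomobject]$current }
            $current = [ordered]@{ IpPort = $Matches[1]; CertHash = $null; AppId = $null }
        }
        elseif ($null -ne $current -and
                $line -match '^\s*Certificate Hash\s*:\s*([0-9a-fA-F]{40})\s*$') {
            $current.CertHash = $Matches[1].ToLower()
        }
        elseif ($null -ne $current -and
                $line -match '^\s*Application ID\s*:\s*(\{[0-9a-fA-F-]{36}\})') {
            $current.AppId = $Matches[1]
        }
    }
    if ($null -ne $current) { $records += [pscustomobject]$current }
    return $records
}

function Get-SpaceApiRebindCommand {
    # Returns the command line for the new port; runs it only when -Apply is given.
    param(
        [Parameter(Mandatory)][int]$NewPort,
        [int]$OldPort = 1600,
        [string[]]$NetshOutput = (& netsh http show sslcert),
        [switch]$Apply
    )
    $bindings = @(ConvertFrom-NetshSslCert -Lines $NetshOutput)
    $old = $bindings | Where-Object { $_.IpPort.EndsWith(":$OldPort") } |
        Select-Object -First 1
    if ($null -eq $old -or -not $old.CertHash -or -not $old.AppId) {
        throw "No complete SSL binding found for port $OldPort."
    }
    if ($bindings | Where-Object { $_.IpPort.EndsWith(":$NewPort") }) {
        throw "Port $NewPort already has an SSL binding; inspect it before changing anything."
    }

    # Keep the address part of the old binding (for example 0.0.0.0), swap only the port.
    $ip = $old.IpPort.Substring(0, $old.IpPort.LastIndexOf(':'))
    $netshArgs = @('http', 'add', 'sslcert', "ipport=${ip}:$NewPort",
                   "certhash=$($old.CertHash)", "appid=$($old.AppId)")

    if ($Apply) {
        # Refuse to bind a certificate that is missing from the machine store or expired.
        $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Thumbprint -eq $old.CertHash }
        if (-not $cert) { throw "Certificate $($old.CertHash) is not in LocalMachine\My." }
        if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }
        & netsh @netshArgs
        if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE." }
    }

    # Command as typed in PowerShell: appid is quoted because of the braces.
    return "netsh http add sslcert ipport=${ip}:$NewPort " +
           "certhash=$($old.CertHash) appid='$($old.AppId)'"
}

# Constructed sample of `netsh http show sslcert` output; the hash and GUID are
# the example values from the steps above, not a real certificate.
$sample = @'
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:1600
    Certificate Hash             : 9602318af42077b62259185f6ccbe4f8c477c9ed
    Application ID               : {00000000-0000-0000-0000-000000000000}
    Certificate Store Name       : MY
'@ -split "`r?`n"

# Dry run on the sample; omit -NetshOutput on the server to read the live bindings.
Get-SpaceApiRebindCommand -NewPort 1610 -NetshOutput $sample
```

Run with `-Apply` from an elevated PowerShell session to execute the binding, then confirm it with `netsh http show sslcert`.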
<Database>
Server kind - <add key="ServerKind" value="MSSQL" /> - This parameter defines the
kind of database server (MSSQL or ORACLE) used in the system.
<Logs>
Create a certificate request and send that request to a known certificate authority (CA), or
create a self-signed certificate.
Log on to the Web server computer as an administrator.
Select server node in the tree view and open Server Certificates option.
Self-Signed Certificate
Bindings options
Site bindings
Select https from the Type drop-down list, All Unassigned from the IP address and set
the port in the Port field (e.g. 443). Import certificate you received from known certificate
authority (CA) or use a self-signed certificate created in the previous section (e.g. Spica)
from the SSL Certificate drop-down list.
Enter website address in the browser using https prefix (e.g. https://localhost:443/DAP).
Note: In the case of a self-signed certificate, you will receive website's security warning
about an unauthorized certificate. Select continue to the website option.
To remove the existing module, go to Control Panel\Programs and Features and select
Time&Space Device Administration Portal software and choose Uninstall.
Important: The uninstall process does not support individual component selection. All
components will always be removed from the system.
Re-installation
To install a new version of the module, simply start and follow the installation procedure.
4 Main views
The application has four main views:
4.1 Overview
Overview view shows the list of all devices in the system according to user's permissions
grouped by Server/Connection/Device. To find a particular connection or Device, use the
search field.
Shortcuts section offers the following actions which are executed on all devices:
Enable All - Use this action to enable the connection for all devices.
Disable All - Use this action to disable the connection for all devices.
Overview view
Note: Devices without connection parameters or those which are not assigned to a
server are not displayed in this view.
4.2 Servers
Servers view shows the list of all Event Processor services defined in the system with some
basic parameters. The server is responsible for storing data into the database and
generating appropriate responses on device's interfaces.
Use menu actions (Add and Remove) to manage the list or click on server's name to
access detailed information about a specific server.
Servers view
Important: Avoid using DNS alias in the address field, use either primary DNS suffix or IP
address.
Advice: Check the configuration file for detailed information about the server.
Advice: Only device with already defined TCP connection can be assigned to the server.
4.3 Devices
Devices view shows the list of all devices in the system with some basic parameters. The
status signalizes the current state of the server (Disabled, Offline, Online). Use menu actions
(Copy, Add and Remove) to manage the list or click on device's name to access
detailed information about a specific device.
Shortcuts section offers the following actions which are executed on the selected devices:
Enable Selected - Use this action to enable connection for the selected devices.
Disable Selected - Use this action to disable connection for the selected devices.
Reconfigure Selected - Use this action to re-send configuration parameters for the
selected devices.
Reload Profiles - Use this action to resend a complete list of user profiles with proper
access on the selected devices.
Update Profiles - Use this action to send only unsent updates of user profiles on the
selected devices.
Update Alarms - Use this action to send only unsent updates of user profiles on the
selected devices.
Devices view
Note: Restrictions by Unit 1/Unit 2/Unit 3 or Organizational units are applied on this view.
This means that a user will see only those devices, he/she is entitled to see.
4.3.1 Device
4.3.1.1 General
General view displays basic information about the specific device. Use Enable/Disable action
to change the status of the device. Select Edit action to update these parameters.
Device details
Advice: Server information is displayed only if there is more than one Event Processor
service configured in the system.
4.3.1.2 Connection
Connection view displays information about device's connection. Connection parameters must
be set up for each device otherwise the communication between Event Processor service and
the device will not be possible. A device with TCP connection communicates with the Event
Processor service directly using Ethernet LAN. Select edit action to update the parameters.
Connection settings
Warning: For TLS/SSL communication encryption option make sure that device has
Advice: Use Spica Device Manager tool to set IP address and Port parameters on devices.
4.3.1.3 Readers
Readers view displays the list of device's readers with some basic information. The reader is a
data input device that reads data from identification cards and is connected to a device via
Wiegand or Data/Clock interface. Use menu actions (Add and Delete) to manage the list
or click on reader's name to access detailed information about a specific reader.
Readers
4.3.1.3.1 General
General view displays information about the specific reader. Select Edit action to update
these parameters.
Common
Verification Settings
Use Verification settings field to set the security level for the time and access events on the
specific reader. You can specify which parameters will be requested and checked for each
event clocking. Security demands for time and attendance calculation are listed in the Time
events group and for access control in the Access events group.
Verify Access Profile - Select this option, if you want access profile to be checked during
registration on the reader.
Verify Schedule - Select this option, if you want access schedules to be checked during
registration on the reader.
Verify PIN - Select this option, if you want PIN to be checked during registration on the
reader.
Verify Fingerprint - Select this option, if you want fingerprint to be checked during
registration on the reader.
Readers details
4.3.1.3.2 Restrictions
Restrictions details view displays information about restrictions on the specific reader. Select
Edit action to update this parameter.
Prerequisite inputs - Set additional requirements (inputs) that must be fulfilled before a
user can make registration on the reader. The number of available inputs varies between
different device types.
Reader restrictions
User Interface Events view displays information about defined events on the related user
interface. Select Add, Edit and Delete actions to manage the list.
Advice: Number of available event definitions varies between different user interface
types.
4.3.1.3.4 Advanced
Advanced view
Warning: Two-man rule functionality requires Zone Wing application version 2.70 or
higher.
Warning: Two-man rule functionality is not compatible with Anti-passback, meaning that
one is not aware of the other if both are enabled.
User Interfaces
4.3.1.4.1 General
General view displays information about the specific user interface (related Reader and Type).
Select Edit action to update these parameters.
4.3.1.4.2 Events
Events view displays information about defined events on the related interface. Use menu
actions (Edit and Delete) to manage the list.
Advice: The number of available event definitions varies between different user interface
types.
4.3.1.5 Inputs
Inputs view displays the list of device's inputs along with some basic information. The number
of available inputs varies between different device types. Use menu actions (Add and
Delete) to manage the list or click on input's name to access detailed information about the
specific input.
Inputs
4.3.1.5.1 General
Inputs details view displays information about the specific input. Select Edit action to update
these parameters.
Input details
4.3.1.6 Outputs
Outputs view displays the list of device's outputs along with some basic information. Usually,
outputs represent devices, such as doors, visual or sound signals, etc. The number of
available outputs varies between different device types. An active output supplies power
(from internal power supply) to the connected activator, while the passive output provides
“dry contact” output to the electrical circuit of the connected activator. Use menu actions
(Add and Delete) to manage the list or click on output's name to access detailed information
about the specific output.
Outputs
4.3.1.6.1 General
Output details view displays information about the specific output. Select Edit action to
update these parameters.
Default - Access is granted upon request on the basis of parameters on reader's security
settings.
Always active - Output is always active, identification is not required.
Always closed - Output is always inactive, access is not possible.
Pulse time - Defines how long the output will be active after an access request has been
Output details
4.3.1.6.2 Activated by
Activated by view displays information about output activators. The following output
activators can be set:
Activate output with an input - The output is triggered if the input is active. The output is
active as long as the input is present.
Activate output with an input (relay time applies) - The output is triggered if the input is
active. The output is active for the length of pulse time.
Activate output with a granted access action - The output is triggered upon successful
registration on a specific reader. Output is active for the length of pulse time.
Activate output with a denied access action - The output is triggered upon unsuccessful
registration on a specific reader. Output is active for the length of pulse time.
Activate output with an alarm - The output is triggered when specific alarm is activated.
Output is active for the length of pulse time.
Activators
4.3.1.6.3 Deactivated by
Deactivators view displays information about output deactivators. The following output
deactivators can be set:
Deactivate output with an input - The output is inactive if the input is active. The output is
inactive as long as the input is present.
Deactivate output with an alarm - The output is inactive when the specific alarm is
activated. The output is inactive for the length of pulse time.
Deactivators
4.3.1.6.4 Schedules
Schedules view displays information about output's open/closed schedules. Select Edit action
to update these parameters.
Open Schedules - The output is active in the interval set by the schedule if the access
schedule parameters checking yields positive result.
Activation by Anti-pass back zone - Open schedules can have an additional parameter,
named Anti-passback Zone. By selecting this option, an additional rule is added which
will check for present employees and prevent output activation by schedule if nobody is
present.
Closed Schedules - The output is inactive in the interval set by the schedule.
Schedules
Note: Please note that output deactivators have higher priority than output activators,
meaning that during the specified time the entry through that reader is not allowed,
regardless of other settings. Outside these intervals, the door will be opened upon valid
requests or it will be permanently open, if so set.
4.3.1.6.5 Advanced
Advanced view displays the list of the output's advanced parameters. These additional
parameters represent options that are useful in specific situations. Select Edit action
to update these parameters.
Enable Toggle mode - If this option is selected, a positive registration or input status
changes output state (On/Off) without a timed change back to the original state.
Furthermore, the functionality can be limited by selecting one or more periods.
Warning: Open Schedules option will be disabled due to the usage of Toggle mode.
4.3.1.7 Alarms
Alarms view displays the list of device's alarms with some basic information. The devices
continually monitor the state of their alarm inputs and immediately inform the supervising
software about all changes. Alarm triggers are usually door open sensors, emergency entry/
exit buttons, IR detectors, tamper switches, etc.
Use menu actions (Add and Delete) to manage the list or click on alarm's name to
access detailed information about the specific alarm.
Alarms view
4.3.1.7.1 General
Alarm details view displays information about the specific alarm. Select Edit action to update
these parameters.
Alarm details
4.3.1.7.2 Triggers
Triggers view displays information about triggers for selected alarm. Trigger(s) must be
defined because they are responsible for the activation of the alarm. The type of available
triggers depends on the alarm type:
Alarm triggers
4.3.1.7.3 Conditions
Conditions view displays information about alarm's deactivation periods. This means that the
alarm is not triggered if the schedule conditions are met. The user can specify one or more
conditions on a single alarm definition. Select Edit action to update these parameters.
Conditions view
Warning: This functionality requires Zone Wing application version 2.50 or higher.
4.3.1.7.4 Advanced
Advanced view displays additional information about the specific alarm. Select Edit action to
update these parameters.
Delay - If the delay value is set, an alarm will always be activated with a specified time
delay. Maximum delay time is limited to 255 seconds.
Reactivation time - If reactivation value is set, defined time will pass between two
messages received by the operator if alarm triggers are still active (e.g. if the operator
deactivates the alarm manually after being warned about an alarm event, but the alarm
state continues after the end of the reactivation time, the alarm will go off again). The
default value is set to 0, meaning that the alarm message will not be repeated. Maximum
reactivation time is limited to 9990 seconds.
Automatically Deactivate - If this field is checked, the alarm will be deactivated
automatically once the alarm's trigger becomes inactive. Regardless of this setting, the
operator can manually deactivate an active alarm by clicking the Deactivate button. If this
field is not checked, the alarm can be deactivated only from the computer.
Advanced view
Note: Up to 32 Zone Doors units can be connected to a single Zone Wing device.
Unit details view displays information about the specific Zone Door. Currently the following
predefined door types are available:
Important: The Zone Door type must match Zone Door's FW edition to be fully
operational.
Schema view displays information about Zone Door's pin configuration. Select Edit action to
update these parameters.
Schema settings
4.3.1.9 Anti-passback
Anti-passback (APB) view displays the list of APB zones valid for a selected device. A zone
can consist of one or more APB rules. An APB rule is a security mechanism preventing an access
card or similar device from being used to enter an area a second time without first leaving it
(so that the card cannot be passed back to a second person who wants to enter). If more
than one APB rule is defined on one zone, all of them must be fulfilled before a user can
pass.
Use menu actions (Add and Delete) to manage the list or click on zone's name to access
detailed information about the specific zone.
Anti-passback view
4.3.1.9.1 General
Anti-passback details view displays information about the specific zone. Select Edit action to
update these parameters.
Verification
Entry only – APB rule is active on entrance (the device will not accept two subsequent
entry attempts).
Exit only – APB rule is active on exit (the device will not accept two subsequent exit
attempts).
Entry and Exit – APB rule is active on entrance and exit (the device will not accept two
subsequent entry or exit attempts).
Warning: Start Time functionality requires Zone Wing application version 2.70 or higher.
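The three verification modes above, modelled as a small state machine and replayed over a constructed event sequence. This is an added example, not Spica device code: the class and function names are hypothetical, and the model assumes the only state kept per rule is each badge's last accepted direction.

```python
from dataclasses import dataclass, field
from enum import Enum


class Verification(Enum):
    ENTRY_ONLY = "Entry only"
    EXIT_ONLY = "Exit only"
    ENTRY_AND_EXIT = "Entry and Exit"


@dataclass
class ApbRule:
    """Hypothetical model of one APB rule; not the device's implementation."""
    verification: Verification
    # Assumption: badge -> last accepted direction ("entry" or "exit").
    last_direction: dict = field(default_factory=dict)

    def _is_checked(self, direction):
        """True if this verification mode enforces APB for the direction."""
        if self.verification is Verification.ENTRY_AND_EXIT:
            return True
        if self.verification is Verification.ENTRY_ONLY:
            return direction == "entry"
        return direction == "exit"

    def request(self, badge, direction):
        """Return True if the attempt is accepted, False if APB rejects it."""
        if direction not in ("entry", "exit"):
            raise ValueError(f"unknown direction: {direction!r}")
        repeated = self.last_direction.get(badge) == direction
        if repeated and self._is_checked(direction):
            return False  # rejected attempts do not change the stored state
        self.last_direction[badge] = direction
        return True


# Constructed sample events (badge, direction) in the order they arrive.
# A badge with no history is accepted in either direction in this model.
EVENTS = [
    ("A1", "entry"),
    ("A1", "entry"),   # second entry without an exit (card passed back)
    ("A1", "exit"),
    ("A1", "exit"),    # second exit without an entry
    ("B2", "exit"),
    ("A1", "entry"),
]


def denied_events(verification, events=EVENTS):
    """Replay events against a fresh rule; return indexes of rejected events."""
    rule = ApbRule(verification)
    return [i for i, (badge, direction) in enumerate(events)
            if not rule.request(badge, direction)]


if __name__ == "__main__":
    for mode in Verification:
        print(f"{mode.value:15} rejects events {denied_events(mode)}")
```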
4.3.1.9.2 Readers
Readers view displays a list of readers with verification type. Use menu actions (Add and
Delete) to manage the list.
4.3.1.10 Advanced
Advanced view displays the list of the device's advanced parameters. These additional
parameters represent options that are useful in specific situations. Select Edit action
to update these parameters.
Max Response Time - This option defines how long the device should wait for Event
Processor service to respond when sending data that need to be confirmed. If the server
does not respond within the specified time, the terminal will switch to off-line mode. The
default value is 30 seconds. Increase this value if your computer or network communication
is slow (the default value may be too short in such situations).
Profile Update Priority - This option is used to define a custom update priority of access
profiles for a specific device. Value 0 represents the highest priority.
Offline Registrations - If this option is set to Standard, the device will stop collecting
registrations when the buffer is filled up. If set to Cyclic, it will overwrite the old
registrations using FIFO (first in, first out) mode.
Enable Profiles - If this option is not selected, this reader will ignore users access profiles.
Enable Notifications - If this option is not selected, an email notification will be generated
when device's status goes to Offline.
Badge Encoding
Legacy mode - The Legacy mode does not change the badge string returned from the
device.
Default mode - The user can alter the badge string by appending Badge Number and
Facility Code but cannot change the length of these parameters.
Advanced mode - The user can alter the badge string by defining the length of Badge
Number (min 1 and max 16) and Facility Code (min 1 and max 6).
Advanced view
Tip: Messages are updated only when the view is opened in the browser.
5 External configuration
The chapter covers settings which are used in the module but are configured elsewhere. At
the moment the following external settings exist:
Alarm groups,
Area tree,
Email notifications,
Update access profiles.
Enable alarm e-mail notifications - If this option is selected, the notifications are enabled
and Sender and Recipients fields become editable.
Sender - Enter sender's email address.
Recipients - Enter email addresses for recipients who will receive notifications.
Subject and body of the message can be customized by changing parameters in Event
Processor's configuration file, section <notifications>.
<notifications>
  <controller contentType="text/html charset=UTF-8"
              sender="example@spica.com"
              recipients="example@spica.com"
              subject="Controller {NAME} (ID: {CUSTOMID}) is offline."
              body="Controller {NAME} (ID: {CUSTOMID}) at {CONNECTION.ADDRESS}:{CONNECTION.PORT} is offline."/>
  <alarm contentType="text/html charset=UTF-8"
         subject="Alarm {NAME} has been triggered!"
         body="Alarm {NAME} (ID: {CUSTOMID}) has been triggered on controller {CONTROLLER.NAME}."/>
</notifications>
Tip: The groups are managed in the Visual Space Manager. See Visual Space Manager
User's Manual for more details.
Email address of the sender and recipients are set in Event Processor's configuration file,
section <notifications>. Subject and body of the message can be customized if needed.
<notifications>
  <controller contentType="text/html charset=UTF-8"
              sender="example@spica.com"
              recipients="example@spica.com"
              subject="Controller {NAME} (ID: {CUSTOMID}) is offline."
              body="Controller {NAME} (ID: {CUSTOMID}) at {CONNECTION.ADDRESS}:{CONNECTION.PORT} is offline."/>
  <alarm contentType="text/html charset=UTF-8"
         subject="Alarm {NAME} has been triggered!"
         body="Alarm {NAME} (ID: {CUSTOMID}) has been triggered on controller {CONTROLLER.NAME}."/>
</notifications>
Advice: Since the information is stored in the database, it must be set only once.
Spica Zone Wing - OSDP readers connected to RS485 connector on Zone Door unit
This option is exclusively connected with Zone Door schema, named 4 Readers / 6
Inputs / 8 Outputs (OSDP readers only).
Support for 4 readers (HID OSDP v2) per Zone Door unit.
Reader type is set to OSDP.
Zone Wing application ver. 2.40 or higher is required.
Zone Door FW ver. 1.3.0 or higher is required.
Spica Zone Wing - OSDP readers connected to RS485 connector on Zone Wing unit
Support for 4 readers (HID OSDP v2) per Zone Wing unit.
Reader type is set to OSDP Secure.
Zone Wing application ver. 2.80 or higher is required.
Spica Zone Spot - OSDP readers connected to RS485 connector on Zone Spot unit
Support for 4 readers (HID OSDP v2) per Zone Wing unit.
Reader type is set to OSDP Secure.
Zone Spot application ver. 2.80 or higher is required.
Make sure that the appropriate application version is present on Zone Wing (Application
ver. 2.40 or higher is required).
Make sure that the appropriate FW version is present on Zone Door (FW ver. 1.3.0 or
higher is required).
Connect Zone Door unit to Zone Wing. Refer to Zone Wing&Door User's Manual for more
information.
Connect OSDP reader to RS485 connector on Zone Door unit. You can use PSUP/PGND
connectors to power up the reader.
Configure reader's RS485 channel (ranging from 0 to 3) using HID configuration card. Keep
in mind that each reader must be on a dedicated address.
Add Zone Wing device to the system.
Add Zone Door (type 4 Readers / 6 Inputs / 8 Outputs (OSDP readers only)) to the Zone
Wing.
Make sure that the appropriate application version is present on the device (Application
ver. 2.80 or higher is required).
Connect Zone Door unit to Zone Wing. Refer to Zone Wing&Door User's Manual for more
information.
Connect OSDP reader to RS485 connector on Zone Door unit. You can use PSUP/PGND
connectors to power up the reader.
Configure reader's RS485 channel (ranging from 0 to 3) using HID configuration card. Keep
in mind that each reader must be on a dedicated address.
Add Zone Wing device to the system.
Add Zone Door schema configuration (type 2 Readers/2 Inputs/4 Outputs or 2 Readers/4
Inputs/2 Outputs) to the Zone Wing.
Add a new reader on the device with the following configuration:
Name - Name of the reader.
Type - Select OSDP secure type.
RS485 Address - Select the appropriate address (ranging from 0 to 3) which will match
reader HW configuration.
OSDP key - Insert a 32-character hexadecimal string (characters [a-fA-F0-9]) which
is used to encrypt the communication.
User interface - Select Reader only type.
Assign the appropriate event on the reader's interface.
Make sure that the appropriate application version is present on the device (Application
ver. 2.80 or higher is required).
Connect OSDP reader to RS485 connector on Zone Spot unit. You can use +12/GND
connectors to power up the reader.
Configure reader's RS485 channel (ranging from 0 to 3) using HID configuration card. Keep
in mind that each reader must be on a dedicated address.
Add Zone Spot device to the system.
Add a new reader on the device with the following configuration:
Name - Name of the reader.
Type - Select OSDP secure type.
RS485 Address - Select the appropriate address (ranging from 0 to 3) which will match
reader HW configuration.
OSDP key - Insert a 32-character hexadecimal string (characters [a-fA-F0-9]) which
is used to encrypt the communication.
User interface - Select Reader only type.
Assign the appropriate event on the reader's interface.
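The OSDP key field in both reader procedures above (Zone Wing and Zone Spot) takes 32 hexadecimal characters, i.e. 16 bytes. The following added example, which is not part of the Spica software, generates such a key from the operating system's random source and audits a set of configured keys for format errors, the default key published in the OSDP specification (SCBK-D), trivially patterned values and reuse across readers. The reader names and sample keys are constructed, and the pattern thresholds are assumptions.

```python
import re
import secrets

HEX32 = re.compile(r"[0-9a-fA-F]{32}")

# Default secure-channel base key from the OSDP specification (SCBK-D):
# bytes 0x30 through 0x3F. A reader still using it is effectively unkeyed.
OSDP_DEFAULT_KEY = bytes(range(0x30, 0x40)).hex()


def generate_osdp_key():
    """Return a fresh 32-character hexadecimal key from the OS CSPRNG."""
    return secrets.token_hex(16).upper()


def check_osdp_key(key):
    """Return a list of problem codes for one key; an empty list means OK."""
    if not HEX32.fullmatch(key):
        return ["format"]          # wrong length or non-hex characters
    raw = bytes.fromhex(key)
    problems = []
    if key.lower() == OSDP_DEFAULT_KEY:
        problems.append("default-key")
    if len(set(raw)) < 8:          # assumption: threshold chosen for this example
        problems.append("low-variety")
    if raw[:8] == raw[8:]:
        problems.append("repeated-halves")
    steps = {(b - a) % 256 for a, b in zip(raw, raw[1:])}
    if len(steps) == 1:            # e.g. 00 00 00 ... or 30 31 32 ...
        problems.append("constant-step")
    return problems


def audit_readers(readers):
    """readers: name -> configured key. Return name -> problems (if any)."""
    findings = {name: check_osdp_key(key) for name, key in readers.items()}
    by_key = {}
    for name, key in readers.items():
        if HEX32.fullmatch(key):
            by_key.setdefault(key.lower(), []).append(name)
    for names in by_key.values():
        if len(names) > 1:         # same key on several readers
            for name in names:
                findings[name].append("reused")
    return {name: p for name, p in findings.items() if p}


# Constructed sample configuration; none of these keys should be used.
READERS = {
    "Lobby": "303132333435363738393A3B3C3D3E3F",
    "Server room": "00000000000000000000000000000000",
    "Dock": "9F2C4A7E1B6D830552E8C17AF4B96D03",
    "Garage": "9f2c4a7e1b6d830552e8c17af4b96d03",
    "Archive": "9F2C4A7E1B6D830552E8C17AF4B96D0",
}

if __name__ == "__main__":
    for reader, problems in audit_readers(READERS).items():
        print(f"{reader}: {', '.join(problems)}")
    print("new key:", generate_osdp_key())
```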
6.1 Aperio
DAP supports both Aperio hub variations, IP communication hub (Aperio AH40) and RS485
communication hub (Aperio AH30) in combination with Zone Wing.
The Aperio AH40 system is used in the following way: The user holds an RFID card in front of
the lock. The lock sends card credentials wirelessly to the Communication Hub and the
Communication Hub (wired through Ethernet) then communicates with Time&Space system.
Time&Space system then makes the access decision. The decision is sent via the
Communication Hub to the lock and access is granted or denied.
The Aperio AH30 system is used in the following way: The user holds an RFID card in front of
the lock. The lock sends card credentials wirelessly to the Communication Hub and the
Communication Hub (wired through RS485 via Zone Wing) then communicates with
Time&Space system. Time&Space system then makes the access decision. The decision is
sent via Zone Wing and the Communication Hub to the lock and access is granted or denied.
The biggest difference between the Aperio AH40 and Aperio AH30 systems is in the operational
mode: the AH30 in combination with Zone Wing can work in online/offline mode, while the
AH40 works only in online mode. The online/offline mode relates to the communication
between a hub and the access control system.
6.1.1 Mounting
Aperio hub must be installed into a junction box ex European 2-Gang, Aperio bottom cover or
with Americas adaptor plate to junction box.
AH40 - Connectors
J201 (Ethernet connector) - Connection to the Electronic Access Control system through a
10BASE-T / 100BASE-TX Local Area Network. Can also be used for power supply if
connected to a IEEE 802.3af compliant Power Sourcing Device (PSE). Wire requirements
CAT5 or higher.
J321 (Power supply input) - 8-24 V DC. The power supply shall be a Limited Power
Source (LPS) according to EN 60950-1. The power supply shall be 3A over current
protected. Wire requirements 16-22 AWG.
AH40 - Connectors
Note: When PoE (Power over Ethernet) is used, no power supply may be connected to
J321.
AH30 - Connectors
Note: Hub's RS485 address can be set by using the DIP switch (A0-A4) or Aperio
Programming Application. For more information about DIP switch addressing, see Aperio™
Hub AH20/AH30 Installation Instructions.
The Communication Hub has a status LED visible through the front cover. It supports optical
schemes with red, green and yellow. The indication schemes are described by the figure
below:
Check list for pairing and configuration of locks/sensors and communication hubs
An installation is a password protected set of settings you need when you want to
communicate with a hub and/or a lock. The installation is linked to an encryption file that is
needed in order for the communication to work. (The encryption key file is provided by your
local ASSA ABLOY company via encrypted e-mail or on a USB memory stick.)
Insert the USB Radio dongle and start the Aperio Programming application.
Select File > New installation... in the Programming Application menu.
Enter a name for the installation and a password containing at least 8 characters, including
at least one upper case character, one lower case character and a number. Finally click the
button in the Key file field to add the Encryption key.
New installation
Click Create
Scan results
Select the communication hub(s) to be included in your installation. Click Show details to
view detailed information.
Hub details
To establish communication in DAP with a hub, you need to set up hub's IP address and
ACU settings.
6.1.2.1.1 IP Address
Right click on the hub and select Communication hub > Change IP Address.
Change IP Address
Update or fill in the IP address of the communication hub. Click OK and the new IP address
will be applied in the communication hub, and the IP communication will be restarted using
the new IP address. This parameter is used in DAP (named Hub Address) when configuring
connection to the hub.
IP address settings
Right click on the hub and select Configure... to open Configure Communication Hub
wizard and select Next.
ACU Settings
Set the following parameters for the communication with access control system.
Note: Make sure that a valid TLS certificate is present in the DAP system (Default location
for certificates is C:\Program Files (x86)\Spica\TimeSpace\Device Communicator\Certificates).
Scan results
Select the communication hub(s) to be included in your installation. Click Show details to
view detailed information.
Hub details
To establish communication in DAP with a hub, you need to set up hub's RS485 address
and ACU settings.
Right click on the hub and select Communication hub > Change EAC Address.
Change IP Address
Set RS485 address (from 1 to 63) of the communication hub if not set with the DIP switch.
Click OK and the new RS485 address will be applied in the hub. This parameter is used in
DAP (named lock Address) when configuring locks on the Zone Wing.
To enable remote unlock of the lock from the system (e.g. Visual Space Manager), additional
settings are required on the hub and lock. This functionality requires Zone Wing application
version 2.80 or higher.
Remote unlock parameter must be enabled on the hub. Right click on the hub and select
Communication hub > Configure. Click Next until the menu appears. Click Change for
Remote Unlock option and set value to 1 minute.
Polling interval parameter must be enabled on the lock. Polling interval decides how often
the lock wakes up and connects to the communication hub to check for information from the
system. Right click on the lock and select Lock/Sensor > Configure. Click Next until the
menu appears. Click Change for Polling interval option and set the value to the desired
interval. The default polling interval in the lock is 10 seconds.
Warning: The polling interval can have a significant effect on the battery lifetime. A
lower value will result in a more responsive remote unlock action but will also have a negative
effect on the battery. Consult your local Aperio supplier about the optimal
parameter value for your installation.
The pairing process starts. Hold the credential at the lock, or engage the magnet for the
sensor to pair the hardware with the communication hub.
Pairing process
Hub details with paired locks. Remember lock IDs because they are needed for lock
configuration in DAP.
Follow the HW Configuration and SW Configuration section to set up the terminal properly in
DAP.
Warning: There are some limitations for the integration of Aperio AH40 hub in
Time&Space system:
Locks work only when the device is enabled and accessible in the system. Operation in
offline mode is not supported.
Low battery alarm can be automatically or manually deactivated because the lock sends
deactivation packet to the system.
Force door and open door are software alarms, meaning they are triggered by DAP and not
by the lock, therefore they must be confirmed and deactivated in Visual Space Manager.
2. Edit the Name, ID, Description and Area parameter if needed and continue by selecting
Save and Create Connection button.
3. Enter device's IP address and communication port and continue by selecting Create
Connection button.
4. When the connection parameters are saved, you are placed to Connection view. Continue
by selecting Locks view from the tree.
Connection view
Locks view
6. Enter Name, Identification no. and select appropriate lock type and continue by selecting
Save and Generate Schema button.
7. Navigate to General view. Select Enable connection button to start up the communication
with the terminal.
Enable connection
8. When the communication is enabled, the status is updated to Online and predefined
configuration is sent to the terminal.
Online device
Warning: Make sure you also check and configure Customizable Application Parameters
related to Aperio AH40 device.
Product description
Warning: There are some limitations for the integration of Aperio AH30 hub in
Time&Space system:
A single Zone Wing can manage up to 16 Aperio AH30 hubs. Further on, the maximum
number of Aperio locks per Zone Wing/AH30 hubs combination is limited to 21.
Force door and open door software alarms are supported only on the following locks:
L100, AS100 and KS100.
This functionality also requires an appropriate update on the hardware side, Zone Wing
application ver. 2.60 or higher is required.
2. Edit the Name, ID, Description and Area parameter if needed and continue by selecting
Save and Create Connection button.
3. Enter device's IP address and communication port and continue by selecting Create
Connection button.
4. When the connection parameters are saved, you are placed to Connection view. Continue
by selecting Connected Devices view from the tree.
Connection view
5. Select Add Aperio Lock from the menu to add lock configuration.
6. Enter Name, address and select appropriate lock type and continue by selecting Save
and Generate Schema button. Predefined readers, inputs and outputs will be created
according to the selected lock type.
7. Navigate to General view. Select Enable connection button to start up the communication
with the terminal.
Enable connection
8. When the communication is enabled, the status is updated to Online and predefined
configuration is sent to the terminal.
Online device
Warning: Make sure you also check and configure Customizable Application Parameters
related to Zone Wing device.
Access control rights on all access points for employees (Time&Space, Visionline) are
managed through a single software interface (Time&Space).
Any card encoding for RFID cards for Visionline locks is programmed through a desktop
encoder, with a desktop reader used for reading unique card IDs from cards for use in the
T&S badging system.
Any ‘online’ distribution of access rights to VingCard locks will be prompted from T&S but
actioned through Visionline.
Integration architecture
6.2.1 SW Configuration
Visionline
Add Assa Abloy Visionline device in DAP
Set up card reading option in Time&Space Manager
Adding access profiles to users
6.2.1.1 Visionline
Install Visionline (version 1.18.1.7 or newer) and configure Devices (Encoder/HCU/ZigBee
Gateway), Doors and Door Areas. Check Visionline user's manual for more details.
Device dialogue
Go to Tools\Options, select Events chapter and enable Store events from Moving Log in
the database option.
2. Edit the Name, ID, Description and Area parameter if needed and continue by selecting
Create device button.
3. A number of reader entities on this device must correspond with the number of locks on
the gateway. Further on, the reader's ID must be updated with Lock's DoorID. The DoorIDs
are visible in System Monitoring tool.
4. Make sure that Enable Profiles is enabled on this device on Advanced device settings.
5. The Time&Space part of the Visionline integration is mostly covered by the Device
Communicator component. Edit its configuration file where individual settings are explained.
6. Select Enable connection button to start up the communication with the device.
select ER.ID
from EC_READERS ER, EC_CONTROLLERS EC
where EC.ID=ER.CONTROLLER_ID and EC.NAME='Assa Abloy Visionline'
• Open Registry Editor and go to HKEY_CURRENT_USER -> SOFTWARE -> Spica -> TimeSpace
-> Common and create a new String Value with the following parameters:
Name = SpaceAPIReadCardURL
Value = HTTPS://<SpaceAPI address>/Badges/?readerId=<reader's ID from step 1>
Removal of the assigned access profiles is currently possible only from Visionline system.
Note: At the moment, the management of access profiles for multiple users is not
available.
6.3 Iris ID
The iCAM7000 series is the newest generation in the iCAM series and is completely
compatible with the prior iCAM4000 series solution deployed worldwide. IrisAccess, now in its
fourth generation, has even more features and functionality with greater integration
flexibility.
Iris ID’s biometric solutions provide highly accurate, non-contact identification by the iris of
the eye from 14 inches away while delivering security, convenience, privacy and productivity
to millions of people around the world. The iCAM7000’s versatility and flexibility allows for
easy integration with many Wiegand and network based access control, time and
attendance, visitor management and point of sale applications.
Every iris pattern is unique and stable for life and since there are more readily measurable
characteristics in the iris, iris recognition is regarded to be the most accurate, fastest, and
scalable option for both small and large scale biometric deployments. Other biometric
modalities such as fingerprint, hand, voice, vein and facial characteristics can often vary and
change over time or with use conditions.
Follow the HW Configuration and SW Configuration section to set up the terminal properly in
the system.
Iris ID
Warning: There are some limitations for the integration of Iris ID terminal in Time&Space
system:
Currently only data collection of Time&Attendance events is supported. Events are pulled in
off-line mode according to Pull events time out.
Template enrolment is supported within Time&Space system.
6.3.1 HW Configuration
To perform the configuration you need to connect and power up a device. This manual
includes only the most important steps; for more details, please refer to the iCAM7000
Hardware Guide.
Device mounting
Device wiring
3. Enter the default Username: iCAM7000 and Password: iris7000 (both are case
sensitive). These credentials are also needed when setting connection parameters in DAP.
5. Enter the desired IP address data of the iCAM7000 series camera unit. A selection to
enable or disable IP announcement will also be available (set by default as active -
Recommended).
Start up screen
The Find iCAM7000s button function can be used instead of the manual Add function if
desired. It will search the network for available iCAM7000 units and display them in the list.
To perform this process, click the Find iCAM7000 button or select the Find ICU7000s option
from the Program menu. (Network settings, Windows firewall, available ports, routers, and
anti-virus applications can block the application's ability to find/detect ICU7000s on the
network.)
Select the New Installation button or select New Installation option from Program menu.
iCAM7000 Update
In order for the custom application to connect to the iCAM when it is in iCAM Manager Mode,
the information below must be entered for the camera and in the controlling application:
Security ID - Enter a unique security ID for this unit (16 character requirement). By default
the ID is set to "1111111111111111".
Operation mode
Warning: Make sure you have updated iCAM Manager software on device for operational
modes compatible with the iCAM Manager SDK.
6.3.2 SW Configuration
SW configuration process includes the following steps:
Iris ID License
Note: Since iCAM SDK is installed with DAP setup, the licence must be activated on the
workstation running Event Processor service.
Advice: Licence Viewer application can be found on Time&Space distribution media (...
Server\IrisID\License Viewer).
2. Edit the Name, ID, Description and Area parameter if needed and continue by selecting
Save and Create Connection button.
3. Enter terminal's static IP address, Username, Password and Security ID and continue by
selecting Create Connection button.
4. When the connection parameters are saved, you are placed to Connection view. Continue
by selecting General view from the tree.
Connection view
5. Select Enable connection button to start up the communication with the terminal.
Enable connection
6. When the communication is enabled, the status is updated to Online and predefined
configuration is sent to the terminal.
Online device
Warning: Make sure you also check and configure Customizable Application Parameters
related to Iris ID terminal.
Designed for physical access control applications, MorphoAccess® SIGMA Series terminals
feature a compact, attractive design, coupled with high reliability and security. These 5th
generation terminals are both robust and easy to use for a variety of applications, including
office, headquarters and administrative building security, as well as protection of external
access points.
Follow the HW Configuration and SW Configuration section to set up the terminal properly in
DAP.
Morpho Sigma
Warning: There are some limitations for the integration of Morpho Sigma terminal in
Time&Space system:
By default, the maximum size of SIGMA series terminal database is limited to 3,000 user
records (with two fingers per user record). In combination with Time&Space system, user
records are translated to assigned user badges with a valid access profile (e.g. User with
two badges and a valid access profile will spend 2 user records on Sigma device.). User
licenses can be installed for extending this maximum database limit.
For all events (Time Attendance and Access Control) a valid access profile is necessary for
the registration on the terminal.
Only one access schedule per reader can be defined on user's access profile.
Only access schedules with ID from 1 to 58 can be used on Sigma terminal.
Access schedules on Morpho Sigma are determined on 15 minute intervals. “From value” is
rounded upwards (e.g. 8:17 -> 8:30) while “To value” is rounded downwards (e.g. 8:17 ->
8:15).
Open Door and Forced Door alarms cannot be disabled in Visual Space Manager, because
trigger must be disabled on hardware.
Sigma terminals do not support the option for disabling fingerprint verification for a specific
user in Time&Space Manager. Fingerprint verification has to be managed through Biometric
Administration Portal.
Valid From parameter which can be set on the badge is not supported on Sigma device.
Only date from Valid To parameter is considered if set on the badge.
When changing a time zone parameter in DAP to the zone before the current one (e.g.
-10:00), then the event log must be cleared from device using MorphoBio ToolBox.
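The schedule limits listed above (schedule IDs 1 to 58, one schedule per reader, 15-minute rounding) can shorten or silently remove an access window. The following added example, not part of Time&Space, applies those rules to a constructed access profile and reports what a Sigma terminal would effectively enforce; the function names and the data layout are hypothetical.

```python
STEP = 15                 # Sigma schedules are determined on 15 minute intervals
MIN_ID, MAX_ID = 1, 58    # usable access schedule IDs on a Sigma terminal


def parse_hhmm(text):
    """Convert 'H:MM' to minutes since midnight ('24:00' is allowed)."""
    hours, minutes = (int(part) for part in text.split(":"))
    if not (0 <= hours <= 24 and 0 <= minutes < 60) or (hours == 24 and minutes):
        raise ValueError(f"invalid time: {text!r}")
    return hours * 60 + minutes


def fmt(minutes):
    """Format minutes since midnight the way the manual writes times."""
    return f"{minutes // 60}:{minutes % 60:02d}"


def effective_interval(start, end):
    """Round 'From' upwards and 'To' downwards to the 15 minute grid."""
    s, e = parse_hhmm(start), parse_hhmm(end)
    s_eff = -(-s // STEP) * STEP      # ceiling, e.g. 8:17 -> 8:30
    e_eff = (e // STEP) * STEP        # floor,   e.g. 8:17 -> 8:15
    return s_eff, e_eff


def check_profile(assignments, schedules):
    """assignments: [(reader, schedule_id)]; schedules: id -> [(from, to)].

    Returns a list of (reader, problem, detail) tuples.
    """
    per_reader = {}
    for reader, schedule_id in assignments:
        per_reader.setdefault(reader, []).append(schedule_id)

    problems = []
    for reader, ids in per_reader.items():
        if len(ids) > 1:
            problems.append((reader, "multiple-schedules", ids))
        for schedule_id in ids:
            if not MIN_ID <= schedule_id <= MAX_ID:
                problems.append((reader, "schedule-id-out-of-range", schedule_id))
                continue
            for start, end in schedules.get(schedule_id, []):
                s_eff, e_eff = effective_interval(start, end)
                if s_eff >= e_eff:
                    # Nothing is left of the window after rounding.
                    problems.append((reader, "interval-vanishes", f"{start}-{end}"))
                elif (s_eff, e_eff) != (parse_hhmm(start), parse_hhmm(end)):
                    problems.append((reader, "interval-shortened",
                                     f"{start}-{end} -> {fmt(s_eff)}-{fmt(e_eff)}"))
    return problems


# Constructed sample data.
SCHEDULES = {
    12: [("8:17", "16:40"), ("12:05", "12:25")],
    3: [("9:00", "17:00")],
    60: [("0:00", "24:00")],
}
ASSIGNMENTS = [("Main door", 12), ("Lab", 3), ("Lab", 60)]

if __name__ == "__main__":
    for reader, problem, detail in check_profile(ASSIGNMENTS, SCHEDULES):
        print(f"{reader}: {problem}: {detail}")
```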
6.4.1 HW Configuration
To perform the configuration you need to connect and power up a device. See Sigma
Administration user's manual for more details.
POE and external power supply are not used at the same time: if both power supplies are
used, priority is given to the external power supply. If the external power supply is shut
down, switch to POE without reboot is not guaranteed.
Must comply with CEE/EEC EN60950 standard. It is strongly recommended to use class II
power supply at 12V-24V and 1A min (at 12V). Could be provided by a 12 Volts Wiegand
power supply, which complies with the Security Industry Association's Wiegand standard
March 1995.
MorphoAccess® SIGMA Series terminal's power supply can also be provided by the Ethernet
using RJ45 connection (Power Over Ethernet mode). When the terminal is connected to the
network by the RJ45 connector (ref RJ45/POE on Figure 5: MorphoAccess® SIGMA Series
Terminal Rear View Diagram), it allows either the power supply over the data pins or over the
spare pins. But when the terminal is connected to the network by the Ethernet connector
block (Figure 5), only power supply over the data pins is possible.
1. Enter Terminal Administration Menu and navigate to System Menu > First Boot Assistant >
Network Configuration > Ethernet. Under Ethernet, an administrator can select IPV4 or IPV6.
Ethernet Configuration
2. On next screen, Default IP Mode is selected as DHCP. Press on Static option. Use Check
IP mode
3. Under Static IP Mode, an administrator can manually configure IP Address of the terminal,
Subnet Mask, Network Mask, Gateway Address and DNS Servers.
6.4.2 SW Configuration
1. Go to Devices view, select New Device action and select MA SIGMA device type. Continue
by selecting Next button.
2. Edit the Name, ID, Description and Area parameter if needed and continue by selecting
Save and Create Connection button.
3. Enter terminal's static IP address and continue by selecting Create Connection button.
4. When the connection parameters are saved, you are placed on Connection view. Continue
by selecting General view from the tree.
Connection view
5. Select Enable connection button to start up the communication with the terminal.
Enable connection
6. When the communication is enabled, the status is updated to Online and predefined
configuration is sent to the terminal.
Online device
Warning: Make sure you also check and configure Customizable Application Parameters
related to MA Sigma terminal.
Verification Settings
Use Verification settings field to set the security level for time and access events on the
specific reader. You can specify which parameters will be requested and checked for each
event clocking.
Verify Badge Number - This option is always selected and disabled due to device specifics.
Verify PIN - Select this option, if you want PIN to be checked during registration on the
reader.
Verify Schedule - This option is always selected and disabled due to device specifics.
Advice: For the verification of PIN, a wild card can be set on the user level in Time&Space
Manager.
Advanced
Reader settings
Warning: Verify Access option is not validated on MA Sigma terminals. Every event
defined on the interface will trigger a relay (access) on the terminal.
If user interface type is not set to Reader Only, two additional settings are available on the
user interface:
An administrator can login to terminal and access several functionalities under administration
menu. It allows administrator to perform configuration, add users, upload multimedia,
download logs, etc.
In this mode, badge number of the user is entered using the MorphoAccess® SIGMA Series
terminal keyboard.
Keyboard icon
Mode - Default - Access is granted upon request on the basis of parameters on reader's
security settings.
Pulse time - Defines how long the output will be active after an access request has been
granted. Possible values are 0 to 100 seconds.
Area - Time&Space system offers a possibility for hierarchical classification of outputs
according to natural criteria (e.g. geographical location). Areas located higher on the
organizational structure include subordinated zones, which help the system to preserve
space topology.
Outputs settings
Advice: For more details about output wiring, check MA Sigma Quick User Guide.
On deactivated output (Open door) - Alarm is activated if input is still active after output
deactivation.
On activated output (Forced door) - Alarm is activated if input is active and output is
inactive.
Unauthorized access attempt - Alarm is activated if a user without access rights makes
registration.
Unsuccessful user authentication - Alarm is activated if a user authentication is not
successful (e.g. invalid PIN, unmatched biometric verification).
Note: Each alarm type can be created only once and all alarm parameters are
predefined.
Advice: For more details about alarm wiring, check MA Sigma Quick User Guide.
Max Response Time - This option defines how long the device should wait for Event
Processor service to respond when sending data that need to be confirmed. If the server
does not respond within the specified time, the terminal will switch to off-line mode. The
default value is 30 seconds. Increase this value if your computer or network communication
is slow (the default value may be too short in such situations).
Profile Update Priority - This option is used to define a custom update priority of access
profiles for a specific device. Value 0 represents the highest priority.
Enable Profiles - If this option is not selected, this reader will ignore users' access profiles.
Enable Notifications - If this option is selected, email notification will be generated when
device's status goes to Offline.
Picture Capture - By default this option is disabled. If enabled, it can work in the following
operation modes:
Photo Taking - One picture is captured during the registration or alarm on the terminal.
Face detection (optional) - Multiple pictures are taken and face detection is performed.
If a face is detected in one or multiple photos, the photo with the best face detection
quality measure is saved.
Face detection (mandatory) - Take multiple pictures and perform face detection. If no
photo contains a face, the user is rejected.
Template on Card - This option defines where user's data is stored and if access profiles
are used. The following options are available:
Disabled - User's data is stored in the database and template management is done in
Biometric Administration Portal. Further on, a user must have a valid access profile to
make registration on the terminal.
Integrated Access Control Mode - User's data is stored on the card and template
management is done on the device or in Webserver. Further on, a user must have a valid
access profile to make registration on the terminal.
Reader Emulation Mode - User's data is stored on the card and template management
is done on the device or in Webserver. In this mode, the terminal works as a dummy
Wiegand reader thus a valid access profile is not needed to make a registration on the
terminal. Before you can use this mode, all output definitions must be removed from the
device in Device Administration Portal.
Advanced Settings
Warning: It is a pre-requisite that the terminal should have an SD card plugged in for
Picture Capture On Registration option.
Note: Integrated Access Control Mode or Reader Emulation Mode as Template on Card
option does not support BIOPIN verification (ID + Biopin or ID + PIN + Biopin).
Note: Only Unauthorized access attempt and Unsuccessful user authentication (only for
assigned badges) alarm types support picture capture functionality.
Designed for physical access control applications, MorphoAccess® SIGMA Lite Series terminals
feature a compact, attractive design, coupled with high reliability and security. These 5th
generation terminals are both robust and easy to use for a variety of applications, including
office, headquarters and administrative building security, as well as protection of external
access points.
The first design features a LED indicator to assist users in the access control process,
whereas the second model offers enhanced interactivity with a color touch screen.
Follow the HW Configuration and SW Configuration section to set up the terminal properly in
DAP.
Warning: There are some limitations for the integration of Morpho Sigma Lite terminal in
Time&Space system:
For all events (Time Attendance and Access Control) a valid access profile is necessary for
the registration on the terminal.
Only one access schedule per reader can be defined on user's access profile.
Only access schedules with ID from 1 to 58 can be used on Sigma terminal.
Access schedules on Morpho Sigma are determined on 15 minute intervals. “From value” is
rounded upwards (e.g. 8:17 -> 8:30) while “To value” is rounded downwards (e.g. 8:17 ->
8:15).
Open Door and Forced Door alarms cannot be disabled in Visual Space Manager, because
trigger must be disabled on hardware.
Sigma terminals do not support the option for disabling fingerprint verification for a specific
user in Time&Space Manager. Fingerprint verification has to be managed through Biometric
Administration Portal.
Valid From parameter which can be set on the badge is not supported on Sigma device.
Only date from Valid To parameter is considered if set on the badge.
When changing a time zone parameter in DAP to the zone before the current one (e.g. -
10:00), then the event log must be cleared from device using MorphoBio ToolBox.
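The schedule limitations listed above (IDs 1 to 58, 15-minute rounding) can be checked before profiles are sent to a terminal. The following PowerShell function is an added example, not part of the original manual; its name and the sample schedules are constructed for illustration.

```powershell
# Added example: compute the window a Sigma terminal will actually enforce for a
# configured access schedule. Function name and sample data are constructed.
function Get-SigmaEffectiveSchedule {
    param(
        [Parameter(Mandatory)][int]$ScheduleId,
        [Parameter(Mandatory)][timespan]$From,
        [Parameter(Mandatory)][timespan]$To
    )
    $step = 15   # schedules are determined on 15-minute intervals

    # "From value" is rounded upwards, "To value" is rounded downwards.
    $fromMin = [int]([math]::Ceiling($From.TotalMinutes / $step) * $step)
    $toMin   = [int]([math]::Floor($To.TotalMinutes / $step) * $step)

    $issues = @()
    if ($ScheduleId -lt 1 -or $ScheduleId -gt 58) {
        $issues += 'schedule ID outside 1..58'
    }
    if ($fromMin -ge $toMin) {
        # Short windows can disappear completely once both ends are rounded.
        $issues += 'window is empty after rounding'
    } else {
        $lost = [int](($To - $From).TotalMinutes - ($toMin - $fromMin))
        if ($lost -gt 0) { $issues += "$lost minutes lost to rounding" }
    }

    [pscustomobject]@{
        ScheduleId    = $ScheduleId
        Configured    = '{0:hh\:mm}-{1:hh\:mm}' -f $From, $To
        EffectiveFrom = [timespan]::FromMinutes($fromMin).ToString('hh\:mm')
        EffectiveTo   = [timespan]::FromMinutes($toMin).ToString('hh\:mm')
        Issues        = ($issues -join '; ')
    }
}

# Constructed sample schedules (not taken from a real installation).
$schedules = @(
    @{ ScheduleId = 1;  From = '08:17'; To = '17:10' },   # shrinks to 08:30-17:00
    @{ ScheduleId = 2;  From = '08:17'; To = '08:25' },   # collapses to nothing
    @{ ScheduleId = 59; From = '08:00'; To = '16:00' }    # ID not usable on Sigma
)
foreach ($s in $schedules) { Get-SigmaEffectiveSchedule @s }
```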
6.5.1 HW Configuration
To perform the configuration you need to connect and power up a device. See Sigma
Administration user's manual for more details.
POE and external power supply are not used at the same time: if both power supplies are
used, priority is given to the external power supply. If the external power supply is shut
down, switch to POE without reboot is not guaranteed.
12-24 Volts (regulated and filtered) 1 Amp min @12V, CEE/EEC EN60950 standard compliant.
A 12 Volts power supply compliant with SIA's Wiegand standard will also be suitable. If
sharing power between devices, each unit must receive 1A (e.g. two units would require a
12vDC, 2A supply).
Power can be provided through RJ-45 connector using a PSE (Power Sourcing Equipment)
IEEE 802.3af or IEEE802.3at type 1 compliant. The terminal is a Class 0 (15.4W) PD (Powered
Device).
6.5.2 SW Configuration
1. Go to Devices view, select New Device action and select MA SIGMA LITE or MA SIGMA
LITE+ device type. Continue by selecting Next button.
2. Edit the Name, ID, Description and Area parameter if needed and continue by selecting
Save and Create Connection button.
3. Enter terminal's static IP address and continue by selecting Create Connection button.
4. When the connection parameters are saved, you are placed on Connection view. Continue
by selecting General view from the tree.
Connection view
5. Select Enable connection button to start up the communication with the terminal.
Enable connection
6. When the communication is enabled, the status is updated to Online and predefined
configuration is sent to the terminal.
Online device
Warning: Make sure you also check and configure Customizable Application Parameters
related to MA Sigma terminal.
Follow the Application installation and Add device configuration in DAP section to set up the
terminal properly.
2. When you start the application for the first time, you need to set up the communication
parameters:
Note: By default 4449 port is used for the communication with SFC devices.
3. When settings are entered, save the configuration with Save button and start the
application with the Start button.
4. Application in this step has generated a pairing code, which must be set as connection
parameter for SFC reader in DAP. This way a mobile device is paired with the reader
configuration in the system.
Pairing code
Note: Do not forget to enable the connection on SFC in DAP, so the application will be
able to establish the communication.
5. When the communication is established, terminal's parameters (date, time and buttons)
are updated as set in the system.
6. If the server is unreachable after the parameters have been updated, the application
switches to offline mode, which is signalled by a grey Time&Space logo.
Offline mode
Create a certificate request and send that request to a known certificate authority (CA) or
Create a self-signed certificate.
Log on to the Web server computer as an administrator.
Select server node in the tree view and open Server Certificates option.
Self-Signed Certificate
2. Add a new Secure Sockets Layer (SSL) server certificate binding and the corresponding
client certificate policies for an IP address and port. First, open the certificate details and copy
the thumbprint information.
Certificate details
3. Update SFC communication port and thumbprint parameters and execute the following
statement in the Command Prompt:
netsh http add sslcert ipport=0.0.0.0:<SFC communication port> certhash=<thumbprint> appid={00000000-0000-0000-0000-000000000000}
HTTPS protocol
6.6.2 SW Configuration
1. Go to Devices view, select New Device action and select Spica Field Clocking device
type. Continue by selecting Next button.
2. Edit the Name, ID, Description, Area and Time zone parameter if needed and continue by
selecting Create Device button.
Advice: Since SFC devices are linked with the reader configurations, there could be only
one SFC device present in the system. All the following devices are added as reader
configurations on the existing SFC device.
5. Navigate to General view. Select Enable connection button to start up the communication
with the terminal.
Enable connection
6. When the communication is enabled, the status is updated to Online, and predefined
configuration is sent to the terminal.
Online device
Warning: Make sure you also check and configure Customizable Application Parameters
related to SFC device.
Verification Settings
Use Verification settings field to set the security level for the time events on the specific
reader. You can specify which parameters will be requested and checked for each event
clocking.
Verify Access Profile - This parameter is not used on the selected device.
Verify PIN - This parameter is not used on the selected device.
Verify Fingerprint - This parameter is not used on the selected device.
Verify Schedule - Select this option, if you want access schedules to be checked during
registration on the reader.
Advanced
Events view
Allow entering device setup - If enabled, a user can access application's settings.
Fingerprint templates are synchronized with SFC devices on Reload Profiles/Update Profiles
action or manually from the application setup for the users who have valid access profile.
Information about the number of existing templates on the device is shown in the lower left
corner as Enrolled users parameter.
2. When you start the application for the first time, you need to set up the communication
parameters:
Note: By default 4443 port is used for the communication with MATT devices.
3. When settings are entered, save the configuration with Save button and start the
application with the Start button.
4. Application in this step has generated a pairing code, which must be set as connection
parameter for MATT device in DAP. This way a mobile device is paired with the device
configuration in the system.
Pairing code
Note: Do not forget to enable the connection on MATT in DAP, so the application will be
able to establish the communication.
5. When the communication is established, terminal's parameters (date, time and buttons)
are updated as set in the system.
6. If the server is unreachable after the parameters have been updated, the application
switches to offline mode, which is signalled by a grey Time&Space logo.
Offline mode
Create a certificate request and send that request to a known certificate authority (CA) or
Create a self-signed certificate.
Log on to the Web server computer as an administrator.
Select server node in the tree view and open Server Certificates option.
Self-Signed Certificate
2. Add a new Secure Sockets Layer (SSL) server certificate binding and the corresponding
client certificate policies for an IP address and port. First, open the certificate details and copy
the thumbprint information.
Certificate details
3. Update MATT communication port and thumbprint parameters and execute the following
statement in the Command Prompt:
netsh http add sslcert ipport=0.0.0.0:<MATT communication port> certhash=<thumbprint> appid={00000000-0000-0000-0000-000000000000}
HTTPS protocol
6.7.2 SW Configuration
1. Go to Devices view, select New Device action and select Spica MATT device type.
Continue by selecting Next button.
2. Edit the Name, ID, Description and Area parameter if needed and continue by selecting
Save and Create Connection button.
3. Enter device's pairing code and continue by selecting Create Connection button.
4. When the connection parameters are saved, you are placed on Connection view. Continue
by selecting the General view from the tree.
Connection view
5. Navigate to General view. Select Enable connection button to start up the communication
with the terminal.
Enable connection
6. When the communication is enabled, the status is updated to Online, and predefined
configuration is sent to the terminal.
Online device
Warning: Make sure you also check and configure Customizable Application Parameters
related to MATT device.
Verification Settings
Use Verification settings field to set the security level for the time events on the specific
reader. You can specify which parameters will be requested and checked for each event
clocking.
Verify Access Profile - This parameter is not used on the selected device.
Verify PIN - This parameter is not used on the selected device.
Verify Schedule - Select this option, if you want access schedules to be checked during
registration on the reader.
Events view
Allow entering device setup - If enabled, a user can access application's settings.
Max Response Time - This option defines how long the device should wait for Device
Communicator service to respond when sending data that need to be confirmed. If the
server does not respond within the specified time, the terminal will switch to offline mode.
The default value is 2 seconds. Increase this value if your computer or network
communication is slow (the default value may be too short in such situations).
Advanced Settings
6.8 TBS
Biometric technology made in Switzerland: TBS (Touchless Biometric Systems) offers flexible,
functional hardware and software for access control and time recording. TBS technology
combined with world’s best touch sensor for highest security and multifunctionality at point of
access.
2D-TERMINAL MULTISPECTRAL
Warning: This integration assumes that no additional licenses for TBS third party zone
access management will be purchased. Consequently, the integration only supports two
modes of operation:
Fully on-line – Devices must be fully on-line and a successful clocking will cause the user’s
balance to be shown on the device.
Fully off-line – No balance is shown to the user who registers and the devices do not need
to be on-line to register a clocking.
Hybrid mode supported by native Time&Space HW devices is not supported.
Note: Please note that the integration has only been tested with the 2D Terminal from
TBS.
6.8.1 HW Configuration
Operating Mode Selection
This page appears if a device is started for the first time or restarted after factory state reset.
You can also change operating mode dynamically from ADMIN menu. Set the device to WE
Mode (Web Edition). This is the standard and recommended mode. Connection to the server
via the network is required, selecting this mode enables the terminal to communicate with
BioAdmin Web Edition or WebServer Edition. Communication between devices and server is
based on web services, routed through HTTP (Port 80) or optionally HTTPS (Port 8080).
Network Configuration
The device may have static IP or dynamic IP assigned automatically if DHCP server is available
on the network. By default it is set to DHCP, at right a sample is shown how to configure
static IP. For the integration with Time&Space system, it's recommended to use static IP
address.
Integration Configuration
Go to TBS Device Configuration portal by entering device's IP address in the browser. Default
credentials for the portal are: "user" for username and "4TbsPartners" for password. Please
follow the steps described in the selected operational mode (full on-line mode or fully off-line
mode) for the integration to work correctly.
Network chapter
Identification (1:N) - The input sample is compared against all reference samples in
the database.
Verification (1:1) - The input sample is compared against reference sample,
preselected in first verification step.
Smart Mode - In Smart Mode, each user can have its combination of ID factors
assigned. The device recognises the person (based on first ID factor presented) and
asks for the remaining factors. The ID factors a user has to present in Smart Mode
need to be defined in WebClient server software.
Buttons defined here are mapped to the T&S buttons defined within the interface of the
virtual controller through the Device Communicator configuration file explained later on.
Button configuration
Integration chapter
XML Server URL (Server IP and port) – Use the DNS or the IP of the host where
Time&Space Device Communicator resides. Use the same port as configured below within
the NotificationServerPort value.
OnlineRightsRequest
Yes – Select this option for a fully on-line system.
No – Select this option for a fully off-line system.
6.8.2 SW Configuration
BioAdmin Web Edition
Add TBS device in DAP
Adding fingerprints to users
Configuring RemoteZone web service
Configure the TBS device so that it is visible and connected with this service.
This web service also implements the TBS SOAP API that is used as the integration point
between T&S and TBS devices. In BioAdmin Web Edition\Core folder, open and edit the
Web.config file and update the value of the authRPKey parameter. Set the value of
authRPKey to a unique key applicable to each installation. This is used for secure
communication between T&S and TBS system.
<appsettings>
...
<add key="authRPKey" value="6100c932616e4eb88f526f024bc96246" />
...
</appsettings>
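One way to make sure an installation does not keep the sample key printed above, as an added PowerShell example that is not part of the original manual. The function names and the -WebConfigPath parameter are hypothetical, and it assumes a 32-character hex value like the sample is accepted.

```powershell
# Added example: replace authRPKey when it is empty or still the value printed
# in the manual. Function names and parameters are hypothetical.
$DocumentedSampleKey = '6100c932616e4eb88f526f024bc96246'   # sample from the manual

function New-AuthRPKey {
    # 16 bytes from the OS random number generator, as 32 lowercase hex characters
    # (same shape as the sample; assumed to be an accepted format).
    $bytes = New-Object byte[] 16
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    -join ($bytes | ForEach-Object { $_.ToString('x2') })
}

function Update-AuthRPKey {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$WebConfigPath,   # Web.config in the Core folder
        [switch]$Force                                  # rotate even a non-sample key
    )
    $path = (Resolve-Path -LiteralPath $WebConfigPath).ProviderPath
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($path)

    # local-name() keeps the lookup working if the file declares a default namespace.
    $node = $xml.SelectSingleNode("//*[local-name()='add'][@key='authRPKey']")
    if ($null -eq $node) { throw "No authRPKey entry found in $path." }

    $current  = $node.GetAttribute('value')
    $isSample = $current -ieq $DocumentedSampleKey
    $isEmpty  = [string]::IsNullOrWhiteSpace($current)

    if (-not ($isSample -or $isEmpty -or $Force)) {
        return [pscustomobject]@{ Path = $path; Changed = $false; NewKey = $null }
    }

    # Keep a copy of the previous file next to it before writing.
    Copy-Item -LiteralPath $path -Destination "$path.bak" -Force
    $newKey = New-AuthRPKey
    $node.SetAttribute('value', $newKey)
    $xml.Save($path)

    [pscustomobject]@{ Path = $path; Changed = $true; NewKey = $newKey }
}

# Usage (path is a placeholder for the local BioAdmin Web Edition\Core folder):
# Update-AuthRPKey -WebConfigPath '<BioAdmin Web Edition>\Core\Web.config'
```

The returned NewKey is the value that the Time&Space side has to use as well, since the key secures communication between the two systems.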
On the Users view there are three types (Roles) of users that can be added:
ADMIN – Administrators of TBS devices, should only be added manually using this
application.
ENROLL – People who can enroll users on each device, should only be added manually
using this application.
USER – T&S users that will be pushed and kept in sync on each device automatically.
Users view
Warning: Do not add users with user role manually as they will be erased by the
integration process.
Advice: Since DAP is communicating with TBS API, only one TBS device can be configured
in the system.
2. Edit the Name, ID, Description and Area parameter if needed and continue by selecting
Create device button.
ID is very important and must be mapped to the actual BioClient ID found on each
device’s home configuration page. So for every BioClient, a new reader must be added to
the TBS device in DAP.
Set User Interface parameter to Custom.
Set Type parameter to Data Clock.
Enable Show extended information on clocking if balance or personal message should
be shown on the device upon a successful clocking. This option only works in full on-line
mode.
Verification Settings are not applicable to TBS devices.
Events definition
Warning: There should be only one page and a maximum of 8 buttons on that page.
Default event is not applicable as the TBS device has its own default event configuration. Use
the device communicator’s config file to map these buttons to TBS events.
5. The Time&Space part of the TBS integration is mostly covered by the Device Communicator
component. Edit its configuration file where individual settings are explained.
6. Select Enable connection button to start up the communication with the device.
Note: When Profile update or Profile reload action is executed in DAP, all Time&Space
users who have permissions for TBS terminal(s) will appear in TBS system. If the permissions
are later removed, the users will remain in the system. A user with permission for one TBS
terminal will be able to make registration on all TBS terminals in the system. In order to
manage permission for each TBS terminal, an additional module is required on TBS side, called
RemoteZone web service.
1. Use BioAdmin Web Edition to add a user with Admin or Enroll role and PIN option set.
2. Access the admin login on TBS terminal and log using the pin defined in step 1.
Default screen
3. Once you are logged in, choose the person you want to add fingerprints to.
Database screen
Action menu
5. From the menu, choose to insert user data and set a finger on the sensor.
Finger selection
Note: This procedure is done only once for every new user who is to be given permission to
access the TBS terminal.
Note: RemoteZone web service is available from release R7 of BioAdmin Web Edition and
not enabled by default.
Activation requires some configuration changes in 'web.config' file of ‘TBS BioAdmin Core’:
Add following lines (“service” xml node) under “services” xml node:
Warning: Basic XML knowledge is required for this process! A wrong configuration may
lead to malfunctions of the entire TBS system.
Uncomment RemoteZoneEndpoint key and set URL to the TBS RemoteZone web service in
TBSPlugin section. By default this option is disabled.
<TBSPlugin>
<add key="ServerEndpoint" value="http://localhost/BACore/RemoteSync.svc/basic"/>
<add key="RemoteZoneEndpoint" value="http://localhost/BACore/RemoteZone.svc/Basic" />
...
</TBSPlugin>
Restart DC service.
Warning: If RemoteZone web service is enabled on TBS side this feature must also be
enabled on Time&Space side and vice versa. Other combination may lead to malfunctions of
the entire system.
WCP
6.9.1 Configuration
1. Go to Devices view, select New Device action and select Web Clocking Portal device type.
Continue by selecting Next button.
Advice: Since WCP is communicating with Space API, only one WCP device can be
configured in the system.
2. Edit the Name, ID, Description and Area parameter if needed and continue by selecting
Create device button.
ID is very important and must be mapped to the virtual reader configuration found in
Device Communicator configuration file. So for every location, a new reader must be
added to the WCP device in DAP.
Set User Interface parameter to Custom.
4. Edit the user interface settings and update the configuration if needed.
Events definition
5. The Time&Space part of the WCP integration is mostly covered by the Device Communicator
component. Make sure that Space API and SpaceAPI Authentication token are properly set.
6. Select Enable connection button to start up the communication with the device.
Create a certificate request and send that request to a known certificate authority (CA) or
Create a self-signed certificate.
Log on to the Web server computer as an administrator.
Select server node in the tree view and open Server Certificates option.
Self-Signed Certificate
2. Add a new Secure Sockets Layer (SSL) server certificate binding and the corresponding
client certificate policies for an IP address and port. First, open the certificate details and copy
the thumbprint information.
Certificate details
3. Update WCP communication port and thumbprint parameters and execute the following
statement in the Command Prompt:
netsh http add sslcert ipport=0.0.0.0:<WCP communication port> certhash=<thumbprint> appid={00000000-0000-0000-0000-000000000000}
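The certificate binding step from the SFC, MATT and WCP HTTPS procedures above, as an added PowerShell example that is not part of the original manual. The function names are hypothetical; it assumes an elevated session and that the certificate is already in the LocalMachine\My store.

```powershell
# Added example: validate the copied thumbprint and the certificate before
# binding it to the device communication port. Function names are hypothetical.
function ConvertTo-CleanThumbprint {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Text copied from the certificate details dialog can carry spaces and
    # invisible Unicode marks; keep hex digits only.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected a 40-character SHA-1 thumbprint, got $($clean.Length) characters."
    }
    $clean
}

function Add-DeviceSslBinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidateRange(1, 65535)][int]$Port,
        [Parameter(Mandatory)][string]$Thumbprint,
        [guid]$AppId = [guid]::Empty      # the all-zero appid used in the manual
    )
    $hash = ConvertTo-CleanThumbprint -Thumbprint $Thumbprint

    # Refuse to bind a certificate that the listener could not actually use.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $hash }
    if (-not $cert) {
        throw "Certificate $hash was not found in LocalMachine\My."
    }
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $hash has no private key on this machine."
    }
    if ($cert.NotAfter -le (Get-Date)) {
        throw "Certificate $hash expired on $($cert.NotAfter)."
    }

    # Build the arguments as plain strings; an unquoted {guid} would be parsed
    # by PowerShell as a script block instead of being passed to netsh.
    $ipPort   = "0.0.0.0:$Port"
    $appIdArg = 'appid={' + $AppId.ToString() + '}'

    & netsh http add sslcert "ipport=$ipPort" "certhash=$hash" $appIdArg
    if ($LASTEXITCODE -ne 0) {
        throw "netsh http add sslcert failed with exit code $LASTEXITCODE."
    }

    # Show the resulting binding so the hash and port can be checked.
    & netsh http show sslcert "ipport=$ipPort"
}

# Usage, with the default ports named in the manual (4449 for SFC, 4443 for MATT):
# Add-DeviceSslBinding -Port 4449 -Thumbprint '<thumbprint>'
```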
Login page
Note: User account needs Web Clocking Portal privilege in order to access the
application.
After successful login, the application displays the list of available events for registration for a
specific location. Registration of an event is done by selecting the radio button in front of it
and applying Clock now button.
Note: The list of events can be changed on reader's interface. Events which are not used
on the daily level can be hidden in the combo list.
When you register an event, a new screen with the following information is shown: