EFTA01225578

SOFTWARE HOUSE From Tyco Security Products C•CURE 9000 Version 2.50 Enterprise Architecture Guide REVISION HO um-252 HO EFTA01225578 C•CURE and Software House are registered trademarks of Tyco Security Products. The trademarks, logos, and service marks displayed on this document are registered in the United States [or other countries]. Any misuse of the trademarks is strictly prohibited and Tyco Security Products will aggressively enforce its intellectual property rights to the fullest extent of the law, including pursuit of criminal prosecution wherever necessary. MI trademarks not owned by Tyco Security Products are the property of their respective owners, and are used with permission or allowed under applicable laws. Product offerings and specifications are subject to change without notice. Actual products may vary from photos. Not all products include all features. Availability varies by region; contact your regional sales manager. Software version: 2.50 Document Number: UM-252 Revision Number: HO Release Date: December 2015 This manual is proprietary information of Software House. Unauthorized reproduction of any portion of this manual is prohibited. The material in this manual is for information purposes only. It is subject to change without notice. Software House assumes no responsibility for incorrect information this manual may contain. © 2015 Tyco Security Products. MI rights reserved. EFTA01225579 Table of Contents Preface 9 How to Use this Manual 10 Finding More Information 12 Conventions 13 Software House Customer Support Center 14 Chapter 1 - Application Server Overview 15 Introduction 16 Understanding The Enterprise Environment 18 Multi-version Support 19 Multi-version Server Synchronization 21 Multi-version Client Support 21 Multi-version Impact on Integrations 25 Using the Administration Client from the MAS 26 Setting the Application Server Interactive 29 Navigation Pane 30 Templates for Object Creation 30 Hardware Tree and Video Trees 30 Advanced Query Tab 31 Using the Administration Client from a SAS 31 Enterprise Architecture Capabilities Summary 32 Licensing 36 ML M2, M3, M4, M5 License Versions 36 Satellite Application Servers (SAS) 36 Validation 37 Chapter 2 - Application Server Architecture 41 Architecture Overview 42 Objects in the Enterprise Architecture 43 Typical Configuration 44 Editing Objects that Reside on a Different Server 45 Editing a SAS Local Object from the MAS 45 C•CURE 9000 Enterprise Architecture Guide 3 EFTA01225580 Server Synchronization 47 Synchronization Results 49 Chapter 3 - Configuring an Enterprise Architecture 51 Setting Up an Enterprise Architecture .52 Privileges in Enterprise Architecture 53 System All Global Privilege 53 Access to Global Common Objects 54 Access to Common Objects 54 Client Access Privileges 56 Operators In Enterprise Architecture 58 Privilege Schedules for Operators 58 Operator Application Server Tab 58 Operator Configuration 60 Accessing the Operator Editor 60 Client Configuration 62 Primary Connection to the MAS 62 Primary Connection to a SAS 63 Dynamic Views in Enterprise Architecture 64 Dynamic View Restrictions 64 Holidays in Enterprise Architecture 66 Chapter 4 - Application Server Editor 67 Application Server Dynamic View 68 Viewing a List of Application Servers 70 Application Server Context Menu 72 Application Server Synchronization Conflicts View 74 Synchronization Conflict View from the MAS 74 Synchronization Conflicts View from a SAS 75 Synchronization Conflicts View Definitions 76 Using the Synchronization Conflicts View 77 Synchronization Conflicts Definitions 79 Application Server Editor 87 Application Server Tasks 87 Accessing The Application Server Editor 87 Using the Application Server Editor 88 Application Server General Tab 89 General Tab Definitions 89 Application Server Groups Tab 91 Adding an Application Server to a Group 91 Application Server Synchronization Tab 92 4 C•CURE 9000 Enterprise Architecture Guide EFTA01225581 Audit Log Synchronization 92 Journal Synchronization 92 Synchronization Tab Tasks 92 Application Server Triggers Tab 94 Application Server State Images Tab 97 State Images Tab Definitions 97 Viewing a List of Application Servers 97 Application Server Context Menu 99 Chapter 5 - Partitions in Enterprise Architecture 101 Partition Overview 102 Types of Partitions 102 Objects and Partitioning 104 Moving Objects to Another Partition 104 Global Only Objects 105 Group Objects 106 Optionally Global Objects 107 Non-Global Objects 109 System Defined Non-Global Objects 110 Editable Intrinsic Local Objects 111 Non-editable Intrinsic Local Objects 112 Non-global MAS Objects 112 Chapter 6 - Personnel in Enterprise Architecture 113 Personnel Overview 114 Configuring Personnel in Enterprise Architecture 115 Global Personnel 117 Global Clearances 119 Assigning Clearances to Personnel from a Dynamic View 119 Global Custom Clearances 120 Custom Clearances and Door/Elevator Groups 120 Removing Expired Custom Clearances from a Personnel Record 120 Disabling Credentials for Inactivity in Enterprise Architecture 121 Editing User-defined Fields in Enterprise Architecture 122 Editing Customer Tab Field Labels 123 Editing C•CURE ID Objects in Enterprise Architecture 124 CHUIDs in an Enterprise 125 Applying CHUID Formats 125 CHUID Templates 125 Handling Credential CHUID Uniqueness Conflicts 125 Query to find Duplicate CHUIDs 126 C•CURE 9000 Enterprise Architecture Guide 5 EFTA01225582 Running a Query for Duplicate CHUIDs in Credentials 127 Personnel Type in Enterprise Architecture 128 Images in Enterprise Architecture 129 Chapter 7 - Hardware in Enterprise Architecture 131 Configuring Hardware in Enterprise Architecture 132 apC Support on a SAS System 134 ISC Controllers are Not Supported on SAS or MAS 134 Chapter 8 - Video in Enterprise Architecture 135 Configuring Video in Enterprise Architecture 136 Chapter 9 - System Variables in Enterprise Architecture 139 System Variables Overview 140 System Variables Dynamic View 141 Personnel Related System Variables 143 Auto Increment Card Number System Variables 143 Disable by Inactivity Enabled and Disable by Inactivity Scan Time System Variables 143 Maximum Clearances Per Person System Variable 143 Maximum Custom Clearances Per Person System Variable 144 PIN Length System Variable 144 Audit/Journal Synchronization System Variables 146 Audit Synchronization System Variable 146 Journal Synchronization System Variable 146 Restarting Drivers When Changing System Variables 147 Chapter 10 - Journal/Audit In Enterprise Architecture 149 Using Journal and Audit Logs in Application Server 150 Synchronizing Log Files 150 Audit Logs 150 Log Management 151 Using System Variables for Synchronization 151 Using an Event to Manually Synchronize Log Files 151 Journal Messages 153 Journal Triggers in an Enterprise 153 Chapter 11 - Central Reporting in Enterprise Architecture 155 Central Reporting 156 Retrieving Enterprise Data 156 Pre-configured Reports 156 Operator Privileges 157 The Reports Dynamic View 157 8 C•CURE 9000 Enterprise Architecture Guide EFTA01225583 Chapter 12 - Central Management in Enterprise Architecture 159 Central Management Overview 160 Central Administration 161 Features: 161 Capabilities: 161 Master Database 161 Application Layouts 162 Default Server 162 Creating Views for Central Monitoring Operators 162 Action Constraints 163 Setting Application Servers Interactive 164 Setting a Server Interactive from the Administration Station 164 Setting a Server Interactive from the Monitoring Station 165 Central Monitoring Station 166 Central Monitoring Overview 166 Features 166 Operator Privileges 166 Master Database 166 Application Layouts 166 Capabilities 167 Receiving Activity Messages 167 Receiving Event Messages 167 Viewing Swipe and Show Activity 167 Central Monitoring Explorer Bar 168 Selecting Objects 169 Components 169 Central Monitoring and Privileges 170 Operator Access 170 Central Monitoring and Actions 171 Using Context Menu Actions 171 Central Monitoring - Performing Manual Actions 171 Chapter 13 - Enterprise Architecture Backup and Restore 173 Back Up and Restore for C•CURE 9000 in an Enterprise System 174 How Synchronization Interacts with Backup and Restore 174 Re-Synchronizing Servers after a Database Restore from Backup 175 Chapter 14 - Import and Export in an Enterprise 177 Importing Data in Enterprise Architecture 178 Import Watcher in the Enterprise Architecture 178 Exporting Data in Enterprise Architecture 178 C•CURE 9000 Enterprise Architecture Guide 7 EFTA01225584 Appendix A - Enterprise Architecture FAQ 179 Enterprise Architecture FAQ 180 Index 187 8 C•CURE 9000 Enterprise Architecture Guide EFTA01225585 Preface The C•CURE 9000 Enterprise Architecture Guide is for new and experienced security system users who want to learn to use this product for the C•CURE 9000 Security Management System. In this preface How to Use this Manual 10 Finding More Information 12 Conventions 13 Software House Customer Support Center 14 C•CURE 9000 Enterprise Architecture Guide Preface 9 EFTA01225586 How to Use this Manual How to Use this Manual This manual contains chapters that provide the following information about C•CURE Application Server. Chapter 1: Application Server Overview This chapter introduces the Enterprise Architecture option, explaining its concept, structure, features, and capabilities. Chapter 2: Application Server Architecture This chapter outlines the Enterprise Architecture configurations and the concept of synchronization. Chapter 3: Configuring an Enterprise Architecture This chapter explains how to configure the Enterprise Architecture. Chapter 4: Application Server Editor This chapter describes the Application Server editor. Chapter 5: Partitions in Enterprise Architecture This chapter describes the use of Partitions in a Enterprise Architecture. Chapter 6: Personnel in Enterprise Architecture This chapter explains how Personnel is managed in Enterprise Architecture. Chapter 7: Hardware in Enterprise Architecture This chapter explains how access control hardware is configured and managed in an Enterprise environment. Chapter 8: Video in Enterprise Architecture This chapter explains how video security hardware is configured and managed in an Enterprise environment. Chapter 9: System Variables in Enterprise Architecture This chapter outlines the use of system variables in an Enterprise Architecture. 10 Preface C•CURE 9000 Enterprise Architecture Guide EFTA01225587 How to Use this Manual Chapter 10: Journal/Audit In Enterprise Architecture This chapter explains the Journal and Audit capabilities in the Enterprise Architecture. Chapter 11: Central Reporting in Enterprise Architecture This chapter describes the central reporting capability of the Enterprise Architecture. Chapter 12: Central Management in Enterprise Architecture This chapter explains how to perform central monitoring in an Enterprise Architecture. Chapter 13: Enterprise Architecture Backup and Restore This chapter describes the backup and restore capabilities of Enterprise Architecture. Chapter 14: Import and Export in an Enterprise 'Ibis chapter describes the Import and Export capabilities of Enterprise Architecture. Appendix A: Enterprise Architecture FAQ This appendix provides questions and answers about the Enterprise Architecture. C•CURE 9000 Enterprise Architecture Guide Preface 11 EFTA01225588 Finding More Information Finding More Information You can access C•CURE 9000 manuals and online Help for more information about C•CURE 9000. Manuals C•CURE 9000 software manuals are available in Adobe PDF format on the C•CURE 9000 DVD. You can access the manuals if you copy the appropriate PDF files from the C•CURE 9000 Installation DVD English \ Manuals folder. The available C•CURE 9000 and Software House manuals are listed in the C• CURE 9000 Installation and Upgrade Guide, and appear as hyperlinks in the online.pdf file on the C•CURE 9000 DVD English \ Manuals folder. These manuals are also available from the Software House Member Center website Online Help You can access C•CURE 9000 Help by pressing Fl or clicking Help from the menu bar in the Administration/Monitoring Station applications. 12 Preface C•CURE 9000 Enterprise Architecture Guide EFTA01225589 Conventions Conventions This manual uses the f >Bowing text formats and symbols. Convention Meaning Bold This font indicates screen elements, and also indicateswhen you should take a direct action in a procedure. Bold font describes one of the following items: • A command or character to type, or • A button or option on the screen to press, or • A key on the keyboard to press • A screen element or name blue color text Indicates a hyper link to a URL. or a cross-reference to a hgure. table. or section in this guide. Regularitak !oaf Indicates a new term. <text> Indicates a variable. The following items are used to indicate important information. Indicates a note. Notes call attention to any item of information that may be of special importance. NOTE Indicates an alternate method of performing a task. TIP 0 Indicates a caution. A caution contains information essential to avoid damage to the system. A caution can pertain to hardware or software. Indicates a warning. A warning contains information that advises users that failure to avoid a specific action could result in physical harm to the user or to the hardware. STOP Indicates a danger. A danger contains information that users must know to avoid death or serious injury. C•CURE 9000 Enterprise Architecture Guide Preface 13 EFTA01225590 Software House Customer Support Center Software House Customer Support Center Telephone Technical Support During the period of the Agreement, the following guidelines apply: • Software House accepts service calls only from employees of the Systems integrator of Record for the installation associated with the support inquiry. Before Calling Ensure that you: • Are the Dealer of record for this account. • Are certified by Software House for this product. • Have a valid license and current Software Support Agreement (SSA) for the system. • Have your system serial number available. • Have your certification number available. Hours Normal Support Hours Monday through Friday. 8O0IMI. to 8:00 . EST. Except holidays. Emergency Support Hours 24 hours/day, seven days a week. 365 days/year. Requires Enhanced SW? x2r Standby Telephone Support (emergency) provided to Certified Technicians. For allother customers. billable on time and materials basis. Minimum charges appty- See MSRP. Phone For telephone support contact numbers for all regions. see 14 Preface C•CURE 9000 Enterprise Architecture Guide EFTA01225591 Application Server Overview This chapter introduces the Enterprise Architecture option and explains how C•CURE 9000 servers operate in an enterprise environment. In this chapter Introduction 16 Understanding The Enterprise Environment 18 Multi-version Support 19 Using the Administration Client from the MAS 26 Licensing 36 C•CURE 9000 Enterprise Architecture Guide Chapter1 15 EFTA01225592 Introduction Introduction The C•CURE 9000 Enterprise Architecture is a licensable option that allows you to configure multiple C•CURE 9000 servers to communicate with a Master Application Server. The Master Application Server (MAS) provide a platform for global management of the Personnel, Video, and access security objects on two or more Satellite Application Servers (SAS) in an enterprise. Figure 1: Basic Configuration: One MAS and Two SAS Systems CCURE 9000 Mow Am:so:won Server thiAS) For Control Monitoring Central Reporting Global Managemerl tin PC (MAS) Satellite APPItcation Szietite Apprication Server 1 Server 2 Client PC -SAS Client PC -31152 O STAR Video Video Ccradlet Server S•ne( The Enterprise Architecture works by synchronizing each SAS system's database with the MAS database. The Master (MAS) contains the global data that is used across every server, such as global Personnel records, global clearance, and global Operators. The global data is synchronized to each SAS so that it can be used to implement enterprise- wide security. The MAS itself does not have any directly connected controllers or video servers, but it can be used to remotely monitor and manage controllers and video servers attached to SAS's in the enterprise. See Typical Configuration on Page 44 for more information. The MAS provide the capability for Central Monitoring of the entire enterprise, using the C•CURE 9000 Monitoring Station application. From a central Monitoring Station connected to the MAS, you can view Events, Activities, and status on every SAS in the enterprise. Alternatively, you can connect to a particular SAS to monitor that system and its connected hardware. See Central Monitoring Station on Page 166 for more information. In addition, the MAS provide a Central Reporting capability, because its database include information about all objects that are replicated from the satellite servers. See Central Reporting on Page 156 for more information. Each Satellite (SAS) server contains database records for the video and access security hardware connected to it, as well as local personnel, clearance, privilege, and other data. Each SAS synchronize with the Master so that SAS local data is replicated to the MAS for central management and monitoring. 16 Chapter1 C•CURE 9000 Enterprise Architecture Guide EFTA01225593 Introduction MI data is synchronized immediately when saved (or queued if a server is offline), except for Journal and Audit data, which is synchronized on a configurable schedule. Network latency and load on the MAS and SAS databases can effect synchronization performance. Operator Privileges are used to provide system users with exactly the information they need, and deny access to information they do not need or should not be able to view. These capabilities let you deploy multiple C•CURE 9000 servers in an enterprise environment, solving scalability and wide area network issues and providing a platform for central monitoring, global management, and central reporting. Starting with a baseline of version 2.40 Service Pack 2, the MAS and each SAS in an Enterprise can be NOTE running different versions of C•CURE 9000, as long as the MAS installed version is equal to or later than the SAS version on each server. If the MAS uses version 2.50, then each SAS must use either version 2.40 Service Pack 2 or version 2.50. C•CURE 9000 Enterprise Architecture Guide Chapter 1 17 EFTA01225594 Understanding The Enterprise Environment Understanding The Enterprise Environment The Enterprise Architecture provides an administrator with the ability to view and manage all aspects of access control and video security from one application - the Administration Workstation attached to the MAS. From this vantage point, you can: • View and edit all Personnel, Credentials, and Clearances. • Configure and manage all access control hardware. • Configure and manage all video security hardware. • Create Queries and Reports that can summarize data from every server in the Enterprise, or from a limited subset of data based on a Query you construct. (Status values are not synchronized from SAS to MAS, so reports on the MAS cannot provide the latest status values.) Using the Administration Client from the MAS on Page 26 explains how a client application attached to the MAS provides the ability to choose whether to view and manage the entire enterprise or to view and manage a specific SAS system from a central location. Using the Administration Client from a SAS on Page 31 explains how a client application attached to a SAS differs in scope but provides the ability to configure Global and local objects from the SAS. The Enterprise Architecture also provides the ability to perform Central Monitoring from a Monitoring Station client application attached to the MAS. See Central Monitoring Station on Page 166. You can create and run Centralized Reports from a client application attached to the MAS. See Central Reporting on Page 156 18 Chapter 1 C•CURE 9000 Enterprise Architecture Guide EFTA01225595 Multi-ver SC 71 Support Multi-version Support For an established Enterprise consisting of a MAS and one or more SAS systems, upgrading to a new version of C•CURE 9000 is a large and potentially formidable task. Previously, the MAS needed to be upgraded first, and then each SAS would be upgraded one-by-one, without any ability to connect to the MAS previous to their upgrade. For a large Enterprise this could mean that some SAS systems would be out of contact with the MAS for a considerable time. To overcome this problem, C•CURE 9000 is providing Multi-version support - the ability for SAS systems not yet upgraded to the version the MAS is running to connect to the MAS, synchronize records, identify conflicts, and attach clients to the MAS to configure and monitor the Enterprise. From the MAS perspective, a Global Operator has the ability to attach to both upgraded and non-upgraded SAS systems, with some limitations due to the version differences. The Multi-version process begins with an Enterprise where the MAS and every SAS is currently at the same version, and the MAS is upgraded. Therefore, only two versions of C•CURE 9000 can be involved: ■ The new version to which the MAS has been upgraded ■ The previous version at which all SAS systems were operating. If an Enterprise currently has a MAS at one version and SAS systems with differing versions, it is necessary to update all SAS systems to be at the same version as the MAS to establish a common baseline, prior to beginning to upgrade the MAS to take advantage of Multi-version support. The intention still is to proceed with upgrading every SAS to match the new MAS version. The difference is that until that point, all the SAS systems can participate in the Enterprise, within version-specific limitations. To enable upgraded clients to communicate with previous version SAS systems, during the upgrade a copy is made of the C•CURE 9000 client applications from the previous version so that these applications can be launched when needed if the upgraded client detects it is running in a Multi-version Enterprise. Example: If a Global Operator on the MAS opens the Monitoring Station, and that Operator is currently interactive with SAS systems that have been upgraded and some SAS systems that have not been upgraded, separate Monitoring Station windows open: ■ The current upgraded version of the Monitoring Stations is opened for upgraded SAS systems that are interactive. ■ The previous version of the Monitoring Station is opened for SAS systems that have not been upgraded and are interactive. C•CURE 9000 Enterprise Architecture Guide Chapter 1 19 EFTA01225596 Alulleverson Support Figure 2: Multi-version Client Example C•CURE 9000 Master Aophcauco Server (MAS) Satellite Appica:o-, Server 2 VIOUS SION Previous Version Monitoring Station See the C•CURE 9000 Release Notes for the upgrade version to determine the previous versions that are supported for Multi-version in a given release. The following table summarizes the capabilities provided by Multi-version support. 20 Chapter! C•CURE 9000 Enterprise Architecture Guide EFTA01225597 Multi-version Support Table 1: Multi-version Support Capabilities Summary Category Effects Multi-version Server Synchronization occurs between the upgraded MAS and alprevious version SAS systems, but data differences Synchronization resulting from the upgrade are not synchronized. When a SAS is upgraded, the MAS and SAS re-synchronize to take care of any data not previously synchronized. See Multi-version Server Synchronization on Page 21. See Table 2 on Page 22 for detals on the supported connections and limitations. Mutti-verson Client Client applications that are upgraded can attach to upgraded MAS and SAS, but have limftations in communicating Support with previous version SAS systems. Client applications that are not upgraded are limited to connecting to previous version SAS systems, with limitations. See Mutti-version Client Support on Page 21. Mutti-verson Integration A previous version Integration that Is not enterprise-aware wilcontinue to operate with a previous version SAS, but Impact not with an upgraded MAS or SAS. An upgraded Integration wal only work correctly with an upgraded SAS, because the Integration's instaler wilnot retain the previous version of the integration to launch when communicating with a previous version SAS. See Multi-version Impact on Integrations on Page 25. Mufti-version Server Synchronization Multi-version Support changes the way that data is synchronized between the MAS and each SAS in two respects: ■ Synchronization is allowed to occur if the SAS version of C•CURE 9000 is different from the MAS version. However data differences resulting from the MAS upgrade are not synchronized (these differences are flagged in the database, however, so that they can be synchronized at a later time). ■ When the SAS is upgraded to match the MAS version, the MAS and SAS re-synchronize to take care of any data not previously included in the Multi-version synchronization. The status of Multi-version synchronization for an Enterprise is summarized on the Application Server Dynamic View on Page 68, so that you can readily determine the Multi-version synchronization status between a SAS and the MAS, or between the MAS and all SAS systems. Multi-version Client Support The way a client application behaves in the Multi-version Enterprise depends upon the server(s) to which the client application connects. When you launch a client application in a Multi-version environment, a message box is displayed to tell you how the client is affected by operating in that Multi-version environment. Example: You launch an upgraded Monitoring Station client that connects to the MAS. The following message appears to let you know you are operating in a Multi-version Enterprise: You are running this dient while your Enterprise is in the process of upgrading. The dientfimdionality is limited to performing tasks on objects owned by servers that match your version of the client. As a result, the 'Default Server' and C•CURE 9000 Enterprise Architecture Guide Chapter! 21 EFTA01225598 Mufti-version Support 'Read Data from' server lists only contain servers that are compatible with your dient. Where applicable, Right-click menus are disabled for objects owned by incompatible servers. When running the Monitoring Station (MS), the upgraded MS automatically starts the previous version of the MS so that you can monitor newly both upgraded servers and ones that haven't been upgraded yet. Each version of the MS is limited to loading Application layouts that reference compatible servers. If your Monitoring Station client was configured to be interactive with both upgraded and previous version SAS systems, your upgraded Monitoring Station client displays information from the upgraded SAS systems, and launches a previous version of the Monitoring Station to display information from any interactive previous version SAS systems. Table 2 on Page 22 below applies to remote clients - a client application on one system connecting to a C•CURE 9000 server on a different system. A local client residing on a server is assumed to be connecting to its local server using the same version between client and server. Table 2: Client Support ha Multl-Version Environment Client Connect to: Supported? Details Previous Previous Supported Connected to a previous version SAS. the user cannot edit Global ohpects. with the exception version version SAS with of adding and removing PersonnelClearances. tvlonrtoring (with restrictions If the user attemptstodouble-chckon a Global °Died the following status message isdisplayed Station Upgraded asa bubble from the Administration client ton in the Notification area (lower right corner) of Client MAS in the the display: Enterprise) You aro running in a Multi-Version environment and the object that you have selected is incompatible with this version of the client. Previous Previous Supported Connected to a previous version SAS. the user cannot edit Global objects. with the exception version version SAS with of adding and removing Personnel Clearances. Admin (with restrictions The previous version Admin client limits the user to selecting partitions owned by the SAS Client Upgraded server in the 'New Object' drop down list. NIAS in the Enterprise) This restriction results in the 'right-click' context menu being disabled for all Global objects except Personnel obscts and then by further restricting the supported commands to Assign Clearances and Remove Clearances . If the user attempts to double-click on a Global ObjeCt the following status message isdisplayed asa bubble from the Administration client ton in the Notification area (lower right corner) of the display: You aro running in a Multi-Version environment and the object that you have selected is incompatible with this version of the dent. 22 Chapter 1 C•CURE 9000 Enterprise Architecture Guide EFTA01225599 Multi-version Support Table 2: Client Support in a Mufti-Version Environment (continued) Client Connect to: Supported? Details Previous Upgraded Supported The Monitoring Station only loads Application Layouts belonging to servers that match its version MAS (with with version. Monitoring Multi-version restrictions If a Monitoring Station hasApplication Layouts that can be interactive with both upgraded and Station SAS systems in previous version servers, the layouts are onty interactive with compatible (previous version) the Enterprise) SefVers. The Monitoring Station does not allow the user to select an incompatible (upgraded) server in the Read Data fromdrop-down list. The drop-down list will onty show compatible servers. The Monitoring Station only shows Events and Activities associated with objects that belong to servers that haven't been upgraded. If the user selects a Global object in a Dynamic View, the following message is displayed as a bubble from the Administration client icon in the Notification area (lower right corner) of the display: You are runningin a Multi-Version environment and the object that you have selected is incompatible with this version of the chant. If the Monitoring Station determines if there are no compatible Application Layouts avalable or no compatible interactive servers, the following message is displayed: Youarorunningthisclient while your Enterpriseisin the process of upgrading and the Monitoring Station that you haveLaunchedis/knifed to connecting with upgraded servers. As a result. this dent is attempting toload a Monitoring Station that is compatible with the remaining servers that haven't been upgraded. Unfortunately. this operator isn't globaland/or there aren't anycompatibki application layouts assigned to this operator. A compatiblelayout is one that belongs to a server that hasn't been upgraded and has been assigned to the operator or has been set to 'Interactive'. To rectify. pleaselogin using a globaloperator and assign compatiblelayouts to the operator or make the compatible servers interactive with this operator. The client willnow terminate. Previous Upgraded Not The Administration client cannot connect to the upgraded MAS. A message is displayed: version MAS (with Supported The server that you are connecting to has been upgraded anc!isnot available untilyou Admin Multi-version upgrade this client to a compatible version. Client SAS systems in the Enterprise) Previous Upgraded SAS Not Message Displayed: Version Supported The server that you are connecting to has been upgraded andis not available anti/you Monitoring upgrade this client to a compatible version. Station Previous Up-graded SAS Not Message Displayed: Version Supported The server that you are connecting to has been upgraded and isnot available untidy/au Admin upgrade this client to a compatible version. Client C•CURE 9000 Enterprise Architecture Guide Chapter 1 23 EFTA01225600 Table 2: Client Support in a Multi-Version Environment (continued) Client Connect to: Supported? Details Upgraded Upgraded Supported. Launches a current version Monitoring Station to interact with upgraded MAS/SAS systems. Monitoring MAS (with Launches a previousversion Monitoring Station to interact with previousversion SAS systems Station Mutti-version in a Multi-version Enterprise. SAS systems in the Enterprise) The upgraded Monitoring Station does not allow the user to Right-click on objects that are owned by previous version servers. The upgraded Monitoring Station does not allow the user to select a server in the Read Data from drop-down that doesni match the version of the client. Incompatible (not-upgraded) servers are not listed. The upgraded Monitoring Station only shows Events and Activities associated with objects that belong to servers that have been upgraded. Upgraded Upgraded Supported The upgraded Administration client limits the user to selecting compatible servers in Eno Read Admin MAS (with with Data fromdrop-down list. Incompatible (not-upgraded) servers are not listed. Client Mutti-version Restrictions The upgraded Administration client limits the user to selecting compatible servers in the SAS systems in Default Server drop down list. Incompatible servers are not listed. the Enterprise) The upgraded Administration client limits the objects that the user can Right-click on to those objects residing in Partitions that are owned by compatible servers. This restriction results in the right-click context menu being disabled for incompatible objects. If the user attempts to double-click on an incompatible object, the following status message is displayed as a bubble from the Administration client icon in the Notification area (lower right corner) of the display: You are running in a Multi-Version environment and the object that you have selected is incompatible with this version of the client. Upgraded Previous Not Displays the message: Monitoring version MAS or Supported. The server Maryou have selected has mot been upgraded and is not available. Station SAS The program then terminates. Upgraded Previous Not Displays the message: Admin version MAS or Supported Theserver* that you have selected has not been upgraded anti iS net available. Client SAS The program then terminates. Upgraded Upgraded SAS Supported No Limitations. Admin client Upgraded Upgraded SAS Supported No Limitations. Monitoring Station 24 Chapter 1 C•CURE 9000 Enterprise Architecture Guide EFTA01225601 Multi-version Support Table 2: Client Support in a Multi-Version Environment (continued) Client Connect to: Supported? Details Upgraded Upgraded Limited When the Web Client connects to the MAS, the user won't be able to edit Personnel objects Web MAS or SAS Support that belong to a SAS that hasn't been upgraded. Consequently, the Edit. Add. Delete and Client (with Mutti- Assign Clearance buttons for these objects are all disabled when the user selects these version objects. SAS systems in When the Web Client connects to a SAS, the user has unrestricted access to Personnel the Enterprise) objects belonging to partibons owned by the, SAS but is restricted to assigning Clearances to Global objects. Thus, the Edit. Add and Delete buttons are disabled when the user selects a Global Object. The following message isdisplayed: You are running this client white your Enterpriseisin the process of upgrading. This client functionality is limited to performing tasks on objects owned by compatible servers. As a result, you'll&be restricted to editing objects that are compatible with the current version of this Web Client. Previous Upgraded Not The the following message isdisplayed, and the user is logged out after 10 seconds: version MAS or SAS Supported You are running thisclient white your Enterpriseisin the process of upgrading. Web unfortunately this version of the Web Client is not compatible with the version of the Client server to which you have connected. The client w01automatics*be fogged out. Multi-version Impact on Integrations Most if not all Integrations are not enabled to take advantage of Multi-version support. If you install an updated version of an Integration on an updated SAS, it will work correctly with that SAS. If you upgrade or patch an integration on a SAS client while you have a Multi-Version environment, the update or patch will only affect the newly installed client and no longer affect the old client, since the integration's installer won't be Multi-Version aware. This will result in the integration working in the new client but not working with the old client. C•CURE 9000 Enterprise Architecture Guide Chapter! 25 EFTA01225602 Using the Administration Client from the MAS Using the Administration Client from the MAS When you are using the Administration and Monitoring application on the MAS, you have a Server Options pane that allows you to choose your vantage point for viewing and managing objects in the enterprise by selecting your Default Server and your New Object Partition. Selecting a Default Server The Default Server you select is the server that the Administration or Monitoring application uses as a source for any dynamic views you open. The Default Server drop-down list shows each of the servers in the Enterprise by system name. The MAS server name is indicated by an asterisk (*). Figure 3: Default Server Selection on the MAS 7C•CURE 9000 - Administration Station (americ Help rver Option Default Server: * 6O52TPubsMAStw • 8O52TPubsMAStw 6O52TWOOD twoodsrvr-2k3 bos2TPubsSA52 bos2TPubsSAS1 1 E BOS2MBROWN L i New • 'Operator JO - This drop-down box allows you to select the server from which to view objects. • If you select the MAS as your vantage point, you can view objects in the Global Partition, the MAS Partitions, and each SAS Partition. • If you select a SAS server in the list as your vantage point, you can view objects in the Global Partition and the Partitions on the SAS you chose. You cannot view Partitions on other SAS servers. Example: If you are a Global Administrator running the Administration application from the MAS, your Default Server is initially the MAS, and if you open a dynamic view of Personnel, you can see all Personnel in the Global Partition, all Personnel on the MAS, and all Personnel on every SAS. 26 Chapter 1 C•CURE 9000 Enterprise Architecture Guide EFTA01225603 Using the Administration Client from the MAS Figure 4: GlobalAdministrator Default Server = MAS• Al Data from MAS and Each SAS is Displayed Reed data from: MAS giant PC (MAS) CCURE 9000 ster Application Server MAS) SAS1 SAS2 S:•S3 If you change your Default Server to a particular SAS in the enterprise and re-open the dynamic view of Personnel (click lasi), your viewpoint will change to read data from that SAS, and you can see only the Global Personnel and the Personnel in Partitions that exist on that SAS. C•CURE 9000 Enterprise Architecture Guide Chapter! 27 EFTA01225604 Using the Administration Client from the MAS Figure 5: GlobalAdministrator Default Server = SAS2 - Ony Data from SAS and Global Partition *Displayed Read de:a from SAS 2 Cher: PC (MAS) SA'S 3 Selecting a New Object Partition When you are connected to a MAS as your primary server, you can choose a Partition to be your New Object Partition. This becomes the Partition that objects are created in when you click New in the Configuration pane, the Personnel pane, etc. The Partitions that appear in the drop-down list depend upon the server currently chosen as your Default Server. If you choose the MAS in the Default Server drop-down list, folders visible in the Hardware and Video Imes, and Queries displayed in the Advanced Search pane are not filtered (all available objects replicated to the MAS are displayed). But the only Partitions available for New Object Partition selection are the Global Partition and any Partitions that reside on the MAS. 28 Chapter 1 C•CURE 9000 Enterprise Architecture Guide EFTA01225605 Using the Administration Client from the MAS Figure 6: New Object Partrhon Selection (tent 9000 - Administration Station (amerk Help Server Options a Defauft Sever: le BOS2TPthelk:451w L:j New Ob)ect Patton: I Configuration New • `Operate LI 6.1 If you choose a SAS in the Default Server drop-down list, you can chose from a list showing all local Partitions on the SAS, and the Global Partition, if allowed by Privileges. Reading Data from a Selected Server When you are connected to the MAS, an additional drop-down list called Read Data from is available in the Content Area so that you can choose which MAS/SAS server you want to view data from for a particular Dynamic View. Thus you can display Dynamic Views from different servers in the same Content Pane on the MAS. Figure 7: Reading Data from the MAS Operator List 7 0 Schedule 7, 41 Operator x 1 Views w Woe "It r Thl I—I Sf-, (Read Data from: * BOS2TPubsMAStw (Status values are not available on the MAS) Drag columns to group by here Options and Tools For an Administration client connected to a MAS, the selections in the Options and Tools pane run in the context of that SAS primary connection. When the Options and Tools pane is selected, the Server Options drop-down list is hidden. However, the tools which display a Dynamic View are able to read data from a different server once launched by making a selection in the Read Data from drop-down list.. Setting the Application Server Interactive If your primary connection is the MAS, the Application Server Dynamic View has a selection on the context menu named Set Interactive for SAS systems in the view. If you set a SAS in the view to Interactive, that server sends messages to the MAS Monitoring Station or Administration Client. Setting Application Servers Interactive on Page 164 for more information. C•CURE 9000 Enterprise Architecture Guide Chapter 1 29 EFTA01225606 Using the Administration Client from the MAS Navigation Pane The Type Selection Combo Box, such as in the Configuration Pane, is used to select a class of objects.When the selected server in the menu bar is a SAS, the Data View shows objects which are owned by the SAS, in addition to the Global objects if there are any. The functions of the New button and New Template button are affected by the selection of the Default Server and Partition. There are two cases which depend on whether a local or Global partition is selected. 1. If a local partition is selected, the object is created using data available from the Default Server which owns the selected partition. 2. If the Global partition is selected, the new object is also created and edited using data from the Default Server. But because the Global partition is visible on all servers, a Global object may be created with any Default Server selected. For example, if the Default Server is SAS-A, the New Object Partition is Global and the user creates a new Privilege. In this case the Exception objects which can be added to theP privilege are objects owned by SAS-A and Global objects. If the Operator selects the Personnel pane and creates a new Global Personnel object, the Clearances available for selection are the Clearances owned by SAS-A and Global Clearances. Global objects reside in the MAS Global partition, but you can edit most of these objects from a SAS. Global Only objects can only reside on the MAS in the Global Partition. Currently there is only one such object: CHUID Format. See Editing C•CURE ID Objects in Enterprise Architecture on Page 124 for more information. There are some predefined Global system variables and personnel types which can be edited from a NOTE SAS as well as the MAS. Templates for Object Creation The list of templates available for object creation from the New button depends on the selected Default Server and the New Object Partition. If you select the local Partition then the templates are those which belong to the Default Server and the Global templates. You can only create Local-only object using templates owned by the local server. You can only create Global objects from Global templates. If the Global partition is selected as the 'New Object Partition' then only Global templates are selectable. The rules for using templates for optionally-global objects are detailed in Optionally Global Objects on Page 107. Hardware Tree and Video Trees The Default Server selection determines the set of Folders displayed in the Hardware and Video trees. When a SAS is the Default Server, only the Folders and objects from the SAS are displayed. When the Default Server is the MAS, all Folders from all servers are visible in the trees. The Hardware and Video Trees will continue to function as in previous versions when the Default Server is a SAS. In order to create an object in the tree, the 'New Object Partition' selected will have to match the Partition of the Folder or parent object. When objects are created or edited in the Hardware and Video panes, the data in the editors for those objects will be from the server which owns the object. The Trees will be refreshed to reflect new objects created on the Default Server, and object deletions. 30 Chapter1 C•CURE 9000 Enterprise Architecture Guide EFTA01225607 Using the Administration Client from the MAS When the Default Server is the MAS, and you create or delete an object from a SAS, it is not displayed until the Tree is refreshed manually, or if the SAS is set to be interactive (see Setting Application Servers Interactive on Page 164). Advanced Query Tab Like other places in the context pane, the Default Server selection will determine the list of queries which are displayed in the advanced query tab. When a SAS is the default server, only the queries from that SAS are displayed. When the default server is the MAS, all queries from all servers are displayed. Using the Administration Client from a SAS When you are using the Administration Application on a SAS, your Server Options pane only allows you to select the Partition in which you can create objects. You cannot choose a Default Server -the SAS to which you are connected is your only Default Server. The selections in this drop-down list are limited to the partitions on the SAS you are connected to, and the Global Partition if you have the appropriate Privileges. Figure 8: New Object Partition on the SAS CCURE 9000 - Administration Station (amell Help Server Options New Object Partition: Default: BOS2MBROWN Configuration N Operator In the Content area, the Read Data From: drop-down list is not available; you can only read data from the perspective of the SAS to which your Admin Application is attached. Figure 9: Reading Data from the SAS Operator x Ei ApplicationLayout Report A Personnel Views • Fief M8 rI—I Thl v c1/4.4) Drag columns to group by here The Default Server selection affects the following: • Limits the set of partitions selectable in the New Object Partition combo box. • Determines what data is displayed in the Display Pane when the Operator clicks the Search Button ti t • Filters the set of Queries displayed in the Advanced search pane to those known by the Default Server. This set is dynamically refreshed. • Filters the set of Folders visible in the Hardware and Video trees. C•CURE 9000 Enterprise Architecture Guide Chapter! 31 EFTA01225608 Using the Administration Client from the MAS If a SAS is selected as the Default Server, then the New Object Partition combo box shows the partitions owned by the selected server and the Global partition. Enterprise Architecture Capabilities Summary The Enterprise Architecture option provides the following capabilities. Global Administration of Personnel Objects Global Personnel - You can create Personnel in the Global Partition that can be used at every SAS in the Enterprise. A cardholder whose record is in the Global Partition can be configured for access at any SAS by assigning a local or Global Clearance to the person. Personnel administration is simplified because cardholders who need access to multiple locations do not need to have separate Personnel records maintained at each server. Global Clearances - Allow you to specify doors and elevators from any SAS for assignment to Personnel, simplifying management of security access to buildings where Personnel require access to facilities across the enterprise. Global CHUIDs - Allow you to use CHUIDs for Personnel across the enterprise. Global Card Formats - Provide Card Formats that can be used on multiple servers. Personnel Types - Allow you to assign Personnel Types to Personnel on any server in the enterprise. Personnel Groups - You can create Personnel Groups that contain Global Personnel. Global Badge Layouts - You can create Badge Layouts that can be assigned to both Global and local Personnel on multiple servers. Global Administration of Security Objects Some objects besides Personnel can be created and administered Globally in Enterprise Architecture. Global Holidays - You can create Global Holidays that can be used on multiple servers. Global Operators - An Operator created in the Global Partition can access both MAS and SAS systems. Global Privileges - A Privilege object that is created in the Global Partition can be assigned to Operators created at any SAS. Needed to control access to Global objects. Centralized Reporting You can create queries and reports on the MAS that can view information across the enterprise. Queries and reports on the MAS can include Global objects and also those local objects that are resident on SAS systems. Instead of running a different report at each server in the enterprise to manage security objects or system activities, you can create a single report at the MAS and collect data from every SAS. (Status values are not synchronized to the MAS, so status reports are not centralized.) See Central Reporting on Page 156. 32 Chapter1 C•CURE 9000 Enterprise Architecture Guide EFTA01225609 Using the Administration Client from the MAS Central Monitoring of Events and Activities across an Enterprise A Monitoring Station connected to the MAS can provide a Central Monitoring capability for every server in the Enterprise Architecture. you can: ■ View Activities and Events from each SAS in the enterprise. ■ Display Swipe and Show activity from multiple SAS servers. ■ View objects in the Explorer Bar from the MAS or from a selected SAS. ■ Perform manual actions on objects that are visible in the Monitoring Stations; for example, you can choose Unlock Door from a Door's context menu, and the action is directed to the correct SAS for the object. See Central Monitoring Station on Page 166. Central Management of Access Card Enrollment By setting up a Smart Card or Proximity enrollment device on an Administration client connected to the MAS, you can perform access card enrollment from a central location for Global Personnel or Personnel on a connected SAS using the Enroll \ Program Smart Card button on the Personnel Badging tab. Central Badging and Photo Imaging You can configure C•CURE 11.) on the MAS and perform Central Badging and Portrait Image capture for Global and local Personnel. You can edit Personnel from the MAS and configure Badge Layouts, Portraits, signatures, and fingerprints. You can also preview and print badges from the Personnel Badging tab or from a Dynamic View of Personnel. Global and Local Operator Privileges Privileges in the Enterprise Architecture environment can be tailored so that Operators on your enterprise systems can have access to all the data they need, and can be denied access to data that they should not access. In essence, Privileges in the Enterprise Architecture have been consistently extended to apply to the MAS and every SAS in the enterprise. An Operator at the MAS can have SYSTEM ALL privileges to the entire enterprise, or can be limited via Privilege to Global or local MAS objects only. An Operator at a SAS can have access to their SAS server's local Partitions and to Global Partition on the MAS, or could be limited to access only a single local Partition. Single Card Access Across an Entire Enterprise Global personnel can be configured to have access to any Door or Elevator in the Enterprise (subject to card formats supported by individual readers). Increased Scalability of Security Hardware and Video Because you can spread the management of security controllers and video servers over multiple SAS systems in an enterprise, each SAS may be positioned close to its relevant field hardware - limiting traffic to the MAS and optimizing performance. C•CURE 9000 Enterprise Architecture Guide Chapter! 33 EFTA01225610 Using the Administration Chent from the MAS End to End Encryption Available (via SQL Database Encryption Options) Microsoft SQL Server 2008 R2 offers advanced database encryption options that can be enabled via SQL to provide additional securi for all our data. For more information see Database Encryption in SQL Server 2008 Enterprise Edition on Support for 40 Satellite Servers For this version of C•CURE 9000, the Enterprise Architecture supports up to 40 SAS servers connected to a single MAS. Automated Synchronization of Enterprise Security Databases Enterprise Architecture uses the Microsoft Synchronization Framework to keep the databases at the MAS and at each SAS synchronized. New Global objects created at the MAS are propagated to each SAS, and local objects created at each SAS are propagated to the MAS. Central Management of Video and Hardware Resources While no access security hardware or video cameras and servers are directly connected to the MAS, an Operator at the MAS can view and edit the configurations of these devices centrally from the MAS, and create Schedule and Holidays that can be used to control how these resources are used. An Administration or Monitoring application connected to the MAS can perform manual actions on Hardware and Video devices connected to SAS servers in the enterprise. Multi-version Support Because the process of upgrading an entire Enterprise can take significant time, The C•CURE 9000 Enterprise Architecture has been designed to support multiple versions of C•CURE 9000 to co-exist in an Enterprise. When upgrading an Enterprise, The MAS must be upgraded first, but each SAS can still connect to the MAS before it is upgraded to the current version, provided certain criteria are met. Complete instructions for upgrading the MAS and each SAS to a new version are provided in the C•CURE 9000 Installation and Upgrade Guide. Remote Editing of Global and Server-specific Data A Global Operator on the MAS can edit objects that reside on the MAS and on any SAS in the system. If the MAS Operator edits a hardware object on a SAS, the object is loaded from the SAS into the appropriate editor on the MAS for editing, and when the Operator saves the object, the object is saved to the SAS where it resides, and is then synchronized to the MAS. If the connection to the SAS fails during the edit, when the MAS Operator tries to save the object, an error is returned and the edit fails. However, if the SAS where the object resides is not available when the edit begins, the object appears as read-only in the object editor on the MAS. 34 Chapter1 C•CURE 9000 Enterprise Architecture Guide EFTA01225611 Using the AdmInistratbe Client from the MAS Similarly, if a SAS Operator edits a Global Partition object, the object data is loaded into the appropriate editor on the SAS for editing, and when the Operator saves the object, the object is saved to the MAS Global PArtition where it resides and then synchronized to each SAS. If the MAS is not available when the edit begins, the object appears as read-only in the object editor on the SAS. If the connection to the MAS fails during the edit, when the SAS Operator tries to save the object, an error is returned and the edit fails. Application Server systems in multiple domains must have domain trusts established in order to NOTE authenticate user requests across servers in the different domains. There are some exceptions and complications to these general rules. More information is provided in Editing Objects that Reside on a Different Server on Page 45. Restrictions on Events in an Enterprise Architecture from caliber (USE-26314) The Enterprise Architecture does not support the activation of Events or other objects across Application Servers. On the Triggers tab of any object (or the Action tab for Events), you can only include trigger objects that reside on the same Application Server as the object to which you are adding the Trigger. The only two object types that exist on the MAS that can trigger object state changes are Events and Data Imports. Their Triggers and Actions are restricted to objects residing on the MAS. Example If you edit an Event that resides on the MAS, in the Event Action tab, any action you create must only target objects that also reside on the MAS. C•CURE 9000 Enterprise Architecture Guide Chapter 1 35 EFTA01225612 La:I/Sing Licensing Ml, M2, M3, M4, M5 License Versions The Enterprise Architecture is a licensable option that needs to be purchased for each application server in the enterprise. Each server has its own software license; client workstations do not need a license, but the server licenses determine how many clients can connect to each server and to the enterprise as a whole. The MAS has dedicated MAS model number licenses. Each SAS has its own license, using the model numbers available for C•CURE 9000 servers. Each SAS license can be for a different model - all SAS systems in an Enterprise do not need to be the same model. Each application server will have it's own local license regardless if it is a MAS or SAS. The metered values will be counted if they are local to the server only. That is, all object change,deletion, and creation will be evaluated for inputs, outputs, readers, and cardholders on the local server and the value limits will be enforced. MI objects in the Global Partition will be ignored by the SAS. MAS licenses do not include inputs, readers, and outputs because access control hardware cannot be connected to the MAS. Master Application Server (MAS) will count: ■ Number of Global Cardholders ■ Number of Clients - that can connect to the MAS ■ Number of Badging Stations - that can connect to the MAS ■ New license option for Application Server environment Table 3: MAS Licenses (Default/Maximum MAS (Master Application Server) MI M2 M3 M4 M5 GlobalCardholders 1.000 10.000 25.000 100.000 250.000 Combined Clients 5/100 5/100 5/100 10/100 10/100 Badging Clients 1/100 1/100 1/100 2/100 2/100 The values are defaults and maximums. MAS Temp License: Yes MAS Eval License or MAS Eval DVD: No Example: You have a MAS M2 license that allows 10,000 Global cardholders and 5 simultaneous clients. You have a SAS with a Series P license that allows 45,000 cardholders and 10 simultaneous clients. An Operator at the SAS Administration station could potentially access 55,000 personnel, with 10,000 in global and 45,000 on the SAS. You could potentially have 5 clients attached to the MAS and 10 different clients attached to the SAS. Satellite Application Servers (SAS) Each Satellite server can utilize a different C•CURE 9000 Model, Series L through Series S; 39 Chapter! C•CURE 9000 Enterprise Architecture Guide EFTA01225613 SiteServer Series A,B,C. ■ Global Cardholder Objects are not counted against the SAS license. ■ New license option for Application Server environment. The license limits for number of objects allowed is counted on the local server's license. Objects in the Global Partition not counted against any SAS license. On the MAS, the cardholders in the Global Partition are counted against the MAS licensed value. Simultaneous clients are measured separately for each MAS/SAS against its licensed capabilities. Because the ISC controllers are not supported in an Enterprise Architecture environment, the NOTE SC server component cannot be licensed if the Application Server license option is enabled, so this service will not be able to start on a MAS or SAS. Validation The type of installation performed on a given C•CURE 9000 server determines what type of licenses can be validated. On a server installed as a MAS: ■ Validates a MAS license: Model M1 - M5 These models will always have the "AppServer" option checked. NOTE ■ Does not validate with any other models -> A, B, C, L through S. On a system installed as a Satellite server. ■ Validates licenses: Model A, B, C, L through S. ■ Validates regardless if the "AppServer" option is on or off. • Off scenario, is for the case when the customer no longer wants their server to be in an AppServer environment. If the AppServer option is now off, we should warn the user that the system will no longer "Replicate" with a Master server because the appserver license option is off. Prompt them if they want to continue or cancel. • If the AppServer option is on, it should continue as a normal SAS. ■ Does not validate with MAS Models: M1-M.5. On a system Installed as a Standalone Server: ■ Validates licenses: Model A, B, C, L through S. If "AppServer'' Option is checked, the license should fail to validate and prompt the user with the cause. Assuming when upgrade, it will prompt the user if they want to upgrade to an AppServer NOTE environment? ■ Does not validate with MAS Models: M1-M5. C•CURE 9000 Enterprise Architecture Guide Chapter 1 37 EFTA01225614 If the license limits are exceeded or the system detects tampering with the database values in the license: ■ The Crossfire Framework Service shuts down and will not restart ■ A message is sent to the System Application Event Log and the C•CURE 9000 Journal The type of installation performed on a given C•CURE 9000 server determines what type of licenses can be validated. • If you install a server as a MAS, only the MAS license types can be validated. • If you install a server as a SAS, only the license types that are valid for a SAS can be validated. The MAS license types will not validate. • If you install a server as a standalone C•CURE 9000, the MAS license types, and any license with the Application Server option enabled, will not validate. If the license limits are exceeded or the system detects tampering with the database values in the license: • The Crossfire Framework Service shuts down and will not restart • A message is sent to the System Application Event Log and the C•CURE 9000 Journal • On a MAS, new Personnel cannot be added and changes to Personnel cannot be saved. Rules All MAS models are configured with the following Options: ■ Application Server ■ Software House Connected Web Service ■ Software House Import Watcher ■ Software House NextGen Client MonitoringStation ■ Software House NextGen Client AdministrationStation ■ CCure9000License ■ NGResEditor ■ WebStar ■ CCUREIDPrintQueueManager ■ WinShell All other Models can be configured with any and all options. The only caveat that the option of Application Server and SC driver are mutually exclusive. License Matrix Matrix of all licenses are in Table 4 on Page 39. 38 Chapter 1 C•CURE 9000 Enterprise Architecture Guide EFTA01225615 Licensing Table 4: Model Matrix (DefauWMaximum Online Online Configured Simultaneous Concurrent Badging Model Online Inputs Outputs Readers Carholders Clients.' Clients DEV 8 8 2 20 3 1 L 1,000 1,000 16 7,000 10/30 1/30 M 1,000 1,000 32 12,000 10/30 1/30 N 1,000 1,000 64 40,000 10/30 1/30 P 5,000/10,000 5,000/10,000 128 45,000 20/256 2/256 Q 5,000/10,000 5,000/10,000 256 250,000 30/256 2/256 R 5,000/10,000 5,000/10,000 512 250,000 40/256 3/256 R+ 7,500/10,000 5,000 1,000 500,000 80/256 5/256 S 10,000 10,000 2,500 500,000 100/256 10/256 MI 0 0 0 1,000 5 1 M2 0 0 0 1,000 5 1 M3 0 0 0 25,000 5 1 M4 0 0 0 100,000 10 2 M5 0 0 0 250,000 10 2 I A client is equivalent to a single Monitc ring Station application, Administration application, or a Web Client. C•CURE 9000 Enterprise Architecture Guide Chapter 1 39 EFTA01225616 Licensing 40 Chapter 1 C•CURE 9000 Enterprise Architecture Guide EFTA01225617 2 Application Server Architecture This chapter provides information about the Application Server Architecture. In this chapter Architecture Overview 42 Objects in the Enterprise Architecture 43 Typical Configuration 44 Editing Objects that Reside on a Different Server 45 Server Synchronization 47 Synchronization Results 49 C•CURE 9000 Enterprise Architecture Guide Chapter 2 41 EFTA01225618 Architecture Overview Architecture Overview The Enterprise Architecture resides on multiple C•CURE 9000 servers, configured in a hub and spoke arrangement, with a Master Application Server as the central hub, and Satellite Application Servers as the spokes. The C•CURE 9000 Enterprise Architecture provide the capability of managing a multi-site location, including: Enterprise Reports and Queries - configuration, Journal, and Audit data from all Satellite Application Servers can be collected in queries and reports. See Central Reporting on Page 156 for more information. Enterprise Monitoring - the Monitoring Station application can perform real-time monitoring of access, activities, events, and status across the entire enterprise. See Central Monitoring Station on Page 166 for more information. Enterprise Personnel Management - Personnel can be defined as local to a single server or global to the entire enterprise. That way, duplication of personnel records is avoided, while still providing the ability to grant appropriate access to Personnel who need to access multiple facilities. See Configuring Personnel in Enterprise Architecture on Page 115 for more information. Enterprise-wide scalability - because the access and video hardware can be distributed over multiple servers, the enterprise system can be configured to manage a greater number of devices across a wider geographic area. For more information, see: ■ Configuring Hardware in Enterprise Architecture on Page 132 ■ Configuring Video in Enterprise Architecture on Page 136 The C•CURE 9000 Enterprise Architecture uses the Microsoft Sync Framework to connect multiple C•CURE 9000 Servers. The Microsoft Sync Framework is a comprehensive synchronization platform enabling collaboration and offline for applications, services and devices with support for any data type, any data store, any transfer protocol, and network topology. See Server Synchronization on Page 47 for more information. The Microsoft Sync Framework allows the C•CURE 9000 Master Application Server (MAS) to aggregate configuration information from multiple Satellite Application Servers (SAS) into a SQL Server 2008 database for central monitoring and reporting. The MAS can also synchronize global data from the central database to each of the satellite servers, so that global personnel who need access to facilities across the enterprise can be centrally administered. Each of the C•CURE 9000 Satellite Application Servers has an independent SQL Server database that contains data for local personnel, access control hardware, and video servers and cameras, as well as global data such as personnel, clearances, and badges. If the Master Application Server is offline, each of the Satellite Application Servers can operate independently, managing their local resources as well as maintaining the ability to administer access control for global personnel. When the Master application server is back online, all data from SAS systems is updated and synchronized with the MAS. Each SAS maintains a log of changes so it can update the MAS when connectivity is restored (the MAS also maintains a change log). However, if the memory limit of the log is reached, that SAS or MAS stops logging, and when connectivity is restored the SAS or MAS that stopped logging cannot automatically update the other systems, and synchronization with the MAS dens not resume. If this occurs, the SAS (or MAS) must be restarted; this causes a full re-synchronization, and from that point on, the SAS and MAS synchronize normally. 42 Chapter 2 C•CURE 9000 Enterprise Architecture Guide EFTA01225619 Objects in the Enterprise Architecture Objects in the Enterprise Architecture Enterprise Architecture objects in C•CURE 9000 are divied into three primary categories: ■ Global Only Objects - are objects that can only reside in the Global Partition. See Global Only Objects on Page 105. ■ Optionally Global Objects - are objects that can reside either in the Global Partition or in a local Partition on the MAS or on a SAS. See Optionally Global Objects on Page 107. ■ Non-global Objects - are object that can only reside in a local Partition; these objects cannot be created in the Global Partition. See Non-Global Objects on Page 109. The following additional categories of objects are handled differently: ■ Group Objects on Page 106. ■ System-defined Not Synchronized Objects on Page 110. ■ Editable Not Synchronized Objects on Page 110. C•CURE 9000 Enterprise Architecture Guide Chapter 2 43 EFTA01225620 Typical Configuration Typical Configuration The Enterprise Architecture uses a central server, called a Master Application Server (MAS), to serve as the focal point of a multiple server configuration. Each of the Satellite Application Servers (SAS) connect to the MAS over a local or wide-area network. The Enterprise Architecture supports one MAS and up to 40 SAS servers in a configuration. The MAS server provides central administration, monitoring, and reporting for all aspects of the C•CURE 9000 Enterprise Architecture. Global Operators at the MAS can view, edit, monitor, and report on all of the objects in the enterprise. Each SAS server provides direct management of security hardware and video components, as well as Global and local Personnel, Schedules, Areas, Intrusion Zones, and Events. The data from each SAS server is synchronized to the MAS so that the master server has access to enterprise wide data. Global data from the MAS is synchronized to each SAS so that the SAS servers have access to that data. Figure 10: Typical Enterprise Architecture Configuration In this configuration, one SAS server controls several Video and Access Control Hardware components, while a second SAS shown has a single Video Server and iSTAR controller to manage a smaller site. As shown, additional SAS servers can be attached to the MAS to manage additional local or remote sites. Client connectivity can be local or remote, or via a C•CURE 9000 Web Client. Both servers and clients can communicate or a local area network or a wide area network. 44 Chapter 2 C•CURE 9000 Enterprise Architecture Guide EFTA01225621 Editing Objects that Reside on a Different Server Editing Objects that Reside on a Different Server In an Enterprise Architecture, there is only one situation where you can edit an object that resides on a different server: You are an Operator on a SAS who is editing an object that resides in the Global Partition at the MAS. See Objects and Partitioning on Page 104 for more information about the types of objects in an enterprise, and the rules for editing these objects: In this case, the object you are editing is visible to you, and editable, but it is actually resident in a Partition on a different server. • Global Only Objects on Page 105 - objects that exist only in the Global Partition on the MAS. • Optionally Global Objects on Page 107 - objects that can reside in the Global Partition on the MAS, but can also be created on a SAS. • Non-Global Objects on Page 109 - objects than can only reside on a single SAS or MAS and are not able to exist in the Global Partition. Editing a Global Object from the SAS if you are creating or editing a record that resides in the Global Partition from a client on a SAS, the changes you make to properties in the record are actually saved on the MAS. However, if the connection to the MAS fails during editing, you will be allowed to open the object's editor, but when you attempt to save the object, the save action fails if the MAS is still unavailable. If the connection to the MAS is unavailable offline when the edit starts, the object will initially be read-only, and the title bar of the Admin client will indicate that the MAS is offline. The one exception is the Personnel editor; the Clearances tab will be available for editing a Global Personnel object from a SAS. If you are editing Clearances (only), your edit is saved at the local SAS even if the MAS is unavailable. As soon as the MAS is available, the changes are synchronized to the MAS. However, if any changes other than Clearance edits are made to the Global Personnel record when the MAS is unavailable, the save action fails. When you are on a SAS and editing a Global object, the object's data is retrieved from the NOTE SAS database, and may not be the most up to date version if the same Global object has been very recently edited. For example, if you save a Global object on a SAS and then immediately open it, you may not see the changes you just made. Editing a SAS Local Object from the MAS Local objects can be directly edited only at the SAS responsible for the Partition in which they reside. However, a Global administrator at the MAS can create or edit a SAS local object remotely if the connection to the SAS is available. If the connection to the SAS fails during editing, the Operator on the MAS receives an error message indicating that their attempt to save changes failed. If the connection to the SAS is unavailable when the edit starts, the object initially is read-only, and the title bar of the Administration client indicates that the SAS is unavailable. C•CURE 9000 Enterprise Architecture Guide Chapter 2 45 EFTA01225622 Editing Objects that Reside on a Different Server If you are on the MAS, you can add an object to a partition owned by a SAS; in that case, the add will be proxied to the SAS. Similarly, if you are on a SAS, you can add an object to the global partition, in that case, the add will be proxied to the MAS. 40 Chapter 2 C•CURE 9000 Enterprise Architecture Guide EFTA01225623 Server Synchronization Server Synchronization Server synchronization is the process by which the servers in an Enterprise Architecture exchange data and keep each of the server databases current. This process also provides a means for the individual SAS systems to operate when they are unable to communicate with the MAS. In the Enterprise Architecture, all servers have Partitions to contain data "owned" by that server. Each server (MAS and SAS) has a Default Partition, and can have additional user-created Partitions. The data residing in a SAS system's local Partitions is natively resident in the local system's database so that local editing functions and control can be maintained if the connection to the MAS is not available. On a MAS default or local Partitions, the data resides on the MAS and is not replicated to the other systems in the Enterprise Architecture. Generally, data manipulation for Partition data is restricted to the Application Server that owns the Partition. However, for many types of objects, an Operator can make use of or edit the object even if the Operator is not on the local SAS or MAS. As long as the target SAS or MAS can be communicated with, the object can be edited remotely and updates are synchronized in real time with the owning server. If the owning server (SAS or MAS) is unavailable, the remote edit operation fails and an error message is displayed to the Operator. See Editing Objects that Reside on a Different Server on Page 45 for more information. "Global" data that is shared among the SAS and MAS servers resides in the Global Partition on the MAS. This data is synchronized to all SAS systems. The exception to the remote editing limitation is that, as long as you are editing on a SAS, you can add or remove Clearance assignments from Personnel even if the person being edited is owned by the MAS and the owning server is unavailable. Example: If you are editing a Global Personnel record at a SAS, and the MAS (where the Global Personnel record resides) is unavailable, you can still assign local or Global Clearances to the person. Your change is saved locally on the SAS and when the MAS becomes available, the change is synchronized. Only Clearance assignments can be changed while the connection to the MAS is unavailable. No other NOTE field in the Personnel record can be changed, or the edit will fail. As a result, Local administrators can maintain their SAS system's data separately from the Enterprise data and regardless of whether the connection to the MAS is present. When the MAS is unavailable, the SAS system looks and acts as if it is a standalone server. Synchronization Process With the exception of Journal and Audit Logs, data changes made at any SAS are synchronized to the MAS in real time. For information, see Journal and Audit Synchronization on Page 48. Local data changes made at the MAS to data in the Global Partition are broadcast to each SAS. Upon receipt of the message, the SAS executes synchronization of the specific object type (and any related objects) to bring that data down locally form the MAS. C•CURE 9000 Enterprise Architecture Guide Chapter 2 47 EFTA01225624 Server Synchroelzatbe At startup, each SAS synchronizes its data with the MAS. The SAS receives Global Partition data from the MAS and sends local Partition data to the MAS. The SAS system must complete the start-up synchronization before it can be completely available to Operators. This process can take a long time (possibly more than an hour) if a large amount of data needs to be synchronized. When a SAS starts up it needs to communicate with the MAS to initialize synchronization. If it is unable to do so (typically because the MAS is down or unreachable), then it starts and runs properly but will not be synchronized with the entire Enterprise system. The SAS indicates that it needs to be restarted once it detects that the MAS is available. Until that restart happens, changes to Global data will not be recognized by the SAS and its connected hardware, and changes to local data will not be recognized by the MAS. If you are restarting your entire enterprise, you should plan it so that the MAS is online when any SAS is restarted. If you are planning a restart of a specific SAS, you should attempt to assure the MAS is available during that restart. If this is not possible, then you will need to restart the SAS again when the MAS is online. If an entire enterprise system is being restarted, it is wise to start one SAS at a time, not progressing to subsequent SAS's until each in turn has started its driver services successfully. This is easiest to determine by watching the Server Configuration utility's Extension Services line, which displays "(Loading)" until the application server has started its drivers. At runtime, the SAS synchronizes any local Partition changes with the MAS. At startup of the MAS, the SAS either sends changes from memory, or if the MAS has been down for a long time and enough changes have occurred, the SAS goes into the synchronization state called RESTART REQUIRED, and requires a restart before any synchronization can occur. All fields are synchronized in the objects being synchronized, with the following exception: fields that contain "real- time" status information (which is updated by the SAS or the driver as the status changes) are not synchronized to the MAS. For this reason, each Dynamic View on the MAS displays the message Status values are not available on the MAS. Users can see status values (and all other values) in Dynamic View for SAS systems that are set to Interactive (see Setting Application Servers Interactive on Page 164). Journal and Audit Synchronization Journal/Audit data from each SAS is synchronized on a scheduled basis. You can set the Schedule for Journal and Audit synchronization for a specific SAS in the Application Server editor for that SAS. See Application Server Synchronization Tab on Page 92. You can also configure an event to be triggered when the synchronization of the Audit or Journal database from the SAS to the MAS fails. For detailed steps, see the Application Server Triggers Tab on Page 94. Application Server Objects The Application Server objects that define the Application Servers themselves (MAS and SAS) are located in the MAS database, and can be viewed in two ways: • Application Server Editor on Page 87 • Application Server Dynamic View on Page 68 48 Chapter 2 C•CURE 9000 Enterprise Architecture Guide EFTA01225625 Synchronization Results Synchronization Results C•CURE 9000 Enterprise Architecture synchronizes changes in objects on the MAS and each SAS so that Operators have accurate and up to date information about objects in the enterprise. Global objects that reside on the MAS are synchronized to each SAS so that they are available for local use, and local objects on each SAS are synchronized to the MAS so that MAS Operators have updated information about objects on each SAS for Central Monitoring and Central Reporting. Whenever changes are made to an object, C•CURE 9000 attempts to synchronize the object (as appropriate) to the MAS and each SAS. During the process of synchronizing records between the MAS and associated SAS systems, certain data conditions can cause synchronization failure for an object (from SAS to MAS or from MAS Global Partition to each SAS). These synchronization conflicts can be caused by database errors or conflicting edits by Operators. Example: An Operator on SAS1 tries to add a Global Clearance to a Personnel record while disconnected from the MAS, but that Clearance on the MAS has been deleted. When a conflict occurs during synchronization, a record is written to a synchronization conflicts table in the database. This table is used to generate a list of conflicts that can be displayed as a Dynamic View. That Dynamic View, called Synchronization Conflicts, is available from the Application Server Dynamic View. The Synchronization Conflicts view allows you to view, search, and filter on the conflicts, and resolve or delete the conflicting records. For more information about using this Dynamic View to find and resolve conflicts that have occurred, see Application Server Synchronization Conflicts View on Page 74. Synchronization Conflict Examples and Resolutions Sometimes you need to take manual steps to resolve synchronization conflicts that occurred as a result of conflicting Operator actions. Example 1: As Global Operator, you decide to move a Personnel record to the Global Partition to make that person available at more than one SAS. However, when the MAS attempts to synchronize that record to each SAS, there is another Personnel record already existing at one SAS that has the same CHUID as the Global Personnel record, and this causes a Synchronization Conflict. To resolve this conflict, you would need to change the CHUID of the Global Personnel record, and save the change to cause synchronization to succeed. Example 2: An Operator on a SAS deletes a local Personnel Type, and at the same time a Global Operator edits a Personnel record on the MAS and adds that Personnel Type to the person. If synchronization is delayed because the MAS is temporarily offline to that SAS, two conflicts occur: Conflict error message generated from the SAS: Personnel Type cannot be deleted because it is referenced by a Personnel record. Conflict error message generated from the MAS: Personnel cannot replicate due to missing Personnel Type. To resolve this conflict, a Global Operator on the MAS should first delete the reference to the Personnel Type in the Personnel record, and then delete the Personnel Type from the list of Personnel Types visible on the MAS C•CURE 9000 Enterprise Architecture Guide Chapter 2 49 EFTA01225626 Synchronization Results (because the deletion of the Personnel Type at the SAS did not synchronize, the deleted Personnel Type will still be visible at the MAS). 50 Chapter 2 C•CURE 9000 Enterprise Architecture Guide EFTA01225627 3 Configuring an Enterprise Architecture This chapter provides information about configuring servers and client applications in an Enterprise Architecture. In this chapter Setting Up an Enterprise Architecture 52 Privileges in Enterprise Architecture 53 Operators In Enterprise Architecture 58 Operator Configuration 60 Client Configuration 62 Dynamic Views in Enterprise Architecture 64 Holidays in Enterprise Architecture 66 C•CURE 9000 Enterprise Architecture Guide Chapter 3 51 EFTA01225628 Selling Up an Enterprise Architecture Setting Up an Enterprise Architecture The following general steps explain how to set up an Enterprise Architecture environment. 1. Prepare the system you will use for a MAS. Refer to the C•CURE 9000 Installation and Upgrade Guide to: ■ Ensure the system meets specifications for processor, memory and disk space. ■ Ensure that a supported operating system is installed. ■ Ensure that a supported version of Microsoft SQL Server is installed. ■ Ensure that the MAS installer's Windows account is configured as a system administrator and a SQL sysadmin. ■ Ensure that you have a C•CURE 9000 License for a MAS. 2. Install C•CURE 9000 as a MAS on the intended system. 3. Make sure that the MAS is running successfully and the Administration client and Monitoring Station client can be accessed. 4. Prepare each system you will use for a SAS. Refer to the C•CURE 9000 Installation and Upgrade Guide to: ■ Ensure the system meets specifications for processor, memory and disk space. ■ Ensure that a supported operating system is installed. ■ Ensure that the SAS installer's windows account is configured as a system administrator on the SAS system and a SQL sysadmin on the MAS. ■ Ensure that the SAS installer's Windows account is configured as a SYSTEM ALL Global Operator on the MAS. ■ Ensure that you have a C•CURE 9000 License for each SAS. ■ If you are upgrading more than one standalone C•CURE 9000 server to a SAS, you need to use the SaToSasMigration Utility (included with C•CURE 9000 version 230 and later) for each standalone system after the first. 5. Install C•CURE 9000 as a SAS on each intended system. 6. Install and configure the security and video hardware on each SAS. 7. Create Global Personnel and Clearances on the MAS. 8. Create local Personnel and Clearances (as needed) on each SAS. 9. Verify that all security hardware, video hardware, and Personnel are correctly synchronized between the MAS and each SAS. 10. Proceed to configure additional objects such as Schedules, Holidays, Badge Layouts, Areas, etc. 11. Make sure to do frequent backups, especially to MAS and SAS after each SAS is added. 52 Chapter 3 C•CURE 9000 Enterprise Architecture Guide EFTA01225629 Privileges in Enterprise Architecture Privileges in Enterprise Architecture The Privilege object is a standard optionally-global object, thus it follows all the rules specified in Rules for Modifying Optionally-Global Objects on Page 107. Privileges can only reference objects in the same Partition in which the privilege exists. This existing property of Privileges prevents global Privileges from containing references to local objects in Partitions other than Global. The Privilege Exceptions tab allows you to create Privilege exceptions, but only objects in the same Partition as the Privilege can be selected as exceptions. The following changes to Privileges are in effect in an Enterprise Architecture: • System MI Global Privilege on Page 53 • System MI Privilege for SAS on Page 53 • System All Privilege for MAS on Page 54 • Access to Global Common Objects on Page 54 • Access to Common Objects on Page 54 System All Global Privilege The System All - Global Privilege exists in the Global Partition, and gives an Operator created in the Global Partition access to all objects in an Application Server environment. An Operator created in the Global Partition and assigned the SYSTEM ALL [Global] Privilege is effectively a Global System Administrator. This Operator has: • Full access to all Global and Local objects on the MAS and SAS servers. • When logged on to a SAS, has full access to all objects replicated to that SAS. • When logged on to the MAS, has full access to all objects in the entire enterprise. Only a Global Operator who has System All Privilege can grant that Privilege to another Operator. An Operator who resides in the Global Partition and is not assigned the SYSTEM ALL [Global] Privilege has more limited Privileges, as assigned by the Privileges they have. System All Privilege for SAS An Operator created in a SAS default Partition with System All Global Privilege (only) has the following abilities and restrictions: • Full access to all Local objects on the SAS. • Read access to Global objects that are accessible to the SAS where the Operator resides. • This Operator is restricted from performing context menu actions on Global objects (such as manual actions and exporting selections), unless assigned additional Privileges. • Has no access to any objects that reside on other SAS servers (therefore not replicated to their SAS). • If this Operator logs on to the MAS, they have exactly the same access to objects (and restrictions) to objects on the MAS as on their SAS. C•CURE 9000 Enterprise Architecture Guide Chapter 3 53 EFTA01225630 Privileges in Enterprise Architecture The SAS owns the SAS default Partition, but does not own the Global Partition or any other partitions that are located externally to the SAS. Therefore, this SAS Operator is able to create and manipulate objects on only this SAS (and in the Global Partition) and cannot view objects on any other SAS in the enterprise. An Operator who resides in a SAS Partition and is not assigned the SYSTEM ALL [Global] Privilege has more limited Privileges, as assigned by the Privileges they have. System All Privilege for MAS An Operator created in the MAS default Partition with System All Global Privilege (only) has the following abilities and restrictions: • Full access to all Local objects on the MAS (objects in Partitions other than Global). • Read access to Global objects that have been added to the MAS where the Operator resides. • This Operator is restricted from performing context menu actions on Global objects (such as manual actions and exporting selections), unless assigned additional Privileges. • Has no access to any objects that reside on any SAS servers. • This Operator can only log on to the MAS. Access to Global Common Objects A new Privilege, Access to global common objects, is available if the Enterprise Architecture option is licensed. This Privilege is similar to the Access to common objects Privilege, but it pertains to the Global Partition. This Privilege is needed because a Privilege can only grant access to objects in the partition in which it resides. When you create a new Operator,you can assign the Access to common objects Privilege and also the Access to global common objects Privilege. When you add the Enterprise Architecture option to a server, the Database Update process that occurs assigns Access to global common objects to all existing Operators. The Privilege is read-only. If you try to edit this Privilege, Save and Close is unavailable. Access to global common objects and Access to common objects differ in several ways: • Access to global common objects does not have a corresponding template created along with it. Because the new Create Copy button is enabled for Privileges, a template is not necessary. • Access to common objects has all references to global objects removed from it. • Access to global common objects resides in the Global Partition, while an Access to common objects Privilege is in the default Partition for each SAS and the MAS. • Access to global common objects contains references allowing read-only access to the following global objects: Application Server, Audit Log, Card Format, CHUID Format, Journal, Partition, Personnel Type, Personnel Views, Privilege, Report Form, Schedule, System Variables, and User-defined Fields. Access to Common Objects The Privilege known as Access to Common Objects has changed so that it is available for each SAS system's default Partition. Table 5 on Page 55 lists the classes and their respective Privileges. All classes are No Access unless 54 Chapter 3 C•CURE 9000 Enterprise Architecture Guide EFTA01225631 Privileges in Enterprise Architecture otherwise specified. Table 5: C Ou utt Privileges Classes of Objects Permissions Application Layout Read. View. Popup view. View in current tab Application Server Read. View. Popup view Audit Log Read Card Format Read CHUID Format Read DynamicViews Read, View, Popup view, View in current tab Images No Access. Exception object for Default Image -Read Journal Read Partition Read Personnel Type Read PersonnelViews Read Privilege Read Query Read. View. Popup view, View in current tab Report Form Read. View. Popup view. View in current tab Schedule Read System Variables Read Floors Read ISC Comm Ports Read CCTV Protocols Read Time Zones Read User-defined Fields Read Mother Objects Read C•CURE 9000 Enterprise Architecture Guide Chapter 3 55 EFTA01225632 Privileges in Enterprise Architecture Client Access Privileges It is important to configure client access Privileges to ensure that your Operators are able to access data they need, and at the same time limit the viewable data. Example: You are the Global administrator for an enterprise that has a MAS and two SAS systems. You are responsible for the overall administration. At each site, there is a local administrator responsible for managing local personnel and hardware and a guard using the Monitoring Station to control access, manage alarms, and perform manual actions. At the MAS there is an assistant administrator responsible for global personnel, central monitoring, and central reporting. In general, Operators who are not granted System MI Privileges need to be assigned Privileges NOTE sufficient to let them work in an enterprise environment. Typically this means that they need Access to common objects for their Partition, and Access to global common objects. Also, each Operator needs to have at least Read access to the Operator object in order to log in to C•CURE 9000. This can be provided by either: • Granting Full Privilege to Partition for the Partition in which the Operator resides. • Creating a separate Privilege that provides Read access to the Operator class (if you do not want to grant Full Privileges to the Operator). Table 6 on Page 56 shows examples of the way you could set up the Operators in an Enterprise. Table 6: Operator Priviege Examples Creation Operator Privilege Partition Global Global Responsible for the entire system and can move freely from the MAS or to any SAS. This operator's record is Administrator located in the Global Partition and would have the following Privileges: SYSTEM ALL T his operator has the ability to create/update/delete alobjects in the Enterprise system. MAS Local MAShome Responsible for the local operations on the MAS servers. This operator record is boated in the MAS Default Administrator Partition and would have the following Privileges: Access to globaloommon objects (Global( Access to common objects [Default: MAShomej F ull privilege for partition: Default (Default: MAShomel T his operator hascreate/update/delete allobjects in their MAS respective Partitions and is able to see objects in the Global Partition and Partitions on their system. c.271t. Access toglobaloommon objects Ploball t.i,..-I I':. ng Read access to common objects (Default: SAS1homej Silt i Read access to common objects (Default: SAS2homel A Privilege that provides Read access to the Operator class. 56 Chapter 3 CCURE 9000 Enterprise Architecture Guide EFTA01225633 Privileges in Enterprise Architecture Creation Operator Privilege Partition SAS 1 SAS1home Responsible for the bcaloperations on the SAS1 server. This Operator record is located in the SAS system's Administrator Default Partition and would have the following Privileges: System All ISAS1I This Operator has aeate/update/delete allobjects in their SAS system's respective Partitions and are able to see objects in the Global Partition and Partitionson their system. SAS1 Guard SASlhome Access to global common objects pbbaf] Access to common objects (Default: SAS1homel A Privilege that provides Read access to the Operator class. SAS 2 SAS2home Responsible for the local operations on the SAS2 server. This Operator record is located in the SAS system':, Administrator Default Partition and would have the following Privileges: System All ISAS2I This Operator has create/update/delete allobjects in their SAS system's respective Partitions and are able to see objects in the Global Partition and Partitions on their system. SAS2 Guard SAS2home Access to global common objects (Global] Access to common objects IDefautt: SAS2home( A Privilege that provides Read access to the Operator class. C•CURE 9000 Enterprise Architecture Guide Chapter 3 57 EFTA01225634 Operators In Enterprise Architecture Operators In Enterprise Architecture Operator configuration for Application Servers is similar to a standalone partitioned server. All C•CURE 9000 objects are created and reside in a single Partition and cannot span multiple Partitions. The Privileges given to an Operator and the server to which an Operator is connected to determine what objects can view, create, and delete. Enterprise Architecture provides new Privileges that are based upon the Partition in which the Operator record is being created. If you create a limited Privilege for a Global Operator (rather than assigning the System All Privilege) NOTE that Global Operator must be assigned at least Read access to the Operator object or he/she will not be able to log on to C•CURE 9000. Privilege Schedules for Operators A Schedule that resides on a SAS is a non-global Schedule, and it is never active on the MAS itself, so an Operator assigned a SAS Schedule is treated by the MAS as if the Schedule is inactive. Example: An Operator assigned a Privilege with a SAS Schedule (rather than the Global ALWAYS Schedule) will not be allowed to log on to the MAS, and if logged on to a SAS, will not be able to save a change to a Global object. If you need an Operator with Privilege restrictions who also needs access to Global objects and to the MAS, assign him/her an additional Privilege that references a Schedule residing on the MAS. in this way, the Schedule will be active when the Operator logs on. Operator Application Server Tab You can configure the Application Servers with which an Operator can be Set interactive from the Application Servers tab. Only a Global Operator at the MAS can Set interactive with Satellite (SAS) systems. The Application Servers tab is only available if the Operator you are editing resides in the Global partition. The Application Servers tab provides you with the ability to select the Application Servers which are set to Interactive mode for a given Operator. (See the definition of Set Interactive in Application Server Context Menu on Page 99 for more information.) When the server is in interactive mode, the Operator receives Event Notifications, Object Creation/Update and Delete Notifications and other activity-related messages. When this Operator logs into the MAS, by default the servers specified in the list of servers assigned in the Application Servers tab are in interactive mode. 58 Chapter 3 C•CURE 9000 Enterprise Architecture Guide EFTA01225635 Operators In Enterprise Architecture Figure 11: Applicalson Servers Tab a Operator - pwilson l7 =7 1l a al Save and Close Save and New Name paalson Desersecri Team Developer Enabled Partition Global Application Selves State image* ) Selena I lAYoul I Gimes i Woad/. Comm.:cab= Steven 'Add Remove Name Desaiption Special Domain Considerations for the Operator The Operator object is a standard, optionally-global object and follows all the rules specified in Optionally Global Objects on Page 107. However, there are some special considerations: 1. The combination of Domain name and Username must be unique for all operators across the entire enterprise. If the same user needs to log into different domains at different application servers, you cannot use a global operator. Instead you will have to create two different local operators. 2. If you want to allow an Operator to log into two different SAS machines with the same domain and usemame, you must create a global operator for them. Otherwise, they will not be able to create both separate local operators and have them replicate successfully. If an operator references a global privilege, the global privilege is able to reference only NOTE global objects. The global privilege cannot reference local objects. Therefore, if a global operator exists and if they have any privilege other than SYSTEM ALL, the operator has to be assigned local Privileges separately for each SAS to which the Operator will log in. C•CURE 9000 Enterprise Architecture Guide Chapter 3 59 EFTA01225636 Operator Configuration Operator Configuration As a SAS or MAS Administrator, you can create Operators for the SAS or the MAS in the same way you would for a standalone partitioned server. Operators are created in a specific Partition and do not span multiple Partitions. See Privileges in Enterprise Architecture on Page 53 for more information about the Privileges that are available in ?Enterprise Architecture to create Operators with full or limited access to Global objects. Accessing the Operator Editor The Operator Editor in C•CURE 9000 lets you create and modify Operator Objects so that they are able to access the Administration Workstation and Monitoring Station and perform functions according to Operator Privileges. You can access the Operator Editor from the Administration Station of the SAS or the MAS. Select Configuration from the Navigation Pane, and Operator from the Configuration drop-down menu. The Operator editor Layout tab has an additional field if you are editing an Operator from the MAS. The Application Server drop-down list lets you select the MAS or SAS from which you assign Application Layouts to the Operator. For each server in the Enterprise, you can separately choose the Application Layouts to which you want to give the Operator access. The example below shows a MAS Operator assigned Application Layouts from more than one server. The Application Layout on the left is on the MAS, while the Application Layout on the right is on a SAS. ay...tact. ktenntdcbc. 2 .,:v In. C.tes Op.a. hen> 1.45 6164 Omits mimic* Qawds Na. P NM hake OW P paled PS filed Grog WO IGnal Kolosibl Sown I Stliensgs Geed ISA 'Goal Anicatalas I Use Meal Kok/S.5,n • ecn:innwa- 40 00,15.". Nal I Dubois% Nal r:etiutgaricalotapo. De DS/ 4O:4elotapa, NOV.*: Iht0tOVeO 4 Application Layout on the MAS Application Layout on a SAS Whenever you create a new Operator in an Enterprise, the Operator is assigned the "Access to common objects" Privilege and also the "Access to common global objects" privilege. The Database Update process assigns "Access to common global objects" to all existing Operators. This privilege (or a higher level Privilege such as Full Privilege for partition: Global or SYSTEM ALL) is required for an Operator to log in and use C•CURE 9000 in an Enterprise Architecture. The "Access to common global objects" privilege is read-only. 60 Chapter 3 C•CURE 9000 Enterprise Architecture Guide EFTA01225637 Operator Configuration To Configure a Global Operator 1. From the MAS Server, select Global as the New Object Partition. 2. In the Navigation Pane of the Administration Workstation, click the Configuration pane. 3. Click the Configuration drop-down list and select Operator. 4. Click New to create a new Operator. 5. Enter a name and textual description for this Operator in the Name and Description fields. 6. By default, an Operator created in the Global Partition is assigned the SYSTEM ALL [Global] Privilege. 7. Click the Layout tab to assign one or more Application Layouts for the Operator to use when running the Monitoring Station. On the Layout tab, you can use the Application Server drop-down list to assign Application Layouts from different servers to the Operator. Select an Application Server in the drop-down list, to choose to assign Application Layouts from that server. 8. Click Add to add Application Layouts from that server to the Operator. You can choose layouts from multiple servers, and all of them will be saved when you Save and Close. 9. Click the Application Servers tab and click Add to assign the Application Servers in the enterprise that you want to be in Interactive mode for this Operator. 10. Click Save and Close to save the new Operator record. To Configure a Local Operator 1. From the MAS or SAS Default Server, select the Partition in which you want to create the Operator as the New Object Partition. 2. In the Navigation Pane of the Administration Workstation, click the Configuration pane. 3. Click the Configuration drop-down list and select Operator. 4. Click New to create a new Operator. 5. Enter a name and textual description for this Operator in the Name and Description fields. 6. By default, an Operator created in a local Partition is assigned three Privileges. • Access to global common objects [Global] • Full privilege for Partition Default [<Partition Name>1 • Access to common objects [Default: <Partition Name>] 7. Add any additional Privileges you need to assign to the Operator. 8. Click the layout tab and then click Add to assign one or more Application layouts for the Operator to use when running the Monitoring Station. 9. Click the Application Servers tab and click Add to assign the Application Servers in the enterprise that you want to be in Interactive mode for this Operator. 10. Click Save and Close to save the new Operator record. C•CURE 9000 Enterprise Architecture Guide Chapter 3 61 EFTA01225638 Client Configuration Client Configuration You can connect to a specific C•CURE 9000 server as a primary connection using either a local or remote client application (Administration application or Monitoring Station). When you run a C•CURE 9000 client application, you connect to the server (MAS or SAS) specified in the application's configuration file. The objects you can see in a client application depend upon your primary connection, and the server from which you are reading data. Primary Connection to the MAS If the client application is configured to connect to the MAS, and you are a valid Operator in the MAS database, you are logged in with the MAS as your primary connection. Upon connection to the MAS, the client application sets the connection to all SAS systems configured for you in the Operator editor to Interactive, and all other SAS systems in the enterprise to Non-interactive. See Operators In Enterprise Architecture on Page 58 for more information. From the MAS, you can access the Application Server Dynamic View to view and change the Client Connection type for each SAS. See Application Server Dynamic View on Page 68 for more information, and for definitions of the Client Connection States available. Reading Data from the MAS If you select the MAS system in the Read Data from drop-down list, the Dynamic View displays data from the Global Partition, any local MAS Partitions, and all local SAS Partitions on each SAS system. The information available in the Dynamic View differs depending upon which SAS systems are set to Interactive and which are set to Non-interactive. Interactive: • The Dynamic View does not initially display information in status-type fields for SAS systems set to Interactive. For example, a value for the Active on Server field for a Schedule may not be visible. • The Dynamic View receives object updates from SAS systems to which it is Interactive. Thus, if the Active on Server field value changes, that change will be displayed in the Dynamic View. • If you manually refresh the Dynamic View, the information for an Interactive SAS system's status-type fields is cleared, but a subsequent update to the field's value will display the change. Non-interactive: • The Dynamic View does not initially display information in status-type fields for SAS systems set to Non- interactive. For example, a value for the Active on Server field for a Schedule may not be visible. • The Dynamic View does not receive object updates from SAS systems to which it is Non-interactive. Thus, if the Active on Server field value changes, that change is not displayed in the Dynamic View. • If you manually refresh the Dynamic View, the information for a Non-interactive SAS system's status-type fields is cleared, but a subsequent update to the field's value is not displayed. 62 Chapter 3 C•CURE 9000 Enterprise Architecture Guide EFTA01225639 Client Configuration Reading Data from a SAS If you are displaying a Dynamic View from the MAS with a SAS server selected in the Read Data from drop-down list, the Dynamic View behaves as if the primary connection is the selected SAS. That is, the Dynamic View displays only the Global and local Partition objects that would be visible if you were viewing the data from a client connected to that SAS. Primary Connection to a SAS If the client application is configured to connect to a particular SAS, and you are a valid Operator in the SAS database, you are logged in with the SAS as your primary connection. Depending upon Privilege settings, an Operator at a SAS client can view, create, and modify objects in the Global Partition and local Partitions on that SAS, but can never see objects in partitions on other SAS systems in the enterprise (even if the Operator has Privileges to see objects on other SAS systems). C•CURE 9000 Enterprise Architecture Guide Chapter 3 63 EFTA01225640 DynamicViews in Enterprise Architecture Dynamic Views in Enterprise Architecture In the Enterprise Architecture, a Dynamic View allows a Global Operator at the MAS to view and manage objects from different servers. When viewing a Dynamic View while logged in to the MAS, you can select the server in the Enterprise Architecture from which to view enterprise data. You view data as if that server were your primary connection, so you can view objects from that server's local Partitions, as well as Global data, if you have sufficient Privilege. • The Read Data from field in the Dynamic View toolbar shows from which server the displayed objects are being read. • You can select a different server from the drop-down list to view data as if your primary connection was to that server. Figure 12 on Page 64 displays a Dynamic View from the MAS. Figure 12: Dynamic View from the MAS lawsk Yew x ..Z 06-1I0Y 4 004 "fl'"w'Ummmmml..._ WINIAS.mweermhambankt04.6. Ha m OeMaap. Zoe ammiaaw Casa WM KIWI U Mn! II: :ma aw. Sea} onaiata OcitsMaM WW Wad IQ 5.:IWWW. DedwiliiVes Dasalaw IP Ceara' OeM I tIHMatmata wed DEHMMIOSHWartita OHM 'IOH:PaiWa. Pawed Wm CHWIWa b ?WWI OeM HIHi Wawfa HOObWo DataWal bawds DIM POW Wed.9. NW MaaaHro• Daaram la awl Pah OeM la HIKawa. WaVYM Dela ktkoad HMS 1097PaciaSa Mr Hans , DOMIWW Heel Paw Dena En:, ne. wv. Doi ConeWle. Oetelim ro WI Cora* Dna IOWNxiii.P. ‘1101.8MW.002// Ws Ila bLot r matirawaHHHHOOP WS PO 4VININWth• 0•11111102 Ow mew it de OHMSrad DWI WSW WH2 OHMS Cowl eau ad HAWS N OIY WHINHOW GI raw%rar OWE lira VA area ad OWNS HatIM W WHO eta _a NtaelHOes The Read Data from drop-down list is not available when you are logged in to a SAS, because you can only view that MS and the Global Partition. For partitioned objects, the right-most column of Dynamic Views on the MAS display the Partition in which an object resides. Dynamic View Restrictions When an Operator launches a Dynamic View on the MAS, some restrictions apply. • The Dynamic View Read Data from setting and the Interactive/Non-interactive settings affect how the Dynamic View displays status-type properties and updates from object creation, deletion, and modification. See Client Configuration on Page 62 for more details on updates to Dynamic Views. • When the Dynamic View Read Data from is set to the MAS, the Toolbar in the Dynamic View displays the message "Status values are not available on the MAS." • If the selected server is unavailable or becomes unavailable, the combo box with the server name will have a label appear after it saying "Disconnected." • If you want to retrieve only records from a specific SAS, either: 84 Chapter 3 C•CURE 9000 Enterprise Architecture Guide EFTA01225641 Dynamic Views in Enterprise Architecture ■ Log in with a Privilege which gives you a view only of the SAS's Partitions ■ Select the SAS in the Read data from drop-down list ■ Create a query which explicitly selects records with only the Partitions belonging to that SAS ■ If a query created at the SAS is run with the 'Read Data from' server as the MAS, it finds all records which match the query criteria and which the Operator is allowed to see, whether the records are on the SAS where the Dynamic View is located or on another server. ■ If a query created at one SAS is run with a second SAS selected in the Read Data from drop-down list, the data displayed is from the second SAS. ■ If a query created at the MAS is run with the 'Read Data from' server as the MAS, it shows all action records from all events and other objects defined on any SAS anywhere, not just records defined on the MAS. Removing the Partition Column from a Dynamic View If you do not want the Partition Column visible in a Dynamic View for an Object Type, you can create a Dynamic View and mark the Partition Column as hidden, then choose Make default view, and save the Dynamic View. See the C• CURE 9000 Data Views Guide chapter on Dynamic Views for more information. To hide the Partition Column while you are viewing a Dynamic View, you can right-click on the column headings and clear the Partition column to hide that column. However, this change is in effect only while the view is open. If you close the view and open it again, the column reappears. C•CURE 9000 Enterprise Architecture Guide Chapter 3 65 EFTA01225642 Holidays in Enterprise Architecture Holidays in Enterprise Architecture The holiday object is a standard, optionally-Global object following all the rules specified in the Optionally Global Objects on Page 107. There are two special considerations: ■ You can activate Global Holidays on a local SAS even if the MAS is offline because the active state for a Holiday is calculated at each local SAS server. ■ There is a limit of 256 holidays that can be downloaded to an apC. This apC limit is enforced by the Holiday Groups you add to the apC. There is a system-wide limit of 24 holiday groups per SAS. In other words, if you are creating a global holiday group on the MAS, each SAS is checked so that the maximum number of holiday groups is not exceeded. However, the total number of local and global holidays on the MAS can exceed 24 groups. 66 Chapter 3 C•CURE 9000 Enterprise Architecture Guide EFTA01225643 4 Application Server Editor This chapter explains how to use the Application Server editor to manage Application Servers in your Enterprise. In this chapter Application Server Dynamic View 68 Application Server Synchronization Conflicts View 74 Synchronization Conflicts Definitions 79 Application Server Editor 87 Using the Application Server Editor 88 Application Server General Tab 89 Application Server Groups Tab 91 Application Server Synchronization Tab 92 Application Server Triggers Tab 94 Application Server State Images Tab 97 C•CURE 9000 Enterprise Architecture Guide Chapter< 67 EFTA01225644 Application Server Dynamic View Application Server Dynamic View The Application Server Dynamic View displays the Application Servers in the enterprise. Figure 13 on Page 68 displays the list of application servers available from the MAS. Figure 13: DynamicView - Application Server 7;-CY "s 5 " 10"`' Cost 2 Slabs values way nal b• avaabloontbe WS 0 ag coorA, It, goo tv hts* "N I Walla I Stabs I Clenatenearn Sum I SPessubm Sin bft202802Vreell tos20292/01•41 0.Y. Pain Rory lo Spthcree tot2029XYCSO2 Ottst defame.kt Odra Doccmected Reedilo Synchtnze aitt=at An Application Server Dynamic View launched from the Search button reflects data from the Default Server. The Dynamic View menu bar has a drop-down list of servers from which you can select a server. Once a Dynamic View is launched, you can select a different server for that view from which to start reading data. When a different server is selected within the Dynamic View, the list is immediately refreshed to start reading from the selected server. Changes on objects are sent to the Dynamic View once it is opened, and the view reflects up-to-date values. If you use the Read Data from drop-down list to select the MAS, the Dynamic View displays the MAS and each SAS in the Enterprise in the list of Application Servers. The Status and Synchronization Status columns reflect the status of each Application Server as known to the MAS. If you use the Read Data from drop-down list to select a SAS, the Dynamic View displays only the SAS you selected, and the MAS, in the list of Application Servers. The Status and Synchronization Status columns reflect the status as known to the SAS. Table 7 on Page 68 describes the columns available from the Application Server Dynamic View display. Table 7: Application Server Dynamic View Columns Column Description Name The system name of each Application Server. 88 Chapter 4 C•CURE 9000 Enterprise Architecture Guide EFTA01225645 Application Server Dynamic View Table 7: Application Server DynamicView Columns (continued) Column Description Description The textual description of each Application Server. The system fills in a default description when the Application Server is created. Status The status of each Application Server. Each server is either Online (communicating with the server selected in Read Data From) or Offline (not communicating with the server select in Read Data From). Client The Client Connection State is the current state of the connection between this Admin or Monitoring application (client) and Connection each Application Server. The possible values are: State • Primary: This is the application server to which client-to-server requests are made. • Interactive: This client is currentty receiving dynamic server-to-client activity and state changes from this server, in addition to the primary server. • Non-Interactive: Thisdient isnot currentty receiving activity and state changes from this server. You can disconnect a client application that is currentty interactive from an Application Server by right-clicking and choosing Disconnect from the context menu. Disconnecting prevents the current client from receiving activity and state changes from that Application Server. You can connect a client application that is currentty Non-Interactive from an Application Server by right-clicking and choosing interactive from the context menu. Connecting allows the current client to receive activity and state changes from that Application Server. The default behavior for dients is to be interactive with allonline non-isolated application servers in the same region as the client's primary appbcation server. Alloffline/isolated/other-region application servers are Disconnected. Synchronization The values shown in the Synchronization Status column, and their meanings, are dependent upon whether you are Status considering the status of the local server or a remote server. The status values are explained in Table Bon Page 69. Example: If you set the Read Data From drop-down list to read data from the MAS, the MAS is the local server, and each SAS in the list is a remote server. Table 8: Synchronization Status Values Status Description Synchronization Status of Local Server Ready to Synchronize The local MAS/SAS and allof its partner Application Servers are ready to perform synchronization. Ready to Synchronize The local MAS/SAS is ready to perform synchronization, but one or more partner Application Servers are not. You can - One or more partner determine which server(s) are not ready by viewing the Synchronization Status of the remote servers. My remote server servers has a that snot 'Ready to Synchronize• has some problem with the local server. problem The MAS and SAS The localSAS has a different version of C•CURE 9000 than the MAS. This status does not appear for a local MAS are running because the MAS version is presumed to be correct. incompatible versions Restart SAS to The localSAS needs to have its services restarted so that synchronization can proceed. Restart the CrossFIre reinitialize Framework Service and the CrossF ire Server Component Framework Service. synchronization C•CURE 9000 Enterprise Architecture Guide Chapter 0 69 EFTA01225646 Application Server Dynamic View Table 8: Synchronization StatusValues (continued) Status Description Aconfiguration The local MAS/SAS isnot property oonfigured for synchronization. T his could also indicate a license problem. See the problem prevented Windows Event Viewer Application Log (Start>Administrative Tools>Event Viewer, then select Windows synchronization (See Logs>Ap pIlcatIon) to view any appbcation errors that have recentty occurred. This may indicate the problem. Event Server) Synchronization Status of Remote Server Unknown T he remote partner Application Server is not connected. Ready to Synchronize T he remote Application Server is ready to synchronize. Ready to Synchronize Indicates that there are unresolved conflicts that may need to be resolved. Synchronization will continue. Conflicts are - There are Conflicts listed on the Application Server Synchronization Conflicts View on Page 74. See Using the Synchronization Conflicts View on Page 77. Ready to Synchronize This status is displayed at the MASonty. It indicates that one or more SASs have a different but compatible version of - Some partners have C•CURE 9000 different software versions Ready to Synchronize This status isdisplayed at a SAS only. It indicates that the MAS has a different but compatible version of C•CURE 9000. - MAS has a different software version Synchronizing -The This status isdisplayed on the MASonty. It indicates that the system hasdetected that the MAS database has been MAS database has restored since the last synchronization. and that synchronization is proceeding. been restored Synchronizing -The This status is displayed on a SAS onty. It indicates that the system has detected that the SAS database has been restored SAS database has since the last synchronization, and that synchronization is proceeding. been restored The MAS and SAS The remote SAS has a version of C•CURE 9000 that is incompatible with the MAS. Synchronization is disabled because are running of this incompatibility. To resolve this condition, the incompatible system(s) should be upgraded to a compatible version. incompatible versions Restart SAS to The remote SAS needs to have its services restarted so that synchronization can proceed. Restart the CrossFire reinitialize Framework Service and the CrossFire Server Component Framework Service. synchronization A configuration The remote Application Server encountered a configuration error and cannot initialize for synchronization. See the problem prevented Windows Event Viewer Application Log on the remote server (Start>Administrative Tools>Event Viewer, then select synchronization (See Windows Logs>Application) to view any application errors that have recenttyoccurred. This may indicate the Event Server) problem. Viewing a List of Application Servers When you select Application Server from the Options & Tools pane, a dynamic view opens that displays a list of all Application Servers that are configured in the C•CURE 9000 database. See Application Server Dynamic View on Page 68 for explanations of the columns in this list. 70 Chapter 4 C•CURE 9000 Enterprise Architecture Guide EFTA01225647 Appication Server Dynamic View You can double-click on any Application Server in the list to edit it, or you can right-click on an Application Server in the list to display a context menu that gives you options such as Edit, Add to Group, and Fmd in Journal. See Application Server Context Menu on Page 99 for more information on the context menu. You can view a list of Application Servers from the Administration Client or the Monitoring Station. • To View a List of Application Servers from the Administration Client Application on Page 71 • To View a List of Application Servers from the Monitoring Station on Page 71 You can change the interactive status of an Application Server from the Administration Client or the Monitoring Station. See Table 29 on Page 100 for more information on Interactive mode. • To View a List of Application Servers from the Monitoring Station on Page 71 • To Change Interactive Mode for an Application Server from the Monitoring Station on Page 72 To View a List of Application Servers from the Administration Client Application 1. In the Administration Client, on the Options & Tools pane, select Application Server. 2. A dynamic view opens that displays a list of all Application Servers that are configured in the Co CURE 9000 database. 3. You can use the buttons on the Dynamic View toolbar to filter, group, print, or query on the list. 4. To change the columns that are displayed in the view, right-click on the Column headings and select the columns you want to display. 5. You group the view by any column heading by clicking on a Column heading and dragging the heading to the Drag columns to group by here area. The view is re-configured to group items by the column heading. Example If you drag the Priority column heading to the Drag columns to group by here area, the view is re- displayed with Priority as the group heading, and the Application Servers grouped by priority. Click the a to expand the list of Application Servers in that Priority. • 4(li I To View a List of Application Servers from the Monitoring Station You can view a list of Application Servers from the Monitoring Station if your Application Layout includes the Explorer Bar. C•CURE 9000 Enterprise Architecture Guide Chapter < 71 EFTA01225648 Applitatbn Server Dynamic View 1. In the Monitoring Station, on the Options & Tools pane, select Application Server from the Hardware Status Explorer Bar. 2. A dynamic view called Status List - Application Server opens that displays a list of all Application Servers that are configured in the C•CURE 9000 database. 3. You can use the buttons on the Dynamic View toolbar to filter, group, print, or query on the list. 4. To change the columns that are displayed in the view, right-click on the Column headings and select the columns you want to display. 5. You group the view by any column heading by clicking on a Column heading and dragging the heading to the Drag columns to group by here area. The view is re-configured to group items by the column heading. To Change Interactive Mode for an Application Server from the Admin Client 1. From the Dynamic View list of Application Servers on the MAS, select an Application Server and right-click. 2. To set the Application Server to non-Interactive (if the Client Connection State for this Application Server is Interactive), choose Set Non-interactive from the context menu. 3. To set the Application Server to Interactive mode (if the Client Connection State for this Application Server is Non-interactive), choose Set Interactive from the context menu. To Change Interactive Mode for an Application Server from the Monitoring Station 1. From Status List - Application Server, select an Application Server and right-click. 2. To set the Application Server to non-Interactive (if the Client Connection State for this Application Server is Interactive), choose Set Non-interactive from the context menu. 3. To set the Application Server to Interactive mode (if the Client Connection State for this Application Server is Non-interactive), choose Set Interactive from the context menu. Application Server Context Menu If you are viewing the Application Server Dynamic View on a SAS, and you right-click on a SAS system, the context menu is displayed as follows: a Edit re. Export selection... Find in Audit Log... Find in Journal... Synchronization Conflicts If you are viewing the Application Server Dynamic View on a SAS, and you right-click on the MAS system, the Synchronization Conflicts selection will not be visible. 72 Chapter < C•CURE 9000 Enterprise Architecture Guide EFTA01225649 Application Server Dynamic View If you are viewing the Application Server Dynamic View from the MAS, the context menu displays as follows if a SAS is selected (the Set Interactive or Set Non-interactive menu selection does not appear if you right-click on the MAS row of the Application Server Dynamic View). a- Edit Export selection... Find in Audit Log... Find in Journal... Set Interactive Synchronization Conflicts The context menu that opens when you right-click on a Application Server in the Dynamic View of Application Servers includes the following selections. Table 9: Application Server Dynamic View Context Menu Selection Description Edit Click this menu selection to edit the Application Server record. The Application Server Editor opens. Export Allows you to export the selected Application Server records to an XML or CSV file. Selection Find in Audit Opens a Query Parameters dialog box in which you can enter prompts and/or modify the query criteria to search for entries in Log the Audit Log that reference the selected record. When found, the results display in a separate Dynamic View. Find in Journal Opens a Query Parameters dialog box in which you can enter prompts and/or modify the query criteria to search for entries in the Journal that reference the selected record. When found, the resuttsdisplay in a separate . Set Interactive This selection is available onty if you are a Global Operator viewing the Application Server Dynamic View from the MAS. The Set Interactive or Set Non-Interactive menu selection does not appear if you right-click on the MAS row of the Application Server Dynamic View. Click this menu option to set the selected SAS to Interactive mode. An interactive SAS sends update messages to the Monitoring Station and updates to MAS Dynamic Views, the Hardware tree, and the Video tree. • Dynamic views which are Reading Data from the MAS receive allobject notification messages from interactive SAS servers. That means that new and deleted object changes are displayed, and changes to object states are displayed temporarity (MAS Dynamic Views do not dynamicalty display status updates - if you refresh one of these dynamic views, all status data disappears). In contrast, for SAS sewers which are non-interactive, no status data and no object additions or deletions are displayed. Manual refresh causes the object changes to be displayed. • Hardware and Video trees which are displayed white the Default Server is the MAS also receive object notifications from interactive SAS servers. That means that new and deleted object changes are displayed. In contrast, for SAS sewers that are non-interactive. no object additions. changes. or deletions are displayed on the tree until it is ma nua lty refreshed. Synchronization This selection is available onty if you are viewing the Application Server Dynamic View from the SAS. Conflicts Click this menu selection to open the Application Server Synchronization Conflicts Dynamic View. See Application Server Synchronization Conflicts View on Page 74. C•CURE 9000 Enterprise Architecture Guide Chapter 4 73 EFTA01225650 Application Server Synchronization Conflicts View Application Server Synchronization Conflicts View The Application Server Synchronization Conflicts View is accessed from the Synchronization Conflicts menu selection on the Application Server Dynamic View context menu for a specific SAS. (See Figure 14 on Page 74). Figure 14: Application Server Synchronization Conflicts Context Menu a Edit th Export selection... Find in Audit Log... Find in Journal... Synchronization Conflicts This view displays any existing conflicts that were logged between the MAS and this particular SAS, and can be useful for resolving conflicts that hamper server synchronization. The following sections provide more information about the this view. • Synchronization Conflict View from the MAS on Page 74 • Synchronization Conflicts View from a SAS on Page 75 • Synchronization Conflicts View Definitions on Page 76 • Using the Synchronization Conflicts View on Page 77 The system avoids creating duplicate Synchronization Conflict records if the same conflict re-occurs. Since conflicts are identified by Object ID, Object Type, and Conflict Type, it is possible (although rare) for the same record to appear in the conflicts twice if it has multiple conflict types. 1. When a conflict is detected, the system, using the three identifiers mentioned above, checks to see if a matching record already exists. 2. If such a record does exist, the system updates it with the latest Object Name and Error Description. Consequently, at any point in time, the record shows when the conflict first occurred, the data necessary to identify and find the record, and its most recent name and error text. For an overview of Synchronization Conflicts, with a few sample conflicts, see Synchronization Results on Page 49. To see the most current list of conflicts in this view, you need to refresh the Conflict View by clicking NOTE Synchronization Conflict View from the MAS If you open this view as an Operator on the MAS, the toolbar includes the Read Data from drop-down list that allows you to choose to view Synchronization Conflicts from the viewpoint of any SAS system. See Figure 15 on Page 75. 74 Chapter< C•CURE 9000 Enterprise Architecture Guide EFTA01225651 Application Server Synchronization Conflicts View Figure 15: Synchronization Conflicts View from the MAS mens•ZLitFo y COO Read pet•Item, BOSSiellOvai Cost: Is C egi columns ss you, b"•••• CaiblMoltke I OMmlID I Olio" Two I Olio:Mao I Diedico I USW DcoMp6on I Calk, Tws a 10/11/2010 9939)AM 2037152[04 Oposte tatelCOLOtChW ensues 044110.5 or, SAS se Lad tooted/se • lin 4 kola be am collets tall 1 r en n c., tense tow %odds 10.012/201025350/14 209420W Ow*. nal onKs 00.0445 4rdS*5 oe Loud ion tate, bird to ,ples beam calico nil ion 014 ow tan foram oonatt4 smog 10/4/2010 31703PM 209152= AmIcabmSow. B05343ROWN Pen Ma Bon 14.4.5 ard SAS 444 Outtios Row/ 12,410 to mot woo.* Key coLcc41 ard the MOO [MOS* Reno/ K. bean Or& one col ooxoed 10/4/2010 Sall F14 tOMOS Ocuunce sum Na Ayala:47 kinMa Deuce oft k• A gensal too no *rem* 01BBOCO wool occoloi Kok Oa m pa frokOw*. i mot cloaca Saws wad 10/4/2010 nz11FM 209152031 OeteteCe Hen 1/144 knibb benMa °mance to. 4:4 • "nod OM tot ctorance 1,441Soiree caused l'urric4 *mica dab nay dox 10/4/2010 tanPM IMO SyshonVo•Mos Prowrollw945 born Ma BathWM and SAS es OtoketPiney gala WO brniell • low nth Kenai-cal and the une ovsnIsr Pon* caIntel Dry one <oi wtteed 10/4201032216 FM 2097152034 Omen antlei Ida Ma Mr Botbil4.5 rd SAS at CksIcss Prowl Zny to ma a go i te . noh Aey col K. Lcc1and edrt wbN MMn Orip °neon succeed 10/1/2010 32210 F14 2097152(05 Optima oToicoulms boo Ma BollWS rd 545w OurkstoPirms. Ionia not awn* Kw cobroil ore/ tp., merpoMY 4SY Flow. wain,* Dry as anImand 10/4/2010 /Z216 PM 209152007 O000ss "ROW twin he Mw Boil WS •4 SAS ow Okolca•Ftims. Synchronization Conflicts View from a SAS If you open this view as an Operator on a SAS, the toolbar does not provide the Read Data from drop-down box because you can only view the conflicts that affect this specific SAS. See Figure 16 on Page 76. C•CURE 9000 Enterprise Architecture Guide Chapter < 75 EFTA01225652 Application Server Synchronization Conflicts View Figure 16: Synchronization Confbcts View from a SAS vK.•ZiOA TVID. c..... pi D.2 I. -rey /, e ConlonOmen ONNIID Otiose Tms Cemst MOne Dona. Coin Oomesa Casa Try* *12201095950MA 2097155201 Oppas Ravna.jcio.tes Iron MM BM WAS end 9.5 re lcal Pm wale a • Itorg to tab* the more *mike mat be Oat re an MS K.vologe ilioccOld 1012a010 9 59.50/41 2087152(01 Cows anlinCesfittohn IranMr Both MS am SAS arm Loud magoin bal.*. ars anima ma Ppmyfl pow worm. stio. sacceed ":, 412010 317t8 PM 21:071520C4 Aselams San. BOSMIROWM konMes OW WAS rd 94 vs Ckokme Priam VW. tO ober% a Poe *NI kayos laniard toIre corny; Ny. Roam an Nam Ody a* ce, su:cood '342310317M PM BMWS Cleininanin Net Asulailo ban Mai Cleeinar Seib, Artemis's Ns *arc* 83106CONna <awed rePlcoS as lops NSW:nma in min doola^vman 'D./010MM FN 20/7152031 Claw* IMen MA bialale kNOFN Nome, aen, iar Apron/ re Pa deatince {pea cjeaan Nested 1' trowel:draft char van; ecc. * )13310 34.15PM l SolmaNadska PorscorelOmmpS Ian MEN Bee M.S aM SAS me Lupins Rimy ammo Irv" le ow', Pen. *ma LCNIrd limns ring MN ROM.° n. Win Orly cos Ca— • :.4.2010 3 2216 PM 209115.201 Ocestor anences_gmhas kw Nom BahINS rd SA5 in Cvgleme Pnrsrf • IMP b Mesta Max. Kay en Lccal am ihe nom [catty key. Ream row Veen Orly °sec* staxeml 110410103216 PM 2097152COS Op•mm iiiiintaJAN ionMs MONS N Wm mac. Priory YAM w Wens wax. macal sad to on piney bif MPS motive, Kw Wymanbrand • )L201032216 PM =WM Oporam Nmantpticem. ha Mb Bee Mk? end SAS we Oaks,Pisan. Synchronization Conflicts View Definitions The view contains the columns described in Table 10 on Page 76. Table 11 on Page 77 provides more explanations of possible messages in the Conflict Description and Conflict Type columns. Table 10: Synchronization Conflict View Columns Column Description Conflict date/time Lists the date and time the conflict first occurred for this record. Object ID Lists the Object ID of the object involved in the conflict. Object Type Lists the type of object involved in the conflict. Object Name Lists the name of the object involved in the conflict. If the object does not have a Name field. thiscolumn displays Not Available. Direction Lists the direction of the synchronization attempted. If the Direction is from MAS. it indicated that a Global object on the MAS failed to synchronize to one or more SAS systems. If the Direction is to MAS. it indicates that a local object from a SAS failed to synchronize with the MAS. Conflict Provides a description of the synchronization conflict that occurred. Description Conflict Type Lists the Conflict Type. 76 Chapter 0 C•CURE 9000 Enterprise Architecture Guide EFTA01225653 Application Server Synchronization Conflicts View Table 11: Possible Messages in Synchronization Conflicts Conflict Type Conflict Description Meaning A generalerror has The specific Wet text is shown. A database error occurred during synchronization. occurred. Example: In the example, it is likely an Application Layout on the SAS was deleted at Operator application layout pair for nearlythe same time as a user edited a Global Operator record and added a operator "MAHON" cannot replicate reference to the Application Layout that wasdeleted. due to missing application layout Deleted local row with This item wihave to be deleted and A row was updated on the remote server, but it was deleted in the past on the no metadata, conflict recreated on the MAS local server. with Remote update. Row Deleted Locally Both SAS and MAS have A row was deleted on both the local and remote server. and remotely independently deleted the row (ignored internally). Deleted Local row, This item wihave to be deleted and A row wasdeleted on the local server but updated on the remote server. conflict with Remote recreated on the MAS row update Duplicate Primary Key Both MAS and SAS are trying to insert A row wascreated on the local and remote server (they have the same on Localand Remote a row with the same primary key. Only Primary Key). row insert one can succeed. Local row update This 0em will have to be deleted and A row was updated on the local server but deleted on the remote server. oonfbcts with remote re-created on the SAS. delete Local row update Both MAS and SAS are trying to A row was updated on the local and remote server. conflicts with update the same row. Only one remote row update. can succeed. Using the Synchronization Conflicts View You can use the Synchronization Conflicts View to resolve conflicts in the list, so that objects with conflicts in the database can synchronize correctly. When you select one or more rows in the list and right-click, a context menu appears that lets you choose a conflict resolution action to take. See Figure 17 on Page 77. Figure 17: Synchronization ConflictsView Context Menu X Delete tib Export selection... Verify and delete conflict Edit associated record The context menu for Synchronization Conflicts provides a context menu with the selections in Table 12 on Page 78. C•CURE 9000 Enterprise Architecture Guide Chapter< 77 EFTA01225654 Application Server Synchronization Conflicts View Table 12: Synchronization Conflicts Context Menu Selections Selection Description Delete Click this selection to delete the selected Synchronization Conflict records. Export Click this selection to export one or more selected Synchronization Conflict records to an XML or CSV fie. See the C•CURE 9000 Selection Data Views Guide for more information about exporting selections. Verify and Clidahis selection to attempt to resolve and delete one or more conflicts. See Verify and Delete Conflict On Page 78 for more delete information. conflict Edit Click this selection if you want to edit the record. This selection only appears d you select a single row and that row has an associated associated record and an editor for viewing that record. This function is useful for locating the record invoNed in the conflict, especially if the record conflict desorption identified a field in the record that caused the conflict. You can open the editor for the record to see if you can determine the source of the conflict. Verify and Delete Conflict You can select one or more rows in the Synchronization Conflicts View and use the context menu selection Verify and delete conflict to attempt to resolve conflicts shown in the view. When you select this menu item, the dialog box shown in Figure 18 on Page 78 opens, listing the items you selected. You can click a next to an item to see an explanation of the conflict and how it was resolved, or why it could not be resolved. In the example shown, several records were successfully resolved and their entries in the Synchronization Conflicts View were deleted. However, sometimes the Verify and delete conflict function cannot resolve the conflict, and a message to that effect is displayed. The record might have been deleted, or the record might not be accessible for some other reason. Figure 18: Verify and Delete Conflict Verify and dells IIIIIIiiiiiiiiiIIIIIIIIIII .. Type OperatorNone amencas sNa [Globs] 1 Type. Operator Name. emencas_mbrown (Gobi] •. Type: MapServerOpeaorPar. Marne t.4ct Avalable Et Type: SWHSYSTEM_OPEFtATOFt9000 Name: N/A F . Type: Timeherval. Nene: Not Avaiable ' The record has been success/Lily resolved F.-Type': HardwareFolder. Name: Pat2 (Pat2] The record has been successfily resolved. E • Type: %MaoFolded% Name: Pat2 [Part2] L The record has been successkily resolved a Type: ApplicationSenter. Name: 80S2MBROWN L•-• Type: limeIrterval Name: Not Available OK Print Email 78 Chapter 4 C•CURE 9000 Enterprise Architecture Guide EFTA01225655 Synchronization Conflicts Definitions Synchronization Conflicts Definitions The following tables list the types of synchronization conflicts that can occur, and information about troubleshooting these errors. Table 13 on Page 79 lists Badge Layout object Conflicts. Table 14 on Page 80 lists Card Format Conflicts. Table 15 on Page 80 lists Credential-related Conflicts. Table 16 on Page 81 lists Clearance object Conflicts. Table 17 on Page 82 lists Door, Floor, and Elevator object Conflicts. Table 18 on Page 82 lists CHUID Format object Conflicts. Table 19 on Page 83 lists Reader object Conflicts. Table 20 on Page 83 lists Area object Conflicts. Table 21 on Page 83 lists Schedule object Conflicts. Table 22 on Page 83 lists Privilege object Conflicts. Table 23 on Page 84 lists Personnel object Conflicts. Table 24 on Page 84 lists Personnel-related object Conflicts. Table 25 on Page 85 lists Operator-related object Conflicts Table 26 on Page 85 lists Document object Conflicts Badge Layout Object Conflicts Table 13: Badge Layout ObjectConflicts Conflict Example Resolution Badge Layout cannot replicate Card format deleted on SAS at same time that a user edits global Edit the Badge Layout and remove the due to missing card format1. badge layout and adds reference to the card format in field 1. Card Format in Field. Then delete the Card Format. Badge Layout cannot replicate Card format deleted on SAS at same time that a user edits global Edit the Badge Layout and remove the due to missing card format1. badge layout and adds reference to the card format in field 2 Card Format in Field. Then delete the Example: Card Format. Badge Layout cannot replicate Card format deleted on SAS at same time that a user edits global Edit the Badge Layout and remove the due to missing card format1. badge layout and adds reference to the card format in field 3. Card Format in Field. Then delete the Card Format. Badge Layout <name> cannot be Global badge layout deleted on MAS at same time that a user Edit the Personnel record and remove deleted because it is referenced by edits a local personnel record and adds a reference to the badge the reference to the deleted Badge a credential. layout in a credential. Layout. C•CURE 9000 Enterprise Architecture Guide Chapter 4 79 EFTA01225656 Synchronization Conflicts Definitions Card Format Object Conflicts Table 14: Card Format Object Conflicts Conflict Example Resolution Card Format Card format <name> cannot be Card Format deleted on SAS at same time that a user edits a Edit the Badge Layout and remove deleted due to first reference in global badge layout and adds a reference to the card format in the Card Format in Field 1. Then badge layout record. field 1. delete the Card Format. Card format <name> cannot be Card Format deleted on SAS at same time that a user edits a Edit the Badge Layout and remove deleted due to second reference in global badge layout and adds a reference to the card format in the Card Format in Field 2. Then badge layout record. field 2. delete the Card Format. Card format <name> cannot be Card Format deleted on SAS at same time that a user edits a Edit the Badge Layout and remove deleted due to third reference in global badge layout and adds a reference to the card format in the Card Format in Field 3. Then badge layout record. field 3. delete the Card Format. Card Format <name> cannot be Local card format deleted on SAS at same time that a user edits a Edit the Reader and remove the deleted because it is referenced by global reader record and adds a reference to the card format. Card Format that was deleted. a reader format record. Card Format cannot replicate due CHUID Format deleted on MAS (A user at the MAS, while the Edit the Card Format and remove to missing CHUID Format. MAs was offline to the SAS. disabled the CHUID format and then the CHUID Format that was deleted it). deleted. At the same time, a user edited local a Card format and added a reference to the deleted CHUID Format. Card Format Field Table Card Format cannot replicate due Card format record cannot replicate due to missing CHUID Edit the Card Format and remove to missing Card format. format, and this prevents the Card Format Field record the CHUID Format that was associated with the Card Format from replicating. deleted. Credential-related Objects Table 15: Credential-related Objects Conflicts Conflict Example Resolution Credentialwith card # <number> cannot Badge layout deleted on SAS at same time that a user Edit the Global Credential and remove replicate due to missing badge layout. editsglobalcredential and adds reference to the badge the Badge Layout that wasdeleted. Layout. CredentiaI ca nnot replicate due to prior Personnel record cannot replicate due to missing Edit the Personnel record and assign replication error in parent personnel Personnel Type, and this prevents the Credential record a valid Personnel Type. record. associated with the person from replicating either. 80 Chapter 4 C•CURE 9000 Enterprise Architecture Guide EFTA01225657 Synchronization Conflicts Definitions Conflict Example Resolution Credential with card # <number> cannot CHUID Format deleted on MAS (A user at the MAS. while Edit the Credential and remove the replicate due to missing CHUID format: the MAs was offline to the SAS, disabled the CHUID CHUID Format that wasdeleted. format and then deleted it). At the same time, a user edited a local Credential and added reference to the CHUID Format. User-defined field cannot replicate Credential record cannot replicate due to duplicate Edit the Personnel record that because its associated credential with CHUID, and this prevents the User-defined Field record contains the duplicate CHUID and card number <number> cannot replicate. associated with the credential from replicating either. assign a valid CHUID. Credentialwith card # <number> cannot Acredential is created on MAS in a global personnelwith Edit either the Personnel record on replicate due to duplicate CHUID. CHUIDYY at same time that a credential is created on the MAS or the Personnel record on SAS in a local personnel with same CHUID W. the SAS and assign a valid CHUID. Clearance Conflicts Table 16: Clearance Object Conflicts Conflict Example Resolution Clearance Clearance <name> cannot be Globaldearance deleted on MAS at same time that a user Edit the Personnel record and remove deleted because it is referenced by edits a local personnel record and adds a reference to the the reference to the Clearance. Then a personnel record. clearance. delete the Clearance. Clearance Item Clearanceltem for Clearance Door deleted on SAS at same time that a user editsglobal Edit the Clearance and remove the <name> cannot replicate due to clearance and adds a reference to the door in the clearance reference to the deleted Door. missing door. item list. Clearanceltem for Clearance Door group deleted on SAS at same time thata user edits Edit the Clearance and remove the <name> cannot replicate due to globaldearance and adds a reference to the door group in reference to the deleted Door Group. missing door group. the clearance item list. Clearanceltem for Clearance Floor deleted on SAS at same time that a user editsglobal Edit the Clearance and remove the <name> cannot replicate due to clearance and adds a reference to the floor in the clearance reference to the deleted Floor. missing floor. item list. Clearanceltem for Clearance Floor group deleted on SAS at same time that a user edits Edit the Clearance and remove the <name> cannot replicate due to globalclearance and adds a reference to the floor group in reference to the deleted Floor Group. missing floor group. the clearance item list. Clearanceltem for Clearance Elevator deleted on SAS at same time that a user editsglobal Edit the Clearance and remove the <name> cannot replicate due to clearance and adds a reference to the elevator in the reference to the deleted Elevator. missing elevator. clearance item list. Clearanceltem for Clearance Elevator group deleted on SAS at same time that a user edits Edit the Clearance and remove the <name> cannot replicate due to globaldearance and adds a reference to the elevator group reference to the deleted Elevator Group. missing elevator group. in the clearance item list. C•CURE 9000 Enterprise Architecture Guide Chapter 4 61 EFTA01225658 Synchronization Conflicts Definitions Conflict Example Resolution Clearanceltem for Clearance Schedule deleted on SAS at same time that a user edits global Edit the Clearance and remove the <name> cannot replicate due to clearance and adds a reference to the schedule in the reference to the deleted Schedule. missing schedule. clearance item list. Door, Floor, and Elevator Object Conflicts Table 17: Door. Floor, and Elevator Object Conflicts Conflict Example Resolution Door Door <name> cannot be deleted Localdoor deleted on SAS at same time that a user edits a Edit the Clearance and remove the because it is referenced by a global clearance record and adds a reference to the door. reference to the deleted Door. Then delete clearance. the Door. Floor Floor <name> cannot be deleted Local floor deleted on SAS at same time that a user edits a Edit the Clearance and remove the because it is referenced by a global clearance record and adds a reference to the floor. reference to the deleted Floor. Then delete clearance. the Floor. Elevator Elevator <name> cannot be Local elevator deleted on SAS at same time that a user Edit the Clearance and remove the deleted because it is referenced by edits a global clearance record and adds a reference to reference to the deleted Elevator. Then a clearance. the elevator. delete the Elevator. CHUID Object Conflicts Table 18: CHUID Object Conflicts Conflict Example Resolution CHUID Format <name> cannot be CHUID Format deleted on MAS at same time that a Edit the Credential and remove the reference deleted because it is referenced by a user edits local person and adds the CHUID Format to the deleted CHUID Format. Then delete the credential. to a credential. CHUID Format. CHUID Format <name> cannot be Local Card Format deleted on SAS at same time Edit the CHUID Format and remove the deleted because it is referenced by a that a user edits a CHUID record and adds a reference to the deleted Card Format. The card format record. reference to the card format. delete the CHUID Format. 82 Chapter 4 C•CURE 9000 Enterprise Architecture Guide EFTA01225659 Synchronization Conflicts Definitions Reader Format Object Conflicts Table 19: Reader Format Conflicts Conflict Example Resolution Reader Format for Reader <name> Global Card format deleted on MAS at same time that a user Edit the Reader and remove the cannot replicate due to missing card edits local reader and adds reference to the reader format. reference to the deleted Card format. Format. Area Personnel Group Link Conflicts Table 20: Area Personnel Group Link Conflicts Conflict Example Resolution Area Personnel Group Linkcannot Global Personnelgroup deleted on MAS at same time that a Edit the Area object and remove the replicate due to missing personnel user edits a bcal Area and adds reference to the Personnel reference to the deleted Personnel group. Group. Group. Schedule Conflicts Table 21: Schedule Conflicts Conflict Example Resolution Schedule <name> cannot be deleted Local schedule deleted on SAS at same time that a Edit the Operator record and remove the because it is referenced by an operator user edits a global operator and adds a reference to reference to the deleted Schedule. Then privilege record: the schedule. delete the Schedule. Privilege Table 22: Privilege Object Conflicts Conflict Example Resolution Privilege <name> cannot be deleted Global privilege deleted on MAS at same time that a Edit the Operator record and remove the because it is referenced by an user edits a bcaloperator record and adds a reference reference to the deleted Privilege. Then operator record: to the privilege. delete the Privilege. C•CURE 9000 Enterprise Architecture Guide Chapter 0 83 EFTA01225660 Synchronization Conflicts Definitions Personnel Objects Table 23: Personnel aged Conflicts Conflict Example Resolution Personnel Personnelcannot replicate due Personnel Type deleted on SAS at same time that a user edits Edit the Personnel record and remove to missing Personnel Type: global Personnel and adds reference to the Personnel Type. the reference to the deleted Personnel Type. Personnelcannot replicate due Operator deleted on SAS at same time that a user edits global Edit the Personnel record and remove to missing Operator: Personnel and adds reference to the Operator. the reference to the deleted Operator. Personnel record <name> Global Clearance deleted on MAS at same time that a user edits Edit the Personnel record and remove cannot be deleted because of a a local Personnel record and adds a reference to the Clearance. the reference to the deleted Clearance. reference to a clearance: Then delete the Personnel record. User-defined field cannot Personnel record cannot replicate due to missing Personnel Edit the Personnel record and remove replicate because its associated Type, and this prevents the User-defined Field record the reference to the deleted Personnel personnelcannot replicate. associated with the person from replicating either. Type. Personnel: <personnel name>, Personnel record cannot replicate because the Windows Edit the Personnel record and change cannot be replicated because Principal user name field ihas to same value as another the Windows Principal field to a unique Windows Principal is not unique. Personnel record already replicated. Thisvalue must be unique. value. Personnel-related Objects Table 24: Personnel-related Object Conflicts Conflict Example Resolution Image Image cannot replicate due to prior Personnel record cannot replicate due to missing Edit the Personnel record and remove replication error in parent personnel Personnel Type, and this prevents the Image record the reference to the deleted Personnel record. associated with the person from replicating either. Type. Personnel Clearance Pair Clearance cannot be added to Global Clearance at MAS isdeleted at same time local Edit the Personnel record and remove personnel <name> because the Personnel record at SAS is added which references the the reference to the deleted Clearance. clearance YY is missing. error comes Clearance. from MAS Personnel <name> can not be deleted Global Clearance at MAS is deleted at same time local Edit the Personnel record and remove because it references a clearance Personnel record at SAS is added which references the the reference to the deleted Clearance. YY.error comes from SAS Clearance. Then delete the person. Personnel Type 84 Chapter 0 C•CURE 9000 Enterprise Architecture Guide EFTA01225661 Synchronization Conflicts Definitions Conflict Example Resolution Personnel type cannot be deleted Global Personnel type deleted on MAS at same time that a Edit the Personnel record and remove because it is referenced by a user edits a local Personnel record and adds a reference the reference to the deleted Personnel personnel record. to the Personnel Type in this Personnel record. Type. Then delete the Personnel Type. Operator-related Conflicts Table 25: Operator-related Object Conflicts Conflict Example Resolution Operator Operator XXcannot be deleted Gbbaloperator deleted on MAS at same time that a user edits a Edit the Personnel record and because it is referenced by a local personnel record and adds a reference to the operator. remove the reference to the personnel record. Operator. Then delete the Operator. Operator XXcannot replicate due to Application layout deleted on SAS at same time that a user edits Edit the Operaot and remove the missing Application layout. global operator and adds reference to the Application layout. reference to the deleted Application Layout. Operator XXcannot be replicated Aglobaloperator on MAS ismodified to have domain name AA and Edit the SAS Operator to remove because combination of domain user name BB at the same time as a beat operator on SAS is or change the conflicting domain name and user name is not unique. modified to have domain name AA and user name BB. and/or user name. Operator Privilege Pair OperatorPrivilegePair for operator Global Privilege deleted on MAS at same time that a user edits a Edit the Operator to remove the XXcannot replicate due to missing local Operator and adds a reference to the Privilege. reference to the Privilege. privilege OperatorPrivilegePair for Operator Local Schedule deleted on SAS at same time that a user edits a Edit the Operator to remove the XXcannot replicate due to missing global Operator and adds a reference to the Schedule. reference to the Schedule. schedule Operator Application Layout Pair Operator Application Layout Pair for I Local ApplicationLayout deleted on SAS at same time that a user Edit Operator to remove the Operator XXcannot replicate due to edits a global operator and adds a reference to the Application reference to the Application missing application Layout: Layout. Layout. Document Objects Table 26: Document Object Conflicts Conflict Example Resolution Document C•CURE 9000 Enterprise Architecture Guide Chapter 0 85 EFTA01225662 Synchronization Conflicts Definitions Conflict Example Resolution Document <name> cannot be Global Document deleted on MAS at same time that a user Edit the Personnel record and remove the deleted because it is referenced edits a local Personnel record and adds a reference to the reference to the deleted Document. Then by a personnel record. Document in this Personnel record. delete the Document. 88 Chapter 4 C•CURE 9000 Enterprise Architecture Guide EFTA01225663 Applcabon Server Editor Application Server Editor The Application Server Editor lets you configure the settings for an Application Server that is part of your C•CURE 9000 system. The editor shows the IP Address, Location, Priority, Synchronization Queue Size, and Current Status of the Application Server. The Partition Responsibility table displays the partitions this application server is managing. For more information about Application Servers, see the Introduction on Page 16. When you select Application Server from the Options & Tools pane, a dynamic view opens that displays a list of all Application Servers that are configured in the C•CURE 9000 database. ■ Viewing a List of Application Servers on Page 97 gives instructions for opening the Application Server Dynamic View. ■ Table 7 on Page 68 provides explanations of the columns in the Application Server Dynamic View. ■ Application Server Context Menu on Page 99 provides information about the tasks you can perform using this menu. The Application Server Editor contains the following tabs: ■ Application Server General Tab on Page 89 ■ Application Server Groups Tab on Page 91 ■ Application Server Synchronization Tab on Page 92 ■ Application Server Triggers Tab on Page 94 ■ Application Server State Images Tab on Page 97 Application Server Tasks ■ Accessing the Application Server Editor on Page 87 ■ Viewing a List of Application Servers on Page 97 Accessing The Application Server Editor You can access the Application Server Editor from the C•CURE 9000 Options & Tools pane. To Access the Application Server Editor 1. Click Options & Tools > Application Server. A Dynamic View showing all of the Application Servers on the system appears. 2. Double-click on the Application Server you wish to edit. The Application Server Editor opens. 3. Right-click on an Application Server in the list to open the context menu for that Application Server. C•CURE 9000 Enterprise Architecture Guide Chapter < 87 EFTA01225664 Using the Application Server Editor Using the Application Server Editor The Application Server editor is available on the MAS and on each SAS to let you see the names and status of the Application Servers in the enterprise. From the Application Server editor, you can: ■ Use the General tab to view information about the Application Server, including the list of Partitions for which the server has responsibility. See the Application Server General Tab on Page 89. ■ View the Groups to which this Application Server belongs. See the Application Server Groups Tab on Page 91. ■ Set the Schedules for the Audit Log Synchronization and the Journal Synchronization (available only for a SAS). See the Application Server Synchronization Tab on Page 92. ■ Add Triggers to the Triggers tab that can activate an Event based on the current status of the Application Server or the Synchronization Status of the Application Server. See Application Server Triggers Tab on Page 94. ■ View and change the state images for this Application Server from the State Images tab. See the Application Server State Images Tab on Page 97. When you connected to the MAS and you open the Application Server for a SAS, the only changes that can be made are to the triggers tab. All other fields are read-only or disabled. 88 Chapter < C•CURE 9000 Enterprise Architecture Guide EFTA01225665 Application Server General Tab Application Server General Tab The Application Server General tab allows you to configure your Application Servers by setting the Location for the server. You can also view which partitions the Application Server is responsible for managing, and the size of the Synchronization Queue. The Application Server General tab is shown in Figure 19 on Page 89. Figure 19: Application Server General Tab General Tab Definitions Field Description Name This field displays the name of the Application Server. This field defaults to the computer name of the Application Server. This field cannot be modified. Description Type a description of the Application Server in the Description field. Consider using thedescription to help identify the location and purpose of the Application Server. IP Address This read-only field displays the IP Address of this Application Server. This field is populated automatically. C•CURE 9000 Enterprise Architecture Guide Chapter 0 89 EFTA01225666 Application Server General Tab Field Description Current Status This read-onty field displays the current status of this Application Server. Possible status values are: • Online • Offline Location Type in a textual description of the location of this Application Server that will help you identify the location or purpose of the Application Server. This field is editable only by a client connected to the SAS or MAS being edited. Otherwise this field is read- only. Synchronization Sets the maximum size of the Synchronization Queue on this Application Server. On the MAS. this setting controls the size of Queue Size each synchronization queue the MAS creates. The MAS creates a separate queue for each SAS. The minimum value for this field is 500. The maximum value is 10,000,000. If you have a more than the minimum amount of memory. you can set this size higher than the default value. If you have no extra memory and/or a low transaction rate, set it lower. This field is editable only by a client connected to the SAS or MAS being edited. Otherwise this field is read-only. The default value for a SAS is 10,000. The default value for a MAS is 100,000. Partition This table displays the Partitions that thisApplication Server is responsible for managing. Responsibny 90 Chapter 4 C•CURE 9000 Enterprise Architecture Guide EFTA01225667 Applcabon Server GroupsTab Application Server Groups Tab The Application Server Groups tab lists the Groups of which this Application Server is a member. Groups are used for organizing C•CURE 9000 objects, and for applying Events and Actions to multiple objects of the same type. Groups are created by accessing the Groups Editor from the Configuration Pane. You can configure groups of most C•CURE 9000 security objects, such as doors, personnel, controllers, and holidays. A Group of Application Servers consists of one or more Application Servers that are configured in a C•CURE 9000 database. Each member of the group is an Application Server. Adding an Application Server to a Group You can add an Application Server to a Group using the following procedures. To Add an Application Server To a Group 1. In the Navigation Pane of the Administration Workstation, click Options & Tools to open the Options & Tools pane. 2. Double-click Application Server in the list of Options. A Dynamic View opens showing all Application Server objects. 3. Select the Application Server in the list that you want to add to a group, then right-click and select Add To Group from the context menu. 4. In the Group dialog box that appears, click on the Group to which you want to add this Application Server. 5. The Application Server is added to the Group. To Add an Application Server to a Group from the Groups Tab The Groups tab shows the Groups of which this Application Server is already a member. If this tab is NOTE blank, then the Application Server does not currently belong to a Group. You can use this procedure to add other Application Servers to one of those Groups. 1. From the Application Server Editor on Page 87, click on the Groups tab. 2. Double-click an Application Server Group in the Group row. The Group editor General tab appears. 3. Click the Add button in the Group General tab to add an Application Server object to the Group. The Selection dialog box that opens displays a list of existing Application Servers that can be added to the Group. 4. Select the Application Server that you want to add to the Group and click OK. The Application Server that you selected is added to the Group. C•CURE 9000 Enterprise Architecture Guide Chapter< 91 EFTA01225668 Applcatcri Server Syrichroluzabon Tab Application Server Synchronization Tab The Synchronization tab appears in the Application Server editor when you are editing a SAS Application Server record. The Synchronization tab allows you to enter a Schedule for Audit Log Synchronization and a Schedule for Journal Synchronization. If you are viewing the Application Server for the MAS, this tab is not available. Also, if you are editing a SAS Application Server record from the MAS, these fields are read-only. To optimize synchronization performance, Software House recommends coordinating the Schedules for each SAS so that Audit Log Synchronization and Journal Synchronization are performed at different times. Example: SAS 1 is set to perform Audit Log Synchronization at 1:00 AM and Journal Synchronization at 2:00 AM. SAS 2 is set to perform Audit Log Synchronization at 3:00 AM and Journal Synchronization at 4:00 AM. Audit Log Synchronization Audit Log synchronization is used to combine an Audit Log from a SAS system in the enterprise with the Audit Log at the MAS for central reporting and monitoring. Unlike database synchronization, Audit Log synchronization occurs on a scheduled basis so that overall performance of the MAS and SAS is not affected. When the Schedule you assign for Audit Log synchronization becomes active, the SAS sends its Audit Log changes to the MAS for synchronization. Journal Synchronization Journal synchronization is used to combine the Journal from a SAS system in the enterprise with the Journal at the MAS for central reporting and monitoring. Unlike database synchronization, Journal synchronization occurs on a scheduled basis so that overall performance of the MAS and SAS is not affected. When the Schedule you assign for Journal synchronization becomes active, the SAS sends its Journal changes to the MAS for synchronization. Synchronization Tab Tasks To Assign an Audit Log Synchronization Schedule 1. From the Options & Tools pane on your SAS, click Application Server. The Application Server Dynamic View opens. 2. Double-click on the SAS you wish to edit. The Application Server Editor opens. 3. Click on the Synchronization tab. 4. Click Q and select a Schedule for Audit Log Synchronization. 5. Click Save and Close to save your changes to the SAS Application Server. To Assign a Journal Synchronization Schedule 1. From the Options & Tools pane on your SAS, click Application Server. The Application Server Dynamic View opens. 2. Double-click on the SAS you wish to edit. The Application Server Editor opens. 92 Chapter 4 C•CURE 9000 Enterprise Architecture Guide EFTA01225669 Application Server Synchroolzatba Tab 3. Click on the Synchronization tab. 4. Click in and select a Schedule for Journal Synchronization. 5. Click Save and Close to save your changes to the SAS Application Server. Journal/Audit Synchronization by Event There is an event action to initiate a Journal/Audit synchronization, as shown in Figure 20 on Page 93. Figure 20: EventActionTab EiSaveandClose Save and New Name: syncluounal 01446P6C417 p Earthed Partner, Deface SDS2TWOOD Grog I Oabezz I Meagan Rate 'Gags I Sims mom •feAdd ! lir Remove Action CieeMls Resalable B'Synchronize Leg from H SaltrameHeuse Crensf ere CanyrionObotett,letenelLeg 1 Select Log Type Journal Log C•CURE 9000 Enterprise Architecture Guide Chapter 4 93 EFTA01225670 Application Server TriggersTab Application Server Triggers Tab You can create a trigger that activates an Event based upon the Synchronization Status of a MAS or SAS, the Status of a SAS, or the failed Status of the Audit/Journal Synchronization from the SAS to the MAS. Triggers on Application servers can activate only events local to the Application Server to which the Client is connected while configuring the trigger. Application Server Triggers are saved locally, and are not synchronized between servers. You can only create and/or edit a server's Application Server Triggers from a client with a Client Connection State of Primary to that server. (Edit the MAS Application Server triggers from a MAS Administration client.) The event will stay active as long as the Application Server stays in that state (it is not a momentary event activation). Example 1 You can create a trigger that sets off an Event if a SAS goes offline. You can define the Event to notify an administrator and display on the Monitoring Station so corrective action can be taken. From the SAS Application Server Triggers tab: 1. Click Add. 2. Click inside the Property column, then click to select the Property Synchronization Status for the trigger. 3. Click in the Value column and select SAS is offline or disconnected from the MAS. 4. Click in the Action column and select Activate Event 5. Click 0 in the Event field that appears and select the Event you want to trigger. Example 2 You can create a trigger that sets off an Event if the synchronization of the Audit/Journal database from a SAS to the MAS fails. You can define the Event to notify an administrator and display on the Monitoring Station so corrective action can be taken. 1. Click Add. 2. Click inside the Property column, then click 0 to select the Property Audit Synchronization Status or Journal Synchronization Statusfor the trigger. 3. Click in the Value column and select Failed. 4. Click in the Action column and select Activate Event 5. Click 0 in the Event field that appears and select the Event you want to trigger. SAS Status The following SAS Status values are available as trigger values: ■ Online ■ Offline 94 Chapter 4 C•CURE 9000 Enterprise Architecture Guide EFTA01225671 Application Server I riggers-fah Synchronization Status of MAS/SAS Depending upon where you are editing an Application Server from, the Synchronization Status trigger values available can differ. The following Application Server Synchronization Status values are available as trigger values. Table 27: Synchronization StatusValues Editing a SAS from that SAS SAS is offline or disconnected from the MAS (recommended) Initializing SAS is queuing synchronization requests for the MAS Synchronizing normally Restart SAS to reinitiakze Synchronization Editing a SAS from the MAS Initializing Synchronizing normally Restart SAS to reinitialize synchronization Editing the MAS from the MAS MAS isoffline or disconnected from every SAS (recommended) MAS is disconnected from at least one SAS Initializing MAS is queuing synchronization requests for every SAS MAS is queuing synchronization requests for at least one SAS Synchronizing normally Restart SAS to reinitialize synchronization Editing the MAS from a SAS MAS isdisconnected from at least one SAS Initiating MAS is queuing synchronization requests for at least one SAS Synchronizing normaity Restart SAS to initialize synchronization Status of Audit/Journal Synchronization The following is available as the trigger value for the Audit Synchronization Status and Journal Synchronization Status from the SAS to the MAS: • Failed Creating an Application Server Trigger You can use the Triggers tab to create a trigger for Status, Synchronization Status, or Audit/Journal Synchronization Status properties that activates the Event you select when the status changes to the value that you specify. To Create an Application Server Trigger 1. From the Options & Tools pane, click Application Server. 2. Select the Application Server you want to edit to create a trigger and right-click. 3. Click Edit from the context menu that appears. The Application Server editor opens. C•CURE 9000 Enterprise Architecture Guide Chapter < 95 EFTA01225672 Appbcation Server Triggers Tab 4. Click the Triggers tab. 5. Click Add. 6. Click inside the Property column, then click CI to select a Property for the trigger. 7. In the dialog box that appears, select a Property (choices are Status, Synchronization Status, Audit Synchronization Status, or Journal Synchronization Status). 8. Click in the Value column and select a value to trigger on from the drop-down list. 9. In the Action column, select Activate Event from the drop-down list. 10. A field that allows you to select the Event to activate displays. Click ID and select the Event you want to trigger. 11.If you want to add another property on which to trigger an Event, click Add and repeat the preceding steps. 12. Click Save and Close to save your changes. 96 Chapter < C•CURE 9000 Enterprise Architecture Guide EFTA01225673 Applcabon Server State Images Tab Application Server State Images Tab The State Images tab displays the default images used to indicate Application Server states on the Monitoring Station application. This tab provides a means to substitute custom images for the default images, so that the custom images appear in the Monitoring Station application to represent the Application Servers. To Change the Image for an Application Server State 1. Double-click the existing image. A Windows Open dialog box appears, allowing you to browse for the folder in which you have placed replacement images. 2. When you locate the replacement image, select it and click Open to add it to the image listing. 3. To restore the default image, right-click on the new image and select Restore Default 4. After viewing this tab, click Save and Close to save the Application Server configuration. State Images Tab Definitions The following default State Images appear on the Application Server State Images tab. Table 28: State Images Tab Default Images Button Definition fsi Unknown 0 Online Off ne Li Viewing a List of Application Servers When you select Application Server from the Options & Tools pane, a dynamic view opens that displays a list of all Application Servers that are configured in the C•CURE 9000 database. See Application Server Dynamic View on Page 68 for explanations of the columns in this list. You can double-click on any Application Server in the list to edit it, or you can right-click on an Application Server in the list to display a context menu that gives you options such as Edit, Add to Group, and Fmd in Journal. See Application Server Context Menu on Page 99 for more information on the context menu. You can view a list of Application Servers from the Administration Client or the Monitoring Station. • To View a List of Application Servers from the Administration Client Application on Page 98 • To View a List of Application Servers from the Monitoring Station on Page 98 C•CURE 9000 Enterprise Architecture Guide Chapter < 97 EFTA01225674 Application Server State Images Tab You can change the interactive status of an Application Server from the Administration Client or the Monitoring Station. See Table 29 on Page 100 for more information on Interactive mode. . To View a List of Application Servers from the Monitoring Station on Page 98 • To Change Interactive Mode for an Application Server from the Monitoring Station on Page 99 To View a List of Application Servers from the Administration Client Application 1. In the Administration Client, on the Options & Tools pane, select Application Server. 2. A dynamic view opens that displays a list of all Application Servers that are configured in the C•CURE 9000 database. 3. You can use the buttons on the Dynamic View toolbar to filter, group, print, or query on the list. 4. To change the columns that are displayed in the view, right-click on the Column headings and select the columns you want to display. 5. You group the view by any column heading by clicking on a Column heading and dragging the heading to the Drag columns to group by here area. The view is re-configured to group items by the column heading. Example If you drag the Priority column heading to the Drag columns to group by here area, the view is re- displayed with Priority as the group heading, and the Application Servers grouped by priority. Click the a to expand the list of Application Servers in that Priority. 0 I To View a List of Application Servers from the Monitoring Station You can view a list of Application Servers from the Monitoring Station if your Application Layout includes the Explorer Bar. 1. In the Monitoring Station, on the Options & Tools pane, select Application Server from the Hardware Status Explorer Bar. 2. A dynamic view called Status List - Application Server opens that displays a list of all Application Servers that are configured in the C•CURE 9000 database. 3. You can use the buttons on the Dynamic View toolbar to filter, group, print, or query on the list. 4. To change the columns that are displayed in the view, right-click on the Column headings and select the columns you want to display. 98 Chapter < C•CURE 9000 Enterprise Architecture Guide EFTA01225675 Appitatbn Server State Images Tab 5. You group the view by any column heading by clicking on a Column heading and dragging the heading to the Drag columns to group by here area. The view is re-configured to group items by the column heading. To Change Interactive Mode for an Application Server from the Admin Client 1. From the Dynamic View list of Application Servers on the MAS, select an Application Server and right-click. 2. To set the Application Server to non-Interactive (if the Client Connection State for this Application Server is Interactive), choose Set Non-interactive from the context menu. 3. To set the Application Server to Interactive mode (if the Client Connection State for this Application Server is Non-interactive), choose Set Interactive from the context menu. To Change Interactive Mode for an Application Server from the Monitoring Station 1. From Status List - Application Server, select an Application Server and right-click. 2. To set the Application Server to non-Interactive (if the Client Connection State for this Application Server is Interactive), choose Set Non-interactive from the context menu. 3. To set the Application Server to Interactive mode (if the Client Connection State for this Application Server is Non-interactive), choose Set Interactive from the context menu. Application Server Context Menu If you are viewing the Application Server Dynamic View on a SAS, and you right-click on a SAS system, the context menu is displayed as follows: D, Edit 7)k. Export selection... Find in Audit Log... Find in Journal... Synchronization Conflicts If you are viewing the Application Server Dynamic View on a SAS, and you right-click on the MAS system, the Synchronization Conflicts selection will not be visible. If you are viewing the Application Server Dynamic View from the MAS, the context menu displays as follows if a SAS is selected (the Set Interactive or Set Non-interactive menu selection does not appear if you right-click on the MAS row of the Application Server Dynamic View). C•CURE 9000 Enterprise Architecture Guide Chapter< 99 EFTA01225676 Application Server State Images Tab Edit Export selection... Find in Audit Log... Find in Journal... Set Interactive Synchronization Conflicts The context menu that opens when you right-click on a Application Server in the Dynamic View of Application Servers includes the following selections. Table 29: Application Server Dynamic View Context Menu Selection Description Edit Click this menu selection to edit the Application Server record. The Application Server Editor opens. Export Allows you to export the selected Application Server records to an XML or CSV file. Selection Find in Audit Opens a Query Parameters dialog box in which you can enter prompts and/or modify the query criteria to search ((menthes in Log the Audit Log that reference the selected record. When found, the resutts display in a separate Dynamic View. Find in Journal Opens a Query Parameters dialog box in which you can enter prompts and/or modify the query criteria to search for entries in the Journal that reference the selected record. When found, the resuttsdisplay in a separate . Set Interactive This selection is available onty if you are a Global Operator viewing the Application Server Dynamic View from the MAS. The Set Interactive or Set Non-Interactive menu selection does not appear if you right-click on the MAS row of the Application Server Dynamic View. Click this menu option to set the selected SAS to Interactive mode. An interactive SAS sends update messages to the Monitoring Station and updates to MAS Dynamic Views, the Hardware tree. and the Video tree. • Dynamic views which are Reading Data from the MAS receive allobject notification messages from interactive SAS servers. That means that new and deleted object changes are displayed, and changes to object states are displayed temporarity (MAS Dynamic Views do not dynamicalty display status updates- if you refresh one of these dynamic view s. an status data disappears). In contrast, for SAS servers which are non-interactive, no status data and no object additions or deletions are displayed. Manual refresh causes the object changes to be displayed. • Hardware and Video trees which are displayed while the Default Server is the MAS also receive object notifications from interactive SAS servers. That means that new and deleted object changes are displayed. In contrast. for SAS servers that are non-interactive. no object additions. changes. or deletions are displayed on the tree until it is manually refreshed. Synchronization This selection is available only if you are viewing the Application Server Dynamic View from the SAS. Conflicts Cbck this menu selection to open the Application Server Synchronization Conflicts Dynamic View. See Application Server Synchronization Conflicts View on Page 74. 100 Chapter 4 C•CURE 9000 Enterprise Architecture Guide EFTA01225677 5 Partitions in Enterprise Architecture This chapter explains how Partitions are used by Application Servers in an Enterprise Architecture environment. In this chapter Partition Overview 102 Objects and Partitioning 104 Global Only Objects 105 Optionally Global Objects 107 Non-Global Objects 109 C•CURE 9000 Enterprise Architecture Guide Chapters 101 EFTA01225678 Par lit1071 Overview Partition Overview Partitioning is the creation of different sub-divisions. The classic example is that of the landlord with administration rights to an entire building and tenants with rights only over their own apartments. When an Enterprise Architecture system is created, the following partitions are created automatically: • Global - A protected system-wide partition that resides on the MAS given the name "Global". It contains objects that are shared across the application servers (SASS) in the multiple application server environment. This partition cannot be deleted. • Default (MAS) - A partition that is the default partition for the Master server and given the name "Default: MAS". • Default (SAS) - The default partition created when a satellite server is created and given the name "Default: SAS1", "Default: SAS2", etc. Each Application Server can manage a selected subset (one or more Partitions) of the security devices and Personnel contained in the database. This allows greater flexibility in load balancing of security and personnel assets. You can use the Partition Editor to create additional Partitions for a SAS, as necessary. Do not attempt to create Partitions with the same name on different SAS or MAS systems. If two 0 Partitions in the Enterprise have the same name, synchronization conflicts would result, so validation is performed when you create a Partition that prevents saving a Partition with the same name. Best practice is to prefix Partition names with an identifier that is specific to the MAS or each SAS. Types of Partitions Global Partition The Global partition, the system-wide partition that resides on the MAS, contains the intrinsic objects listed in Non- editable Intrinsic Global Objects on Page 105 and Editable Intrinsic Global Objects on Page 105, created when the system is installed. None of these objects can be deleted by users and because they are global, they can be referenced by local objects on any SAS, and also by global objects. Some of these global partition objects cannot be edited by users, while others can. The Global objects are owned by the MAS, but replicated to all SASes. (Hardware objects can never be put in the Global partition.) MAS Default Partition This partition contains the objects local to the MAS server that are not global and exist only on the MAS. Typically these include Reports, Queries, Dynamic Views, and Data Export. MAS Local (User-Created) Partitions You can create additional local partitions on the MAS system in your enterprise. These Partitions are available only to a client connected to the MAS; the objects in these Partitions are not synchronized to any SAS system. 102 Chapter 5 C•CURE 9000 Enterprise Architecture Guide EFTA01225679 Partition Overview SAS Default Partition This partition contains the objects local to this SAS server that are not global and exist only on this SAS. This is the default Partition where Hardware and Video objects created for this SAS reside. These partitions are synchronized with the MAS. SAS Local (User-Created) Partitions You can create additional partitions on any SAS system in your enterprise. Typically you would create these partitions on a SAS that you wished to further organize and/or subdivide for Personnel or any other C•CURE 9000 objects. You can place any local objects, including Hardware and Video objects, in these Partitions. These Partitions are synchronized with the MAS. C•CURE 9000 Enterprise Architecture Guide Chapter 5 103 EFTA01225680 Objects and Par lthoning Objects and Partitioning There are three categories of objects in Enterprise Architecture: • Global Only Objects on Page 105- objects that exist only in the Global Partition on the MAS. Optionally Global Objects on Page 107 - objects that can reside in the Global Partition on the MAS, but can also be created on a SAS in a local SAS Partition. • Non-Global Objects on Page 109 - objects than can only reside on a single SAS or MAS and are not able to exist in the Global Partition. All objects that are created in the context of a Partition cannot span multiple Partitions. In any Enterprise Architecture system, Partition automatically appears as the right-most column of those displayed for the Dynamic views of all partitioned objects. (If you do not want a particular dynamic view to display the Partition field, you have to do the following: add the Partition field to your dynamic view and then set it to hidden. That will cause the Partition field to not display.) Only Time Zones and Digital Certificates are not partitioned. NOTE Moving Objects to Another Partition Optionally Global objects can be moved from a local Partition to the Global Partition. Example: A local administrator moves an object from the local partition to the Global partition. ■ Scenario 1: The user is connected to the SAS and performs the operation. The SAS proxies the call to the MAS and the operation is performed there. This causes the MAS to send a notification of the change to the SAS and a synchronization is performed. • Scenario 2: The user is connected to the MAS and performs the operation. The MAS performs the operation locally, and the notification goes out to each SAS, which triggers a synchronization causing the local record to be updated. Whenever you try to change an Object from a local Partition to the global Partition, you NOTE receive the following warning, and are given a chance to cancel the change: "This change from a local to a global partition cannot be undone. If you want to change the object back to a local partition, you must delete the object and re•create it. Do you want to continue?" Restrictions for Moving Objects An object cannot be moved from the Global partition to local partitions. An object cannot be moved from a partition owned by one SAS to a partition owned by a different SAS. Partitions themselves cannot be moved from one application server to another. 104 Chapter 5 C•CURE 9000 Enterprise Architecture Guide EFTA01225681 Gobal OnyObiects Global Only Objects Non-editable Intrinsic Global Objects These are non-editable objects that are intrinsic to the Global Partition; these objects are created when C•CURE 9000 is installed. These non-editable objects have a single, predefined name, which is translated in the language of the NOTE MAS, and cannot be changed. ■ Groups (see Group Objects on Page 106): • MI Doors Group/All Inputs Group/All Outputs Group/All Areas Group/All Events Group/All Elevators Group/All Floors Group/All Readers Group/All WAS Doors Group ■ Privileges: • System MI • Full privilege for partition: Global • Access to global common objects ■ Schedules: • Never • Always • Nightly Editable Intrinsic Global Objects These are editable objects that are intrinsic to the Global Partition; these objects are created when C•CURE 9000 is installed. ■ Four System Variables in the Personnel Category • Maximum Documents Per Person • Maximum Cards Per Person • Use General PIN for PIN Only Access • Allow Activation after Expiration ■ Personnel Type: • None • Employee • Contractor ■ CHUID Formats: • Card Only • Ml predefined CHUID Format Templates ■ CCTV Protocol: • American Dynamics CCTV Switch ■ Report Form: C•CURE 9000 Enterprise Architecture Guide Chapter 5 105 EFTA01225682 GobalOnlyObjects • Default Form • Advanced Form To look up in the Audit Log any changes made to these objects in prior versions, you will NOTE need to search for the object by Name, instead of Object ID. (These objects had their Object ID changed in C•CURE 9000 v.2.0 to make them synchronize correctly.) Group Objects The Group object is an special object that can be used to create groups of like objects, such as a Group of Personnel, or a Holiday Group. Predefined $ALL Groups are always Global-only objects. The following Groups are considered $ALL Groups: ■ MI Doors Group ■ MI Areas Group ■ MI Floors Group ■ MI Inputs Group ■ MI Events Group ■ MI Readers Group ■ MI Outputs Group ■ MI Elevators Group ■ MI WAS Doors Group Only one type of Group is an optionally-Global object: the Personnel Group. MI other Groups are Non-Global objects. If a group is Global, it can only contain members which reside in the Global Partition. If a Group resides in a SAS, it can only contain members which reside in the Global Partition or reside in the Group's Partition on the SAS. 106 Chapters C•CURE 9000 Enterprise Architecture Guide EFTA01225683 Optionally G obaI Objects Optionally Global Objects The following types of objects are referred to as Optionally Global objects since they can be global or local depending on the Partition to which the user assigns them. If these objects are made global, they reside in the Global Partition and are available on the MAS and all SASs; if they are local, they reside in a local Partition on a single SAS (or in a local Partition on the MAS, with the exception of Clearances). ■ Personnel ■ Clearances ■ Images ■ Badge layouts ■ Card Formats ■ Personnel types ■ Holidays ■ Personnel Groups ■ Operators ■ Privileges ■ Documents ■ Pre-defined Log Messages Rules for Modifying Optionally-Global Objects All objects assigned to the Global Partition with properties that reference other objects can only reference objects in the Global Partition. Example: If you have a Global Personnel record, the Badge Layout field in the credential can only contain a Global Badge Layout; it cannot contain a Badge Layout reference from a local SAS. • Objects assigned to the Global Partition can have "link table" references (objects assigned from other tables, such as Personnel references to Clearances) from any local Partition (either from a SAS or the MAS). Example: A Global Personnel record can have Clearances local to different SASs, such as SAS1., SAS2, and SAS3. A global clearance can reference a door on SAS1., SAS2, and SAS3. • When you are changing a local record to be a global record, the system checks to be sure the local record does not have any single-link references to other local objects; if it does, the partition change is stopped. • All objects assigned to MAS-only partitions can reference objects from any other partition owned by the MAS, which live only on the MAS. (These are not the global partition; they are other partitions defined on the MAS and local only to the MAS). • Global objects can be directly edited only at the MAS. However, a user at the SAS with proper privileges can edit the object via proxy, if the connection to the MAS is live. This appears to the SAS as though the object is being edited directly, with the following exceptions: C•CURE 9000 Enterprise Architecture Guide Chapter 5 107 EFTA01225684 Optionalty Global Obiects • If the edit fails for any reason, or if during editing, the connection fails, the user on the MAS will get a message back with the error. • If the connection to the MAS is offline when the edit starts, the object is initially read-only, and the Administration title bar indicates that the MAS is offline. The personnel screen is the one exception as the whole screen is read-only except for the Clearances tab. — If the only edit being made is to the personnel clearance link table, then the edit can occur even if there is no connection to the MAS. In that case, the change is synchronized later. • When the edit is performed remotely from the MAS server, the change may not be seen on the local server for several seconds —the user may not see the change they just made if they immediately reopen the same record. ■ When editing a Global object, the data read for the object depends on where the object was retrieved from. If read from the MAS, the editor loads data from the MAS. If read from a SAS, the editor loads data from the SAS. ■ Local objects can be directly edited only at the SAS. However, a user at the MAS with proper privileges can edit the object via proxy, if the connection to the SAS is live (The following rules are exactly parallel to the editing of global objects on the SAS, except for the last rule): • If the edit fails for any reason, or the connection fails during editing, the user on the MAS will get a message back with the errorlf the connection to the SAS is offline when the edit starts, the object will initially be read- only, and the title bar of the admin will indicate that the SAS is offline. The personnel screen is the one exception as the whole screen is read-only except for the Clearances tab. — If the only edit being made is to the personnel clearance link table, then the edit can occur even if there is no connection to the SAS. In that case, the change is synchronized later. • Objects owned by a local SAS can only reference global objects and objects owned by the same SAS that owns the object being edited. The selection list enforces this by showing the user only the objects that they can reference. ■ If you are on the MAS, you can add an object to a partition owned by a SAS; in that case, the add will be proxied to the SAS. Similarly, if you are on a SAS, you can add an object to the global partition, in that case, the add will be proxied to the MAS. ■ Direct editing of the dynamic view is allowed for rows in the dynamic view that point to objects not owned by this server. ■ Object Templates are treated like any other type of object: they can be global or local. • If you want to create a local object using a template, you can use a template local to the SAS where the object is being created, or a global template. • If you want to create a global object using a template, you must use a global template. Otherwise, you could be setting up inappropriate local links in your global template. 108 Chapter 5 C•CURE 9000 Enterprise Architecture Guide EFTA01225685 Non-Global Objects Non-Global Objects User-created objects that are not Global only or Optionally Global are considered non-global objects. They are one of the following two types: ■ Objects that reside on only a single SAS (locally) and are replicated to the MAS. ■ Objects that are in a Partition on the MAS other than the Global Partition, residing locally only on the MAS. Example: An iSTAR controller or a VideoEdge video server is a non-global object. You can only create it in a Partition on a SAS. The object, however, is synchronized to the MAS, allowing it to be viewed and managed from the MAS. ■ You cannot move a non-global object to the Global partition. ■ Non-global objects can be edited on the SAS that owns them and, subject to privileges, on the MAS. • If the MAS owns the object, it can be edited only on the MAS. • If the SAS owns the object, it can be edited on either the SAS or the MAS. ■ If your New Object Partition is set to Global, you cannot create a non-global object (the New button is unavailable). To create a non-global object, you must change your New Object Partition to a Partition other than Global. ■ A local Operator with appropriate Privileges, on a Server that owns a Partition can create a non-global object in that Partition. ■ A Global Operator connected to the MAS can create or edit a non-global object in any partition for which they have privileges. The object is read from the Server that owns the object's partition and is saved on that Server. If the Server that owns the object is offline or not connected, the object can only be viewed on the MAS (Read- only screen) and cannot be modified. In the preceding case, the Read Data from combo box has a label showing that the SAS is not NOTE connected. Non-Global Objects with Fixed Partitions There are a few objects that do not need to be able to be assigned to different partitions, but do need to be replicated from SAS to MAS. ■ Hardware tree objects: • Floors • ISC Comm ports ■ Video tree object: • CCTV Protocols These objects are handled in the same way: 1. Each is given a fixed partition ID that is always set to "Default partition for xxx" (where xxx is the name of the particular Application Server the object resides on). 2. The Partition ID is visible on the the object's dynamic view and on its Editor screen. 3. The object's partition cannot be changed. C•CURE 9000 Enterprise Architecture Guide Chapter 5 109 EFTA01225686 Non•Global Obiects 4. The object can be replicated to the MAS, where you can see the SAS it belongs to by viewing its partition assignment. System Defined Non-Global Objects There are a several intrinsic objects that are non-global. These objects, some of which are editable and some of which are not, have a separate copy at their own SAS and a copy replicated to the MAS, like any other non-global object. System-defined Not Synchronized Objects There is a special class of objects which are created by the system (intrinsic objects) that are not synchronized between Application Servers. These objects are protected (cannot be deleted) and many of them cannot be edited. These objects can be referenced by local objects on the SAS or objects on the MAS, but they cannot be referenced by Global objects, since they are not Global objects. The following not-synchronized intrinsic objects cannot be edited: • Local System Operator • MI predefined SmartCardTemplates (these have names that start with SWH) • Audit default Query • Journal Default Query • MI predefined Queries, Dynamic Views, and Reports, which are used as samples and are created when an Application Server is first started after installation. All these objects have names that start with SWH. Editable Not Synchronized Objects There are a number of system created intrinsic objects that are not replicated but which can be edited by users. Just like the non-editable objects, these objects can be referenced by local objects on the SAS or objects on the MAS. However, this results in some limitations for these objects. You can edit these objects at both the MAS and the SAS, and other objects can refer to them, but each Application Server has its own instance of the object that is distinct from other objects of the same name at the MAS and each SAS. Example: The Remove Report Results event could be renamed by an Operator at a SAS to be called Once Nightly Event, and could have several new actions added to it. When viewed at the MAS, none of these changes would appear, because the MAS would have its own separate Remove Report Results object.. The configuration of these objects at each SAS cannot be viewed at the MAS, unlike all other objects. Because these objects are used by other objects in the system, it is important that Operators not make changes that would alter the meaning and usage of these objects. Table 30 on Page 111 lists all editable but not synchronized intrinsic objects. 110 Chapter 5 C•CURE 9000 Enterprise Architecture Guide EFTA01225687 Non-Global Objects Table 30: Editable But Not Synchronized IntrinsIcOWects Object Type Object Application Layouts Default Application Layout, Default View 1, Default View 2 Dynamicviews Audit Log View, Credentials View, Digital Certificates View Holidays View, Journal View, Personnel View, Report Form View Report Results View, Reports View, Schedules View System Variables View, Time Zone View Event Remove Report Results Audit LogBade* Event Journal LogBademEvent Schedule Audit Log Backup Schedule Journal Log Backup Schedule Images Client_mapStripe1.bmp SwipeShow Default View 1, Default View 2 Time Zones More than 100. (Al time zones are predefined, the user cannot add new ones). System-created Personnel Views (Can only be enabled/disabled, no other editing). Editable Intrinsic Local Objects ■ Hardware Folder: • Company Name (Hardware tree) • Company Name (Video tree) ■ Intrinsic Card Formats (user-created Card Formats are optionally Global): • MIFARE Serial Number • Smart Card Serial Number • Simplex Wiegand 36 • Simplex Wiegand 26 • HID Keypad • HID Simplex Grinnell 36 • Standard Wiegand 26 • Software House 37 • HID Corporate 1000+ C•CURE 9000 Enterprise Architecture Guide Chapter 5 111 EFTA01225688 Non-Global Objects Non-editable Intrinsic Local Objects Each SAS system has a separate copy of these system-defined objects, and these copies are synchronized with the MAS. ■ Privileges: • Access to common objects • Full Privilege for Partition: <Partition-name> Non-global MAS Objects Several types of non-global objects can be created on the MAS so you can run reports, dynamic views and exports, customized for the MAS, in part to support Central Monitoring and Central Reporting. Each of these MAS local objects can only reference Queries that belong to Partitions owned by the MAS. (The Queries themselves are also MAS local objects.) Here are some examples: ■ Data Export ■ Dynamic View ■ Report ■ Query Example: If you look at the Dynamic View for Reports on the MAS, you can see the pre-defined Reports for the MAS, as well as the user-defined reports on the MAS and each SAS. You cannot, however, see the pre-defined Reports that exist on each individual SAS. If you then proceed to edit one of the MAS pre-defined reports, you see that only MAS Queries are available for use with the report. In addition, all MAS local Reports can link only to Report Forms that are also local to the MAS. 112 Chapter 5 C•CURE 9000 Enterprise Architecture Guide EFTA01225689 6 Personnel in Enterprise Architecture This chapter explains how Personnel and related objects are configured on Application Servers in an Enterprise. In this chapter Personnel Overview 114 Configuring Personnel in Enterprise Architecture 115 Global Personnel 117 Global Clearances 119 Global Custom Clearances 120 Disabling Credentials for Inactivity in Enterprise Architecture 121 Editing User-defined Fields in Enterprise Architecture 122 Editing Customer Tab Field Labels 123 Editing C•CURE ID Objects in Enterprise Architecture 124 CHUIDs in an Enterprise 125 Personnel Type in Enterprise Architecture 128 Images in Enterprise Architecture 129 C•CURE 9000 Enterprise Architecture Guide Chapter 9 113 EFTA01225690 Personnel Overview Personnel Overview The Enterprise Architecture provides all the features and benefits of C•CURE 9000 Personnel, and in addition, it allows you to configure Global Personnel and related objects. Global Personnel records can be used across an enterprise that consists of multiple C•CURE 9000 servers. A Global person can be assigned Clearances on any and all C•CURE 9000 servers in the enterprise. ■ The person's record and access credentials can be managed centrally but be applied locally. Therefore, a Global person's access credentials can be used at multiple facilities throughout a geographically distributed enterprise. ■ Global Personnel records are created in the Global Partition on the MAS so that they can be available to every SAS in the enterprise. Personnel can also be defined as local if the Personnel need to have access credentials only for one C•CURE 9000 server. This can be done by simply creating a Personnel record in a local Partition owned by a SAS. See Configuring Personnel in Enterprise Architecture on Page 115 for more details on Personnel in an Enterprise Architecture and Disabling Credentials for Inactivity in Enterprise Architecture on Page 121 You can define/create the following Personnel-related objects as Global: ■ Personnel - see Global Personnel on Page 117 ■ Clearances - see Global Clearances on Page 119. ■ Custom Clearances - see Global Custom Clearances on Page 120 ■ Images - see Images in Enterprise Architecture on Page 129. ■ User-defined fields - see Editing User-defined Fields in Enterprise Architecture on Page 122. ■ Personnel Types - see Personnel Type in Enterprise Architecture on Page 128. ■ CHUID Formats - see CHUIDs in an Enterprise on Page 125. ■ Badge functions - see Editing C•CURE ID Objects in Enterprise Architecture on Page 124. 114 Chapter 6 C•CURE 9000 Enterprise Architecture Guide EFTA01225691 Configuring Personnel in Enterprise Architecture Configuring Personnel in Enterprise Architecture The configuration of Personnel and Personnel-related objects differs from a standalone C•CURE 9000 server environment in the following ways. ■ Personnel records are an optionally-Global object. They can be created in the Global Partition or in any local Partition, such as the Default Partition on a SAS. ■ The INT6, Text12, and Text13 fields are unique only across a single Partition. Therefore, for a Global Personnel record, these fields have unique values in the Global Partition, but these fields are not guaranteed to have a unique value compared to the same fields in another partition. Example A Personnel record in the Global Partition has a Text12 value of "2347" that represents an Employee Number. That value is unique for Text12 in the Global Partition. But a Personnel record in a SAS local Partition would not be prevented from having a Text12 value of "2347". ■ For personnel records being saved on a SAS, the CHUID is unique for all records existing on that SAS. However, it is not guaranteed to be unique across all Personnel records existing at the MAS but owned by local SAS systems. Instead, on the MAS, when you save a credential and change the CHUID field of a Global credential record, it verifies that there are no other records which exist on the MAS which have the same CHUID. No verification is done at the MAS for local records (which are owned by a SAS), when they are replicated up from a SAS. See CHUIDs in an Enterprise on Page 125 for more information on the types of CHUID replication conflicts that can occur. ■ The CHUID format field determines how the CHUID is constructed for each personnel record. The CHUID Format is a special type of record which is always Global; therefore CHUID Formats are always available at any SAS. ■ The Autoincrement card number system variables are treated similarly to the Int 6, etc., uniqueness: The autoincrement value is unique for all records on a particular SAS. See Auto Increment Card Number System Variables on Page 143. ■ The AutoGeneratePlN feature is also unique across a given SAS only. If you are on a SAS editing a local record, a PIN which is unique to that SAS only is generated. If you are on the MAS editing a Global record, a PIN which is unique across the whole MAS is generated. ■ The Maximum Clearances Per Person system variable is enforced only per SAS. In other words, when assigning local or Global Clearances to a Global Personnel record, each SAS is checked so that the maximum number of Clearances (local + global) per person for that SAS is not exceeded. However, the total number of local Clearance assignments on all SAS systems plus Global Clearances assignments for each person on the MAS is not limited. See Maximum Clearances Per Person System Variable on Page 143 ■ Custom clearances assigned to a global Personnel record are always global, while custom clearances assigned to a local Personnel record are always local. Consequently, on each SAS a global person can be assigned up to the maximum number of global custom clearances per person set by the MAS system variable. See Maximum Custom Clearances Per Person System Variable on Page 144. ■ The Pin Length system variable will be enforced only per Application Server. In other words, you can set a different PIN length on each SAS and on the MAS. See PIN Length System Variable on Page 144 for more information. ■ Documents assigned to a Global Personnel record must be Global. ■ See Editing User-defined Fields in Enterprise Architecture on Page 122 for rules about how User-defined Fields defined as unique fields work. C•CURE 9000 Enterprise Architecture Guide Chapter 6 115 EFTA01225692 Configuring Personnel in Enterprise Architecture The following fields are considered "real-time" and are not synchronized: ■ ArealD ■ AreaAccessTime 116 Chapter 6 C•CURE 9000 Enterprise Architecture Guide EFTA01225693 Global Personnel Global Personnel Global personnel can be directly edited at the MAS. MI objects assigned to the Global Partition can have single-link references only to other objects in the global partition. This affects the following fields: ■ Personnel record Personnel type field ■ Personnel record Operator field ■ Credential object CHUID Format field ■ Credential object Badge layout Field A check for valid single-link fields is done by the Selection control that lists objects that can be assigned to a field, and also in the field validation code. It is also enforced during Data Import. When you are changing a local Personnel record to be a Global Personnel record by moving it to the Global Partition, a check is made to make sure the local Personnel record does not have any single-link references to other local objects; if it does, the change of Partition is not allowed (Because a Global Personnel record cannot reference local- only objects). MI objects assigned to MAS-only Partitions can reference single-link objects from any other Partition owned by the MAS because these objects exist only on the MAS Clearance and Custom Clearance assignments for Global Personnel can be made to clearances on any SAS or on the MAS. These Clearance/Custom Clearance assignments are synchronized to the appropriate SAS systems. Editing Personnel from the MAS Local personnel can be directly edited only at the SAS. However, a properly privileged Operator at the MAS can edit the person remotely, if the connection to that SAS is online. ■ If the edit fails for any reason, or the connection fails, the Operator on the MAS gets a message back explaining the error. ■ If the connection to the SAS is offline when the edit starts, the Personnel editor initially is read-only and the title bar of the Administration client indicates that the SAS is offline. ■ Personnel records residing on a local SAS can only reference Global objects and objects owned by the same SAS that owns the Personnel record being edited. For example, a Personnel record owned by SAS1 cannot reference a Badge Layout or a Clearance owned by SAS2. This rule is enforced by restricting the selection list to showing the Operator only objects that can be referenced. This rule is also be enforced for Data Imports for linked objects. When the edit is performed remotely on the MAS server, the change may not be seen on the local SAS system for several seconds. As an Operator on the MAS, you can add an object to a Partition owned by a SAS; in that case, the object is added remotely to the SAS. When you add the object, you are allowed to choose any template you want to use, based on the list of the templates available to the MAS (even if some of those templates don't exist on the SAS to which you are adding the object). Direct editing of Personnel from the Dynamic View is allowed for rows in the Dynamic View whether or not they point to objects owned by the MAS. (If you can see the objects, you can edit them.) C•CURE 9000 Enterprise Architecture Guide Chapter 6 117 EFTA01225694 Global Personnel Editing Personnel from a SAS The following rules apply if you are editing Personnel from a SAS: ■ Personnel residing in a SAS Partition can be fully edited at the SAS. These records can reference linked objects residing in the Global Partition or by this SAS. ■ Global Clearance and Custom Clearance assignments are allowed to Personnel residing on this SAS. These assignments are replicated to the MAS; they can be made whether the MAS is online or offline. ■ Global personnel can be directly edited only at the MAS, however, a properly privileged user at the SAS can edit the Global Personnel record remotely, if the connection to the MAS is online: • If the edit fails for any reason, or the connection fails, the Operator on the SAS receives a message back with the error. • If the connection to the MAS is offline when the edit starts, the Personnel editor is initially read-only, except for the Clearances tab, and the title bar of the administration client indicates that the MAS is offline. • If the only edit the Operator is making is to Personnel Clearances, then the edit can happen even if there is no connection to the MAS. In that case only, the change is made locally (not remotely as is usual) and synchronized later. Global and local Clearances from any SAS can be assigned. • Global Custom Clearances can be assigned to Global Personnel at a SAS, even when the MAS is offline. • When a Global Personnel record is edited, it can reference only other linked objects owned by the Global Partition. When the edit is performed remotely on the SAS server, the change may not be seen on the local server for several seconds. As an Operator on a SAS, you can add an object to the Global Partition; in that case, the added object is remotely saved to the MAS. When you perform the edit, you are allowed to choose any template you want to use, based on the list of the templates available to the SAS (even if some of those templates don't exist on the MAS to which you are adding the object). Direct editing of the Personnel Dynamic View is allowed for rows in the Dynamic View whether or not they point to objects owned by the SAS. (If you can see the objects, you can edit them.) 118 Chapter 6 C•CURE 9000 Enterprise Architecture Guide EFTA01225695 Global Clearances Global Clearances The Clearance object is a optionally-Global object. A Global Clearance can contain doors and schedules from the local SAS systems. You can create Global Clearances if you need to provide access credentials to Personnel who must access Doors or Elevators configured on separate SAS systems. Assigning Clearances to Personnel from a Dynamic View When multiple Personnel from different SAS systems are selected in a Dynamic View, the selections available in the context menu are limited to Clearances that can be assigned to the selected Personnel. Example If multiple Personnel are selected from different SAS servers, then the Assign Clearances context menu selection functions differently depending on the Partition ownership of the selected Personnel. Table 31: Assigning Clearances from a DynamicView Selected Personnel Clearances can be assigned from: Global partition only AA SAS partitions. plus Global. One SAS Only the SAS that owns the Personnel, plus Global. One SAS and Global partition Onty the SAS that owns the Personnel. plus Global. Multiple SAS systems Gbbalelearancesonty. C•CURE 9000 Enterprise Architecture Guide Chapter 6 119 EFTA01225696 Global Custom Clearances Global Custom Clearances In an Enterprise Environment, although Custom Clearances relate to Doors/Elevators that are specific to a particular SAS, assigning Custom Clearances works as follows: ■ Custom Clearances assigned to a Global Personnel record are always global. ■ Custom Clearances assigned to a Local Personnel record are always local. Custom Clearances and Door/Elevator Groups If the MAS is offline, you can add the same Custom Clearance at both the MAS and SAS. Once the MAS is back online, only one Custom Clearance should remain in the database. Each Custom Clearance can include only one Clearance item (either a Door/Door Group or an Elevator/Elevator Group). Since a Door/Elevator group can only include Doors or Elevators from the same SAS, even a global Custom Clearance will have only Door(s) or Elevator(s) for one specific SAS. However a global person can have multiple custom clearances which are relevant for different SASes in the system. When you view a Custom Clearance Dynamic View at a particular SAS, you see only those global Custom Clearances that are applicable to Doors and Elevators at that SAS, in addition to the local Custom Clearances for the SAS. The default Dynamic View for Custom Clearances in an Enterprise environment includes the following columns: ■ Personnel Name ■ Access Type ■ Clearance Item Name ■ Schedule Name ■ Partition Name Right-clicking any of these column headings opens a context menu with other possible Custom Clearance fields that you can choose to display as columns. Removing Expired Custom Clearances from a Personnel Record To remove Custom Clearances in an Enterprise environment you must create the following: ■ An Event on the MAS to remove an expired Global Custom Clearance. ■ A separate Event at the relevant local SAS to remove an expired Local Custom Clearance. 120 Chapter 6 C•CURE 9000 Enterprise Architecture Guide EFTA01225697 Disabling Credentials for Inactivity in Enterprise Architecture Disabling Credentials for Inactivity in Enterprise Architecture The Disabling by Inactivity capability, which allows you to configure your C•CURE 9000 system to automatically disable Personnel Credentials that have not been used for a specified period of time, has some special requirements in the Enterprise environment. Only Card Admits are considered 'card activity' by the Disabling for Inactivity service. NOTE Card Rejects do not count. Since Credentials are expired on their own server, the two Personnel category System Variables, Disable by Inactivity Enabled and Disable by Inactivity Scan Time, must be configured appropriately on each individual MAS and SAS server. ■ A Global Person's Credentials are expired by the MAS server based on the MAS's settings, but using information propagated from each SAS server. The MAS will only expire a Global person's Credentials if there has been no reported card activity (Card Admits) on any of SAS servers in the Enterprise system for the time period set on the MAS. Example: John Scott is a Global Person who regularly travels between the three facilities in an Enterprise Architecture system: SAS1. in San Francisco, SAS2, in Los Angeles, and SAS3 in Boston. Say that John has no Card Admits at SAS3 in Boston for a length of time that exceeds the Inactivity Period set on the MAS for his Personnel Type. • If he still continues to have Card Admits at SAS1. and/or SAS2, his Credential will not be expired by the MAS server. • If at some point no Card Admits are reported for John at any of the SAS sites in the system for an inactivity period longer than that set on the MAS, his Credential will be expired. ■ A Local Person's Credentials are expired by the SAS server based on the SAS's own settings. Software House assumes that the MAS and all its SASes are synchronizing normally on a regular basis. Delays in synchronization can cause inaccurate expirations, as well as inaccurate data on any of the Inactivity Reports. C•CURE 9000 Enterprise Architecture Guide Chapter 6 121 EFTA01225698 Editing User-defined Fields in Enterprise Architecture Editing User-defined Fields in Enterprise Architecture Although User-defined Fields can be defined for any Partition, they are treated as Global-only objects when created, edited, and synchronized. All User-defined Field definitions, no matter what partition they reside in, are synchronized to all SAS systems. All User-defined Field objects are owned by the MAS, regardless of the Partition in which the User-defined Field object resides. Table 32 on Page 122 summarizes when User-defined Fields can be edited. Table 32: Editing User-defined Fields Client Status Operation Allowed Client connected to the MAS. Create, Edit, View, Delete. Client connected to a SASowning the Partition in which the User-defmed field resides,and MAS is available. Create, Edit, View, Delete. Client connected to a SAS, and MAS is unavaiable. View only. Client connected to a SAS that does not own the Partition in which the User-defmed field resides. No pdvieges (cannoteven view). The Partition where a User-defined field resides can control which Operators (and Mich SAS systems) have privileges to the User-defined field. The User-defined fields are replicated to all SAS systems, even those that do not own the User-defined fields' Partition, but Operators connected to those SAS systems cannot view or edit the User- defined fields. Uniqueness for User-defined fields is enforced only within Partitions owned by a single SAS or MAS, and within the Global Partition itself. Examples A User-defined field in a Global Personnel record is unique only across all other Personnel records that reside in the Global Partition. A Personnel record in a Partition other than Global could have an identical value. A User-defined field in a non-Global Personnel record in a SAS is unique only across all other Personnel records that reside in any Partition owned by that SAS. A Personnel record in the Global Partition, or in a Partition owned by a different SAS or the MAS could have an identical value. 122 Chapter 6 C•CURE 9000 Enterprise Architecture Guide EFTA01225699 Edrbng Customer Tab Field Labels Editing Customer Tab Field Labels The Personnel Customer tab and Customer Extended tab field labels (such as Teal through Text25 and Intl through Int9) are treated as Global only objects that are available for every Personnel record on each SAS and on the MAS. These fields are synchronized across all SAS systems to make them available to client applications at each SAS. Thus only one set of Custom Personnel field labels (including all language translations) available across all servers in the enterprise. The labels for these fields are stored in TranslatedResource objects for each Language. When a client system starts a C•CURE 9000 application such as the Administration or Monitoring Station, the resources needed to display these fields is saved or updated to the client's local disk in the same manner as in previous versions. Once the Customer field labels are synchronized to a SAS, a client of that SAS, starting up via the WinShell shortcut icon, will create the proper resource assemblies on the client's machine. The mechanism to update the resource files on the client's local disk is the same as in previous versions. Only an Administration application with the MAS as the primary connection and the New Object Partition set to Global can change the labels on the Customer tab and Customer Extended tab fields, because it will have the Personnel Customer tab Design button enabled. This button is not available on any other Administration application. If you upgrade a standalone C•CURE 9000 to an Enterprise Architecture SAS, any previously existing TranslatedResource entries are removed. If your Enterprise already has customized versions of these fields, these will replace the previous version. If you have not customized these fields, you will need to recreate your custom field translations on the MAS. C•CURE 9000 Enterprise Architecture Guide Chapter 6 123 EFTA01225700 Editing C•CURE ID Objects in Enterprise Architecture Editing C•CURE ID Objects in Enterprise Architecture If you are editing objects that reside on a remote server, and the remote server is not connected, some functions may not be available. Examples You are connected to the MAS, editing a Personnel record that resides on SAS1, when SAS1 is not connected to the MAS. You are connected to SAS1, editing a Personnel record that belongs to the MAS, when SAS1 is not connected to the MAS. • If you are editing a Personnel record that resides in a Partition on a remote server, and that server is not connected to your primary server, the Print Badge button and the Preview Badge button are unavailable. • If you try to perform Batch Print Badges from a Personnel Dynamic View, and one or more personnel you select reside in a remote Partition on a remote server, and that server is not connected to your primary server, the badges for remote personnel fail to print, and a printing error message window is displayed that explains the error. • If you are editing remote Personnel when the remote server is not connected, the buttons on the Personnel Badging tab that launch C•CURE ID functions will be disabled. • If you try to edit a remote Badge Layout when the remote server is not connected, the Launch C • CURE ID Badge Designer button is disabled. Note that the Badge Layout has three identical linked object fields, the Card Format fields. Like all such linked fields, if the badge layout is Global, the card formats referenced must also be Global. 124 Chapter 6 C•CURE 9000 Enterprise Architecture Guide EFTA01225701 CHUIDs man Enterprise CHUIDs in an Enterprise In the Enterprise Architecture, each CHUID format object resides in the Global Partition. That means that CHUID formats can only be created and edited on the MAS; it also means that all Operators who can access the Global Partition can view all the CHUID formats. However, because changing a CHUID Format can have a large impact throughout the enterprise, only an Operator on a client connected to the MAS can create or modify a CHUID Format. An Operator connected to a SAS can use the CHUID Format editor to view, Enable/Disable, or validate fields of a CHUID Format. But a SAS Operator cannot create or change the fields and format of the CHUID Format. Once you have saved a CHUID Format, you cannot change the fields and their formats. You can edit the Name, Description, and the Enabled setting. If you want to modify a CHUID Format, you need to make a copy of the CHUID Format to edit it. Making a Copy of a CHUID Format 1. Select CI-IUID Format in the Personnel pane and click Qs to display a list of CHUID Formats. 2. Open the CHUID Format you want to copy by double-clicking it. The CHUID Format Editor opens. 3. Use the Create Copy button to make a copy with a different name. 4. Edit the copy to make modifications. 5. Click Save and Close to save the copy. Applying CHUID Formats If you use the Apply this CHUID Format button to apply a CHUID Format to existing credentials that currently use a different CHUID format, it is best to do so at a time when no new credentials are being added to the enterprise. If another Operator is creating credentials at the same time that have not yet been synchronized to the MAS, these credentials might not be changed to use the CHUID Format you applied. If this does occurs, you can apply the CHUID Format again to those records using the Apply this CHUID Format button at a later time. CHUID Templates C•CURE 9000 comes with a set of CHUID Format templates. These intrinsic templates are Read-only. You can use these templates to create new CHUID Formats from the MAS by clicking the drop-down list of the New button and selecting a template to use as a basis for the new CHUID Format. If a new CHUID Format or a change that is made to any CHUID Format causes a change in the Maximum CHUID Format length, the iSTAR drivers are notified to initiate a full download. In order to minimize downloads, the system calculates the maximum CHUID Length by considering all non-template CHUID Formats, not just the enabled ones. Handling Credential CHUID Uniqueness Conflicts There are two ways that CHUID uniqueness conflicts can be created. Both methods can happen most often when the MAS is offline to one or more SASes: C•CURE 9000 Enterprise Architecture Guide Chapter 6 125 EFTA01225702 CFIUIDs in an Enterprise • Create a Credential for a Global Personnel record which has particular CHUID on the MAS, while at same time, a Credential for a local Personnel record is created with the same CHUID on the SAS. This can also happen on update instead of create. • Change the Partition of a Person which contains a particular CHUID to be Global instead of local, when a local Personnel record from another SAS system which has not yet synchronized to the MAS already contains the same CHUID. When synchronizing from MAS to SAS, CHUID uniqueness conflicts can occur and create synchronization conflicts, preventing the associated Credential record from replicating to the SAS. However, when synchronizing from SAS to MAS, none of this happens — the record with a duplicate CHUID just replicates to the MAS, with no error. However, when you try to edit one of the affected Personnel on the MAS, which had a replicated CHUID conflict, you cannot save the credential record until you correct the CHUID conflict. In order to make it easier to find and manage CHUID uniqueness conflicts on the MAS, a Query to find Duplicate CHUIDs on the MAS allows you to easily create a report or dynamic view which displays all Credentials that have CHUID uniqueness conflicts involving Global Personnel records. This query, or a report that includes it, by default excludes CHUID uniqueness cases which only involve local Personnel records owned by different SAS systems, since those cases do not cause any synchronization conflicts and do not prevent saving of any credential records on the MAS. Query to find Duplicate CHUIDs A new predefined query can provide information about duplicate CHUID records stored in the system. The result of the query execution is a list of the Credential records limited to credentials that have duplicate values in the CHUID field. The query has the ability to filter the duplicate records by any field in the Credential records. There is one additional field called Is Conflict available in the search criteria that can filter duplicate credentials. This field is not displayed in the Dynamic View of duplicate credentials. Duplicate CHUID records can exist on the MAS server only. SAS servers prevent creation of duplicate CHUID values through the restrictions in the SQL database. This predefined query as well as the ability to create such a query manually is not installed on standalone C•CURE 90(10 systems or on SAS systems, only on the MAS system. New Query Type: Credential with Duplicate CHUIDs A new custom subtype 'Credential with Duplicate CHUIDs' is created to support the request of getting cards with duplicate CHUIDs. This type is available for selection from the 'Instance Query' menu of the Credential type, from 'Sub Type' list on the Query editor and from the 'Sub Type' list of a Report editor. If this subtype is selected on the Report editor it allows assigning a query to the report of the same type. MI the fields the report can show on the layout are the same but it selects only the records with the duplicate CHUID values even if the query is not selected. Selecting this subtype on the Query UI allows the user querying on all the fields from the Credential type. It also creates a virtual field 'Is Conflict' (see below) so the user can filter out records that cause replication conflicts from the records that are duplicates but do not cause the conflict. If the query of this type is used it always limits the selected list of Credentials to the cards with duplicate CHUID values even if no parameters are specified in the query. New Query Field: Is Conflict There are two type of duplicate records the system shall recognize: 126 Chapter 6 C•CURE 9000 Enterprise Architecture Guide EFTA01225703 CHUIDsIn an Enterprise 1. All the duplicate records belong to different SAS servers. This case consider to be a normal case because it is allowed to create local credentials with the same CHUID on different SAS servers. (The system prevents creating duplicate CHUID records within one SAS server but allows if the same CHUID is assigned to local records located on different SASs). If all the records with the same CHUID value are local SAS records the field 'Is Conflict' is defined as false for that records. 2. If there is a group of records with the same CHUID value and one record in the group belongs to a global partition, the case represents a conflict because the global MAS record is rejected once the system replicates it to a SAS that already has a local credential record with the same CHUID. The field 'Is Conflict' is defined as true for all the records in the group for this case. Running a Query for Duplicate CHUIDs in Credentials You can run a pre-defined Query from the MAS to find Duplicate CHUIDs in Credentials. To Run the Predefined Query for Duplicate CHUIDs in Credentials 1. From the MAS Data Views pane drop-down, select Query. 2. Click as i to see a Dynamic View of pre-defined queries. 3. Select SWH-01 - MAS Credentials With Duplicate CHUID. 4. When the query starts, it asks you to specify the 'Is Conflict' parameter. • If Is Conflict is left undefined, the query shows all the records with the duplicate CHUID values located on the MAS server. • If Is Conflict is set to True, the result shows the credential records that cause conflicts during replication from MAS to a SAS only. • If Is Conflict is set to False, the result shows the records that are duplicates but do not generate any replication conflicts. 5. Click Run to run the Query. C•CURE 9000 Enterprise Architecture Guide Chapter 6 127 EFTA01225704 Per sonnet Type in Enterprise Archdecture Personnel Type in Enterprise Architecture The Personnel Type object is a standard optionally-Global object. You can change a Personnel Type object from a local object in a SAS partition to a Global object in the Global Partition. You cannot change the Partition of a local Personnel Type object to another local Partition on a different SAS. A possible synchronization conflict could occur for a Personnel Type object if an Operator on the MAS assigned a Personnel Type to a Personnel record while a user on a SAS deleted the Personnel Type referenced by that Personnel record. 128 Chapter 6 C•CURE 9000 Enterprise Architecture Guide EFTA01225705 Images in Enterprise Architecture Images in Enterprise Architecture The Image object is a standard optionally-Global object. However, it is unusual in that it can have (one of) several possible owners: ■ A Personnel record (most commonly) ■ A Badge Layout record (in the case of a static image) ■ No owner (in the case of dynamic badge layout) ■ Created by System (In case of system image) This is a local object (client_magstripel.bmp) which cannot be modified, and it is replicated to the MAS. In the first two cases above, the Image is part of an existing object, and it is synchronized as part of that object. It inherits the Partition of the object in which it is contained. For a dynamic Image, the Image is not owned by any other object. In this case, the Image can have its Partition explicitly set by the Operator, instead of inheriting it from the object containing it.. The Image can reside in a local or a Global Partition when it is created. C•CURE 9000 Enterprise Architecture Guide Chapter 6 129 EFTA01225706 Images in Enterprise Architecture 130 Chapter 6 C•CURE 9000 Enterprise Architecture Guide EFTA01225707 7 Hardware in Enterprise Architecture 'Ibis chapter explains how security hardware is configured in an Enterprise Architecture. In this chapter Configuring Hardware in Enterprise Architecture 132 C•CURE 9000 Enterprise Architecture Guide Chapter 7 131 EFTA01225708 Configuring Hardware in Enterprise Architecture Configuring Hardware in Enterprise Architecture Access Control hardware can only reside on a SAS - hardware components cannot be created or configured to reside in a MAS Partition because the MAS is not licensed to use any C•CURE 9000 hardware drivers. However, the hardware that is configured for each SAS is visible at the MAS because the objects representing the hardware are replicated and synchronized at the MAS. An Operator connected to the MAS can also create and edit new hardware on each SAS. An Operator can use the Default Server drop-down list to limit the scope of the hardware visible at the MAS. If the Operator selects a SAS system in Default Server, the Hardware tree shows only the hardware from the selected SAS, and new Hardware objects can be created on that SAS. Example: If you have an iSTAR cluster with two controllers configured on one SAS named BOS1 in your enterprise, and another iSTAR cluster with three controllers on a second SAS named BOS2, you can view, manage, monitor and report on both of these iSTAR clusters from the MAS (named BOSMAStw. See Figure 21 on Page 132. Figure 21: (STAR Controllersvisible from the MAS tro •••••••-=4-ilfla l' 9000 Server Options 7. -4 iSTAAContsflar X Ctlaut Unit: *mg - Z Li 4,46 Y 13. It.ol Dote two • tt HAStm - Con. ROAMS,. • tom Obtect &Mont 0,e0 0:, to coo•P to kola*: 80•06ttOwtt • NMI I Own*, I PetiznIkne I 61M1 CdpACIa I NA./ 80 SI Hardware L MA Edge I) Oslo 1 N15.4. 8051 Ref L' 'l a • ESTAR tope Moat Del,. 13052 Itadmebee 1 Stud. m TAR Edge') Clan1 COM V0CZ Reams, GIVI top E Qs* 1 Cat•A 80 51 : tj Dodd fawns tit! Fba C./ C•mtoYtroe (Peek.,Dela 805M\$. • 12 CosteiroNter• rosilenNtlaut 8051 • t., /STAR Gala SAStIbi :_t MAR Edge A Ciao i Lt 6IAREdy B Cinol • j:Il C•agiaryflont IPatilenDdia 8052 • tia 6TAFI PAW SA.52 IN P ril iSTAREds.0 Clatte2 C4 STAR East. Clay 2 I. 12 61AA Up E Qs. 2 If you select a SAS in the Default Server drop-down list, you can only see the iSTAR Cluster and iSTAR controllers that are configured on that SAS (see Figure 22 on Page 133 showing a Dynamic View of 8O62 iSTAR Controllers). 132 Chapter 7 C•CURE 9000 Enterprise Architecture Guide EFTA01225709 Configuring Hardware in Enterprise Architecture Figure 22: iSTAR Controllers Visible with BOS2 as Default Server Server Options ve., so:-. .20 rs•sPeor"."" rt Qimy f -:. KM CeibaIn X lb xxIng•I‘Mt Next 0 y <420. ia.soatao.: oxs..: A Nex0peve~ (XXI GO.... x pox, In Am Next WS: J ii Ns I Paltratise I MAR Eto.0Ms.: Neal IOW re SIMICSOPawl Dna IOW • O.M Cott - GMMet Oat Oxxa tiC62 Nos IM I Sewn ..we . ova 0~4. • 6C Corn Pon ! Cevenffin ihnenDs... 1052 . ComanAism tPosolDetsie Mama : Cowen.. ohemethaut SOSNut Cavante. pesetas** I:30 .2 Caxeixan 0,atamOolaat ••0 M2 If you are connected to the first SAS, BOS1, you can only see one iSTAR Cluster with two controllers - the iSTAR cluster that is in the BOS1 Default Partition. See Figure 23 on Page 133. Figure 23: STAR ControllersVistle from BOS1 Server Options - ' ---/ MAR Chest J ISTAR [Wray .. Niw Objsct &Mere V'e's -17O431 .Vceei. Count 2 lOthiult 0051 ,,c,0,4t, he•," Hardware Ilan* Duation Notion Mao - eSTAR Clusta '. , S 0ITAKEdgea :l re, I tdy/. ,i-..., Xar&ratAl(n, 6 TAREd9X8CX.IX011 Dela 0051 Hardest 1.2 Doted Cabitses u2 Ma Ccatatortieis iPasisonDetake 10 acC ConmPalt _Iti STAR Chtbx I (Edge) J 6Tha rdoeek Woe i j STAR Edge B Otte. I i7 Paii2iPailicaPaci21_ Of you are connected to BOS2, you can only see one iSTAR Cluster with three controllers - the iSTAR cluster that is in the BOS2 Default Partition. See Figure 24 on Page 133. Figure 24: STAR ControlersVisible from BOS2 Server Options b, USW Cceitroir X Object EMS° Vicws*ZIThicaKYVI Count 3 Dia 8062 column: to croup 171Et' te Hardware Vane Dexnpisx, PatlianNatos SLI • riSTARCluste . v . 6fAF1Edge C Owe 2 Heniseee bee i Sosth MAP EdgeDCluea2 0da& B0S2 Mai0naos . STAR Edge E Outs 2 Wait 0052 1.2 NIA Cutlass 41 Moo I CanWselstne (Petition Oslsul - In 40C Cast. Pats nix) :kJ 6Thli asks SAS2 n STAR Edge CCia 2 2 6TAR Edge 0 Owls 2 1 81AR Edge E Pater 2 . C•CURE 9000 Enterprise Architecture Guide Chapter 7 133 EFTA01225710 Configuring Hardware In Enterprise Architecture apC Support on a SAS System apC controllers are supported in an enterprise environment. apC Hardware Audit, which prevents the apC driver service from having to do a full download to each apC every time the driver restarts, is now supported. When the apC driver service on a SAS is restarted, the apC panels connected to that SAS no longer need to perform a full download. ISC Controllers are Not Supported on SAS or MAS The Enterprise Architecture does not provide support for ISC Controllers. C•CURE 9000 version 2.0 or later in standalone mode continues to support ISC Controllers. 134 Chapter 7 C•CURE 9000 Enterprise Architecture Guide EFTA01225711 8 Video in Enterprise Architecture This chapter explains how Video servers and cameras are configured in an Enterprise Architecture.. In this chapter Configuring Video in Enterprise Architecture 136 C•CURE 9000 Enterprise Architecture Guide Chapter 8 135 EFTA01225712 Configuring Video In Enterprise Arehrtecture Configuring Video in Enterprise Architecture Video hardware can only reside on a SAS - video components cannot be configured directly on a MAS because the MAS is not licensed to use any C•CURE 9000 hardware drivers. However, the hardware that is configured for each SAS is visible at the MAS because the objects representing the hardware are replicated and synchronized at the MAS. Example: If you have an Intellex Video Server with two cameras configured on one SAS named BOS1 in your enterprise, and another Intellex Video Server with three cameras on a second SAS named BOS2, you can view, manage, monitor and view video from both of these Intellex Video Servers from the MAS (named BOSMAStw. See Figure 25 on Page 136. Figure 25: Intellex Servers visible from the tvIAS a 4.C..alrfliab 9000 Server Options j SW Cotscier ILL-; Mani Video Saves x Ogialt 214•0; yam • Z DI pa 7 7c,19 StIsbd Data haul: • DC6/492pi • aunt 2 Il• BOSKOStw :LI Stab...values snot ovailable °mho WAS Ow Conn &lbw lOotalt:E0SottiStu A Duty column, to group b/ hey, Nona De.a i Psetat Video 0 ISt A BOS1 Donut EIOSI Ell - IlMrpn v nn sent LI 0 - troika SO52 Dna 8052 Yoko nee j Seat', Vdeo . 1 RO/OCOt LJ Cospen0lemp Penton Detaull 805) ts lade. A BOS1 L2 0:00eVitare P'encnDead 80521 e, Inking A BIM From the first SAS, BOS1, you can only see one Intellex Video Server - the Intellex Video Server that is in the BOS1 Default Partition. See Figure 26 on Page 136. Figure 26. Intelex ServersVisible from 80,51 . e In. 9000 Server Options It 9.; ' ' '''-- If intact video x • I ii New Object Partition: Count 2 Vstelvitipta%V4POS ION'S, 80$1 . [ ,,,; column: to stout, Pliwn Video Nene Demme Patine Nees .clew • Intel Video Serve • O IntelstA BOS1 Oita SOS1 Vdeo nee Vdeo j Floloccit Ea Cavern lane PantionDelault 8051 IntitlexA SCIS1 From BOS2, you can only see one Intellex Video Server - the Intellex Video Server that is in the BOS2 Default Partition. See Figure 27 on Page 137. 136 Chapter 8 C•CURE 9000 Enterprise Architecture Guide EFTA01225713 Configuring Video in Enterprise Architecture Figure 27: IntellexServersVisthie from SAS2 H410 C -C-- 2..2:: '7O7)O Server Options j 640flontoolst j' L. Intellex Vldeo Stever x i • 4 P New Object EscUtion: Views'Zip i;) t V `41 LOS COY* 2 [Default 8O52 • Video Hien6 040:140cm PalmNam New - lintellet Video Server • CI • 0 I 'aka 88052 Dart 8042 WW2*, I Seams Vac J Rossi, La CarprOlame ratAalDelalt 8052 W IrtelenA BOS2 For C•CURE 9000 Connected Program Video in egrations, refer to the product documentation for information on how a given product is supported in an Enterprise Architecture environment. C•CURE 9000 Enterprise Architecture Guide Chapter 8 137 EFTA01225714 Configuring Video In Enterprise Archdecture 138 Chapter 8 C•CURE 9000 Enterprise Architecture Guide EFTA01225715 9 System Variables in Enterprise Architecture This chapter describes how system variables are used in an Enterprise Architecture. In this chapter: System Variables Overview 140 System Variable Dynamic View 141 Personnel Related System Variable 143 Audit/Journal Synchronization System Variables 146 Restarting Drivers When Changing System Variable 147 C•CURE 9000 Enterprise Architecture Guide Chapter 9 139 EFTA01225716 System Variables Overview System Variables Overview In the Enterprise environment, the following four system variables in the Personnel category are global; they reside in the global partition and apply to all application servers: • Maximum Documents per Person • Maximum Cards Per Person • Use General Pin For PIN Only Access • Allow Activation After Expiration MI other system variables are local; they apply to each individual application server and consequently must reside in that SAS's default local partition. The global system variables are always global, while all the other system variables are always local; no operator can choose whether to make a system variable local or global. In fact, an operator cannot choose which partition the system variable resides in. Global system variables behave as follows: • Like all other global objects, changes to these system variables are synchronized from the MAS to all SAS servers, and thus affect the entire enterprise. • The four global system variables can be edited from a SAS as well as the MAS as long as the SASand the MAS are connected. Local system variables behave as follows: • A separate copy of these system variables exists for each SAS, and also for the MAS. • When editing an object on the MAS, sometimes the client validation requires the value of a system variable. In that case, the proper value of the system variable is used based on the SAS partition of the object being edited. Example: If a person is owned by SAS3, then the system variable values associated with SAS3 are used in Personnel validation of, for example, PIN Length. 140 Chapter 9 C•CURE 9000 Enterprise Architecture Guide EFTA01225717 System Variables Dynamic View System Variables Dynamic View On the MAS, System Variables are grouped by Default Partition and then by Category in the System Variables dynamic view, as shown in Figure 28 on Page 141. The dynamic view on the MAS displays a copy of the local system variables belonging to each SAS in the Enterprise System —whatever that number is —as well as the system variables for the default MAS partition, and the global system variables, as shown in Figure 28 on Page 141. FIgure 28: System Variables Dynamic View on a MAS tg, System Variables wfl E3 Genial views - D Coin: 589 Status valtsesese noi arable on the MAS. Pechlwn Category Delatlt BOS2M8ROWN 116) Delault BOS2TPubsht4Stw(18) J Delatit bosZtRabsSAS2(16) si DelatIt BOS2TWOOD (16) !I Delatit luoodzrvr2k3116) D GIcto' :I I 141 s On the SAS, the System Variables dynamic view includes a non-editable Partition Name field on the far right for each variable, as shown in Figure 29 on Page 142. The dynamic view on the SAS displays the default partition for that SAS's system variables. (The partition name for a system variable owned by a SAS named "SAS1" will be "Default: Sas1".) These system variable control the server that owns the system variables. For global system variables, there is only one copy of the system variable, whose partition is always Global. C•CURE 9000 Enterprise Architecture Guide Chapter 9 141 EFTA01225718 System Variables Dynamic View Figure 29: System Variables Dynamic View on a SAS --I vprog•Zi_JeiBY Oneriar. Mainnts. IlentrInoirroditleft “..,5 .1Pt poem '11in I oftd wire iffituson *louvre lie CIA tin,. ',init., es FYN Gttel .1/44m4 no Moth.Fittnyeet.4-1cerium. et eh...hio isiinflaarhoC610941.•0114All est. wee en:remote P.4o. ween aioncutabealwilcirtsin Soleonr.n Ks.9 dos eanesuc aria le enr Ton epea0.0tle ce..is OM? elms*, Orh Pe citeltroitil 4x..t pp, cloia ..pram do. Ciao 1.0.46.4 wileat‘tvo bbenf mealro, Os, ml cob net eats typo or Ia.. 1••••••••••• • tine weird. 41.1n.Ore/ be ale ouloa• arrt•••/ none. 011110.1f'110 eqw.00, di* Mu. Thonwes. abigb area MN it pinien1toad 7 0.-I .sr , o,y 1B03,C0.1. a Ice Iwo* yeas. by ran sig..,irwn.w -bed et • paicnna etanaccrtrorq ect.tai•tfrotil Ivey onenang wow., pipl • ownrroowto it! ItlO -irlionaSeyee PIN iserOrola net:ran williarelOnaasyCtivel pietavOriCtrdimalt Itege•PNIesallvr.Chnzenst.PsrnearaMn , mmCketiveiPet temsanirarber develop/Ail o , Par II 1W Deb*, Fan*, atusnapsun linakecesiatechteepor BOSUffeim. lie iSTA.Relts "%dia snits. MC Sypae pIDOclesenteipz, Jena) 142 Chapter 9 CCURE 9000 Enterprise Architecture Guide EFTA01225719 Personnel Related System Variables Personnel Related System Variables The personnel-related system variables involve changing how personnel validation works. It is possible for an operator to lower the value of one of these system variables in a way that makes existing personnel records invalid. In such cases, the system permits the change to the system variable and does not check to see if any personnel records violate the new value. Later on, however, when the record is being edited, if it violates the new system variable value, it cannot be saved. Example: The PIN Length or Maximum Clearances per Person variables. Auto Increment Card Number System Variables The Auto increment card number system variables are separately unique for all records on each SAS. Each SAS (and the MAS) has its own Auto increment card number start system variable. The system administrator at each SAS is responsible for configuring their SAS with a separate non-overlapping auto increment card number. The MAS also has to be configured with its own range for global records, which must not overlap any of the ranges of any SAS. Disable by Inactivity Enabled and Disable by Inactivity Scan Time System Variables The Disable by Inactivity Enabled and Disable by Inactivity Scan Time system variables must be configured appropriately on each individual server, both MAS and SAS, since Credentials are expired on their own server. A global Person's Credentials are expired by the MAS server using the latest card activity information propagated from each SAS server. Only Card Admits are considered 'card activity' by the Disabling for Inactivity service. NOTE Card Rejects do not count. Software House assumes that the MAS and all its SASes are synchronizing normally on a regular basis. Delays in synchronization can cause inaccurate expirations, as well as inaccurate data on any of the related Inactivity Reports. Maximum Clearances Per Person System Variable The Maximum Clearances Per Person system variable is enforced differently for global and local personnel. For Global Personnel - The system variable is enforced per Application Server. Consequently, when local and/or global clearances are being assigned to a global personnel record, the system validates separately for each Application Server that the maximum number of clearances per person (local + global) is not exceeded for that Application Server. ■ The number of global clearances that can be assigned to a global person can not be greater than the value of the Maximum Clearances Per Person system variable on the MAS. ■ For each SAS, the number of global clearances plus the number of local clearances for that SAS must not exceed the value of the Maximum Clearances Per Person system variable for that SAS. Example: If the Maximum Clearances Per Person system variable on the MAS is set to 10 while it is set to 20 for SAS1 in Boston and to 25 for SAS2 in NYC, then you can only assign 10 local clearances on SAS1 and 15 local C•CURE 9000 Enterprise Architecture Guide Chapter 9 143 EFTA01225720 Personnel Related System Variables clearances on SAS2 to a global person who already has 10 global clearances. For Local Personnel - The system variable is also enforced per Application Server. But when local and/or global clearances are being assigned to a local personnel record, the system simply validates that the maximum number of clearances per person (local + global) does not exceed the value set for that SAS. The system does not care about the Maximum Clearances Per Person value set for global clearances on the MAS. Example: If the Maximum Clearances Per Person system variable on a SAS is set to 5, you can assign a local person on that SAS 5 global clearances. This is true even if the Maximum Clearances Per Person value set for global clearances on the MAS is 3. (You could also assign that local person 4 global clearances and 1 local clearance.) The following situations are essentially handled in the same way. The system permits excess clearances to be added to the system. Later, however, when the personnel record is being edited, the clearance numbers have to be reduced to the maximum allowed before the record can be saved. ■ Due to the simultaneous addition of clearance assignments to a personnel record on the MAS and on a SAS, it is possible for a personnel record on the SAS to exceed the maximum number of allowed clearances. ■ If you are assigning global clearances to global personnel, a special situation can occur if the assignment is happening on a SAS not currently connected to the MAS. In this case, the SAS has no information about the clearance assignments on the other SASes. Consequently, it can validate only that assigning this global clearance does not exceed the maximum number of clearances allowed on itself; no validation is done for the global clearance exceeding the maximum number of clearances allowed for the other SASes. This situation can easily cause the maximum number of clearances to be exceeded. ■ If the apC or iSTAR driver detects that the maximum number of clearances is exceeded, it writes an entry in the system trace log for each personnel record it tried to download that had this problem. In addition, only the number of clearances allowed are downloaded to the controllers. Maximum Custom Clearances Per Person System Variable Since custom clearances assigned to a global Personnel record are always global while custom clearances assigned to a local Personnel record are always local, enforcing the Maximum Custom Clearances Per Person system variable in an Enterprise environment is quite simple. ■ A global person can have the maximum number of global custom clearances per person set on the MAS (up to the maximum of 20) at each different SAS in the system. Example: If the Maximum Custom Clearances Per Person system variable on the MAS is set to 15, then you can assign 15 global custom clearances on each SAS in the Enterprise system: 15 global custom clearances on SAS1, 15 global custom clearances on SAS2, and 15 global custom clearances on SASS. ■ A local person can only have the maximum number of local custom clearances per person set for his/her SAS— up to the maximum of 20. PIN Length System Variable The PIN Length system variable is enforced per Application Server. In other words, you can set a different PIN length for each SAS and for the MAS. When the PIN length for an Application Server is reduced by editing the system variable, an operator trying to edit that record will be unable to save any changes until the PIN length has 144 Chapter 9 C•CURE 9000 Enterprise Architecture Guide EFTA01225721 Personnel Related System Variables been reduced to the maximum allowed size. As a result Software House recommends that the system administrator set the PIN length for all Application Servers to the same value. As long as the operator can display PINS, they can open the Personnel dynamic view, NOTE add the PIN column, and filter on all PINs with a value "> a specified value". This makes it easy to find all personnel who have exceeded the maximum PIN size. C•CURE 9000 Enterprise Architecture Guide Chapter 9 145 EFTA01225722 Audit/Journal Synchronization System Variables Audit/Journal Synchronization System Variables The C•CURE 9000 audit/journal synchronization operation from a SAS to the MAS requires the upload of a great many database records. Therefore, batch mode is used to upload these records block by block. The size of the block is defined by system variables, one in the Audit category and one in the Journal category. Audit Synchronization System Variable The Audit category system variable is named Audit Sync Upload Block Size. It has a type of integer, a default value of 1000, a range of 100 to 10000, and the following description: "This setting affects only Satellite Application Server and defines how many Audit records will be uploaded to Master Application Server in each block for batch-upload sync operation." Journal Synchronization System Variable The Journal category system variable is named Journal Sync Upload Block Size. It has a type of integer, a default value of 1000, a range of 100 to 10000, and the following description: "This setting affects only Satellite Application Server and defines how many Journal records will be uploaded to Master Application Server in each block for batch- upload sync operation." 148 Chapter 9 C•CURE 9000 Enterprise Architecture Guide EFTA01225723 Restarting DriversWhen Changing System Variables Restarting Drivers When Changing System Variables The following local system variables require the driver (iSTAR and apC) to be shut down before you can modify the system variable: • Personnel Category \ Maximum Clearances Per Person • Personnel Category \ Maximum Custom Clearances Per Person You must also restart the apC driver in order to change the following: • Personnel Category \ PIN Length • apC Category\ Maximum Issue Code • apC Category\ Maximum Clearances Per Person on apC • apC Category\ Maximum Number of apC Clearances • apC Category \ Is Using Activation Dates • apC Category \ Is Using Deactivation Dates If you try to change any the preceding system variables on the MAS while the driver on the SAS is running, the system displays a message that the change is not allowed. You must go to the SAS, shut down the driver, change the system variable, and then restart the driver. The following local system variables require a restart of the appropriate driver(s) to take effect: • apC Category \ Hours of Down Time require full download • apC Category \ Minimum number of changes require full download • apC Category \ Minutes between sending date and time • Hardware Driver Category \ Default base priority for causes • iSTAR Category\ Many iSTAR system variables require driver restart. The descriptions for these iSTAR system variables specify if a restart is needed. • WAS Category\ WAS transaction time • WAS Category\ WAS Status poll time For the preceding system variables, even if you edit them on the MAS rather than the SAS, you must later go to the requisite SAS and stop and restart the appropriate driver for the change to go into effect. C•CURE 9000 Enterprise Architecture Guide Chapter 9 147 EFTA01225724 Restarting Drivers When Changing System Variables 148 Chapter 9 C•CURE 9000 Enterprise Architecture Guide EFTA01225725 10 Journal/Audit In Enterprise Architecture This chapter explains how Journal and Audit work in an Enterprise Architecture. In this chapter: Using Journal and Audit Logs in Application Server 150 Log Management 151 C•CURE 9000 Enterprise Architecture Guide Chapter 10 149 EFTA01225726 Using Journaland Audit Logs in Application Server Using Journal and Audit Logs in Application Server C•CURE 9000 logging functions allow you to review previous system activity in the Journal and configuration changes in the Audit Log. The data is collected at the SAS and the MAS in separate log files. The log files have two components: 1. The Activity Journal maintains a record of activity monitored by the system. Records in the Activity Journal can provide a historical view of activity that has occurred within the system, and can verify events when serious issues occur. Journal messages can also provide statistical information on resource usage or help locate people or assets within a facility. 2. The Audit Log provides a history of all configuration changes to the system objects within C•CURE 9000. Changes are recorded as they occur and a record of each is stored in the Audit Database. Depending on your Privilege, you can view the Audit Log at any time. An Operator with the Access to common global objects privilege has Read-Only access to Journal and Audit logs as global objects. Synchronizing Log Files Log file synchronization is used to combine the Journal and Audit data from a SAS system in the enterprise with the Journal and Audit logs at the MAS for central reporting and monitoring. Unlike database synchronization, Journal and Audit synchronization occurs on a scheduled basis so that overall performance of the MAS and SAS is not affected. When the Schedule you assign for Journal or Audit synchronization becomes active, the SAS sends its Journal changes to the MAS for synchronization. You can schedule the synchronization of your SAS logs to the MAS from the Administration Station of the SAS whose logs you want to synchronize. You can only upload from the SAS to the MAS on the SAS. You cannot use a remote connection or request the upload from the MAS. There is a configurable option on the Administration Station for specifying a schedule to synchronize the journal and the audit data. See Synchronization Tab Tasks on Page 92. You can also configure an Event to be triggered when the synchronization of the Audit or Journal NOTE database from the SAS to the MAS fails. For detailed steps, see the Application Server Triggers Tab on Page 94. Audit Logs Audit logs are accessible through the reporting interface and the results of these report types can be generated and displayed in the Report View page or saved in the desired file format. For more information on configuring, querying, and scheduling maintenance on an Audit Log, see the C• CURE 9000 System Maintenance Guide. 150 Chapter 10 C•CURE 9000 Enterprise Architecture Guide EFTA01225727 Log Management Log Management To enable efficient management of the potentially large numbers of log entries in the C•CURE 9000 Audit Log and Journal databases, see the C•CURE 9000 System Maintenance Guide. The SAS log files are synchronized with the MAS log files on a configured basis. Because these log files can get very large, it is recommended that the synchronization process occurs when the MAS and SAS are not busy. See Application Server Synchronization Tab on Page 92 for instructions on how to setup the synchronization schedule for the SAS. The journal/audit logs remain on their current scheduled synchronization interval even if the MAS is shut down and restarted. Managing the log files is necessary so that: • Your databases do not get too large. • You can retrieve off-loaded volumes for viewing. For the best perfonnance, the maximum number of concurrent log file synchronizations should be NOTE four. In C•CURE 9000, you can efficiently manage the potentially large numbers of log entries in the Audit Log or Activity Journal by using system variables to set a predetermined maximum message numbers allowed in these logs. You can also control the size of the log file partition and the number of days to store the data. See Using System Variables for Synchronization on Page 151 for more information. Using System Variables for Synchronization To synchronize C•CURE 9000 audit log and activity journal from a SAS to a MAS requires that a large number of database records are uploaded. Microsoft Sync Framework uses one database transaction to do synchronization operations. C•CURE 9000 uses batch mode to upload these records block by block with each block size defined by a system variable. The audit log and activity journal records are uploaded on a configurable basis. Two system variables are available for a synchronization operation from SAS to MAS: Audit Sync Upload Block Size and Journal Sync Upload Block SizeFor more information on these system variables, see Audit/Journal Synchronization System Variables on Page 146. Using an Event to Manually Synchronize Log Files You can control the synchronization of log files by creating an event that causes these files to synchronize without waiting for the configured schedule. You must create the event on the SAS to upload the log files to the MAS. To Create an Event for Synchronization 1. From the SAS, in the Administration Client, click on the Configuration pane. Select Event 2. Click New. The Event Editor opens. C•CURE 9000 Enterprise Architecture Guide Chapter 10 151 EFTA01225728 Log Management 3. Type in a name for this Event in the Name field. and optionally the Description of the event you are creating. Check Enabled to make the Event available to the Operators.. 4. At the Default state, check Armed. 5. From the Options tab, select Send state changes to Journall or any of the other available options. 6. From the Messages tab, optionally choose to display a message when the event is activated or deactivated. 7. From the Action tab, click Add. From the Action column, select Synchronize Log from SAS. Save and Clole See end Net c.reele Copy Marne Sex Eat jk-scrguan I. Enabled Rabbet. Delat* Goal I Mme.kdg.•.e I Nett I Meant kat I Pa Cortoneon froedshled Lag Mwea.I sta. •• Add Ramon teem Resettle icncheace Leg from S.15 n SoletweRcuse CronFere Can 8. Optionally check Resettable. 9. From the Log Type combo-box at the bottom of the Event window, choose the type of log file you want to synchronize: Audit or Journal Log. Select Log Type: OUT3i AixS Le 10. On the Event State Images tab, choose the State Images settings that you want to use for the Event. 11. Click Save and Close to save the event you have just configured. After you have created the event on the SAS, you can activate the event from either: • Administrative Workstation - From the Configuration Pane, select Event and click as. Select the name of the Event you have just created. Right-Click for the context menu and select Activate. • Monitoring Station - From Non Hardware > Events > Status List - Event, Right-click on the name of the event you have just created and select Activate. 152 Chapter 10 C•CURE 9000 Enterprise Architecture Guide EFTA01225729 Log Management Journal Messages 'There are journal messages for System Activity that refer to the state of the Audit and Journal Synchronization: started, aborted, completed, or failed to start. At the start of the synchronization process, a journal message is sent out and another message is sent when the process is completed. The Messages are system activity messages with text in the format as follows: • Application Server "Server X" started Audit Synchronization. • Application Server "Server X" aborted Audit Synchronization. • Application Server "Server X" completed Audit Synchronization. • Application Server "Server X" failed to start Audit Synchronization due to Master Application Server offline. • Application Server "Server X" started Journal Synchronization. • Application Server "Server X" aborted Journal Synchronization. • Application Server "Server X" completed Journal Synchronization. • Application Server "Server X" failed to start Journal Synchronization due to Master Application Server offline. Journal Triggers in an Enterprise A Journal Trigger is a Query-like object that evaluates Journal Messages and pulses an event when the criteria specified in the trigger is logged in the Journal. Journal Triggers in an Enterprise are Local Only objects, and only trigger Events that are local objects on the same server as the Journal Trigger. Journal Triggers cannot be created in the Global Partition You can create Journal Triggers on a SAS that evaluate Global objects, but each SAS is not aware of Journal Triggers on other SASs. The MAS displays Journal Triggers from all SASs. When you create a Journal Trigger on a SAS, you can select any object (Global or local) to be evaluated (as allowed or constrained by Privileges). However, when you are editing a SAS Journal Trigger while connected to the MAS, you cannot select objects from a different SAS. If you are editing a Journal Trigger located in a local Partition on the MAS, you can only select Events local to the MAS to be activated by the trigger. You can select objects from other Partitions in the query that defines the trigger. Example: You have created a Journal Trigger on a local MAS Partition. You can select objects to evaluate from other Partitions (such as an Object Changed State for an object that resides in a SAS Partition. But you can only use the Journal Trigger to activate an Event that is local to the MAS Partition in which the Journal Trigger resides. Because the MAS does not have any directly-connected hardware, many of the possible Journal Messages are never created on a MAS. You cannot use MAS Journal Triggers to evaluate Journal Messages that are generated on a SAS and NOTE are replicated to the MAS (such as . SAS Journal Messages do not generate notifications on the MAS when they are generated at a SAS, so the MAS Journal Trigger cannot evaluate these messages. C•CURE 9000 Enterprise Architecture Guide Chapter 10 153 EFTA01225730 Log Management 154 Chapter 10 C•CURE 9000 Enterprise Architecture Guide EFTA01225731 11 Central Reporting in Enterprise Architecture This chapter describes how central reporting is used in an Enterprise Architecture. In this chapter: Central Reporting 156 C•CURE 9000 Enterprise Architecture Guide Chapter 11 155 EFTA01225732 Central Reporting Central Reporting C•CURE 9000 Reports provide the capability to create detailed reports about any C•CURE 9000 object, to customize the appearance of reports, print reports, view reports, save reports for later printing/viewing, or convert reports to several output formats. The MAS database allows for Enterprise-wide reporting. MI SAS data is synchronized up to the MAS. Central reporting and configuration is available from the MAS because it receives configuration, journal, and audit data from all Satellite Application Servers. For general information on designing and running Reports, see the Reports chapter in the C•CURE 9000 Dalai Views Guide. An Operator connected to the MAS, with appropriate Privilege, can run Reports that reside in the MAS default Partition which can include data from every server in the enterprise. Reports can only reside in local Partitions, not in the Global Partition. Report objects created on the MAS are not synchronized to other SAS systems. Therefore, Operators cannot create a report that is shared between all the SAS servers. However, a report object created on the MAS can get data from any particular SAS. Retrieving Enterprise Data The data contained in a report depends upon which specific application server you are connected to, and where the report resides. The same request made from a different application server could return different results because the local data is different. If your client application is actively connected to the MAS when you run a report, then the report runs on the server that owns the report. If the report resides in a Partition owned by the MAS, then all the data in the enterprise that the Operator has access to can be included in the report. MI of the pre-configured Reports that reside in the MAS default Partition can report on enterprise data, as can user-cleated reports that reside in that Partition. Conversely, if your client application is connected to the MAS and you run a report that resides in a Partition owned by a SAS, then the data returned only contains the data residing at the SAS, as well as the global data to which you have access. You can use the Read Data from drop-down list to select a Report that resides on a specific SAS to get data from a particular SAS and from the Global Partition, based on your Privileges. You can also use the Read Data from drop-down list in the Report Viewer or in the Query attached to a report to redirect the report to gett data from any other server. This technique allows applying a report from SAS1 to get data from SAS2 (when the client is connected to the MAS). If your client application is actively connected to a particular SAS, or if it is connected to the MAS but you log in to it as a local SAS Operator, you can only run the Reports that reside on that SAS, and the data returned by the Report contains only data from that SAS and from the Global Partition, based on your Privileges. Pre-configured Reports The Default Partitions of each SAS and of the MAS have the same set of pre-configured C•CURE 9000 reports. These reports are created when the SAS/MAS is installed. The pre-configured reports are not synchronized to other servers, and they cannot be modified. However, you can edit these reports and save copies (using the Create Copy button) that can be modified. 158 Chapter 11 C•CURE 9000 Enterprise Architecture Guide EFTA01225733 Central Reporting Operator Privileges If you are a Global Operator, you can run reports that show data from the entire enterprise. You can attach a query to the report that filters out data from specific partitions. For example, if you want to create a Personnel Report that lists all personnel who are not global, you can attach a Query that specifies Partition Name <> Global, and your report does not list Global personnel, only the personnel from non-Global partitions. You can run reports from the MAS that can show data from across the Enterprise. However, if you run the same report from a SAS, you will only see data that is visible from that SAS and the global data from the MAS. The Reports Dynamic View The Report Dynamic View displays a new column that lists the Partition in which the report resides. See Figure 30 on Page 157 for the columns displayed in the Reports View. By default, the report is executed on the server that owns that Partition and displays all the data from that server the Operator can see. Notice that the Partition of the report does not limit the scope to one Partition, but to the entire server that owns the Partition. An Operator on the MAS can select an available server from the Read Data from drop-down list to see a list of the Reports available on that server. Figure 30: MASReportsView iomm VIM • a . n11•511360 Oil n • 1052TRASSO a • Stow woo semi aeon w6 Pia flovNem 11p.. latNaro Os011e PS WNW AK Rom Debt Iwo ROA led VC e..40pM Oola OORINitolOs Sam tion vs al gas la* WI IvAiDt Agues Sallo091•Coluidoi sisi • nodal Dela it.. KOS' ImS Spited moat et limas, UIY ISOS2ThYOS• PKOISOOOPOO1 sa 031.00:04. 0 Oft wO11.1W OW I, Wok ago tnnOT ISOLWROMI.97.1 D:Oi,Ib. sawals co3,00n founotoOVI O. :OsPma wrote eta d WOO:In 44 007. Be Pawed lo‘twoll VW" SICIrsirnN Orw>ve DOlot ion OVA Ito denOMR,. rg.09 SpedSped 00.8A 90421.0MON ba C4ribent YS denS••••••••= afichatile OISOMOMPDSICIetunOt IMF WOO hen*ANA Sped SWIS flustOstoplon AS& DSO it., UtS1 Lot alea wiroArarob* GY BOUTIMENS ..WE. 0.4.0eXWIte. BOSZTNNAlyhi *Sae a scown 04•••ei Report Results When a Report Result is created by running a report, it is created in the Partition defined by the New Object Partition drop-down list, so it is possible to run a report that gets data from one server and stores its results on another server. For example, an Operator on the MAS can select a SAS in the Default Server drop-down list, run a report, then select a different SAS in the Default Server drop-down list, and click Save Result on the Report Viewer. In this instance, the report result is saved on the second SAS. If a Report Result is created by activating an event or by executing the Run on Server command, it is stored on the server where the report is executed. Report Results are not replicated from SAS to MAS. If a Dynamic View of the Report Results objects is displayed and the Read Data from drop-down list points to the MAS, only the Report Results stored on the MAS are displayed. To review local SAS report results, the Operator has to select that particular SAS system in the Read Data from drop- down list. C•CURE 9000 Enterprise Architecture Guide Chapter 11 157 EFTA01225734 Central Reporting 158 Chapter 11 C•CURE 9000 Enterprise Architecture Guide EFTA01225735 12 Central Management in Enterprise Architecture Central Monitoring in the Application Server offers you an enterprise view of events, activities, and views. In this chapter: Central Management Overview 160 Central Administration 161 Central Monitoring Station 166 Central Monitoring Explorer Bar 168 Central Monitoring and Privileges 170 Central Monitoring and Actions 171 C•CURE 9000 Enterprise Architecture Guide Chapter 12 159 EFTA01225736 Central Management Overview Central Management Overview Central Management involves two components, the Central Administration Station and the Central Monitoring Station, which need access, rights and privileges, and a set of tasks that are defined through the configuration process. Configuration is performed at the MAS by the Administrator. As the administrator creates Activity Layouts for each Operator, access and privilege are configured. 180 Chapter 12 C•CURE 9000 Enterprise Architecture Guide EFTA01225737 Central Administration Central Administration Central Administration takes place on the MAS. The Central Administrator configures personnel, operators, synchronization, and other Enterprise tasks. Central Administration gives you the capability to control all of the C•CURE 9000 capabilities in the enterprise from a single Administration client application. Features: The Central Administration Station offers the following features: • Data synchronizes between the MAS and the SAS. See Server Synchronization on Page 47 • Enterprise Reporting and Configuration - Receives configuration, journal, and audit data from all Satellite Application Servers. See Central Reporting on Page 156 • Global Personnel Management - Defines global data that should be shared at every Satellite Application Server, for example, personnel clearances and badges. See Personnel Overview on Page 114 Capabilities: • Administering personnel and performing clearances across an Enterprise - See Personnel Overview on Page 114 and Assigning Clearances to Personnel from a Dynamic View on Page 119 for more information. • Central control of card enrollment - See CHUIDs in an Enterprise on Page 125 • Network authentication and distributed management - See Using the Administration Client from the MAS on Page 26 Centralized reporting enables a single card to be valid across an entire enterprise. See Central Reporting on Page 156. • Supports multiple CHUIDs See CHUIDs in an Enterprise on Page 125. • Encryption available (SQL database encryption options). See the C•CURE 9000 Installation and Upgrade Guide for more information. • Support for 20 servers. See the C•CURE 9000 Installation and Upgrade Guide for more information. • Central badging and photo imaging. See Editing C•CURE ID Objects in Enterprise Architecture on Page 124. • Supports automated synchronization. See Enterprise Architecture Capabilities Summary on Page 32. • Central management of video and hardware resources. See Enterprise Architecture Capabilities Summary on Page 32. Master Database In the Central Administration environment, the configured Master Application Server (MAS) resides on an enterprise server with the Master database that contains the superset of all the enterprise data. MI data is synchronized in real time except for Journal and Audit data which is synchronized on a configured basis, and status values (see Dynamic View Restrictions on Page 64 for more information). C•CURE 9000 Enterprise Architecture Guide Chapter 12 161 EFTA01225738 CentralAdminstratan Application Layouts Application Layouts for central monitoring are built around the same concept of multiple Panes containing Viewers as the standalone Monitoring Station. However, in an Enterprise Architecture, the Application layouts can show an Operator on the MAS a view of Activity/Events on all systems in the enterprise, or from discrete individual servers. See the C• CURE 9000 Monitoring Station Guide for more information. As administrator, you can define Application layouts for specific Operator views. For example, you may want an Operator to view only events in a specific Partition or a specific application server. Default Server When connected to the MAS, the Administration Station provides a drop-down list which lets you select your vantage point on the MAS. You can access the MAS or any of the application servers attached to the MAS from the Default Server drop-down list. If you are an Operator on the MAS you can change vantage points by selecting a server from the Read data from drop-down list. See Understanding The Enterprise Environment on Page 18 Creating Views for Central Monitoring Operators A Global Administrator can create views and Application layouts for Central Monitoring Operators that allow them to monitor activities and perform manual actions according to the privileges that you assign them. The Operator can have any number of SAS and MAS layouts assigned to them. There are two kinds of Application layouts: ■ An Application layout created on a SAS - the Operator can view only the messages from the server that "owns" the layout. ■ An Application layout created on a MAS - the Operator can view the messages from all the interactive SAS servers and the MAS server. (See Setting Application Servers Interactive on Page 164). For example, you can have a configuration that consists of an Operator that has a MAS layout showing only the critical events on the Activity viewer and additionally having two SAS layouts where each SAS layout is configured to show all events from that SAS. Placing these layouts on different screens can help the Operator/Guard monitor several servers but avoid the flood of activity events on a single list. If the controls are attached to a SAS layout, the Operator receives messages from the SAS even if the SAS is not interactive but he does not receive messages from any other SAS servers. The Central Monitoring Operator may need to: • Respond to Alarms • Change Global Personnel data • Perform Event Actions • Generate global reports 182 Chapter 12 C•CURE 9000 Enterprise Architecture Guide EFTA01225739 Central Adrmastratoon To Configure an Application Layout 1. Design the appropriate layout for the responsibilities assigned to the Operator. Create an Application Layout. See the C•CURE 9000 Data Views Guide for more information on this step and the next three steps. 2. Add up to 6 panes per view to the layout. 3. Add Viewers to the Panes. 4. Lock the layout if you do not want Operators moving or changing the layout. 5. Assign the layout to Operators. See the C•CURE 9000 Software Configuration Guide for more information. It is important to configure privileges of the Central Monitoring Operator in a way that they cannot NOTE modify the configuration of the system. The configuration should just provide actions the Operator is responsible for. Application Layout provides additional filtering of activity messages. The Administrator can limit an NOTE activity viewer to show only messages of certain types and configure the Operator to have a subset of application servers in the interactive mode (taking away the ability to turn on/off interactive mode for the servers through the Monitoring Station). Action Constraints In the Activity or Event Viewers, an action on a Global Object is taken in the context of the server that sent the activity message. If you select multiple objects from different Application Servers, the set of items available in the context menu is limited by the ownership of the object. For example, if multiple Personnel are selected from different servers, then the Assign Clearances action behaves differently depending on the ownership of the selected Personnel. See Table 33 on Page 163 Table 33: Actionsand Assign Clearances Multiple Personnel Selected from: Clearances shown from: Global partition only AI SAS partitions One SAS only SAS owning Personneland Global One SAS and Global partition SAS owning Personneland Global Multiple qd:kgq Globalelearance only For the Change Partition action, the list of available partitions is constrained by multiple selections. If local-only objects are included in the selection, then the Global partition is not selectable. If the class of objects is optionally global, then the Global partition is selectable. You can find more information on privileges and partitions in Access to Global Common Objects on Page 54. C•CURE 9000 Enterprise Architecture Guide Chapter 12 183 EFTA01225740 CentralAdminstrat•on Setting Application Servers Interactive An Application Server object has an activity named Interactive which sets the Server in Interactive mode. Once set Interactive, the SAS sends Activity Messages to the MAS. The Activity Viewer and Event Viewer, as well as Dynamic Views, start to display information from the Activity Message received. At the Central Monitoring Station startup (when the Monitoring Station application is started from a client attached to the MAS), Events are fetched from all servers that are set as interactive. Whenever a server is interactive, that server's list of active events is added to the Event Viewer. When a server is disconnected, its Events from that server are removed. The Dynamic View of Application Server objects shows which servers are currently in the Interactive mode. If you are reading data from the MAS, setting the server Interactive does not automatically show newly added objects in a dynamic view and hardware/video folders. You have to use the Read Data from drop-down list to select the server you want to observe, and perform a refresh operation. The ability to have multiple Interactive Application Servers is limited to Global operators where the operators connect their Monitoring Station application to the MAS server. Local operators are limited by their privilege to receive activity messages from their local server only. Setting a Server Interactive from the Administration Station You can set an Application Server as interactive for the Central Monitoring Station Operators by assigning the Application Server records to the Operator record on the Operator Editor Application Server tab. See Figure 31 on Page 165 for a view of the Operator Editor. Servers assigned to the Operator record become interactive automatically when the Central Monitoring Station starts up. The Operator you are editing must be in the Global partition. You can then select the application servers which are assigned to the Operator. To configure a Global Operator, see Accessing the Operator Editor on Page 60 184 Chapter 12 C•CURE 9000 Enterprise Architecture Guide EFTA01225741 CentralAdministration Figure 31: Operator Edda. Set Interactive. 0perotor • amerlees mbi0 Sere end One Sere end Nett Earns rrtetna:_entid Lietaloben Enabled Pet0fon Gkbal Gavial L./6w' Gicvps Avokainn Save:luso s ay s I late/Kim Conwranchorc Sewers 'add Name Detcectm tvo,trer•2: 3 Dealt dexroon Ict der.. AcacthonSelvel mudwa.2k3 B0$2T`i00D Defeat de>"cnon qt Coot Accic4)onSeive; 80S2TW000 ■ Setting a Server Interactive from the Monitoring Station If the Operator has the appropriate privileges, they can set a server interactive (on or off) if it is displayed in the Dynamic View. To Set an Application Server Interactive 1. From the Central Monitoring Station Explorer Bar, go to Hardware Status and click on Application Server. The Status List of Application Servers displays. 2. Right-click on the server name that you want to set interactive. Click Set Interactive from the Context Menu. The server must be online in order for the Interactive selection to be available. 3. If the selected server is currently Interactive, you can right-click on the server name and click Set Non-interactive to change the server to Non-interactive for this Operator. C•CURE 9000 Enterprise Architecture Guide Chapter 12 185 EFTA01225742 Central Monitoring Station Central Monitoring Station Central monitoring offers you an enterprise view of events, activities, and views. Central monitoring is performed by a Global operator using the Monitoring Station from the MAS to monitor activities across the Enterprise. Central Monitoring Overview The Central Monitoring Station lets you keep track of Events, Activities, Access and Device Status, and ongoing security access from an Enterprise level. You can perform Central Monitoring operations across multiple Application Servers in the system and stay aware of all system activity. The Central Monitoring Station is always connected to the MAS. From this vantage point, the Operator can switch from one server to another. If your system running the Central Monitoring Station loses it connection to the MAS, much of the NOTE Central Monitoring functionality will not work until the connection is restored. Features The Central Monitoring Station offers the following features: ■ Activity and Event messages from multiple Application Servers are viewable in a single Activity Viewer. ■ Swipe and Show activity from multiple Application Servers is viewable from a single Swipe and Show Viewer. ■ Replication of data across the system - The remote application servers replicate appropriate data with the MAS. ■ Enterprise Reporting and Configuration - receives configuration, journal, and audit data from all SASs. ■ Global Personnel Management - defines global data that should be shared at every SAS, for example, personnel clearances and badges. Operator Privileges Central Monitoring provides the ability to connect a Monitoring Station client to multiple Application Servers simultaneously. The Monitoring Station Operator can see activities and events from several application servers at once. Operators have privileges to perform manual actions and view activities and events on a global level. Only a Global Operator can connect their Monitoring Station application to the MAS server and use it as a Central Monitoring Station. (CMS). A local Operator (with only SAS Privileges) who connects their Monitoring Station to the MAS will see only notifications from their SAS. Master Database In the Central Monitoring environment, the configured Master Application Server (MAS) resides on a regional server with the Master database that contains the superset of all the enterprise data. MI data is replicated in real time except for Journal and Audit data which is replicated on a configured basis. Application Layouts The application layouts are built around the same concept of multiple Panes containing Viewers as the SAS Monitoring Station. 188 Chapter 12 C•CURE 9000 Enterprise Architecture Guide EFTA01225743 Central Monitoring Station Capabilities The Central Monitoring Station provides an Administrator/Operator with the capability of viewing and monitoring the following: Administering personnel and performing clearances across an Enterprise ■ Receiving Activity Messages on Page 167 ■ Receiving Event Messages on Page 167 ■ Selecting Objects on Page 169 ■ Central Monitoring and Actions on Page 171 Receiving Activity Messages The Operator can receive Activity Messages from multiple Application Servers in a single Activity Viewer. The Activity Viewer has a server column which identifies the Application Server from which the message was sent. Figure 32: Activity Viewer I ; , Da* • Tao Atha, Mbar iononoidnoi2514. 0418/2010 2079 FIIIRSO•dlOw•-alI.* kin IGUdfiCad 164CE4 %/go tn. Per badina.31 bachn,21.3 10n8,2010 Z04.33 PM lUnlroon 1):67911aces. *wen '6x41 Pee. 005214/00071x1 eosawcoo 110/111/2010 2 01 37 PIORcpcied itlArse cod) 041,3031i actors *parse Veal Pelall 10/18/2010 20433 BOSZTWOOD BOSITWCODI PO 10/18/20.0 20. 43M IIWlV20, 0 20316 PHIAdnhod talinon...hcosIGithst 'Cod 70:622614ribal.mbiDolia iw:cdeve4.3t ON) bexchnia3 Receiving Event Messages The Operator can receive Event Messages in an Event Viewer from multiple Application Servers. The Event Viewer has a Server column which identifies the Application Server which sent the message. Viewing Swipe and Show Activity You can select objects in the Explorer Bar from the Master Application Server (MAS) or a selected Satellite Application Server (SAS). C•CURE 9000 Enterprise Architecture Guide Chapter 12 187 EFTA01225744 Central Monitoring Explorer Bar Central Monitoring Explorer Bar In a Central Monitoring Station, the Explorer Bar has an entry for Application Servers that launches a Dynamic View of Application Servers. From the Explorer Bar, the Operator can select a server in the "Read data from" combo box which determines the source of the collection displayed in the Dynamic Views opened from the Explorer Bar. The Dynamic View shows all objects known at the selected server. See Figure 33 on Page 168 Figure 33: CentralMonitoring Station - Explorer Bar • lOSITINASL0SIrt • • Coats ill SPA* 1, OAS • Raids • Arotellems la Caws III Teas a, CM/Donis IS CCTV Omni C 'Caws Warns With the Explorer Bar, you can launch multiple Dynamic Views from different servers for each class of objects shown. For example, you can select a SAS and see a Dynamic View of Doors. However, the Dynamic View is no longer cached and every time a new view of the same type is opened, the layout is reset to the default. Restrictions on the Dynamic View are as follows: • The status values of SAS objects are not replicated to the MAS. The Monitoring Station shows only blanks for status values when you launch the dynamic views from the Explorer Bar and it has the MAS server selected in its "Read data from" combo box. • You cannot view the creation or deletion of objects until you manually refresh such a Dynamic View. • You can select a particular SAS server in the "Read data from" combo box of a Dynamic View screen if it is important to obtain information about status. However, in this mode, only objects from a particular SAS and the global objects are displayed. 188 Chapter 12 C•CURE 9000 Enterprise Architecture Guide EFTA01225745 Central Monitoring Explorer Bar Selecting Objects You can select objects in the Dynamic Views launched from the Explorer Bar from the MAS or a selected Satellite Application Server (SAS). Components in the Central Monitoring environment, the Explorer Bar offers similar objects on the MAS that you find on the SAS. The following components have some differences in the Enterprise environment if they are placed on an Application Layout owned by the MAS: Table 34: Explorer Bar Component Differences Component Description Event Viewer Lists all active events avalable from al the interactive servers. When a server is disconnected or set to non-interactive mode, the events of this server are removed from the Event Viewer. Context Menu Aright-dick menu that allow actions On the object owned by a specific server. Actions are avalable on objects in a Dynamic View, Actions an Activity Viewer, an Event Viewer, and Swipe and Show pane. Al the actions induding the actions on a Global object is taken in the context of the server that sent the Actissity message, if an object is selected on a view. If an object (or several objects is selected on a Dynamic View, the context menu behaves the same way as in the Admit application. Object Viewer The Object Viewer displays an object assigned to the viewer in the context of ownership.The object view of a local object uses the context of the owner of the object. The object view of the global object uses the context of the owner of the Application Layout. Operator Shows all the online operators logged into any server. Menu Application Using an action from the context menu, you can set a server to Interactive to view events and activities in the Central Monitoring Servers environment. Setting a server to interactive mode adds that servers adore events to al MAS application Layouts. Swipe and Swipe and Show activity indicates the name of the Application Server from which the entry is sent. Show C•CURE 9000 Enterprise Architecture Guide Chapter 12 169 EFTA01225746 Central Monrtoring and Privileges Central Monitoring and Privileges Privileges are used to limit the scope of what an Operator can see. Depending on the Application Layouts and the Privileges assigned to you as an Operator, you can perform certain tasks and view certain objects from the Central Monitoring Station. For example, the Administrator can limit privileges of the Operator to see objects from only certain partitions. There are also differences between local and global operators. Local Operators cannot see objects from other SAS servers so only global Operators can use the Monitoring Station application to perform Central Monitoring tasks. Operator Access You can have read access to regular objects and also to objects which are in the Global partition. A privilege can grant you access to objects in the same partition as that of the privilege. Operators can have access to Global objects in the Central Monitoring environment. The Access to common global objects privilege is read-only. For information about Privileges and Operators, see the C•CURE 9000 Software Configuration Guide or see Privileges in Enterprise Architecture on Page 53. 170 Chapter 12 C•CURE 9000 Enterprise Architecture Guide EFTA01225747 Central Mondaring and Actions Central Monitoring and Actions In Central Monitoring, actions (right-click menu items) are redirected to the server which owns an object. For example, if you take the Activate action on an Event, the event is activated on the correct server. This rule applies for actions selected on objects in a Dynamic View in the Event Viewer, in an Activity Viewer and in a Swipe and Show pane. Using Context Menu Actions For any objects that are visible from the Central Monitoring Station, the Operator is able to use actions that are available on that object. For example, Unlock Door unlocks a door selected in an Activity Viewer message or in a Dynamic View. The manual action is directed to the correct server for that object. Central Monitoring - Performing Manual Actions If you are an Operator known to the server's database, you have the ability to create and edit objects on a specified server and to perform manual actions on those objects. Some Operators may need to be assigned limited access to objects across servers. For example, an Operator may need access only to Personnel and only to edit and assign clearances. A Global Operator with the right assigned Privileges can be limited to this function. Because manual actions on Global objects are created in the default Partition where the manual action happens, if an Operator needs to perform manual actions on Global objects, that Operator should be given full access to manual actions in the default Partition of this server, or the Operator will not be able to control these manual actions fully. Restrictions: ■ Depending on their Operator Privileges, a local MAS operator may not be able to see or edit objects which are not owned by the MAS. ■ Depending on their Operator Privileges, a local SAS operator connected to the MAS may not be able to see or edit objects owned by a different SAS. C•CURE 9000 Enterprise Architecture Guide Chapter 12 171 EFTA01225748 Central Monitoring and Actions 172 Chapter 12 C•CURE 9000 Enterprise Architecture Guide EFTA01225749 13 Enterprise Architecture Backup and Restore This chapter explains how to perform backup and restore database management in an Enterprise Architecture environment. In this chapter Back Up and Restore for C•CURE 9000 in an Enterprise System 174 C•CURE 9000 Enterprise Architecture Guide Chapter 13 173 EFTA01225750 Back Up and Restore for C•CURE 9000 in an Enterprise System Back Up and Restore for C•CURE 9000 in an Enterprise System You can use the regular database maintenance tools provided in C•CURE 9000 to back up the main C•CURE 9000 databases on a regular basis so the data is available for recovery in the event of a system crash, or you can back up and restore the C•CURE 9000 databases directly in Microsoft SQL. For more information, see the "Database Maintenance for C•CURE 9000" chapter and Appendix A, "Backing Up and Restoring the SQL Server Database" in the C• CURE 9000 System Maintenance Guide. The following differences exist in an Enterprise Architecture Configuration: ■ A MAS cannot back up and restore a SAS database. Each SAS has to back up and restore its own database. ■ After a database restore is completed, you need to signal the restored server to re-Synchronize with the other servers in the enterprise, using the Enterprise DB Restore Integrity Check option in the Server Configuration Application. See Re-Synchronizing Servers after a Database Restore from Backup on Page 175. You must perform a backup of the MAS databases after each installation of a new SAS system. You must make a MAS backup because a MAS system crash without a backup that includes all SAS systems could result in one or more SAS systems that cannot connect to any MAS - the SAS expects to be able to connect to a specific MAS, but the MAS has no record of that SAS being included in the enterprise. How Synchronization Interacts with Backup and Restore Whenever a database is restored from a backup, the restored system —a SAS, for example—is now live, but out-of- date with its synchronization partner —the MAS. This is because since the time when that restored backup was made for the SAS, normal transactions occurred on both the SAS and the MAS. The system is going to lose the transactions that occurred since the backup was made, causing the following ■ The SAS may have entries it is responsible for that do not exist on the MAS. This happens when these entries had been deleted after the backup was made. ■ The SAS may be missing global entries that the MAS has. This happens when those global entries were made after the backup. ■ The SAS can have global entries that the MAS does not have. This happens when the global entries were deleted from the MAS after the backup was made. ■ The MAS can have entries the SAS does not, for which the SAS is responsible. This happens when entries were added to the SAS after the backup was made. ■ The SAS has incorrect values for some global records. This happens when these global records were changed after the backup was made. ■ The MAS has incorrect values for some records the SAS is responsible for. This happens when those records were changed after the backup was made. For Synchronization to continue to work correctly, the enterprise system must make an adjustment when the restored Application Server starts up. This happens when you restart the restored server with Enterprise DB Restore Integrity Check enabled in the Server Configuration Application for that server. The Synchronization process is now re-run to re-synchronize the servers and resolve the preceding issues. Example: After a database is restored on an Application Server, the data on the server reflects that which was 174 Chapter 13 C•CURE 9000 Enterprise Architecture Guide EFTA01225751 Back Upend Restore for C•CURE 9000In an Enterprise System restored. In other words, if changes were made to Personnel on a SAS (in a partition owned by that SAS) and it became necessary to restore that database to a time before those changes, those Personnel changes would be lost —even if they had synchronized to the MAS. Once the restored SAS was brought online it would synchronize and the MAS would reflect the restored values as well. When restoring a MAS database, the data in the Global partition will be restored NOTE throughout the Enterprise system. Re-Synchronizing Servers after a Database Restore from Backup For Synchronization to continue to work correctly after you restore the MAS or a SAS from a database backup, you need to re-synchronize the restored system with the other servers in the enterprise. You must perform this procedure on each server (MAS or SAS) that you restore from backup. To Re-Synchronize Servers after Restoring 1. Complete the restore from backup for your server. See the C• CURE 9000 System Maintenance Guide for instructions. 2. Run the Server Configuration Application on the server that was restored, using Start>A11 Programs>Software House>C•CURE 9000>Server Configuration Application. 3. On the Settings tab, enable Enterprise DB Restore Integrity Check to begin re-synchronization. 4. Start the CrossFire and Component Framework services. The integrity check takes additional time to run, so there may be some delay before the Administration Application or Monitoring Station can connect to the server. Enterprise DB Restore Integrity Check is a run-once option. If you perform a subsequent restore from backup, you need to repeat this procedure. During day-to-day operations, this option should not be enabled because it may affect performance. C•CURE 9000 Enterprise Architecture Guide Chapter 13 175 EFTA01225752 Back Up and Restore for C•CURE 9000 in an Enterprise System 176 Chapter 13 C•CURE 9000 Enterprise Architecture Guide EFTA01225753 14 Import and Export in an Enterprise 'Ibis chapter describes the Data Import and Data Export capabilities of the Enterprise Architecture environment. In this chapter Importing Data in Enterprise Architecture 178 C•CURE 9000 Enterprise Architecture Guide Chapter 14 177 EFTA01225754 Importing Data in Enterprise Architecture Importing Data in Enterprise Architecture Data Import works the same way as it does with a standalone C•CURE 9000 server. The major difference is that imported data is physically saved in the database of the server that owns the Partition into which the data is imported. Therefore, for performance reasons, it is best practice to perform the import of the data at the server that will own the data. Example: Your configuration has a MAS in Denver, a SAS in Boston, and a SAS in Los Angeles. The Boston SAS System owns the FloorlPartition. The MainCampusPartition is owned by the Los Angeles SAS system. If you wanted to perform a Data Import at the Los Angeles SAS, and some of the records you import are designated to reside in FloollParlition on the Boston SAS, these records are rejected because the Los Angeles SAS system is not aware of the Floorl Partition. However, if the import is performed on the MAS system in Denver, the records are saved on the proper servers, but the performance of the import will be slower than importing the data records separately at each SAS system. Import Watcher in the Enterprise Architecture The Import Watcher on a SAS or MAS can only run an Automated Import that resides in a Partition on that SAS/MAS. Example: The Import Watcher on the MAS can only run Automated Imports that reside in a MAS local Partitions. Exporting Data in Enterprise Architecture Data Export works the same way as it does with a standalone C•CURE 9000 server. The major difference is that exported data is physically read from the database of the server that performs the export. However, the data exported from the MAS can differ from the data exported from the SAS if the synchronization of any object changes from SAS to MAS is delayed. Therefore, for performance reasons, it is best practice to perform the export of the data at the server that owns the data. If you want to export only objects from a specific SAS, log in as an Operator with the privileges which gives you a view only of the partitions belonging to the SAS. You can export only the records to which you have the privilege or partial privilege to view. You can use C•CURE 9000 Export to do the following: ■ Export data to be imported by another database or a Human Resources or other external database. ■ Export files in both manual and automated modes. ■ View historical logs for all exports. ■ Convert the internal data schema into an external XML document. 178 Chapter 14 C•CURE 9000 Enterprise Architecture Guide EFTA01225755 A Enterprise Architecture FAQ 'Ibis appendix contains a list of commonly asked questions and answers about Enterprise Architecture. In this appendix Enterprise Architecture FAQ 180 C•CURE 9000 Enterprise Architecture Guide Appendix A 179 EFTA01225756 Enterprise Architecture FAO Enterprise Architecture FAQ What is Enterprise Architecture? Enterprise Architecture is a purchasable option for C•CURE 9000 that lets you establish a Global framework for distributed management of security objects and personnel. Using Enterprise Architecture, you can have multiple C•CURE 9000 servers, distributed regionally, managing local (and Global) personnel, local hardware, and local video resources, while centrally managing and monitoring the entire enterprise from a Master Application Server (MAS). The local satellite application servers (SAS) systems can make use of global resources defined at the MAS to provide access control at each locale. Operators at the MAS can manage and monitor resources across the enterprise, or can be restricted via Privilege and Partitions to managing any subset of the enterprise. Operators at a SAS can manage only local objects at the SAS (and Global objects on the MAS), while utilizing available Global objects to provide access to Personnel as needed at each site. Local SAS Operator access to Global objects can be limited via Privileges.) See Architecture Overview on Page 42 for more information. What is an Application Server? An Application Server is a C•CURE 9000 server that participate in the Enterprise Architecture. A Satellite Application Server (SAS) is a C•CURE 9000 server with local security objects (such as Personnel, access control hardware, and video servers and cameras), and a local SQL database that is synchronized with a Master Application Server (MAS) to provide enterprise level management and monitoring. See Introduction on Page 16 for more information. What is the Microsoft Sync Framework? The Microsoft Sync Framework version 2.1 is a comprehensive synchronization platform enabling collaboration for applications, services and devices, with support for any data type, any data store, any transfer protocol, and network topology. Microsoft's Synchronization Framework operates using time stamps for data changes. So when data is synchronized, it is time stamped and the next time a synchronization is initiated, all data that has changed since the last synchronization operation is performed, and at that point can be filtered based on specific business rules. What is a MAS? A Master Application Server acts as the central server in an Enterprise Architecture. It aggregates information about security objects that reside on Satellite Application Servers, and provides a platform for central monitoring of activities and events across the enterprise. See Introduction on Page 16 for more information. What is a SAS? A Satellite Application Server (SAS) is a C•CURE 9000 server that contains local data for personnel, hardware, and video security objects, and local configuration data (such as Maps, Schedules, Holidays, Queries, etc.) that can be used to manage access control and video surveillance at a local site in an enterprise. See Introduction on Page 16 for more information. 180 Appendix A C•CURE 9000 Enterprise Architecture Guide EFTA01225757 Enterprise Architecture FAQ Can Video or Access Control Devices be Connected to a MAS? Video and access control hardware cannot be directly connected to a MAS. The MAS is prevented from running the driver services that control video and hardware objects. The MAS server license do not include license to run the hardware and video drivers. The MAS is designed to synchronize the databases of all Satellite servers, so that the enterprise can be centrally managed, not to provide connection of video and hardware. Even though the MAS does not have any directly connected hardware, the MAS can view, manage, and control all the video and access control hardware that is connected to each SAS in the enterprise, as well as getting notification messages from the hardware located on the SAS systems. See: ■ Configuring Hardware in Enterprise Architecture on Page 132 ■ Configuring Video in Enterprise Architecture on Page 136 Can a MAS act as a Badging Station? A MAS can be used for designing and printing of badges for Personnel in the enterprise. Badge layouts designed at the MAS can be saved in the Global partition and can be applied to local Personnel. Global and local Personnel badges can be printed at a badging printer connected to the MAS or to an Administration client workstation connected to the MAS. Editing C•CURE ID Objects in Enterprise Architecture on Page 124. What is a Global Object? A Global object is a security object that resides in the Global Partition on the MAS, and is available for use (subject to privileges) on each SAS in the enterprise. Objects in the Enterprise Architecture on Page 43. What is a Local Object? A local object is a security object that resides in a local Partition on a MAS or SAS, and is available for use only on the server in which it resides. A local object can be viewed or edited from the MAS, but it does not reside on the MAS or on another SAS. A local object from a SAS or the MAS cannot be viewed or accessed on a different SAS. What is an Optionally-global Object? A type of object which can either be made Global (resides on the MAS and is available to every SAS) or local (resides on at most a single SAS or the MAS and can be viewed/edited from the MAS). There are a limited number of object types which can be optionally global. A specific object cannot be both Global and local at the same time. An enterprise can have some objects of a type that are Global while other objects of the same type are local. For example, you can have some Global Personnel in an enterprise, along with some local Personnel objects. See Objects in the Enterprise Architecture on Page 43. What is a Local-only Object? An type of object which can reside on only a single SAS or the MAS, in a Default or user-created Partition. It cannot reside on multiple SAS systems, not can it reside in the Global Partition. Many types of objects must be local-only. See Objects in the Enterprise Architecture on Page 43. C•CURE 9000 Enterprise Architecture Guide Appendix A 181 EFTA01225758 Enterprise Architecture FAQ Can You Edit a Global Object from a SAS? An Operator on a SAS can edit a Global object if they have the correct Privileges. The MAS system must be running and available on the network for editing capability to be available. Can a Global Event Trigger Local Events on One or More Satellite servers? Global Events and Triggers are not supported in version 2.0 or later of C•CURE 9000. Can You Move a Local Object to the Global Partition? Yes, you can change the Partition of some types of local objects (optionally Global object types) to the Global Partition, so that the objects become available throughout the enterprise. If an object is a local-only object type, it cannot be moved to the Global Partition. However, if the local object you are moving to the Global Partition has links to local objects, the local object may need to be modified before the change of Partition is allowed. See Moving Objects to Another Partition on Page 104. Can You Move a Global Object to a Local Partition? Once an object has been made global (residing in the Global Partition), it cannot be moved to a local Partition. The object could be recreated at the local Partition and then deleted from the Global Partition See Moving Objects to Another Partition on Page 104. How Does a MAS Communicate with a SAS? The MAS communicates with a SAS using the Microsoft Synchronization Framework. It synchronizes changes to Global data to each SAS, and it receives updates to local data from each SAS so that the MAS contains a complete picture of all security objects in the enterprise. What is Synchronization? Synchronization is the process used to make sure that all Global objects are available to every SAS system in the enterprise, and that all data in the databases on each SAS is available to the MAS for central monitoring and central reporting. What are Synchronization Conflicts? When C•CURE 9000 attempts to synchronize records between the MAS and SAS systems, sometimes errors can occur that prevent synchronization. Usually such errors occur when two Operators modify related data independently on two different servers. Example: An Operator on SAS1 tries to add a Global Clearance to a Personnel record, but another Operator on the MAS is deleting that Global Clearance. When the servers attempt to synchronize these conflicting edits, a synchronization conflict could occur. 182 Appendix A C•CURE 9000 Enterprise Architecture Guide EFTA01225759 Enterprise Architecture FAQ These errors are logged in the database and can be displayed and resolved by an Operator using the Synchronization Conflicts Dynamic View. In some cases the Operator has to edit data on one of the servers (or on both servers) to resolve the conflict manually. How Do You Resolve Synchronization Conflicts? From the Application Server Dynamic View, you can open a Synchronization Conflicts Dynamic View for a SAS that lists all of the synchronization conflicts for that server. You can right-click on a conflict in the list and you can click Delete to delete the conflict record, or you can right click and select Verify and Delete conflict. You can also edit the object that is listed in the conflict record by choosing Edit associated record. See Application Server Synchronization Conflicts View on Page 74. What is a Global Partition? The Global Partition is a system Partition that resides on the MAS and is available to every SAS. The Global Partition is protected (cannot be deleted) and encompasses objects that are shared across application servers. The contents of the Global Partition are synchronized to each SAS. Objects that arenon-Clobal object types cannot be created in the Global Partition What is a Default Partition? A system Partition that resides on every SAS and the MAS. Each server has its own default Partition. The Default Partition is created automatically during installation and cannot be deleted. The Default Partition is the primary Partition for objects on a SAS. It is automatically selected in the New Object Partition drop-down list each time the Operator selects a new server in the Default Server drop-down list. What is a Local Partition? A Local Partition is a user-created Partition on a SAS or the MAS that can contain local-objects that are available only to that specific SAS and to the MAS. Can a Partition be Moved from One Application Server to Another? A Partition cannot be moved directly from one Application Server to another Application Server. Nor can you move local objects directly from one SAS to another. You can still move local objects on a single SAS from one Partition to another within the SAS, and you can move optionally Global objects from a local SAS Partition to the Global MAS Partition. However, you can export objects from one SAS, delete them on that SAS, and then import them to a different SAS. (You cannot import the same object on several SAS servers because each object must have a unique value in its GUID field. If the same object is imported on different SAS servers, it will likely generate synchronization conflicts.) What is Central Monitoring? Central Monitoring lets you keep track of Events, Activities, Access and Device Status, and ongoing security access from an enterprise level. Central Monitoring lets you see activities and events from several application servers at once. Operators have privileges to perform manual actions and view activities and events on a global level. Privileges are constrained by C•CURE 9000 Enterprise Architecture Guide Appendix A 183 EFTA01225760 Enterprise Architecture FAQ local and regional access rights. Central Monitoring becomes availalbe when a Global Operator connects a Monitoring Station application with the MAS Server. See the Central Monitoring Station on Page 166 for more information. What is Central Reporting? Central Reporting is the ability to create Queries and Reports on the MAS that can contain data from throughout the enterprise. Because information about all objects, Audits, and Journal entries are visible to a Global Privileged Operator, the Operator can create and run Reports that cover the entire enterprise. For example, an Operator can print a list of doors in all the areas a particular Global person went through during the last week (assuming the person visited several different areas during this week). See Central Reporting on Page 156. Can ISC Controllers be Used in the Enterprise Architecture? ISC controllers are not supported in Enterprise Architecture. Can apC Controllers be Used in the Enterprise Architecture? apC controllers are supported in Enterprise Architecture. apC Hardware Audit, which prevents the apC driver service from having to do a full download to each apC every time the driver restarts, is now supported. When the apC driver service on a SAS is restarted, the apC panels connected to that SAS no longer need to perform a full download. Can a SAS Communicate with More than One MAS? A SAS can communicate only with the MAS designated as its master server. You cannot switch an installed SAS to communicate with a different MAS. Can a SAS Communicate to Another SAS? There is no direct SAS-to-SAS communication in the Enterprise Architecture. Each SAS communicates only to the MAS. The MAS communicates with each SAS in the enterprise. What is Upstream Communication? Communication from Server to Client (an example is notifications) is termed upstream communication. What is Downstream Communication? Communication from Client to Server (for example, persistent changes such as update/delete/create) is termed downstream communication. What is a Global Administrator? A Global Administrator is an Operator who has access to all the data/application servers in the enterprise when connected to the MAS. This Operator's record resides in the Global Partition, and has Global SYSTEM ALL Privileges assigned on the MAS. What is a Global Operator? 184 Appendix A C•CURE 9000 Enterprise Architecture Guide EFTA01225761 Enterprise Architecture FAQ A Global Operator is an Operator whose Operator record resides in the Global Partition, but who does not have Global SYSTEM ALL Privileges. This Operator, when connected to the MAS, may have the Privilege to access to all the data/application servers in the enterprise. What is a Local Administrator? A Local Administrator is an Operator whose Operator record resides in a local Partition on a SAS in the enterprise, and who has access to all data at the local server (SAS) and global data at the MAS, subject to Privilege limitations and exceptions. Usually a local administrator has SYSTEM ALL Privilege on the local SAS. However, that Privilege does not give the local administrator the rights to see data from other SAS systems when connected to the MAS. Can the Enterprise Architecture Support Multiple Languages? The Enterprise Architecture follows the standard method of translation that the 9000 uses, and all character data in the 9000 is already stored in UTF-8 or Unicode. There should not be issues with different SAS servers being used in different languages, even if the languages are in different language families and code pages. There are three caveats, however: • The operating system on an Application server should be a version that properly displays characters from other code pages (using the correct fonts). • Each C•CURE 9000 database has a collation (sort order), which is typically based on the default set by the operating system. If different Application Servers have databases with different language-based collations sequences, then the sort order for the same objects may be different on different Application Servers. Data stored in the C•CURE 9000 database (names of objects or labels on a report's layout, for example) are not translated. Each client displays the same object name the way it was originally entered. However, each client shows the user interface elements using the language package installed on that particular client. C•CURE 9000 Enterprise Architecture Guide Appendix A 185 EFTA01225762 Enterprise Architecture FAQ 186 Appendix A C•CURE 9000 Enterprise Architecture Guide EFTA01225763 Index A C Access C•CURE ID Objects 124 Card Enrollment 33 Card Enrollment 33 to Common Global Objects privilege 54 Central to Common Objects privilege 54 Badging 33 actions Imaging 33 context menu, central monitoring 171 Management on Global Objects 163 Hardware 34 Activity Messages 167 overview 160 Administration client 26 Video 34 MAS 26 Monitoring 32 SAS 31 Database 161 Application Server Explorer Bar 168 Context Menu 72, 99 Global Objects Access 170 Dynamic View 68 introduction 16 Editor 87 Manual Actions 171 accessing 87 overview 166 using 88 Privileges 170 General Tab 89 Reporting 32 Groups Tab 91 introduction 16 Interactive 169 overview 156 making Interactive 164 CHUID Operator Application Server tab 58 Format 125 State Images tab 97 in Enterprise system 125 Synchronization Conflicts View 74 Clearance Synchronization tab 92 overview 119 Triggers tab 94 Client Application Server Partitions 101 Configuration 62 Assigning Client Configuration 51, 63 Global Clearances 119 Common Global Objects 54 Audit Log Common Objects, Access 54 in Application Server 150 Configuration 44 Synchronization 47 Configure clients 51 Synchronization System Variable 146 Configuring Clients 62-63 Configuring Personnel 115 B Conflict, Verify and Delete 78 Backup and Restore 174 Conflicts View 74 C•CURE 9000 Enterprise Architecture Guide Index 187 EFTA01225764 Index context menu Executor 169 actions, central monitoring 171 Explorer Bar 168 Context menu, Synchronization Conflicts View 77 Components 169 Conventions used in this manual 13 Exporting Data 178 Credentials, disabling for inactivity 121 System Variables for 143 F FAQ 180 Custom Clearances 120 Field Labels 123 removing from personnel record 120 viewing at a SAS 120 G Customer Support Center 14 Global Customer Tab, Field Labels 123 Objects Common 54 D Global Administration 32 Data Export 178 Global Clearance 32,119 Data Import 178 Global object 170 Data Synchronization 17 Global Objects 106 database 161 Global Objects, edit from SAS 45 Database Backup 174 Global Objects, Optionally 107 Database Restore 174 Global Operator 33 Default Server 26, 31 Global Operator, Configuration 61 Disabling Credentials for inactivity 121 Global Partition, CHUID Format 125 Dynamic Views, Global 64 Global Personnel 32,117 Dynamic Views, menu bar 64 Global Privileges 33 E Global System MI Privilege 53 Editable Not Replicated Objects 110 Global System Variables 140 Editing Global Objects 45 Editing Objects remotely 45 H Hardware Configuration 131-132 Editing User-defined Fields 122 Hardware Tree, SAS 30 Emergency Support Hours 14 Holiday Groups 66 Encryption 34 Holidays, Global 66 Enrollment 33 Holidays, limits 66 Enterprise Architecture 18 Enterprise Architecture Configuration 44 Enterprise Architecture FAQ 180 Images in Enterprise Architecture 129 Enterprise Architecture Objects 43 Import Watcher 178 Enterprise Architecture, Hardware 131 Importing Data 178 Enterprise Architecture, Personnel 113 Interactive Application Server 164 Event Messages 167 Interactive mode, for Server 58 Event Viewer 169 Interactive, set 29 Event, Manually Synchronize Log Files 151 Events in an Enterprise 35 188 Index C•CURE 9000 Enterprise Architecture Guide EFTA01225765 Index Object Viewer 169 J Objects Journal Moving to another Partition 104 in Application Server 150 Objects and Partitioning 104 Synchronization System Variable 146 Objects in Enterprise Architecture 43 Journal Messages 153 Objects, Not Replicated 110 Journal Synchronization 47 operator L Central Monitoring 162 Licensing a MAS 36 Operator Configuration 60 Licensing a SAS 36 Operator Menu 169 List of Application Servers 70, 97 Operator Privileges 56, 58,157 Local Objects, edit from MAS 45 Operator, Application Servers tab 58 Local Operator 33 Optionally Global Objects 107 Local Operator, Configuration 61 Local System Variables 140 P Partitions in an Entrerprise Architecture 101-102 Log Management 151 Perosnnel Type 128 M Personnel Customer Tab 123 Manual Actions Personnel in Enterprise Architecture 113 Central Monitoring 171 Personnel Overview 114 Manually Synchronize Log Files 151 Personnel System Variables 143 MAS 16 Auto Increment Card Number 143 MAS License 36 Disable by Inactivity Enabled 143 MAS System All Privilege 54 Disable by Inactivity Scan Time 143 Master Application Server 16 Maximum Custom Clearances Per Person 144 Maximum Clearances Per Person PIN Length 144 Personnel System Variables 143 Personnel, Global 117 Microsoft Sync Framework 42 Pre-Installation for Enterprise Architecture 52 Microsoft Synchronization Framework 42 Privileges 170 Monitoring Station client 26 Privileges, Global 33 Moving Objects to another Partition 104 Privileges, Local 33 Multi-version and Integrations 25 Privileges, Operator 58 Multi-version Client Support 21 Multi-version Server Synchronization 21 R Remote Editing, Global Data 34 Multi-version Support 19 Reports View 157 N Restarting Drivers when changing System New Object Partition 28 Variables 147 Normal Support Hours 14 Restore 174 Not Replicated Objects 110 S 0 SAS 16 Object Creation, Templates 30 SAS License 36 C•CURE 9000 Enterprise Architecture Guide Index 189 EFTA01225766 Index SAS System All Privilege 53 U Satellite Application Server 16 User-defined Fields, Editing 122 scalability Hardware 170 V Scalability Verify and Delete Conflict 78 Hardware 33 Video Configuration 136 Video 33 Video Tree, SAS 30 Selecting Objects in Dynamic Views 169 view Server Options 31 Central Monitoring 162 Server Options pane 26 View Server Synchronization 47 Report 157 Setting Up Enterprise Architecture 52 Viewing a List of Application Servers 70, 97 State Images tab, Application Server 97 Swipe and Show 169 Sync Framework 42 Synch Framework 42 Synchronization 34 Synchronization Conflicts 49 Synchronization Conflicts View 74 Synchronization Conflicts, Definitions 79 Synchronization tab 92 Synchronizing Log File 150 Synchronizing Data 17 System-defined Objects 110 System All Privilege 53 Global 53 MAS 54 SAS 53 System Variable Dynamic View 141 Global 140 Local 140 Personnel 143 Restarting Drivers 147 Synchronization 151 T Telephone Technical Support 14 Template, Object Creation 30 Triggers tab, Application Server 94 190 Index C•CURE 9000 Enterprise Architecture Guide EFTA01225767