OPENPATH ADMIN PORTAL USER GUIDE

Version 3.9 Openpath 2022

NEW FEATURES MARCH 2022

- You can mute Smart Readers and Video Readers. See HARDWARE DASHBOARD
- New accounts configure integrations and apps using the App Marketplace. Older accounts will continue to use the Integrations page and will be migrated to the App Marketplace soon. See INTEGRATIONS AND APP MARKETPLACE

GETTING STARTED

The Openpath Control Center is an online portal where Administrators can configure the Openpath Access Control system through an Internet browser. This user guide will explain how to get started in the Control Center, manage users and hardware, and provide access to your entries.

Note: Some features in the Control Center are only available in certain software packages and as add-on features. Also, depending on your role, not all of these features may be visible to you.

TERMINOLOGY

- ACU: A cloud-based control panel that manages access to a secured area.
- Cloud Key Credential: A credential that lets users generate links to provide temporary access through the Openpath Mobile App or through the Control Center.
- Control Center: An online portal that lets administrators manage users, set up entries and permissions, and troubleshoot hardware.
- Credential: A key presented to a reader to gain access to an entry. Examples include cards, key fobs, and mobile credentials.
- Entry: A door, gate, turnstile, elevator floor, or other point of access. Often secured with a reader or wireless lock.
- Entry State: Determines whether an entry is locked or unlocked and defines what kinds of credentials and trigger methods are valid.
- Mobile Credential: An access method tied to a user's smartphone through the use of the Openpath Mobile App.

- Openpath Mobile App: Used for providing mobile credentials and remote unlock for users. The app is available for iOS and Android devices.
- Remote Unlock: A feature that lets users unlock an entry via the Openpath Mobile App without needing to be in range of the Reader.
- Request to Exit: A sensor that detects when someone is exiting an entry which lets the Smart Hub ACU know to unlock the door.
- Schedule: A set of defined dates and times that can be used to restrict access to entries or users.
- Site: A physical location (usually a building) that contains zones and entries.
- Smart Reader: A device installed near an entry capable of reading information stored on key cards, fobs, and Openpath mobile credentials.
- Trigger Method: A combination of credential type and 1FA/2FA.
- User: A person defined in the Control Center with credentials.
- Wiegand Reader: A device installed near an entry capable of reading information stored on a Wiegand card and transmitting to an access control unit.
- Zone: Contains one or more entries within a site. Zones are the units of physical access permissions that you assign to users and groups.
- 1FA: Single-Factor Authentication.
- 2FA: Two-Factor Authentication.

LOGGING IN

1. Go to
There are two ways to log in. If you received admin credentials through Openpath, use the Login tab. In order to use the Single Sign On (SSO) tab, your organization must have enabled the feature when setting up GOOGLE G SUITE, MICROSOFT AZURE ACTIVE DIRECTORY, ONELOGIN, or OKTA.

Note: If you try logging in via SSO and get an error asking for your namespace, that is because your organization has enabled SSO for two or more identity providers. Ask the admin who set up the identity provider integrations for the correct namespace to use. See also USER DATA MODEL.

Figure 1 Login screen

DASHBOARDS

ACTIVITY DASHBOARD

Once logged in, you'll see the Activity Dashboard. This page shows a live feed of access events from the past hour, as well as statistics about event activity and active users. Click on the name of a user to go to their User Details.

Figure 2 Activity Dashboard

CAMERA SNAPSHOTS

If you have the Cisco Meraki integration enabled or you have Video Reader Pros installed, you'll see a Camera column in the Activity Dashboard, where you can view snapshots of entry events by hovering over the Play icon. Click on the Play icon to view the video footage in the Meraki dashboard. Snapshots may take up to a minute to appear in the Openpath Control Center.

Figure 3 Camera snapshots in Activity Dashboard

ENTRY DASHBOARD

The Entry Dashboard shows a live status of every entry in your site.

Figure 4 Entry Dashboard

This is where you can see your organization's usage statistics as well as the current lock state for entries. The data on the Dashboard is real time, so as soon as an entry unlock request is made or denied or a lock state changes, the data displayed will update immediately.

If you have a Cloud Key and remote unlock permissions (and the entry's state also allows remote unlock requests), you can unlock entries from the Main Dashboard by clicking the Unlock button next to the entry's name.

Note: If a door is ajar or not properly closed, the Door Ajar alarm will be prominently displayed in the Door State column.

HARDWARE DASHBOARD

The Hardware Dashboard is where you can get a high level overview of your organization's Controllers (ACUs) and readers.

CONTROLLER STATUS

The Hardware Dashboard indicates the online status of ACUs and Video Readers (listed as Controllers and Video Controllers) in the Status column:

- A green dot indicates the ACU is online and communicating normally
- A yellow dot indicates the last message received from the ACU is more than 12 minutes old
- A red dot indicates the ACU is offline: the last message received from the ACU is more than 60 minutes old OR more than 20 minutes old and the VPN is down

Figure 5 Hardware Dashboard

REMOTE DIAGNOSTICS

In the Controller (and Video Controller) Status table under the Remote Diagnostics column, you can perform the following actions:

- Identify: Identify a Controller to verify that the physical wiring matches the Control Center configuration. Clicking this will cause the Status LED on the Controller to flash green.
- Refresh: Refresh a Controller to send the latest data from the physical device to the Control Center.
- The Restart functions will restart individual software services on the Controller:
  - Restart API Server: The core application that processes authorization, authentication, and execution of unlock requests. Restart this service if you're having issues with the mobile app, such as unlock requests not working.
  - Restart Cloud Communicator: The service that receives live messages from the cloud, including entry-related configuration changes, user permissions changes, and cloud-based unlock requests. Restart this service if changes (new credentials, new schedules) made on the Control Center aren't syncing with the ACUs or if you're experiencing issues with remote unlock requests.
  - Restart Hardware Communicator: The service that sends and receives data between the ACU core and peripheral hardware. Restart this service if you're experiencing issues with readers or expansion boards.
- Mute: Muting a Controller changes its status icon to gray on the Hardware Dashboard. It will not affect any alerts or rules regarding the Controller, and it will only appear as muted on your browser.

Note: Restarting a service may interrupt the affected service for up to 60 seconds. We recommend restarting services one at a time, waiting a few seconds after restarting one before restarting the next.

You can also perform Remote Diagnostics actions on readers. Expand a Controller to see its associated readers. Under the Remote Diagnostics column, you can perform the following actions:

- Identify: Identify a reader to verify that the physical wiring matches the Control Center configuration. Clicking this will cause the following:
  - the reader's outer ring LED will light up
  - the reader's center dot will light up green
  - the reader's buzzer will beep several times
- Restart: Restart a reader to force a reboot. This will interrupt services provided by the reader for up to 60 seconds.
- Mute: Muting a Reader changes its status icon to gray on the Hardware Dashboard. It will not affect any alerts or rules regarding the Reader, and it will only appear as muted on your browser.

CUSTOM DASHBOARDS

The Custom Dashboard feature lets you create personalized views comprised of widgets that you can use in your org in addition to Openpath's default dashboards (Activity, Hardware, and Entry).

To create a custom dashboard:

1. Next to the dashboard dropdown, click the Add Dashboard button

Figure 6 Add Dashboard

2. Enter a name for the dashboard, then click Save

Figure 7 Name and save dashboard

3. Click the edit icon to change settings, add widgets, make a dashboard your default view, or delete a dashboard

Figure 8 Edit dashboard

   a. Activity Feed Widget is a live feed of entry activity log
   b. Entry Controls Widget lets you pin one or more entries to the dashboard and lets you temporarily unlock them instantly, or keep them unlocked for 5, 10, 15, or 60 minutes
      i. Note: You will need a Cloud Key credential and appropriate access to the entry (or entries) in order to trigger unlocks
   c. Lockdown Widget displays all lockdown plans in the org, with buttons to trigger and revert plans
      i. Note: You will need user permissions on the lockdown plans to trigger and revert
   d. User Verification Widget lets you monitor access events at a particular entry and displays a user's photo when they unlock an entry
   e. Event Feed Widget is a live feed of entry events, door ajar and door propped open alarms, lockdown activation
   f. Occupancy Widget shows you the occupancy of Areas configured using Anti-Passback
      i. Note: You will need to configure Anti-Passback and set occupancy limits to use this widget
   g. Hardware Widget displays the number of controllers and readers configured in the system as well as their online status
   h. Statistics Widget displays the total events, number of active users, and percentage of active users from the last 12 hours
   i. Video Player Widget displays a live feed of the selected Video Reader

4. You can click and drag to place the widget anywhere on the dashboard, as well as resize the widget by clicking and dragging the lower righthand corners
5. Click Save Changes when you're done customizing the dashboard

Figure 9 Custom Dashboard

The custom dashboard that you created will appear in the Dashboard dropdown. Your dashboard will be viewable and editable to all other Super Admin users in your org.

CAMERAS

The Cameras page shows all cameras in your org, including Cisco Meraki cameras and Openpath Video Readers. Clicking on a Cisco Meraki camera will take you to the Cisco Meraki dashboard, while clicking on a Video Reader will open a live feed and show a list of events.

Figure 10 Openpath Video Reader live feed

USERS

The Users tab lets you manage and import users, as well as create and define groups and roles for users.

USER MANAGEMENT

The User Management screen is where you can view and manage users. You can export user data to CSV by clicking the Export to CSV icon. Filters can be used on any of the columns to narrow down the users shown in the view. Click the Filter Columns icon to show or hide columns.

Figure 11 User Management

The Identity Provider column will list the master user database from where the users were created (within the portal, from Active Directory, G Suite, etc.). You can toggle this column to show the namespace. For more information, see USER DATA MODEL.

CREATE USER

- To create a new user, click the Add User button on the top right corner. Enter the user's name, email address, and start/end date.
- If the user belongs to another Organization, check the box Add a user from an existing namespace and enter the Namespace
- The External ID field can be used for employee IDs or other useful information.
- If desired, click Change Photo to upload a User photo, or take a new photo using your device's built-in camera or webcam. This photo will appear on the Control Center and in the user's Openpath mobile app.
- If the user is an admin and requires access to the web portal, click the Portal Access slider and then add the Super Admin role.

Note: Only give portal access to users who require it, like an office manager or security guard. If you want to give someone limited access to the Control Center, create a role with GRANULAR PERMISSIONS.

Figure 12 Create User

IMPORT USERS

In addition to creating individual users, you can also import and update users with a CSV file. You can also import users by using a directory service integration. See INTEGRATIONS AND APP MARKETPLACE.

To add and update users with a CSV file:

- Go to Users > Import Users (or from the User Management page, click the Import Users button)
- Click Download Sample CSV and fill out all required fields in the format shown
  - Note: If you are updating users, you can click the Export Data icon on the User Management page to download a CSV of all users, then modify that file to import
- On the Import Users page, click Show Fields to view examples of acceptable values
- Save the file as a CSV file (Excel file extensions will not work). Example: openpath-bulk-import-users.csv
- On the Import Users page, click Select CSV File and locate the file.
- Select the Namespace:
  - Select Local if you're adding new users or updating existing ones and you don't use an IDP.
    - Note: If using the Local namespace, choose whether you want to skip existing users or update them using the How To Handle Existing Users dropdown.
  - Select Google G Suite, Microsoft Azure AD, Okta, or OneLogin if you want to update existing users you previously synced with Openpath (new users will not be added).
- Click Upload File.
- The Upload Status field will log all users added, updated, and skipped. This step may take a few minutes. When finished, you'll see an "IMPORT COMPLETE" message along with any errors that may have occurred.

ISSUE CREDENTIALS

Once you have created users, you can issue credentials. Credentials are what let users have access to entries.

Note: When adding card credentials, be aware of whether you have high frequency (HF) readers, which require MIFARE/DESFire cards, or low frequency (LF) readers, that use Wiegand cards.

- To issue credentials, click on a user to go to their User Details, then click on the Credentials tab in the upper righthand corner.
- Select the type of credential you want to issue. Choose from:
  - Mobile
  - Cloud Key (used for providing Guest Access Links)
  - Card: Openpath/MIFARE (CSN) — Fast (select this for Openpath HF key fobs and cards)
  - Card: Openpath DESFire (Encrypted) — Secure (select this for Openpath HF cards)
  - Card: Wiegand ID (select this for Openpath LF key fobs and cards)

- Enter the required information then click Create.

ADD A MOBILE CREDENTIAL

After you add a mobile credential, click Send to email the user instructions on how to set up their mobile device as a credential. The Activation Pending column indicates that an email has been sent, but the user has not yet activated their mobile credential.

ADD A WIEGAND CREDENTIAL

If you're adding a Wiegand credential, you need to specify the card format. For Openpath LF cards, select Prox 26-bit (H10301).

If you're unsure of the card format, you can use the Raw 64-bit option and enter the card number. If you're unsure of the card number, you can swipe the card at the reader and take note of the rejected access entry under Reports > Activity Logs. The card number will be displayed under the Credential Detail column.

If you'd like to send card credential data to a third-party control panel, set Use for Gateway to Enabled. You must also configure the Wiegand reader to enable this feature. See WIEGAND DEVICE.

USER ACCESS

The Access tab on the User Details page is where you can assign groups, sites, and zones, as well as enable Remote Unlock for a user.

- Use the Groups field to add a user to a group and give them access to zones available for that group. See CREATE GROUPS.
- Alternatively, you can manually assign access to sites and zones by using the toggle buttons.
- Enable Override Permission to give the user permission to unlock entries in the Lockdown (Override Only) state.
- Enable Remote Unlock to let the user unlock a door remotely (i.e. physically outside of Bluetooth range of the door reader) using the mobile app.
- The Group Schedules column will display any applicable Group Schedules if you assigned a group with a schedule.
- The User Schedule column lets you assign user-specific schedules. See USER SCHEDULES.

Figure 13 User Access

USER SECURITY

The Security tab is where you can manage Multi-Factor Authentication (MFA) credentials. You cannot add MFA credentials for other users — only view and delete. You can add a MFA credential for yourself under MY PROFILE.

MANAGING USERS

From the User Management screen, use the checkboxes and Batch Actions to change the status of individual or multiple users:

- Activate Users: reactivates a suspended user
- Suspend Users: disables credential usage and admin portal access (if granted to the user)
- Delete Users: revokes access from the user but still keeps the user in the system for reporting and record keeping purposes
- Reset Anti-Passback: if using Anti-Passback, resets a user's Anti-Passback state. See ANTI-PASSBACK AND OCCUPANCY MANAGEMENT.
- Create Mobile Credentials: automatically creates mobile credentials for the selected users

- Send Mobile Credentials: send mobile setup emails to the selected users. If a user has multiple mobile credentials, they'll receive multiple setup emails.
- Disable Remote Unlock: disables remote unlock permissions for the selected users
- Enable Remote Unlock: enables remote unlock permissions for the selected users

GUEST ACCESS LINKS AND WEBHOOK URLS

Users with Cloud Keys can share temporary Guest Access Links and generate webhook URLs. Webhook URLs can be used to unlock entries via a web browser or integrated into software or external services.

- To generate links, click on a user to go to their User Details, then click on the Credentials tab in the upper righthand corner. Next to the Cloud Key credential, click Get Webhook URL.
- A window will pop up where you can select which entries the URL will unlock:
  - Choose the entries
  - Edit the labels (optional)
  - Provide a description
  - Enter a Start and End Time (optional)
  - Click Generate Links
- Use the Guest Access Link for sharing access with a person; use the API Link for your own software or other external service.

Figure 14 Generate Webhook URL

Note: A Cloud Key can have multiple webhooks for multiple entries associated with it. Deleting a Cloud Key credential will also remove all the valid webhooks associated with it.

GROUP MANAGEMENT

The Group Management page is where you can create and manage groups for users. Groups let you assign access and entry permissions for one or more users, and they're useful for organizing your user base by department or role. You can export group data to CSV by clicking the Export Data icon.

Figure 15 Group Management

CREATE GROUPS

- To create a new group, click the Add Group button on the top right corner. Enter a name, description, and assign users.
- Next, select which sites and/or zones this group will have access to.
- When you have finished, click the Save button to save your new group.

Figure 16 Create Group

ROLE MANAGEMENT

A role is a set of portal access permissions that can be assigned to users. There are two default roles that cannot be edited:

- Super Admin — gives full portal access with edit permissions
- Super Admin Read-Only — gives full portal access with read permissions

Note: Users with the Super Admin role can assign and revoke portal access for other users.

Figure 17 Role Management

CREATE ROLES

- To create a new role, click the Add Role button on the top right corner. Enter a name, description, and assign users.
- Select the permissions you'd like this role to have, then click the Save button in the lower right corner.

Note:

- You cannot create a role with more permissions than you have, and you cannot assign a role with more permissions to yourself or another admin.
- You can assign multiple roles to the same user. The user's permissions will be cumulative across all assigned roles.

GRANULAR PERMISSIONS

Granular Permissions gives additional specificity when creating Roles. For example, you create a role that limits access to just the Entry Dashboard (see example below). Or, create a role with full portal access but only for one site.

Note: Hardware Dashboard is tied to the "Hardware" permission, not the Dashboard permissions.

Note: You cannot limit access to a specific site's users—if you create a role that has access to users, that role will have access to all users within that org.

Figure 18 Create Role

USER SCHEDULES

The User Schedules page is where you can define schedules for users and groups. User and Group Schedules are useful if you want to restrict access or trigger methods for certain users/groups. For example, you can define normal business hours for employees or require that certain users only use key cards.

You can export schedule data to CSV by clicking the Export Data icon.

Figure 19 User Schedules

CREATE USER SCHEDULE

- To create a User/Group schedule, click the Add User Schedule button on the top right corner. Enter a name, then click Save.
- Next, click on the Scheduled Events tab to define the schedule. Click the Add Event button.
- Choose between a Repeating Event and a One-Time Event. In this example, we're creating a normal business hours schedule, so we'll define a Repeating Event.
- Enter a Start and End Time, choose a Time Zone, and select which days this event will occur.
- Enter a Start Date and End Date (optional), and set the Scheduled State.

Note: A User/Group schedule cannot be more permissive than what the entry allows. In this example, we've defined the Scheduled State as "Standard Security" which only works if the entry state is also set to Standard Security or Convenience (but not say, Strict Security).

Figure 20 Edit User Schedule

MULTIPLE SCHEDULES

You can assign multiple User/Group schedules to users/groups. Access is cumulative of the assigned schedules. For example, if a user has a group schedule that gives access 9:00 am to 5:00 pm and a user schedule that gives access 3:00 pm to 9:00 pm, then that user will have a combined access of 9:00 am to 9:00 pm.

CUSTOM FIELDS

You can create custom, optional fields for users that appear when you create and edit users, and also appear in the User Management table.

1. To create a custom field, click on the Add Custom Field button on the top right corner
2. Enter a name for the field and select a Field Type from the dropdown:
   a. Checkbox
   b. Date
   c. Dropdown
   d. Text
3. The field is enabled by default—if you do not want to use the field just yet, click the slider to disable
4. Click Save
5. If you selected a Dropdown field, click Create Dropdown Item and enter a name, click Save, then repeat for the remaining dropdown options
6. The fields you create will appear at the bottom of User Details and can be viewed in the User Management table by clicking Filter Columns and clicking the checkbox next to the field

Figure 21 Custom Fields

SITES

Sites are physical locations (like office buildings) comprised of zones and entries. You should create a site for every location where you have Openpath installed.

SITE MANAGEMENT

The Site Management page is where you can view and manage sites. You can export site data to CSV by clicking the Export Data icon.

Figure 22 Site Management

CREATE SITES

- To create a new site, click the Add Site button.
- Enter a Site Name, address, and phone number, then click the Save button.

ZONE MANAGEMENT

The Zone Management page is where you can view and manage zones. Zones are groups of one or more entries that you can assign to sites. Zones are useful for breaking up large sites into smaller areas like floors or common areas (in multitenant scenarios). Most significantly, zones are the units of physical access permissions that you assign to users.

You can export zone data to CSV by clicking the Export Data icon. Click the Filter Columns icon to show or hide columns.

Figure 23 Zone Management

ZONE SHARING

Zones can be shared between multiple Openpath customers. This is useful if you're a landlord who wants to share a zone of common entries with multiple tenants. Recipients cannot edit shared zones.

CREATE ZONE

- To create a zone, click the Add Zone button in the top right corner.
- Enter a name and description (optional) and select the site to which the zone will be assigned.
  - Note: A zone can only be assigned to one site, but a site can have multiple zones assigned to it.
- Next, add User Groups and Users to the zone (optional).
- If you want to share this zone to a different Organization, enter the Org ID(s) (optional).
- Click the Save button to save your new zone.

ANTI-PASSBACK AND OCCUPANCY MANAGEMENT

Anti-Passback lets you define a sequence in which entries must be accessed in order to gain entry. Sequences are defined using Areas — each Area contains a set of inbound and outbound entries. For each Area, after every successful inbound entry the user must exit through an outbound entry before entering an inbound entry again. This feature is commonly used with parking gates and helps prevent users from sharing credentials with other users. You can also use Anti-Passback to limit occupancy and prevent users from accessing inbound entries until enough users exit through outbound entries.

- To set up Anti-Passback on a zone, click on the zone to edit it, then click on the Anti-Passback tab in the upper righthand corner
- Enter an Expiration time in seconds after which the Anti-Passback state will reset for the user.
- Enable Reset Anti-Passback Periodically to configure a schedule during which a user is not limited to Anti-Passback logic until after their second unlock attempt
- Enable Use Contact Sensor to only change a user's Anti-Passback state until after the Contact Sensor reports open
- Enable Shared-To Orgs Can Reset Anti-Passback if you want orgs sharing this zone to have permission to reset Anti-Passback for their users.
- Lastly, define the Area(s) within the zone to be enforced by Anti-Passback
  - Enter a name
  - Set the Inbound Mode and Outbound Mode, which determines how the system reacts to Anti-Passback breaches:
    - None — access is granted; no additional response
    - Alert — access is granted and an event is generated
    - Enforce — access is denied and an event is generated
  - Add Inbound and Outbound Entries
    - Note: An entry can only be used once within an Area, either as Inbound or Outbound but not both; however an entry can be used in multiple Areas. In addition, all entries within an Area must reside on the same ACU, and all entries belonging to the parent zone must reside on the same ACU.
  - If limiting occupancy, select either Alert or Enforce (definitions above) from the Occupancy Limiting Mode dropdown, then enter the Occupancy Limit
  - Click Add Area
  - Click Save

Internally, the ACU tracks each user's most recent direction of movement (inbound or outbound) within each Area. When the user's most recent direction is known, then an attempt by that user to move in the same direction again will result in an Anti-Passback Breach event. When the user's most recent direction is unknown, as in the case of a newly created Area, or following a scheduled or manual Reset action, then the user's next movement will be allowed in either direction, after which normal rules will apply again.

Anti-Passback Breach events can trigger alerts. See ALERT SETTINGS. They can also be used to trigger custom integrations. See RULES ENGINE.

Note: Anti-Passback logic also applies to Cloud Key credentials and other remote unlock methods.
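
The per-Area direction tracking, modes, Expiration and occupancy limit described above can be modelled in a few lines to check how a planned configuration will behave. This is an added example, not Openpath code: the class, function and event names are hypothetical, and it assumes that only granted moves update a user's state and that occupancy counts users whose last known direction is inbound.

```python
"""Toy model of the per-Area Anti-Passback rules in this guide (added example)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

class Mode(Enum):
    NONE = "none"        # access is granted; no additional response
    ALERT = "alert"      # access is granted and an event is generated
    ENFORCE = "enforce"  # access is denied and an event is generated

INBOUND, OUTBOUND = "inbound", "outbound"

@dataclass
class Area:
    name: str
    inbound_mode: Mode = Mode.ENFORCE
    outbound_mode: Mode = Mode.ALERT
    expiration_s: Optional[float] = None       # Expiration setting, in seconds
    occupancy_limit: Optional[int] = None
    occupancy_mode: Mode = Mode.ENFORCE        # the guide allows Alert or Enforce
    last: dict = field(default_factory=dict)   # user -> (direction, time of last granted move)
    events: list = field(default_factory=list)  # (time, user, hypothetical event name)

    def _known_direction(self, user, now):
        rec = self.last.get(user)
        if rec is None:
            return None
        direction, seen = rec
        if self.expiration_s is not None and now - seen >= self.expiration_s:
            del self.last[user]                # state expired: direction unknown again
            return None
        return direction

    def occupancy(self, now):
        # Assumption: occupancy = users whose most recent known direction is inbound.
        return sum(1 for u in list(self.last) if self._known_direction(u, now) == INBOUND)

    def reset(self, user):
        """Manual or scheduled reset: the next move is allowed in either direction."""
        self.last.pop(user, None)

    def _apply(self, mode, now, user, event):
        if mode is not Mode.NONE:
            self.events.append((now, user, event))
        return mode is not Mode.ENFORCE        # True means access is still granted

    def attempt(self, user, direction, now):
        """Return True if the unlock is granted under the Area's configured modes."""
        granted = True
        if self._known_direction(user, now) == direction:
            mode = self.inbound_mode if direction == INBOUND else self.outbound_mode
            granted = self._apply(mode, now, user, "anti_passback_breach")
        elif (direction == INBOUND and self.occupancy_limit is not None
              and self.occupancy(now) >= self.occupancy_limit):
            granted = self._apply(self.occupancy_mode, now, user, "occupancy_limit")
        if granted:
            # Assumption: denied attempts leave the tracked state unchanged.
            self.last[user] = (direction, now)
        return granted

def demo():
    """Constructed sequence for a parking-gate Area; returns (results, event names)."""
    garage = Area("Garage", expiration_s=3600, occupancy_limit=2)
    steps = [
        ("alice", INBOUND, 0),     # direction unknown: granted
        ("alice", INBOUND, 60),    # same direction again: breach, Enforce denies
        ("alice", OUTBOUND, 120),  # granted
        ("alice", OUTBOUND, 180),  # breach, outbound mode is Alert: granted plus event
        ("alice", INBOUND, 240),   # granted
        ("bob", INBOUND, 300),     # granted, occupancy is now 2
        ("carol", INBOUND, 360),   # occupancy limit reached: denied
        ("bob", INBOUND, 4000),    # bob's state expired after 3600 s: granted
    ]
    results = [garage.attempt(u, d, t) for u, d, t in steps]
    return results, [e[2] for e in garage.events]

if __name__ == "__main__":
    print(demo())
```
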
