Advanced Access Control
Course 3000
System Wide Configuration
CR3000 - M02.01 - 6.4.500 TU 1 (Sys Config)
Segmentation
Documentation Reference: System Administration User Guide | Appendix E
Introduction to Segmentation
• Segmentation is: The process of dividing an access control database into smaller subsets known as Segments.
• Initial objects assigned to each segment.
  • Users
  • Access Panels
  • Access Levels
• Adds additional levels of permissions to be assigned to objects.
  • “<All Segments>”
  • “Segment” (Individual)
  • “Segment Groups”
Introduction to Segmentation Cont.
• <All Segments>
  • Any user can view <All Segments> records/objects
  • Only <All Segments> users can add, modify, and delete <All Segments> records/objects
• Segment (individual)
  • Users can only add, modify, and delete records/objects that have the same segment assignment as they do.
• Segment Groups
  • Users can add, modify and delete records/objects that are assigned at least one of the segments that are contained within the segment group assigned to the user.
Segmentation
• Segmentation allows an additional level of permissions to be assigned to an object
  • Full control
  • View only access
  • No Access
User and Object Assignments
[Diagram, repeated on five slides: User Assigned Segments, User Logged In Segment and Object Assigned Segments, showing Users 1-5, Objects 1-5, <All Segments>, Segment 1, Segment Group, Segment 2 and Segment 3]
• When an <All Segments> user logs into <All Segments>, that user can view, add, modify and delete any object with any segment assignment.*
• When an <All Segments> user logs into a segment, they can add, modify and delete only those objects in that segment. The user can also view any object that belongs to <All Segments> or an additional segment that matches their segment.*
• A user assigned to a single segment can add, modify and delete only those objects in their segment. The user can also view any object that has an <All Segments> assignment or an additional segment that matches their segment.*
• When a user logs into their segment group, they can add, modify and delete only those objects that belong to that segment group. The user can also view any object that belongs to <All Segments> or an additional segment that matches any segment in their segment group.*
• When a user logs into a segment within a segment group, they can add, modify and delete only those objects that belong to that segment. The user can also view any object that belongs to <All Segments> or an additional segment that matches the segment that the user has logged into.*
*Provided that the user has the proper user permissions to do so.
Additional <All Segments> Rules
Note: Being an <All Segments> user is not the same as having access to each individual segment
• System wide settings can only be configured by an <All Segments> user
  • BadgeDesigner and FormsDesigner
  • Archiving Events and Transactions
  • System Cardholder Options
  • General System Options
• User segment access permissions must be modified, otherwise, all users will have <All Segments> access
Pre-Enabled Segmentation View
• Segmentation Disabled
• No Segment Tabs or Headers
Enabling Segmentation
• Once enabled, Segmentation cannot be disabled
• Default segment is created for placement of pre-existing records
Post-Enabled Segmentation View
• Segmentation Enabled
• New Segment Tabs or Headers
Adding New Segment
• Segments may be added independently or to a new or existing segment group
• A segment is created by the New Segment Wizard
• Hardware may be moved to new segment
• Existing data may be copied to new segment
• Access levels and groups may be copied or moved
Segmentation Wizard
* - Optional
• Unique segment name
• Segment group assignment*
• Move panels from another segment*
  • Hierarchy of readers and alarm panels will be maintained
  • Perform full panel download after move
• If “Do not copy records or move panels from another segment” is chosen, then all associated access levels will not be copied and will be lost.
Segmentation Wizard
• Copy records from another segment*
  • Select records to be copied
• Copy empty access levels and groups*
  • Allows creating a similar access level/group scheme in the new segment
• Cleaning up source segment*
  • Removes access levels and groups that may become empty after moving hardware
Segmentation Wizard Cont.
• Prefix or append text to the names of records for unique identification
  • Record names are enforced to be unique per segment
• Define segment hardware settings
Post-Segment Added View
Features Controlled Per Segment
• System wide limits are now per segment
  • Holidays – 20-255 supported
  • Timezones – 127-255 supported
  • Access levels – 255-31999 supported
  • Badge number length – 7-18 digits supported
  • Number of elevator floors – 1-128 floors
Features Controlled Per Segment
• Access level assignments per badge
  • Maximum of 128 access levels supported
  • Total levels
  • Level allowing no activation dates
  • Level allowing activation dates
• Anti-Passback
• User Commands
• Access Levels / Assets
Segmenting Hardware
• Segmenting Access Panels
  • All downstream devices are automatically given the ISC’s segment assignment and can’t be changed
• Pre-segmentation
  • Configured hardware usually receives assignment during the segmentation process
• Post-segmentation
  • Configured hardware is assigned a segment during the add hardware process
  • Hardware segment assignment can be modified
Modifying Access Panel Segment Assignment
User Segmentation
• Initially, users are assigned to <All Segments>.
• User segments may need to be modified to accommodate your customers' needs.
• Specific segment assignments will restrict permissions to view objects in other segments.
Advanced Segmentation
• Segment Options
• Card Formats
• Badges via Badge Types
• Cardholders or Cardholders and Visitors
• Allow segments to belong to more than one segment group
• Access level assignment
• Non-system List Builder lists
Advanced Segmentation Features
• Additional control over objects that belong to multiple segments
• Primary Segment
  • Primary segment assignment can be either <All Segments>, an individual segment or a segment group
  • Users can add, modify and delete objects and records with the same segment assignment.
• Additional Segment
  • Additional segment assignment can be either an individual segment or a segment group
  • Users can only view/use objects and records in the additional segment
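The login rules from the User and Object Assignments slides, combined with the Primary/Additional Segment rules above, can be written as one decision function. This is an added example, not part of the course material or the product's own code: the function names, the sample objects and the group layout are constructed, and it assumes an object whose primary assignment is a segment group counts as belonging to each segment in that group.

```python
ALL = "<All Segments>"   # sentinel for the <All Segments> assignment
FULL, VIEW, NONE = "add/modify/delete", "view only", "no access"

# Constructed sample layout (not taken from the course diagram).
GROUPS = {"Segment Group": ["Segment 2", "Segment 3"]}
OBJECTS = {  # name: (primary assignment, additional assignment)
    "Object 1": (ALL, None),
    "Object 2": ("Segment 1", None),
    "Object 3": ("Segment 2", "Segment 1"),
    "Object 4": ("Segment Group", None),
    "Object 5": ("Segment 3", "Segment Group"),
}

def expand(assignment, groups):
    """Turn a segment name or a segment group name into a set of segments."""
    if assignment is None:
        return frozenset()
    return frozenset(groups.get(assignment, [assignment]))

def segment_access(login, primary, additional=None, groups=GROUPS):
    """Ceiling that segmentation puts on one object for one login.

    The user's own permissions can only narrow this result.
    login: what the user logged into (ALL, a segment, or a segment group).
    """
    if login == ALL:
        return FULL      # <All Segments> login: any object
    scope = expand(login, groups)
    if primary == ALL:
        return VIEW      # viewable by all, editable only from <All Segments>
    if scope & expand(primary, groups):
        return FULL      # shares a primary segment (group overlap is assumed)
    if scope & expand(additional, groups):
        return VIEW      # additional segment: view/use only
    return NONE

def access_table(login):
    """Access to every sample object for a given login."""
    return {name: segment_access(login, p, a) for name, (p, a) in OBJECTS.items()}

if __name__ == "__main__":
    for login in (ALL, "Segment 1", "Segment Group", "Segment 2"):
        print(login, access_table(login))
```

Comparing the "Segment Group" and "Segment 2" rows shows how logging into a single segment inside a group narrows edit rights on objects owned by the other member segment.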
Card Formats Pre-Segment
Card Format Segmentation
• Card Formats become assignable per segment
• Each segment may now have up to 8 unique card formats
• Useful for organizations that require many different card formats
• Card formats that belong to <All Segments> will reserve a format for every segment.
Card Formats Post-Segment
Badge Types Pre-Segment
Badge Types Segmentation
• Badges controlled by Badge Type
• Pre-Segmentation
  • Users can add, modify, and delete all badge types*
  • Users can add, modify, and delete cardholder badges*
  • Users can add, modify, and delete access levels from badges*
• Post-Segmentation
  • Badge Types are initially assigned Primary = <All Segments>
  • Only <All Segments> users can add, modify, delete badges*
  • Badge Types are initially set where Available to All = NO
  • Users can only add, modify, and delete access levels from all badges*
*Provided that the user has the proper permission level to perform this task.
Badge Types Segmentation
• Available to All (No Segment Restrictions)
  • Only <All Segments> Badge Types can be ‘Available to All’
  • Only <All Segments> users can edit the Badge Type itself
  • Allows users to add, modify, and delete cardholder badges of that type as well as access levels
• Primary and Additional Segments
  • Users with Primary Segment (or <All Segments>) access can add, modify, and delete badge types or cardholder badges.*
  • Users with Additional Segment access can ONLY assign or remove access levels from their segments to existing badges
*Provided that the user has the proper permission level to perform this task.
Badge Types Post-Segment
Cardholder Pre-Segment
Cardholder Segmentation
• Segment Cardholders
  • Allows Cardholder permissions to be controlled based on segment access
• Segment Visitors
  • Allows Visitor permissions to be controlled based on segment access
  • Visitor segmentation can only be done if cardholders are segmented
Cardholder Segmentation
• Access to Cardholder/Visitor controlled by Segmentation
• Pre-Segmentation
  • Users can add, modify, and delete all cardholders*
  • Users can add, modify, and delete cardholder badges*
  • Users can add, modify, and delete access levels from badges*
*Provided that the user has the proper permission level to perform this task.
Cardholder Post-Segment
Cardholder Segmentation
• Post-Segmentation
  • Cardholders are initially assigned Primary = <All Segments>
  • Only <All Segments> users can add, modify, delete cardholder records*
  • Any user can view <All Segments> cardholder records*
  • Any user can assign access levels from their own segment to existing badges*
• Cardholders can be assigned primary and additional segments
  • A user's access to these cardholders is then based on their segment
*Provided that the user has the proper permission level to perform this task.
User’s Segment = Cardholder’s Primary Segment
• When the user logs into a segment that is the cardholder’s Primary Segment, the user is able to
  • Add, modify, and delete cardholders associated with the Primary Segment
  • Add, modify, and delete badges, assets, network accounts
  • Capture multimedia
  • Print and encode badges