MicroStrategy ONE
Optimizing the Lenel Adapter for MicroStrategy Identity
After the Lenel physical access control system (PACS) adapter is installed, you can optimize it for MicroStrategy Identity. To do this, you customize configuration settings, many of which are not prompted when you install the adapter:
- Configuring How Frequently Automatic Cache Refresh Occurs
- Configuring Whether to Check Access Time Windows
- Configuring Access Panel Time Information
- Configuring Whether to Check Access Levels
- Specifying the Lenel OnGuard User Accounts to Use
- Ensuring that Adapter Segments and Devices Match Data ConduIT Settings
- Configuring the Adapter to Be Available All the Time
The sections below contain only the information required to use Microsoft Internet Information Services (IIS) Manager to configure the physical access control system with MicroStrategy Identity. For the latest information, see Microsoft's documentation.
To Change the Settings
- Open Microsoft IIS Manager.
- Select the Lenel web service, then double-click Application Settings.
- Double-click the setting name and change the value.
You can also use a text editor, such as Notepad, to modify the web.config
file. It is recommended that you change the settings using Microsoft IIS Manager.
Configuring How Frequently Automatic Cache Refresh Occurs
The cacheAutoRefreshInterval setting controls how long, in seconds, between automatic cache refreshes. The cache refresh causes user, portal, and permission changes to take effect in MicroStrategy Identity. The default is 1800
seconds (30 minutes).
To modify this setting, use Microsoft IIS Manager Application Settings for the Lenel adapter. For steps, see To Change the Settings.
The cache on the PACS adapter contains information about each user, door or portal, and permissions, such as whether a user has access to use a door. When that information changes in the Lenel OnGuard PACS, it becomes active in the adapter and, therefore, the physical access points, after the cache is refreshed in the adapter. The cache refresh can take several minutes. For example, with this setting configured as 30 minutes, when a new user is added in the PACS and given access to five doors, the longest she would have to wait until she can begin accessing those doors is 30 minutes. If this is set to 0
, the cache is not automatically refreshed.
You can force a cache refresh at any time. For the URL to use, see Refreshing the Lenel Adapter Cache.
Configuring Whether to Check Access Time Windows
The enableTimeCondition setting controls whether time conditions that are specified in Lenel OnGuard are enforced by MicroStrategy Identity when a user tries to open a door. The default is true
.
To modify this setting, use Microsoft IIS Manager Application Settings for the Lenel adapter. For steps, see To Change the Settings.
You can set times in Lenel OnGuard during which users have access to a portal, such as a door. These can include hours of the day, days of the week, or holidays. This enableTimeCondition setting controls whether MicroStrategy Identity enforces those time conditions. If the user has access to a portal, and if this setting is set to false
, access is allowed regardless of the time conditions. If the user does not have access to the portal, access is not granted regardless of this setting. Unless you are testing, it is recommended that you leave this set to true
.
For example, a user has access to Door 3 from 8 A.M. to 6 P.M. If she tries to access the door at 7 P.M., which is outside the time window, and this setting is true
, she is not allowed in. If she tries at 7 P.M. and this setting is false
, she is granted access. If another user does not have access to Door 3, they are not granted access at any time, regardless of this setting.
Configuring Access Panel Time Information
When MicroStrategy Identity is configured to check access time conditions (see Configuring Whether to Check Access Time Windows), if your access panels for doors or other resources are in time zones that are different from the Lenel adapter machine's time zone, the time zone information for those different panels is needed. Panels in the same time zone as the machine hosting the adapter do not need an entry.
To configure this, you can create an .xml
file with the time information for the panels and place the file on the machine hosting the Lenel adapter. Then you can modify the adapter setting with the .xml
file's location.
Defining Panel Time Information in an .xml File
In an .xml
file, for each access panel that is different from the machine hosting adapter, you define the name; time zone, relative to Greenwich Mean Time (GMT); and whether it should be checked for daylight saving time (also known as summer time). The file should be on the machine hosting the Lenel adapter.
In the .xml
file, define the following for each panel:
- panel name: The name of the panel must match the name in Lenel OnGuard. This is case sensitive.
- gmt_offset: The panel's time zone, relative to GMT. Locations east of GMT are noted with positive numbers; those west of GMT are noted with negative numbers. To find a location's time zone, use a site on the Internet. For example, search for "What is my GMT offset."
- is_dst: The setting for whether to check for daylight saving time (
true
) or not(false)
.
Below is an example timezones.xml
file with two access panels defined: one in the U.S. Eastern time zone and the other on the U.S. west coast in the Pacific time zone. Both panels are checked for daylight saving time.
<panels>
<panel name="HQ front door panel" gmt_offset="-5" is_dst="true" />
<panel name="LA office front door" gmt_offset="-8" is_dst="true" />
</panels>
Defining the .xml File Location
The panelTimezoneMap setting must specify the path and file name of the .xml
file. For example, if you create a timezones.xml
file, you modify the panelTimezoneMap setting to something like the following:
c:\path\timezones.xml
where path
is the path to the folder containing the file.
To modify the panelTimezoneMap setting, use Microsoft IIS Manager Application Settings for the Lenel adapter. For steps, see To Change the Settings.
Configuring Whether to Check Access Levels
In Lenel OnGuard, a user can have multiple access levels that can be used for access permissions. These access levels can be either activated or deactivated. You can use the checkActivateAccessLevel setting to control whether those access levels are enforced in MicroStrategy Identity. The default is true
.
If this setting is true
,the access level status is checked. If it is false
, all access levels will be treated as activated.
To modify this setting, use Microsoft IIS Manager Application Settings for the Lenel adapter. For steps, see To Change the Settings.
Specifying the Lenel OnGuard User Accounts to Use
The OnGuard accounts are the Windows user accounts that have administrator access, via DataConduIT, to the Lenel OnGuard server. These accounts are used to create parallel connections between the Lenel OnGuard server and the Lenel adapter, to improve performance. Four accounts are created by default.
You set these accounts initially when installing the Lenel-Identity adapter, as described in Integrating Lenel OnGuard with MicroStrategy Identity. You can change them as needed, such as if the passwords expire. The user name and password may be the same for all accounts. If more connections are needed, you can add more users in the Lenel OnGuard system, then add their user names and passwords using the information here.
To modify these accounts, use Microsoft IIS Manager Application Settings for the Lenel adapter. For steps, see To Change the Settings.
Below are four example user accounts and passwords, in italics.
onguardUsername1: OnGuard server user name 1
onguardPassword1: OnGuard server password 1
onguardUsername2: OnGuard server user name 2
onguardPassword2: OnGuard server password 2
onguardUsername3: OnGuard server user name 3
onguardPassword3: OnGuard server password 3
onguardUsername4: OnGuard server user name 4
onguardPassword4: OnGuard server password 4
Ensuring that Adapter Segments and Devices Match Data ConduIT Settings
The segment name and device name values should match the OnGuard Data ConduIT settings. The segmentName
must be the same as the DataConduIT Source name, and the segmentDevice
must be the same as the DataConduIT Device name.
segmentName0: segment name 0
segmentName1: segment name 1
segmentDevice0: device name 0
segmentDevice1: device name 1
To modify these settings, use Microsoft IIS Manager Application Settings for the Lenel adapter. For steps, see To Change the Settings.
Configuring the Adapter to Be Available All the Time
You can configure the Application Pools settings to ensure that the adapter is available all the time, is reset (recycled) at a time you specify, and makes an entry in the Windows Event Log when it recycles.
In IIS Manager, in the Application Pools, right-click the Lenel web service and select Advanced Settings:
- In Process Model, change the Idle Time-out to
0
. - In Recycling:
- Change the Regular Time Interval to
0
. - In Specific Times, add a time when the service will not be busy, such as 2 A.M.
- Change the Regular Time Interval to
- In Generate Recycle Event Log Entry, change the Specific Time to
True
.
Related Topics
Integrating Lenel OnGuard with MicroStrategy Identity
Verifying that the Lenel adapter installation is correct
Diagnosing the Lenel adapter healthRefreshing the Lenel Adapter Cache