All Collections
Apps
Access Control
Avigilon Alta formerly Openpath
Avigilon Alta formerly Openpath

Build your system from the inside out using Alta as your end-to-end access control solution for visitors and auto check-in for employees.

Updated this week

This integration can be used to restrict access to certain areas for visitors and automatically check in employees.


How does Avigilon Alta work with Envoy?

PREREQUISITES

  1. You will need administrative access on your Avigilon Alta ACU to complete this setup. Ensure you have administrative access or work with a local administrator before proceeding with the following steps.

  2. A Premium or Enterprise level plan from Avigilon Alta is required. These are paid plans. Please reach out to Avigilon Alta for more information.

Build your system from the inside out using Avigilon Alta as your end-to-end access control solution. If you’re solving for spaces with both new and legacy systems, Avigilon Alta can be easily implemented to work with whatever you’ve got.

The Envoy + Alta app streamlines the process of logging and distributing access to visitors and employees. With in-depth customization options, including issuing access on either invites or guest sign-in, Envoy will create temporary Cloud Credentials in Avigilon Alta, which automatically and temporarily grants access to specific parts of your building — including automatic expiration and configurable access. Cloud Credentials are shared with your guests by either e-mail or SMS when a phone number is provided and do not require the Alta app to interact with.

For employees, access can be granted or revoked based upon their schedule and Envoy registration status.

Enabling Envoy + Alta

Pre-Configuration: The Envoy Bot

  1. Begin by creating a role for the Envoy Bot.

    1. Go to Users > Roles and click “Create New Role.”

    2. Ensure at least “read” and “write” permissions are granted for View, and View and Edit users.

    3. Ensure "read" permissions are granted for Sites, Entry states, and all Other site items.

  2. Create a user for the Envoy Bot.

    1. Navigate to Users and click the "+" in order to add a new user.

    2. The new user will require an email — if you don't have an administrative alias email address, you could consider something like [email protected], where the addition of “+envoybot” will help differentiate the user in Alta.

    3. The new user should have a recognizable “First” and “Last” name, we recommend “Envoy Bot”.

    4. The new user should have the “Status” defined as “Active” and the role created in the previous step is selected.

    5. Ensure “Portal Access” is toggled on for this new user, this will permit Envoy to access the API in order to generate cloud credentials for your visitors.

    6. Under the “Access” tab in the new user view, ensure the new user has access to all of the relevant doors. This access will later be used for mapping visitor types in Envoy to access permissions.

Step 1 and 2: Installing Alta on the Envoy Dashboard.

  1. After creating a user in Alta for Envoy, go to Apps > All Apps in the Envoy dashboard.

  2. Under Access Control, find Avigilon Alta, then click “Install.”

  3. In the API step, enter administrative credentials created in the first steps and click “Save” to continue.

  4. On the Org step, select the desired Organization from the drop-down and click “Next Step” to continue.

The drop-down menu on step 2 is automatically populated based on the Orgs the administrative account provided in Step 1 has access to. If you do not see your intended Organization than you must revisit your permissions within Avigilon Alta.

Step 3: Envoy Visitors + Alta

Grant your visitors access as they sign into the office. Envoy will create temporary Cloud Credentials in Avigilon Alta, which automatically and temporarily grants access to specific parts of your building

How to configure Avigilon Alta with Visitors:

  1. Visitor types to Atla entries.

    1. Select which entries you want to permit visitor types to access. The visitor will be given Cloud Credentials according to the entry that is selected.

    2. With the “Add another” button, you can map multiple visitor types to different entries.

  2. You can select several options of customization, including:

    1. Only Allow Invited Guests: Toggling this setting will switch to “Sign In” only Cloud Credential issuance when disabled, and “Invite” based Cloud Credentials when enabled. When this option is disabled the “ADVANCE ACCESS” and “ACCESS DURATION” fields can not be obeyed.

    2. Advance Access: This is the length of time the Cloud Credential will work before the invited date and time (e.g., An invite may be for 8 PM on April 13th, but 15 minutes or even 12 hours prior to the meeting can be added to enable to the Cloud Credentials early, allowing visitors to access the facilities for parking or lodgings).

    3. Access Duration: This is the length of time the Cloud Credential will work for. After the access duration expires automatically in Envoy the Cloud Credential will cease to work.

    4. Flow Block List (OPTIONAL): This is the list of visitor types that are blocked from receiving access.

    5. Your Custom Logo (OPTIONAL): This is the logo that is displayed to visitors when they unlock doors with their temporary Cloud Credentials.

    6. Additional Instructions (OPTIONAL): This is the additional instructions / messaging which is displayed to visitors when they unlock doors with their temporary Cloud Credentials.

    7. QR Code (OPTIONAL):

      1. Select a credential type and your card ranges.


Step 4: Envoy Employees + Alta

Envoy employee access can be enabled with Avigilon Alta. On Step 4 Employees, click the checkbox to enable the "Envoy Workplace" option. The integration functions by enabling user profiles in Alta to allow access or moving users in to access groups.

How does it work? (Legacy Functionality without Badge Event Data)

  1. The employee has answered the preconfigured questions by the Envoy admins.

  2. They pass screening based on the set of rules(i.e. Have you been in contact with someone feeling ill over the past 14 days?)

  3. The employee will be approved for the next business day

  4. When they go to the office the next day, the employee will need to "sign-in" order for their credentials to reactivated to allow them to enter the building.

How to configure Avigilon Alta with Employees:

Choose your access method:

Registration and check-in for access

Requirements:

  • Users (employees) are not disabled by default, Envoy did not want to take on the liability to mass disable user accounts. The users must start in a disabled state in order for the integration to enable them later for access

  • In order to disable your employees access in Avigilon Alta, go to the User Profile and set an End Date for access.

Auto check-in with badge swipe

Requirements:

  • Employees remain active in Alta

    • In this case Envoy, does not toggle the user access off and on in Alta.

  • Health check/Registration questions must be disabled. To disable questions, go here, click advanced settings under the Employee reservation flow, and disable the questionnaire.

  • Auto-sign out must be enabled in Location Settings. If auto-sign out is disabled, then employees will remain signed in to the workplace and will not be signed in the next day with their badge swipes.

  1. Check the Envoy Workplace box to enable.

  2. Only match IDP users (OPTIONAL):

    1. If you would like to only match users synced into Avigilon Alta via IDP, please check this box.

  3. Employee Access Duration: Choose how long you would like Employees to be granted access.

  4. Employee Access Groups (OPTIONAL):

    1. If this box is checked, then groups will be assigned to employees when they sign in.

    2. Choose the groups to assign in the next step.

  5. (OPTIONAL) Excluded Employees

    1. Choose any employees you would want to exclude from the workflow.

  6. Access Methods: Choose your access method.

Badge Event Data

  1. In order to enable Badge Event Data, please check the Share Openpath Badge Event Data with Envoy checkbox and choose one of the following Badge Activity Workflow Options:

  2. Use the Webhook URL to link Envoy and Avigilon Alta in order to track badge events.

How to set up the link between Envoy and Alta for Badge Event Subscription

  1. From the Avigilon Dashboard, got to Configuration > Rules

  2. Create a rule. You can name this Rule "Envoy Badge Event". The trigger will be "Entry" and the event will be "Entry Unlocked."

  3. Under Actions, select Add Action.

    1. Set the type as "Webhook"

    2. Insert the Webhook URL from the Envoy Dashboard into the URL box.

    3. Set the HTTP method as "Post"

  4. Click Save.

  5. Now click edit on your newly created Rule.

  6. Check the "Use JSON Editor" checkbox.

    1. Enter the following into the "requests" object after "url:

      ,"body" : "{{json event}}"

  7. Click Save


    ***If you are configuring for only one location, you have finished the set up. If you are configuring for multiple locations, continue to step 8.***

  8. Create Conditional field and pick the site for the location.


  9. Click Save

  10. Repeat Steps 1 - 8 for each additional location.

    1. Each location must have its own rule.

    2. Each location will also have its own unique webhook URL located in the Employee Step (4) when configuring the integration from the Envoy Dashboard > App.

    3. You must install the integration at every location in Envoy.

How Envoy Visitors entries look in Avigilon Alta

In order to see Visitor Entries, Navigate to Reports > User Activity. Then, you will be able to sort by the bot you created. In this example, we sorted by the user "Envoy Bot Admin"


  • The information about the cloud credentials will be in the "DETAIL" column. The format for these messages is as follows: Envoy ${eventType} ID ${visitorId}, ${visitorName}

How cloud credentials are assigned to Envoy Visitors in Avigilon Alta

Once successfully configured, the Envoy + Alta app will create Cloud Credentials with the user your configured (e.g., Envoy Bot). This user will display the automatically generated temporary Cloud Credentials created for each visitor.

Below is an example of a Cloud Credential, issued over e-mail via Envoy and accessed on a mobile device:

Possible iterations of access

Uninvited visitor signs in

  • They receive access if entries are assigned to that visitor type.

  • They do not receive access if there are no entries assigned to that visitor type.

  • They do not receive access if the customer has selected “ONLY ALLOW INVITED GUESTS”.

Invite created without advance access

  • Credential link will be emailed and texted once the invitee has signed in.

Invite created with advance access

  • Credential link should be emailed x amount of time before scheduled arrival.

Invite is created with advance access and then the invitee signs in

  • The link will be emailed x amount of time before scheduled arrival.

  • The link will not be emailed on sign-in (no duplicate emails).

  • The link will be texted once the invitee signs in.

Invite created with advance access, but deleted > 24 hours of scheduled arrival

  • A credential will be created and removed, and no link will be emailed.

Invite created with advance access, but deleted on the day of scheduled arrival

  • A credential will be created and removed, but a link may still be emailed (though the access control page informs the user that they do not have access).

Invite is created with a visitor type that has access but updated to a visitor type without access

  • A credential will be created, but on an update, that credential will be removed.

Invite is created with a visitor type without access but updated to a visitor type with access

  • A credential will be created on the update.

Invite is created and then updated with a different arrival time

  • The existing credential will be updated with a new start and expiry time.

On any sign-out

  • If access was granted, access will be revoked during sign out.

Did this answer your question?