Skip to main content
All CollectionsAppsAccess Control
Avigilon Alta formerly Openpath
Avigilon Alta formerly Openpath

Build your system from the inside out using Alta as your end-to-end access control solution for visitors and auto check-in for employees.

Updated over a week ago

This integration can be used to restrict access to certain areas for visitors and automatically check in employees.

How does Avigilon Alta work with Envoy?

Build your system from the inside out using Avigilon Alta as your end-to-end access control solution. If you’re solving for spaces with both new and legacy systems, Avigilon Alta can be easily implemented to work with whatever you’ve got.

The Envoy + Alta app streamlines the process of logging and distributing access to visitors and employees. With in-depth customization options, including issuing access on either invites or guest sign-in, Envoy will create temporary Cloud Credentials in Avigilon Alta, which automatically and temporarily grants access to specific parts of your building — including automatic expiration and configurable access. Cloud Credentials are shared with your guests by either e-mail or SMS when a phone number is provided and do not require the Alta app to interact with.

For employees, access can be granted or revoked based upon their schedule and Envoy registration status.


  1. You will need administrative access on your Avigilon Alta ACU to complete this setup. Ensure you have administrative access or work with a local administrator before proceeding with the following steps.

  2. A Premium or Enterprise level plan from Avigilon Alta is required. These are paid plans. Please reach out to Avigilon Alta for more information.

Enabling Envoy + Alta

Pre-Configuration: The Envoy Bot

  1. Begin by creating a role for the Envoy Bot.

    1. Go to Users > Roles and click “Create New Role.”

    2. Ensure at least “read” and “write” permissions are granted for View, and View and Edit users.

    3. Ensure "read" permissions are granted for Sites, Entry states, and all Other site items.

  2. Create a user for the Envoy Bot.

    1. Navigate to Users and click the "+" in order to add a new user.

    2. The new user will require an email — if you don't have an administrative alias email address, you could consider something like [email protected], where the addition of “+envoybot” will help differentiate the user in Alta.

    3. The new user should have a recognizable “First” and “Last” name, we recommend “Envoy Bot”.

    4. The new user should have the “Status” defined as “Active” and the role created in the previous step is selected.

    5. Ensure “Portal Access” is toggled on for this new user, this will permit Envoy to access the API in order to generate cloud credentials for your visitors.

    6. Under the “Access” tab in the new user view, ensure the new user has access to all of the relevant doors. This access will later be used for mapping visitor types in Envoy to access permissions.

Step 1 and 2: Installing Alta on the Envoy Dashboard.

  1. After creating a user in Alta for Envoy, go to Apps > All Apps in the Envoy dashboard.

  2. Under Access Control, find Avigilon Alta, then click “Install.”

  3. In the API step, enter administrative credentials created in the first steps and click “Save” to continue. Also, select your region.

  4. On the Org step, select the desired Organization from the drop-down and click “Next Step” to continue.

The drop-down menu on step 2 is automatically populated based on the Orgs the administrative account provided in Step 1 has access to. If you do not see your intended Organization than you must revisit your permissions within Avigilon Alta.

Step 3: Envoy Employees + Alta

Envoy employee access can be enabled with Avigilon Alta. On Step 4 Employees, click the checkbox to enable the "Envoy Workplace" option. The integration functions by enabling user profiles in Alta to allow access or moving users in to access groups.

Choose your access method:

Check-in Required for Access


  • Users (employees) are not disabled by default, Envoy did not want to take on the liability to mass disable user accounts. The users must start in a disabled state in order for the integration to enable them later for access

  • In order to disable your employees access in Avigilon Alta, go to the User Profile and set an End Date for access.

    • NOTE: This is different from suspended. The users must be active in Alta, but their end date/time must be set to have passed. Envoy adjusts the end date/time when toggling access.

  1. Select Check-in required for access.

  2. Only match IDP users (OPTIONAL):

    1. If you would like to only match users synced into Avigilon Alta via IDP, please check this box.

    2. Note: Because the Identity Provider (IDP) has master control over a user's status in Alta, the access method "toggle user status" will not function while the box is checked. This is by design to prevent conflicts, as the IDP may alter access overriding Envoy. If you would like to only match users that are synced with IDP, you must use the "toggle access groups" option instead.

  3. Employee Access Duration: Choose how long you would like Employees to be granted access.

  4. Select Exempt Employees (OPTIONAL)

    1. Choose any employees you would want to exclude from the workflow.

  5. Access Methods: Choose your access method.

    1. Toggle user status

      1. Envoy edits the end time on the user profile enabling and disabling access.

    2. Toggle Access Groups

      1. Envoy adds and removes groups to user profiles in order to toggle access.

  6. Employee Access Groups (OPTIONAL):

    1. Choose the groups to assign if Toggle Access Groups was selected on previous step.

Auto-check in with Badge Swipe


  • Employees remain active in Alta.

    • In this case Envoy, does not toggle the user access off and on in Alta.

  • Health check/Registration questions must be disabled. To disable questions, go here, click advanced settings under the Employee reservation flow, and disable the questionnaire.​

  • Auto-sign out must be enabled in Location Settings. If auto-sign out is disabled, then employees will remain signed in to the workplace and will not be signed in the next day with their badge swipes.

  1. Select Auto check-in with badge swipe

  2. Select exempt employees (OPTIONAL)

    1. Employees selected here will not be signed in upon badge swipe

  3. Webhook URL: this URL will be needed for the configuration in Alta.

  4. Complete Badge Event Data Configuration in Alta (see green box below)

Badge Event Data Configuration in Alta

How to set up the link between Envoy and Alta for Badge Event Subscription

  1. From the Avigilon Dashboard, got to Configuration > Rules

  2. Create a rule. You can name this Rule "Envoy Badge Event". The trigger will be "Entry" and the event will be "Entry Unlocked."

  3. Under Actions, select Add Action.

    1. Set the type as "Webhook"

    2. Insert the Webhook URL from the Envoy Dashboard into the URL box.

    3. Set the HTTP method as "Post"

  4. Click Save.

  5. Now click edit on your newly created Rule.

  6. Check the "Use JSON Editor" checkbox.

    1. Enter the following into the "requests" object after "url:

      ,"body" : "{{json event}}"

  7. Click Save

    ***If you are configuring for only one location, you have finished the set up. If you are configuring for multiple locations, continue to step 8.***

  8. Create Conditional field and pick the site for the location.

  9. Click Save

  10. Repeat Steps 1 - 8 for each additional location.

    1. Each location must have its own rule.

    2. Each location will also have its own unique webhook URL located in the Employee Step (4) when configuring the integration from the Envoy Dashboard > App.

    3. You must install the integration at every location in Envoy.

Step 4: Envoy Visitors + Alta

Grant your visitors access as they sign into the office. Envoy will create temporary Cloud Credentials in Avigilon Alta, which automatically and temporarily grants access to specific parts of your building.

How to configure Avigilon Alta with Visitors:

  1. Visitor types to Atla entries.

    1. Select which entries you want to permit visitor types to access. The visitor will be given Cloud Credentials according to the entry that is selected.

    2. With the “Add another” button, you can map multiple visitor types to different entries.

  2. You can select several options of customization, including:

    1. Only Allow Invited Guests: Toggling this setting will switch to “Sign In” only Cloud Credential issuance when disabled, and “Invite” based Cloud Credentials when enabled. When this option is disabled the “ADVANCE ACCESS” and “ACCESS DURATION” fields can not be obeyed.

    2. Early Access: This is the length of time the Cloud Credential will work before the invited date and time (e.g., An invite may be for 8 PM on April 13th, but 15 minutes or even 12 hours prior to the meeting can be added to enable to the Cloud Credentials early, allowing visitors to access the facilities for parking or lodgings).

      1. Note: For Early Access, the OpenPath Access email will be sent upon creation of the invite, but access will not be granted until the day of the Visit.

    3. Access Duration: This is the length of time the Cloud Credential will work for. After the access duration expires automatically in Envoy the Cloud Credential will cease to work.

    4. Your Custom Logo (OPTIONAL): This is the logo that is displayed to visitors when they unlock doors with their temporary Cloud Credentials.

    5. Unlock Page Instructions (OPTIONAL): This is the additional instructions / messaging which is displayed to visitors when they unlock doors with their temporary Cloud Credentials.

    6. QR CODE

      1. Minimum and Maximum card ranges in addition to Facility Code, are required to issue credentials in a digital QR code format.

        1. These are card ranges are created and added to the user. The QR code is generated from the card #. The ranges follow the format that the Brivo side has configured, such as Wiegand 26 bit which gives you a range of 0 to 65,535.

How Envoy Visitors entries look in Avigilon Alta

In order to see Visitor Entries, Navigate to Reports > User Activity. Then, you will be able to sort by the bot you created. In this example, we sorted by the user "Envoy Bot Admin"

  • The information about the cloud credentials will be in the "DETAIL" column. The format for these messages is as follows: Envoy ${eventType} ID ${visitorId}, ${visitorName}

How cloud credentials are assigned to Envoy Visitors in Avigilon Alta

Once successfully configured, the Envoy + Alta app will create Cloud Credentials with the user your configured (e.g., Envoy Bot). This user will display the automatically generated temporary Cloud Credentials created for each visitor.

Below is an example of a Cloud Credential, issued over e-mail via Envoy and accessed on a mobile device:

Possible iterations of access

Uninvited visitor signs in

  • They receive access if entries are assigned to that visitor type.

  • They do not receive access if there are no entries assigned to that visitor type.

  • They do not receive access if the customer has selected “ONLY ALLOW INVITED GUESTS”.

Invite created without advance access

  • Credential link will be emailed and texted once the invitee has signed in.

Invite created with advance access

  • Credential link should be emailed x amount of time before scheduled arrival.

Invite is created with advance access and then the invitee signs in

  • The link will be emailed x amount of time before scheduled arrival.

  • The link will not be emailed on sign-in (no duplicate emails).

  • The link will be texted once the invitee signs in.

Invite created with advance access, but deleted > 24 hours of scheduled arrival

  • A credential will be created and removed, and no link will be emailed.

Invite created with advance access, but deleted on the day of scheduled arrival

  • A credential will be created and removed, but a link may still be emailed (though the access control page informs the user that they do not have access).

Invite is created with a visitor type that has access but updated to a visitor type without access

  • A credential will be created, but on an update, that credential will be removed.

Invite is created with a visitor type without access but updated to a visitor type with access

  • A credential will be created on the update.

Invite is created and then updated with a different arrival time

  • The existing credential will be updated with a new start and expiry time.

On any sign-out

  • If access was granted, access will be revoked during sign out.

Did this answer your question?