Nexus Documentation

Space shortcuts

Page tree

CURL vulnerability information (CVE-2023-38545)
Nexus awareness advisory on Microsoft's update KB5014754

Visit Nexus to get an overview of Nexus' solutions, read customer cases, access the latest news, and more.

This article describes how to configure the Salto Service, to enable integration between Smart ID Identity ManagerSmart ID Physical Access component and Salto. 

The Access Control System Salto is managed by a GUI. The Salto Service interacts with Salto through a web-based API. After integration, all administration of Users, Access Token and Entitlements (besides defining them) should be done in Identity Manager, never in Salto.

For details on which data can be imported and exported from Salto, see About import and export to Physical Access.

Expand/Collapse All

Prerequisites

The following prerequisites apply:

  • Physical Access and Salto Docker container/service are installed. See Deploy Smart ID.
  • Supported Salto client version must be installed. Check the supported versions in Supported PACS connectors in Identity Manager.
  • The message queue server must be running.
  • If MIFARE card technology is used, the PACS MIFARE number must be available as raw data (not encrypted, truncated, or similar). 
  • A working network connection to the connected physical access control systems (PACS) must be in place. 

Configure Salto Service data fields

The Salto data is configured in the configuration table in the Physical Access database. All configuration is cached when the service starts so any configuration changes will require the service to be restarted in order to take effect.

To connect to a PACS system:

  1. Log in to Physical Access admin panel as an admin user.
    All configured PACS connector services are listed, as well as Generic configurations to define the messaging queue. 
  2. Click on a system to do updates.
    All database entries are listed. 
  3. To update an entry, click on the icon. Edit as needed and then click Update
  4. To create an entry, click on +Create. Select Group, enter Key, Value and Index, and then click Create

group: messagingqueue

keyData typeRequired or OptionalDescription
serverstringRequired

IP Address of Message Queue Server. If it is installed on the local server then we can use localhost. If we are accessing this server remotely then need to mention IP address.

usernamestringRequired

Username of message queue server.

Default value: “guest”

passwordstringRequired

Password of message queue server.

Default value: “guest”

systemstringRequired

Defines which messaging queue to be used, either "rabbitmq" or "azureservicebus".

Default value: "rabbitmq"

group: general

keyData typeRequired or OptionalDescription
deleteUserOnNoEntitlementstringOptional

Defines if the user shall be deleted if no active entitlement assignment are present for that user.

Valid values: true or false.

Default: true

deleteUserOnNoAccessTokenstringOptional

Defines if the user shall be deleted if no active access tokens are present for that user.

Valid values: true or false.

Default: true 

heartbeatInterval

intOptional

Heartbeat interval is the time difference between two successive heartbeats, and it is used to know if the system is in active (running) or in inactive (stopped) state.

Default value and minimum value: 60 seconds. If it is set less than 60 seconds, it will be considered as 60 seconds to update the status.

group: general

keyData typeRequired or OptionalDescription
updatesPerPollintOptional

The maximum number of messages read from the message queue.

Default: 100

group: Salto.import

keyData typeRequired or OptionalDescription
DbNamestringRequiredThe name of the database to be used by Salto.
connectionstring stringRequiredThe connection string to the Salto database.
departmentFilterstringOptional

Makes it possible to filter departments with the help of a department name available in Salto database, for example "Admnistration".

Default: NULL.

groupNameTemplatestringRequired

This string will separate the access group name and the department name if useSaltoDepartment is set to true.

Default: “{DepartmentName} – {Name}”.

useUpgradedVersionboolRequired

If set to true, the upgraded version of Salto (Salto Pro-Access Space) will be used. If set to false, the old version of Salto (Salto Pro-Access RW) will be used. 

The table that was called tb_departments in the old version changed name to tb_partitions in the upgraded version and added full supports for Zones, Rooms etc.

EntitlementTypestringRequired

EntitlementType is used to set which type of access elements Physical Access should import and export in Salto Pro-Access Space. Currently, these EntitlementTypes are supported:

EntitlementType

Description

ACCESSLEVEL

If EntitlementType is set to ACCESSLEVEL, only User access levels type access element are imported to Physical Access.

ZONEIf EntitlementType is set to ZONE, only Zones type access element are imported to Physical Access.
STANDARDIf EntitlementType is set to STANDARD, only Doors type access element are imported to Physical Access.
ROOMIf EntitlementType is set to ROOM, only Rooms type access element are imported to Physical Access.
LOCKERIf EntitlementType is set to LOCKER, only Lockers type access element are imported to Physical Access.
SUBSUITEIf EntitlementType is set to SUBSUITE, only SUBSUITE type access element are imported to Physical Access.
ASSOCIATEDIf EntitlementType is set to ASSOCIATED, only ASSOCIATED type access element are imported to Physical Access.
SUITEIf EntitlementType is set to SUITE, only SUITE type access element are imported to Physical Access.

To have support for two types, add it like “ACCESSLEVEL,ZONE”.

Default: “ACCESSLEVEL”.

Salto Pro-Access RW supports only "ACCESSLEVEL". The system will automatically override types configured with other than "ACCESSLEVEL".

group: Salto.export

keyData typeRequired or OptionalDescription
inactiveCardPrefixboolOptional

This is a string prefix to append with card number in case of access token is Inactive. It is used only when removeInactiveCard is false. In that case the title of the user will be inactiveCardPrefix followed by unique card number in such a way that the Title length will be 10. If prefix length is more than 10 characters, then all inactive access tokens of same person will have same title.

Default: "IN"

removeInactiveCardboolOptional

Set this to true if users should be deleted when the card becomes inactive. If it is false, the user will remain in the Salto system, and all the accesses and rom code will be removed, and Title will have the prefix followed by unique card number.

Default: false

importPathstringRequired

The path to the import folder, that the Salto connector can write files to, so that the Salto system can read them. 

Default: “C:\Salto”

For docker version, follow these steps:

  1. Mount the Salto Import directory on the host machine, see Mount Salto CIFS between Linux and Windows

  2. Update the same path in the docker-compose file by adding new volume mapping for the Salto service:

    volumes:
- "<Mount path of host machine>:<Mount path for Docker container>:rw"

example:
- "./mnt/salto_share:/mnt/salto_share:rw"

  3. Update the same path (/mnt/salto_share/) in the ‘importPath’ configuration setting for the Salto service using the Physical Access Admin Panel, see Log in to Physical Access admin panel.

  4.  If Salto connector service(container) is in running condition then restart it to reload updated changes.
importFolderstringOptional

The import folder, that the Salto connector can write files to, so that the Salto system can read them. 

Default: “General”

defaultValidationPerioduintOptional

The default validation period in days for cards that do not have this property set.

Default: 8

exportRowSuffixstringOptional

This value will be added to the end of a row in the files exported, for example "," or ";". 

Default: “”

accessGroupSeparatorstringRequired

This value defines the separator when printing out multiple access group IDs for a person. This value must be the same as the secondary separator in Salto when importing/syncing.

Default: “|”

allowMultipleDepartmentsboolOptional

If set to true, users are allowed to belong to multiple departments. For this scenario, the option Can insert external users into internal access levels in Salto Options > Departments must also be checked. 

Default: false

cardNumberLengthintOptional

The required length of the card number.

Default: 9

cardNumberIdentifierTypestringRequired

This setting indicates which type of identifier can be used for the card number.

Default: mifare

enableAuditOpeningsboolOptional

Set this to true if users should be logged in Audit Openings. This means that whenever there is any ‘key swapping’ / ‘card swapping’, the system should log that in the audit log and shown it in the Audit trail. The flag Audit openings in the key in Salto PACS Users > Key Options must be checked if users can be part of Audit Openings.

Default: true

layoutIdentifierTypestringRequired

This setting indicates which type of identifier can be used for the card layout.

Default: layout

ignoreCardsWithLayoutstringOptional

A “|”-separated string of card layouts that will be ignored when exporting.

Default: “”

useCardNumberAsTitle

bool

Optional

If set to true, the card number is exported into the title field in the user interface.

Default: “true”

userfieldmappingsstringOptional

This setting is the combination of additional fields which can be transferred to Salto. Five general purpose fields can be configured. They can be found in Tools > Scheduled Job

These fields can be shown in the UI by enabling them, using either of the following options:

  • In Salto Space: System > General > Users
  • In Salto: Tools > Configuration > General Options > Users

Set the value as follows: 

Value of userfieldmappings
table_name.value_of_type_column, sequence number of General Purpose fields

where table_name can be: user, email, phone, address or useradditionalfield.

Examples

  • To send the value of a specific column from the user table:
    • user.column,sequence_number

  • To send the value of a specific column from the email table:

    • email.type, sequence_number

See configuration examples in the table below. 

The sequence number added in userfieldmappings must match the sequence number which is configured in the scheduled job in Salto.

useDummyFieldAsCardNumberboolOptional

This setting indicates whether to populate card number in dummy field or not. If you want to populate data in dummy field, you must add field mapping in Salto using mapping configuration settings in Salto (System > Tools > Scheduled Jobs > PACS Import > Mapping Configuration > General Purpose Field 1 [GPF1])

Default: false

Example

Example configuration for userfieldmappings:

IdGroupIndexKeySystemValue
1salto.export0userfieldmappingsSaltouseradditionalfield.Department,1
2salto.export0userfieldmappingsSaltoemail.Work,2
3salto.export0userfieldmappingsSaltouseradditionalfield.Description,3

Make sure that the import fields in Salto(Salto System->Tools->Scheduled Jobs->PACS Import->Mapping Configuration) are configured in the following order. All bullets are static fields, except General Purpose fields which are dynamic and can be configured as user additional fields and tp populate card number data, as mentioned above.

  1. (Action)
  2. User ID
  3. Title
  4. First Name
  5. Last name
  6. Access Level ID List
  7. ROM code
  8. PIN code
  9. User expiration date
  10. Extended opening time
  11. Enable auditor in the key[AuditOpenings]
  12. Zone ID list[ExtZoneIDList] - Supported on Salto Pro-Access Space
  13. Access point ID list[ExtDoorIDList] - Supported on Salto Pro-Access Space
  14. General Purpose fields

The service mainly transfers user data including related access tokens and entitlement assignments. The tables below show the default field mapping.

If needed, additional fields can be configured, using the SCIM API and useradditionalfield in the database configuration. 

User field mapping

By default, the following data is mapped between the USER table in the Physical Access and the Salto service: 

SR NoPhysical Access field (Web API)Salto field (UI)
1givenName Cardholder > Users > First Name
2familyName Cardholder > Users > Last Name
3PinPin code

Access token field mapping

By default, the following data is mapped between the ACCESSTOKEN and ACCESSTOKENIDENTIFIER tables in the Physical Access and the Salto service: 

SR NoPhysical Access field (Web API)Salto field (UI)
1Card number of IDC
See more details in group: Salto.export above. 		Cardholder > Users > Title
2Card number of IDC in hexadecimal formatCardholder > Users > ROM code

Entitlement assignment field mapping

By default, the following data is mapped between the ENTITLEMENTASSIGNMENT table in the Physical Access and the Salto service: 

SR NoPhysical Access field (Web API)Salto field (UI)
1DisplayName (entitlement-DisplayName)

[EntitlementType : AccessLevel]  Cardholder > Users > User Access Level

[EntitlementType : Zone]  Cardholder > Users > Zones

[EntitlementType : STANDARD ,ROOM ,SUITE ,SUBSUITE ,ASSOCIATED ,LOCKER]  Cardholder > Users > Access Point

Restart service

  1. Restart the Salto connector service:

    Restart Physical Access Salto connector
    cd <SMARTIDHOME>/compose/physicalaccess
docker-compose restart smartid-pa-salto

This article includes updates for Smart ID 23.04.

Related information

Copyright 2023 Technology Nexus Secured Business Solutions AB. All rights reserved.
Contact Nexus | https://www.nexusgroup.com | Disclaimer | Terms & Conditions