Visit Nexus to get an overview of Nexus' solutions, read customer cases, access the latest news, and more.

This article describes how to configure the Unison Pacom Service, to enable integration between Smart ID Identity Manager, Physical Access and Unison Pacom. 

Unison is an Access Control System provided by Pacom and managed by a GUI and a web service on the server and the service interacts with Unison through the wcf service. After integration, all administration of Users, Access Token and Entitlements (besides defining them) should be done in Identity Manager, never in Unison.

For details on which data can be imported and exported from Unison Pacom, see About import and export to Physical Access.

Expand/Collapse All


The following prerequisites apply:

  • Physical Access and Unison Pacom Docker container/service are installed. See Physical Access installation and upgrade.
  • The wcf service is installed.
  • The Message Queue Server must be running.
  • If MIFARE card technology is used, the PACS MIFARE number must be available as raw data (not encrypted, truncated, or similar). 
  • A working network connection to the connected physical access control systems (PACS) must be in place. 

Configure Unison Pacom Service data fields

The Unison Pacom data is configured in the configuration table in the Physical Access database. All configuration is cached when the service starts so any configuration changes will require the service to be restarted in order to take effect.

To connect to a PACS system:

  1. Log in to Physical Access admin panel as an admin user.
    All configured PACS connector services are listed, as well as Generic configurations to define the messaging queue. 
  2. Click on a system to do updates.
    All database entries are listed. 
  3. To update an entry, click on the icon. Edit as needed and then click Update
  4. To create an entry, click on +Create. Select Group, enter Key, Value and Index, and then click Create

group: messagingqueue

keyData typeRequired or OptionalDescription

IP Address of Message Queue Server. If it is installed on the local server then we can use localhost. If we are accessing this server remotely then need to mention IP address.


Username of message queue server.

Default value: “guest”


Password of message queue server.

Default value: “guest”


Defines which messaging queue to be used, either "rabbitmq" or "azureservicebus".

Default value: "rabbitmq"

group: general

keyData typeRequired or OptionalDescription

Defines if the user shall be deleted if no active entitlement assignment are present for that user.

Valid values: true or false.

Default: true


Defines if the user shall be deleted if no active access tokens are present for that user.

Valid values: true or false.

Default: true 



Heartbeat interval is the time difference between two successive heartbeats, and it is used to know if the system is in active (running) or in inactive (stopped) state.

Default value and minimum value: 60 seconds. If it is set less than 60 seconds, it will be considered as 60 seconds to update the status.

group: general

keyData typeRequired or OptionalDescription

The maximum number of messages read from the message queue.

Default: 100

group: unison

keyData typeRequired or OptionalDescription

The hostname and path to the Unison.AccessService. The path should always point to the .svc file for the service.

usernamestringRequiredThe username to use when connecting to the Unison Service.
passwordstringRequiredThe password to use when connecting to the Unison Service.
cardmaxlengthstringRequiredThis is maximum length of card number which we send to Unison. This is default setting in case of access profile setting is not available.
identifiertypestringRequiredThis is the type of identifier of access token. This setting indicates which type of identifier we want to use for card number.
personnumberfieldstringRequiredThis the unique value of person which is used to send on unison side to represent person uniquely.
layoutidentifiertypestringRequiredThe layoutidentifiertype is used to set identifier type of layout. This setting is required to configure access profiles.



group: cardformatmappings

The optional setting cardformatmappings can be used to configure access profiles. If cardformatmappings is used, then all its settings are required to be configured, otherwise the connector will throw an error. This setting directly depends on the setting layoutidentifiertype.

keyData typeRequired or OptionalDescription
layout stringRequired

This is the value of the identifierType which we have configured in setting layoutidentifiertype.

The connector will fetch the value of layout from access token identifiers, for example, Standard Magnetkort, and search in the configuration group cardformatmappings for the same value of layout, that is, Standard Magnetkort. If this setting is found, then the card will be exported with this configuration.

profilestringRequiredThe unison card profile to use when matching profiles to the Unison Service. For matching profile name, the profile key is assigned to the card.

A comma-separated list of identifier types to match in access token identifiers. If a complete list exists in the identifier, then the only system will transfer the data in the associated fields. Otherwise the card will be marked with errors. 

By default, the system will use the default profile from Unison with identifiertype and cardmaxlength configurations to transfer access tokens to Unison.

keyData typeDescription

A comma-separated list of unison system fields to transfer data. System will match predefined types CardNumber, SystemNumber, VersionNumber and MiscNumber.


A comma-separated list of access token format types to validate encoding format for the associated profile. The System will match predefined types Hex, Dec and Binary.


A comma-separated list of lengths of identifier types to validate the length of access tokens identifier.


The table below shows a sample configuration of an access profile called Standard Magnetkort. The access token identifiers are configured in the following way:

"Identifiers": [
   {"type": "mifare","value": "999809"},
   {"type": "Layout","value": "Standard Magnetkort"},
   {"type": "SystemNumber","value": "100000"},
   {"type": "VersionNumber","value": "01"}
14cardformatmappings0layoutUnisonStandard Magnetkort
15cardformatmappings0profileUnisonStandard Magnetkort

In the cardformatmappings configuration, remove extra spaces from key and value and make sure that all keys are in lowercase.

group: userfieldmappings

This mapping is used to export values of user related objects such as User, Email, Address, Phone and Useradditionalfields table fields to Unison fields. For exporting user table fields configuration settings will be combination of Table_name.column_name, field_id_of_Unison and for rest of the table it will be Table_name.value_type, field_id_of_Unison.


The service mainly transfers user data including related access tokens and entitlement assignments. The tables below show the default field mapping.

If needed, additional fields can be configured, using the SCIM API and useradditionalfield in the database configuration. 

User field mapping

By default, the following data is mapped between the USER table in the Physical Access and the Unison service: 

SR NoPhysical Access field (Web API)Unison field (UI)
1givenname (givenName)firstName (förnamn)
2familyname (FamilyName)lastName (efternamn)
3pin (Pin)pinCode (PIN)
4Collection of multiple fields of User,email,address,phone and emailfields(Fields defined in UI)

Access token field mapping

By default, the following data is mapped between the ACCESSTOKEN and ACCESSTOKENIDENTIFIER tables in the Physical Access and the Unison service: 

SR NoPhysical Access field (Web API)Unison field (UI)
1CardNumber (identifiers-type-value)CardNumber (Kortnummer)
2Configuration Card Profile (identifiers-type-value)ProfileKey (kort profil)
4Configuration Card Profile (identifiers-type-value)SystemNumber (Systemnummer)

Configuration Card Profile (identifiers-type-value)

6Variable “Misc-” + AccessTokenIDMiscNumber (Not on UI)

Entitlement assignment field mapping

By default, the following data is mapped between the ENTITLEMENTASSIGNMENT table in the Physical Access and the Unison service: 

SR NoPhysical Access field (Web API)Unison field (UI)
1assigneeid (assignee -value)userKey (Selected User Name)
2entitlementid (entitlement-value)groupKey (Group Name)
3validfrom (ValidFrom)validFrom (giltig fr.o.m.)
4validto (ValidTo)validTo (giltig t.o.m.)

Restart service

  1. Restart the Unison Pacom connector service:

    Restart Physical Access Unison Pacom connector
    cd <SMARTIDHOME>/compose/physicalaccess
    docker-compose restart smartid-pa-unison

This article is valid for Smart ID 21.04 and later.

Related information