Document toolboxDocument toolbox

Nexus Documentation
CURL vulnerability information (CVE-2023-38545) - Nexus awareness advisory on Microsoft's update KB5014754

Set up integration with Bewator Omnis

Owned by Karolin Hemmingsson (Unlicensed)
Last updated: Feb 06, 2024 by Josefin Klang (Deactivated)
5 min read

This article is valid for Smart ID 21.04 and later.


This article describes how to configure the Bewator Omnis Service, to enable integration between Smart ID Identity Manager, Physical Access and Bewator Omnis. 

Bewator Omnis is an Access Control System provided by Vanderbilt and managed by a GUI and API to interact with Bewator Omnis through the OmnisAPI.DLL. After integration, all administration of Users, Access Token and Entitlements (besides defining them) should be done in Identity Manager, never in Bewator. 

For details on which data can be imported and exported from Bewator, see About import and export to Physical Access.

Prerequisites

The following prerequisites apply:

  • Physical Access and the Bewator Omnis Docker container/service are installed. See Deploy Smart ID.
  • Bewator Omnis server version 6.2.110 or newer is required. The Omnis API (DLL) version 2.2 is required to interact with Bewator Omnis.
  • The message queue server must be running.
  • If MIFARE card technology is used, the PACS MIFARE number must be available as raw data (not encrypted, truncated, or similar). 
  • A working network connection to the connected physical access control systems (PACS) must be in place. 

Install IIS web server

To host the Bewator Omnis Web Service on the Omnis Server, an IIS server must be installed. 

  1. If an IIS server is not installed, then follow Step 1 in https://docs.microsoft.com/en-us/iis/manage/creating-websites/scenario-build-a-static-website-on-iis. to install it. 
  2. Host the web service /BewatorOmnisWebService/, according to Step 2 in the lsam article.

  3. Verify that the web service is hosted correctly, by browsing to the URL: 

    Example: Bewator Omnis web service URL
    http://localhost:<port>/BewatorOmnisWebService.asmx
  4. Configure the following parameters in the web service configuration file \BewatorOmnisWebService\Web.Config
keyData typeRequired or OptionalDescription
omnisipstringRequired

The omnisip is the IP address of Omnis Bewator server where application has been installed.

omnisport intRequired

The port number where Omnis Bewator server is listening. You can find this in the Omnis application at File > Setting > System Setting in the tab connection TCP/IP-port for the BAPSI-protocols.

Omnisidentifier stringRequired

The Omnis Identifier is a unique identifier which is generated when we install Bewator Omnis and add license key. This identifier is required to connect API to the Omnis Server. You find this identifier at File > Person Registry > Administration tab > External Connection. Double click on the external connection and a popup will appear. In this popup we will get the Identifier.

Configure Bewator Omnis Service data fields

The Bewator Omnis data is configured in the configuration table in the Physical Access database. All configuration is cached when the service starts so any configuration changes will require the service to be restarted in order to take effect.

Configure database

For information about how to connect to a PACS system, see Connect to a PACS system in PACS admin panel.

For information about group: messagingqueue, see Physical Access database - common parameters.


group: general

keyData typeRequired or OptionalDescription
updatesPerPollintOptional

The maximum number of messages read from the message queue.

Default: 100

group: BewatorOmnis

keyData typeRequired or OptionalDescription
OmnisWebServiceUrlstringRequired

This is the URL of the OmnisWebService hosted on the Omnis Server.

Example: http://localhost:/BewatorOmnisWebService.asmx

cardnumberpaddinglength intRequired

This is a default setting which indicates max length of Access Token number and if number is less than 16 then prepend 0 (zero) to that number. For example, If access token is 1234567 and cardnumberpaddinglength is 10 then access token number will look like this 0001234567.

identifiertypestringRequired

Identifier type is the type of identifier which decides which identifier of access token use for access token number.

accessgroupdelimiterstringRequired

Access group delimiter is used to concatenate organization id and department id and same for name of entitlements like 1-2 and My organization – Department.

homeorganization stringRequiredHome Organization is the organization in Bewator Omnis. Home organization is used while creating users.
entitlementimporttype stringRequired

This type is use to set structure of import and export. Possible values are listed in the following table:

import typeDescription
Department

Used to manage entitlements as a combination of Organization and Department, while ignoring import of access groups.

During export, only the Department entitlement type will be exported. If the entitlement type is not Department, and the entitlement exists in Omnis, then it will be removed from that user.

Organization

Used to manage entitlements by Organization only, while ignoring import of access groups and departments.

During export, only the Organization entitlement type will be exported. If the entitlement type is not Organization, and the entitlement exists in Omnis, then it will be removed from that user.

AccessGroup

Used to manage entitlements by AccessGroup only, while ignoring import of organizations and departments.

During export, only the AccessGroup entitlement type will be exported. If the entitlement type is not Accessgroup, end the entitlement exists in Omnis, then it will be removed from that user.

AccessGroupDepartment

Used to manage entitlements as a combination of AccessGroup and Department, while ignoring import of organizations.

During export, both the AccessGroup and Department entitlement type will be exported. If the entitlement type is not AccessGroup or Department, and the entitlement exists in Omnis, then it will be removed from that user.

AccessGroupOrganization

Used to manage entitlements as a combination of AccessGroup and Organization, while ignoring import of departments.

During export, both the AccessGroup and Organization entitlement type will be exported. If the entitlement type is not AccessGroup or Organization, and the entitlement exists in Omnis, then it will be removed from that user.

Example

IdGroupIndexKeysystemvalue
1general0updatesperpollBewatorOmnis100
2BewatorOmnis0deletepersononnoaccess BewatorOmnisfalse
3BewatorOmnis0cardnumberpaddinglength BewatorOmnis16
4BewatorOmnis0identifiertypeBewatorOmnismifare
5BewatorOmnis0accessgroupdelimiterBewatorOmnis-
6BewatorOmnis0homeorganization BewatorOmnis

Home Organization


group: omnis.export

keyData typeRequired or OptionalDescription
userfieldmappingsstringOptional

The userfieldmappings is the combination of all additional fields which we can send to Bewator Omnis. Currently, we can configure fields (Address, Email, PhoneHome, PhoneMobile, PhoneOffice and Remark) of Omnis. To export these fields to Omnis, we need to do the following configuration.

The value in configuration setting is a combination of table_name.value_of_type_column,field_name_of_omnis. This configuration setting is the mapping between the Physical Access table field and the Omnis field. We can send user column fields by adding configuration like user.column_name,omnis_field_name.

Example

The following is an example of userfieldmapping:

IdGroupIndexKeysystemvalue
14omnis.export1userfieldmappingsBewatorOmnisphone.mobile,PhoneMobile
15omnis.export1userfieldmappingsBewatorOmnisAddress.work,Address
16omnis.export1userfieldmappingsBewatorOmnisEmail.work,Email
20omnis.export1userfieldmappingsBewatorOmnisphone.home,PhoneHome
21omnis.export1userfieldmappingsBewatorOmnisphone.office,PhoneOffice
22omnis.export1userfieldmappingsBewatorOmnisuseradditionalfield.remark,Remark

Bewator Omnis field mapping

The service mainly transfers user data including related access tokens and entitlement assignments. The tables below show the default field mapping.

If needed, additional fields can be configured, using the SCIM API and useradditionalfield in the database configuration. 

User field mapping

By default, the following data is mapped between the USER table in the Physical Access and the Bewator Omnis service: 

SR NoPhysical Access field (Web API)Bewator Omnis field (UI)
1Service Configuration (homeorganization)Organization (Organization directory on UI)
2givenname (givenName)givenname (givenName)
3familyname (FamilyName)LastName (Sirname)
4pin (Pin)PIN (PIN)
5validto (ValidTo)validTo (Time limit access To)

Access token field mapping

By default, the following data is mapped between the ACCESSTOKEN and ACCESSTOKENIDENTIFIER tables in the Physical Access and the Bewator Omnis service: 

SR NoPhysical Access field (Web API)Bewator Omnis field (UI)
1CardNumber (identifiers-type-value)CardCode (Kortnummer)
2assigneeId(assignee)AssignedPersonId (User)
3As per ValidTo and Status of CardStatus (Status)

Entitlement assignment field mapping

By default, the following data is mapped between the ENTITLEMENTASSIGNMENT table in the Physical Access and the Bewator Omnis service: 

SR NoPhysical Access field (Web API)Bewator Omnis field (UI)
1assigneeid (assignee -value)ExternalId (Selected User Name)
2Entitlement.ExternalId (First part before Group delimitator)Organization (Organization)
3Entitlement.ExternalId (Second part after Group delimitator)Department (Department)
4Entitlement.EntitlementTypeUsed to set type of structure we want to use to import and export entitlement assignment.

Restart service

  1. Restart the Bewator Omnis connector service:

    Restart Physical Access Bewator Omnis connector
    cd <SMARTIDHOME>/compose/physicalaccess
docker-compose restart smartid-pa-omnis


Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.
Contact Nexus | https://www.nexusgroup.com | Disclaimer | Terms & Conditions