1 Introduction:

Access Experts integration with the Facial Recognition readers manufactured by SAFR. The integration supports various versions of the SAFR readers which are referenced in this document. The integration is a licensed feature which enables the connection of SAFR Reader(s) to an Access Expert Instance and incorporates the readers as directly integrated/connected devices. There is no limit to the number of SAFR Readers that can be on a single system and there is no need for a local SQL database engine or SAFR enrollment station.

Upon initial release, the integration will treat the SAFR Reader as an intelligent controller but a separate controller is utilized to control the I/O for a door. In future versions of the integration, the SAFR reader will be treated as an intelligent controller and a door controller thus eliminating the need for an additional controller.

Through the use of Event Definitions and Alarm Actions, the integration can also be expanded to enable custom alarm and alert notifications which are generated from within the Access Expert system, allowing for features like immediate notification if disconnected, Execute Procedures or other actions available when using Event Definitions and Alarm Actions.

Connecting SAFR SCAN Facial Recognition readers with Access Expert will allow SAFR SCAN to be managed through Access Expert’s Desktop, Web or Mobile client, synchronized people between Access Expert and all connected SAFR SCAN devices, and aggregate and review events in Access Expert including monitoring and reporting.

Depending upon the SAFR SCAN ordered, the units can provide single form to three from authentication including face, PIN and Card.

1.1 Prerequisites:

1. Access Expert Hosted Instance
2. Access Expert SAFR Reader license(s)
3. SAFR Reader
4. Mercury Controller

It is recommended that System Integrators become familiar with the 3^rd Party products supported by Access Expert.

1. For complete SAFR and SAFR SCAN documentation, please visit: http://docs.real.com.
2. For complete SAFR online training, please visit: https://safr.com/resellers/
3. Mounting and installation instructions can be found here: https://docs.real.com/guides/scanquickstart/SAFR+SCAN+Quick+Start+Guide.pdf

Similar to setting up a traditional intelligent controller in an Access Expert system, the deployment of a SAFR Reader(s) will require some setup of the reader through its internal web page as well as configurations within Access Expert. Advanced features are setup within the SAFR Reader itself.

1.2 SAFR SCAN Layout

Light Ring

IR & LED Lights

Camera

Video Area

Speaker

Microphone

SAFR SCAN’s are available in a variety of versions.

SFR-SC100	Facial Authentication Indoor/Outdoor Station, RGBIR Sensor, Face Priority Auto Exposure, 3.5”/9cm Capacitive Touch Screen, IR LED, White LED, Wiegand, OSDP, I/O, Audio Full Duplex, PoE/12V DC
SFR-SC200RF	Facial Authentication Indoor/Outdoor Station, RFID 26, 34, 35, 37-Bit, Custom up to 254 Bits, RGBIR Sensor, Face Priority Auto Exposure, 3.5”/9cm Capacitive Touch Screen, IR LED, White LED, Wiegand, OSDP, I/O, Audio Full Duplex, PoE/12V DC
SFR-SC50	Facial Authentication Door Station, RGBIR Sensor, Face Priority Auto Exposure, 1.3” Capacitive Touch Screen, IR LED, White LED, Wiegand, OSDP, I/O, Audio Full Duplex, 12V DC. Indoor rated only.
SFR-SC50-SB	Facial Authentication Door Station with SRF-SB75, RGBIR Sensor, Face Priority Auto Exposure, 1.3” Capacitive Touch Screen, IR LED, White LED, Wiegand, OSDP, I/O, Audio Full Duplex, Ethernet, PoE/12V DC. Indoor rated only.
SFR-SB75	Secondary Box for PoE and Network Connection. Remotes connections away from SAFR SCAN.
SFR-SCWDG-20	Wedge Mounting Adapter

1.3 Deployment Sequence:

It is recommended that the installation and configuration process start with the Access Expert portion. For this, the reader should be created in Access Expert and its MAC address entered. This is done to ensure the reader knows where to call home. The status will show “Unknown” which is normal.

Once completed, the commissioning can then start within the SAFR SCAN’s Web Console. Some things to note prior to starting:

1. The Unlimited Access Level referenced in the setup process will automatically be created. DO NOT create one manually.
2. The SAFR SCAN reader requires a SAFR Service account similar to LDAP and Bosch. This too is automatically created in the background. The SAFR Commands option in the Event Types for an Operator Group can be ignored. This is for future expansion of the integration.

1.4 Types of Settings:

There are three types of Settings associated with the SAFR reader. More information on the differences will be provided in the appendix.

• Managed settings- Edited through the Access Expert Client.
• Unmanaged settings- Edited through SAFR SCAN Web Console only while disconnected from the Access Expert system. These are less commonly used settings that are generally modified once (before connecting) but can be modified at any time.
• Console only Settings- Edited through SAFR SCAN Web Console. These are settings that are specific to each device and generally only set during initial configuration.

Once the initial setup is completed in the SAFR Readers Web Console, the settings needed to bring the reader into Access Expert can be managed from within Access Expert.

1.5 Known Limitations:

Upon initial release, the following functional items are not supported. As the integration matures, additional functionality will be incorporated and supported.

1. SIP Intercom
2. RSTP video feed directly to Access Expert
3. Mobile ID’s

1.6 Setting up a SAFR Reader in Access Expert

Log into your Access Expert System.

1. Navigate to Hardware Provisioning  Controllers

2. Look for SAFR Controller from the drop-down list and select it. Only Instances that are licensed for SAFR will show this option.

At the minimum, enter the following information:

1. Set the Display Name

2. Paste or Enter the SAFR Readers MAC address

3. Set the Time Zone

4. Enable Wiegand Controller Output

5. Click Save

Other items shown in the Readers setup screen will be review later in this document. Not all settings are configured from Access Expert at this time.

The SAFR MAC address can either be captured from the devices Web Console, from the box or from the printed sticker on the reader itself.

Note the Enable Wiegand must be

selected before you do the setup in the

SAFR Web Console. If not, Access

Expert will override the setting in the

SAFR Reader.

Upon initial setup, the SAFR Reader will show an “Unknown” status which is normal. Once the SAFR setup is completed in the following steps and the reader makes its connection, the status in Access Expert will turn Green and show Online.

1.7 Setting up a SAFR Reader

The SAFR Readers can be locally powered or powered by POE. They also support either DHCP or Static IP addresses. It is best to determine the best setup with the local IT department but for the case of this document, we will be using POE for power and DHCP for the network parameters.

Once the reader has been removed from the packaging and installed, it is ready to be powered up. Once power is applied, take note of the screen as the reader will flash it’s IP address briefly. You will use this IP address to navigate into the SAFR SCAN Web Console page. The SAFR SCAN Web Console is used to initially configure a reader for the following purposes:

1. Initial connection to Access Expert Instance (called Server Address)

2. Adjust unmanaged settings.

3. View live activity on the reader for purposes and configuration and troubleshooting.

See SAFR SCAN Web Console for details on using this tool.

Take note of the items in this guide which need to be configured in the SAFR Reader through the Web Console before pointing the Reader to Access Expert.

Reader Boot Time: Roughly 120 Seconds

IP Address Display Time: 2 Seconds

Once connected to the reader through the Web Console, an account must be created.

1. Once browsing to the reader based upon the IP address, a System Logon Setup screen will be presented.

a. Set the desired password

b. Enter the email address to be used for recovery when needed

c. Click Apply

d. The system will then bring you to the official Logon Screen where you will re-enter the User Identifier and Password.

2. It is important to make sure the Time Zone settings in the SAFR Console match what is set in Access Experts SAFR Configuration page. Conflicting Time Zones will prevent the reader from coming online.

a. Navigate to the System Tab

b. Select Date and Time

c. Choose the applicable Time Zone.

d. The SAFR Reader will automatically Reset to allow the changes to be applied.

Once that account is created:

1. Go to System  Network

2. Copy the MAC Address for the reader. This MAC address is what will be used in Access Expert to complete the controllers connection to the Access Expert Instance.

1.8 Access Level and Access Clearance Mapping

When working with SAFR SCAN, each Access Expert Cardholder should be assigned one Access Level only as the SAFR SCAN supports only one Access Level (in SAFR these are called Access Clearances but essentially the same). When Cardholders are loaded onto each SAFR SCAN, only one Access Level assigned to the person is added to SAFR and then assigned to that person record.

During the initial setup from the SAFR Web Console, Navigate to Operation, then select Access Control. Check the “Unlimited” Access Clearances Accepted option as this will be the name of the Access Level automatically created in Access Expert. DO NOT manually create the Unlimited Access Level in Access Expert.

It is expected that if that Cardholder needs additional Access Levels beyond the applicable SAFR SCAN Unlimited Access Level, that they will be managed from within Access Expert. Within Access Expert, the readers associated with Unlimited will be determined.

Through the Web Console, the Readers Display Screen Image can also be changed. Navigate to Operation then select Display. Selecting “Custom” from the Display Image When Inactive drop down will allow a png. or jpg. file to be uploaded to all connected readers.

1.9 Connecting the SAFR Reader to Access Expert

Still working in the SAFR Web Console, the reader needs to be directed to the Access Expert Instance. To do this, navigate to the System menu:

1. Select SAFR Server

2. Select SAFR Server from the Server Connected drop down.

3. A second setup screen will open to finish the connection.

4. Enter the API Address Instance: safr.us.feenics.com

5. Set the Ports to 443

6. Enter the Server User Identifier which is the Admin Account created in Access Expert for the SAFR Service.

7. Enter the Password for the Admin Account

8. Click Connect

While in the System Tab, make sure the Wiegand connection to Control Panel is Enabled. This will also apply to the SAFR Reader setup within Access Expert. On the readers Configuration screen is a check box for enabling the same setting that will need to be checked.

Once connected, the SAFR Server Status will show a Green “OK.” This should happen within 2-3 seconds. Note that the COVI Port may show an error for up to 15 seconds.

At this stage, you are now finished and the reader should show green in Access Expert.

Note if any of the Unmanaged or Web Console settings need to be changed in the future, change the Server Connected drop down to “None.” This will allow you to make those necessary changes. When the setting is “None,” the reader will show as offline in Access Expert. The Connection Settings information is not cached so it is a good idea to screen shot them or write them down.

Once you are ready for the reader to be back on Access Expert, repeat steps 1-7 above to reconnect the reader to Access Expert

1.10 Card Formats

When working with SAFR SCAN, each SAFR SCAN Controller can be assigned one Access Card Format only. SAFR SCAN supports only one Card Format per reader. The card format is assigned to the reader and so all persons using that reader must use the same Card Format. This is true whether using the internal card reader on SAFR SCAN RF models or using an external card reader connected through SAFR SCAN's Wiegand or OSDP inputs.

If the Facility ID on a Card Format is changed after adding people who are associated with that card format, then those person records must be updated in order to force the updated Facility Code to be updated in SAFR.

1.11 Card Credentials

When working with SAFR SCAN, each Access Expert Cardholder should be assigned one Access Card only. SAFR SCAN supports only one credential per person. When migrating a person record to SAFR SCAN, only one Access Card ID is added to SAFR.

When a person record is added to SAFR SCAN, only the Access Card ID is copied to Access Expert. The Access Card Facility ID in the SAFR person record is ignored.

Personnel synchronization automatically occurs between Access Expert and SAFR. Cardholder records and their credentials are copied from Access Expert and shared with all SAFR SCAN devices connected to the specific Access Expert Instance. Synchronization is bidirectional and occurs in the background.

SAFR will synchronize people and credentials as follows:

• At initial connection time, all records pre-existing in Access Expert are copied to SAFR.
• From then on:
  • Records added to Access Expert are copied to all SAFR SCAN readers.
  • Records added to a SAFR SCAN are copied to Access Expert (and then down to all readers).
• Changes to records in Access Expert are updated in SAFR and vice versa.
• Only records with access credentials or an image will be copied to SAFR.
• Removing credentials and the image in Access Expert result in the record being removed from SAFR and vice versa.
• Setting record to inactive in Access Expert removes the record from SAFR.

1.12 Connecting to a Controller

With the current integration, the I/O associated with an actual door or opening is still controlled through a Mercury controller. The SAFR Readers outputs can either be connected to a reader port on an Intelligent or Downstream controller.

1.13 Enable SAFR SCAN Device for the appropriate connection type

To configure the SAFR SCAN reader for Wiegand, OSDP, or Relay do the following:

1. Enable Wiegand, OSDP, or Relay outputs as needed (see wiring diagram on flip side).
   1. Wiegand: System > Wiegand > Wiegand connection to Control Panel = Enabled.
   2. OSDP: System > OSDP > OSDP connection to Control Panel = Enabled.
   3. Relay: System > Door Strike Relay > Electric door strike relay = Enabled (adjust duration if needed).

At this point, the SAFR SCAN should be sending signals to the PACS panel to control the door.

1.14 Enrolling Cardholders

Operators have a few options when it comes to enrolling people into the system. Regardless of path used, Access Expert will synchronize the data not only with itself but also with the SAFR SCAN Readers connected to the Instance. Enrollment can be completed from:

1. Access Expert Windows Client
2. Access Expert Mobile App
3. Access Expert Web Client
4. SAFR Web Console

For the purposes of this document, we will focus on the Windows Client and Mobile Application.

1.15 Windows Client Enrollment

The process to add a person from the Windows Client is no different than adding a person who has a card only. You can opt to exclude adding a Card Assignment to the person but it is generally recommended that a Card Number be assigned to the Persons Record.

It is important to note that though the SAFR Reader supports a single Access Level, the Cardholder can have additional Access Levels assigned to their record for other doors or areas.

Take note that as card holder information is populated in Access Expert, a Card Number is still assigned to the person as well as a PIN if applicable. As this information is entered into Access Expert, it will be shared with the SAFR reader so it can be incorporated locally. The SAFR reader will assign a unique HEX Value to the record which is then automatically sent back to Access Expert so the card holder record can be updated.

*** In actual deployments, only 1 persons picture should be cropped.

Administrators DO NOT have to manually calculate nor enter the HEX value. The HEX value is not utilized at this point for Access Control so in the event no HEX value is assigned, the card holder account will still operate. The SAFR Reader will also assign a unique ID to each record which is applicable between Access Expert and SAFR. The ID is associated with the card holders record as long as they are in Access Expert.

If doing bulk importing of card holders, the Unlimited Access Level is the trigger for the sharing of information with the SAFR Reader. It is advised to not include the Access Level in the bulk import file and to add it to the card holders record as their image is captured. Note the HEX value is not needed at this time but

1.16 Mobile Client Enrollment

Another option is to utilize the Access Expert mobile application which is available for both IOS and Android devices. The mobile app approach means Operator staff can capture images on-site or off-site and not require employees to physically come to the security or HR office.

From the mobile app:

1. Select the People List from the bottom of the app.
2. Select Add New Person
3. Assign Name and other applicable information (Card number, Access Level, etc)
4. Click the Body image to activate the mobile devices camera
5. Take the picture and crop as needed
6. Click Save

*** In actual deployments, only 1 persons picture should be cropped.

1.17 Appendix:

Types of Settings:

1. Managed Settings:

a. Display Name

b. MAC Address (setting)

c. Card Format

d. Time Zone

2. Unmanaged Settings:

a. Tailgating

b. Sound Settings

c. Monitoring (Enable/Disable age & gender

d. Camera (Exposure, White Light & IR Levels

e. Image (Brightness, Contrast, Color Saturation, Sharpness)

f. Display (Brightness, Display image when inactive, LED Color, Display Message, Attendance)

g. Firmware update

3. Console Only Settings:

a. SAFR Server – Used to connect the reader to SAFR Server or Cloud.

b. Video Streams – Configure RTSP outputs.

c. Network – Configure device network interface.

d. OSDP – Modify OSDP Input and output settings.

e. Date and Time – Configure device date/time.

f. Reset – Reset the device to factory defaults.

4. Other Settings:

a. Access Mode – Specifies which kind of user authentication to be used.

i. Face Recognition

ii. Face Recognition and Access Card

iii. Face Recognition or Access Card

iv. Access Card

v. Disabled
Note that "Access Card" in the options above refers to any Wiegand-capable or OSDP-capable authentication device that you connect to the SAFR SCAN device.

b. Confidence Level - Specifies how strict you want the SAFR SCAN access control system to be. There are two options:

i. High: High face match confidence is required. With this option selected SAFR SCAN has a 99.9996% accuracy rate, which is more than sufficient for the vast majority of use cases.

ii. Extreme: Extreme face match confidence is required. With this option selected SAFR SCAN has a 99.999996% accuracy rate. Selecting this option can cause SAFR SCAN to be overly strict, resulting in authorized people occasionally not being granted access.

c. Spoofing Protection Level - Specifies what level of anti-spoofing protection you want to use:

i. None (masks allowed)

ii. Standard (masks allowed)

iii. High (beta: masks not allowed)

iv. Extreme (beta: masks and direct sun not allowed)

d. Backlight Compensation Level

e. Camera White Light

f. Camera IR Light

g. Display Mode – Specifies when the SAFR SCAR devices video region displays the devices camera feed. There are 3 possible options:

i. Activate when face is detected

ii. Always on

iii. Always off

h. Face Activation Distance - Specifies when the SAFR SCAN device's video region will wake up and start displaying video. There are three possible options:

i. Far

ii. Intermediate

iii. Near

i. Keypad Layout

j. Grant Wait Time- Number of seconds to wait before granting an authorized person access.

k. Deny Wait Time - Number of seconds to wait before denying access to an unauthorized person. We recommend setting this to a non-zero value because sometimes the initial face recognition attempt will fail to match an enrolled person due to a temporary condition. (e.g.a bad angle, momentary bad lighting, etc.) Setting this value to 1 second (or more) gives subsequent face recognition attempts a correct for any temporary bad conditions that may arise.

l. Second Factor Wait Time - Number of seconds to wait for the second authentication method to validate. If the second authentication method validates after this wait time has been exceeded, then the user will be required to validate the first authentication method again.

m. Sound Volume

n. Brightness Display

o. Enable Wiegand Controller Output - Enables the WIEG OUT EXT0 and WIEG OUT EXT1 pins on the SAFR SCAN Device, which are used to connect a physical access control (PAC) panel. When a user is authenticated, SAFR SCAN will send their credentials to the connected PAC panel, causing the door the PAC panel controls to unlock.

p. Enable Wiegand Reader Input - Enables the WIEG IN EXT0 and WIEG IN EXT1 pins on the SAFR SCAN Device, which are used to connect Wiegand-capable authentication devices. Card readers are most commonly used, but you could also connect other devices such as fingerprint readers. When a user successfully uses the device to authenticate, the device will send their credentials to SAFR SCAN.

q. Enable Door Strike Relay – Allows the SAFR SCAR reader to control the internal strike relay based upon an Access Granted.

r. Disable Controller

1.18 Documenting IP Addresses

At some time in the future, you will need to reconnect to the readers Web Console for system changes. If using Static IP addresses, it is recommended that you document the IP address of the reader as an attached note to the device. To do this:

1. Right Click the reader

2. Choose Notes from the menu

3. Type in the IP address in the lower field

4. Click Save & Close

1.19 People Attribute Mapping

The following is the current imported and supported fields associated with people that are mapped between SAFR and Access Expert.

Access Expert	SAFR
Person / First and Last Name	Person / First and Last Name
Person / Identification Photo	Person / Identity Image
Credential / Access Card ID	Person / Access Card ID
Controller / Card Format	Reader / Access Card Format
Card Format / Facility code	Person / Facility ID
Card Number	Access Card ID
Person / Access Level	Person / Access Clearance

1 | Page