
Bolid integration in 1C or how we tamed the access control system



Somewhere around 2009, when there was still no talk of the group of companies in its current form, i-Free rented space in a business center, first occupying one room and expanding over the years.
Branches in six countries and a "tight" fit across four business centers in St. Petersburg were still ahead; for now there were only 5 offices at different ends of the corridor and even on different floors. The corridor was shared with other tenants, and entry to the business center was unrestricted. When running over to colleagues in another office, people often forgot to lock the door with a key, so access control became a necessity. We thought about the solution, and the choice fell on Bolid.


Why Bolid? There were no alternatives: it was what had already been deployed in the business center, so we "extended" it for ourselves, simply because the necessary specialist was "at hand".
We quickly decided to separate our system from the business center's so that there would be no disputes over access to and control of the ACS.
Once we had more premises, we abandoned the contact "tablet" keys in favor of more convenient contactless ones. EM-Marine readers and cards appeared. We bought "as many as 150 cards" and entered them into the system.
The system was designed and assembled, setup was finished, cards were issued, and daily work began.

I will omit the pros, I will write about the cons, so that it is clear how and why we came to the current system.

So, the cons:

- simply issuing a card requires a specialist who has been trained to work with the very intricate Bolid interface and has the appropriate access to the control program. That means "you cannot go on vacation, you cannot be ill, and dying is forbidden under penalty of death";
- it very quickly became clear that cards need not only to be issued but also replaced. As the company grew past 200 employees, at least 2 cards a week were lost;
- much more often it was "oh, I left mine at home today, give me a card". Up to a dozen a day;
- and "we have guests from Beijing, 10 people, in the corridor, we urgently need cards ... what do you mean you have no time? I need them!";
- duplicated data entry: the personnel officer enters information about the employee in 1C, the administrator in AD, the ACS engineer in Bolid. Three times;
- also, the company pays for its employees' meals, and the idea was always in the air: "how could we pay for meals in our cafe with the cards";
- "it would be nice to have such-and-such a report, all movements are logged after all ... what do you mean you cannot make a report? It's a database ...". At that time Bolid did provide reports, but for money, and only a very limited set of them.

Implementation

The first step towards integration was moving the Bolid database to the server. A description of the database exists, so we tried connecting from 1C, and hurray! The issue with reports was resolved: whatever we want, we get.

As time went on, a system for paying for meals by card was developed, a forerunner of the current one for Lunch.
The meal system required the Mifare format in order to organize a "wallet" on the card, so we had to replace all the readers. That was the next stage.

At some point we outgrew "our" business center and rented an additional two floors in another one. We connected the remote premises over the local network; fortunately, Bolid allows such an architecture. Much later, even branches in Moscow, Ukraine, and Kazakhstan were connected to our system.

The turnstiles at the entrance to the second business center remained a bottleneck: our Mifare readers had to be attached to other people's devices that worked with EM-Marine. While "on the floors" we controlled entry to our premises ourselves, "at the turnstiles" we had to regularly hand over lists of keys, new and blocked. This happened once a week, which created problems for those who had lost a card and for new employees. At some point we managed to agree with the remote business centers to install, in parallel, not readers but our own devices connected via the network. After that, updating keys became a matter of minutes, not days.

At the same time, we actively studied Bolid from the inside, and it turned out to be a rather flexible system. Using its internal scenario macro language, we managed to discipline employees: every day a script checked about 50 rooms for being armed, and if a room was not armed, an alert was created for the person responsible so that the incident could be reviewed. There were additional conveniences as well: arming several premises at once according to a certain algorithm, or receiving comments from security by e-mail in case of alarm situations.

As time passed, the transition to Mifare was finally completed, and with it the employees' torment of carrying two cards. Reports on the access control system were already in 1C, and corporate catering too; it is easy to ensure that the data from 1C gets into the controllers themselves. This is where the Orion Pro development kit came to our rescue.


Using XML-RPC procedures, we were able to immediately update the data on the system controllers, quickly block keys or change employee access levels.

Here is an example of how you can play around with the doors if you have a similar system: the ControlAccess request sends a command to open the door. For this we need curl and a request of the following form:

ControlAccess

<?xml version="1.0" encoding="windows-1251"?>
<methodCall>
  <methodName>ControlAccess</methodName>
  <params>
    <param>
      <value>
        <struct>
          <!-- ComPort/PKUAddress/DeviceAddress/AggregateAddress form the address
               that appears in the Orion event log, here 1/0/111/1 -->
          <member>
            <name>ComPort</name>
            <value><int>1</int></value>
          </member>
          <member>
            <name>PKUAddress</name>
            <value><int>0</int></value>
          </member>
          <member>
            <name>DeviceAddress</name>
            <value><int>111</int></value>
          </member>
          <member>
            <name>AggregateAddress</name>
            <value><int>1</int></value>
          </member>
          <!-- Command 0 is the value used here to open the door -->
          <member>
            <name>Command</name>
            <value><int>0</int></value>
          </member>
          <member>
            <name>MethodNameForAnswer</name>
            <value><string>Result</string></value>
          </member>
          <member>
            <name>IPSERVER</name>
            <value><string>127.0.0.1</string></value>
          </member>
          <member>
            <name>PORTSERVER</name>
            <value><int>8080</int></value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>



Save the request in test.txt and send it to the access control server, which in our case is local:

C:\curl\bin\curl.exe -X POST -d @C:\test.txt 127.0.0.1:8080

The lock is unlocked for the configured time or until the door is opened, but do not expect this action to go unnoticed. In the Orion event log we will see the record: DateTime: xx.xxx.xxx hh.mm.ss; Event: Access granted (by button); Door: name; Description: Entry/Exit; Address: 1/0/111/1; Access zone: as registered in the controller.

Soon our main business center became too small and no longer met our needs, so three floors were built specially for us in the congress and exhibition center next door, where our main office is now safely located.



While getting acquainted with the existing systems of the new business center, we again met Bolid, in the form of the fire alarm, security alarm and access control systems, so we continued to build on it.

Packing and relocation is a separate story, but the result was worth it.



The integration of Bolid into 1C significantly simplified administration. It allowed us to create automatic rules for changing access levels when an employee moves between departments and for automatic blocking upon dismissal, but replacing cards still required operator intervention.

Here, using our SMS-Direct, we connected a service for automatic replacement and blocking of cards. The employee sends a code phrase by SMS: on "skud block", all keys held by the employee are blocked; on "skud pin", a code comes back in reply, which must later be entered on the keypad for authentication.

The list of employees with their phones is stored in 1C, and the white list of employee phone numbers is exported daily to the SMS-Direct node. When an SMS with a request arrives, the phone number is checked against the list. If it is not on the list, a reply is sent suggesting a visit to the HR department to check that everything is OK. Otherwise a random short number is generated and sent to 1C and to the employee, and 1C converts the PIN into a key code for the controllers:

1234 = F300000000123401
4321 = 1B00000000432101
9876 = 9E00000000987601
4582 = 8200000000458201
123456 = 0500000012345601

If we analyze the last example, 05 is the checksum, 000000 pads the key to 16 characters, 123456 is our short code, and 01 is appended to the end of every key.

The cyclic checksum (CRC) is computed according to the Dallas rule. The calculation is as follows:
const
  CRCTable: array [0..255] of Byte = (
    0,94,188,226,97,63,221,131,194,156,126,32,163,253,31,65,
    157,195,33,127,252,162,64,30,95,1,227,189,62,96,130,220,
    35,125,159,193,66,28,254,160,225,191,93,3,128,222,60,98,
    190,224,2,92,223,129,99,61,124,34,192,158,29,67,161,255,
    70,24,250,164,39,121,155,197,132,218,56,102,229,187,89,7,
    219,133,103,57,186,228,6,88,25,71,165,251,120,38,196,154,
    101,59,217,135,4,90,184,230,167,249,27,69,198,152,122,36,
    248,166,68,26,153,199,37,123,58,100,134,216,91,5,231,185,
    140,210,48,110,237,179,81,15,78,16,242,172,47,113,147,205,
    17,79,173,243,112,46,204,146,211,141,111,49,178,236,14,80,
    175,241,19,77,206,144,114,44,109,51,209,143,12,82,176,238,
    50,108,142,208,83,13,239,177,240,174,76,18,145,207,45,115,
    202,148,118,40,171,245,23,73,8,86,180,234,105,55,213,139,
    87,9,235,181,54,104,138,212,149,203,41,119,244,170,72,22,
    233,183,85,11,136,214,52,106,43,117,151,201,74,20,246,168,
    116,42,200,150,21,75,169,247,182,232,10,84,215,137,107,53);

var
  KeyCode: array [1..8] of Byte;
  j: Integer;

begin
  { KeyCode[1..7] hold the key bytes starting from the trailing 01 of the
    printed key, e.g. $01,$34,$12,0,0,0,0 for PIN 1234 }
  KeyCode[8] := 0;

  { After the loop KeyCode[8] holds the checksum, printed first in the key }
  for j := 1 to 7 do
    KeyCode[8] := CRCTable[KeyCode[8] xor KeyCode[j]];
end.
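
The PIN-to-key conversion described above, as an added example that is not part of the original article or of the 1C/Orion code: it builds the key code from a PIN and checks a received key code before it is accepted. The function names are hypothetical, and the table lookup is replaced by the equivalent bitwise form of the Dallas CRC-8; the byte order (checksum computed starting from the trailing 01) is the one that reproduces the five sample keys listed above.

```python
# Added example: PIN -> 16-hex-digit key code, as in the sample keys above.
# Function names are hypothetical; this is not the 1C or Orion code.

FAMILY_CODE = 0x01  # the trailing "01" added to every key
POLY = 0x8C         # reflected Dallas/Maxim polynomial x^8 + x^5 + x^4 + 1


def dallas_crc8(data: bytes) -> int:
    """Bitwise equivalent of crc = CRCTable[crc xor byte] for each byte."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ POLY if crc & 1 else crc >> 1
    return crc


def pin_to_key(pin: str) -> str:
    """Return CRC + zero padding + PIN digits + family code as 16 hex digits."""
    if not (pin.isascii() and pin.isdigit() and len(pin) <= 12):
        raise ValueError("PIN must be 1 to 12 decimal digits")
    body = bytes.fromhex(pin.zfill(12) + f"{FAMILY_CODE:02X}")  # 7 bytes as printed
    # The checksum runs from the family code backwards, i.e. over reversed bytes.
    return f"{dallas_crc8(body[::-1]):02X}{body.hex().upper()}"


def key_is_valid(key: str) -> bool:
    """Reject key codes with wrong length, non-hex characters or a bad checksum."""
    if len(key) != 16:
        return False
    try:
        raw = bytes.fromhex(key)
    except ValueError:
        return False
    return len(raw) == 8 and dallas_crc8(raw[:0:-1]) == raw[0]


# The five PIN/key pairs listed in the article.
SAMPLES = {
    "1234": "F300000000123401",
    "4321": "1B00000000432101",
    "9876": "9E00000000987601",
    "4582": "8200000000458201",
    "123456": "0500000012345601",
}

if __name__ == "__main__":
    for pin, expected in SAMPLES.items():
        print(pin, pin_to_key(pin), pin_to_key(pin) == expected)
```

The checksum only catches mistyped or corrupted key codes. It is computed from the PIN alone, so the temporary key is protected by the access level with antipassback, not by the CRC.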


Next, in 1C a predefined access level with antipassback enabled is assigned (so that the key is not entered 5 times) and the XML is sent to the core. Orion, according to the access level, sends the keys to the necessary controllers, and the controllers wait for our employee to appear. Typically, requesting a PIN code takes less than a minute. After the employee has entered the PIN code on the keypad, the controller generates a signal to grant access and sends an employee authentication message to Orion. Orion then starts waiting for a key to be presented at the required reader, using the ReadKeyCodeFromReader method, and a command is sent to switch on relay 2 to signal the user to present the card. After the code is received, the relay is released (activating antipassback) and a request is sent to 1C containing the short authentication code and the new card code. In 1C, the corresponding key replacement documents are created for this request. The whole operation, from sending the SMS to activating the card, takes no more than a couple of minutes.

The terminal for activating cards is a C2000-2 controller with a reader and keypad connected to it, plus a pack of unregistered cards. We placed one at the security post and a second in the HR department.



Now each employee can replace their pass on their own at any time and get into the office according to their access level, and even have lunch "on the pass" a couple of hours after activation.
If the card form factor does not suit, any employee can take a leather keychain, a silicone bracelet or a sticker for the phone, whichever is more convenient, and activate it on their own upon receipt in the HR department, using the same procedure.

This automatic replacement process of course involves too many intermediaries, and all of it could be done on a single device, such as a tablet with GSM and NFC or a Raspberry Pi with a connected reader and GSM modem. But Bolid was what we started with, and it was important for us to show that access control systems based on it can be integrated and automated.

Conclusions and summary

These solutions helped us get rid of manual intervention in the access control system; reduce to zero the risk of errors when assigning access levels and replacing/issuing keys; speed up the issuance of new cards; improve overall system security; and integrate new services.

Several years later, our partner, a fairly large retail company in the FMCG field, asked for help with the same kind of integration into its infrastructure, which we carried out successfully, naturally taking into account all the difficulties we had faced when implementing the system at i-Free. In other words, our solution has now proved that it can be scaled quickly to other companies, regardless of the specifics of their work and the number of employees.

Source: https://habr.com/ru/post/253551/

