Openpath Integration

In this article

Build your system from the inside out using Openpath as your end-to-end access control solution. If you’re solving for spaces with both new and legacy systems, Openpath can be easily implemented to work with whatever you’ve got.

How does this integration work?

The Envoy + Openpath integration streamlines the process of logging and distributing access to visitors. With in-depth customization options, including issuing access on either invites or guest sign-in, Envoy will create temporary Cloud Credentials in Openpath, which automatically and temporarily grants access to specific parts of your building — including automatic expiration and configurable access. Cloud Credentials are shared to your guests by either e-mail or SMS, when a phone number is provided and do not require the Openpath app to interact with.

Enabling the Envoy + Openpath integration

Note: You willl need administrative access on your Openpath ACU to complete this integration. Ensure you have administrative access or work with a local administrator before proceeding with the following steps:

  1. Begin by creating a role for the Envoy Bot.
    • Under the “Role Management” page in Openpath (click “Home > Users > Role Management”), click “Create New Role.”
    • Ensure at least “read” and “write” permissions are granted for View, and View & Edit users.
  2. Create a user for the Envoy Bot.
    • Navigate to the “User Management” portal in Openpath “Home > Users > User Management” and click the “Create User” button.
    • The new user will require an email — if you have an administrative alias email address, you could consider something like “[email protected]”, where the addition of “+envoybot” will help differentiate the user in Openpath.
    • The new user should have a recognizable “First” and “Last” name, we recommend “Envoy Bot”.
    • The new user should have the “Status” defined as “Active” and the role created in the previous step is selected.
    • Ensure “Portal Access” is toggled on for this new user, this will permit Envoy to access the API in order to generate cloud credentials for your visitors.
    • Under the “Access” tab in the new user view, ensure the new user has access to all of the relevant doors. This access will later be used for mapping visitor types in Envoy to access permissions.
  3. After creating a user in Openpath for Envoy, go to Integrations > All integrations in the Envoy dashboard.
  4. Under Building security, find Openpath, then click “Install.”
  5. In the API step, enter administrative credentials created in the first steps and click “Save” to continue.
  6. On the Org step, select the desired Organization from the drop down and click “Next Step” to continue.
    • The drop down menu on this step is automatically populated based on the Orgs the administrative account provided in Step 1 has access to. If you do not see your intended Organization than you must revisit your permissions within Openpath.
  7. On the Entries step, you can select which entries you want to permit visitor types to access. Click “Next Step” after you have finalized your entry / visitor type privilege mapping.
    • This step allows you to select multiple visitor types per entry.
    • This step allows you to add additional entries with the “Add another” button.
  8. On the Customization step, you can select several options of customization, including:
    • ONLY ALLOW INVITED GUESTS: Toggling this setting will switch to “Sign In” only Cloud Credential issuance when disabled, and “Invite” based Cloud Credentials when enabled. When this option is disabled the “ADVANCE ACCESS” and “ACCESS DURATION” fields can not be obeyed.
    • ADVANCE ACCESS: This is the length of time the Cloud Credential will work before the invited date and time (e.g., An invite may be for 8PM on April 13th, but 15 minutes or even 12 hours prior to the meeting can be added to enable to the Cloud Credentials early, allowing visitors to access the facilities for parking or lodgings).
    • ACCESS DURATION: This is the length of time the Cloud Credential will work for. After the access duration expires automatically in Envoy the Cloud Credential will cease to work.
    • FLOW BLOCK LIST (OPTIONAL): This is the list of visitor types which are blocked from receiving access.
    • YOUR CUSTOM LOGO (OPTIONAL): This is the logo which is displayed to visitors when they unlock doors with their temporary Cloud Credentials.
    • ADDITIONAL INSTRUCTIONS (OPTIONAL): This is the additional instructions / messaging which is displayed to visitors when they unlock doors with their temporary Cloud Credentials.

How Envoy Visitors entries look in Openpath

In the example below, individual visitors are listed. This list can be found in Openpath under the Home > Users > User Management > Edit User Credentials menu. Look for the user, “Envoy Bot”.

  • Visitor Stephen Arsenault signed in on May 10th, the associated visitor ID from Envoy is visible in the naming column as “49899119”
  • The format for these messages is as follows: Envoy ${eventType} ID ${visitorId}, ${visitorName}

How Cloud Credentials are assigned to Envoy Visitors in Openpath

Once successfully configured, the Envoy + Openpath integration will create Cloud Credentials with the user your configured (e.g., Envoy Bot). This user will display the automatically generated temporary Cloud Credentials created for each visitor and will also be reflected in the Openpath Reports > Activity Log menu, with additional visitor information available in the reports “Detail” column.

Possible Iterations of Access

Uninvited visitor signs in

  • They receive access if entries are assigned to that visitor type
  • They do not receive access if there are no entries assigned to that visitor type
  • They do not receive access if the customer has selected “ONLY ALLOW INVITED GUESTS”

Invite created without advance access

  • Credential link will be emailed and texted once the invitee has signed in

Invite created with advance access

  • Credential link should be emailed x amount of time before scheduled arrival

Invite is created with advance access and then the invitee signs in

  • The link will be emailed x amount of time before scheduled arrival
  • The link will not be emailed on sign in (no duplicate emails)
  • The link will be texted once the invitee signs in

Invite created with advance access, but deleted > 24 hours of scheduled arrival

  • A credential will be created and removed, and no link will be emailed

Invite created with advance access, but deleted on the day of scheduled arrival

  • A credential will be created and removed, but a link may still be emailed (though the access control page inform the user that they do not have access)

Invite is created with a visitor type that has access, but updated to a visitor type without access

  • A credential will be created, but on update, that credential will be removed

Invite is created with a visitor type without access, but updated to a visitor type with access

  • A credential will be created on update

Invite is created and then updated with a different arrival time

  • The existing credential will be updated with a new start and expiry time

On any sign out

  • If access was granted, access will be revoked during sign out