9:["$","main",null,{"className":"flex-1 max-w-7xl mx-auto w-full px-6 py-12 grid gap-10 lg:grid-cols-[minmax(0,1fr)_220px]","children":[["$","div",null,{"className":"min-w-0 max-w-3xl","children":[["$","header",null,{"className":"mb-10","children":[["$","nav",null,{"aria-label":"Breadcrumb","className":"text-sm text-[color:var(--ae-text-muted)] mb-4","children":[["$","span","0",{"children":[["$","$L14",null,{"href":"/architecture/concepts","className":"hover:text-[color:var(--ae-text-secondary)]","children":"Glossary"}],["$","span",null,{"className":"mx-2","children":"/"}]]}],["$","span","1",{"children":[["$","span",null,{"aria-current":"page","children":"Partner authentication"}],false]}]]}],"$undefined",["$","h1",null,{"className":"text-4xl sm:text-5xl font-bold tracking-tight text-[color:var(--ae-text)] leading-[1.1]","children":"Partner authentication"}],"$undefined",["$","div",null,{"className":"mt-5 flex flex-wrap gap-2 text-[10px] uppercase tracking-wider font-medium","children":[["$","span","0",{"className":"px-2 py-1 rounded-full bg-[color:var(--ae-purple-20)] text-[color:var(--ae-purple)]","children":"Authentication"}]]}]]}],["$","$L15",null,{"connectorsById":{"active-directory":{"id":"active-directory","name":"Active Directory","vendor":"Microsoft","vendorId":"microsoft","connectorPackage":"AE_HSc_ActiveDirectoryConnectorGuide","status":"active","description":"The Active Directory connector integrates AlertEnterprise with **Microsoft Active Directory** via LDAP — the long-standing on-prem directory service that remains the source-of-record for users, groups, and group memberships in most enterprise IT environments (especially financial services).\n\nTopology: AlertEnterprise's Alert Connector Framework (ACF) drives the **LDAP Adapter**, which issues TCP/LDAP(S) binds + queries against the customer's Active Directory deployment. An optional **.NET Web Services Agent** is required if the deployment wants to capture user/group changes (uses Active Directory's `repadmin` tool) — without it, AD reconciliation falls back to full-population scans.\n\nAuthentication uses LDAP bind credentials (service account DN + password) over LDAPS (TLS-protected LDAP) in production.\n","versions":[{"range":"Active Directory on Windows Server (all currently-supported versions)","status":"active","notes":"LDAP / LDAPS are stable protocols; the connector targets the protocol contract, not a specific Windows Server version."}],"transports":["ldap","ldaps"],"directions":["bidirectional"],"authentication":[{"kind":"ldap-bind","label":"LDAP bind (service account)","details":"The LDAP Adapter binds to AD using a service account DN + password. LDAPS\n(LDAP over TLS) is strongly recommended in production. The service account\nrequires sufficient permissions to read + modify users and group memberships\nunder the configured base DN.\n","credentialStorage":"AE connector configuration (encrypted at rest)","citation":{"source":"src/connectors/active-directory/source.pdf","locator":"p22 — Chapter 5, Security"}}],"endpoints":[],"dataFields":[{"aeField":"User","vendorField":"AD User Object","description":"User objects under the configured base DN. Connector reads + writes user attributes per the configured schema mapping.","direction":"bidirectional","required":true},{"aeField":"Group","vendorField":"AD Group Object","description":"Security groups and distribution groups. Connector reads group definitions and manages memberships.","direction":"bidirectional","required":true},{"aeField":"Group Membership","vendorField":"AD member / memberOf","description":"User-to-group memberships. Connector adds + removes memberships during provisioning.","direction":"bidirectional","required":true}],"rateLimits":[],"prerequisites":[{"title":"LDAP / LDAPS network access to AD domain controllers","description":"The AE host must have network reachability to one or more AD domain controllers\nover LDAP port 389 (plaintext, dev only) or LDAPS port 636 (TLS, production).\n","owner":"customer"},{"title":"AD service account with appropriate permissions","description":"Service account with read + write permissions on the configured base DN. For\ngroup membership changes the account needs delegated `Write Members` on the\ntarget group OUs.\n","owner":"customer","citation":{"source":"src/connectors/active-directory/source.pdf","locator":"p22 — Chapter 5, Security"}},{"title":".NET Web Services Agent (optional)","description":"Required only if the deployment wants incremental reconciliation of user/group\nchanges via `repadmin`. Without it, AD reconciliation runs as full-population\nscans (acceptable for small populations; impractical at scale).\n","owner":"ae","citation":{"source":"src/connectors/active-directory/source.pdf","locator":"p7 — Chapter 2, Connector Architecture"}}],"knownLimitations":[{"title":"Incremental reconciliation requires the .NET Web Services Agent","description":"The LDAP Adapter alone cannot detect incremental changes — it can only run\nfull-population queries. Enterprise-scale deployments (10k+ users) typically\nneed the .NET Agent to use `repadmin` change detection.\n","severity":"important"}],"relatedConnectors":[],"relatedConcepts":["lifecycle-events","system-of-record"],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"ldap-adapter","name":"AE LDAP Adapter","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE's LDAP adapter. Binds to customer AD over LDAPS and issues queries/modifications."},{"id":"ad-net-web-services-agent","name":".NET Web Services Agent (AD repadmin)","kind":"service","vendor":"ae","trustZone":"customer-onprem","description":"Optional agent deployed on a customer Windows host with access to the AD\ndomain. Uses `repadmin` to surface incremental user/group changes for\ndelta reconciliation. Required for large-population incremental sync.\n"},{"id":"active-directory-domain","name":"Active Directory Domain","kind":"platform","vendor":"microsoft","trustZone":"customer-onprem","description":"The customer's AD forest / domain — authoritative source of users + groups."}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"User / group sync requests","transport":"rest","carries":"User / Group operations","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"ldap-adapter","label":"ACF → adapter dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"ldap-adapter","to":"active-directory-domain","label":"LDAP(S) bind + queries / modifications","transport":"ldaps","auth":"ldap-bind","carries":"User + Group CRUD over LDAP","direction":"bidirectional","trustCrossing":true,"citation":{"source":"src/connectors/active-directory/source.pdf","locator":"p7 — Connector Architecture"}},{"from":"ldap-adapter","to":"ad-net-web-services-agent","label":"Incremental change requests (optional)","transport":"rest","direction":"outbound","trustCrossing":false,"notes":"Only present when incremental reconciliation is required."},{"from":"ad-net-web-services-agent","to":"active-directory-domain","label":"repadmin-based change detection","transport":"proprietary-api","direction":"bidirectional","trustCrossing":false}]},"citations":[{"source":"src/connectors/active-directory/source.pdf","locator":"p7 — Chapter 2, Connector Architecture"},{"source":"src/connectors/active-directory/source.pdf","locator":"p22 — Chapter 5, Security"}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2024-12-24","sourceSha256":"6a277316efedd705833204837f0f77988c2673e5049f0feadb1d502730ac721e","kind":"data-source","fields":{"protocol":"LDAP / LDAPS (TCP 389 / 636)","connectionPattern":"ldap[s]://:/","queryModel":"Standard LDAP queries against the configured base DN. Writes use LDAP\nmodify operations.\n","transactional":"best-effort","schemaIntrospection":true,"changeDetection":"Full-population scan by default. Incremental change detection via the optional\n.NET Web Services Agent using AD's repadmin tool.\n"}},"adfs-sso":{"id":"adfs-sso","name":"ADFS Single Sign-On","vendor":"Microsoft","vendorId":"microsoft","connectorPackage":"AE_ADFS_SSO_ConfigurationGuide","status":"active","description":"$16","versions":[{"range":"ADFS on Windows Server 2012 R2, 2016, 2019, 2022 (all generally supported — ADFS configuration UI is consistent across versions)","status":"active"}],"transports":["rest"],"directions":["inbound"],"authentication":[{"kind":"saml","label":"SAML 2.0 (Service Provider — federated to ADFS IdP)","details":"AE Guardian acts as the SAML Service Provider. ADFS acts as the SAML Identity Provider. The flow:\n\n1. User accesses AE Guardian URL\n2. AE Guardian redirects browser to ADFS for authentication\n3. User authenticates against ADFS (which validates against on-prem Active Directory)\n4. ADFS posts a SAML response back to AE Guardian containing Name ID (user's email) + tenant claim\n5. AE Guardian looks up the user in its own database by Name ID and logs them in\n\nAE provides metadata XML to the ADFS admin during setup; the admin imports it via Add Relying Party Trust → Import data about the relying party from a file.\n","citation":{"source":"src/connectors/adfs-sso/source.pdf","locator":"p7-14 — ADFS Configuration Changes"}}],"endpoints":[],"dataFields":[],"rateLimits":[],"prerequisites":[{"title":"ADFS deployment trusting on-prem Active Directory","description":"An operational Microsoft ADFS deployment configured as the federation gateway for the customer's on-prem AD.\n","owner":"customer"},{"title":"AE-generated metadata XML imported as Relying Party Trust","description":"The AE Support team generates metadata XML describing AE Guardian as a SAML SP. The customer's ADFS admin imports this XML into ADFS via Trust Relationships → Relying Party Trusts → Add Relying Party Trust → Import data about the relying party from a file.\n","owner":"joint","citation":{"source":"src/connectors/adfs-sso/source.pdf","locator":"p7-8 — Generate metadata + Add Relying Party Trust"}},{"title":"Claim rules configured on the Relying Party Trust","description":"Three claim rules must be configured on the AE Relying Party Trust:\n1. **Send LDAP Attributes as Claims** — LDAP Attribute: E-Mail-Addresses → Outgoing Claim Type: E-Mail Address\n2. **Transform an Incoming Claim** — E-Mail Address → Name ID (format: Email), Pass through all claim values\n3. **Send Claims Using a Custom Rule** — `=> issue(Type = \"tenant\", Value = \"alert\");` (confirm tenant value with AE Support)\n","owner":"customer","citation":{"source":"src/connectors/adfs-sso/source.pdf","locator":"p12-14 — Claim Rules","quote":"=> issue(Type = \"tenant\", Value = \"alert\");"}},{"title":"User records pre-synced into AE Guardian database","description":"ADFS users must exist in AE Guardian's database **before** SSO will work. Typically this is achieved by running the [[active-directory]] connector to reconcile users from AD into AE, then enabling SSO. Without pre-synced records, SAML assertions arrive at AE for users that don't exist in AE — authentication fails.\n","owner":"ae","citation":{"source":"src/connectors/adfs-sso/source.pdf","locator":"p15 — Verify ADFS Setup","quote":"The ADFS user must be synced in the Alert Enterprise application database and have the necessary access assigned."}}],"knownLimitations":[{"title":"Authentication only — no provisioning or reconciliation","description":"This connector configures SSO. It does not provision users into ADFS or reconcile identity data from ADFS. For identity-data sync use the [[active-directory]] connector against the underlying on-prem AD.\n","severity":"informational"}],"relatedConnectors":["active-directory","microsoft-entra-id-sso"],"relatedConcepts":["saml","mfa","jit-provisioning"],"composition":{"actors":[{"id":"end-user","name":"End User (browser)","kind":"user","vendor":"ae","trustZone":"untrusted"},{"id":"ae-guardian-sp","name":"AE Guardian (SAML Service Provider)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"adfs-idp","name":"Microsoft ADFS (SAML IdP)","kind":"gateway","vendor":"microsoft","trustZone":"customer-onprem","description":"AD Federation Services — the SAML Identity Provider that authenticates users against on-prem AD."},{"id":"onprem-ad","name":"On-Premises Active Directory","kind":"platform","vendor":"microsoft","trustZone":"customer-onprem","description":"Customer's on-premises Active Directory domain controllers — the identity store that ADFS authenticates against."}],"edges":[{"from":"end-user","to":"ae-guardian-sp","label":"HTTPS access attempt","transport":"rest","direction":"outbound","trustCrossing":true},{"from":"ae-guardian-sp","to":"end-user","label":"SAML AuthnRequest redirect → ADFS","transport":"rest","auth":"saml","direction":"outbound","trustCrossing":false},{"from":"end-user","to":"adfs-idp","label":"Browser POST credentials to ADFS","transport":"rest","direction":"outbound","trustCrossing":true},{"from":"adfs-idp","to":"onprem-ad","label":"LDAP bind / authenticate user","transport":"ldap","direction":"bidirectional","trustCrossing":false},{"from":"adfs-idp","to":"end-user","label":"SAML Response with Name ID + tenant claim","transport":"rest","auth":"saml","direction":"outbound","trustCrossing":false},{"from":"end-user","to":"ae-guardian-sp","label":"SAML POST to ACS endpoint","transport":"rest","auth":"saml","direction":"outbound","trustCrossing":true}]},"citations":[{"source":"src/connectors/adfs-sso/source.pdf","locator":"Full configuration guide — 15 pages, updated 2025-08-22"}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2025-08-22","sourceSha256":"a390e77d6f2ba34c28fe1c581489967d41bc2e46ef799a52b08f2b1bef60ed7a","kind":"iam","fields":{"oidcSupport":"no","samlSupport":"yes","samlBinding":["http-post","http-redirect"],"scimSupport":"no","jitProvisioning":"no","mfaModel":"MFA is configurable on the ADFS Relying Party Trust (Configure Multi-factor Authentication screen during setup). Default for AE-configured trust is \"I do not want to configure multi-factor authentication for this relying party trust\" — customers requiring MFA enable it on the ADFS side.\n","groupSyncMode":"not-supported","defaultAttributeMapping":"Single SAML attribute: E-Mail-Address (from AD's E-Mail-Addresses) transformed into SAML Name ID with format Email. Plus a custom \"tenant\" claim set to \"alert\" by default.\n","sourceOfRecord":false}},"amag-legacy":{"id":"amag-legacy","name":"AMAG Symmetry SMS (legacy architecture)","vendor":"AMAG Technology","vendorId":"amag","connectorPackage":"AE_HSc_AMAGConnectorGuide (Old Version)","status":"legacy","description":"$17","versions":[{"range":"AMAG Symmetry SMS 8.0, 8.1, 9.0, 9.1, 9.4","status":"legacy","notes":"SMS 9.6 was added to the current [[amag]] connector but is not listed in the legacy guide. Customers on 9.6+ should migrate to the current connector.\n"}],"transports":["soap","jdbc"],"directions":["bidirectional"],"authentication":[{"kind":"basic","label":"SMS XML API basic auth (through .NET intermediary)","details":"Basic auth credentials are configured in the AE connector and forwarded by the Alert SMS Client to the AMAG SMS XML API.\n","credentialStorage":"Encrypted in AE connector configuration.","citation":{"source":"src/connectors/amag-legacy/source.pdf","locator":"Detected by deterministic recognition — Basic auth mention in connector guide."}},{"kind":"basic","label":"AMAG database (JDBC) credentials","details":"Same JDBC reconciliation path as the current connector — read-only SQL Server user with SELECT on `multiMAX` + `multiMaxExport` schemas.\n"}],"endpoints":[],"dataFields":[],"rateLimits":[],"prerequisites":[{"title":"Alert SMS Web Service Client deployed on IIS","description":"The .NET-based Alert SMS Web Service Client (a.k.a. Alert SMS Client / Alert SMS Agent) must be deployed on either the AMAG SMS XML API host's IIS or a separate IIS server with network access to it. This intermediary is unique to the legacy architecture — the current [[amag]] connector does not require it.\n","owner":"ae","citation":{"source":"src/connectors/amag-legacy/source.pdf","locator":"p7 — Connector Architecture","quote":"Alert SMS Client is SOAP client/agent for SMS XML API (SOAP Web service) built in .NET language and this client service can be deployed on the IIS server where SMS XML API is hosted or can be deployed on a remote IIS server."}},{"title":"AMAG SMS deployed and reachable","description":"An AMAG Symmetry SMS deployment (8.0 through 9.4) with the XML Open Integration Module installed and configured. The Alert SMS Client must be able to reach the SMS XML API.\n","owner":"customer"},{"title":"Read-only JDBC user on AMAG SQL Server","description":"Same JDBC reconciliation requirement as the current [[amag]] connector — a read-only user with SELECT on `multiMAX.dbo` and `multiMaxExport.dbo` schemas.\n","owner":"customer"}],"knownLimitations":[{"title":"Legacy — superseded by the current [[amag]] connector","description":"This connector is preserved for customers still running the .NET-mediated topology. New deployments should use the current [[amag]] connector, which eliminates the Alert SMS Client intermediary and adds support for SMS 9.6. AE Engineering should plan to migrate any new customer off this path.\n","severity":"important"},{"title":"Additional failure surface from the .NET intermediary","description":"The Alert SMS Client adds an extra service hop with its own deployment, patching, and monitoring requirements. Network-partition scenarios between AE → IIS or IIS → SMS XML API surface as connector errors with less helpful messages than the direct-SOAP path provides.\n","severity":"informational"}],"relatedConnectors":["amag","amag-symmetry-mobile"],"relatedConcepts":["cardholder","badge-or-credential","access-level","card-format"],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE-side framework that dispatches provisioning + reconciliation requests to every connector."},{"id":"alert-amag-legacy-connector","name":"Alert AMAG Connector (legacy)","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE's legacy AMAG connector module. Calls the Alert SMS Web Service Client instead of the SMS XML API directly."},{"id":"alert-sms-web-service-client","name":"Alert SMS Web Service Client (.NET on IIS)","kind":"mediator","vendor":"ae","trustZone":"customer-onprem","description":"SOAP client/agent built in .NET that wraps the AMAG SMS XML API. Deployed on IIS, either on the SMS host or a separate IIS server. Unique to the legacy architecture."},{"id":"amag-sms-xml-api","name":"AMAG SMS XML API","kind":"gateway","vendor":"amag","trustZone":"customer-onprem","description":"AMAG's SOAP/ASMX web service. Same endpoint as the current [[amag]] connector targets."},{"id":"amag-sms-server","name":"AMAG Symmetry SMS Server","kind":"platform","vendor":"amag","trustZone":"customer-onprem","description":"AMAG's on-prem PACS application server."},{"id":"amag-database","name":"AMAG SQL Server Database","kind":"platform","vendor":"amag","trustZone":"customer-onprem","description":"AMAG's SQL Server backend (`multiMAX` + `multiMaxExport`). Read directly by the AE connector for cardholder reconciliation."}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Provisioning + reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-amag-legacy-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-amag-legacy-connector","to":"alert-sms-web-service-client","label":"SOAP via .NET intermediary","transport":"soap","auth":"basic","carries":"User / badge / role provisioning + reconciliation SOAP envelopes","direction":"bidirectional","trustCrossing":true,"notes":"Unique to the legacy architecture; the current connector talks directly to the SMS XML API."},{"from":"alert-sms-web-service-client","to":"amag-sms-xml-api","label":"SMS XML API (SOAP)","transport":"soap","direction":"bidirectional","trustCrossing":false},{"from":"alert-amag-legacy-connector","to":"amag-database","label":"Cardholder reconciliation (read-only JDBC)","transport":"jdbc","auth":"basic","carries":"SELECT queries against multiMAX / multiMaxExport","direction":"inbound","trustCrossing":true},{"from":"amag-sms-xml-api","to":"amag-sms-server","label":"Internal SMS API","transport":"proprietary-api","direction":"bidirectional","trustCrossing":false},{"from":"amag-sms-server","to":"amag-database","label":"Persists cardholders + access groups","transport":"jdbc","direction":"outbound","trustCrossing":false}]},"citations":[{"source":"src/connectors/amag-legacy/source.pdf","locator":"Full connector guide (Old Version) — 26 pages, updated 2025-07-28"},{"source":"src/connectors/amag-legacy/source.pdf","locator":"p5 — Supported Version","quote":"The AMAG connector supports AMAG SMS 8.0, 8.1, 9.0, 9.1 and 9.4 versions."},{"source":"src/connectors/amag-legacy/source.pdf","locator":"p7 — Connector Architecture","quote":"Alert SMS Client is SOAP client/agent for SMS XML API (SOAP Web service) built in .NET language and this client service can be deployed on the IIS server where SMS XML API is hosted or can be deployed on a remote IIS server. AMAG connector built on top of Alert connector framework makes calls to Alert SMS Client/Agent and which internally calls SML XML API web service to perform provisioning and reconciliation operations."}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2025-07-28","sourceSha256":"3f128b1ecb4ae07e6602cfaf4539fdc55823d21d65c3b7e1113a1225cd2464cb","kind":"pacs","fields":{"readerProtocols":[],"cardFormats":["SeiwgV1","SeiwgGSC2_1","SRSeries_10And12Digit","SRSeries_15Digit","Standard"],"topology":"on-prem","eventModel":"polling","pollInterval":"AE-side schedule per customer.","eventTypes":[],"antiPassback":"unknown","holidaySchedules":"unknown","cardholderModel":"Identical to the current [[amag]] connector — AMAG's cardholder model is product-side, not connector-side.\n","accessRightsModel":"Identical to the current [[amag]] connector — AMAG Access Groups composed of Readers, Reader Groups, Floor Groups, and Intrusion Areas, gated by TimeCodes.\n","multiTenancy":"Identical to the current [[amag]] connector — single SMS instance = single tenant; one connector per instance.\n"}},"amag-symmetry-mobile":{"id":"amag-symmetry-mobile","name":"AMAG Symmetry Mobile","vendor":"AMAG Technology","vendorId":"amag","connectorPackage":"AE_HSc_AMAGSymmetryMobileConnectorGuide","status":"active","description":"The AMAG Symmetry Mobile connector integrates AlertEnterprise Guardian with **AMAG Symmetry Mobile** — AMAG's mobile credential issuance and lifecycle product, distinct from the [[amag]] PACS connector. Symmetry Mobile issues virtual credentials (mobile passes) to AMAG cardholders' smartphones, replacing or supplementing physical cards.\n\nArchitecturally this is a REST-based integration (the [[amag]] connector by contrast is SOAP+JDBC). The connector ships as `ALNTSymmetryMobileConnector-5.0-SNAPSHOT.jar` and registers `com.alnt.symmetry.mobile.services.SymmetryMobileConnectionInterface` as the extractor class. It targets the **Symmetry Mobile REST Service** — a cloud or on-prem-deployed service exposed at an `Instance URL` configured per AE tenant.\n\nCategorized as PACS in the connector catalog because it manages access credentials that authenticate at AMAG PACS readers; functionally it overlaps with credential-provider connectors like [[wavelynx]] and [[hid-mobile-credential]] but is AMAG-specific.\n","versions":[{"range":"Symmetry Mobile 1.0","connectorVersion":"ALNTSymmetryMobileConnector-5.0","status":"active","notes":"Only version 1.0 documented in the connector guide."}],"transports":["rest"],"directions":["bidirectional"],"authentication":[{"kind":"custom-token","label":"Access Control System Token","details":"Symmetry Mobile authentication uses a vendor-issued access token generated by the **Symmetry Mobile System Administrator** under the Access Control System details section of the Symmetry Mobile admin UI. The token is configured as the `Specify Access Token` system parameter on the AE side, alongside the `Instance URL` and `User Id`. The token is sent on every REST call to the Symmetry Mobile REST Service.\n","credentialStorage":"Encrypted in AE connector configuration (System Parameters tab).","citation":{"source":"src/connectors/amag-symmetry-mobile/source.pdf","locator":"p13-14 — System Parameters + Chapter 5 Security","quote":"The Access Token needs to be fetched from the Access Control System details section. / The connector is authenticated with a valid API URL and Access Control System Token Generated by the Symmetry Mobile System Administrator."}}],"endpoints":[],"dataFields":[{"aeField":"userId","vendorField":"employeeNumber","description":"Symmetry Mobile's primary user identifier — must match the AMAG SMS EmployeeNumber for cross-system linkage.","direction":"bidirectional","required":true},{"aeField":"firstName","vendorField":"name","direction":"bidirectional","required":true},{"aeField":"lastName","vendorField":"surname","direction":"bidirectional","required":true},{"aeField":"email","vendorField":"email","direction":"bidirectional","required":true},{"aeField":"photo","vendorField":"photo","direction":"outbound","required":true},{"aeField":"status","vendorField":"status","description":"Cardholder status enum.","direction":"bidirectional","required":true},{"aeField":"validTo","vendorField":"expiryDate","direction":"outbound","required":true},{"aeField":"validFrom (formula)","vendorField":"photoApprovedDate","description":"Validity-start derived from photo approval timestamp (set via formula on AE side).","direction":"outbound","required":true},{"aeField":"description (formula)","vendorField":"managerEmail","description":"Manager email, propagated through the `description` field via formula.","direction":"outbound","required":true},{"aeField":"description (formula)","vendorField":"issueLevel","description":"Credential issue level, propagated through `description` via formula.","direction":"outbound","required":true},{"aeField":"description (formula)","vendorField":"photoApprovalStatus","direction":"outbound","required":true},{"aeField":"description (formula)","vendorField":"overrideBluetoothSignalStrength","description":"Override for the BLE signal-strength threshold required for the mobile credential to register at a reader. Used to tune door-open behavior per cardholder.\n","direction":"outbound","required":true},{"aeField":"sourceId","vendorField":"cardNumber","description":"Mobile credential's card number (UserIdentifier Key).","direction":"bidirectional","required":true},{"aeField":"roleGroup","vendorField":"credentialGroup","description":"Symmetry Mobile groups credentials by Credential Group — analogous to AMAG's Access Groups but specific to mobile credentials.","direction":"bidirectional","required":true}],"rateLimits":[],"prerequisites":[{"title":"AMAG Symmetry Mobile service deployed and reachable","description":"An operational Symmetry Mobile REST service. The `Instance URL` system parameter must point to it and be reachable from the AE application server.\n","owner":"customer","citation":{"source":"src/connectors/amag-symmetry-mobile/source.pdf","locator":"p13 — System Parameters","quote":"Instance URL: URL of the Symmetry Mobile Rest Service."}},{"title":"Access Control System Token from Symmetry Mobile admin","description":"The Symmetry Mobile System Administrator must generate an Access Token under the Access Control System details section of the Symmetry Mobile admin UI. This token is what the AE connector uses to authenticate.\n","owner":"customer","citation":{"source":"src/connectors/amag-symmetry-mobile/source.pdf","locator":"p13 — Specify Access Token note","quote":"The Access Token needs to be fetched from the Access Control System details section."}},{"title":"SSL certificate trust","description":"The Symmetry Mobile REST service certificate must be imported into the AE host's JVM cacerts keystore. The guide documents the manual `keytool -importcert` procedure followed by a restart of the `Job` and `API` services.\n","owner":"ae","citation":{"source":"src/connectors/amag-symmetry-mobile/source.pdf","locator":"p8-9 — Enabling SSL Communication"}},{"title":"UserIdentifier Key set to CardNumber","description":"The `Specify UserIdentifier Key` system parameter must be set to `CardNumber` — this is the field that links the mobile credential back to the cardholder's identity in the AMAG ecosystem.\n","owner":"ae","citation":{"source":"src/connectors/amag-symmetry-mobile/source.pdf","locator":"p13 — Specify UserIdentifier Key","quote":"Specify UserIdentifier Key: Specify the value as \"CardNumber\""}},{"title":"Companion AMAG SMS connector for cross-system linkage","description":"Mobile credentials only become useful access credentials when associated with an AMAG cardholder. In typical deployments the [[amag]] connector handles cardholder provisioning into Symmetry SMS, and this connector handles the mobile credential layer on top. EmployeeNumber/CardNumber alignment between the two systems is the linkage.\n","owner":"joint","citation":{"source":"src/connectors/amag-symmetry-mobile/source.pdf","locator":"p14 — Field Mapping (employeeNumber, cardNumber)"}}],"knownLimitations":[{"title":"Multiple business fields multiplexed through `description`","description":"The connector uses AE's `description` field as a vehicle for several Symmetry Mobile system fields (managerEmail, issueLevel, photoApprovalStatus, overrideBluetoothSignalStrength) via the formula-mapping mechanism. This means: (a) the AE-side `description` carries semantically heterogeneous data, and (b) any downstream consumer that reads `description` for its normal purpose will see the formula payload. Customers who rely on `description` as a free-text field should use AE custom attributes instead.\n","severity":"informational"},{"title":"Single-version coverage (1.0 only)","description":"The connector guide documents Symmetry Mobile version 1.0 only. AMAG's broader Symmetry Mobile product roadmap is not reflected here — verify with AMAG before promising support for newer Symmetry Mobile releases.\n","severity":"informational"}],"relatedConnectors":["amag","amag-legacy"],"relatedConcepts":["cardholder","badge-or-credential","access-level"],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE-side framework that dispatches provisioning + reconciliation requests to every connector."},{"id":"alert-symmetry-mobile-connector","name":"Alert Symmetry Mobile Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE's Symmetry Mobile connector module (ALNTSymmetryMobileConnector). Translates ACF requests into REST calls against the Symmetry Mobile service."},{"id":"symmetry-mobile-rest-service","name":"Symmetry Mobile REST Service","kind":"gateway","vendor":"amag","trustZone":"vendor-cloud","description":"AMAG's REST API for Symmetry Mobile credential lifecycle. Authenticates via an Access Control System Token."},{"id":"symmetry-mobile-server","name":"AMAG Symmetry Mobile Server","kind":"platform","vendor":"amag","trustZone":"vendor-cloud","description":"AMAG's Symmetry Mobile backend — issues virtual credentials, manages credential groups, and propagates updates to enrolled mobile devices."},{"id":"end-user-mobile-device","name":"Cardholder Mobile Device","kind":"device","vendor":"amag","trustZone":"untrusted","description":"The cardholder's iPhone / Android device with the AMAG Symmetry Mobile app installed. Receives the mobile credential and presents it via BLE/NFC at AMAG readers."}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Provisioning + reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-symmetry-mobile-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-symmetry-mobile-connector","to":"symmetry-mobile-rest-service","label":"REST + Access Token","transport":"rest","auth":"custom-token","carries":"User / credential / credential-group provisioning + reconciliation","direction":"bidirectional","trustCrossing":true},{"from":"symmetry-mobile-rest-service","to":"symmetry-mobile-server","label":"Internal API","transport":"proprietary-api","direction":"bidirectional","trustCrossing":false},{"from":"symmetry-mobile-server","to":"end-user-mobile-device","label":"Mobile credential push / lifecycle updates","transport":"proprietary-api","direction":"outbound","trustCrossing":true,"notes":"Out-of-band push to cardholder phones via AMAG's mobile delivery infrastructure."}]},"citations":[{"source":"src/connectors/amag-symmetry-mobile/source.pdf","locator":"Full connector guide — 18 pages, updated 2023-04-11"},{"source":"src/connectors/amag-symmetry-mobile/source.pdf","locator":"p5 — Supported Version","quote":"The Symmetry Mobile connector supports Symmetry Mobile version 1.0."},{"source":"src/connectors/amag-symmetry-mobile/source.pdf","locator":"p7 — Connector Architecture","quote":"The Symmetry Mobile connector is developed on top of the Restful API provided by the AMAG Symmetry Mobile system out of the box."},{"source":"src/connectors/amag-symmetry-mobile/source.pdf","locator":"p16 — Chapter 5 Security","quote":"The connector is authenticated with a valid API URL and Access Control System Token Generated by the Symmetry Mobile System Administrator."}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2023-04-11","sourceSha256":"883a6dc84c7c936a25b7fb111cf566ef7e98e5f36dd9c1721b3a4d1b710a302b","kind":"pacs","fields":{"readerProtocols":["bluetooth","ble","nfc"],"cardFormats":[],"topology":"cloud","eventModel":"polling","pollInterval":"AE-side schedule per customer.","eventTypes":[],"antiPassback":"unknown","holidaySchedules":"unknown","cardholderModel":"Symmetry Mobile users carry the AMAG cardholder identity (employeeNumber, name/surname, email, photo, status, validity dates). Each user holds one or more virtual credentials (cardNumber), assigned to one or more **Credential Groups** (the mobile equivalent of an Access Group). The connector also captures Bluetooth signal-strength override per user — tunable for unusual reader-mounting environments.\n","accessRightsModel":"Access is granted by assigning a user to one or more Credential Groups. Each Credential Group maps to a set of mobile-enabled AMAG readers. Validity windows on the credential (validFrom / validTo) gate when the mobile pass is active.\n","multiTenancy":"Single Symmetry Mobile instance per AE→Symmetry Mobile connector. Customers running multiple Symmetry Mobile tenants require one connector instance per tenant.\n"}},"amag":{"id":"amag","name":"AMAG Symmetry SMS","vendor":"AMAG Technology","vendorId":"amag","connectorPackage":"AE_HSc_AMAGConnectorGuide","status":"active","description":"$18","versions":[{"range":"AMAG Symmetry SMS 8.0, 8.1, 9.0, 9.1, 9.4, 9.6","connectorVersion":"ALNTAMAGConnector-5.0","status":"active","notes":"Documented supported versions in AE_HSc_AMAGConnectorGuide.pdf p6. SMS 10.x not yet documented as supported."}],"transports":["soap","jdbc"],"directions":["bidirectional"],"authentication":[{"kind":"basic","label":"SMS XML API basic auth (SOAP/WSSE)","details":"The AMAG SMS XML API authenticates callers via WSSE/basic auth — a username + password configured in the AE connector. Incorrect credentials produce `org.apache.cxf.binding.soap.SoapFault: Unknown Username or Incorrect Password`.\n","credentialStorage":"Encrypted in AE connector configuration.","citation":{"source":"src/connectors/amag/source.pdf","locator":"p22 — Troubleshooting (Test connection errors)","quote":"org.apache.cxf.binding.soap.SoapFault: Unknown Username or Incorrect Password"}},{"kind":"basic","label":"AMAG database (JDBC) credentials","details":"For cardholder reconciliation, the connector requires a separate database user with read access to the `multiMAX` and `multiMaxExport` schemas on AMAG's SQL Server backend. Driver Name + Database URL + Database User Name + Database Password are configured as System Parameters. See Chapter 6 of the connector guide for the minimum-privilege grant set.\n","credentialStorage":"Encrypted in AE connector configuration.","citation":{"source":"src/connectors/amag/source.pdf","locator":"p15 — Database parameters"}}],"endpoints":[{"method":"POST","path":"/smsXMLWebService/smsXMLWebService.asmx","description":"AMAG SMS XML API endpoint (SOAP). All provisioning + most reconciliation operations target this single ASMX endpoint with SOAP envelope payloads.","category":"provisioning","direction":"outbound","authMethod":"basic","citation":{"source":"src/connectors/amag/source.pdf","locator":"p22 — Verify AMAG SMS web service accessibility","quote":"http:///smsXMLWebService/smsXMLWebService.asmx"}}],"dataFields":[{"aeField":"UserId","vendorField":"EmpReference","description":"Maps to `CardHolderTable.EmployeeNumber` (alias EmpReference in queries).","direction":"bidirectional","required":true},{"aeField":"FirstName","vendorField":"FirstName","direction":"bidirectional","required":true},{"aeField":"LastName","vendorField":"LastName","direction":"bidirectional","required":true},{"aeField":"Midname","vendorField":"MiddleName","direction":"bidirectional","required":false},{"aeField":"CompanyID","vendorField":"CompanyID","direction":"bidirectional","required":true},{"aeField":"BadgeId","vendorField":"CardNumber","description":"Maps to `CardInfoTable.CardNumberDisplay`.","direction":"bidirectional","required":true},{"aeField":"BadgeValidFrom","vendorField":"ActiveDate","description":"ISO datetime → AMAG `ActiveDateTime`.","direction":"bidirectional","required":true},{"aeField":"BadgeValidTo","vendorField":"ExpiryDate","description":"ISO datetime → AMAG `InactiveDateTime`.","direction":"bidirectional","required":true},{"aeField":"BadgeStatus","vendorField":"CardStatus","description":"\"Yes\" = active card, \"No\" = inactive (sourced from `CardInfoTable.Inactive`).","direction":"bidirectional","required":true},{"aeField":"UserStatus","vendorField":"CardHolderStatus","description":"\"Yes\" = active user, \"No\" = inactive (sourced from `CardInfoTable.ForcedInactive`).","direction":"bidirectional","required":true},{"aeField":"CardFormat","vendorField":"CardFormat","description":"AMAG card-format identifier. Possible values: `SeiwgV1`, `SeiwgGSC2_1`, `SRSeries_10And12Digit`, `SRSeries_15Digit`, `Standard`. Mandatory for all user and badge provisioning operations.\n","direction":"bidirectional","required":true},{"aeField":"CustomerCode","vendorField":"CustomerCode","description":"Maps to `CustomerCodeNumber` in AMAG.","direction":"bidirectional","required":true},{"aeField":"PIN","vendorField":"PIN","direction":"outbound","required":false},{"aeField":"AgencyCode","vendorField":"AgencyCode","direction":"bidirectional","required":false},{"aeField":"CardIssueLevel","vendorField":"CardIssueLevel","direction":"bidirectional","required":false},{"aeField":"IDSCode","vendorField":"IDSCode","direction":"bidirectional","required":false},{"aeField":"ImageUpload","vendorField":"FaceImage","description":"Cardholder face image — maps to `CardHolderFaceTable.Face`.","direction":"outbound","required":false},{"aeField":"SignatureUpload","vendorField":"SignatureImage","direction":"outbound","required":false},{"aeField":"PersonalData1","vendorField":"PersonalData1","description":"AMAG supports PersonalData1 through PersonalData50 — site-defined custom attributes. Each maps directly with the same name.","direction":"bidirectional","required":false},{"aeField":"RoleName","vendorField":"AccessGroupName","description":"Maps to `AccessGroupTable.AccessGroupName`. AMAG calls access levels \"Access Groups.\"","direction":"bidirectional","required":true},{"aeField":"RoleType","vendorField":"RoleType","direction":"bidirectional","required":true},{"aeField":"Timecode","vendorField":"TimeCode","description":"Schedule constraint that gates an access group.","direction":"bidirectional","required":false},{"aeField":"BadgeDesign","vendorField":"BadgeDesign","direction":"outbound","required":false}],"rateLimits":[],"prerequisites":[{"title":"AMAG SMS deployed and reachable","description":"An AMAG Symmetry SMS deployment (version 8.0-9.6) with the **XML Open Integration Module** installed and configured. The SMS XML API must be reachable from the AE application server.\n","owner":"customer","citation":{"source":"src/connectors/amag/source.pdf","locator":"p9 — Connector Deployment Prerequisites","quote":"1. AMAG Security Management System (SMS) software is installed and configured. 2. XML Open Integration Module is installed and configured. 3. The AMAG SMS XML API is accessible to the server where the Alert Enterprise application is deployed."}},{"title":"Data Connector Module license on AMAG","description":"The AMAG system **must have a Data Connector Module license** for the SMS application to write changes into the export database (`multiMaxExport`). Without this license, cardholder reconciliation (the JDBC path) will not see changes.\n","owner":"customer","citation":{"source":"src/connectors/amag/source.pdf","locator":"p17 — Important note in System Parameters section","quote":"Make sure that the AMAG system has a Data Connector Module license to allow SMS application to write changes into the export database."}},{"title":"Read-only JDBC user on AMAG SQL Server","description":"A dedicated read-only database user with SELECT privileges on the `multiMAX.dbo` and `multiMaxExport.dbo` schemas — specifically tables `CardHolderTable`, `CardInfoTable`, `CardHolderFaceTable`, `AccessGroupTable`, `CardHolderAccessGroupXrTable`, `CardHolderAccessXrTable`, `ReaderTable`, `IntrusionZoneTable`, `AccessGroupReaderXrTable`, `AccessGroupReaderGroupXrTable`, `ReaderGroupXrTable`, `FloorGroupTable`, `AccessGroupFloorGroupXrTable`, `IntrusionAreaZoneXrTable`, `AccessGroupAreaXrTable`, and `DataExportTable`.\n","owner":"customer","citation":{"source":"src/connectors/amag/source.pdf","locator":"p15-17 — Database queries; Chapter 6"}},{"title":"SSL certificate trust (if HTTPS)","description":"When the SMS XML API is served over HTTPS, the AMAG SMS server's certificate must be imported into the AE host's JVM cacerts keystore. The connector raises `javax.net.ssl.SSLHandshakeException` / \"Unable to find valid certification path to requested target\" when the cert isn't trusted.\n","owner":"ae","citation":{"source":"src/connectors/amag/source.pdf","locator":"p23 — Troubleshooting (SSL handshake)"}}],"knownLimitations":[{"title":"Cardholder reconciliation requires direct DB access","description":"The AMAG SMS XML API does not expose cardholder reconciliation operations. AE works around this by issuing read-only JDBC queries directly against the AMAG SQL Server backend. Customers with strict policies against third-party direct-DB access must understand this is a hard architectural requirement, not a configurable behavior — Symmetry simply does not provide an API alternative for this operation.\n","severity":"important","citation":{"source":"src/connectors/amag/source.pdf","locator":"p8 — Connector Architecture","quote":"For Cardholder reconciliation (operation not supported by the SMS XML API), the AMAG Connector makes read-only JDBC calls directly to the AMAG database."}},{"title":"CardFormat is mandatory for every provisioning operation","description":"Every user and badge provisioning operation must include a CardFormat value from the closed set (SeiwgV1, SeiwgGSC2_1, SRSeries_10And12Digit, SRSeries_15Digit, Standard). Provisioning without CardFormat will fail at AMAG-side validation.\n","severity":"important","citation":{"source":"src/connectors/amag/source.pdf","locator":"p19 — CardFormat note","quote":"CardFormat is mandatory for all user and badge provisioning operations."}},{"title":"Provisioning error codes returned via DB table, not API","description":"Provisioning errors from AMAG are surfaced via the `multimaximport.dbo.messagetable` table — not in the SOAP response. Codes include `2` (mandatory fields not specified), `4` (record not found), `8` (card already exists), `9` (issue level out of range), `10` (PIN out of range), `14` (expiry before active), `16`/`17` (face/signature image not found). Operators must monitor this table separately to surface async errors.\n","severity":"informational","citation":{"source":"src/connectors/amag/source.pdf","locator":"p23-24 — Provisioning errors table"}}],"relatedConnectors":["amag-legacy","amag-symmetry-mobile"],"relatedConcepts":["cardholder","badge-or-credential","access-level","card-format","reader"],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE-side framework that dispatches provisioning + reconciliation requests to every connector."},{"id":"alert-amag-connector","name":"Alert AMAG Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE's AMAG-specific connector module (ALNTAMAGConnector). Issues SOAP calls to the SMS XML API and JDBC queries directly to the AMAG database."},{"id":"amag-sms-xml-api","name":"AMAG SMS XML API","kind":"gateway","vendor":"amag","trustZone":"customer-onprem","description":"AMAG's SOAP/ASMX web service (`/smsXMLWebService/smsXMLWebService.asmx`). Routes provisioning calls into the SMS server. Reachable on the AMAG SMS host on IIS."},{"id":"amag-sms-server","name":"AMAG Symmetry SMS Server","kind":"platform","vendor":"amag","trustZone":"customer-onprem","description":"AMAG's on-prem PACS application server — authoritative for cardholders, access groups (access levels), readers, reader groups, floor groups, and intrusion areas."},{"id":"amag-database","name":"AMAG SQL Server Database","kind":"platform","vendor":"amag","trustZone":"customer-onprem","description":"AMAG's SQL Server backend (`multiMAX` + `multiMaxExport` schemas). Receives cardholder data via the SMS application; read directly by the AE connector for cardholder reconciliation."}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Provisioning + reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-amag-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-amag-connector","to":"amag-sms-xml-api","label":"Provisioning + most reconciliation (SOAP)","transport":"soap","auth":"basic","carries":"User / badge / role / access-group SOAP envelopes","direction":"bidirectional","trustCrossing":true},{"from":"alert-amag-connector","to":"amag-database","label":"Cardholder reconciliation (read-only JDBC)","transport":"jdbc","auth":"basic","carries":"Cardholder, badge, role, reader, intrusion-zone SELECT queries against multiMAX / multiMaxExport","direction":"inbound","trustCrossing":true,"notes":"Workaround for operations not exposed by the SMS XML API."},{"from":"amag-sms-xml-api","to":"amag-sms-server","label":"Internal SMS API","transport":"proprietary-api","direction":"bidirectional","trustCrossing":false},{"from":"amag-sms-server","to":"amag-database","label":"Persists cardholders + access groups","transport":"jdbc","direction":"outbound","trustCrossing":false}]},"citations":[{"source":"src/connectors/amag/source.pdf","locator":"Full connector guide — 28 pages, revision 3.0 dated 2025-12-24"},{"source":"src/connectors/amag/source.pdf","locator":"p6 — Supported Version","quote":"The AMAG connector supports AMAG SMS version 8.0, 8.1, 9.0, 9.1, 9.4 and 9.6."},{"source":"src/connectors/amag/source.pdf","locator":"p8 — Connector Architecture","quote":"The AMAG Connector communicates directly with the SMS XML API (SOAP web service) to carry out provisioning and reconciliation tasks. For Cardholder reconciliation (operation not supported by the SMS XML API), the AMAG Connector makes read-only JDBC calls directly to the AMAG database."}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2025-12-24","sourceSha256":"bd45277c0fa10ddad1b7b6c02f025b31e2bb7a6561f48cf5568ff8f2a31bb449","kind":"pacs","fields":{"readerProtocols":[],"cardFormats":["SeiwgV1","SeiwgGSC2_1","SRSeries_10And12Digit","SRSeries_15Digit","Standard"],"topology":"on-prem","eventModel":"polling","pollInterval":"AE-side schedule per customer; AMAG export database refreshes per Data Connector Module configuration.","eventTypes":[],"antiPassback":"unknown","holidaySchedules":"unknown","cardholderModel":"AMAG models cardholders in `multiMAX.dbo.CardHolderTable` (CardID, EmployeeNumber, FirstName, LastName, MiddleName, ForcedInactive status). Cards live in `CardInfoTable` (CardNumberDisplay, Inactive, Lost, ActiveDateTime, InactiveDateTime, CustomerCodeNumber). Each cardholder may have one or more cards. Photos in `CardHolderFaceTable`. PersonalData1-50 are site-defined custom attributes.\n","accessRightsModel":"Access is granted by assigning a cardholder to one or more **Access Groups** (AMAG's term for access levels). Access Groups are composed of Readers (`AccessGroupReaderXrTable`), Reader Groups (`AccessGroupReaderGroupXrTable`), Floor Groups for elevator readers (`AccessGroupFloorGroupXrTable`), and Intrusion Areas (`AccessGroupAreaXrTable` → `IntrusionAreaZoneXrTable` → `IntrusionZoneTable`). Each access group can be gated by a TimeCode (schedule).\n","multiTenancy":"A single AMAG SMS instance is typically a single tenant. Multi-site customers running federated SMS instances require one AE→AMAG connector per SMS instance.\n"}},"angus":{"id":"angus","name":"Angus AnyWhere","vendor":"Angus Systems","vendorId":"angus","connectorPackage":"AE_HSc_ANGUSConnectorGuide","status":"active","description":"The Angus connector integrates AlertEnterprise Guardian with **Angus AnyWhere** — Angus Systems' commercial real estate operations / tenant services platform with embedded visitor management and access functionality. Angus is the dominant tenant-services platform in commercial real estate (Class A office properties) — supporting it is a strategic differentiator for AE in deals involving multi-tenant office buildings where the building operator uses Angus for tenant-service requests and AE for security.\n\n**Categorization note:** Angus is technically more of a tenant-services platform than a pure PACS. It's categorized as `pacs` in the connector catalog because its access / visitor management functionality is what AE integrates with. For visitor management features specifically, Angus is the most common destination connector in the commercial real estate vertical.\n\nArchitecture: **AE → ACF → ANGUS Connector → ANGUS Rest Web Service (SDK) → ANGUS Server**.\n","versions":[{"range":"ANGUS 1.0.0","status":"active","notes":"Connector guide documents ANGUS version 1.0.0 only. Verify with Angus Systems for newer version support."}],"transports":["rest"],"directions":["bidirectional"],"authentication":[{"kind":"basic","label":"ANGUS Web Service credentials over SSL","details":"Basic auth credentials configured in AE connector. SSL/TLS required.","credentialStorage":"Encrypted in AE connector configuration."}],"endpoints":[],"dataFields":[],"rateLimits":[],"prerequisites":[{"title":"ANGUS SDK Web Service deployed","description":"The ANGUS Web Service (part of the ANGUS SDK) must be deployed and reachable from the AE application server.\n","owner":"customer","citation":{"source":"src/connectors/angus/source.pdf","locator":"p6 — Connector Architecture","quote":"This Web Service is a pre- requisite for deploying the ANGUS connector and is available as part of ANGUS SDK."}}],"knownLimitations":[],"relatedConnectors":[],"relatedConcepts":["cardholder","badge-or-credential","access-level"],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-angus-connector","name":"Alert ANGUS Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"angus-web-service","name":"ANGUS Rest Web Service","kind":"gateway","vendor":"angus","trustZone":"customer-onprem","description":"ANGUS SDK Web Service. Customer-deployed."},{"id":"angus-server","name":"ANGUS Server","kind":"platform","vendor":"angus","trustZone":"customer-onprem","description":"Angus AnyWhere tenant services / visitor management platform."}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Provisioning + reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-angus-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-angus-connector","to":"angus-web-service","label":"REST over HTTPS","transport":"rest","auth":"basic","carries":"Visitor / user provisioning + reconciliation","direction":"bidirectional","trustCrossing":true},{"from":"angus-web-service","to":"angus-server","label":"SDK API","transport":"proprietary-api","direction":"bidirectional","trustCrossing":false}]},"citations":[{"source":"src/connectors/angus/source.pdf","locator":"Full connector guide, updated 2024-12-03"},{"source":"src/connectors/angus/source.pdf","locator":"p5 — Supported Version","quote":"The ANGUS Connector supports ANGUS version 1.0.0"}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2024-12-03","sourceSha256":"760fb65369894304a4b34768d7cabcd3012cf0c7897958846775eb2a4037d375","kind":"pacs","fields":{"readerProtocols":[],"cardFormats":[],"topology":"on-prem","eventModel":"polling","pollInterval":"AE-side schedule per customer.","eventTypes":[],"antiPassback":"unknown","holidaySchedules":"unknown","cardholderModel":"ANGUS users are typically visitors and tenant-employees in commercial real estate contexts.\n","accessRightsModel":"ANGUS access model is tenant-services oriented, not traditional PACS access levels. Site-specific configuration.\n","multiTenancy":"Single ANGUS deployment per AE→ANGUS connector. ANGUS itself is multi-tenant by design (one ANGUS instance serves multiple tenants in a building).\n"}},"avigilon":{"id":"avigilon","name":"Avigilon Access Control Manager","vendor":"Motorola Solutions (Avigilon)","vendorId":"avigilon","connectorPackage":"AE_HSc_AvigilonConnectorGuide","status":"active","description":"$19","versions":[{"range":"Avigilon Access Control Manager Application Software 5.4.4, 5.6.4 and above","connectorVersion":"ALNTAvigilonConnector-5.0","status":"active","notes":"Per the connector guide, versions 5.6 and above require JCE Unlimited Strength Jurisdiction Policy Files installed on the AE-side JDK to handle AES-256 token encryption.\n"}],"transports":["rest"],"directions":["bidirectional"],"authentication":[{"kind":"basic","label":"Username + password over SSL","details":"ACM authentication uses a dedicated API user (`User Id`) and password. Credentials are submitted to the Avigilon REST API which returns a session token; the token is then used for subsequent calls. SSL must be enabled (`SSL = True` system parameter) — the connector will not communicate over plaintext.\n","credentialStorage":"Encrypted in AE connector configuration (System Parameters tab).","citation":{"source":"src/connectors/avigilon/source.pdf","locator":"p12-13 — System Parameters","quote":"User Id of a user with API access and provisioning privileges. / Password required for connecting to an external system. / SSL: Specify \"True\" if the site is SSL enabled, else specify \"False\"."}}],"endpoints":[],"dataFields":[{"aeField":"UserId","vendorField":"Cn","description":"ACM uses LDAP-style `cn` (common name) as the primary user identifier.","direction":"bidirectional","required":true},{"aeField":"ExternalSystemId","vendorField":"ExternalSystemId","direction":"bidirectional","required":true},{"aeField":"FirstName","vendorField":"FirstName","direction":"bidirectional","required":true},{"aeField":"LastName","vendorField":"LastName","direction":"bidirectional","required":true},{"aeField":"MiddleName","vendorField":"MiddleName","direction":"bidirectional","required":false},{"aeField":"EmployeeType","vendorField":"Type","direction":"bidirectional","required":false},{"aeField":"Status","vendorField":"IDStatus","description":"Mapped enum: Active=1, Inactive=2, Not-Yet-Active=3, Expired=4.\n","direction":"bidirectional","required":false},{"aeField":"Title","vendorField":"Title","direction":"bidirectional","required":false},{"aeField":"Department","vendorField":"Department","direction":"bidirectional","required":false},{"aeField":"Division","vendorField":"Division","direction":"bidirectional","required":false},{"aeField":"Street","vendorField":"Address","direction":"outbound","required":false},{"aeField":"City","vendorField":"City","direction":"outbound","required":false},{"aeField":"State","vendorField":"State","direction":"outbound","required":false},{"aeField":"Zip","vendorField":"ZipCode","direction":"outbound","required":false},{"aeField":"SiteLocation","vendorField":"SiteLocation","direction":"bidirectional","required":false},{"aeField":"Building","vendorField":"Building","direction":"bidirectional","required":false},{"aeField":"Email","vendorField":"EmailAddress","direction":"bidirectional","required":false},{"aeField":"Mobile","vendorField":"Phone","direction":"bidirectional","required":false},{"aeField":"Photo","vendorField":"ImageData","description":"Cardholder image data, embedded in XML payload.","direction":"outbound","required":false},{"aeField":"BadgeId","vendorField":"TokenInternalNumber","description":"ACM's internal \"Token\" identifier (Avigilon term for a credential).","direction":"bidirectional","required":true},{"aeField":"BadgeValidFrom","vendorField":"TokenActivateDate","description":"Date format yyyyMMddHHmmss.","direction":"outbound","required":false},{"aeField":"BadgeValidTo","vendorField":"TokenDeactivateDate","description":"Date format yyyyMMddHHmmss.","direction":"outbound","required":false},{"aeField":"BadgeStatus","vendorField":"TokenStatus","description":"Active=1, Inactive=2.","direction":"bidirectional","required":true},{"aeField":"TokenEmbossedNumber","vendorField":"TokenEmbossedNumber","description":"Physical printed number on the card body.","direction":"bidirectional","required":false},{"aeField":"PIN","vendorField":"TokenPin","direction":"outbound","required":false},{"aeField":"TokenDownload","vendorField":"TokenDownload","description":"Whether the token has been pushed to door controllers (\"TRUE\"/\"FALSE\").","direction":"bidirectional","required":false},{"aeField":"TokenLevel","vendorField":"TokenLevel","description":"Numeric access level on the token.","direction":"bidirectional","required":false},{"aeField":"TokenVIP","vendorField":"TokenVIP","description":"VIP flag — door unlocks immediately, bypasses some timers (\"TRUE\"/\"FALSE\").","direction":"bidirectional","required":false},{"aeField":"TokenNoExpire","vendorField":"TokenNoExpire","description":"Token never expires (\"TRUE\"/\"FALSE\").","direction":"bidirectional","required":false},{"aeField":"TokenTrace","vendorField":"TokenTrace","description":"Audit-trace flag — records every use of this token (\"TRUE\"/\"FALSE\").","direction":"bidirectional","required":false},{"aeField":"TokenPinExempt","vendorField":"TokenPinExempt","description":"Exempts the token from PIN-required reader prompts (\"TRUE\"/\"FALSE\").","direction":"bidirectional","required":false},{"aeField":"TokenExtAccess","vendorField":"TokenExtAccess","description":"Extended access duration (ADA / accessibility support — door stays unlocked longer; \"TRUE\"/\"FALSE\").","direction":"bidirectional","required":false},{"aeField":"TokenUserLoseExempt","vendorField":"TokenUserLoseExempt","description":"Token is exempt from auto-deactivation if the user is marked lost or inactive (\"TRUE\"/\"FALSE\").","direction":"bidirectional","required":false},{"aeField":"RoleName","vendorField":"ROLE_NAME","direction":"bidirectional","required":false},{"aeField":"RoleActive","vendorField":"ROLE_ACTIVE","direction":"bidirectional","required":false}],"rateLimits":[],"prerequisites":[{"title":"Avigilon ACM with REST API enabled","description":"An Avigilon Access Control Manager appliance (version 5.4.4 or 5.6.4+) with the REST API enabled and a dedicated API user provisioned with provisioning + read privileges. The REST URLs and credentials are provided as part of the Avigilon ACM deployment.\n","owner":"customer","citation":{"source":"src/connectors/avigilon/source.pdf","locator":"p7 — Connector Architecture","quote":"This partner REST URLs is a prerequisite for deploying Avigilon connector and is provided as part of Avigilon subscription."}},{"title":"JCE Unlimited Strength Jurisdiction Policy Files (5.6+ only)","description":"ACM 5.6 and above uses AES-256 token encryption. The AE-side JVM must have the JCE Unlimited Strength Jurisdiction Policy Files installed. Copy `local_policy.jar` and `US_export_policy.jar` to `$JAVA_HOME/jre/lib/security` and restart the application server. IBM JDK has equivalent jar files obtainable from IBM Support.\n","owner":"ae","citation":{"source":"src/connectors/avigilon/source.pdf","locator":"p5 — Prerequisites for version 5.6 and above","quote":"This token is encrypted using the AES 256. Make sure your environment is ready to handle higher level crypto keys."}},{"title":"SSL certificate trust","description":"The Avigilon ACM appliance's SSL certificate must be imported into the AE host's JVM cacerts keystore. The guide documents the manual `keytool -importcert` procedure followed by a restart of the `Job` and `API` services.\n","owner":"ae","citation":{"source":"src/connectors/avigilon/source.pdf","locator":"p8-9 — Enabling SSL Communication"}},{"title":"Templates directory and date format configuration","description":"The connector requires a `Templates Directory` (filesystem path to XML templates installed during connector installation) and explicit date-format system parameters (`Alert Application Date Format = MM/dd/yyyy`, `Provisioning Date Format = yyyyMMddHHmmss`, `Reconciliation Date Format = yyyyMMddHHmmss`).\n","owner":"ae","citation":{"source":"src/connectors/avigilon/source.pdf","locator":"p12-13 — System Parameters","quote":"Templates Directory: Directory location where templates are installed during connector installation."}}],"knownLimitations":[{"title":"XML payload format","description":"Unlike most modern AE PACS connectors which use JSON, the Avigilon connector serializes payloads as XML. Customers using AE in customer-cloud deployments where outbound XML payload inspection is constrained should verify that any inspection layer (CASB / DLP / WAF) permits XML to Avigilon ACM endpoints.\n","severity":"informational","citation":{"source":"src/connectors/avigilon/source.pdf","locator":"p12 — System Parameters (Data Format)","quote":"Data Format: The data format, i.e. XML."}},{"title":"AES-256 cipher requires JCE policy files (5.6+)","description":"Without JCE Unlimited Strength Jurisdiction Policy Files installed on the AE-side JDK, the connector cannot communicate with ACM 5.6+ at all — token encryption will fail at connection setup. This is a hard prerequisite, not a graceful degradation.\n","severity":"important","citation":{"source":"src/connectors/avigilon/source.pdf","locator":"p5"}}],"relatedConnectors":[],"relatedConcepts":["cardholder","badge-or-credential","access-level","card-format"],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE-side framework that dispatches provisioning + reconciliation requests to every connector."},{"id":"alert-avigilon-connector","name":"Alert Avigilon Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE's Avigilon-specific connector module (ALNTAvigilonConnector). Translates ACF requests into Avigilon REST XML calls."},{"id":"avigilon-rest-api-service","name":"Avigilon REST API Service","kind":"gateway","vendor":"avigilon","trustZone":"customer-onprem","description":"Avigilon ACM's REST API surface — runs on the ACM appliance. Authenticates callers and forwards operations to the Access Control Manager."},{"id":"avigilon-access-control-manager","name":"Avigilon Access Control Manager","kind":"platform","vendor":"avigilon","trustZone":"customer-onprem","description":"Avigilon's on-prem PACS appliance — manages cardholders (LDAP-style attributes), Tokens (credentials), Access Levels, and door controllers."}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Provisioning + reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-avigilon-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-avigilon-connector","to":"avigilon-rest-api-service","label":"HTTPS REST + XML over basic auth + session token","transport":"rest","auth":"basic","carries":"User / Token / Role / Access-Level provisioning + reconciliation XML payloads","direction":"bidirectional","trustCrossing":true},{"from":"avigilon-rest-api-service","to":"avigilon-access-control-manager","label":"Internal ACM API","transport":"proprietary-api","direction":"bidirectional","trustCrossing":false,"notes":"Internal to the ACM appliance; not directly exercised by AE."}]},"citations":[{"source":"src/connectors/avigilon/source.pdf","locator":"Full connector guide — 20 pages, updated 2024-12-03"},{"source":"src/connectors/avigilon/source.pdf","locator":"p5 — Supported Version","quote":"Avigilon Access Control Manager Application Software Version: 5.4.4, 5.6.4"},{"source":"src/connectors/avigilon/source.pdf","locator":"p7 — Connector Architecture diagram","quote":"Alert Enterprise Connector Framework → Avigilon Connector → HTTP(S) → Avigilon Restful API Service → Avigilon Access Control Manager"},{"source":"src/connectors/avigilon/source.pdf","locator":"p6 — Provisioning Capabilities","quote":"Create User accounts / Update User information / Modify User Roles / Activate/Deactivate User / Add Badge / Activate Badge / Deactivate Badge / Change Badge"}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2024-12-03","sourceSha256":"e990b5d2885d0f932fe6eb7945e6cb1d7c9009d42f1a275cf58e02c631446eed","kind":"pacs","fields":{"readerProtocols":[],"cardFormats":[],"topology":"on-prem","eventModel":"polling","pollInterval":"Configurable on AE side per customer.","eventTypes":[],"antiPassback":"unknown","holidaySchedules":"unknown","cardholderModel":"ACM uses an LDAP-style attribute model — cardholders are objects with `cn` (common name = UserId), FirstName, LastName, Type, IDStatus, Title, Department, Division, address fields, SiteLocation, Building, EmailAddress, Phone, and ImageData. Each cardholder has one or more associated **Tokens** (Avigilon's term for a credential / badge), each with TokenInternalNumber, TokenStatus, TokenActivateDate, TokenDeactivateDate, TokenLevel, and a set of boolean flags (TokenVIP, TokenNoExpire, TokenTrace, TokenPinExempt, TokenExtAccess, TokenUserLoseExempt).\n","accessRightsModel":"Access is granted by associating a Token with a TokenLevel (numeric access level) and assigning the cardholder to one or more Roles (ROLE_NAME / ROLE_ACTIVE). The connector supports Modify User Roles and reconciles role assignments bidirectionally.\n","multiTenancy":"A single Avigilon ACM appliance is typically a single tenant. Customers running multiple ACM appliances (e.g., per-site) require one AE→Avigilon connector instance per appliance.\n"}},"azure-sso":{"id":"azure-sso","name":"Azure SSO (legacy — superseded by Microsoft Entra ID SSO)","vendor":"Microsoft","vendorId":"microsoft","connectorPackage":"AE_Azure_SSO_ConfigurationGuide","status":"legacy","description":"The Azure SSO connector is the **legacy / pre-rebrand** SAML SSO connector for what Microsoft now calls Microsoft Entra ID (the rebrand happened in mid-2023). For new deployments, use [[microsoft-entra-id-sso]] — they are functionally identical because Azure AD is Entra ID; only the product naming changed.\n\nThis record is preserved for customers still running on the older configuration guide and as documentation reference for the rebrand. The technical pattern is identical: AE Guardian as SAML SP, Entra ID (née Azure AD) as IdP, non-gallery Enterprise Application configured with AE metadata.\n","versions":[{"range":"Azure Active Directory (pre-rebrand) / Microsoft Entra ID (current)","status":"legacy","notes":"For new deployments, use [[microsoft-entra-id-sso]]."}],"transports":["rest"],"directions":["inbound"],"authentication":[{"kind":"saml","label":"SAML 2.0 (AE as SP, Azure AD / Entra ID as IdP)","details":"Same SAML 2.0 federation pattern as [[microsoft-entra-id-sso]]."}],"endpoints":[],"dataFields":[],"rateLimits":[],"prerequisites":[{"title":"See [[microsoft-entra-id-sso]] prerequisites","description":"Identical setup; only product naming differs.","owner":"customer"}],"knownLimitations":[{"title":"Superseded by [[microsoft-entra-id-sso]]","description":"Use the renamed connector for new deployments. Azure SSO is preserved for backward compatibility with existing configuration documentation only.\n","severity":"important"}],"relatedConnectors":["microsoft-entra-id-sso","microsoft-entra-id"],"relatedConcepts":["saml","oidc","mfa","conditional-access"],"composition":{"actors":[{"id":"end-user","name":"End User (browser)","kind":"user","vendor":"ae","trustZone":"untrusted"},{"id":"ae-guardian-sp","name":"AE Guardian (SAML SP)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"azure-ad-idp","name":"Azure AD / Microsoft Entra ID (SAML IdP)","kind":"gateway","vendor":"microsoft","trustZone":"vendor-cloud"}],"edges":[{"from":"end-user","to":"ae-guardian-sp","label":"HTTPS access attempt","transport":"rest","direction":"outbound","trustCrossing":true},{"from":"ae-guardian-sp","to":"azure-ad-idp","label":"SAML AuthnRequest","transport":"rest","auth":"saml","direction":"outbound","trustCrossing":true},{"from":"azure-ad-idp","to":"ae-guardian-sp","label":"SAML Response (ACS POST)","transport":"rest","auth":"saml","direction":"outbound","trustCrossing":true}]},"citations":[{"source":"src/connectors/azure-sso/source.pdf","locator":"Full configuration guide — 20 pages, updated 2025-08-22"}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2025-08-22","sourceSha256":"7c726622688a375e69f68fefd8659e97edbbf3da5176ad45580c6c95a75200d6","kind":"iam","fields":{"oidcSupport":"yes","samlSupport":"yes","samlBinding":["http-post","http-redirect"],"scimSupport":"yes","jitProvisioning":"configurable","sourceOfRecord":false}},"brivo":{"id":"brivo","name":"Brivo","vendor":"Brivo","vendorId":"brivo","connectorPackage":"AE_HSc_BrivoConnectorGuide","status":"active","description":"$1a","versions":[{"range":"Brivo Access REST API v11.21 (August 2024)","connectorVersion":"ALNTBrivoConnector-5.0","status":"active","notes":"Documented supported version in AE_HSc_BrivoConnectorGuide.pdf p5."}],"transports":["rest"],"directions":["bidirectional"],"authentication":[{"kind":"oauth2-password","label":"OAuth 2.0 password grant","details":"Brivo's REST API requires an OAuth 2.0 access token obtained via the password grant flow. The token URL is `https://auth.brivo.com/oauth/token?grant_type=password`. The connector posts the configured `userId` + `password` along with `clientId` + `clientSecret`. The access token is then sent on subsequent REST calls.\n","credentialStorage":"Encrypted in AE connector configuration (System Parameters tab).","citation":{"source":"src/connectors/brivo/source.pdf","locator":"p13 — System Parameters table","quote":"Token URL is required for connecting to external system, its value should be: https://auth.brivo.com/oauth/token?grant_type=password"}},{"kind":"api-key","label":"Brivo API Key","details":"In addition to OAuth, Brivo requires an `api_key` System Parameter — issued per Brivo customer account — which is included on every REST request. The combination of OAuth token + API key authenticates *both* the AE tenant and the Brivo organization.\n","credentialStorage":"Encrypted in AE connector configuration (System Parameters tab).","citation":{"source":"src/connectors/brivo/source.pdf","locator":"p13 — System Parameters table","quote":"API key is required for connecting to external system."}}],"endpoints":[{"method":"POST","path":"https://auth.brivo.com/oauth/token?grant_type=password","description":"OAuth 2.0 password-grant token acquisition.","category":"auth","direction":"outbound","authMethod":"oauth2-password","citation":{"source":"src/connectors/brivo/source.pdf","locator":"p13 — Token URL field"}}],"dataFields":[{"aeField":"userId","vendorField":"UserId","description":"Primary user identifier in Brivo.","direction":"bidirectional","required":true},{"aeField":"firstName","vendorField":"firstName","description":"Cardholder first name.","direction":"bidirectional","required":true},{"aeField":"lastName","vendorField":"lastName","description":"Cardholder last name.","direction":"bidirectional","required":true},{"aeField":"middleName","vendorField":"MiddleName","direction":"bidirectional","required":false},{"aeField":"email","vendorField":"email","direction":"bidirectional","required":false},{"aeField":"photo","vendorField":"Photo","description":"Cardholder photo, provisioned via the `IMAGE_LOCATION` system parameter staging directory.","direction":"outbound","required":false},{"aeField":"badgeId","vendorField":"card_number","description":"Card number portion of a Brivo credential (Standard 26 Bit format).","direction":"bidirectional","required":false},{"aeField":"badgekey","vendorField":"credentialId","description":"Brivo's internal credential record identifier.","direction":"bidirectional","required":false},{"aeField":"validFrom","vendorField":"effectiveFrom","description":"Badge activation timestamp.","direction":"outbound","required":false},{"aeField":"validTo","vendorField":"effectiveTo","description":"Badge expiration timestamp.","direction":"outbound","required":false},{"aeField":"readerPIN","vendorField":"PIN","description":"PIN paired with the cardholder credential.","direction":"outbound","required":false},{"aeField":"roleSourceId","vendorField":"role.id","description":"Brivo role identifier for role assignment.","direction":"bidirectional","required":false}],"rateLimits":[],"prerequisites":[{"title":"Brivo organization with API access","description":"An active Brivo Access subscription with API access enabled. The customer must obtain Client ID, Client Secret, and API Key from Brivo (provided as part of the Brivo subscription per p7 of the guide).","owner":"customer","citation":{"source":"src/connectors/brivo/source.pdf","locator":"p7 — Connector Architecture","quote":"This partner REST URLs is a prerequisite for deploying Brivo connector and is provided as part of Brivo subscription."}},{"title":"API user account in Brivo","description":"A dedicated Brivo user with API access and provisioning privileges. This account's `userId` and `password` are used in the OAuth password grant flow.","owner":"customer","citation":{"source":"src/connectors/brivo/source.pdf","locator":"p13 — System Parameters table","quote":"User Id of a user with API access and provisioning privileges."}},{"title":"SSL certificate trust","description":"Brivo's REST endpoints serve TLS — the customer's AE installation must trust the Brivo certificate chain. The guide documents the manual `keytool -importcert` procedure for importing the Brivo certificate into the JVM `cacerts` keystore at `/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts`. Both the `Job` and `API` services must be restarted after import.\n","owner":"ae","citation":{"source":"src/connectors/brivo/source.pdf","locator":"p8-9 — Enabling SSL Communication"}},{"title":"Image staging directory","description":"A writable filesystem path on the AE host, configured as the `IMAGE_LOCATION` system parameter. Cardholder photos are written here temporarily during provisioning before being uploaded to Brivo.\n","owner":"ae","citation":{"source":"src/connectors/brivo/source.pdf","locator":"p13 — System Parameters table"}}],"knownLimitations":[{"title":"OAuth password grant is the only supported flow","description":"The connector authenticates with OAuth 2.0 password grant — a flow that the IETF has deprecated for non-first-party clients (RFC 6749 § 4.3 was removed in OAuth 2.1 drafts). This means the AE installation effectively stores the Brivo administrative user's password in connector config. Customers with policies against storing service-account passwords in third-party apps must work with Brivo to obtain a dedicated API user with a long-lived rotated credential.\n","severity":"important"},{"title":"Image upload requires local staging","description":"Cardholder photos cannot stream directly from AE to Brivo; they are first written to the `IMAGE_LOCATION` filesystem path, then uploaded. Ensure this directory is cleaned up by a separate job to avoid disk-fill incidents.\n","severity":"informational","citation":{"source":"src/connectors/brivo/source.pdf","locator":"p13 — IMAGE_LOCATION parameter"}}],"relatedConnectors":[],"relatedConcepts":["cardholder","badge-or-credential","access-level","card-format"],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE-side framework that dispatches provisioning + reconciliation requests to every connector, including Brivo."},{"id":"alert-brivo-connector","name":"Alert Brivo Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE's Brivo-specific connector module (ALNTBrivoConnector). Translates ACF requests into Brivo REST calls."},{"id":"brivo-restful-api-service","name":"Brivo REST API Service","kind":"gateway","vendor":"brivo","trustZone":"vendor-cloud","description":"Brivo's hosted REST API surface (auth.brivo.com + api.brivo.com). Authenticates callers and forwards operations to the Access Control Manager."},{"id":"brivo-access-control-manager","name":"Brivo Access Control Manager","kind":"platform","vendor":"brivo","trustZone":"vendor-cloud","description":"Brivo's cloud-hosted PACS authoritative system — manages cardholders, credentials, access groups, and door schedules. The customer's controller stack runs entirely here."}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Provisioning + reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-brivo-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-brivo-connector","to":"brivo-restful-api-service","label":"HTTPS REST + OAuth bearer","transport":"rest","auth":"oauth2-password","carries":"User / role / badge provisioning + reconciliation payloads","direction":"bidirectional","trustCrossing":true},{"from":"brivo-restful-api-service","to":"brivo-access-control-manager","label":"Internal Brivo API","transport":"proprietary-api","direction":"bidirectional","trustCrossing":false,"notes":"Internal to Brivo's cloud; not directly exercised by AE."}]},"citations":[{"source":"src/connectors/brivo/source.pdf","locator":"Full connector guide — 17 pages, updated 2025-05-19"},{"source":"src/connectors/brivo/source.pdf","locator":"p5 — Supported Version","quote":"The Brivo Connector supports version 11.21 (August 2024)"},{"source":"src/connectors/brivo/source.pdf","locator":"p5 — Provisioning Capabilities","quote":"Create User accounts / Update User information / Modify User Roles / Delete User / Add Badge / Delete Badge"},{"source":"src/connectors/brivo/source.pdf","locator":"p7 — Connector Architecture diagram","quote":"Alert Enterprise Connector Framework → Brivo Connector → HTTP(S) → Brivo Restful API Service → Brivo Access Control Manager"}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2025-05-19","sourceSha256":"1e1561d2a27738f16d59ab96b1c8cf45e1038b2a073118b2b8881c7bdc0e4443","kind":"pacs","fields":{"readerProtocols":[],"cardFormats":["Standard 26 Bit"],"topology":"cloud","eventModel":"polling","pollInterval":"Not specified in connector guide — AE-side schedule per customer.","eventTypes":[],"antiPassback":"unknown","holidaySchedules":"unknown","cardholderModel":"Brivo represents a cardholder as a User record with one or more associated User Badge records. Each Badge carries `credentialId`, `card_number`, `facility_code`, `effectiveFrom`, `effectiveTo`, and a `credentialFormatName` (e.g., \"Standard 26 Bit\"). Roles are assigned via UserRoleData records linking a User to a Brivo role.id.\n","accessRightsModel":"Access is granted by assigning a User to one or more Brivo Roles (UserRoleData mappings). The connector supports Provisioning (create / update / delete role assignments) and Reconciliation (full + incremental) of role-to-user mappings.\n","multiTenancy":"Each Brivo organization is a separate tenant in Brivo's cloud. The connector authenticates per-organization via Client ID + Client Secret + API Key; one AE→Brivo connector instance corresponds to one Brivo organization.\n"}},"ccure9000-victor":{"id":"ccure9000-victor","name":"C·CURE 9000 (via Victor Web Service)","vendor":"Software House (Johnson Controls)","vendorId":"johnson-controls","connectorPackage":"AE_HSc_CCURE9000VictorConnectorGuide","status":"active","description":"$1b","versions":[{"range":"C·CURE 9000 versions 2.6, 2.7, 2.80, 2.81, 2.9, 3.0, 3.10","connectorVersion":"ALNTCCure9000VictorConnector-5.0","status":"active","notes":"The 2.x line and 3.x line are both supported by the same connector. Set `IS_CLIENTID_AUTH = Yes` for CCURE 2.80+, and `IS_CCURE_26 = True` for CCURE 2.6 or later (per the connector System Parameters). The `manageCustomClearance` parameter is mandatory for 2.6+ (image provisioning switched from Data Import Jobs to API calls in 2.6).\n"}],"transports":["rest","jdbc"],"directions":["bidirectional"],"authentication":[{"kind":"oauth2-password","label":"Victor OAuth 2.0 (operator credentials → bearer token)","details":"The Victor Web Service uses OAuth 2.0 as the primary authentication mechanism. The Alert C·CURE Connector posts a CCURE operator username + password (configured as `userId` and `password` system parameters) to the Victor authentication endpoint and receives a scoped, time-bound bearer token. Subsequent API calls include `Authorization: Bearer `. The connector caches the token, reuses it until expiry, and refreshes on expiration. If the CCURE operator's authentication type is Windows, the `userId` must be in `\\` format. All traffic, including the token exchange, is encrypted over TLS 1.2 or later.\n","credentialStorage":"Encrypted in AE connector configuration; the `isCredentialChanged` flag is set to True after rotation to force the connector to revalidate.","rotation":"Operator-managed in CCURE; bearer token TTL is enforced by CCURE Victor server and renewed automatically by the connector.","citation":{"source":"src/connectors/ccure9000-victor/source.pdf","locator":"p11 — Chapter 2.4 Authentication Model","quote":"The CCURE Victor web service API uses OAuth 2.0 as its primary authentication mechanism. The Alert CCURE Connector obtains an access token from the CCURE Victor authentication endpoint before making API calls. Each request includes the token in the Authorization header using the Bearer format."}},{"kind":"basic","label":"SQL Server (JDBC) for role + activity reconciliation","details":"Role reconciliation (Clearances → AE Roles) and access-activity reconciliation (cardholder events: CardAdmitted, CardRejected, ObjectChangedState, JournalStateChange) use direct read-only JDBC against the C·CURE 9000 SQL Server backend (`ACVSCore` database — Access schema tables: Clearance, ClearanceItem, Door, Reader, Personnel, doorudf; plus the `ACVSUJournal*` event log databases). Driver Name, JDBC URL, database username, and password are configured as system parameters.\n","credentialStorage":"Encrypted in AE connector configuration."}],"endpoints":[{"method":"POST","path":"https:///CCUREWebService/victor/auth/token","description":"Victor OAuth 2.0 token endpoint. Exchanges CCURE operator credentials for a bearer token.","category":"auth","direction":"outbound","authMethod":"oauth2-password","citation":{"source":"src/connectors/ccure9000-victor/source.pdf","locator":"p15 — instanceURL example","quote":"https://ccureserver/CCUREWebService"}}],"dataFields":[{"aeField":"userId","vendorField":"ObjectID","description":"CCURE Personnel object identifier (GUID).","direction":"bidirectional","required":true},{"aeField":"firstName","vendorField":"FirstName","direction":"bidirectional","required":false},{"aeField":"lastName","vendorField":"LastName","direction":"bidirectional","required":false},{"aeField":"middleName","vendorField":"MiddleName","direction":"bidirectional","required":false},{"aeField":"status","vendorField":"Active","description":"CCURE Personnel `Active` boolean.","direction":"bidirectional","required":false},{"aeField":"type","vendorField":"PersonnelTypeID","description":"Personnel type discriminator. AE maps via formula: '1' → Employee, '2' → Contractor, '3' → Visitor, otherwise 'Permanent'.\n","direction":"bidirectional","required":false},{"aeField":"employmentStatus","vendorField":"Text5","description":"CCURE generic-text slot 5 — site-defined for employment status.","direction":"bidirectional","required":false},{"aeField":"email","vendorField":"Text1","description":"CCURE generic-text slot 1 — site-defined for email.","direction":"bidirectional","required":false},{"aeField":"photo","vendorField":"Image / PrimaryPortrait","description":"Cardholder photo. From 2.6+ image provisioning uses APIs (not Data Import jobs). Only the primary image is supported during reconciliation.","direction":"outbound","required":false},{"aeField":"pin","vendorField":"DecodePIN / PIN","direction":"outbound","required":false},{"aeField":"badgeId","vendorField":"Badge.CardNumber","description":"Card number must be less than 4294967295 (32-bit unsigned int ceiling). Values ≥ 4294967295 cause provisioning failure.\n","direction":"bidirectional","required":true},{"aeField":"CHUID","vendorField":"Badge.CHUID","description":"Cardholder Unique Identifier — typically formatted as '000000$BadgeId' via formula.","direction":"bidirectional","required":false},{"aeField":"BadgeFormatID","vendorField":"Badge.CHUIDFormatID","description":"CCURE card format identifier — must align with the credential format provisioned at the reader.","direction":"bidirectional","required":false},{"aeField":"validFrom","vendorField":"Badge.ActivationDateTime","direction":"outbound","required":false},{"aeField":"validTo","vendorField":"Badge.ExpirationDateTime","direction":"outbound","required":false},{"aeField":"badgedisabled","vendorField":"Badge.Disabled","direction":"bidirectional","required":false},{"aeField":"assetStatus","vendorField":"status","description":"Badge status mapping via formula: badgestolen=true → 'STOLEN'; badgedisabled=true → 'DISABLED'; badgelost=true → 'LOST'; else 'OPEN'.\n","direction":"bidirectional","required":false},{"aeField":"Location_id","vendorField":"Badge.FacilityCode","description":"Facility code on the badge — part of the (CardNumber, FacilityCode) credential-uniqueness key when configured.","direction":"bidirectional","required":false},{"aeField":"sourceId","vendorField":"TechnicalRoleName","description":"Clearance ObjectID — links UserRoleData entries to CCURE Clearances.","direction":"bidirectional","required":true},{"aeField":"text","vendorField":"ROLE_NAME","description":"Clearance display name.","direction":"bidirectional","required":false},{"aeField":"Description","vendorField":"ROLE_DESCRIPTION","direction":"bidirectional","required":false},{"aeField":"PartitionID","vendorField":"PartitionID","description":"CCURE 9000 partition — supports multi-tenant deployments where partitions isolate cardholder pools.","direction":"bidirectional","required":false}],"rateLimits":[],"prerequisites":[{"title":"Updated CCURE License with AlertEnterprise integration option","description":"The customer must work with the CCURE licensing team to obtain an updated license including the **CC9000-ALERTENT** option. The license must then be applied to the CCURE Victor server using the `InsertLicenseOption` tool with the AlertEnterprise vendor GUID `a43a3d60-da8d-4ad6-8cdb-4ca792d865df`. This is a hard prerequisite — without it, the Victor Web Service rejects the AE integration's API calls. Plan license procurement well in advance.\n","owner":"customer","leadTime":"2-6 weeks (varies by CCURE licensing team SLA)","citation":{"source":"src/connectors/ccure9000-victor/source.pdf","locator":"p12 — Installation Prerequisites","quote":"For the Alert Enterprise - CCURE 9000 Victor integration to function correctly, the customer must work with the CCURE licensing team to obtain an updated license with the Alert Enterprise integration (GUID) enabled. Licensing Option: CC9000‐ALERTENT"}},{"title":"Alert Enterprise Agent deployed on-prem","description":"For SaaS Guardian deployments, the Alert Enterprise Agent must be deployed in the customer environment with network reachability to the CCURE Victor server. The Agent hosts the C·CURE 9000 Connector and provides the cloud-to-on-prem bridge — CCURE is never exposed to the cloud.\n","owner":"ae","citation":{"source":"src/connectors/ccure9000-victor/source.pdf","locator":"p10 — Guardian (SaaS) Architecture","quote":"The Alert Enterprise HSC application runs in the cloud and communicates over HTTPS (REST APIs) with the on-premises Alert Enterprise Agent, which acts as a secure gateway into the customer network. The Agent hosts the CCURE 9000 Connector..."}},{"title":"CCURE operator account for API access","description":"A dedicated CCURE operator account with sufficient privileges for the AE integration operations (create/update users, manage badges, modify clearances). Windows-auth operators require `\\` formatting in the AE config.\n","owner":"customer"},{"title":"Read-only JDBC user for role + activity reconciliation","description":"A SQL Server user with SELECT privileges on the `ACVSCore` database (Access schema: Clearance, ClearanceItem, Door, Reader, Personnel, doorudf) and on the per-day `ACVSUJournal*` event log databases. JDBC driver name + URL + credentials configured as system parameters.\n","owner":"customer"},{"title":"TLS 1.2 or later end-to-end","description":"All traffic to the Victor Web Service must use TLS 1.2 or later. Customers running CCURE servers on older OS / framework versions must update before integration.\n","owner":"customer","citation":{"source":"src/connectors/ccure9000-victor/source.pdf","locator":"p11 — Authentication Model","quote":"All API traffic, including authentication, is secured over HTTPS using TLS 1.2 or later to ensure confidentiality, integrity, and protection of tokens in transit."}},{"title":"Stable CCURE endpoint (DNS/VIP) for HA/DR","description":"Software House recommends a customer-managed DNS hostname or virtual IP fronting CCURE Victor servers behind a load balancer or traffic manager. The AE connector talks to a single endpoint and the customer's load-balancer fabric handles failover without integration changes.\n","owner":"customer","citation":{"source":"src/connectors/ccure9000-victor/source.pdf","locator":"p11 — High Availability (HA) & Disaster Recovery (DR)"}}],"knownLimitations":[{"title":"Card number ceiling at 4,294,967,295","description":"The CCURE 9000 Victor API rejects card numbers ≥ 4294967295 (32-bit unsigned int ceiling). Customers using larger card numbers (e.g., FASC-N derivative encodings, full 128-bit CHUIDs as integers) must use the CHUID + FacilityCode credential-unique fields path instead.\n","severity":"important","citation":{"source":"src/connectors/ccure9000-victor/source.pdf","locator":"p8 — Limitations","quote":"The CCURE 9000 Connector card number must be less than 4294967295; otherwise, the system generates a provisioning failure error."}},{"title":"Multi-image cardholders — only primary image reconciled","description":"During user reconciliation, only the primary image is supported. Cardholders with multiple stored images (e.g., a secondary visa or contractor photo) lose the non-primary images during reconciliation back into AE.\n","severity":"informational","citation":{"source":"src/connectors/ccure9000-victor/source.pdf","locator":"p8 — Limitations","quote":"If a user has multiple images, only the primary image is supported during user reconciliation."}},{"title":"License procurement is the long-pole prerequisite","description":"The `CC9000-ALERTENT` license must be obtained from Software House / Johnson Controls' licensing team — not via AE. Lead time of 2-6 weeks is typical. AE Sales / SE should surface this very early in the deal cycle to avoid project-start surprises.\n","severity":"important","citation":{"source":"src/connectors/ccure9000-victor/source.pdf","locator":"p13 — Important note","quote":"Procuring an additional license may involve time and cost. This activity should be planned well in advance to avoid potential project delays."}},{"title":"PIN field is double-named (`PIN` vs `DecodePIN`)","description":"Both `Pin → PIN` and `pin → DecodePIN` mappings appear in the field mapping table. `DecodePIN` is the post-decryption value used for badge provisioning; `PIN` is the cardholder-facing PIN field for keypad readers. Confusion between the two is a common implementation pitfall — verify with the project's CCURE administrator which slot the site uses.\n","severity":"informational"}],"relatedConnectors":["lenel","genetec"],"relatedConcepts":["cardholder","badge-or-credential","access-level","piam","vim","chuid","card-format","reader","panel"],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE-side framework that dispatches provisioning + reconciliation requests to every connector. In the SaaS topology, ACF runs in AE's cloud."},{"id":"alert-enterprise-agent","name":"Alert Enterprise Agent (on-prem gateway)","kind":"gateway","vendor":"ae","trustZone":"customer-onprem","description":"AE's on-prem agent service. Hosts the C·CURE 9000 Connector. Receives outbound-only HTTPS calls from cloud Guardian — no inbound firewall holes required."},{"id":"alert-ccure-connector","name":"Alert C·CURE 9000 Connector","kind":"service","vendor":"ae","trustZone":"customer-onprem","description":"AE's C·CURE-specific connector module (ALNTCCure9000VictorConnector). Translates ACF requests into Victor Web Service REST calls and JDBC queries."},{"id":"ccure-victor-load-balancer","name":"CCURE Victor LB (DNS / VIP)","kind":"gateway","vendor":"johnson-controls","trustZone":"customer-onprem","description":"Recommended stable endpoint (DNS hostname or VIP behind a load balancer) fronting one or more CCURE Victor servers for HA/DR."},{"id":"ccure-victor-web-service","name":"CCURE Victor Web Service","kind":"gateway","vendor":"johnson-controls","trustZone":"customer-onprem","description":"Software House's REST API surface for C·CURE 9000. Authenticates callers via OAuth 2.0 and forwards operations to the C·CURE server."},{"id":"ccure-9000-server","name":"C·CURE 9000 Server","kind":"platform","vendor":"johnson-controls","trustZone":"customer-onprem","description":"Software House's on-prem PACS application server. Manages Personnel (cardholders), Visitors, Badges, Clearances (access levels), Doors, Readers, Partitions."},{"id":"ccure-9000-database","name":"C·CURE 9000 SQL Server (ACVSCore + ACVSUJournal*)","kind":"platform","vendor":"johnson-controls","trustZone":"customer-onprem","description":"C·CURE's SQL Server backend. Read directly by the AE connector for role/clearance reconciliation and event-log/activity reconciliation."}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Provisioning + reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-enterprise-agent","label":"Outbound-only HTTPS (cloud → on-prem)","transport":"rest","auth":"mtls","carries":"ACF dispatch payloads — secured tunnel from cloud Guardian into customer environment","direction":"outbound","trustCrossing":true,"notes":"SaaS Guardian topology. No inbound firewall holes into customer environment."},{"from":"alert-enterprise-agent","to":"alert-ccure-connector","label":"In-agent dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-ccure-connector","to":"ccure-victor-load-balancer","label":"Victor REST + OAuth bearer","transport":"rest","auth":"oauth2-password","carries":"Personnel / Badge / Clearance / Visitor REST calls","direction":"bidirectional","trustCrossing":false},{"from":"ccure-victor-load-balancer","to":"ccure-victor-web-service","label":"LB → Victor server pool","transport":"rest","direction":"bidirectional","trustCrossing":false},{"from":"ccure-victor-web-service","to":"ccure-9000-server","label":"Internal Software House API","transport":"proprietary-api","direction":"bidirectional","trustCrossing":false},{"from":"alert-ccure-connector","to":"ccure-9000-database","label":"Role + activity reconciliation (read-only JDBC)","transport":"jdbc","auth":"basic","carries":"SELECT against ACVSCore.Access (Clearance, Door, Reader, Personnel) + ACVSUJournalLog*","direction":"inbound","trustCrossing":false},{"from":"ccure-9000-server","to":"ccure-9000-database","label":"Persists Personnel + Clearances + journals","transport":"jdbc","direction":"outbound","trustCrossing":false}]},"citations":[{"source":"src/connectors/ccure9000-victor/source.pdf","locator":"Full connector guide — 38 pages, revision 4.0 dated 2026-04-29"},{"source":"src/connectors/ccure9000-victor/source.pdf","locator":"p7 — Supported Versions & Features","quote":"Integration Method: CCURE 9000 Connector / Supported Version(s): 2.6, 2.7, 2.80, 2.81, 2.9 and 3.0, 3.10"},{"source":"src/connectors/ccure9000-victor/source.pdf","locator":"p10 — Guardian (SaaS) Architecture","quote":"The Agent hosts the CCURE 9000 Connector, which translates Alert Enterprise requests into CCURE Victor Web Service (REST API) calls to manage personnel, credentials, and access levels."},{"source":"src/connectors/ccure9000-victor/source.pdf","locator":"p7 — Supported PACS Objects","quote":"PIAM - Cardholder, Cardholder Badge, Cardholder Access / VIM - Visitors, Visitor Badges, Visitor Access"}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2026-04-29","sourceSha256":"472ccb556af2e165c10c9bc7cab4fa64094882c1f50670d3d653e2ce37484f33","kind":"pacs","fields":{"readerProtocols":[],"cardFormats":[],"topology":"on-prem","eventModel":"both","pollInterval":"AE-side schedule per customer; activity reconciliation by date range via $LAST_RUN_DATE / $NEXT_RUN_DATE substitution.","eventTypes":["CardAdmitted","CardRejected","ObjectChangedState","JournalStateChange"],"antiPassback":"unknown","holidaySchedules":"unknown","cardholderModel":"CCURE 9000 models a cardholder as a **Personnel** object in the `ACVSCore.Access.Personnel` table — keyed by `ObjectID` (GUID). Personnel objects carry FirstName, LastName, MiddleName, Active flag, PersonnelTypeID (Employee/Contractor/Visitor/Permanent), and 25+ generic-text slots (Text1-Text25) plus 7+ generic-int slots (Int6, Int7, ...) used for site-defined custom attributes. Each Personnel can have one or more **Badges**, identified by CardNumber, FacilityCode, CHUID, CHUIDFormatID, ActivationDateTime, ExpirationDateTime, and status flags (Disabled, Stolen, Lost). PrimaryPortrait holds the canonical photo; secondary images are not roundtripped. Visitors are a parallel object family used by VIM (Visitor Identity Management).\n","accessRightsModel":"Access is granted by assigning a Personnel/Badge to one or more **Clearances** (Software House's term for an access level), modeled in `ACVSCore.Access.Clearance` and linked to Doors via `ClearanceItem` join records. Each Clearance is composed of a set of (Door, Reader) pairs — doors have an `InReaderID` and `OutReaderID` distinguishing entry vs exit readers. Group memberships via `GroupMember` and door groups extend clearance scope.\n","multiTenancy":"C·CURE 9000 supports **Partitions** — first-class cardholder/clearance scoping units that isolate access pools within a single C·CURE deployment. Each Personnel and Clearance carries a PartitionID. Multi-business-unit customers running a shared C·CURE deployment can isolate by partition without multiple connector instances.\n"}},"cisco-ise":{"id":"cisco-ise","name":"Cisco Identity Services Engine (ISE)","vendor":"Cisco","vendorId":"cisco","connectorPackage":"AE_HSc_CiscoISEConnectorGuide","status":"active","description":"$1c","versions":[{"range":"Cisco ISE 2.2, 2.6, 2.7, 3.0, 3.1, 3.2, 3.3, 3.4","connectorVersion":"ALNTCiscoISEConnector-5.0","status":"active"}],"transports":["rest"],"directions":["bidirectional"],"authentication":[{"kind":"basic","label":"ISE External RESTful Services (ERS) credentials over SSL","details":"Cisco ISE authentication uses basic auth — username + password for an ISE administrator or ERS Admin account. SSL/TLS is required; the connector guide documents the standard `keytool -importcert` procedure for importing the ISE certificate into the AE host's JVM cacerts keystore.\n","credentialStorage":"Encrypted in AE connector configuration."}],"endpoints":[],"dataFields":[],"rateLimits":[],"prerequisites":[{"title":"Cisco ISE deployment with ERS (External RESTful Services) enabled","description":"An operational Cisco ISE deployment (2.2 through 3.4) with the ERS API enabled. ERS is disabled by default — the ISE admin must enable it under Administration → System → Settings → ERS Settings. The REST URLs are provided as part of the Cisco ISE subscription.\n","owner":"customer","citation":{"source":"src/connectors/cisco-ise/source.pdf","locator":"p7 — Connector Architecture","quote":"This partner REST URLs is a prerequisite for deploying Cisco ISE connector and is provided as part of Cisco ISE subscription."}},{"title":"ISE ERS Admin account with API privileges","description":"A dedicated ISE administrator account in the **ERS Admin** role with privileges to manage Internal Users + Guest Users.\n","owner":"customer"},{"title":"SSL certificate trust","description":"ISE certificate imported into the AE host's JVM cacerts keystore via `keytool -importcert`; restart Job and API services.\n","owner":"ae"}],"knownLimitations":[{"title":"Modify User Roles supported for Internal Users only","description":"The `Modify User Roles` provisioning capability applies only to **Internal Users**. Guest user identity groups are managed through ISE's Sponsor Portal workflow rather than the ERS API, so AE cannot directly modify Guest user role assignments.\n","severity":"informational","citation":{"source":"src/connectors/cisco-ise/source.pdf","locator":"p5 — Provisioning Capabilities table","quote":"Modify the user roles in Cisco ISE system (Only for Internal Users)."}}],"relatedConnectors":[],"relatedConcepts":["saml","mfa","lifecycle-events"],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-cisco-ise-connector","name":"Alert Cisco ISE Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE's Cisco ISE connector module (ALNTCiscoISEConnector)."},{"id":"cisco-ise-rest-api","name":"Cisco ISE External RESTful Services (ERS)","kind":"gateway","vendor":"cisco","trustZone":"customer-onprem","description":"ISE's REST API surface. Disabled by default — must be enabled by the ISE admin."},{"id":"cisco-ise-server","name":"Cisco ISE Server","kind":"platform","vendor":"cisco","trustZone":"customer-onprem","description":"Cisco ISE policy server — manages Internal Users, Guest Users, identity groups, network access policies."}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Provisioning + reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-cisco-ise-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-cisco-ise-connector","to":"cisco-ise-rest-api","label":"ERS REST + basic auth","transport":"rest","auth":"basic","carries":"Internal / Guest user + role provisioning + reconciliation","direction":"bidirectional","trustCrossing":true},{"from":"cisco-ise-rest-api","to":"cisco-ise-server","label":"Internal ERS API","transport":"proprietary-api","direction":"bidirectional","trustCrossing":false}]},"citations":[{"source":"src/connectors/cisco-ise/source.pdf","locator":"Full connector guide — 27 pages, updated 2024-12-03"},{"source":"src/connectors/cisco-ise/source.pdf","locator":"p5 — Supported Version","quote":"The Cisco ISE Connector supports Cisco ISE version 2.2, 2.6, 2.7, 3.0, 3.1, 3.2, 3.3, 3.4."},{"source":"src/connectors/cisco-ise/source.pdf","locator":"p5 — Provisioning Capabilities","quote":"Create User accounts / Update User information / Modify User Roles / Delete User / Delimit User / Lock User / Unlock User"}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2024-12-03","sourceSha256":"8c2ca973c42f4f46a771bedbdde97cad37be232490691497a3ee981d067b6b02","kind":"iam","fields":{"oidcSupport":"no","samlSupport":"yes","samlBinding":[],"scimSupport":"no","jitProvisioning":"unknown","mfaModel":"ISE supports MFA enforcement at the network-access policy layer (e.g., requiring DUO + 802.1X for VPN). MFA configuration is owned by the ISE admin; AE does not configure ISE policies.\n","groupSyncMode":"flat","defaultAttributeMapping":"Standard ISE Internal User attributes (UserName, FirstName, LastName, Email, Description) + Guest User attributes (similar plus sponsor info).\n","sourceOfRecord":false}},"clear-pass":{"id":"clear-pass","name":"Aruba ClearPass","vendor":"HPE Aruba Networking","vendorId":"aruba","connectorPackage":"AE_HSc_ClearPassConnectorGuide","status":"active","description":"The Aruba ClearPass connector integrates AlertEnterprise Guardian with **HPE Aruba ClearPass Policy Manager** — Aruba's enterprise NAC (Network Access Control) platform, the primary competitor to [[cisco-ise]] in the network access space. ClearPass governs network authentication for wired, wireless, VPN, and BYOD access, with strong 802.1X and RADIUS integration.\n\nLike Cisco ISE, ClearPass scope is **network access** rather than application access — it sits at the network-authentication boundary, deciding which users / devices can authenticate onto the network and applying segmentation policies. AE Guardian provisions ClearPass **Local Users** (the local identity store ClearPass maintains for guest / contractor populations) and reconciles user data back to Guardian for governance purposes.\n\nArchitecture: **AE Guardian → ACF → Alert ClearPass Connector → ClearPass REST API → ClearPass Policy Manager**. Standard HTTPS REST with bearer-token auth.\n","versions":[{"range":"HPE Aruba ClearPass Application Software 6.8.x through 6.12.x","status":"active","notes":"Connector guide documents versions 6.8.x to 6.12.x. ClearPass 6.13.x not yet documented as supported."}],"transports":["rest"],"directions":["bidirectional"],"authentication":[{"kind":"bearer-token","label":"ClearPass API Client Bearer Token","details":"ClearPass authenticates via an API Client configured in the ClearPass admin UI (Administration → API Services → API Clients). The API client uses OAuth 2.0 client credentials grant to obtain a bearer token. The connector exchanges `client_id` + `client_secret` for an access token and uses it on subsequent REST calls.\n","credentialStorage":"Encrypted in AE connector configuration."}],"endpoints":[],"dataFields":[],"rateLimits":[],"prerequisites":[{"title":"ClearPass deployment with API Services enabled","description":"An operational ClearPass Policy Manager 6.8.x-6.12.x deployment with API Services enabled and an API Client configured for the AE integration.\n","owner":"customer"},{"title":"ClearPass API Client with required scopes","description":"ClearPass admin creates an API Client under Administration → API Services → API Clients, configures appropriate operator scope (must include Guest User / Local User management).\n","owner":"customer"},{"title":"SSL certificate trust","description":"ClearPass SSL certificate imported into the AE host's JVM cacerts keystore via `keytool -importcert`.\n","owner":"ae"}],"knownLimitations":[],"relatedConnectors":["cisco-ise"],"relatedConcepts":["saml","mfa","lifecycle-events"],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-clearpass-connector","name":"Alert ClearPass Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"clearpass-rest-api","name":"ClearPass REST API","kind":"gateway","vendor":"aruba","trustZone":"customer-onprem","description":"ClearPass Policy Manager REST API. OAuth 2.0 authenticated."},{"id":"clearpass-policy-manager","name":"ClearPass Policy Manager","kind":"platform","vendor":"aruba","trustZone":"customer-onprem","description":"HPE Aruba ClearPass policy server. Manages Local Users, Guest Users, network access policies."}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Provisioning + reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-clearpass-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-clearpass-connector","to":"clearpass-rest-api","label":"REST + OAuth bearer","transport":"rest","auth":"bearer-token","carries":"User / role / network-access provisioning + reconciliation","direction":"bidirectional","trustCrossing":true},{"from":"clearpass-rest-api","to":"clearpass-policy-manager","label":"Internal API","transport":"proprietary-api","direction":"bidirectional","trustCrossing":false}]},"citations":[{"source":"src/connectors/clear-pass/source.pdf","locator":"Full connector guide — 17 pages, updated 2024-12-20"},{"source":"src/connectors/clear-pass/source.pdf","locator":"p5 — Supported Version","quote":"ClearPass Application Software version 6.8.x to 6.12.x"}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2024-12-20","sourceSha256":"093e8f3bace2f715b71d90b2dfa8e51071f0072172044fe3b5023defdfdd87a1","kind":"iam","fields":{"oidcSupport":"no","samlSupport":"yes","samlBinding":[],"scimSupport":"no","jitProvisioning":"unknown","mfaModel":"MFA enforced at the ClearPass network-access policy layer. AE does not configure ClearPass MFA policies.\n","groupSyncMode":"flat","defaultAttributeMapping":"ClearPass Local User attributes (UserName, Password, Role, ExpiryDate, GuestEnable status).\n","sourceOfRecord":false}},"db":{"id":"db","name":"DB","vendor":"Generic (Database)","vendorId":"ae","connectorPackage":"AE_HSc_DBConnectorGuide","status":"active","description":"The Generic (Database) connector integrates AlertEnterprise with **DB Connector** — a data-source system.\n\n**This record was auto-generated by `scripts/ingest/template-connector.ts` from the AE connector guide.** Structured fields (versions, transports, authentication, composition graph) are derived from deterministic recognition; the description, prerequisites, dataFields, knownLimitations, and kind-specific fields are placeholders to be filled in during the category authoring wave for data-source connectors.\n\nSource: `AE_HSc_DBConnectorGuide.pdf` (page count: 25).\n","versions":[{"range":"(version not specified in connector guide — verify against current vendor docs)","status":"active"}],"transports":["rest"],"directions":["bidirectional"],"authentication":[],"endpoints":[],"dataFields":[],"rateLimits":[],"prerequisites":[],"knownLimitations":[],"relatedConnectors":[],"relatedConcepts":[],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-db-connector","name":"Alert Generic (Database) Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE's Generic (Database)-specific connector module."},{"id":"ae-system","name":"Generic (Database) System","kind":"platform","vendor":"ae","trustZone":"customer-onprem","description":"The customer's Generic (Database) system or tenant — authoritative source for the data this connector reads / writes.\n"}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Provisioning + reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-db-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-db-connector","to":"ae-system","label":"API calls (provisioning + reconciliation)","transport":"rest","carries":"Connector-specific data","direction":"bidirectional","trustCrossing":true}]},"citations":[{"source":"src/connectors/db/source.pdf","locator":"Connector guide — 25 pages"},{"source":"src/connectors/db/source.pdf","locator":"p3 — Chapter 1, Introduction................................................................................................................. 6"}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2025-12-24","sourceSha256":"b4c1f13992dafa9516002e9236d4db08112e204290e794264e9a9873af03595f","kind":"data-source","fields":{"protocol":"(see connector guide)"}},"dmp-entre-pass":{"id":"dmp-entre-pass","name":"DMP Entré","vendor":"DMP (Digital Monitoring Products)","vendorId":"dmp","connectorPackage":"AE_HSc_DMPEntreConnectorGuide","status":"active","description":"The DMP Entré connector integrates AlertEnterprise Guardian with **DMP Entré** — Digital Monitoring Products' integrated access control + intrusion detection platform. DMP is unusual in the PACS landscape because its access control is tightly coupled to its intrusion detection / burglar alarm product line, making it a popular choice in retail, banking branches, and small-to-mid enterprise where both access and intrusion are needed from one vendor.\n\nArchitecture: **AE → ACF → Alert DMP Connector → DMP Entré RESTful API → DMP Access Control**. Standard REST over HTTPS.\n","versions":[{"range":"DMP Entré version 8.1","status":"active"}],"transports":["rest"],"directions":["bidirectional"],"authentication":[{"kind":"basic","label":"DMP Entré API credentials","details":"Basic auth credentials configured in AE connector. SSL/TLS required.","credentialStorage":"Encrypted in AE connector configuration."}],"endpoints":[],"dataFields":[],"rateLimits":[],"prerequisites":[{"title":"DMP Entré with REST API enabled","description":"An operational DMP Entré 8.1 deployment with the REST API enabled.\n","owner":"customer","citation":{"source":"src/connectors/dmp-entre-pass/source.pdf","locator":"p8 — Connector Architecture","quote":"The Alert DMP Entre Connector consumes the Restful APIs provided by DMP Entre out of the box, for performing these operations."}},{"title":"DMP Entré API user with provisioning + reconciliation privileges","description":"Dedicated DMP Entré API user.","owner":"customer"}],"knownLimitations":[],"relatedConnectors":[],"relatedConcepts":["cardholder","badge-or-credential","access-level"],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-dmp-connector","name":"Alert DMP Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"dmp-entre-rest-api","name":"DMP Entré Restful API","kind":"gateway","vendor":"dmp","trustZone":"customer-onprem"},{"id":"dmp-access-control","name":"DMP Entré Access Control System","kind":"platform","vendor":"dmp","trustZone":"customer-onprem","description":"DMP's combined access control + intrusion detection platform."}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Provisioning + reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-dmp-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-dmp-connector","to":"dmp-entre-rest-api","label":"REST over HTTPS","transport":"rest","auth":"basic","carries":"User / badge / access provisioning + reconciliation","direction":"bidirectional","trustCrossing":true},{"from":"dmp-entre-rest-api","to":"dmp-access-control","label":"Internal API","transport":"proprietary-api","direction":"bidirectional","trustCrossing":false}]},"citations":[{"source":"src/connectors/dmp-entre-pass/source.pdf","locator":"Full connector guide, updated 2025-09-08"},{"source":"src/connectors/dmp-entre-pass/source.pdf","locator":"p6 — Supported Version","quote":"The DMP connector supports version 8.1"}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2025-09-08","sourceSha256":"ac8e8707c6e6960532189b319c95c50c32b0c1bad4dded1e2316952305f447b8","kind":"pacs","fields":{"readerProtocols":[],"cardFormats":[],"topology":"on-prem","eventModel":"polling","pollInterval":"AE-side schedule per customer.","eventTypes":[],"antiPassback":"unknown","holidaySchedules":"unknown","cardholderModel":"DMP Entré cardholder model with associated badges and access permissions, exposed via REST.\n","accessRightsModel":"DMP Entré access permissions / schedules exposed through REST.\n","multiTenancy":"Single DMP Entré instance per AE→DMP connector.\n"}},"employee-search-rest":{"id":"employee-search-rest","name":"Employee Search","vendor":"AlertEnterprise","vendorId":"ae","connectorPackage":"AE_HSc_EmployeeSearch_RestConnectorGuide","status":"active","description":"The AlertEnterprise connector integrates AlertEnterprise with **Employee Search** — a data-source system.\n\n**This record was auto-generated by `scripts/ingest/template-connector.ts` from the AE connector guide.** Structured fields (versions, transports, authentication, composition graph) are derived from deterministic recognition; the description, prerequisites, dataFields, knownLimitations, and kind-specific fields are placeholders to be filled in during the category authoring wave for data-source connectors.\n\nSource: `AE_HSc_EmployeeSearch_RestConnectorGuide.pdf` (page count: 26).\n","versions":[{"range":"supports Employee Search Rest version 8.4 and above.","status":"active"}],"transports":["rest"],"directions":["bidirectional"],"authentication":[{"kind":"oauth2-client-credentials","label":"client credentials","details":"Detected from connector guide (deterministic recognition). Refine prose and add citation page numbers per the AE-internal authoring conventions.\n"}],"endpoints":[],"dataFields":[],"rateLimits":[],"prerequisites":[],"knownLimitations":[],"relatedConnectors":[],"relatedConcepts":[],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-employee-search-rest-connector","name":"Alert AlertEnterprise Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE's AlertEnterprise-specific connector module."},{"id":"ae-system","name":"AlertEnterprise System","kind":"platform","vendor":"ae","trustZone":"customer-onprem","description":"The customer's AlertEnterprise system or tenant — authoritative source for the data this connector reads / writes.\n"}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Provisioning + reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-employee-search-rest-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-employee-search-rest-connector","to":"ae-system","label":"API calls (provisioning + reconciliation)","transport":"rest","carries":"Connector-specific data","direction":"bidirectional","trustCrossing":true}]},"citations":[{"source":"src/connectors/employee-search-rest/source.pdf","locator":"Connector guide — 26 pages"},{"source":"src/connectors/employee-search-rest/source.pdf","locator":"p3 — Chapter 1, Introduction................................................................................................................. 6"}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2026-04-28","sourceSha256":"05d9b79f0a69d38c7b8e08d2e9aa11ce2b9004f33bc573362db6a6380b525903","kind":"data-source","fields":{"protocol":"(see connector guide)"}},"epic":{"id":"epic","name":"EPIC EHR (HL7)","vendor":"EPIC","vendorId":"epic","connectorPackage":"AE_HSc_EPICIntegrationGuide","status":"active","description":"The EPIC integration links AlertEnterprise with **EPIC EHR systems** via **HL7 v2 messaging** — the standard interoperability protocol in US healthcare. The integration consumes patient + provider events from EPIC and surfaces them into AE for downstream identity, access, and visitor workflows. Common in healthcare-vertical deployments and at fin-services / mixed-use campuses where healthcare-affiliated facilities are part of the access-control envelope.\n\nArchitecturally distinctive vs. the standard AE connector pattern: this is an **HL7 message integration** with field-mapping driven by HL7 segment locators (e.g., `patientFirstName` ← `/PID-5-2`, `medicalRecordNumber` ← `/PID-3-1`) rather than a REST / SDK provisioning model. Configuration is HL7-field-mapping centric.\n","versions":[{"range":"HL7 v2 message-based integration with EPIC","status":"active","notes":"The integration is HL7 v2 protocol-based, not pinned to a specific EPIC\nrelease. EPIC versions through the current Production Major Release are\nassumed compatible at the HL7 v2 level.\n"}],"transports":["tcp"],"directions":["inbound"],"authentication":[{"kind":"anonymous","label":"HL7 MLLP (Minimum Lower Layer Protocol)","details":"HL7 v2 messages are typically delivered over MLLP — a TCP-based framing\nprotocol — between an EPIC interface engine and AE's HSC Application\nAgent. Authentication at the transport layer is typically network-zone\nbased (segregated VLAN, firewall ACL) rather than per-message credentials.\nTLS-MLLP is recommended where supported.\n","credentialStorage":"N/A (network-zone trust model)"}],"endpoints":[],"dataFields":[{"aeField":"patientFirstName","vendorField":"HL7 /PID-5-2","description":"Patient first name — extracted from the HL7 PID segment, field 5, component 2.","direction":"inbound","required":false,"citation":{"source":"src/connectors/epic/source.pdf","locator":"p5 — HL7 Field Mapping"}},{"aeField":"patientLastName","vendorField":"HL7 /PID-5-1","description":"Patient last name — PID segment, field 5, component 1.","direction":"inbound","required":false},{"aeField":"medicalRecordNumber","vendorField":"HL7 /PID-3-1","description":"MRN — PID segment, field 3, component 1. Primary identifier for downstream AE matching.","direction":"inbound","required":true},{"aeField":"controlSequenceNumber","vendorField":"HL7 /PID-18","description":"Account / control sequence number.","direction":"inbound","required":false},{"aeField":"alias","vendorField":"HL7 /PID-9-1","description":"Patient alias name.","direction":"inbound","required":false},{"aeField":"patientRoom","vendorField":"HL7 (location segment — per deployment mapping)","description":"Patient room / location — used for downstream visitor / access workflows.","direction":"inbound","required":false}],"rateLimits":[],"prerequisites":[{"title":"EPIC interface engine configured to send HL7 messages to AE","description":"Customer's EPIC deployment requires an outbound interface (typically\nconfigured in Bridges or via Cloverleaf) sending HL7 messages to AE's\nHSC Application Agent endpoint over MLLP / TLS-MLLP.\n","owner":"customer"},{"title":"HSC Application Agent Server configured to receive HL7","description":"AE's HSC Application Agent must be configured with the appropriate HL7\nlistener port + protocol (MLLP / TLS-MLLP) and field-mapping configuration.\n","owner":"ae","citation":{"source":"src/connectors/epic/source.pdf","locator":"p13 — HSC Application Agent Server Configurations"}},{"title":"HL7 field-mapping spec","description":"The customer-specific field mapping (which HL7 fields populate which AE\nattributes) must be agreed and configured before message exchange begins.\n","owner":"joint","citation":{"source":"src/connectors/epic/source.pdf","locator":"p5 — HL7 Field Mapping"}}],"knownLimitations":[{"title":"Inbound-only HL7 v2 today","description":"The integration is documented as inbound HL7 v2 consumption. Outbound HL7\n(AE → EPIC) and FHIR R4 are not in scope of the current guide.\n","severity":"informational"},{"title":"Patient data is PHI under HIPAA","description":"All inbound data is Protected Health Information under HIPAA. AE-side\nstorage, audit, and access-control configuration must satisfy the\ncustomer's HIPAA posture (BAA, encryption-at-rest, audit logging,\nminimum-necessary access).\n","severity":"critical"}],"relatedConnectors":[],"relatedConcepts":[],"composition":{"actors":[{"id":"epic-ehr","name":"EPIC EHR","kind":"platform","vendor":"epic","trustZone":"customer-onprem","description":"Customer's EPIC EHR system — the source of patient, provider, and\nencounter data.\n"},{"id":"epic-interface-engine","name":"EPIC Interface Engine (Bridges / Cloverleaf)","kind":"mediator","vendor":"epic","trustZone":"customer-onprem","description":"EPIC-side interface engine that formats and dispatches HL7 v2 messages\nto external systems.\n"},{"id":"ae-hsc-application-agent","name":"AE HSC Application Agent","kind":"service","vendor":"ae","trustZone":"customer-onprem","description":"AE's agent — typically deployed on-prem inside the customer's clinical\nnetwork zone — that receives HL7 messages over MLLP, parses them per\nconfigured field mapping, and forwards normalized data to Guardian.\n"}],"edges":[{"from":"epic-ehr","to":"epic-interface-engine","label":"EHR → interface engine","transport":"proprietary-api","direction":"outbound","trustCrossing":false,"notes":"Internal EPIC dispatch — outside AE's scope."},{"from":"epic-interface-engine","to":"ae-hsc-application-agent","label":"HL7 v2 messages over MLLP","transport":"tcp","carries":"HL7 PID / MSH / EVN / ADT segments","direction":"outbound","trustCrossing":true,"citation":{"source":"src/connectors/epic/source.pdf","locator":"p4 — Architecture"}},{"from":"ae-hsc-application-agent","to":"guardian-platform","label":"Normalized patient / encounter data","transport":"proprietary-api","carries":"Parsed HL7 → AE field mapping output","direction":"outbound","trustCrossing":true}]},"citations":[{"source":"src/connectors/epic/source.pdf","locator":"p5 — Chapter 2, HL7 Field Mapping","quote":"The field mappings are driven based on the location of the specific field in the HL7 message segment. For example: patientFirstName can be mapped as /PID-5-2"},{"source":"src/connectors/epic/source.pdf","locator":"p17 — Chapter 3, HL7 Message Codes"},{"source":"src/connectors/epic/source.pdf","locator":"p13 — HSC Application Agent Server Configurations"}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2025-03-06","sourceSha256":"7da8c24ec2d0d9e0d5a4b6c612532feb1fa479b52388d81a5e9911666532bb81","kind":"healthcare","fields":{"ehrSystem":"EPIC","standards":["HL7 v2","HL7 MLLP (Minimum Lower Layer Protocol)"],"phiHandling":"All inbound message content is PHI. AE's HSC Application Agent is the\nparsing boundary; downstream Guardian storage applies field-mapping\nminimization (only mapped fields are persisted). TLS-MLLP recommended\nbetween interface engine and the AE agent.\n","hipaaPosture":"Customer-driven — AE-side configuration supports HIPAA requirements\n(encrypted transport, restricted access, audit logging). Specific\nposture is documented in the customer's BAA and security review.\n"}},"everbridge":{"id":"everbridge","name":"Everbridge","vendor":"Everbridge","vendorId":"everbridge","connectorPackage":"AE_HSc_EverbridgeConnectorGuide","status":"active","description":"The Everbridge connector integrates AlertEnterprise with **Everbridge** — a notification system.\n\n**This record was auto-generated by `scripts/ingest/template-connector.ts` from the AE connector guide.** Structured fields (versions, transports, authentication, composition graph) are derived from deterministic recognition; the description, prerequisites, dataFields, knownLimitations, and kind-specific fields are placeholders to be filled in during the category authoring wave for notification connectors.\n\nSource: `AE_HSc_EverbridgeConnectorGuide.pdf` (page count: 17).\n","versions":[{"range":"connector supports Everbridge version 24.9.0","status":"active"}],"transports":["rest"],"directions":["outbound"],"authentication":[],"endpoints":[],"dataFields":[],"rateLimits":[],"prerequisites":[],"knownLimitations":[],"relatedConnectors":[],"relatedConcepts":[],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-everbridge-connector","name":"Alert Everbridge Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE's Everbridge-specific connector module."},{"id":"everbridge-system","name":"Everbridge System","kind":"platform","vendor":"everbridge","trustZone":"vendor-cloud","description":"The customer's Everbridge system or tenant — authoritative source for the data this connector reads / writes.\n"}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Provisioning + reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-everbridge-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-everbridge-connector","to":"everbridge-system","label":"API calls (provisioning + reconciliation)","transport":"rest","carries":"Connector-specific data","direction":"bidirectional","trustCrossing":true}]},"citations":[{"source":"src/connectors/everbridge/source.pdf","locator":"Connector guide — 17 pages"},{"source":"src/connectors/everbridge/source.pdf","locator":"p3 — Chapter 1, Introduction................................................................................................................. 5"}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2024-11-25","sourceSha256":"aad934e45e8f6e0abe9a216adac960463ad1ff92975642ee419b572f26f35fcc","kind":"notification","fields":{"channels":[],"massAlertScenarios":[]}},"exchange":{"id":"exchange","name":"Exchange","vendor":"Microsoft","vendorId":"microsoft","connectorPackage":"AE_HSc_ExchangeConnectorGuide","status":"active","description":"The Microsoft connector integrates AlertEnterprise with **Exchange Connector** — a data-source system.\n\n**This record was auto-generated by `scripts/ingest/template-connector.ts` from the AE connector guide.** Structured fields (versions, transports, authentication, composition graph) are derived from deterministic recognition; the description, prerequisites, dataFields, knownLimitations, and kind-specific fields are placeholders to be filled in during the category authoring wave for data-source connectors.\n\nSource: `AE_HSc_ExchangeConnectorGuide.pdf` (page count: 23).\n","versions":[{"range":"rectory>:\\alert-server-1.0_10.8.202.3710\\lib","status":"active"}],"transports":["rest"],"directions":["bidirectional"],"authentication":[{"kind":"basic","label":"Basic auth","details":"Detected from connector guide (deterministic recognition). Refine prose and add citation page numbers per the AE-internal authoring conventions.\n"}],"endpoints":[],"dataFields":[],"rateLimits":[],"prerequisites":[],"knownLimitations":[],"relatedConnectors":[],"relatedConcepts":[],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-exchange-connector","name":"Alert Microsoft Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE's Microsoft-specific connector module."},{"id":"microsoft-system","name":"Microsoft System","kind":"platform","vendor":"microsoft","trustZone":"customer-onprem","description":"The customer's Microsoft system or tenant — authoritative source for the data this connector reads / writes.\n"}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Provisioning + reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-exchange-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-exchange-connector","to":"microsoft-system","label":"API calls (provisioning + reconciliation)","transport":"rest","carries":"Connector-specific data","direction":"bidirectional","trustCrossing":true}]},"citations":[{"source":"src/connectors/exchange/source.pdf","locator":"Connector guide — 23 pages"},{"source":"src/connectors/exchange/source.pdf","locator":"p3 — Chapter 1, Introduction ...................................................................................................................................... 5"}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2023-04-11","sourceSha256":"9ad2f34287a55bc538a390e8f3ac777fcc298b32847ca28f54ac2e0d3118d818","kind":"data-source","fields":{"protocol":"(see connector guide)"}},"file":{"id":"file","name":"File","vendor":"Generic (File)","vendorId":"ae","connectorPackage":"AE_HSc_FileConnectorGuide","status":"active","description":"The Generic (File) connector integrates AlertEnterprise with **File Connector** — a data-source system.\n\n**This record was auto-generated by `scripts/ingest/template-connector.ts` from the AE connector guide.** Structured fields (versions, transports, authentication, composition graph) are derived from deterministic recognition; the description, prerequisites, dataFields, knownLimitations, and kind-specific fields are placeholders to be filled in during the category authoring wave for data-source connectors.\n\nSource: `AE_HSc_FileConnectorGuide.pdf` (page count: 22).\n","versions":[{"range":"rectory>:\\alert-server-1.0_10.8.202.3710\\lib","status":"active"}],"transports":["rest"],"directions":["bidirectional"],"authentication":[],"endpoints":[],"dataFields":[],"rateLimits":[],"prerequisites":[],"knownLimitations":[],"relatedConnectors":[],"relatedConcepts":[],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-file-connector","name":"Alert Generic (File) Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE's Generic (File)-specific connector module."},{"id":"ae-system","name":"Generic (File) System","kind":"platform","vendor":"ae","trustZone":"customer-onprem","description":"The customer's Generic (File) system or tenant — authoritative source for the data this connector reads / writes.\n"}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Provisioning + reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-file-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-file-connector","to":"ae-system","label":"API calls (provisioning + reconciliation)","transport":"rest","carries":"Connector-specific data","direction":"bidirectional","trustCrossing":true}]},"citations":[{"source":"src/connectors/file/source.pdf","locator":"Connector guide — 22 pages"},{"source":"src/connectors/file/source.pdf","locator":"p3 — Chapter 1, Introduction................................................................................................................. 6"}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2025-06-19","sourceSha256":"adf023c28ce5a261fc325d6d6d6fd59e9c65103fb89d2d1c0388f0fa121631c6","kind":"data-source","fields":{"protocol":"(see connector guide)"}},"flex-dna-rest":{"id":"flex-dna-rest","name":"Flex DNA OOA","vendor":"AlertEnterprise","vendorId":"ae","connectorPackage":"AE_HSc_FlexDNA_RestConnectorGuide","status":"active","description":"The AlertEnterprise connector integrates AlertEnterprise with **Flex DNA OOA** — a integration-platform system.\n\n**This record was auto-generated by `scripts/ingest/template-connector.ts` from the AE connector guide.** Structured fields (versions, transports, authentication, composition graph) are derived from deterministic recognition; the description, prerequisites, dataFields, knownLimitations, and kind-specific fields are placeholders to be filled in during the category authoring wave for integration-platform connectors.\n\nSource: `AE_HSc_FlexDNA_RestConnectorGuide.pdf` (page count: 61).\n","versions":[{"range":"(version not specified in connector guide — verify against current vendor docs)","status":"active"}],"transports":["rest"],"directions":["bidirectional"],"authentication":[{"kind":"oauth2-client-credentials","label":"client credentials","details":"Detected from connector guide (deterministic recognition). Refine prose and add citation page numbers per the AE-internal authoring conventions.\n"}],"endpoints":[],"dataFields":[],"rateLimits":[],"prerequisites":[],"knownLimitations":[],"relatedConnectors":[],"relatedConcepts":[],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-flex-dna-rest-connector","name":"Alert AlertEnterprise Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE's AlertEnterprise-specific connector module."},{"id":"ae-system","name":"AlertEnterprise System","kind":"platform","vendor":"ae","trustZone":"vendor-cloud","description":"The customer's AlertEnterprise system or tenant — authoritative source for the data this connector reads / writes.\n"}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Provisioning + reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-flex-dna-rest-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-flex-dna-rest-connector","to":"ae-system","label":"API calls (provisioning + reconciliation)","transport":"rest","carries":"Connector-specific data","direction":"bidirectional","trustCrossing":true}]},"citations":[{"source":"src/connectors/flex-dna-rest/source.pdf","locator":"Connector guide — 61 pages"},{"source":"src/connectors/flex-dna-rest/source.pdf","locator":"p3 — Chapter 1, Introduction................................................................................................................. 7"}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2026-04-07","sourceSha256":"5d1ec146d4840701a18172f38c09fad71a544b094bbf60666c8994021d649828","kind":"integration-platform","fields":{"mediationModel":"unknown","messageFormats":[]}},"genetec":{"id":"genetec","name":"Genetec Security Center","vendor":"Genetec","vendorId":"genetec","connectorPackage":"AE_HSc_GenetecConnectorGuide","status":"active","description":"$1d","versions":[{"range":"Genetec Security Center 5.7","status":"legacy"},{"range":"Genetec Security Center 5.8.0.0 – 5.8.1.0","status":"legacy"},{"range":"Genetec Security Center 5.9","status":"legacy"},{"range":"Genetec Security Center 5.10","status":"active"},{"range":"Genetec Security Center 5.11","status":"active"},{"range":"Genetec Security Center 5.12","status":"active"},{"range":"Genetec Security Center 5.13","status":"active"}],"transports":["rest","jdbc","sdk"],"directions":["bidirectional"],"authentication":[{"kind":"oauth2-client-credentials","label":"OAuth 2.0 via Apigee Gateway","details":"For cloud / managed deployments, AlertEnterprise authenticates to the Connector Agent\nthrough an Apigee gateway using OAuth 2.0 client credentials. The gateway URL pattern is\n`https://{env}.api.test.com/partner/genetec/security-center/v1`. Credentials are scoped\nper environment (beta / stage / prod).\n","credentialStorage":"AE connector configuration (encrypted at rest)","citation":{"source":"src/connectors/genetec/source.pdf","locator":"p28 — \"OAuth Framework Implementation for Genetec via Apigee Layer\"","quote":"OAuth Framework Implementation for Genetec via Apigee Layer"}},{"kind":"client-certificate","label":"Genetec SDK SSL certificate","details":"The Genetec SDK requires an SSL certificate to be exported from the SDK URL and imported\ninto the AE host's Java keystore (`cacerts`) using `keytool`. This is required for the\nConnector Agent to communicate with the Genetec Security Center over HTTPS.\n","credentialStorage":"Java keystore on AE host","citation":{"source":"src/connectors/genetec/source.pdf","locator":"p11 — Export SSL Certificate / Importing Certificate in Keystore"}}],"endpoints":[{"method":"POST","path":"/partner/genetec/security-center/v1","description":"Apigee-fronted gateway endpoint for cloud-routed Genetec connector operations.","category":"provisioning","direction":"outbound","authMethod":"oauth2-client-credentials","citation":{"source":"src/connectors/genetec/source.pdf","locator":"p28 — Apigee gateway URL pattern"}}],"dataFields":[{"aeField":"User","vendorField":"Cardholder","description":"Cardholder records in Genetec map to User entities in AE. The connector creates, updates, locks, unlocks, delimits, and deletes cardholders via the Genetec SDK.","direction":"bidirectional","required":true},{"aeField":"Credential","vendorField":"Badge / Credential","description":"Physical badge / credential records assigned to Cardholders. Connector adds, activates, and deactivates badges.","direction":"bidirectional","required":true},{"aeField":"Partition Membership","vendorField":"PartitionMembership","description":"Genetec uses Partitions to scope cardholder visibility; the connector reads PartitionMembership to enforce multi-tenant boundaries on reconciliation queries.","direction":"inbound","required":false},{"aeField":"Access Event","vendorField":"UserEvent (access granted / denied / alarm)","description":"Reconciliation pulls access events back into AE for audit and downstream policy decisions.","direction":"inbound","required":false}],"rateLimits":[],"prerequisites":[{"title":"Genetec SDK License","description":"A Genetec SDK License must be procured and applied to the Genetec Security Center deployment before the connector can drive it. Verify via Purchase Order entry in the Genetec admin UI.","owner":"customer","citation":{"source":"src/connectors/genetec/source.pdf","locator":"p10 — Procure Genetec SDK License / Update SDK License / Verify SDK License"}},{"title":"IIS Server 8.0+","description":"The Alert Genetec Connector Agent is an IIS-hosted .NET web service. IIS Server version 8.0 or above must be installed on the host before agent deployment.","owner":"customer","citation":{"source":"src/connectors/genetec/source.pdf","locator":"p12 — Installation Prerequisites"}},{"title":"Microsoft .NET Framework 4.0+","description":"The Connector Agent requires .NET Framework 4.0 or above on the IIS host.","owner":"customer","citation":{"source":"src/connectors/genetec/source.pdf","locator":"p12 — Installation Prerequisites"}},{"title":"Genetec SDK SSL certificate in Java keystore","description":"The SDK's SSL certificate must be exported from the Genetec SDK URL (Base-64 X.509 `.CER` format) and imported into the AE host's Java keystore using `keytool` before the connector can establish secure SDK communication.","owner":"ae","citation":{"source":"src/connectors/genetec/source.pdf","locator":"p11 — Export SSL Certificate / Importing Certificate in Keystore"}}],"knownLimitations":[{"title":"Custom card formats require per-deployment configuration","description":"Non-standard card formats (anything outside Genetec's default Wiegand templates) must be defined per-deployment via the Provisioning configuration. The connector does not auto-discover custom formats from the Genetec System.","severity":"informational","citation":{"source":"src/connectors/genetec/source.pdf","locator":"p40 — Chapter 6, Supporting Custom Card Formats"}}],"relatedConnectors":[],"relatedConcepts":["cardholder","badge-or-credential","access-level","piam","vim","card-format","reader","panel"],"composition":{"actors":[{"id":"genetec-connector-agent","name":"Alert Genetec Connector Agent","kind":"service","vendor":"ae","trustZone":"customer-onprem","description":"IIS-hosted .NET web service deployed on a customer-managed Windows\nServer. Mediates between Guardian and the on-prem Genetec Security\nCenter deployment via the Genetec SDK.\n"},{"id":"genetec-security-center","name":"Genetec Security Center","kind":"platform","vendor":"genetec","trustZone":"customer-onprem","description":"The customer's Genetec Security Center installation — the\nauthoritative source of cardholders, credentials, partitions,\nand access events.\n"},{"id":"apigee-gateway-genetec","name":"Apigee Gateway (Genetec)","kind":"gateway","vendor":"apigee","trustZone":"ae-cloud","description":"Optional OAuth-mediating API gateway for cloud-routed Genetec\ntraffic. Only present in deployments where Guardian sits in a\ndifferent trust zone from the Connector Agent.\n"}],"edges":[{"from":"guardian-platform","to":"apigee-gateway-genetec","label":"Provisioning + reconciliation requests","transport":"rest","auth":"oauth2-client-credentials","carries":"Cardholder / Credential / event-query","direction":"outbound","trustCrossing":true},{"from":"apigee-gateway-genetec","to":"genetec-connector-agent","label":"Authenticated forwarding","transport":"rest","auth":"oauth2-client-credentials","carries":"Provisioning + reconciliation requests","direction":"outbound","trustCrossing":true},{"from":"guardian-platform","to":"genetec-connector-agent","label":"Direct REST (bypasses Apigee)","transport":"rest","auth":"oauth2-client-credentials","carries":"Provisioning + reconciliation requests","direction":"outbound","trustCrossing":true,"notes":"Used when Guardian and the Connector Agent share a trust boundary\n(e.g. both inside the customer's network). Apigee path is preferred\nfor cross-zone traffic.\n"},{"from":"genetec-connector-agent","to":"genetec-security-center","label":"SDK calls (cardholder + credential ops)","transport":"sdk","auth":"client-certificate","carries":"Cardholder / Credential CRUD","direction":"outbound","trustCrossing":false},{"from":"genetec-connector-agent","to":"genetec-security-center","label":"Database reconciliation queries","transport":"jdbc","carries":"PartitionMembership / event reconciliation","direction":"inbound","trustCrossing":false,"notes":"SQL queries against the Genetec database for partition-scoped\ncardholder and event reconciliation.\n"},{"from":"genetec-security-center","to":"genetec-connector-agent","label":"Access events (granted / denied / alarm)","transport":"sdk","auth":"client-certificate","carries":"UserEvent","direction":"inbound","trustCrossing":false}]},"citations":[{"source":"src/connectors/genetec/source.pdf","locator":"p7 — Chapter 1, Supported Version","quote":"The Genetec Connector supports Genetec Security Center versions 5.7, 5.8.0.0, 5.8.1.0, 5.9, 5.10, 5.11, 5.12 and 5.13"},{"source":"src/connectors/genetec/source.pdf","locator":"p7 — Provisioning Capabilities","quote":"Create User Account, Update User Account, Lock Account, Unlock Account, Delimit Account, Delete User accounts, Add Badge, Activate Badge, Deactivate Badge"},{"source":"src/connectors/genetec/source.pdf","locator":"p9 — Connector Architecture"},{"source":"src/connectors/genetec/source.pdf","locator":"p28 — OAuth Framework Implementation for Genetec via Apigee Layer"}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2026-02-11","sourceSha256":"0329865ec32a5f30586c1c3a1485c33ac0d79003325f1b3ddcb95f265cb8d4b8","kind":"pacs","fields":{"readerProtocols":[],"cardFormats":["Wiegand (Genetec defaults)","Custom Card Formats (per-deployment configuration; see prerequisites)"],"topology":"hybrid","eventModel":"both","pollInterval":"configurable per deployment","eventTypes":["access granted","access denied","alarm","cardholder lifecycle event"],"antiPassback":"unknown","holidaySchedules":"unknown","cardholderModel":"Cardholder is the principal entity. Each Cardholder has zero or more Credentials (badges).\nCardholders are scoped by Partition; PartitionMembership controls multi-tenant visibility.\n","accessRightsModel":"Access rights are assigned to Cardholders via Genetec's native access control model\n(Access Levels + Schedules). The connector reads and writes these but does not redefine the model.\n","multiTenancy":"Partition-based — Genetec's native Partition model is the multi-tenant boundary. AE\nprovisioning operations honor Partition scope via PartitionMembership queries.\n"}},"giam-rest":{"id":"giam-rest","name":"GIAM","vendor":"AlertEnterprise","vendorId":"ae","connectorPackage":"AE_HSc_GIAM_RestConnectorGuide","status":"active","description":"The AlertEnterprise connector integrates AlertEnterprise with **GIAM Rest** — a data-source system.\n\n**This record was auto-generated by `scripts/ingest/template-connector.ts` from the AE connector guide.** Structured fields (versions, transports, authentication, composition graph) are derived from deterministic recognition; the description, prerequisites, dataFields, knownLimitations, and kind-specific fields are placeholders to be filled in during the category authoring wave for data-source connectors.\n\nSource: `AE_HSc_GIAM_RestConnectorGuide.pdf` (page count: 32).\n","versions":[{"range":"(version not specified in connector guide — verify against current vendor docs)","status":"active"}],"transports":["rest"],"directions":["bidirectional"],"authentication":[],"endpoints":[],"dataFields":[],"rateLimits":[],"prerequisites":[],"knownLimitations":[],"relatedConnectors":[],"relatedConcepts":[],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-giam-rest-connector","name":"Alert AlertEnterprise Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE's AlertEnterprise-specific connector module."},{"id":"ae-system","name":"AlertEnterprise System","kind":"platform","vendor":"ae","trustZone":"customer-onprem","description":"The customer's AlertEnterprise system or tenant — authoritative source for the data this connector reads / writes.\n"}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Provisioning + reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-giam-rest-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-giam-rest-connector","to":"ae-system","label":"API calls (provisioning + reconciliation)","transport":"rest","carries":"Connector-specific data","direction":"bidirectional","trustCrossing":true}]},"citations":[{"source":"src/connectors/giam-rest/source.pdf","locator":"Connector guide — 32 pages"},{"source":"src/connectors/giam-rest/source.pdf","locator":"p3 — Chapter 1, Introduction................................................................................................................. 6"}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2025-12-12","sourceSha256":"b59d422a4f5e6b996b2b77d02de946988e1e1d41fc0b4f39c9c15f2644929be4","kind":"data-source","fields":{"protocol":"(see connector guide)"}},"hid-fargo":{"id":"hid-fargo","name":"HID Fargo","vendor":"HID Global","vendorId":"hid","connectorPackage":"AE_HSc_HIDFargoConnectorGuide","status":"active","description":"The HID Global connector integrates AlertEnterprise with **HID Fargo** — a credential-provider system.\n\n**This record was auto-generated by `scripts/ingest/template-connector.ts` from the AE connector guide.** Structured fields (versions, transports, authentication, composition graph) are derived from deterministic recognition; the description, prerequisites, dataFields, knownLimitations, and kind-specific fields are placeholders to be filled in during the category authoring wave for credential-provider connectors.\n\nSource: `AE_HSc_HIDFargoConnectorGuide.pdf` (page count: 12).\n","versions":[{"range":"(version not specified in connector guide — verify against current vendor docs)","status":"active"}],"transports":["rest"],"directions":["bidirectional"],"authentication":[{"kind":"api-key","label":"API key","details":"Detected from connector guide (deterministic recognition). Refine prose and add citation page numbers per the AE-internal authoring conventions.\n"}],"endpoints":[],"dataFields":[],"rateLimits":[],"prerequisites":[],"knownLimitations":[],"relatedConnectors":[],"relatedConcepts":[],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-hid-fargo-connector","name":"Alert HID Global Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE's HID Global-specific connector module."},{"id":"hid-system","name":"HID Global System","kind":"platform","vendor":"hid","trustZone":"vendor-cloud","description":"The customer's HID Global system or tenant — authoritative source for the data this connector reads / writes.\n"}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Provisioning + reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-hid-fargo-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-hid-fargo-connector","to":"hid-system","label":"API calls (provisioning + reconciliation)","transport":"rest","carries":"Connector-specific data","direction":"bidirectional","trustCrossing":true}]},"citations":[{"source":"src/connectors/hid-fargo/source.pdf","locator":"Connector guide — 12 pages"},{"source":"src/connectors/hid-fargo/source.pdf","locator":"p3 — Chapter 1, Introduction................................................................................................................. 5"}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2025-02-07","sourceSha256":"d0222b8e8f263b47df49ac7a25b3d2adf051bfd20c8dd0bbf49445034fcb78b0","kind":"credential-provider","fields":{"wallets":[],"lifecycleStates":[]}},"hid-mobile-credential":{"id":"hid-mobile-credential","name":"HID Mobile","vendor":"HID Global","vendorId":"hid","connectorPackage":"AE_HSc_HIDMobileCredentialConnectorGuide","status":"active","description":"The HID Global connector integrates AlertEnterprise with **HID Mobile** — a credential-provider system.\n\n**This record was auto-generated by `scripts/ingest/template-connector.ts` from the AE connector guide.** Structured fields (versions, transports, authentication, composition graph) are derived from deterministic recognition; the description, prerequisites, dataFields, knownLimitations, and kind-specific fields are placeholders to be filled in during the category authoring wave for credential-provider connectors.\n\nSource: `AE_HSc_HIDMobileCredentialConnectorGuide.pdf` (page count: 22).\n","versions":[{"range":"ith the HID Mobile Access API v3.0","status":"active"}],"transports":["rest"],"directions":["bidirectional"],"authentication":[],"endpoints":[],"dataFields":[],"rateLimits":[],"prerequisites":[],"knownLimitations":[],"relatedConnectors":[],"relatedConcepts":[],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-hid-mobile-credential-connector","name":"Alert HID Global Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE's HID Global-specific connector module."},{"id":"hid-system","name":"HID Global System","kind":"platform","vendor":"hid","trustZone":"vendor-cloud","description":"The customer's HID Global system or tenant — authoritative source for the data this connector reads / writes.\n"}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Provisioning + reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-hid-mobile-credential-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-hid-mobile-credential-connector","to":"hid-system","label":"API calls (provisioning + reconciliation)","transport":"rest","carries":"Connector-specific data","direction":"bidirectional","trustCrossing":true}]},"citations":[{"source":"src/connectors/hid-mobile-credential/source.pdf","locator":"Connector guide — 22 pages"},{"source":"src/connectors/hid-mobile-credential/source.pdf","locator":"p3 — Chapter 1, Introduction................................................................................................................. 6"}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2025-12-18","sourceSha256":"1e68eb4bb383ca9a38d114ab263a056943acadba241ea7b2acf6af1b8908d5ca","kind":"credential-provider","fields":{"wallets":[],"lifecycleStates":[]}},"hid-nfc-wallet-credential":{"id":"hid-nfc-wallet-credential","name":"HID Wallet","vendor":"HID Global","vendorId":"hid","connectorPackage":"AE_HSc_HIDNFCWalletCredentialConnectorGuide","status":"active","description":"The HID Global connector integrates AlertEnterprise with **HID Wallet** — a credential-provider system.\n\n**This record was auto-generated by `scripts/ingest/template-connector.ts` from the AE connector guide.** Structured fields (versions, transports, authentication, composition graph) are derived from deterministic recognition; the description, prerequisites, dataFields, knownLimitations, and kind-specific fields are placeholders to be filled in during the category authoring wave for credential-provider connectors.\n\nSource: `AE_HSc_HIDNFCWalletCredentialConnectorGuide.pdf` (page count: 19).\n","versions":[{"range":"HID Credential Management API v3.2.x","status":"active"}],"transports":["rest"],"directions":["bidirectional"],"authentication":[{"kind":"oauth2-client-credentials","label":"client credentials","details":"Detected from connector guide (deterministic recognition). Refine prose and add citation page numbers per the AE-internal authoring conventions.\n"}],"endpoints":[],"dataFields":[],"rateLimits":[],"prerequisites":[],"knownLimitations":[],"relatedConnectors":[],"relatedConcepts":[],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-hid-nfc-wallet-credential-connector","name":"Alert HID Global Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE's HID Global-specific connector module."},{"id":"hid-system","name":"HID Global System","kind":"platform","vendor":"hid","trustZone":"vendor-cloud","description":"The customer's HID Global system or tenant — authoritative source for the data this connector reads / writes.\n"}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Provisioning + reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-hid-nfc-wallet-credential-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-hid-nfc-wallet-credential-connector","to":"hid-system","label":"API calls (provisioning + reconciliation)","transport":"rest","carries":"Connector-specific data","direction":"bidirectional","trustCrossing":true}]},"citations":[{"source":"src/connectors/hid-nfc-wallet-credential/source.pdf","locator":"Connector guide — 19 pages"},{"source":"src/connectors/hid-nfc-wallet-credential/source.pdf","locator":"p3 — Chapter 1, Introduction................................................................................................................. 6"}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2025-12-18","sourceSha256":"c319e668bbf94b9bcf0abd1135fb66dde61c27e1b3e4103918d42785aefc67d2","kind":"credential-provider","fields":{"wallets":[],"lifecycleStates":[]}},"honeywell-pro-watch-dtu":{"id":"honeywell-pro-watch-dtu","name":"Honeywell Pro-Watch DTU (SOAP)","vendor":"Honeywell","vendorId":"honeywell","connectorPackage":"AE_HSc_HoneywellProWatchDTUConnectorGuide","status":"active","description":"$1e","versions":[{"range":"Honeywell Pro-Watch 4.2, 4.5, 5.5, 6.0, 6.5","status":"active","notes":"For Pro-Watch 4.1, see [[honeywell-prowatch]] (HSDK + JDBC hybrid). For Pro-Watch 6.x with a preference for REST over SOAP, see [[pro-watch-dtu-rest]] — same Pro-Watch versions but a different integration API.\n"}],"transports":["soap"],"directions":["bidirectional"],"authentication":[{"kind":"basic","label":"DTU API credentials","details":"Authentication to the Pro-Watch DTU API uses a username + password configured in AE connector System Parameters. Credentials are sent in WSSE-style SOAP headers over HTTPS.\n","credentialStorage":"Encrypted in AE connector configuration."}],"endpoints":[],"dataFields":[],"rateLimits":[],"prerequisites":[{"title":"Pro-Watch DTU API enabled","description":"The Pro-Watch DTU (Data Transfer Utility) API must be enabled on the Pro-Watch server and reachable from the AE application server over HTTPS.\n","owner":"customer","citation":{"source":"src/connectors/honeywell-pro-watch-dtu/source.pdf","locator":"p7 — Connector Architecture","quote":"The connector architecture consists of AlertEnterprise, AlertPro-Watch DTU Connector, Prowatch DTU API, and Pro-Watch system."}},{"title":"Pro-Watch operator account with API privileges","description":"A dedicated Pro-Watch operator account with sufficient privileges for the integration's required operations. The connector guide's \"Minimum Permissions for Provisioning and Reconciliation Operations\" section enumerates the minimum privilege grant set.\n","owner":"customer","citation":{"source":"src/connectors/honeywell-pro-watch-dtu/source.pdf","locator":"p25 — Chapter 5 Minimum Permissions"}},{"title":"SSL certificate trust","description":"The Pro-Watch DTU API's SSL certificate must be imported into the AE host's JVM cacerts keystore. Without it, the SOAP client fails with `javax.net.ssl.SSLHandshakeException`.\n","owner":"ae"}],"knownLimitations":[{"title":"Roles assigned at badge level (not user level)","description":"Same constraint as [[honeywell-prowatch]] — Pro-Watch assigns access levels to badges, not directly to users. Multi-badge cardholders may have different role sets per badge.\n","severity":"important","citation":{"source":"src/connectors/honeywell-pro-watch-dtu/source.pdf","locator":"p5 — Important note","quote":"In Pro-Watch, Roles are assigned at Badge Level"}}],"relatedConnectors":["honeywell-prowatch","pro-watch-dtu-rest"],"relatedConcepts":["cardholder","badge-or-credential","access-level","reader"],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-prowatch-dtu-connector","name":"Alert Pro-Watch DTU Connector (SOAP)","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE's DTU SOAP-based Pro-Watch connector module."},{"id":"prowatch-dtu-api","name":"Pro-Watch DTU API (SOAP)","kind":"gateway","vendor":"honeywell","trustZone":"customer-onprem","description":"Honeywell's Data Transfer Utility SOAP API surface for Pro-Watch. Exposed on the Pro-Watch server itself."},{"id":"prowatch-server","name":"Honeywell Pro-Watch Server","kind":"platform","vendor":"honeywell","trustZone":"customer-onprem","description":"Pro-Watch PACS application server — manages cardholders, badges, clearances (access levels), and door controllers."}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Provisioning + reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-prowatch-dtu-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-prowatch-dtu-connector","to":"prowatch-dtu-api","label":"SOAP over HTTPS","transport":"soap","auth":"basic","carries":"User / badge / role provisioning + reconciliation","direction":"bidirectional","trustCrossing":true},{"from":"prowatch-dtu-api","to":"prowatch-server","label":"Internal DTU → Pro-Watch","transport":"proprietary-api","direction":"bidirectional","trustCrossing":false}]},"citations":[{"source":"src/connectors/honeywell-pro-watch-dtu/source.pdf","locator":"Full connector guide — 29 pages, updated 2025-05-23"},{"source":"src/connectors/honeywell-pro-watch-dtu/source.pdf","locator":"p5 — Supported Version","quote":"The Honeywell Pro-Watch DTU connector supports Honeywell Pro-Watch version 4.2, 4.5, 5.5, 6.0, and 6.5."}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2025-05-23","sourceSha256":"2610feffa9e21c78be6bfa70140bd402da5a98bea3cb7d75f1b951170236d919","kind":"pacs","fields":{"readerProtocols":[],"cardFormats":[],"topology":"on-prem","eventModel":"polling","pollInterval":"AE-side schedule per customer.","eventTypes":[],"antiPassback":"unknown","holidaySchedules":"unknown","cardholderModel":"Pro-Watch cardholder model identical to [[honeywell-prowatch]] — see that record for the BADGE_ALL / BADGE_CARD_ALL schema. The DTU API exposes the same data through SOAP operations.\n","accessRightsModel":"Same as [[honeywell-prowatch]]: access assigned at badge level via permanent / timed / temporary clearance tables; CLEAR table holds master clearance definitions.\n","multiTenancy":"Single Pro-Watch instance per AE→Pro-Watch DTU connector.\n"}},"honeywell-prowatch":{"id":"honeywell-prowatch","name":"Honeywell Pro-Watch (HSDK)","vendor":"Honeywell","vendorId":"honeywell","connectorPackage":"AE_HSc_HoneywellProwatchConnectorGuide","status":"active","description":"$1f","versions":[{"range":"Honeywell Pro-Watch 4.1, 4.2","connectorVersion":"ALNTProWatchConnector-5.0","status":"active","notes":"For Pro-Watch 4.5 and above, see [[honeywell-pro-watch-dtu]] (DTU SOAP). For Pro-Watch 6.x with REST API, see [[pro-watch-dtu-rest]].\n"}],"transports":["sdk","jdbc"],"directions":["bidirectional"],"authentication":[{"kind":"basic","label":"HSDK server credentials","details":"Authentication to the Honeywell HSDK server uses a username + password configured as `UserId` and `Password` system parameters. The connector also requires the HSDK server `Host` (IP), `Port`, and `URI` (e.g., `HSDKPNLApplicationModule`).\n","credentialStorage":"Encrypted in AE connector configuration.","citation":{"source":"src/connectors/honeywell-prowatch/source.pdf","locator":"p12 — System Parameters","quote":"Host: Specify IP address of the HSDK server. / Port: Specify port number of the HSDK server. / URI: Specify URI of the HSDK application module. For example, HSDKPNLApplicationModule. / UserId: Specify user Id used to authenticate with HSDK server. / Password: Specify password used to authenticate with HSDK server."}},{"kind":"basic","label":"Pro-Watch SQL Server (JDBC via JNDI)","details":"Reconciliation operations execute SQL queries directly against the Pro-Watch SQL Server backend, accessed through a JNDI-bound DataSource configured in the AE application server. The `Jndi Name` system parameter identifies the bound DataSource.\n","credentialStorage":"Managed by the AE application server's JNDI binding.","citation":{"source":"src/connectors/honeywell-prowatch/source.pdf","locator":"p13 — Jndi Name parameter"}}],"endpoints":[],"dataFields":[{"aeField":"userId","vendorField":"UserId","description":"Hex-encoded Pro-Watch user ID — queries use `(`0x`+CONVERT(varchar(max),A.ID,2))` to expose the GUID-like internal ID as a hex string.","direction":"bidirectional","required":true},{"aeField":"firstName","vendorField":"FNAME","direction":"bidirectional","required":false},{"aeField":"lastName","vendorField":"LNAME","direction":"bidirectional","required":false},{"aeField":"middleName","vendorField":"MI","direction":"bidirectional","required":false},{"aeField":"badgeId / cardnumber","vendorField":"CARDNO","description":"Pro-Watch card number. Bound to the `Prowatch BadgeId Attribute Name = cardnumber` system parameter.","direction":"bidirectional","required":true},{"aeField":"PIN","vendorField":"PINCODE","direction":"outbound","required":false},{"aeField":"validFrom","vendorField":"ISSUE_DATE / Activation_Time","direction":"bidirectional","required":false},{"aeField":"validTo","vendorField":"EXPIRE_DATE / Expiry_Time","direction":"bidirectional","required":false},{"aeField":"assetStatus","vendorField":"Credential_Status (CARDSTATUS_DESCRP)","direction":"bidirectional","required":false},{"aeField":"BADGE_STATUS","vendorField":"BADGE_STATUS (joined to BADGE_STATUS table for STAT code)","description":"`A` is treated as Active when the column is null.","direction":"inbound","required":false},{"aeField":"BADGE_TYPE","vendorField":"BADGE_TYPE (joined to BADGE_TYP for DESCRP)","direction":"inbound","required":false},{"aeField":"roleType (Permanent / Timed / Temporary)","vendorField":"ROLE_TYPE","description":"Pro-Watch supports three role validity types — Permanent (no expiry), Timed (range-bound by EXPIRE/TEMPACCESS flags), and Temporary (range-bound by TEMPACCESS_START_TIME / TEMPACCESS_END_TIME).\n","direction":"bidirectional","required":false},{"aeField":"text","vendorField":"ROLE_NAME (BADGE_CLEARANCE.DESCRP)","direction":"bidirectional","required":false},{"aeField":"companyname","vendorField":"Company","direction":"bidirectional","required":false},{"aeField":"BADGE_IMAGE","vendorField":"BLOBS.BLOB","description":"Cardholder image stored as SQL BLOB, joined from the BLOBS table on user ID.","direction":"inbound","required":false},{"aeField":"validity","vendorField":"BADGE_BIRTHDATE / BADGE_EMPLOYER / BADGE_SUPERVISOR / BADGE_HAIRCOLOR / BADGE_EYECOLOR / BADGE_AGE / BADGE_HEIGHT / BADGE_WEIGHT / BADGE_SSN / BADGE_TITLE / BADGE_DEPARTMENT / BADGE_BUILDING / BADGE_FLOOR / BADGE_HOMEPHONE / BADGE_OFFICEPHONE / BADGE_ADDRESS1 / BADGE_ADDRESS2 / BADGE_CITY / BADGE_STATE / BADGE_ZIP / BADGE_COUNTRY","description":"Pro-Watch exposes a wide cardholder-profile column set on `BADGE_ALL`. The connector reads all of these during reconciliation; mapping to AE-side attributes is site-configured.\n","direction":"inbound","required":false}],"rateLimits":[],"prerequisites":[{"title":"HSDK server deployed and reachable","description":"A Honeywell HSDK server (the SDK's web service host) must be deployed and reachable from the AE application server. The HSDK application module name (e.g., `HSDKPNLApplicationModule`) must be known and configured.\n","owner":"customer"},{"title":"Read access to Pro-Watch SQL Server via JNDI DataSource","description":"The AE application server must have a JNDI DataSource bound to the Pro-Watch SQL Server database, with read access to the cardholder, badge, and clearance tables (`BADGE_ALL`, `BADGE_CARD_ALL`, `BADGE_CLEARANCE`, `BADGE_TIME_CLEARANCE`, `BADGE_TEMPORARY_CLEARANCE`, `CLEAR`, `BLOBS`, `BADGE_TYP`, `BADGE_STATUS`, `HSDK_CHANGELIST`).\n","owner":"customer","citation":{"source":"src/connectors/honeywell-prowatch/source.pdf","locator":"p13 — Jndi Name + queries"}},{"title":"HSDK_CHANGELIST table populated for incremental reconciliation","description":"Incremental user reconciliation queries `HSDK_CHANGELIST` filtered by `BACNET_TYPE='ACCESSUSER'` and `LAST_MODIFIED_TIME >= $LAST_RUN_DATE`. The Pro-Watch system must be configured to populate this change-log table for incremental sync to work; full reconciliation works without it.\n","owner":"customer"},{"title":"Lock / Unlock action mapping defined","description":"Operators must specify `Lock Action` (e.g., `INACTIVE`) and `Unlock Action` (e.g., `ACTIVE`) system parameters — these define which badge status values the connector sets when locking or unlocking a user.\n","owner":"ae"}],"knownLimitations":[{"title":"Roles assigned at badge level (not user level)","description":"Unlike most PACS, Pro-Watch assigns access levels to **badges**, not to users directly. Multi-badge cardholders may have different role sets per badge. Implementations that assume user-level role assignment must accommodate this — typically by enforcing one-active-badge-per-user or mapping AE-side role grants to the cardholder's \"primary\" badge.\n","severity":"important","citation":{"source":"src/connectors/honeywell-prowatch/source.pdf","locator":"p? — Important note in the DTU guide; pattern applies to HSDK connector identically","quote":"In Pro-Watch, Roles are assigned at Badge Level"}}],"relatedConnectors":["honeywell-pro-watch-dtu","pro-watch-dtu-rest"],"relatedConcepts":["cardholder","badge-or-credential","access-level","reader"],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-prowatch-connector","name":"Alert Pro-Watch Connector (HSDK)","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE's HSDK-based Pro-Watch connector module (ALNTProWatchConnector)."},{"id":"honeywell-hsdk-server","name":"Honeywell HSDK Server","kind":"gateway","vendor":"honeywell","trustZone":"customer-onprem","description":"Honeywell Software Development Kit server hosting the Pro-Watch application modules (e.g., HSDKPNLApplicationModule). Receives provisioning + command operations from the connector."},{"id":"prowatch-server","name":"Honeywell Pro-Watch Server","kind":"platform","vendor":"honeywell","trustZone":"customer-onprem","description":"Pro-Watch PACS application server — manages cardholders, badges, clearances (access levels), and door controllers."},{"id":"prowatch-database","name":"Pro-Watch SQL Server Database","kind":"platform","vendor":"honeywell","trustZone":"customer-onprem","description":"Pro-Watch's SQL Server backend (`BADGE_ALL`, `BADGE_CARD_ALL`, `BADGE_CLEARANCE`, and the rest). Read by AE via JNDI for reconciliation."}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Provisioning + reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-prowatch-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-prowatch-connector","to":"honeywell-hsdk-server","label":"HSDK provisioning + commands","transport":"sdk","auth":"basic","carries":"User / badge / role provisioning + lock/unlock commands","direction":"bidirectional","trustCrossing":true},{"from":"honeywell-hsdk-server","to":"prowatch-server","label":"HSDK → Pro-Watch internal","transport":"proprietary-api","direction":"bidirectional","trustCrossing":false},{"from":"alert-prowatch-connector","to":"prowatch-database","label":"Reconciliation (read-only JDBC via JNDI)","transport":"jdbc","auth":"basic","carries":"SELECT against BADGE_ALL / BADGE_CARD_ALL / BADGE_CLEARANCE / HSDK_CHANGELIST / etc.","direction":"inbound","trustCrossing":true},{"from":"prowatch-server","to":"prowatch-database","label":"Persists cardholders + badges + clearances","transport":"jdbc","direction":"outbound","trustCrossing":false}]},"citations":[{"source":"src/connectors/honeywell-prowatch/source.pdf","locator":"Full connector guide — 25 pages, updated 2023-04-11"},{"source":"src/connectors/honeywell-prowatch/source.pdf","locator":"p5 — Supported Version","quote":"The Honeywell Pro-Watch connector supports Honeywell Pro-Watch version 4.1, 4.2."},{"source":"src/connectors/honeywell-prowatch/source.pdf","locator":"p7 — Connector Architecture","quote":"The connector architecture consists of AlertEnterprise, Honeywell Pro-Watch Adapter, Honeywell HSDK, and Honeywell Pro-Watch system."}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2023-04-11","sourceSha256":"70b109995cd9941760839d3f3045491e5fd520aa3c38897b33afd68db0cb94be","kind":"pacs","fields":{"readerProtocols":[],"cardFormats":[],"topology":"on-prem","eventModel":"polling","pollInterval":"AE-side schedule per customer.","eventTypes":[],"antiPassback":"unknown","holidaySchedules":"unknown","cardholderModel":"Pro-Watch models a cardholder as a `BADGE_ALL` row keyed by an internal binary ID (exposed as hex `'0x'+CONVERT(varchar(max),A.ID,2)`). Each cardholder can have one or more cards in `BADGE_CARD_ALL` (CARDNO, PINCODE, ISSUE_DATE, EXPIRE_DATE, CARDSTATUS_DESCRP). Photo data is in `BLOBS.BLOB`. The cardholder profile is unusually rich (employer, supervisor, hair color, eye color, height, weight, SSN, address) — reflecting Pro-Watch's industrial / government-adjacent heritage.\n","accessRightsModel":"**Pro-Watch assigns access at badge level, not user level.** Access is granted by inserting rows into `BADGE_CLEARANCE` (permanent), `BADGE_TIME_CLEARANCE` (timed), or `BADGE_TEMPORARY_CLEARANCE` (temporary) — joined on `CARDNO`. The `CLEAR` table holds the master clearance definitions. Each clearance has an `EXPIRE` flag and a `TEMPACCESS` flag that derive the role-type discriminator.\n","multiTenancy":"Single Pro-Watch instance is typically a single tenant. Multi-instance federation requires one connector per Pro-Watch server.\n"}},"hrds-rest":{"id":"hrds-rest","name":"HRDS (Human Resource Data Service)","vendor":"AlertEnterprise","vendorId":"ae","connectorPackage":"AE_HSc_HRDS_RestConnectorGuide","status":"active","description":"The HRDS connector integrates AlertEnterprise Guardian with **HRDS (Human Resource Data Service)** — an AlertEnterprise-developed HR data normalization API that fronts multiple upstream HR systems (Workday, SAP, PeopleSoft) behind a single REST interface. HRDS is AE's answer to the \"every customer has a different HR system\" problem — it presents a normalized HR data model to Guardian regardless of the underlying source.\n\nArchitecture: **AE Guardian → ACF (REST Connector Framework) → HRDS Connector → HRDS REST APIs (Common Core OData / Common Core Delta / HR API / OData V2 DELETE) → HRDS System**. The four API families correspond to: full-load reconciliation (Common Core OData), incremental reconciliation (Common Core Delta), HR record CRUD (HR API), and termination operations (OData V2 DELETE).\n\nThe 88-page connector guide reflects the breadth of operations and field mappings this connector supports — it's the most heavily documented HR connector in the AE catalog.\n","versions":[{"range":"HRDS — multiple API families (Common Core OData, Common Core Delta, HR API, OData V2 DELETE)","status":"active"}],"transports":["rest"],"directions":["bidirectional"],"authentication":[{"kind":"oauth2-client-credentials","label":"HRDS OAuth 2.0 client credentials","details":"OAuth 2.0 client credentials grant — client_id + client_secret configured in AE connector System Parameters.\n","credentialStorage":"Encrypted in AE connector configuration."}],"endpoints":[],"dataFields":[],"rateLimits":[],"prerequisites":[{"title":"HRDS deployment with OAuth 2.0 credentials","description":"An operational HRDS deployment with OAuth 2.0 client credentials provisioned for the AE integration.\n","owner":"customer"}],"knownLimitations":[],"relatedConnectors":["rhds-rest","workday-rest","sap-hr"],"relatedConcepts":["lifecycle-events","system-of-record"],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (REST)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-hrds-connector","name":"Alert HRDS Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"hrds-rest-api","name":"HRDS REST APIs (4 API families)","kind":"gateway","vendor":"ae","trustZone":"customer-cloud","description":"HRDS Common Core OData + Common Core Delta + HR API + OData V2 DELETE"},{"id":"hrds-system","name":"HRDS Backend (normalization layer over Workday / SAP / PeopleSoft)","kind":"platform","vendor":"ae","trustZone":"customer-cloud"}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-hrds-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-hrds-connector","to":"hrds-rest-api","label":"HRDS REST + OAuth bearer","transport":"rest","auth":"oauth2-client-credentials","carries":"HR records (normalized across upstream sources)","direction":"bidirectional","trustCrossing":true},{"from":"hrds-rest-api","to":"hrds-system","label":"Internal normalization layer","transport":"proprietary-api","direction":"bidirectional","trustCrossing":false}]},"citations":[{"source":"src/connectors/hrds-rest/source.pdf","locator":"Full connector guide — 88 pages, updated 2025-10-30"}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2025-10-30","sourceSha256":"42d50587c112c1d79e6d99887cb809e6eb1be51501a796680385d32b03bea6af","kind":"hr","fields":{"syncMode":["full-load","delta"],"scheduledSync":"configurable","direction":"inbound","lifecycleEvents":["hire","rehire","transfer","promotion","demotion","leave","return-from-leave","termination","title-change","manager-change","location-change"],"contingentWorkerSupport":true,"fieldMappingNotes":"HRDS exposes a normalized HR data model. Specific upstream source (Workday vs SAP vs PeopleSoft) determines which fields are populated.\n"}},"kantech":{"id":"kantech","name":"Kantech EntraPass","vendor":"Kantech (Johnson Controls / Tyco)","vendorId":"kantech","connectorPackage":"AE_HSc_KantechConnectorGuide","status":"active","description":"The Kantech connector integrates AlertEnterprise Guardian with **Kantech EntraPass** — Kantech's commercial-mid PACS, now part of Johnson Controls / Tyco's broader access portfolio. Kantech is widely deployed in commercial real estate, education, and mid-tier enterprise where C·CURE 9000 is overkill but a feature-rich PACS is required.\n\nArchitecture: **AE → ACF → Kantech Connector → Kantech SDK Web Service (REST) → Kantech Server**. The Web Service is part of the Kantech SDK and must be deployed by the customer — same pattern as [[si-pass]] and [[angus]].\n","versions":[{"range":"Kantech EntraPass V7.2.23 and above","status":"active"}],"transports":["rest"],"directions":["bidirectional"],"authentication":[{"kind":"basic","label":"Kantech SDK Web Service credentials over SSL","details":"Basic auth credentials configured in AE connector. SSL/TLS required between AE and the Kantech Web Service.\n","credentialStorage":"Encrypted in AE connector configuration."}],"endpoints":[],"dataFields":[],"rateLimits":[],"prerequisites":[{"title":"Kantech SDK Web Service deployed","description":"The Kantech SDK Web Service must be deployed and reachable from the AE application server. The Web Service is bundled with Kantech SDK — customer-deployed alongside Kantech.\n","owner":"customer","citation":{"source":"src/connectors/kantech/source.pdf","locator":"p7 — Connector Architecture","quote":"This Web Service is a prerequisite for deploying the Kantech connector and is available as part of Kantech SDK."}},{"title":"Kantech operator account with API access","description":"Dedicated Kantech operator with API-access privileges.\n","owner":"customer"},{"title":"SSL certificate trust","description":"Kantech Web Service certificate imported into the AE host's JVM cacerts keystore.\n","owner":"ae"}],"knownLimitations":[],"relatedConnectors":[],"relatedConcepts":["cardholder","badge-or-credential","access-level"],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-kantech-connector","name":"Alert Kantech Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE's Kantech connector module."},{"id":"kantech-web-service","name":"Kantech SDK Web Service (REST)","kind":"gateway","vendor":"kantech","trustZone":"customer-onprem","description":"REST web service bundled with the Kantech SDK. Customer-deployed."},{"id":"kantech-server","name":"Kantech EntraPass Server","kind":"platform","vendor":"kantech","trustZone":"customer-onprem","description":"Kantech EntraPass PACS application."}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Provisioning + reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-kantech-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-kantech-connector","to":"kantech-web-service","label":"REST over HTTPS","transport":"rest","auth":"basic","carries":"User / badge / role provisioning + reconciliation","direction":"bidirectional","trustCrossing":true},{"from":"kantech-web-service","to":"kantech-server","label":"SDK API","transport":"proprietary-api","direction":"bidirectional","trustCrossing":false}]},"citations":[{"source":"src/connectors/kantech/source.pdf","locator":"Full connector guide — 26 pages, updated 2024-12-19"},{"source":"src/connectors/kantech/source.pdf","locator":"p5 — Supported Version","quote":"The Kantech Connector supports Kantech version V7.2.23 and above"}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2024-12-19","sourceSha256":"f590fd3b43e2163d1590ea7ff8c265f5f94d3ced02ea856e7be9ab1db7f489d4","kind":"pacs","fields":{"readerProtocols":[],"cardFormats":[],"topology":"on-prem","eventModel":"polling","pollInterval":"AE-side schedule per customer.","eventTypes":[],"antiPassback":"unknown","holidaySchedules":"unknown","cardholderModel":"Kantech EntraPass cardholder model with associated cards and access levels.\n","accessRightsModel":"Kantech EntraPass access levels (called Access Levels in the product).\n","multiTenancy":"Single Kantech instance per AE→Kantech connector.\n"}},"legic":{"id":"legic","name":"LEGIC","vendor":"LEGIC","vendorId":"legic","connectorPackage":"AE_HSc_LEGICConnectorGuide","status":"active","description":"The LEGIC connector integrates AlertEnterprise with **LEGIC Connector** — a credential-provider system.\n\n**This record was auto-generated by `scripts/ingest/template-connector.ts` from the AE connector guide.** Structured fields (versions, transports, authentication, composition graph) are derived from deterministic recognition; the description, prerequisites, dataFields, knownLimitations, and kind-specific fields are placeholders to be filled in during the category authoring wave for credential-provider connectors.\n\nSource: `AE_HSc_LEGICConnectorGuide.pdf` (page count: 20).\n","versions":[{"range":"(version not specified in connector guide — verify against current vendor docs)","status":"active"}],"transports":["rest"],"directions":["bidirectional"],"authentication":[{"kind":"api-key","label":"API key","details":"Detected from connector guide (deterministic recognition). Refine prose and add citation page numbers per the AE-internal authoring conventions.\n"}],"endpoints":[],"dataFields":[],"rateLimits":[],"prerequisites":[],"knownLimitations":[],"relatedConnectors":[],"relatedConcepts":[],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-legic-connector","name":"Alert LEGIC Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE's LEGIC-specific connector module."},{"id":"legic-system","name":"LEGIC System","kind":"platform","vendor":"legic","trustZone":"vendor-cloud","description":"The customer's LEGIC system or tenant — authoritative source for the data this connector reads / writes.\n"}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Provisioning + reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-legic-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-legic-connector","to":"legic-system","label":"API calls (provisioning + reconciliation)","transport":"rest","carries":"Connector-specific data","direction":"bidirectional","trustCrossing":true}]},"citations":[{"source":"src/connectors/legic/source.pdf","locator":"Connector guide — 20 pages"},{"source":"src/connectors/legic/source.pdf","locator":"p3 — Chapter 1, Introduction................................................................................................................. 5"}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2025-05-20","sourceSha256":"32f715595dbb2e654afa9dccebc733db21c8c955d61f5c1ca812d215fbad78fa","kind":"credential-provider","fields":{"wallets":[],"lifecycleStates":[]}},"lenel-open-access":{"id":"lenel-open-access","name":"Lenel OnGuard (via OpenAccess REST)","vendor":"Lenel (HID Global / Carrier)","vendorId":"lenel","connectorPackage":"AE_HSc_LenelOpenAccessConnectorGuide","status":"active","description":"$20","versions":[{"range":"Lenel OnGuard 7.6, 8.0, 8.1, 8.2, 8.3","connectorVersion":"4.1.1","status":"active","notes":"Supported on OnGuard standalone + OnGuard Enterprise (federated). OnGuard Cloud is NOT supported by this connector — additional development required."}],"transports":["rest"],"directions":["bidirectional"],"authentication":[{"kind":"oauth2-password","label":"OnGuard OpenAccess OAuth 2.0","details":"The OpenAccess API uses OAuth 2.0. The Alert OpenAccess Connector exchanges OnGuard operator credentials for a bearer token at the OpenAccess token endpoint, then includes `Authorization: Bearer ` on subsequent calls. Token TTL is OnGuard-side and the connector refreshes on expiration. All traffic over TLS.\n","credentialStorage":"Encrypted in AE connector configuration."}],"endpoints":[],"dataFields":[{"aeField":"userId","vendorField":"Cardholder.PERSONID","description":"OnGuard Cardholder primary key.","direction":"bidirectional","required":true},{"aeField":"firstName","vendorField":"Cardholder.FIRSTNAME","direction":"bidirectional","required":false},{"aeField":"lastName","vendorField":"Cardholder.LASTNAME","direction":"bidirectional","required":false},{"aeField":"middleName","vendorField":"Cardholder.MIDNAME","direction":"bidirectional","required":false},{"aeField":"badgeId","vendorField":"Badge.BADGEKEY","description":"OnGuard badge identifier.","direction":"bidirectional","required":true},{"aeField":"cardNumber","vendorField":"Badge.CARDNUMBER","direction":"bidirectional","required":false},{"aeField":"BadgeAccessLevel","vendorField":"BadgeAccessLevel","description":"Cardholder Access Levels (OnGuard term for what Guardian calls Access Areas).","direction":"bidirectional","required":false}],"rateLimits":[],"prerequisites":[{"title":"OnGuard OpenAccess API enabled","description":"The OpenAccess REST API must be enabled and reachable from the AE application server (on-prem deployment) or from the Alert Enterprise Agent (SaaS deployment).\n","owner":"customer","citation":{"source":"src/connectors/lenel-open-access/source.pdf","locator":"p5 — Definitions / OpenAccess","quote":"OpenAccess: The RESTful API developed by Lenel that allows third-party systems to interface with the OnGuard system."}},{"title":"OnGuard operator account with API privileges","description":"Dedicated OnGuard operator with privileges for cardholder + badge + access-level operations, visitor operations (if VIM is in scope), and SOC Insights data reads (if Readers/Panels/Events/Alarms reconciliation is in scope).\n","owner":"customer"},{"title":"Alert Enterprise Agent (SaaS deployment only)","description":"For SaaS Guardian, an Alert Enterprise Agent must be deployed on-prem with reachability to OnGuard's OpenAccess endpoint. The Agent hosts the OpenAccess Connector and provides the cloud-to-on-prem bridge — OnGuard is never exposed to the cloud.\n","owner":"ae","citation":{"source":"src/connectors/lenel-open-access/source.pdf","locator":"p9 — Guardian (SaaS) Architecture"}}],"knownLimitations":[{"title":"Badge PINs not reconcilable (encrypted in OnGuard)","description":"Badge PIN codes are encrypted in OnGuard and cannot be read back through the OpenAccess API. Reconciliation reads everything *except* PINs — provisioning writes PINs through but reconciliation can't verify them.\n","severity":"informational","citation":{"source":"src/connectors/lenel-open-access/source.pdf","locator":"p7-8 — Limitations table","quote":"Badge PINs are encrypted in OnGuard and cannot be reconciled using the Open Access API."}},{"title":"OnGuard Cloud not supported","description":"This connector is designed for on-premises OnGuard deployments only. Supporting OnGuard Cloud would require additional development from AE. Customers planning OnGuard Cloud should engage AE Product to scope the work.\n","severity":"important","citation":{"source":"src/connectors/lenel-open-access/source.pdf","locator":"p7-8 — Limitations table","quote":"The Guardian Lenel connector is designed for on-premises OnGuard deployments. Supporting OnGuard Cloud would require additional development."}}],"relatedConnectors":["lenel","ccure9000-victor","genetec"],"relatedConcepts":["cardholder","badge-or-credential","access-level","piam","vim","soc-insights","panel","reader"],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-openaccess-connector","name":"Alert OpenAccess Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE's modern Lenel connector using OpenAccess REST. On SaaS deployments this runs inside the Alert Enterprise Agent (customer-onprem)."},{"id":"lenel-openaccess-api","name":"Lenel OpenAccess REST API","kind":"gateway","vendor":"lenel","trustZone":"customer-onprem","description":"Lenel's REST API surface for OnGuard. Authenticates via OAuth 2.0."},{"id":"onguard-server","name":"Lenel OnGuard Server","kind":"platform","vendor":"lenel","trustZone":"customer-onprem","description":"OnGuard PACS application server — manages Cardholders, Visitors, Badges, Cardholder Access Levels, Readers, Panels, Events, Alarms."}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Provisioning + reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-openaccess-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-openaccess-connector","to":"lenel-openaccess-api","label":"OpenAccess REST + OAuth bearer","transport":"rest","auth":"oauth2-password","carries":"Cardholder / Visitor / Badge / Access Level + SOC Insights (Readers / Panels / Events / Alarms)","direction":"bidirectional","trustCrossing":true},{"from":"lenel-openaccess-api","to":"onguard-server","label":"Internal OpenAccess → OnGuard","transport":"proprietary-api","direction":"bidirectional","trustCrossing":false}]},"citations":[{"source":"src/connectors/lenel-open-access/source.pdf","locator":"Full connector guide — 31 pages, updated 2026-05-14"},{"source":"src/connectors/lenel-open-access/source.pdf","locator":"p6 — Supported Versions & Features","quote":"OpenAccess / 7.6, 8.0, 8.1, 8.2, 8.3 / PIAM - Cardholder, Cardholder Badge, Cardholder Access; VIM - Visitors, Visitor Badges, Visitor Access; SOC Insights - Readers, Panels, Events, Alarms"},{"source":"src/connectors/lenel-open-access/source.pdf","locator":"p5 — DataConduIT definition","quote":"Data ConduIT: The previous DCOM based API that Lenel provided for third-party integrations into their PACS. This is now obsolete."}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2026-05-14","sourceSha256":"13915a1ef8f0c2a62e347158642bf94b5fb5cd4e165df33e7474d2190ab658a1","kind":"pacs","fields":{"readerProtocols":[],"cardFormats":[],"topology":"on-prem","eventModel":"both","pollInterval":"AE-side schedule per customer; events available via incremental reconciliation.","eventTypes":["Badge Swipe Events","Alarms"],"antiPassback":"unknown","holidaySchedules":"unknown","cardholderModel":"OnGuard models a Cardholder as the principal identity (PERSONID, FIRSTNAME, LASTNAME, MIDNAME, custom attributes). Each Cardholder has one or more **Badges** (BADGEKEY, CARDNUMBER, status flags, validity window, PIN). Visitors are a parallel object family — VIM (Visitor Identity Management) provides Visitor + Visitor Badge + Visitor Access. Both PIAM and VIM are supported by this connector.\n","accessRightsModel":"Access is granted by assigning **Cardholder Access Levels** to badges. OnGuard's term \"Cardholder Access Level\" maps to Guardian's \"Access Area\" concept. Supports `Change Badge Access Levels` operation to modify assignments.\n","multiTenancy":"OnGuard Enterprise supports federated deployments with multiple regional OnGuard instances. The connector supports both standalone OnGuard (on-prem) and OnGuard Enterprise. **OnGuard Cloud is not supported** — see limitation above.\n"}},"lenel":{"id":"lenel","name":"Lenel OnGuard","vendor":"Lenel","vendorId":"lenel","connectorPackage":"AE_HSc_LenelConnectorGuide","status":"active","description":"$21","versions":[{"range":"Lenel OnGuard 2012","status":"legacy"},{"range":"Lenel OnGuard 2013","status":"legacy"},{"range":"Lenel OnGuard 7.0","status":"legacy"},{"range":"Lenel OnGuard 7.1","status":"legacy"},{"range":"Lenel OnGuard 7.2","status":"legacy"},{"range":"Lenel OnGuard 7.3","status":"legacy"},{"range":"Lenel OnGuard 7.4","status":"active"},{"range":"Lenel OnGuard 7.5","status":"active"},{"range":"Lenel OnGuard 8.0","status":"active"},{"range":"Lenel OnGuard 8.1","status":"active"}],"transports":["soap"],"directions":["bidirectional"],"authentication":[{"kind":"basic","label":"Windows credentials over SOAP/HTTPS","details":"The Lenel Connector authenticates to the Alert Lenel Web Service Agent using a\nWeb Service URL plus Windows username / password. Credentials must correspond to a\nLenel user account, linked via Lenel's SSO configuration. The channel can be\nSSL-secured (recommended in production).\n","credentialStorage":"AE connector configuration (encrypted at rest)","citation":{"source":"src/connectors/lenel/source.pdf","locator":"p23 — Chapter 5, Security"}}],"endpoints":[],"dataFields":[{"aeField":"User","vendorField":"Lenel User / Cardholder","description":"User accounts in OnGuard map to AE User entities. Connector creates, updates, delimits, and deletes users.","direction":"bidirectional","required":true},{"aeField":"Credential","vendorField":"Badge","description":"Badge records assigned to users. Connector adds, activates, deactivates, changes, and deletes badges, and changes badge access levels.","direction":"bidirectional","required":true},{"aeField":"Access Level","vendorField":"Badge Access Level","description":"Access levels assigned to badges. Connector reads and writes badge access-level assignments during provisioning and reconciliation.","direction":"bidirectional","required":false}],"rateLimits":[],"prerequisites":[{"title":"Alert Lenel Web Service Agent installed on Lenel host","description":"The Agent is a C# SOAP web service hosted on IIS on the Lenel OnGuard server. It\nmust be installed and reachable from the AE host before the connector can\noperate. IIS plus a compatible .NET runtime are required on the Lenel host.\n","owner":"ae","citation":{"source":"src/connectors/lenel/source.pdf","locator":"p8 — Chapter 2, Connector Architecture"}},{"title":"Lenel service account with required permission groups","description":"The Lenel user account driving the integration must hold these permission groups:\nSystemAdmin (System), CardHolder Admin (CardHolder), MonitorUser (Monitor), and\nView Access (Reports). Lower-privileged accounts will fail at the DataConduIT layer.\n","owner":"customer","citation":{"source":"src/connectors/lenel/source.pdf","locator":"p23 — Chapter 5, Security"}},{"title":"SSL configuration between Lenel Connector and Agent (recommended)","description":"The SOAP/HTTPS channel between the Lenel Connector and the Alert Lenel Web Service\nAgent supports SSL. Production deployments should enable SSL; the guide includes\ncertificate provisioning steps.\n","owner":"ae","citation":{"source":"src/connectors/lenel/source.pdf","locator":"p23 — Chapter 5, Security"}},{"title":"SSO configuration linking Lenel users","description":"Lenel users must be linked through SSO configuration so that the Windows credential\npassed by AE resolves to a Lenel user with the required permissions.\n","owner":"customer","citation":{"source":"src/connectors/lenel/source.pdf","locator":"p25 — Chapter 6, SSO Configuration"}}],"knownLimitations":[{"title":"Connector guide documents through OnGuard 8.1 only","description":"The connector guide (last updated 2023-04) lists OnGuard versions through 8.1.\nNewer OnGuard releases (8.2, 8.3) may work in practice but are not formally\ndocumented; treat support claims for newer versions as requiring operational\nverification.\n","severity":"important","citation":{"source":"src/connectors/lenel/source.pdf","locator":"p6 — Chapter 1, Supported Version"}},{"title":"Custom fields require explicit configuration","description":"Non-default Lenel fields must be created on both sides (Lenel + AE) per the\nCreating Custom Fields chapter. The connector does not auto-discover custom fields.\n","severity":"informational","citation":{"source":"src/connectors/lenel/source.pdf","locator":"p30 — Chapter 9, Creating Custom Fields in Lenel"}}],"relatedConnectors":[],"relatedConcepts":["cardholder","badge-or-credential","access-level","piam","card-format","reader","panel"],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"Guardian-side framework providing common provisioning + reconciliation\nprimitives for every PACS / IAM / HR connector. Drives the Lenel Connector.\n"},{"id":"lenel-connector","name":"Lenel Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE's Lenel-specific connector module. Translates ACF operations into SOAP\ncalls against the Alert Lenel Web Service Agent.\n"},{"id":"alert-lenel-web-service-agent","name":"Alert Lenel Web Service Agent","kind":"service","vendor":"ae","trustZone":"customer-onprem","description":"AE-authored SOAP web service (C# / IIS-hosted) deployed ON the customer's\nLenel OnGuard host. Receives SOAP calls and translates them to DataConduIT\nAPI calls into Lenel OnGuard.\n"},{"id":"lenel-onguard-server","name":"Lenel OnGuard Server","kind":"platform","vendor":"lenel","trustZone":"customer-onprem","description":"The customer's Lenel OnGuard installation — the authoritative source of\nusers, badges, badge access levels, and access events.\n"}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Provisioning + reconciliation requests","transport":"rest","carries":"User / Badge / AccessLevel operations","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"lenel-connector","label":"ACF → connector dispatch","transport":"proprietary-api","carries":"User / Badge / AccessLevel operations","direction":"outbound","trustCrossing":false},{"from":"lenel-connector","to":"alert-lenel-web-service-agent","label":"SOAP/HTTP(S) request/response","transport":"soap","auth":"basic","carries":"Provisioning + reconciliation operations","direction":"outbound","trustCrossing":true,"citation":{"source":"src/connectors/lenel/source.pdf","locator":"p8 — Connector Architecture"}},{"from":"alert-lenel-web-service-agent","to":"lenel-onguard-server","label":"DataConduIT API calls","transport":"proprietary-api","carries":"User / Badge / AccessLevel CRUD + event reconciliation","direction":"bidirectional","trustCrossing":false,"citation":{"source":"src/connectors/lenel/source.pdf","locator":"p8 — Connector Architecture"}},{"from":"lenel-onguard-server","to":"alert-lenel-web-service-agent","label":"Reconciliation results / event data","transport":"proprietary-api","carries":"User / Badge / AccessLevel deltas, access events","direction":"inbound","trustCrossing":false}]},"citations":[{"source":"src/connectors/lenel/source.pdf","locator":"p6 — Chapter 1, Supported Version","quote":"The Lenel OnGuard connector supports OnGuard 2012, OnGuard 2013, OnGuard 7.0, OnGuard 7.1, OnGuard 7.2, OnGuard 7.3, OnGuard 7.4, OnGuard 7.5, OnGuard 8.0, and OnGuard 8.1 versions."},{"source":"src/connectors/lenel/source.pdf","locator":"p6 — Provisioning Capabilities","quote":"Create User Account, Update User Account, Delete User accounts, Delimit User accounts, Add Badge, Activate Badge, Deactivate Badge, Change Badge, Change Badge Access Levels, Delete Badge"},{"source":"src/connectors/lenel/source.pdf","locator":"p7 — Reconciliation Capabilities","quote":"Full Reconciliation of User, User Badges & Badge Access Levels; Incremental Reconciliation of User, User Badges & Badge Access Levels"},{"source":"src/connectors/lenel/source.pdf","locator":"p8 — Chapter 2, Connector Architecture","quote":"The Alert Lenel Web service Agent is a SOAP based web service (built with C# language) and it should be deployed on the IIS server located on the Lenel OnGuard system... The agent internally makes DataConduIT calls to communicate with the Lenel OnGuard system."},{"source":"src/connectors/lenel/source.pdf","locator":"p23 — Chapter 5, Security","quote":"SystemAdmin (System); CardHolder Admin (CardHolder); MonitorUser (Monitor); View Access (Reports)"}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2023-04-11","sourceSha256":"9d35b327730ad1ed53a797b4399aa6b077eef9a0748bd870fcb685dd37627255","kind":"pacs","fields":{"readerProtocols":[],"cardFormats":["Custom Card Formats (per-deployment configuration; see Chapter 9 — Creating Custom Fields)"],"topology":"hybrid","eventModel":"both","pollInterval":"configurable per deployment","eventTypes":["access granted","access denied","alarm","badge issued","badge revoked"],"antiPassback":"unknown","holidaySchedules":"unknown","cardholderModel":"User (cardholder) is the principal entity. Users hold Badges; Badges are assigned\nAccess Levels. Custom fields can extend Users and Badges per deployment.\n","accessRightsModel":"Access Levels are assigned to Badges (not directly to Users). The connector reads\nand writes Badge Access Level assignments; OnGuard enforces the model natively.\n","multiTenancy":"Segment / Region partitioning supported by OnGuard natively. The connector honors\nthe customer's segmentation model via DataConduIT calls.\n"}},"matrix-frontier":{"id":"matrix-frontier","name":"Matrix Systems Frontier","vendor":"Matrix Systems","vendorId":"matrix","connectorPackage":"AE_HSc_MatrixFrontierConnectorGuide","status":"active","description":"The Matrix Frontier connector integrates AlertEnterprise Guardian with **Matrix Systems Frontier** — Matrix Systems' enterprise PACS, commonly deployed in government, transit, and large commercial facilities. Frontier is positioned as a high-availability PACS with strong support for distributed multi-site deployments.\n\nArchitecture: **AE → ACF → Alert Matrix Frontier Adapter → Frontier REST API → Matrix Frontier System**. HTTPS REST.\n","versions":[{"range":"Matrix Frontier 4.8","status":"active"}],"transports":["rest"],"directions":["bidirectional"],"authentication":[{"kind":"basic","label":"Frontier API credentials","details":"Basic auth credentials configured in AE connector. SSL/TLS required.","credentialStorage":"Encrypted in AE connector configuration."}],"endpoints":[],"dataFields":[],"rateLimits":[],"prerequisites":[{"title":"Matrix Frontier 4.8 with REST API enabled","description":"An operational Matrix Frontier 4.8 deployment with the Frontier API enabled and reachable.\n","owner":"customer","citation":{"source":"src/connectors/matrix-frontier/source.pdf","locator":"p7 — Connector Architecture","quote":"The Alert Connector Framework uses the Alert Matrix Frontier Adapter to make Frontier API calls for performing operations in the Matrix Frontier system."}}],"knownLimitations":[],"relatedConnectors":[],"relatedConcepts":["cardholder","badge-or-credential","access-level"],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-matrix-frontier-adapter","name":"Alert Matrix Frontier Adapter","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"matrix-frontier-api","name":"Frontier API","kind":"gateway","vendor":"matrix","trustZone":"customer-onprem"},{"id":"matrix-frontier-system","name":"Matrix Frontier System","kind":"platform","vendor":"matrix","trustZone":"customer-onprem"}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Provisioning + reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-matrix-frontier-adapter","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-matrix-frontier-adapter","to":"matrix-frontier-api","label":"Frontier REST API over HTTPS","transport":"rest","auth":"basic","carries":"User / badge / access provisioning + reconciliation","direction":"bidirectional","trustCrossing":true},{"from":"matrix-frontier-api","to":"matrix-frontier-system","label":"Internal API","transport":"proprietary-api","direction":"bidirectional","trustCrossing":false}]},"citations":[{"source":"src/connectors/matrix-frontier/source.pdf","locator":"Full connector guide, updated 2024-12-19"},{"source":"src/connectors/matrix-frontier/source.pdf","locator":"p5 — Supported Version","quote":"Matrix Frontier Connector supports Matrix Version 4.8"}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2024-12-19","sourceSha256":"2635f67d55cfc8a47b7b6ef4232931cf2a5ba2a29409494d3979a348001a98a8","kind":"pacs","fields":{"readerProtocols":[],"cardFormats":[],"topology":"on-prem","eventModel":"polling","pollInterval":"AE-side schedule per customer.","eventTypes":[],"antiPassback":"unknown","holidaySchedules":"unknown","cardholderModel":"Matrix Frontier cardholder model with associated badges and access permissions.\n","accessRightsModel":"Matrix Frontier access model exposed through Frontier REST API.\n","multiTenancy":"Single Frontier instance per AE→Matrix Frontier connector.\n"}},"medeco-rest":{"id":"medeco-rest","name":"Medeco eCylinders (REST)","vendor":"Medeco","vendorId":"medeco","connectorPackage":"AE_HSc_Medeco_RestConnectorGuide","status":"active","description":"The Medeco REST connector integrates AlertEnterprise with **Medeco eCylinders** — electronic-lock platforms commonly deployed in fin-services facilities where traditional networked PACS is impractical (utility closets, remote sites, branch vaults). The connector drives lock-side provisioning + reconciliation via Medeco's RESTful API.\n\nTopology: Alert Connector Framework (ACF) drives the Medeco Connector, which issues HTTPS calls into the Medeco RESTful API. No intermediate agent — direct REST integration.\n","versions":[{"range":"Medeco eCylinders (per current Medeco REST API contract)","status":"active","notes":"No fixed version pin in the connector guide. Connector targets the documented Medeco REST API."}],"transports":["rest"],"directions":["bidirectional"],"authentication":[{"kind":"api-key","label":"Medeco REST API authentication","details":"Medeco's REST API authentication is configured per deployment. See the connector\nguide's Security chapter and Medeco's API contract for the current scheme.\n","credentialStorage":"AE connector configuration (encrypted at rest)"}],"endpoints":[],"dataFields":[{"aeField":"User","vendorField":"Medeco User","description":"User accounts for lock access. Connector creates + updates users and credentials.","direction":"bidirectional","required":true},{"aeField":"Credential","vendorField":"Medeco Key / Credential","description":"Electronic key credentials assigned to users. Connector adds + revokes credentials.","direction":"bidirectional","required":true}],"rateLimits":[],"prerequisites":[{"title":"Medeco REST API access","description":"Customer must have Medeco's REST API enabled on their eCylinders deployment\nwith valid AE-callable credentials.\n","owner":"customer"}],"knownLimitations":[],"relatedConnectors":[],"relatedConcepts":[],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-medeco-connector","name":"Alert Medeco Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE's Medeco-specific connector. REST/HTTPS into the Medeco system."},{"id":"medeco-system","name":"Medeco eCylinders System","kind":"platform","vendor":"medeco","trustZone":"customer-cloud","description":"Medeco's electronic-lock management system. Hosts user + credential records\nthat drive electronic-cylinder access decisions at the lock itself.\n"},{"id":"medeco-ecylinders","name":"Medeco eCylinders (locks)","kind":"device","vendor":"medeco","trustZone":"device-edge","description":"Field-deployed electronic locks. Receive credential updates from the Medeco\nsystem via Medeco's own delivery mechanism (BLE / programmable key delivery\ndepending on lock model).\n"}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"User + credential ops","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-medeco-connector","label":"ACF dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-medeco-connector","to":"medeco-system","label":"REST API (provisioning + reconciliation)","transport":"rest","carries":"User / Credential operations","direction":"bidirectional","trustCrossing":true,"citation":{"source":"src/connectors/medeco-rest/source.pdf","locator":"p8 — Connector Architecture"}},{"from":"medeco-system","to":"medeco-ecylinders","label":"Lock-side credential delivery (Medeco's own mechanism)","transport":"proprietary-api","direction":"outbound","trustCrossing":false,"notes":"Final delivery to the lock is outside AE's scope — Medeco's own\nprogrammable-key / BLE delivery mechanism handles this step.\n"}]},"citations":[{"source":"src/connectors/medeco-rest/source.pdf","locator":"p8 — Chapter 2, Connector Architecture"}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2025-10-10","sourceSha256":"3c221800e03246dc13fe0dcc2fabcf9b1296a843c4bfedc6f7ed0a0e5a471fca","kind":"lock","fields":{"protocols":["bluetooth","proprietary"],"offlineCapability":true,"batteryPowered":true,"keyManagementModel":"Credentials are minted on the Medeco system and delivered to electronic\ncylinders via Medeco's programmable-key / BLE delivery model. AE manages\nthe user/credential identity; lock-side delivery is Medeco's mechanism.\n","auditLogModel":"Lock-side audit events are surfaced through the Medeco system and\nreconciled back into AE on the standard reconciliation cadence.\n"}},"microsoft-entra-id-sso":{"id":"microsoft-entra-id-sso","name":"Microsoft Entra ID SSO","vendor":"Microsoft","vendorId":"microsoft","connectorPackage":"AE_MicrosoftEntraID_SSO_ConfigurationGuide","status":"active","description":"The Microsoft Entra ID SSO connector configures AlertEnterprise Guardian to federate authentication to **Microsoft Entra ID** (formerly Azure AD) via SAML 2.0. AE Guardian acts as the SAML Service Provider; Entra ID acts as the Identity Provider with its own identity store (users + groups created in Entra or synced from on-prem AD via Entra Connect).\n\nThis is the renamed successor to [[azure-sso]] — Microsoft rebranded \"Azure Active Directory\" to \"Microsoft Entra ID\" in mid-2023, so the SSO connector reflects the new product naming. Functionally identical to azure-sso. For identity data sync (not just SSO), pair with the [[microsoft-entra-id]] connector which uses Microsoft Graph API.\n\nSetup pattern: AE Guardian is registered as a **non-gallery Enterprise Application** in the customer's Entra tenant, configured for SAML SSO, with users and/or groups assigned to it.\n","versions":[{"range":"Microsoft Entra ID (cloud — versionless SaaS, formerly Azure AD)","status":"active"}],"transports":["rest"],"directions":["inbound"],"authentication":[{"kind":"saml","label":"SAML 2.0 (AE as SP, Entra ID as IdP)","details":"AE Guardian acts as the SAML Service Provider; Entra ID acts as the Identity Provider. The Entra admin creates a non-gallery Enterprise Application in Entra → Enterprise Applications → New application → Create your own application, configures SAML 2.0 SSO with AE-provided metadata, and assigns users/groups.\n","citation":{"source":"src/connectors/microsoft-entra-id-sso/source.pdf","locator":"Full guide — Entra Enterprise Application configuration"}}],"endpoints":[],"dataFields":[],"rateLimits":[],"prerequisites":[{"title":"Entra ID tenant with non-gallery Enterprise Application for AE","description":"The Entra admin must create a non-gallery Enterprise Application for AE Guardian, configure SAML 2.0 SSO with AE metadata, and assign users/groups.\n","owner":"customer"},{"title":"User records pre-synced into AE Guardian database","description":"Same constraint as other SSO connectors — users authenticated by Entra ID must already exist in AE Guardian's database. Typically achieved by running the [[microsoft-entra-id]] connector first.\n","owner":"ae"}],"knownLimitations":[{"title":"Authentication only — no provisioning or reconciliation","description":"For Entra-side identity data sync, use the [[microsoft-entra-id]] connector.\n","severity":"informational"}],"relatedConnectors":["microsoft-entra-id","azure-sso","adfs-sso"],"relatedConcepts":["saml","oidc","mfa","conditional-access","jit-provisioning"],"composition":{"actors":[{"id":"end-user","name":"End User (browser)","kind":"user","vendor":"ae","trustZone":"untrusted"},{"id":"ae-guardian-sp","name":"AE Guardian (SAML SP)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"entra-id-idp","name":"Microsoft Entra ID (SAML IdP)","kind":"gateway","vendor":"microsoft","trustZone":"vendor-cloud","description":"Entra ID tenant acting as the SAML IdP."}],"edges":[{"from":"end-user","to":"ae-guardian-sp","label":"HTTPS access attempt","transport":"rest","direction":"outbound","trustCrossing":true},{"from":"ae-guardian-sp","to":"entra-id-idp","label":"SAML AuthnRequest (via browser redirect)","transport":"rest","auth":"saml","direction":"outbound","trustCrossing":true},{"from":"entra-id-idp","to":"ae-guardian-sp","label":"SAML Response (via browser POST to ACS)","transport":"rest","auth":"saml","direction":"outbound","trustCrossing":true}]},"citations":[{"source":"src/connectors/microsoft-entra-id-sso/source.pdf","locator":"Full configuration guide — 20 pages, updated 2025-08-22"}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2025-08-22","sourceSha256":"ef236aa1f536052b22beecdec557e7df5c770dce547c2de059caceb06f4ca407","kind":"iam","fields":{"oidcSupport":"yes","samlSupport":"yes","samlBinding":["http-post","http-redirect"],"scimSupport":"yes","jitProvisioning":"configurable","mfaModel":"MFA enforced by Entra ID Conditional Access policies. AE Guardian inherits MFA enforcement — no AE-side configuration required.\n","groupSyncMode":"not-supported","defaultAttributeMapping":"Email-formatted Name ID + optional claims. Extensible via Entra application attribute mapping.\n","sourceOfRecord":false}},"microsoft-entra-id":{"id":"microsoft-entra-id","name":"Microsoft Entra ID (formerly Azure AD)","vendor":"Microsoft","vendorId":"microsoft","connectorPackage":"AE_HSc_MicrosoftEntraID_ConnectorGuide","status":"active","description":"$22","versions":[{"range":"Microsoft Entra ID (cloud — versionless / continuously updated)","connectorVersion":"ALNTAzureADConnector-5.0","status":"active","notes":"Entra ID is a SaaS platform with no discrete version numbers. The connector targets the current Microsoft Graph API (v1.0). Connector guide revision 2.0 (2025-07-03) updated the API Permissions section to reflect Microsoft's most recent application-permission scopes.\n"}],"transports":["rest"],"directions":["bidirectional"],"authentication":[{"kind":"oauth2-client-credentials","label":"OAuth 2.0 client credentials via Entra app registration","details":"The connector authenticates via an **app registration** in the customer's Entra ID tenant. The customer must:\n1. Register a new application in Entra → App Registrations\n2. Create a client secret under Certificates & Secrets (note the secret value — it's only displayed once)\n3. Configure API Permissions (see Prerequisites below) and grant admin consent\n4. Configure the connector's System Parameters with the app's `clientId`, `clientSecret`, and tenant `azureApiVersion`\n\nThe connector exchanges these for an OAuth 2.0 access token at `login.microsoftonline.com` and uses the token on every Graph API call.\n","credentialStorage":"Encrypted in AE connector configuration (System Parameters tab).","citation":{"source":"src/connectors/microsoft-entra-id/source.pdf","locator":"p20 — Register Application section + p21 — API Permissions"}}],"endpoints":[{"method":"POST","path":"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token","description":"OAuth 2.0 token endpoint — exchanges client credentials for an access token.","category":"auth","direction":"outbound","authMethod":"oauth2-client-credentials"},{"method":"GET","path":"https://graph.microsoft.com/v1.0/users","description":"List users (full + incremental reconciliation).","category":"query","direction":"outbound"},{"method":"POST","path":"https://graph.microsoft.com/v1.0/users","description":"Create user.","category":"provisioning","direction":"outbound"},{"method":"PATCH","path":"https://graph.microsoft.com/v1.0/users/{id}","description":"Update user.","category":"provisioning","direction":"outbound"},{"method":"GET","path":"https://graph.microsoft.com/v1.0/groups","description":"List groups (full reconciliation).","category":"query","direction":"outbound"},{"method":"GET","path":"https://graph.microsoft.com/v1.0/users/{id}/memberOf","description":"Read directory role + group memberships for a user.","category":"query","direction":"outbound"},{"method":"GET","path":"https://graph.microsoft.com/v1.0/directoryRoles","description":"Read all directory roles.","category":"query","direction":"outbound"}],"dataFields":[],"rateLimits":[{"scope":"Microsoft Graph API","limit":"Throttling per application + per tenant — limits vary by Graph resource","per":"app + tenant","exceededResponse":"HTTP 429 with `Retry-After` header","notes":"Graph API throttling is documented separately by Microsoft per resource type. AE's reconciliation jobs at large scale (Fortune 500 with 50k+ users) should respect `Retry-After` headers and back off. The connector handles retries internally; operators can tune reconciliation cadence on the AE side.\n"}],"prerequisites":[{"title":"Microsoft Entra ID tenant with admin access","description":"An operational Microsoft Entra ID tenant. The customer's Entra admin must perform app registration and grant admin consent for the required application permissions.\n","owner":"customer"},{"title":"Entra app registration with Graph API permissions","description":"Create an app registration and grant the following Microsoft Graph API **Application** permissions (admin consent required for each):\n\n**Read permissions (reconciliation):**\n- `User.Read.All` — read all user profiles\n- `Group.Read.All` — read all groups\n- `GroupMember.Read.All` — read group membership\n- `Directory.Read.All` — read directory data including subscribed SKUs (license info)\n- `RoleManagement.Read.Directory` — read directory roles\n\n**Write permissions (provisioning):**\n- `User.ReadWrite.All` — create/update users\n- `User-LifeCycleInfo.ReadWrite.All` — manage employee lifecycle (hire/termination dates)\n- `User.EnableDisableAccount.All` — lock/unlock accounts\n- `User.ManageIdentities.All` — add/update/remove external identities\n\nNote: Application permissions (not Delegated) — the connector runs as an application, not as a delegated user.\n","owner":"customer","citation":{"source":"src/connectors/microsoft-entra-id/source.pdf","locator":"p21-22 — API Permissions tables"}},{"title":"SSL certificate trust","description":"Standard SSL trust for `graph.microsoft.com` — typically trusted by default in modern JVMs. Verify the AE host's JVM cacerts keystore includes the Microsoft / DigiCert certificate chain.\n","owner":"ae","citation":{"source":"src/connectors/microsoft-entra-id/source.pdf","locator":"p24 — Troubleshooting"}}],"knownLimitations":[{"title":"On-prem AD `Description` attribute not reconciled","description":"The connector does not reconcile the `Description` attribute when the source identity is hybrid-synced from on-prem Active Directory to Entra ID. For full description-attribute coverage, customers must also deploy the [[active-directory]] connector and reconcile from on-prem AD directly.\n","severity":"informational","citation":{"source":"src/connectors/microsoft-entra-id/source.pdf","locator":"p25 — Limitations","quote":"Attribute Description of On-Premises AD is not reconciled to Microsoft Entra ID."}}],"relatedConnectors":["active-directory","microsoft-entra-id-sso","okta"],"relatedConcepts":["graph-api","oidc","saml","scim","mfa","conditional-access","lifecycle-events","system-of-record"],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-entra-connector","name":"Alert Microsoft Entra ID Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE's Entra ID connector module (ALNTAzureADConnector — legacy name retained)."},{"id":"microsoft-graph-api","name":"Microsoft Graph API","kind":"gateway","vendor":"microsoft","trustZone":"vendor-cloud","description":"Microsoft's unified REST API for Microsoft 365 + Entra ID + Azure services. Endpoint at graph.microsoft.com."},{"id":"microsoft-entra-id-platform","name":"Microsoft Entra ID Platform","kind":"platform","vendor":"microsoft","trustZone":"vendor-cloud","description":"Microsoft's cloud identity directory (formerly Azure AD)."}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Provisioning + reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-entra-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-entra-connector","to":"microsoft-graph-api","label":"Graph REST + OAuth bearer","transport":"rest","auth":"oauth2-client-credentials","carries":"User / Group / Directory Role / License provisioning + reconciliation","direction":"bidirectional","trustCrossing":true},{"from":"microsoft-graph-api","to":"microsoft-entra-id-platform","label":"Internal Microsoft API","transport":"proprietary-api","direction":"bidirectional","trustCrossing":false}]},"citations":[{"source":"src/connectors/microsoft-entra-id/source.pdf","locator":"Full connector guide — 25 pages, revision 2.0 dated 2025-07-03"},{"source":"src/connectors/microsoft-entra-id/source.pdf","locator":"p6 — Supported Version","quote":"The Microsoft Entra ID Connector supports Microsoft Entra ID System."},{"source":"src/connectors/microsoft-entra-id/source.pdf","locator":"p8 — Connector Architecture","quote":"The Alert Enterprise Connector Framework uses the Alert Microsoft Entra ID Connector to make Microsoft Graph API calls for performing User Provisioning and reconciliation operations in the Microsoft Entra ID Platform."}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2025-07-14","sourceSha256":"b4127e25bfe3c7e047a27cba55cba11af58eb41d6d5b0a500e96d8e63dae7a78","kind":"iam","fields":{"oidcSupport":"yes","samlSupport":"yes","samlBinding":[],"scimSupport":"yes","scimVersion":"SCIM 2.0 via Entra ID's provisioning service (out of scope for this connector — Guardian provisions via Graph API directly)","jitProvisioning":"configurable","mfaModel":"Entra ID enforces MFA via Conditional Access policies (Entra Premium P1+) or Security Defaults (free tier). MFA enforcement is owned by the customer's Entra admin — AE Guardian does not enforce or override.\n","groupSyncMode":"nested","defaultAttributeMapping":"Standard Graph user properties (id, userPrincipalName, displayName, givenName, surname, mail, jobTitle, department, manager, accountEnabled). Customers can extend via Entra's directory schema and map additional attributes through AE's Field Mapping configuration.\n","sourceOfRecord":false}},"microsoft-teams":{"id":"microsoft-teams","name":"Microsoft Teams","vendor":"Microsoft","vendorId":"microsoft","connectorPackage":"AE_HSc_MicrosoftTeamsConnectorGuide","status":"active","description":"The Microsoft Teams connector integrates AlertEnterprise's Guardian platform with **Microsoft Teams** for real-time chat notifications driven by Guardian workflows — most notably **visitor check-in / check-out** notifications to hosts, escorts, and visit requestors.\n\nArchitecturally distinctive: the connector is built on **Microsoft Bot Framework**, not the Graph API. AE provisions a registered **AE Guardian Teams Bot** in the customer's Azure tenant; the bot is the communication bridge between Guardian-side workflow events and Teams-side chat delivery.\n\nTopology: Guardian Platform → Alert Microsoft Teams Connector → AE Guardian Teams Bot (Bot Framework) → Microsoft Teams.\n","versions":[{"range":"Microsoft Bot Framework + Teams (current)","status":"active","notes":"Continuous-release SaaS — connector targets the current Bot Framework + Teams APIs."}],"transports":["rest","webhook"],"directions":["outbound"],"authentication":[{"kind":"oauth2-client-credentials","label":"Azure AD application OAuth (Bot Framework auth)","details":"The AE Guardian Teams Bot is registered as an Azure AD application in the\ncustomer's tenant. Authentication uses OAuth 2.0 client credentials against\nMicrosoft's Bot Framework. The bot must be granted the appropriate Teams app\npermissions and installed in the relevant Teams.\n","credentialStorage":"AE connector configuration (encrypted at rest)","citation":{"source":"src/connectors/microsoft-teams/source.pdf","locator":"p7 — Chapter 2, Connector Architecture"}}],"endpoints":[],"dataFields":[{"aeField":"Chat Message","vendorField":"Teams Chat Message (Bot Framework)","description":"Outbound chat messages — recipient (host / escort / requestor), body, optional adaptive-card content.","direction":"outbound","required":true}],"rateLimits":[],"prerequisites":[{"title":"Azure AD tenant + Bot Framework registration","description":"Customer's Azure AD tenant where the AE Guardian Teams Bot is registered as\nan application. Bot Framework requires explicit registration in Azure.\n","owner":"customer","citation":{"source":"src/connectors/microsoft-teams/source.pdf","locator":"p15 — Chapter 5, Register AE Guardian Teams Bot"}},{"title":"Teams app installed in target Teams","description":"The AE Guardian Teams Bot must be installed in the Teams channels / chats it\nwill message into. Customer Teams admin must approve installation.\n","owner":"customer"},{"title":"Configured directory mapping (host email → Teams user)","description":"Guardian's visitor workflow needs to map visit host / escort email addresses\nto Teams user identities. Standard via Azure AD / Entra ID directory.\n","owner":"customer"}],"knownLimitations":[{"title":"Outbound chat only (today)","description":"The connector documents Send Chat Message only — no documented inbound flow\n(Teams → Guardian) at present.\n","severity":"informational","citation":{"source":"src/connectors/microsoft-teams/source.pdf","locator":"p7 — Connector Architecture functions"}}],"relatedConnectors":[],"relatedConcepts":[],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-microsoft-teams-connector","name":"Alert Microsoft Teams Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE's Teams-specific connector. Dispatches chat-message requests to the AE Guardian Teams Bot."},{"id":"ae-guardian-teams-bot","name":"AE Guardian Teams Bot","kind":"service","vendor":"ae","trustZone":"customer-cloud","description":"AE-authored bot registered as an Azure AD application in the customer's tenant.\nBuilt with Microsoft Bot Framework; bridges Guardian-side events to Teams chat.\n"},{"id":"microsoft-teams-platform","name":"Microsoft Teams","kind":"platform","vendor":"microsoft","trustZone":"vendor-cloud","description":"Microsoft Teams + the Bot Framework infrastructure that delivers messages\nto end-users in their Teams clients.\n"}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Visitor / workflow event → chat trigger","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-microsoft-teams-connector","label":"ACF dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-microsoft-teams-connector","to":"ae-guardian-teams-bot","label":"Bot invocation","transport":"rest","carries":"Chat message payload","direction":"outbound","trustCrossing":false},{"from":"ae-guardian-teams-bot","to":"microsoft-teams-platform","label":"Bot Framework → Teams chat delivery","transport":"rest","auth":"oauth2-client-credentials","carries":"Chat message","direction":"outbound","trustCrossing":true,"citation":{"source":"src/connectors/microsoft-teams/source.pdf","locator":"p7 — Connector Architecture"}}]},"citations":[{"source":"src/connectors/microsoft-teams/source.pdf","locator":"p7 — Chapter 2, Connector Architecture","quote":"The Alert Enterprise Guardian Teams Bot, developed with the Microsoft Bot Framework, acts as the communication bridge."},{"source":"src/connectors/microsoft-teams/source.pdf","locator":"p15 — Chapter 5, Register AE Guardian Teams Bot"}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2025-09-30","sourceSha256":"7b0a767d5657425c38cc8cf5e1c7196990d4575bbee850a28b4cf8b0a1623d9d","kind":"collaboration","fields":{"capabilities":["chat","bots","webhooks"],"appInstallation":"The AE Guardian Teams Bot is registered as an Azure AD application and\ninstalled into the customer's Teams as a Teams app. Customer Teams admin\napproves the installation; per-channel installation is required for each\ntarget chat / channel.\n"}},"mule-soft-rest":{"id":"mule-soft-rest","name":"MuleSoft (REST)","vendor":"MuleSoft","vendorId":"mulesoft","connectorPackage":"AE_HSc_MuleSoft_RestConnectorGuide","status":"active","description":"The MuleSoft REST connector integrates AlertEnterprise with **MuleSoft Anypoint Platform** — Salesforce's enterprise iPaaS / API mediation layer. The connector lets AE consume MuleSoft-exposed REST APIs to orchestrate provisioning + reconciliation across systems MuleSoft mediates (legacy HR systems, custom in-house apps, partner gateways).\n\nTopology: Alert Connector Framework (ACF) → Alert MuleSoft Connector → MuleSoft Anypoint Platform → downstream systems mediated by MuleSoft.\n\nAuthentication: OAuth 2.0 client credentials against MuleSoft's API gateway.\n","versions":[{"range":"MuleSoft Anypoint Platform (current REST API contract)","status":"active"}],"transports":["rest"],"directions":["bidirectional"],"authentication":[{"kind":"oauth2-client-credentials","label":"OAuth 2.0 client credentials","details":"MuleSoft's API gateway authenticates AE via OAuth 2.0 client credentials.\nAE obtains a bearer token and uses it on subsequent API calls.\n","credentialStorage":"AE connector configuration (encrypted at rest)","citation":{"source":"src/connectors/mule-soft-rest/source.pdf","locator":"p30 — Chapter 6, Security"}}],"endpoints":[],"dataFields":[{"aeField":"Mediated API Object","vendorField":"MuleSoft-exposed REST resource","description":"The resource is defined per MuleSoft API contract — typically a user / role\n/ entitlement object mediated from a backing system. Field mappings are\nper-deployment.\n","direction":"bidirectional","required":false}],"rateLimits":[],"prerequisites":[{"title":"MuleSoft Anypoint deployment with AE-accessible API","description":"Customer must have a MuleSoft Anypoint deployment exposing the API(s) AE\nwill call, with the API contract documented.\n","owner":"customer"},{"title":"OAuth client credentials for AE","description":"Customer registers AE as a client application on the MuleSoft API gateway and\nprovides client_id + client_secret to AE.\n","owner":"customer"}],"knownLimitations":[],"relatedConnectors":[],"relatedConcepts":[],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-mulesoft-connector","name":"Alert MuleSoft Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE's MuleSoft-specific connector. OAuth-authenticates against MuleSoft API gateway."},{"id":"mulesoft-anypoint","name":"MuleSoft Anypoint Platform","kind":"gateway","vendor":"mulesoft","trustZone":"vendor-cloud","description":"MuleSoft's API mediation gateway. Sits between AE and the downstream\nsystems it mediates.\n"},{"id":"mulesoft-mediated-systems","name":"Downstream systems mediated by MuleSoft","kind":"platform","vendor":"customer","trustZone":"customer-cloud","description":"The customer-specific systems that MuleSoft fronts. From AE's perspective\nthese are opaque — MuleSoft is the contract surface.\n"}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Provisioning + reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-mulesoft-connector","label":"ACF dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-mulesoft-connector","to":"mulesoft-anypoint","label":"OAuth-authenticated REST calls","transport":"rest","auth":"oauth2-client-credentials","carries":"Mediated resource operations","direction":"bidirectional","trustCrossing":true,"citation":{"source":"src/connectors/mule-soft-rest/source.pdf","locator":"p7 — Connector Architecture"}},{"from":"mulesoft-anypoint","to":"mulesoft-mediated-systems","label":"MuleSoft → mediated systems (opaque to AE)","transport":"proprietary-api","direction":"bidirectional","trustCrossing":false}]},"citations":[{"source":"src/connectors/mule-soft-rest/source.pdf","locator":"p7 — Chapter 2, Connector Architecture"},{"source":"src/connectors/mule-soft-rest/source.pdf","locator":"p30 — Chapter 6, Security"}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2025-08-19","sourceSha256":"881b7899770c9dfa4416bf5f9d4d36ff933176374817f91b20ffe48dc0f5fab7","kind":"integration-platform","fields":{"mediationModel":"passthrough","messageFormats":["JSON","XML"],"persistence":"configurable"}},"nedap":{"id":"nedap","name":"Nedap AEOS","vendor":"Nedap Identification Systems","vendorId":"nedap","connectorPackage":"AE_HSc_NedapConnectorGuide","status":"active","description":"The Nedap connector integrates AlertEnterprise Guardian with **Nedap AEOS** — Nedap Identification Systems' enterprise PACS, widely deployed in EMEA enterprises (banking, healthcare, transportation, energy). AEOS is one of the more sophisticated PACS in terms of multi-site federation and policy-based access management.\n\nArchitecture: **AE → ACF → Alert Nedap Connector → Nedap SOAP API → Nedap Application**. The connector uses **SOAP over HTTPS** — a deliberate choice on Nedap's part to maintain compatibility with their existing integration ecosystem.\n","versions":[{"range":"Nedap AEOS 2020.X, 2021.X, 2023.X, 2024.X","status":"active","notes":"Nedap uses year-based version numbering for AEOS major releases. 2022.X is not listed as supported."}],"transports":["soap"],"directions":["bidirectional"],"authentication":[{"kind":"basic","label":"Nedap SOAP API credentials over SSL","details":"Basic auth credentials in WSSE-style SOAP headers, sent over HTTPS to the Nedap SOAP API endpoint.","credentialStorage":"Encrypted in AE connector configuration."}],"endpoints":[],"dataFields":[],"rateLimits":[],"prerequisites":[{"title":"Nedap AEOS with SOAP API enabled","description":"An operational Nedap AEOS deployment (2020.X, 2021.X, 2023.X, or 2024.X) with the SOAP API enabled and reachable from the AE application server.\n","owner":"customer","citation":{"source":"src/connectors/nedap/source.pdf","locator":"p8 — Connector Architecture","quote":"The Nedap Connector is built on top of the SOAP API exposed by the Nedap system out of the box."}},{"title":"AEOS API user with provisioning + reconciliation privileges","description":"Dedicated AEOS API user account.","owner":"customer"}],"knownLimitations":[],"relatedConnectors":[],"relatedConcepts":["cardholder","badge-or-credential","access-level"],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-nedap-connector","name":"Alert Nedap Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"nedap-soap-api","name":"Nedap SOAP API","kind":"gateway","vendor":"nedap","trustZone":"customer-onprem"},{"id":"nedap-aeos","name":"Nedap AEOS Application","kind":"platform","vendor":"nedap","trustZone":"customer-onprem","description":"Nedap's enterprise PACS server."}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Provisioning + reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-nedap-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-nedap-connector","to":"nedap-soap-api","label":"SOAP over HTTPS","transport":"soap","auth":"basic","carries":"User / badge / access provisioning + reconciliation","direction":"bidirectional","trustCrossing":true},{"from":"nedap-soap-api","to":"nedap-aeos","label":"Internal API","transport":"proprietary-api","direction":"bidirectional","trustCrossing":false}]},"citations":[{"source":"src/connectors/nedap/source.pdf","locator":"Full connector guide, updated 2025-09-08"},{"source":"src/connectors/nedap/source.pdf","locator":"p6 — Supported Version","quote":"The Nedap connector supports 2020.X, 2021.X, 2023.X, 2024.X versions."}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2025-09-08","sourceSha256":"2f6d7ee04bab9f8349b6cce009538ad82a56dd444cfecd40b840112732cd1767","kind":"pacs","fields":{"readerProtocols":[],"cardFormats":[],"topology":"on-prem","eventModel":"polling","pollInterval":"AE-side schedule per customer.","eventTypes":[],"antiPassback":"unknown","holidaySchedules":"unknown","cardholderModel":"AEOS cardholder model with associated tokens (Nedap's term for credentials) and access entitlements.\n","accessRightsModel":"AEOS uses a policy-based access model — Authorisations grant access through Roles and Areas. Specific mapping conventions are AEOS-deployment specific.\n","multiTenancy":"AEOS supports multi-site federation natively. Single connector instance per AEOS deployment.\n"}},"okta-sso":{"id":"okta-sso","name":"Okta Single Sign-On","vendor":"Okta","vendorId":"okta","connectorPackage":"AE_Okta_SSO_ConfigurationGuide","status":"active","description":"The Okta SSO connector configures AlertEnterprise Guardian to federate authentication to **Okta** via SAML 2.0. AE Guardian acts as the SAML **Service Provider (SP)**; Okta acts as the **Identity Provider (IdP)** with its own identity store (users + groups created in Okta or synced from upstream sources via Okta AD Agent / SCIM).\n\nFor new-hire identity sync — distinct from SSO authentication — pair this connector with the full [[okta]] connector (which uses Okta's REST API for cardholder/identity provisioning + reconciliation) or with [[sail-point-rest]] when SailPoint owns the identity lifecycle.\n\nSetup pattern mirrors [[adfs-sso]]: AE provides metadata XML; Okta admin creates a new **SAML 2.0 Application** in the Okta admin console, imports the AE metadata, configures attribute statements (email → Name ID, optional tenant claim). Users must be assigned to the Okta application AND exist in AE Guardian's database before they can log in.\n","versions":[{"range":"Okta (cloud — versionless SaaS)","status":"active"}],"transports":["rest"],"directions":["inbound"],"authentication":[{"kind":"saml","label":"SAML 2.0 (AE as SP, Okta as IdP)","details":"AE Guardian acts as the SAML Service Provider; Okta acts as the Identity Provider. AE provides metadata XML; the Okta admin creates a SAML 2.0 application in Okta admin console, imports AE metadata, and assigns users / groups to the application. On authentication, Okta posts a SAML response to AE's ACS endpoint with the user's email as Name ID.\n","citation":{"source":"src/connectors/okta-sso/source.pdf","locator":"Full guide — Okta SAML application configuration"}}],"endpoints":[],"dataFields":[],"rateLimits":[],"prerequisites":[{"title":"Okta tenant with SAML 2.0 application configured for AE","description":"An operational Okta tenant. The Okta admin creates a SAML 2.0 application, imports AE-provided metadata XML, and assigns users/groups to it.\n","owner":"customer"},{"title":"User records pre-synced into AE Guardian database","description":"Same constraint as [[adfs-sso]] — users authenticated by Okta must already exist in AE Guardian's database. Typically achieved by running the [[okta]] provisioning connector first.\n","owner":"ae"}],"knownLimitations":[{"title":"Authentication only — no provisioning or reconciliation","description":"This connector configures SSO. For identity data sync, pair with the [[okta]] connector.\n","severity":"informational"}],"relatedConnectors":["okta","adfs-sso","microsoft-entra-id-sso"],"relatedConcepts":["saml","oidc","mfa","jit-provisioning"],"composition":{"actors":[{"id":"end-user","name":"End User (browser)","kind":"user","vendor":"ae","trustZone":"untrusted"},{"id":"ae-guardian-sp","name":"AE Guardian (SAML SP)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"okta-idp","name":"Okta (SAML IdP)","kind":"gateway","vendor":"okta","trustZone":"vendor-cloud","description":"Okta tenant acting as the SAML Identity Provider."}],"edges":[{"from":"end-user","to":"ae-guardian-sp","label":"HTTPS access attempt","transport":"rest","direction":"outbound","trustCrossing":true},{"from":"ae-guardian-sp","to":"okta-idp","label":"SAML AuthnRequest (via browser redirect)","transport":"rest","auth":"saml","direction":"outbound","trustCrossing":true},{"from":"okta-idp","to":"ae-guardian-sp","label":"SAML Response (via browser POST to ACS)","transport":"rest","auth":"saml","direction":"outbound","trustCrossing":true}]},"citations":[{"source":"src/connectors/okta-sso/source.pdf","locator":"Full configuration guide — 17 pages, updated 2025-08-22"}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2025-08-22","sourceSha256":"0297d93160e01488832ac89036303c9beddfcbac1ce9699dba900377bf13afac","kind":"iam","fields":{"oidcSupport":"yes","samlSupport":"yes","samlBinding":["http-post","http-redirect"],"scimSupport":"yes","jitProvisioning":"configurable","mfaModel":"MFA enforced by Okta via Sign-On Policies. AE Guardian inherits MFA enforcement from Okta — no AE-side configuration required.\n","groupSyncMode":"not-supported","defaultAttributeMapping":"Email-formatted Name ID + optional tenant claim. Customers can extend the attribute statement in the Okta application configuration.\n","sourceOfRecord":false}},"okta":{"id":"okta","name":"Okta","vendor":"Okta","vendorId":"okta","connectorPackage":"AE_HSc_OktaConnectorGuide","status":"active","description":"$23","versions":[{"range":"Okta 2020.02 and above","status":"active","notes":"Per the connector guide (2025-02-06), Okta 2020.02 is the baseline. Okta's continuous-release model means current production tenants are always above this baseline."}],"transports":["rest"],"directions":["bidirectional"],"authentication":[{"kind":"basic","label":"Okta operator credentials (User Name + Password)","details":"The Okta REST API requires a valid operator account with one of the following\nroles: `pam_admin`, `resource_admin`, or `security_admin`. Credentials are passed\nwith each HTTPS request to the Okta tenant. The Okta tenant URL takes the form\n`https://{yourOktaDomain}/api/v1/users`.\n","credentialStorage":"AE connector configuration (encrypted at rest)","citation":{"source":"src/connectors/okta/source.pdf","locator":"p18 — Chapter 5, Security"}}],"endpoints":[{"method":"GET","path":"/api/v1/users","description":"List + read users for reconciliation.","category":"query","direction":"outbound","authMethod":"basic","citation":{"source":"src/connectors/okta/source.pdf","locator":"p18 — User API endpoint"}},{"method":"POST","path":"/api/v1/users","description":"Create a user in the Okta tenant.","category":"provisioning","direction":"outbound","authMethod":"basic"},{"method":"PUT","path":"/api/v1/users/{userId}","description":"Update a user in the Okta tenant.","category":"provisioning","direction":"outbound","authMethod":"basic"}],"dataFields":[{"aeField":"User","vendorField":"Okta User","description":"User accounts in Okta map to AE User entities. Connector creates and updates users.","direction":"bidirectional","required":true},{"aeField":"Access Group","vendorField":"Okta Group","description":"Okta Groups (access groups). Connector changes a user's group memberships and reconciles group definitions + memberships back into AE.","direction":"bidirectional","required":true},{"aeField":"User Profile Attributes","vendorField":"Okta user profile subschema","description":"Okta supports custom user profile schemas (default + custom subschemas). The connector reads and writes user profile attributes per the documented schema.","direction":"bidirectional","required":false,"citation":{"source":"src/connectors/okta/source.pdf","locator":"p12 — developer.okta.com user schema references"}}],"rateLimits":[],"prerequisites":[{"title":"Okta User API enabled on the tenant","description":"The Okta tenant must have the User API enabled at `https://{yourOktaDomain}/api/v1/users`.\nDisabled / restricted-IP tenants will reject the connector's calls.\n","owner":"customer","citation":{"source":"src/connectors/okta/source.pdf","locator":"p18 — User API enabled"}},{"title":"HTTPS-enabled Okta tenant","description":"The Okta REST API must be served over HTTPS. Plaintext HTTP is not supported by\nthe connector.\n","owner":"customer","citation":{"source":"src/connectors/okta/source.pdf","locator":"p18 — Web API should be secured (https)"}},{"title":"Okta operator account with privileged role","description":"The connector's operator account must hold one of: `pam_admin`, `resource_admin`,\nor `security_admin`. Insufficient roles will produce permission errors at the\nOkta API layer.\n","owner":"customer","citation":{"source":"src/connectors/okta/source.pdf","locator":"p18 — Valid Operator Login roles"}}],"knownLimitations":[{"title":"No delete-user support","description":"The connector documents Create and Update for user accounts but does NOT document\na Delete operation. Operationally, user deactivation is typically handled by\ngroup-membership changes or by Okta's lifecycle states; full delete requires\nmanual administrator action.\n","severity":"important","citation":{"source":"src/connectors/okta/source.pdf","locator":"p5 — Provisioning Capabilities table"}},{"title":"SSO federation requires separate configuration","description":"The standard Okta connector handles user lifecycle and group reconciliation but\ndoes NOT configure SAML/OIDC SSO between Okta and AlertEnterprise. SSO setup is\ncovered by the separate `okta-sso` SSO Configuration guide.\n","severity":"informational"}],"relatedConnectors":[],"relatedConcepts":["oidc","saml","scim","mfa","lifecycle-events","system-of-record","integration-system-user"],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"Guardian-side framework providing common provisioning + reconciliation\nprimitives for every PACS / IAM / HR connector.\n"},{"id":"alert-okta-connector","name":"Alert Okta Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE's Okta-specific connector module. Issues authenticated HTTPS calls\ndirectly against the customer's Okta tenant REST API.\n"},{"id":"okta-tenant","name":"Okta Tenant","kind":"platform","vendor":"okta","trustZone":"vendor-cloud","description":"The customer's Okta tenant at `https://{yourOktaDomain}` — the authoritative\nsource of users, groups, and access policies.\n"}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Provisioning + reconciliation requests","transport":"rest","carries":"User / Group operations","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-okta-connector","label":"ACF → connector dispatch","transport":"proprietary-api","carries":"User / Group operations","direction":"outbound","trustCrossing":false},{"from":"alert-okta-connector","to":"okta-tenant","label":"REST API calls (provisioning + reconciliation)","transport":"rest","auth":"basic","carries":"User CRUD, Group membership changes","direction":"outbound","trustCrossing":true,"citation":{"source":"src/connectors/okta/source.pdf","locator":"p7 — Connector Architecture"}},{"from":"okta-tenant","to":"alert-okta-connector","label":"Reconciliation results","transport":"rest","auth":"basic","carries":"User + Group deltas","direction":"inbound","trustCrossing":true}]},"citations":[{"source":"src/connectors/okta/source.pdf","locator":"p5 — Chapter 1, Supported Version","quote":"The Okta Connector supports Okta version 2020.02 and above."},{"source":"src/connectors/okta/source.pdf","locator":"p5 — Provisioning Capabilities","quote":"Create User accounts; Update User accounts; Change User Access Groups"},{"source":"src/connectors/okta/source.pdf","locator":"p5-6 — Reconciliation Capabilities","quote":"Full Reconciliation of User; Incremental Reconciliation of User; Full Reconciliation of Access Groups; Incremental Reconciliation of Access Groups"},{"source":"src/connectors/okta/source.pdf","locator":"p7 — Chapter 2, Connector Architecture","quote":"The Alert Connector Framework uses the Okta Connector to make calls to the Web Service for performing operations in the Okta system."},{"source":"src/connectors/okta/source.pdf","locator":"p18 — Chapter 5, Security","quote":"Valid Operator Login: pam_admin, resource_admin, security_admin"}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2025-02-06","sourceSha256":"e02100c6cc4950f514da56ca8302b3e10840fde8cc2e8cc3d3f84edafd6760ad","kind":"iam","fields":{"oidcSupport":"yes","oidcDiscoveryUrlPattern":"https://{yourOktaDomain}/.well-known/openid-configuration","samlSupport":"yes","samlBinding":["http-post","http-redirect"],"scimSupport":"yes","scimVersion":"2.0","jitProvisioning":"configurable","mfaModel":"Native Okta MFA policy — enforced server-side by Okta independent of the\nAE connector. The connector authenticates as a privileged operator and\ninherits Okta's policy posture.\n","groupSyncMode":"flat","defaultAttributeMapping":"Okta default user schema (login, email, firstName, lastName, etc.) plus\nconfigurable custom subschemas per the developer.okta.com reference.\n","sourceOfRecord":true}},"oracle-server":{"id":"oracle-server","name":"Oracle","vendor":"Oracle","vendorId":"oracle","connectorPackage":"AE_HSc_OracleServerConnectorGuide","status":"active","description":"The Oracle connector integrates AlertEnterprise with **Oracle Connector** — a data-source system.\n\n**This record was auto-generated by `scripts/ingest/template-connector.ts` from the AE connector guide.** Structured fields (versions, transports, authentication, composition graph) are derived from deterministic recognition; the description, prerequisites, dataFields, knownLimitations, and kind-specific fields are placeholders to be filled in during the category authoring wave for data-source connectors.\n\nSource: `AE_HSc_OracleServerConnectorGuide.pdf` (page count: 20).\n","versions":[{"range":"supports operations on Oracle 8.1.7.0.0(8i), 9.0.1.1.1(9i),","status":"active"}],"transports":["rest"],"directions":["bidirectional"],"authentication":[],"endpoints":[],"dataFields":[],"rateLimits":[],"prerequisites":[],"knownLimitations":[],"relatedConnectors":[],"relatedConcepts":[],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-oracle-server-connector","name":"Alert Oracle Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE's Oracle-specific connector module."},{"id":"oracle-system","name":"Oracle System","kind":"platform","vendor":"oracle","trustZone":"customer-onprem","description":"The customer's Oracle system or tenant — authoritative source for the data this connector reads / writes.\n"}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Provisioning + reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-oracle-server-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-oracle-server-connector","to":"oracle-system","label":"API calls (provisioning + reconciliation)","transport":"rest","carries":"Connector-specific data","direction":"bidirectional","trustCrossing":true}]},"citations":[{"source":"src/connectors/oracle-server/source.pdf","locator":"Connector guide — 20 pages"},{"source":"src/connectors/oracle-server/source.pdf","locator":"p3 — Chapter 1, Introduction................................................................................................................. 5"}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2024-12-19","sourceSha256":"953990759b31a2a635af7a7f154e7f8133bae626d28a4ffd865cefbe7b0b36ba","kind":"data-source","fields":{"protocol":"(see connector guide)"}},"pacom-gms":{"id":"pacom-gms","name":"PACOM GMS (Graphical Monitoring System)","vendor":"PACOM Systems","vendorId":"pacom","connectorPackage":"AE_HSc_PacomGMSConnectorGuide","status":"active","description":"$24","versions":[{"range":"PACOM GMS 4.20, 4.3, 4.5 SP03","status":"active","notes":"For PACOM VigilCore 8.4+, use [[pacom-vigilcore-rest]] (REST API, different product line)."}],"transports":["soap"],"directions":["bidirectional"],"authentication":[{"kind":"basic","label":"PACOM GMS operator credentials (basic auth via SOAP/WCF)","details":"Authentication uses basic auth credentials configured in the AE connector and forwarded by the Alert GMS Agent's SOAP/WCF service to PACOM's GMS .NET SDK. SSL is enabled via IIS-bound certificates on the Agent host.\n","credentialStorage":"Encrypted in AE connector configuration.","citation":{"source":"src/connectors/pacom-gms/source.pdf","locator":"Detected via deterministic recognition (Basic auth) + ASP.NET / Windows / Digest auth options in IIS prerequisites."}}],"endpoints":[],"dataFields":[],"rateLimits":[],"prerequisites":[{"title":"Windows Server with .NET 4.0+ and IIS 8.0+ for the Alert GMS Agent","description":"The Alert GMS Agent — the .NET WCF intermediary that wraps PACOM's GMS SDK — must be deployed on a Windows Server with .NET Framework 4.0 or higher and IIS 8.0 or above. The IIS installation must include Application Development (Static Content, Default Document, Directory Browsing, HTTP Errors, ASP, ASP.NET, .NET Extensibility, ISAPI Extensions, ISAPI Filters), Health/Diagnostics (HTTP Logging, Request Monitor), Security (Basic/Windows/Digest Authentication, Request Filtering), Performance (Static Content Compression), and Management Tools (IIS 6 Management Console + Scripts + Compatibility).\n","owner":"ae","citation":{"source":"src/connectors/pacom-gms/source.pdf","locator":"p8-9 — Installation Prerequisites","quote":"Microsoft .NET framework version 4.0 or higher must be installed on the server where the connector agent is going to be deployed. The IIS Server 8.0 or above must be installed with all Application Development Features listed below..."}},{"title":"PACOM GMS deployment with SDK access","description":"An operational PACOM GMS deployment with the GMS .NET SDK reachable from the Alert GMS Agent host. The Agent can be co-located with the GMS server or remote — both topologies are documented as supported.\n","owner":"customer"},{"title":"AE GMS Connector Agent installer (ALNTGMSWS) deployed","description":"Copy the contents of the `ALNTGMSWS` folder from the ALNTGMSConnector build to the target directory on the Agent host. Update the `web.config` to set a valid Windows folder path for log file generation (must have appropriate write permissions).\n","owner":"ae","citation":{"source":"src/connectors/pacom-gms/source.pdf","locator":"p9 — Installation Steps for GMS Connector Agent"}}],"knownLimitations":[{"title":"Windows-only intermediary","description":"The Alert GMS Agent is Windows-only. Customers running fully Linux-based AE deployments must still provision a Windows Server for the Agent. This is a hard constraint of PACOM's GMS SDK, not an AE-side limitation.\n","severity":"important","citation":{"source":"src/connectors/pacom-gms/source.pdf","locator":"p8 — Important note","quote":"The GMS Connector Agent can only be deployed on the Windows server."}},{"title":"Two access-group hierarchies must be reconciled separately","description":"PACOM's GAG (Global Access Group) and FAG (Floor Access Group) are parallel hierarchies. Customers expecting a single unified access-level abstraction must understand that user role mappings span both — and that the temporary variants of each must be handled distinctly from the permanent ones.\n","severity":"informational"}],"relatedConnectors":["pacom-vigilcore-rest"],"relatedConcepts":["cardholder","badge-or-credential","access-level"],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-gms-connector","name":"Alert GMS Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE-side connector that calls the Alert GMS Agent."},{"id":"alert-gms-agent","name":"Alert GMS Agent (Windows / IIS / WCF)","kind":"mediator","vendor":"ae","trustZone":"customer-onprem","description":"SOAP/WCF web service built in .NET that wraps PACOM's GMS SDK. Deployable on the same host as PACOM GMS or a separate Windows host. Required intermediary — the GMS SDK is .NET-only."},{"id":"pacom-gms-sdk","name":"PACOM GMS .NET SDK","kind":"gateway","vendor":"pacom","trustZone":"customer-onprem","description":"PACOM's .NET API exposed by the GMS installation."},{"id":"pacom-gms-server","name":"PACOM GMS Server","kind":"platform","vendor":"pacom","trustZone":"customer-onprem","description":"PACOM Graphical Monitoring System server — manages cardholders, primary + temporary cards, GAGs, FAGs, and door controllers."}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Provisioning + reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-gms-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-gms-connector","to":"alert-gms-agent","label":"HTTPS SOAP/WCF","transport":"soap","auth":"basic","carries":"User / badge / role provisioning + reconciliation","direction":"bidirectional","trustCrossing":true},{"from":"alert-gms-agent","to":"pacom-gms-sdk","label":".NET SDK calls","transport":"proprietary-api","direction":"bidirectional","trustCrossing":false},{"from":"pacom-gms-sdk","to":"pacom-gms-server","label":"SDK → GMS internal","transport":"proprietary-api","direction":"bidirectional","trustCrossing":false}]},"citations":[{"source":"src/connectors/pacom-gms/source.pdf","locator":"Full connector guide — 30 pages, updated 2025-05-23"},{"source":"src/connectors/pacom-gms/source.pdf","locator":"p5 — Supported Version","quote":"The Alert GMS Connector supports PACOM GMS version 4.20, 4.3, 4.5 SP03"},{"source":"src/connectors/pacom-gms/source.pdf","locator":"p7 — Connector Architecture","quote":"The Alert GMS agent is a SOAP/WCF web service built on top of the GMS .NET API provided by the GMS system out of the box."}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2025-05-23","sourceSha256":"3aa2b22d14a0f6302af7fae689fd23437086f166466488013143acd429a74d38","kind":"pacs","fields":{"readerProtocols":[],"cardFormats":[],"topology":"on-prem","eventModel":"polling","pollInterval":"AE-side schedule per customer.","eventTypes":[],"antiPassback":"unknown","holidaySchedules":"unknown","cardholderModel":"PACOM models a User with one or more Cards. Each user has a designated **Primary Card**; additional cards are **Linked Cards**. **Temporary Cards** can be issued and linked back to another user's primary card — supporting visitor / borrowed-badge workflows where the temporary card carries access derived from a host user's permissions.\n","accessRightsModel":"Access is granted via **Global Access Groups (GAG)** for area access and **Floor Access Groups (FAG)** for elevator/floor access. Both group types have **Permanent** and **Temporary** variants. A user's card may carry any combination — GAG-permanent, GAG-temporary, FAG-permanent, FAG-temporary.\n","multiTenancy":"Single PACOM GMS instance per AE→GMS Connector. Multi-site customers running federated GMS deployments require one connector + one Agent per GMS instance.\n"}},"pacom-vigilcore-rest":{"id":"pacom-vigilcore-rest","name":"PACOM VigilCore (REST)","vendor":"PACOM Systems","vendorId":"pacom","connectorPackage":"AE_HSc_PACOMVIGILCORE_RestConnectorGuide","status":"active","description":"$25","versions":[{"range":"PACOM VigilCore 8.4 and above","status":"active","notes":"For legacy PACOM GMS (4.x), see [[pacom-gms]]. The two product lines do not share a connector."}],"transports":["rest"],"directions":["bidirectional"],"authentication":[{"kind":"oauth2-password","label":"OAuth 2.0 password grant","details":"The VigilCore REST API authenticates via OAuth 2.0. The connector posts `username` + `password` + `grant_type` system parameters to the configured `Token URL` (example: `https://demo.vigilcore.dev/api/login/v1`) and receives an access token. The token is sent on subsequent REST calls.\n","credentialStorage":"Encrypted in AE connector configuration (System Parameters tab).","citation":{"source":"src/connectors/pacom-vigilcore-rest/source.pdf","locator":"p8-9 — System Parameters","quote":"Token URL / Grant Type / Username / Password / Instance URL"}}],"endpoints":[{"method":"POST","path":"{tokenURL}","description":"OAuth 2.0 token endpoint (example demo URL https://demo.vigilcore.dev/api/login/v1).","category":"auth","direction":"outbound","authMethod":"oauth2-password"},{"method":"POST","path":"{CREATE_USER0 endpoint}","description":"Create User Account with badge.","category":"provisioning","direction":"outbound"},{"method":"GET","path":"{SEARCH_USER0 endpoint}","description":"Search / lookup users.","category":"query","direction":"outbound"},{"method":"PUT","path":"{UPDATE_USER0 endpoint}","description":"Update User information.","category":"provisioning","direction":"outbound"},{"method":"DELETE","path":"{DELETE_USER0 endpoint}","description":"Delete User account.","category":"deprovisioning","direction":"outbound"},{"method":"POST","path":"{ASSIGN_BADGE0 endpoint}","description":"Assign Credential to a user.","category":"provisioning","direction":"outbound"},{"method":"GET","path":"{SEARCH_BADGE0 endpoint}","description":"Search / lookup badges.","category":"query","direction":"outbound"},{"method":"POST","path":"{ACTIVATE_BADGE0 endpoint}","description":"Activate Credential.","category":"lifecycle","direction":"outbound"},{"method":"POST","path":"{DEACTIVATE_BADGE0 endpoint}","description":"De-activate Credential.","category":"lifecycle","direction":"outbound"},{"method":"DELETE","path":"{REMOVE_BADGE0 endpoint}","description":"Remove Credential from user.","category":"deprovisioning","direction":"outbound"}],"dataFields":[],"rateLimits":[],"prerequisites":[{"title":"PACOM VigilCore 8.4+ with REST API enabled","description":"An operational PACOM VigilCore deployment (8.4 or later) with the REST API reachable from the AE application server. The `Instance URL` system parameter must point to the API base.\n","owner":"customer","citation":{"source":"src/connectors/pacom-vigilcore-rest/source.pdf","locator":"p6 — Supported Version","quote":"The AE application supports PACOM VIGIL CORE version 8.4 and above."}},{"title":"OAuth 2.0 credentials provisioned in VigilCore","description":"VigilCore admin must provision a dedicated API user with `username` + `password` and provide the OAuth Token URL. Configure these as System Parameters along with `grant_type`.\n","owner":"customer"},{"title":"Per-operation endpoint URLs configured","description":"Each REST operation (CREATE_USER0, UPDATE_USER0, DELETE_USER0, SEARCH_USER0, ASSIGN_BADGE0, SEARCH_BADGE0, ACTIVATE_BADGE0, DEACTIVATE_BADGE0, REMOVE_BADGE0) must be configured as a System Parameter pointing to the appropriate VigilCore endpoint URL. The connector also needs `userIdentifierKey` and per-operation identifier-key variants (SEARCH_USER_userIdentifierKey, ASSIGN_BADGE_userIdentifierKey, etc.).\n","owner":"ae"},{"title":"Track guide revisions during deployment","description":"The VigilCore connector guide has been revised 5+ times between January 2025 and March 2026, with active field-mapping and parameter changes. Verify the deployment matches the latest revision and re-validate after VigilCore version upgrades.\n","owner":"ae"}],"knownLimitations":[{"title":"Active iteration — field mappings change between revisions","description":"Because the connector guide has been revised 5+ times in 14 months with field-mapping and parameter updates, customers locked to a frozen revision risk drift from VigilCore's current API surface. Recommend revalidating against the latest connector guide before each VigilCore version upgrade.\n","severity":"informational","citation":{"source":"src/connectors/pacom-vigilcore-rest/source.pdf","locator":"p4 — Document Revision History (5 revisions documented)"}}],"relatedConnectors":["pacom-gms"],"relatedConcepts":["cardholder","badge-or-credential","access-level"],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-vigilcore-connector","name":"Alert VigilCore Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE's REST-based PACOM VigilCore connector — uses the generic REST connector framework with per-operation endpoint URLs."},{"id":"vigilcore-rest-api","name":"VigilCore REST API","kind":"gateway","vendor":"pacom","trustZone":"vendor-cloud","description":"PACOM's RESTful API for VigilCore. Authenticates callers via OAuth 2.0."},{"id":"vigilcore-system","name":"PACOM VigilCore System","kind":"platform","vendor":"pacom","trustZone":"vendor-cloud","description":"PACOM's modern cloud-native PACS — successor to GMS."}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Provisioning + reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-vigilcore-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-vigilcore-connector","to":"vigilcore-rest-api","label":"REST + OAuth bearer","transport":"rest","auth":"oauth2-password","carries":"User / credential / access-level provisioning + reconciliation","direction":"bidirectional","trustCrossing":true},{"from":"vigilcore-rest-api","to":"vigilcore-system","label":"Internal API","transport":"proprietary-api","direction":"bidirectional","trustCrossing":false}]},"citations":[{"source":"src/connectors/pacom-vigilcore-rest/source.pdf","locator":"Full connector guide — 35 pages, revision 5.0 dated 2026-03-05"},{"source":"src/connectors/pacom-vigilcore-rest/source.pdf","locator":"p6 — Supported Version","quote":"The AE application supports PACOM VIGIL CORE version 8.4 and above."},{"source":"src/connectors/pacom-vigilcore-rest/source.pdf","locator":"p7 — Connector Architecture","quote":"The PACOM VIGIL CORE Connector relies on the out-of-the-box RESTful APIs provided by the PACOM VigilCore system to perform these operations efficiently."}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2026-03-05","sourceSha256":"c2cf35895f3c1abbbc8e92d1482af9ba0107a49f31091fcc945250f40d662a8b","kind":"pacs","fields":{"readerProtocols":[],"cardFormats":[],"topology":"cloud","eventModel":"polling","pollInterval":"AE-side schedule per customer.","eventTypes":[],"antiPassback":"unknown","holidaySchedules":"unknown","cardholderModel":"VigilCore exposes Users with associated Credentials (badges) via REST resources. Credential lifecycle (assign / activate / deactivate / remove) is modeled as discrete API operations rather than status-field toggles.\n","accessRightsModel":"Roles / access levels in VigilCore are managed through the REST API; specific access-group semantics (GAG / FAG analogs from GMS) are not exhaustively documented in the connector guide and require verification against the customer's VigilCore admin configuration.\n","multiTenancy":"VigilCore tenants are isolated at the API layer. One AE→VigilCore connector per tenant.\n"}},"people-soft":{"id":"people-soft","name":"Oracle PeopleSoft HCM","vendor":"Oracle","vendorId":"oracle","connectorPackage":"AE_HSc_PeopleSoftConnectorGuide","status":"active","description":"The PeopleSoft connector integrates AlertEnterprise Guardian with **Oracle PeopleSoft HCM** (Human Capital Management). PeopleSoft is the legacy enterprise HCM platform that competes with SAP HR and Workday in large enterprise (especially federal, state government, and higher education). Despite Oracle's strategic push toward Oracle HCM Cloud, PeopleSoft remains in heavy production at thousands of large institutions.\n\nArchitecture: **AE → ACF → PeopleSoft Adapter → PeopleSoft PSJOA API → PeopleSoft System**. The connector uses **PSJOA (PeopleSoft Java Object Adapter)** — Oracle's Java client library for talking to PeopleSoft's Component Interfaces. This means the AE connector loads PSJOA classes at runtime and invokes Component Interface methods directly (similar in spirit to SAP JCo / [[sap-hr]]).\n","versions":[{"range":"Oracle PeopleTools 8.55, 8.58, 8.60","status":"active","notes":"PeopleTools is the framework version; the underlying HCM application version typically tracks alongside."}],"transports":["proprietary-api"],"directions":["bidirectional"],"authentication":[{"kind":"basic","label":"PeopleSoft operator credentials via PSJOA","details":"Authentication uses a PeopleSoft operator ID + password configured in AE connector System Parameters. The PSJOA library establishes the session.\n","credentialStorage":"Encrypted in AE connector configuration."}],"endpoints":[],"dataFields":[],"rateLimits":[],"prerequisites":[{"title":"Oracle PeopleSoft HCM with PeopleTools 8.55/8.58/8.60","description":"An operational PeopleSoft deployment running PeopleTools 8.55, 8.58, or 8.60. PeopleSoft HCM module licensed and configured.\n","owner":"customer"},{"title":"PSJOA Java library deployed on AE host","description":"Oracle PSJOA (PeopleSoft Java Object Adapter) JAR file deployed on the AE application server. PSJOA is distributed by Oracle as part of the PeopleSoft SDK.\n","owner":"ae","citation":{"source":"src/connectors/people-soft/source.pdf","locator":"p7 — Connector Architecture","quote":"This Web Service is a pre-requisite for deploying the PeopleSoft connector and is available as part of PeopleSoft SDK."}},{"title":"PeopleSoft operator with Component Interface privileges","description":"Dedicated PeopleSoft operator account with privileges to invoke the Component Interfaces the connector uses (typically `CI_PERSONAL_DATA`, `CI_JOB_DATA`, `CI_PERSON_ROLES_USER`, etc.).\n","owner":"customer"}],"knownLimitations":[],"relatedConnectors":["sap-hr","workday-rest"],"relatedConcepts":["component-interface","lifecycle-events","system-of-record"],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-peoplesoft-adapter","name":"Alert PeopleSoft Adapter","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"Uses Oracle PSJOA Java library at runtime."},{"id":"peoplesoft-psjoa","name":"Oracle PSJOA (PeopleSoft Java Object Adapter)","kind":"mediator","vendor":"oracle","trustZone":"customer-onprem","description":"Oracle's Java client library exposing PeopleSoft Component Interfaces. Required intermediary."},{"id":"peoplesoft-system","name":"Oracle PeopleSoft HCM (PeopleTools 8.55-8.60)","kind":"platform","vendor":"oracle","trustZone":"customer-onprem"}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-peoplesoft-adapter","label":"ACF → adapter dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-peoplesoft-adapter","to":"peoplesoft-psjoa","label":"PSJOA Component Interface calls","transport":"proprietary-api","auth":"basic","carries":"Personnel / Job / Roles records","direction":"inbound","trustCrossing":true},{"from":"peoplesoft-psjoa","to":"peoplesoft-system","label":"Internal Component Interface API","transport":"proprietary-api","direction":"inbound","trustCrossing":false}]},"citations":[{"source":"src/connectors/people-soft/source.pdf","locator":"Full connector guide — 21 pages, updated 2024-12-20"},{"source":"src/connectors/people-soft/source.pdf","locator":"p5 — Supported Version","quote":"The PeopleSoft Connector supports PeopleTools version 8.55, 8.58, 8.60."}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2024-12-20","sourceSha256":"e9e91081e04883c979b707cd93439f97b71f6418d204c9d7773095d8d1a1d481","kind":"hr","fields":{"syncMode":["full-load","delta"],"scheduledSync":"configurable","direction":"inbound","lifecycleEvents":["hire","rehire","transfer","promotion","termination","title-change","manager-change","location-change"],"contingentWorkerSupport":false,"fieldMappingNotes":"Standard PeopleSoft HCM fields — EMPLID (personnel ID), NAME, BIRTHDATE, SEX, HIRE_DT, TERMINATION_DT, EMPL_STATUS, JOBCODE, DEPTID, LOCATION, SUPERVISOR_ID. AE-side mapping configurable per deployment.\n"}},"ping-federate-sso":{"id":"ping-federate-sso","name":"PingFederate Single Sign-On","vendor":"Ping Identity","vendorId":"ping-identity","connectorPackage":"AE_PingFederate_SSO_ConfigurationGuide","status":"active","description":"The PingFederate SSO connector configures AlertEnterprise Guardian to federate authentication to **Ping Identity PingFederate** via SAML 2.0. AE Guardian acts as the SAML Service Provider; PingFederate acts as the Identity Provider. PingFederate is the second-most-common enterprise IdP in financial services after Okta, particularly in customer-managed federation deployments where the customer wants on-prem / private-cloud-hosted IdP infrastructure rather than a SaaS IdP.\n\nPattern mirrors [[adfs-sso]] / [[okta-sso]] / [[microsoft-entra-id-sso]]: AE provides metadata XML; PingFederate admin imports it as an **SP Connection** with appropriate attribute contracts (email → Name ID).\n","versions":[{"range":"PingFederate (Ping Identity's enterprise federation server)","status":"active","notes":"Connector guide does not pin a specific PingFederate version; SAML 2.0 SP configuration is consistent across PingFederate releases."}],"transports":["rest"],"directions":["inbound"],"authentication":[{"kind":"saml","label":"SAML 2.0 (AE as SP, PingFederate as IdP)","details":"AE Guardian SP federates to PingFederate IdP. PingFederate posts a SAML response to AE's ACS endpoint with Name ID set to the user's email."}],"endpoints":[],"dataFields":[],"rateLimits":[],"prerequisites":[{"title":"PingFederate deployment with SP Connection for AE","description":"An operational PingFederate deployment. The PingFederate admin creates an SP Connection for AE Guardian, imports AE metadata XML, configures attribute contracts and policy.\n","owner":"customer"},{"title":"User records pre-synced into AE Guardian database","description":"Same constraint as other SSO connectors — users authenticated by PingFederate must already exist in AE Guardian's database.\n","owner":"ae"}],"knownLimitations":[{"title":"Authentication only — no provisioning or reconciliation","description":"For Ping-side identity data, use a separate provisioning connector targeting Ping's authoritative source (typically AD / Entra ID / a directory PingFederate fronts).\n","severity":"informational"}],"relatedConnectors":["active-directory","adfs-sso"],"relatedConcepts":["saml","oidc","mfa","jit-provisioning"],"composition":{"actors":[{"id":"end-user","name":"End User (browser)","kind":"user","vendor":"ae","trustZone":"untrusted"},{"id":"ae-guardian-sp","name":"AE Guardian (SAML SP)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"ping-federate-idp","name":"PingFederate (SAML IdP)","kind":"gateway","vendor":"ping-identity","trustZone":"customer-onprem","description":"PingFederate IdP server."}],"edges":[{"from":"end-user","to":"ae-guardian-sp","label":"HTTPS access attempt","transport":"rest","direction":"outbound","trustCrossing":true},{"from":"ae-guardian-sp","to":"ping-federate-idp","label":"SAML AuthnRequest","transport":"rest","auth":"saml","direction":"outbound","trustCrossing":true},{"from":"ping-federate-idp","to":"ae-guardian-sp","label":"SAML Response (ACS POST)","transport":"rest","auth":"saml","direction":"outbound","trustCrossing":true}]},"citations":[{"source":"src/connectors/ping-federate-sso/source.pdf","locator":"Full configuration guide — 21 pages, updated 2026-02-19"}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2026-02-19","sourceSha256":"7e63ae738ce7e4ea83c59e7b8b71b7727eeb21f82def20cd121a24503da96a2a","kind":"iam","fields":{"oidcSupport":"yes","samlSupport":"yes","samlBinding":["http-post","http-redirect"],"scimSupport":"yes","jitProvisioning":"configurable","mfaModel":"MFA enforced by PingFederate authentication policy / Selector. AE Guardian inherits MFA enforcement from the PingFederate policy chain.\n","groupSyncMode":"not-supported","sourceOfRecord":false}},"pro-watch-dtu-rest":{"id":"pro-watch-dtu-rest","name":"Honeywell Pro-Watch DTU REST","vendor":"Honeywell","vendorId":"honeywell","connectorPackage":"AE_HSc_ProWatchDTU_RestConnectorGuide","status":"active","description":"$26","versions":[{"range":"Honeywell Pro-Watch 6, 6.5","status":"active","notes":"For Pro-Watch 4.x or 5.5, use [[honeywell-pro-watch-dtu]] (SOAP DTU) or [[honeywell-prowatch]] (HSDK).\n"}],"transports":["rest"],"directions":["bidirectional"],"authentication":[{"kind":"mtls","label":"Mutual TLS","details":"The Pro-Watch DTU REST API authenticates clients via mutual TLS — the AE-side connector presents a client certificate that the Pro-Watch server validates against its configured trust store. The connector's `Authorization` system parameter holds the bearer / token if the deployment layers additional auth atop mTLS.\n","credentialStorage":"Client certificate stored in AE's connector configuration / certificate store.","citation":{"source":"src/connectors/pro-watch-dtu-rest/source.pdf","locator":"Detected by deterministic recognition — multiple mTLS mentions in security section."}}],"endpoints":[{"method":"POST","path":"{CREATE_USER0 endpoint}","description":"Create User Account (badge-level account creation).","category":"provisioning","direction":"outbound"},{"method":"PUT","path":"{UPDATE_USER0 endpoint}","description":"Update User Account.","category":"provisioning","direction":"outbound"},{"method":"DELETE","path":"{DELETE_USER0 endpoint}","description":"Delete User Account.","category":"deprovisioning","direction":"outbound"},{"method":"POST","path":"{LOCK_USER0 endpoint}","description":"Lock User Account.","category":"lifecycle","direction":"outbound"},{"method":"POST","path":"{UNLOCK_USER0 endpoint}","description":"Unlock User Account.","category":"lifecycle","direction":"outbound"},{"method":"GET","path":"{SEARCH_USER0 endpoint}","description":"Search / lookup users for reconciliation.","category":"query","direction":"outbound"},{"method":"POST","path":"{ASSIGN_BADGE0 endpoint}","description":"Assign Credential (Card) to a user.","category":"provisioning","direction":"outbound"},{"method":"PUT","path":"{UPDATE_BADGE0 endpoint}","description":"Update Credential validity dates.","category":"provisioning","direction":"outbound"},{"method":"POST","path":"{ACTIVATE_BADGE0 endpoint}","description":"Activate Credential.","category":"lifecycle","direction":"outbound"},{"method":"POST","path":"{DEACTIVATE_BADGE0 endpoint}","description":"De-activate Credential.","category":"lifecycle","direction":"outbound"},{"method":"DELETE","path":"{REMOVE_BADGE0 endpoint}","description":"Remove Credential from user.","category":"deprovisioning","direction":"outbound"},{"method":"POST","path":"{ADD_ROLE0 endpoint}","description":"Add Role (ClearCode) to user.","category":"provisioning","direction":"outbound"},{"method":"DELETE","path":"{REMOVE_ROLE0 endpoint}","description":"Remove Role (ClearCode) from user.","category":"deprovisioning","direction":"outbound"},{"method":"GET","path":"{GET_ALL_ROLES0 endpoint}","description":"Fetch all available roles (ClearCodes).","category":"query","direction":"outbound"},{"method":"GET","path":"{GET_ALL_USERS0 endpoint}","description":"Fetch all users for full reconciliation.","category":"query","direction":"outbound"}],"dataFields":[],"rateLimits":[],"prerequisites":[{"title":"Pro-Watch 6.x with REST DTU API enabled","description":"A Pro-Watch 6 or 6.5 deployment with the RESTful DTU API enabled. The `Instance URL` system parameter must point to the API base (example from guide: `http://172.16.38.106:8734/pwapi`).\n","owner":"customer","citation":{"source":"src/connectors/pro-watch-dtu-rest/source.pdf","locator":"p5 — Instance URL example","quote":"http://172.16.38.106:8734/pwapi"}},{"title":"mTLS client certificate provisioned","description":"AE-side client certificate provisioned and trusted by the Pro-Watch DTU REST API's mTLS configuration. This is the primary auth mechanism — without a valid client cert the API rejects all requests.\n","owner":"joint","leadTime":"Certificate issuance + trust-store update on Pro-Watch side"},{"title":"Per-operation endpoint URLs configured","description":"All 15+ operation endpoints (`CREATE_USER0`, `UPDATE_USER0`, `DELETE_USER0`, `LOCK_USER0`, `UNLOCK_USER0`, `SEARCH_USER0`, `ASSIGN_BADGE0`, `UPDATE_BADGE0`, `ACTIVATE_BADGE0`, `DEACTIVATE_BADGE0`, `REMOVE_BADGE0`, `ADD_ROLE0`, `REMOVE_ROLE0`, `GET_ALL_ROLES0`, `GET_ALL_USERS0`) must be configured as System Parameters. This connector's flexibility is also its setup burden — there is no single API root.\n","owner":"ae"},{"title":"Identifier-key system parameters set","description":"The connector requires `User Identifier Key`, `Badge Identifier Key`, `Created User Identifier Key`, and `Role Identifier Key` system parameters configured to map API response keys back to AE-side identifiers.\n","owner":"ae"},{"title":"Run Database Scripts in HSC Application Table","description":"Per the connector guide's Chapter 3 installation step, database scripts must be executed in the HSC application table for the connector to function correctly. Run as part of connector deployment.\n","owner":"ae"}],"knownLimitations":[{"title":"15+ endpoint URLs to configure (high setup burden)","description":"Because the connector uses the generic REST connector framework with per-operation endpoint System Parameters, customers must configure each endpoint URL individually. A misconfigured endpoint shows as a single-operation failure rather than a global connector failure, which can make initial diagnosis more painful than for connectors with a single API root.\n","severity":"informational"}],"relatedConnectors":["honeywell-prowatch","honeywell-pro-watch-dtu"],"relatedConcepts":["cardholder","badge-or-credential","access-level","reader"],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-prowatch-dtu-rest-connector","name":"Alert Pro-Watch DTU REST Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE's REST-based Pro-Watch connector using the generic IRESTConnectorInterface framework with per-operation endpoint configuration."},{"id":"prowatch-dtu-rest-api","name":"Pro-Watch DTU REST API (/pwapi)","kind":"gateway","vendor":"honeywell","trustZone":"customer-onprem","description":"Honeywell's modern RESTful DTU API for Pro-Watch 6.x. Authenticates clients via mTLS."},{"id":"prowatch-server","name":"Honeywell Pro-Watch Server (6.x)","kind":"platform","vendor":"honeywell","trustZone":"customer-onprem","description":"Pro-Watch 6.x PACS application server."}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Provisioning + reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-prowatch-dtu-rest-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-prowatch-dtu-rest-connector","to":"prowatch-dtu-rest-api","label":"REST over mTLS","transport":"rest","auth":"mtls","carries":"User (badge) / credential (card) / role (ClearCode) provisioning + reconciliation","direction":"bidirectional","trustCrossing":true},{"from":"prowatch-dtu-rest-api","to":"prowatch-server","label":"Internal API","transport":"proprietary-api","direction":"bidirectional","trustCrossing":false}]},"citations":[{"source":"src/connectors/pro-watch-dtu-rest/source.pdf","locator":"Full connector guide — 45 pages, revision 2.0 dated 2025-11-19"},{"source":"src/connectors/pro-watch-dtu-rest/source.pdf","locator":"p7 — Supported Version","quote":"The ProWatch DTU Rest connector supports Pro-Watch version 6, 6.5."},{"source":"src/connectors/pro-watch-dtu-rest/source.pdf","locator":"p7 — Connector Architecture","quote":"The ProWatch DTU Rest Connector relies on the out-of-the-box RESTful APIs provided by the ProWatch DTU system to perform these operations efficiently."}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2025-11-19","sourceSha256":"64ea691b13bf6399bea5b1e3b4a3270059da97978b2cc286f4ffdf374e46ded6","kind":"pacs","fields":{"readerProtocols":[],"cardFormats":[],"topology":"on-prem","eventModel":"polling","pollInterval":"AE-side schedule per customer.","eventTypes":[],"antiPassback":"unknown","holidaySchedules":"unknown","cardholderModel":"Pro-Watch 6.x cardholder model — see [[honeywell-prowatch]] for the underlying schema. The REST API surfaces this through user / badge / card resources rather than table-level access.\n","accessRightsModel":"Same Pro-Watch badge-level role assignment as the other Pro-Watch connectors, but exposed through REST endpoints with **ClearCode** as Pro-Watch's term for the role primitive.\n","multiTenancy":"Single Pro-Watch 6.x instance per AE→Pro-Watch DTU REST connector.\n"}},"rhds-rest":{"id":"rhds-rest","name":"RHDS (Reusable HR Data Service)","vendor":"AlertEnterprise","vendorId":"ae","connectorPackage":"AE_HSc_RHDS_RestConnectorGuide","status":"active","description":"The RHDS connector integrates AlertEnterprise Guardian with **RHDS (Reusable HR Data Service)** — another AlertEnterprise-developed HR normalization layer, distinct from [[hrds-rest]] in that **RHDS uses GraphQL** rather than OData. The same naming-vs-protocol mismatch as [[ssg-entre-rest]] applies: \"Rest\" in the package name; GraphQL queries on the wire.\n\nBoth authentication paths are supported: OAuth 2.0 client credentials and Basic auth — the deployment chooses which based on customer policy.\n\nFor deployments standardized on OData / multiple-API-families, prefer [[hrds-rest]]. RHDS is the GraphQL-based alternative.\n","versions":[{"range":"RHDS 8.4 and above","status":"active"}],"transports":["graphql"],"directions":["bidirectional"],"authentication":[{"kind":"oauth2-client-credentials","label":"RHDS OAuth 2.0 client credentials","details":"OAuth 2.0 client credentials grant — typical preferred auth.","credentialStorage":"Encrypted in AE connector configuration."},{"kind":"basic","label":"RHDS basic auth (alternative)","details":"Basic auth supported as an alternative when the deployment can't accommodate OAuth.","credentialStorage":"Encrypted in AE connector configuration."}],"endpoints":[],"dataFields":[],"rateLimits":[],"prerequisites":[{"title":"RHDS 8.4+ deployment with API access","description":"An operational RHDS deployment exposing GraphQL APIs.","owner":"customer"}],"knownLimitations":[{"title":"\"Rest\" in the name; GraphQL on the wire","description":"Same naming quirk as [[ssg-entre-rest]]. Operators expecting REST endpoints should expect GraphQL queries/mutations instead. AE's REST connector framework hosts the connector; the wire protocol downstream is GraphQL.\n","severity":"informational","citation":{"source":"src/connectors/rhds-rest/source.pdf","locator":"p6 — Connector Architecture","quote":"The RHDS Rest Connector relies on the GraphQL APIs provided by the RHDS system to perform these operations efficiently."}}],"relatedConnectors":["hrds-rest"],"relatedConcepts":["lifecycle-events","system-of-record"],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (REST)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-rhds-connector","name":"Alert RHDS Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"rhds-graphql-api","name":"RHDS GraphQL APIs","kind":"gateway","vendor":"ae","trustZone":"customer-cloud"},{"id":"rhds-system","name":"RHDS Backend","kind":"platform","vendor":"ae","trustZone":"customer-cloud"}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-rhds-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-rhds-connector","to":"rhds-graphql-api","label":"GraphQL queries + OAuth bearer","transport":"graphql","auth":"oauth2-client-credentials","carries":"HR records via GraphQL","direction":"bidirectional","trustCrossing":true},{"from":"rhds-graphql-api","to":"rhds-system","label":"Internal API","transport":"proprietary-api","direction":"bidirectional","trustCrossing":false}]},"citations":[{"source":"src/connectors/rhds-rest/source.pdf","locator":"Full connector guide — 56 pages, updated 2025-11-04"},{"source":"src/connectors/rhds-rest/source.pdf","locator":"p5 — Supported Version","quote":"The RHDS Rest connector supports RHDS Rest version 8.4 and above."}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2025-11-04","sourceSha256":"9d3e87e27ba2726eab746cc60c0841170aafb910eea32909d34c246ee3de5c56","kind":"hr","fields":{"syncMode":["full-load","delta"],"direction":"inbound","lifecycleEvents":["hire","transfer","termination","title-change","manager-change"],"contingentWorkerSupport":true}},"rs2-access-it":{"id":"rs2-access-it","name":"RS2 AccessIt!","vendor":"RS2 Technologies","vendorId":"rs2","connectorPackage":"AE_HSc_RS2AccessItConnectorGuide","status":"active","description":"The RS2 AccessIt! connector integrates AlertEnterprise Guardian with **RS2 AccessIt!** — RS2 Technologies' enterprise PACS, with broad version coverage from AccessIt! 8.x through 11.x. RS2 is commonly deployed in healthcare, retail, and federal-adjacent verticals.\n\nArchitecture: **AE → ACF → RS2AccessIt Connector → AccessIt! RESTful API → AccessIt! System**. The connector uses HTTPS REST. The REST API must be enabled on the RS2AccessIt system side — it's not on by default.\n","versions":[{"range":"RS2 AccessIt! 8.x, 9.x, 10.x, 11.x","status":"active"}],"transports":["rest"],"directions":["bidirectional"],"authentication":[{"kind":"basic","label":"AccessIt! REST API credentials","details":"Basic auth credentials configured in AE connector. The connector sends credentials on every REST call to the AccessIt! API.\n","credentialStorage":"Encrypted in AE connector configuration."}],"endpoints":[],"dataFields":[],"rateLimits":[],"prerequisites":[{"title":"RS2AccessIt REST API enabled","description":"The RESTful API must be enabled on the RS2AccessIt system and made accessible to the AE application server. The API is not enabled by default — coordinate with the RS2AccessIt administrator to turn it on.\n","owner":"customer","citation":{"source":"src/connectors/rs2-access-it/source.pdf","locator":"p7 — Connector Architecture","quote":"The Restful API needs to be enabled on RS2AccessIt system and made accessible to Alert Application server for the integration to work."}},{"title":"AccessIt! operator account with API privileges","description":"Dedicated AccessIt! operator with provisioning + reconciliation privileges.\n","owner":"customer"}],"knownLimitations":[],"relatedConnectors":[],"relatedConcepts":["cardholder","badge-or-credential","access-level"],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-rs2-connector","name":"Alert RS2 AccessIt Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"rs2-rest-api","name":"RS2 AccessIt RESTful API","kind":"gateway","vendor":"rs2","trustZone":"customer-onprem","description":"AccessIt!'s REST API surface. Must be explicitly enabled customer-side."},{"id":"rs2-system","name":"RS2 AccessIt! System","kind":"platform","vendor":"rs2","trustZone":"customer-onprem"}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Provisioning + reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-rs2-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-rs2-connector","to":"rs2-rest-api","label":"REST over HTTPS","transport":"rest","auth":"basic","carries":"User / badge / access provisioning + reconciliation","direction":"bidirectional","trustCrossing":true},{"from":"rs2-rest-api","to":"rs2-system","label":"Internal API","transport":"proprietary-api","direction":"bidirectional","trustCrossing":false}]},"citations":[{"source":"src/connectors/rs2-access-it/source.pdf","locator":"Full connector guide — 26 pages"},{"source":"src/connectors/rs2-access-it/source.pdf","locator":"p5 — Supported Version","quote":"The RS2AccessIt Connector supports RS2AccessIt version 8.x, 9.x, 10.x, 11.x."}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2024-12-17","sourceSha256":"e9e01c44235c25c44d557d6eb6ae43a636938d12eebb962627fe044cb6526356","kind":"pacs","fields":{"readerProtocols":[],"cardFormats":[],"topology":"on-prem","eventModel":"polling","pollInterval":"AE-side schedule per customer.","eventTypes":[],"antiPassback":"unknown","holidaySchedules":"unknown","cardholderModel":"AccessIt! cardholder model with associated cards and access privileges.\n","accessRightsModel":"AccessIt! access privileges assigned to cardholders/cards.\n","multiTenancy":"Single AccessIt! instance per AE→RS2AccessIt connector.\n"}},"s2-net-box":{"id":"s2-net-box","name":"S2 NetBox","vendor":"S2 Security (Lenel / HID)","vendorId":"s2","connectorPackage":"AE_HSc_S2NetBoxConnectorGuide","status":"active","description":"The S2 NetBox connector integrates AlertEnterprise Guardian with **S2 NetBox** — S2 Security's appliance-based PACS, well known in mid-market and education verticals before S2's acquisition into the Lenel / HID portfolio. The NetBox appliance ships with an embedded web server and REST API, making it relatively straightforward to integrate with.\n\nArchitecture: **AE → ACF → S2 NetBox Connector → S2 NetBox RESTful API → S2 NetBox Access Control System**. Single transport (REST) over HTTPS.\n","versions":[{"range":"S2 NetBox 4.8, 5.2.2, 5.6.2","status":"active"}],"transports":["rest"],"directions":["bidirectional"],"authentication":[{"kind":"basic","label":"S2 NetBox API credentials","details":"Basic auth credentials configured in AE connector. SSL/TLS required.","credentialStorage":"Encrypted in AE connector configuration."}],"endpoints":[],"dataFields":[],"rateLimits":[],"prerequisites":[{"title":"S2 NetBox appliance with REST API enabled","description":"An operational S2 NetBox appliance (versions 4.8, 5.2.2, or 5.6.2) with the REST API enabled and reachable from the AE application server.\n","owner":"customer","citation":{"source":"src/connectors/s2-net-box/source.pdf","locator":"p7 — Connector Architecture","quote":"The S2 NetBox Connector is built on top of the S2 NetBox Restful API, which is provided by the Access control system out of the box."}}],"knownLimitations":[],"relatedConnectors":[],"relatedConcepts":["cardholder","badge-or-credential","access-level"],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-s2-connector","name":"Alert S2 NetBox Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"s2-rest-api","name":"S2 NetBox Restful API","kind":"gateway","vendor":"s2","trustZone":"customer-onprem"},{"id":"s2-system","name":"S2 NetBox Access Control System","kind":"platform","vendor":"s2","trustZone":"customer-onprem","description":"S2 Security's PACS appliance."}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Provisioning + reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-s2-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-s2-connector","to":"s2-rest-api","label":"REST over HTTPS","transport":"rest","auth":"basic","carries":"Cardholder provisioning + reconciliation","direction":"bidirectional","trustCrossing":true},{"from":"s2-rest-api","to":"s2-system","label":"Internal API","transport":"proprietary-api","direction":"bidirectional","trustCrossing":false}]},"citations":[{"source":"src/connectors/s2-net-box/source.pdf","locator":"Full connector guide — 24 pages, updated 2024-11-22"},{"source":"src/connectors/s2-net-box/source.pdf","locator":"p5 — Supported Version","quote":"x Connector supports S2NetBox version 4.8, 5.2.2, 5.6.2"}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2024-11-22","sourceSha256":"fee470b656599e9717a5e3b7a963cc135842a7366c6589370bf30e1e6bddf6fd","kind":"pacs","fields":{"readerProtocols":[],"cardFormats":[],"topology":"on-prem","eventModel":"polling","pollInterval":"AE-side schedule per customer.","eventTypes":[],"antiPassback":"unknown","holidaySchedules":"unknown","cardholderModel":"S2 NetBox models cardholders with associated cards and access levels via REST resources.\n","accessRightsModel":"S2 NetBox access levels exposed through REST.\n","multiTenancy":"Single S2 NetBox appliance per AE→S2 connector.\n"}},"safe-trust":{"id":"safe-trust","name":"SafeTrust","vendor":"SafeTrust","vendorId":"safe-trust","connectorPackage":"AE_HSc_SafeTrustConnectorGuide","status":"active","description":"The SafeTrust connector integrates AlertEnterprise with **SafeTrust** — a credential-provider system.\n\n**This record was auto-generated by `scripts/ingest/template-connector.ts` from the AE connector guide.** Structured fields (versions, transports, authentication, composition graph) are derived from deterministic recognition; the description, prerequisites, dataFields, knownLimitations, and kind-specific fields are placeholders to be filled in during the category authoring wave for credential-provider connectors.\n\nSource: `AE_HSc_SafeTrustConnectorGuide.pdf` (page count: 17).\n","versions":[{"range":"rectory>:\\alert-server-1.0_10.8.202.3710\\lib","status":"active"}],"transports":["rest"],"directions":["bidirectional"],"authentication":[{"kind":"api-key","label":"API key","details":"Detected from connector guide (deterministic recognition). Refine prose and add citation page numbers per the AE-internal authoring conventions.\n"}],"endpoints":[],"dataFields":[],"rateLimits":[],"prerequisites":[],"knownLimitations":[],"relatedConnectors":[],"relatedConcepts":[],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-safe-trust-connector","name":"Alert SafeTrust Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE's SafeTrust-specific connector module."},{"id":"safe-trust-system","name":"SafeTrust System","kind":"platform","vendor":"safe-trust","trustZone":"vendor-cloud","description":"The customer's SafeTrust system or tenant — authoritative source for the data this connector reads / writes.\n"}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Provisioning + reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-safe-trust-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-safe-trust-connector","to":"safe-trust-system","label":"API calls (provisioning + reconciliation)","transport":"rest","carries":"Connector-specific data","direction":"bidirectional","trustCrossing":true}]},"citations":[{"source":"src/connectors/safe-trust/source.pdf","locator":"Connector guide — 17 pages"},{"source":"src/connectors/safe-trust/source.pdf","locator":"p3 — Chapter 1, Introduction................................................................................................................. 5"}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2025-03-27","sourceSha256":"013e475be93ecd6fa3711b9d85faea09a6d1016422bdb48a12ef778eff7757d8","kind":"credential-provider","fields":{"wallets":[],"lifecycleStates":[]}},"sail-point-rest":{"id":"sail-point-rest","name":"SailPoint (Identity Security Cloud)","vendor":"SailPoint","vendorId":"sailpoint","connectorPackage":"AE_HSc_SailPoint_RestConnectorGuide","status":"active","description":"$27","versions":[{"range":"SailPoint Identity Security Cloud (versionless / continuously updated SaaS)","status":"active","notes":"SailPoint Identity Security Cloud is a cloud SaaS with no discrete versions. The connector targets SailPoint's Public APIs."}],"transports":["rest"],"directions":["inbound"],"authentication":[{"kind":"oauth2-client-credentials","label":"SailPoint Public API OAuth 2.0 client credentials","details":"The connector authenticates to SailPoint via OAuth 2.0 client credentials grant. Tenant admin generates a Personal Access Token (or app-registration-style client_id + client_secret) in SailPoint admin. The connector posts to `/oauth/token?grant_type=client_credentials` with `client_id` + `client_secret` and uses the returned bearer token on subsequent API calls.\n","credentialStorage":"Encrypted in AE connector configuration.","citation":{"source":"src/connectors/sail-point-rest/source.pdf","locator":"p7-8 — API Endpoints / Authentication","quote":"URL: /oauth/token?grant_type=client_credentials / grant_type: client_credentials / client_id: {client_id} / client_secret: {client_secret}"}}],"endpoints":[{"method":"POST","path":"{instance}/oauth/token?grant_type=client_credentials","description":"OAuth 2.0 token exchange.","category":"auth","direction":"outbound","authMethod":"oauth2-client-credentials"},{"method":"POST","path":"{instance}/v3/search","description":"Search SailPoint identity events / identities — used for new-hire detection and incremental reconciliation. Indices include `events`, `identities`.","category":"query","direction":"outbound"}],"dataFields":[],"rateLimits":[{"scope":"SailPoint Public APIs","limit":"Tenant-scoped throttling — limits vary by API and SailPoint subscription tier","per":"tenant","notes":"SailPoint documents rate limits per-tenant. AE polls at a configurable interval (default 15 minutes) to stay well under typical limits."}],"prerequisites":[{"title":"SailPoint Identity Security Cloud tenant with Public API access","description":"An operational SailPoint Identity Security Cloud tenant. Tenant admin must enable Public API access and generate OAuth client credentials.\n","owner":"customer"},{"title":"AE Guardian workflows mapped to SailPoint event types","description":"AE Guardian-side workflow mappings must be configured for the events of interest — new hire, identity-attribute change, termination. Without these mappings, polling SailPoint produces events that AE doesn't act on.\n","owner":"ae"}],"knownLimitations":[{"title":"Reconciliation only (no provisioning back to SailPoint)","description":"The connector reads from SailPoint but does not write into it. SailPoint remains the authority for the identity lifecycle; AE consumes events and acts on them downstream. If a deployment requires AE to push into SailPoint, that requires custom connector development.\n","severity":"important","citation":{"source":"src/connectors/sail-point-rest/source.pdf","locator":"p6 — Connector Capabilities","quote":"The connector capabilities include the following: ● Reconciliation Capabilities"}},{"title":"Active iteration — track guide revisions","description":"6 revisions in 8 months (Sept 2025 - April 2026), with active updates to system parameters and query payloads. Verify against the latest connector guide revision before each deployment and after each SailPoint platform update.\n","severity":"informational"}],"relatedConnectors":["active-directory","microsoft-entra-id","okta"],"relatedConcepts":["iga","system-of-record","lifecycle-events","oidc","saml","scim"],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-sailpoint-connector","name":"Alert SailPoint Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"sailpoint-rest-api","name":"SailPoint Public REST APIs","kind":"gateway","vendor":"sailpoint","trustZone":"vendor-cloud","description":"SailPoint Identity Security Cloud's REST API surface. OAuth 2.0 authenticated."},{"id":"sailpoint-system","name":"SailPoint Identity Security Cloud","kind":"platform","vendor":"sailpoint","trustZone":"vendor-cloud","description":"SailPoint's IGA platform — owns the customer's identity lifecycle, access reviews, certifications, SOD policy enforcement."}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-sailpoint-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-sailpoint-connector","to":"sailpoint-rest-api","label":"Public REST + OAuth bearer (polling at 15-min default)","transport":"rest","auth":"oauth2-client-credentials","carries":"Identity events, identity attribute updates, lifecycle state","direction":"inbound","trustCrossing":true},{"from":"sailpoint-rest-api","to":"sailpoint-system","label":"Internal API","transport":"proprietary-api","direction":"inbound","trustCrossing":false}]},"citations":[{"source":"src/connectors/sail-point-rest/source.pdf","locator":"Full connector guide — 32 pages, revision 6.0 dated 2026-04-06"},{"source":"src/connectors/sail-point-rest/source.pdf","locator":"p7 — Connector Architecture","quote":"The REST Connector Framework uses the SailPoint connector to call the SailPoint RESTful APIs to perform operations in the SailPoint system."},{"source":"src/connectors/sail-point-rest/source.pdf","locator":"p7 — Integration Mechanism / Polling Schedule","quote":"A configurable interval, such as every 15 minutes, is used to pull data."}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2026-04-09","sourceSha256":"abf9d044321c3b66b02c87aa9d2f1ad32f6a3b9e695a124306a4fef71067ec03","kind":"iam","fields":{"oidcSupport":"yes","samlSupport":"yes","samlBinding":[],"scimSupport":"yes","scimVersion":"SCIM 2.0 (SailPoint supports SCIM as a downstream-system protocol; this connector reads from SailPoint's Public APIs, not via SCIM)","jitProvisioning":"configurable","mfaModel":"SailPoint defers MFA to the upstream IdP (Okta, Entra ID). The connector reads identity state from SailPoint but does not configure or enforce MFA itself.\n","groupSyncMode":"not-supported","defaultAttributeMapping":"SailPoint identity attributes — id, name, email, employeeNumber, department, manager, lifecycleState, status. AE-side mapping is configurable.\n","sourceOfRecord":true}},"sap-btp":{"id":"sap-btp","name":"SAP BTP (Business Technology Platform)","vendor":"SAP","vendorId":"sap","connectorPackage":"AE_HSc_SAPBTPConnectorGuide","status":"active","description":"$28","versions":[{"range":"SAP BTP / Cloud Integration (versionless cloud service)","status":"active"}],"transports":["rest"],"directions":["bidirectional"],"authentication":[{"kind":"oauth2-client-credentials","label":"OAuth 2.0 client credentials (typical)","details":"OAuth 2.0 client credentials grant is the most common authentication mode. Token URL pattern `{tenant}.fgvms.com/api/oauth2/v2.0/token`.","credentialStorage":"Encrypted in AE connector configuration."},{"kind":"saml","label":"SAML (alternative)","details":"SAML authentication supported for SuccessFactors-backed IFlows."},{"kind":"api-key","label":"API key (alternative)","details":"API key auth supported for some IFlow configurations."},{"kind":"basic","label":"Basic auth (alternative)","details":"Basic auth fallback for legacy configurations."}],"endpoints":[],"dataFields":[],"rateLimits":[],"prerequisites":[{"title":"SAP BTP / Cloud Integration tenant with IFlows configured","description":"An operational SAP BTP tenant with Cloud Integration enabled and IFlows configured for the source systems of interest (SuccessFactors, SuccessFactors Learning, Fieldglass).\n","owner":"customer"},{"title":"BTP service-binding credentials for AE","description":"Tenant admin provisions client credentials for the AE integration.","owner":"customer"}],"knownLimitations":[{"title":"Categorized as HR but actually an integration platform","description":"BTP itself is an integration mediation platform (closer in spirit to a `kind: integration-platform` connector). Classified `kind: hr` only because its dominant AE use case is HR data mediation.\n","severity":"informational"}],"relatedConnectors":["sap-hr","sap-fieldglass","success-factors-lms"],"relatedConcepts":["iflow","lifecycle-events","system-of-record"],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-sap-btp-connector","name":"Alert SAP BTP Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"sap-btp-cloud-integration","name":"SAP BTP Cloud Integration","kind":"mediator","vendor":"sap","trustZone":"vendor-cloud","description":"SAP's integration mediation platform. Hosts IFlows that connect to upstream HR sources."},{"id":"sap-successfactors","name":"SAP SuccessFactors","kind":"platform","vendor":"sap","trustZone":"vendor-cloud","description":"SAP's cloud HCM platform."},{"id":"sap-successfactors-lms","name":"SAP SuccessFactors Learning (LMS)","kind":"platform","vendor":"sap","trustZone":"vendor-cloud"},{"id":"sap-fieldglass","name":"SAP Fieldglass","kind":"platform","vendor":"sap","trustZone":"vendor-cloud","description":"SAP's contingent workforce management platform."}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-sap-btp-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-sap-btp-connector","to":"sap-btp-cloud-integration","label":"BTP Cloud Integration REST + OAuth bearer","transport":"rest","auth":"oauth2-client-credentials","direction":"bidirectional","trustCrossing":true},{"from":"sap-btp-cloud-integration","to":"sap-successfactors","label":"IFlow → SuccessFactors","transport":"proprietary-api","direction":"bidirectional","trustCrossing":false},{"from":"sap-btp-cloud-integration","to":"sap-successfactors-lms","label":"IFlow → SuccessFactors Learning","transport":"proprietary-api","direction":"bidirectional","trustCrossing":false},{"from":"sap-btp-cloud-integration","to":"sap-fieldglass","label":"IFlow → Fieldglass","transport":"proprietary-api","direction":"bidirectional","trustCrossing":false}]},"citations":[{"source":"src/connectors/sap-btp/source.pdf","locator":"Full connector guide — 70 pages, updated 2025-08-28"}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2025-08-28","sourceSha256":"b34e8c5af423215417093388ac681cca9df95ce0060dbf15d5cc109b423e5223","kind":"hr","fields":{"syncMode":["full-load","delta"],"direction":"inbound","lifecycleEvents":["hire","transfer","termination"],"contingentWorkerSupport":true,"fieldMappingNotes":"Mediated through IFlows — field mappings are IFlow-specific per upstream source."}},"sap-fieldglass":{"id":"sap-fieldglass","name":"SAP Fieldglass","vendor":"SAP","vendorId":"sap","connectorPackage":"AE_HSc_SAPFieldglassConnectorGuide","status":"active","description":"The SAP Fieldglass connector integrates AlertEnterprise Guardian with **SAP Fieldglass** — SAP's cloud Vendor Management System (VMS) for contingent labor. Fieldglass governs **contingent workers** (contractors, consultants, statement-of-work resources) separately from full-time employees, which typically live in SAP SuccessFactors / SAP HR / Workday.\n\nThis is the connector to use when AE Guardian needs visibility into the contingent workforce identity lifecycle — onboarding a new contractor, off-boarding when their engagement ends, applying appropriate PIAM workflows. For full-time employees on the SAP stack, use [[sap-hr]] or the [[sap-btp]] mediation layer for SuccessFactors.\n\nArchitecture: **AE → ACF → SAP Fieldglass Adapter → SAP Fieldglass Web Service (part of SAP Fieldglass SDK) → Fieldglass System**.\n","versions":[{"range":"SAP Fieldglass 7.x.x","status":"active"}],"transports":["rest"],"directions":["bidirectional"],"authentication":[{"kind":"basic","label":"SAP Fieldglass Web Service credentials","details":"Basic auth credentials configured in AE connector System Parameters.","credentialStorage":"Encrypted in AE connector configuration."}],"endpoints":[],"dataFields":[],"rateLimits":[],"prerequisites":[{"title":"SAP Fieldglass 7.x deployment with Web Service deployed","description":"An operational SAP Fieldglass deployment with the Fieldglass SDK Web Service deployed and reachable.\n","owner":"customer","citation":{"source":"src/connectors/sap-fieldglass/source.pdf","locator":"p7 — Connector Architecture","quote":"This Web Service is a prerequisite for deploying the SAP Fieldglass connector and is available as part of SAP Fieldglass SDK."}},{"title":"Fieldglass operator account with API access","description":"Dedicated Fieldglass operator with privileges to read contingent worker data.","owner":"customer"}],"knownLimitations":[],"relatedConnectors":["sap-hr","sap-btp","sap-fieldglass"],"relatedConcepts":["lifecycle-events","system-of-record"],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-fieldglass-adapter","name":"Alert SAP Fieldglass Adapter","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"fieldglass-web-service","name":"SAP Fieldglass Web Service","kind":"gateway","vendor":"sap","trustZone":"vendor-cloud"},{"id":"fieldglass-system","name":"SAP Fieldglass (Contingent Workforce VMS)","kind":"platform","vendor":"sap","trustZone":"vendor-cloud"}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-fieldglass-adapter","label":"ACF → adapter dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-fieldglass-adapter","to":"fieldglass-web-service","label":"SDK Web Service REST + Basic","transport":"rest","auth":"basic","carries":"Contingent worker records (contractor / consultant / SOW resource)","direction":"inbound","trustCrossing":true},{"from":"fieldglass-web-service","to":"fieldglass-system","label":"Internal API","transport":"proprietary-api","direction":"inbound","trustCrossing":false}]},"citations":[{"source":"src/connectors/sap-fieldglass/source.pdf","locator":"Full connector guide — 17 pages, updated 2025-08-07"},{"source":"src/connectors/sap-fieldglass/source.pdf","locator":"p5 — Supported Version","quote":"The SAP Fieldglass Connector supports SAP Fieldglass version 7.x.x"}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2025-08-07","sourceSha256":"69d3a130a6be669cf1ffc94bfafb4ca5466de7cc45735beca4cdceedeb006c61","kind":"hr","fields":{"syncMode":["full-load","delta"],"direction":"inbound","lifecycleEvents":["hire","transfer","termination","title-change","manager-change"],"contingentWorkerSupport":true,"fieldMappingNotes":"Fieldglass contingent worker attributes — workerID, firstName, lastName, supplierID (the staffing firm), engagementStartDate, engagementEndDate, role, costCenter, manager.\n"}},"sap-hr":{"id":"sap-hr","name":"SAP HR (HCM on SAP ECC)","vendor":"SAP","vendorId":"sap","connectorPackage":"AE_HSc_SAPHRConnectorGuide","status":"active","description":"$29","versions":[{"range":"SAP ECC 6.0 and above","status":"active"}],"transports":["proprietary-api"],"directions":["inbound"],"authentication":[{"kind":"basic","label":"SAP RFC / BAPI service-user credentials","details":"Authentication uses an SAP service-account user with privileges to call the RFC / BAPI endpoints the connector consumes. Credentials configured in AE System Parameters; SAP RFC connection uses sapjco3.jar Java connector library.\n","credentialStorage":"Encrypted in AE connector configuration."}],"endpoints":[],"dataFields":[],"rateLimits":[],"prerequisites":[{"title":"SAP ECC 6.0+ deployment with HR/HCM module","description":"An operational SAP ECC 6.0 or later deployment with SAP HR/HCM module licensed and configured.\n","owner":"customer"},{"title":"SAP service-user with RFC + BAPI privileges","description":"Dedicated SAP service account with privileges to invoke the RFC function modules / BAPIs the connector uses for employee data extraction.\n","owner":"customer"},{"title":"SAP JCo (Java Connector) library deployed","description":"`sapjco3.jar` Java Connector library must be deployed on the AE application server.\n","owner":"ae"}],"knownLimitations":[],"relatedConnectors":["sap-btp","sap-fieldglass","workday"],"relatedConcepts":["lifecycle-events","system-of-record","integration-system-user"],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-sap-hr-adapter","name":"Alert SAP HR Adapter","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"sap-hr-system","name":"SAP ECC 6.0+ (HR/HCM)","kind":"platform","vendor":"sap","trustZone":"customer-onprem","description":"SAP ECC 6.0+ system with HR/HCM module — system of record for employee identity."}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-sap-hr-adapter","label":"ACF → adapter dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-sap-hr-adapter","to":"sap-hr-system","label":"SAP RFC / BAPI calls","transport":"proprietary-api","auth":"basic","carries":"Employee lifecycle events (hire / transfer / termination / promotion)","direction":"inbound","trustCrossing":true}]},"citations":[{"source":"src/connectors/sap-hr/source.pdf","locator":"Full connector guide — 17 pages, updated 2024-08-28"},{"source":"src/connectors/sap-hr/source.pdf","locator":"p5 — Supported Version","quote":"The SAP HR connector supports SAP ECC 6.0 version and above."}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2024-08-28","sourceSha256":"5ccfe3701311f1d6401cd3feb11e8f2c06b31128ea9634d7eba32799583b4046","kind":"hr","fields":{"syncMode":["full-load","delta"],"scheduledSync":"configurable","direction":"inbound","lifecycleEvents":["hire","rehire","transfer","promotion","demotion","leave","return-from-leave","termination","title-change","manager-change","location-change"],"contingentWorkerSupport":false,"bulkOperations":"Full-load reconciliation supported for initial sync / cutover. Subsequent runs use delta extraction (events changed since last run).\n","fieldMappingNotes":"Standard SAP HR fields (PERNR = personnel number, NACHN = surname, VORNA = first name, PERSG = employee group, PERSK = employee subgroup, BUKRS = company code, WERKS = personnel area, ORGEH = organizational unit, PLANS = position). Mapping to AE Guardian attributes is configurable.\n"}},"si-pass":{"id":"si-pass","name":"Siemens SiPass","vendor":"Siemens","vendorId":"siemens","connectorPackage":"AE_HSc_SiPassConnectorGuide","status":"active","description":"The SiPass connector integrates AlertEnterprise Guardian with **Siemens SiPass** — Siemens' flagship enterprise PACS, widely deployed in financial services, healthcare, and large corporate environments across EMEA. SiPass is the higher-end Siemens PACS; for the smaller / midmarket Siemens line, see [[siemens-siport]] and [[siport-rest]].\n\nThe architecture is straightforward: **AE → ACF → SiPass Connector → SiPass SDK Web Service → SiPass System**. The Web Service that the connector talks to is bundled with the **SiPass SDK** and must be deployed as part of the SiPass installation — it is a hard prerequisite for the connector.\n\nThe connector ships as `ALNTSiPassConnector-5.0-SNAPSHOT.jar` and registers `com.alnt.connector.provisioning.services.SiPassHRApiRestConnectionInterface` as the extractor class. Despite \"HRApiRest\" in the class name, the underlying transport with the SiPass Web Service is HTTPS — SiPass exposes its API as a SOAP/REST hybrid depending on operation.\n","versions":[{"range":"Siemens SiPass 2.8.X, 2.9.X","connectorVersion":"ALNTSiPassConnector-5.0","status":"active"}],"transports":["rest","soap"],"directions":["bidirectional"],"authentication":[{"kind":"basic","label":"SiPass Web Service credentials over SSL","details":"Authentication uses basic auth credentials configured in the AE connector. SSL/TLS is required between AE and the SiPass Web Service — the connector guide documents the standard `keytool -importcert` procedure to import the SiPass certificate into the AE host's JVM cacerts keystore.\n","credentialStorage":"Encrypted in AE connector configuration."}],"endpoints":[],"dataFields":[],"rateLimits":[],"prerequisites":[{"title":"SiPass SDK Web Service deployed","description":"The Web Service bundled with the SiPass SDK must be deployed and reachable from the AE application server. This is a hard prerequisite — the connector does not talk to SiPass directly.\n","owner":"customer","citation":{"source":"src/connectors/si-pass/source.pdf","locator":"p7 — Connector Architecture","quote":"This Web Service is a prerequisite for deploying the SiPass connector and is available as part of SiPass SDK."}},{"title":"SiPass operator account with API access","description":"A dedicated SiPass operator account with sufficient privileges for the integration's provisioning + reconciliation operations.\n","owner":"customer"},{"title":"SSL certificate trust","description":"SiPass Web Service certificate imported into the AE host's JVM cacerts keystore. The connector guide documents the keytool procedure followed by a restart of the `Job` and `API` services.\n","owner":"ae"}],"knownLimitations":[{"title":"Web Service must be SDK-deployed (no off-the-shelf REST endpoint)","description":"Unlike vendors that ship a REST API as part of the product, SiPass requires the customer to deploy the SDK Web Service explicitly. This adds deployment complexity and a license-side dependency on the SiPass SDK module.\n","severity":"informational"}],"relatedConnectors":["siemens-siport","siport-rest"],"relatedConcepts":["cardholder","badge-or-credential","access-level"],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-sipass-connector","name":"Alert SiPass Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE's SiPass connector module (ALNTSiPassConnector)."},{"id":"sipass-web-service","name":"SiPass SDK Web Service","kind":"gateway","vendor":"siemens","trustZone":"customer-onprem","description":"Web service bundled with the SiPass SDK. Customer-deployed alongside SiPass. Required intermediary."},{"id":"sipass-server","name":"Siemens SiPass Server","kind":"platform","vendor":"siemens","trustZone":"customer-onprem","description":"Siemens' enterprise PACS server."}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Provisioning + reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-sipass-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-sipass-connector","to":"sipass-web-service","label":"HTTPS REST/SOAP","transport":"rest","auth":"basic","carries":"User / badge / role provisioning + reconciliation","direction":"bidirectional","trustCrossing":true},{"from":"sipass-web-service","to":"sipass-server","label":"SDK API","transport":"proprietary-api","direction":"bidirectional","trustCrossing":false}]},"citations":[{"source":"src/connectors/si-pass/source.pdf","locator":"Full connector guide — 33 pages, updated 2024-12-17"},{"source":"src/connectors/si-pass/source.pdf","locator":"p5 — Supported Version","quote":"The SiPass Connector supports SiPass version 2.8.X, 2.9.X."},{"source":"src/connectors/si-pass/source.pdf","locator":"p7 — Connector Architecture","quote":"The connector architecture consists of AlertEnterprise, SiPass Adapter, Web Service and the SiPass system."}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2024-12-17","sourceSha256":"514263747b5e620197203bbe6d14394210afdf2c61f72df3ca4d844fb3e6ec83","kind":"pacs","fields":{"readerProtocols":[],"cardFormats":[],"topology":"on-prem","eventModel":"polling","pollInterval":"AE-side schedule per customer.","eventTypes":[],"antiPassback":"unknown","holidaySchedules":"unknown","cardholderModel":"SiPass models cardholders with associated badges and access levels. Reconciliation supports User / User Badges / User Access Levels full + incremental.\n","accessRightsModel":"Access is granted via SiPass Access Levels assigned to badges. Full + incremental reconciliation of access levels is supported.\n","multiTenancy":"Single SiPass instance per AE→SiPass connector.\n"}},"siemens-siport":{"id":"siemens-siport","name":"Siemens SiPort (Personnel Data Import / JDBC)","vendor":"Siemens","vendorId":"siemens","connectorPackage":"AE_HSc_SiemensSIPORTConnectorGuide","status":"active","description":"$2a","versions":[{"range":"Siemens SiPort MP 2.2, 3.0","connectorVersion":"ALNTSiportConnector-5.0","status":"active","notes":"For Siemens SiPort 2.0+ via REST API, use [[siport-rest]]. For Siemens SiPass (enterprise tier), use [[si-pass]].\n"}],"transports":["jdbc"],"directions":["bidirectional"],"authentication":[{"kind":"basic","label":"SiPort database credentials","details":"Authentication is to the SiPort database via JDBC — database user with INSERT / UPDATE / DELETE privileges on the Personnel Data Import staging tables, and SELECT for reconciliation queries. Credentials configured as System Parameters.\n","credentialStorage":"Encrypted in AE connector configuration."}],"endpoints":[],"dataFields":[],"rateLimits":[],"prerequisites":[{"title":"SiPort Personnel Data Import pre-configured","description":"The \"SIPORT Personnel Data Import\" feature must be pre-configured on the SiPort side. The customer must select the Database, Import Table, and Key-Field values, and move the necessary fields from the \"No Imported fields\" list to the \"Imported fields\" list — only those fields will be provisioned via this path.\n","owner":"customer","citation":{"source":"src/connectors/siemens-siport/source.pdf","locator":"p8 — Installation Prerequisites","quote":"SIPORT Personnel Data Import section needs to be pre-configured."}},{"title":"SIPORT Personnel ODBC Import Windows service running","description":"The `SIPORT Personnel ODBC Import` job (a Windows service on the SiPort host) must be running. Without it, AE writes staging records but they are never imported into SiPort. The Windows service runs on a configurable interval — operators must align Guardian's provisioning latency expectations with this interval.\n","owner":"customer","citation":{"source":"src/connectors/siemens-siport/source.pdf","locator":"p8 — Installation Prerequisites","quote":"Make sure the \"SIPORT Personnel ODBC Import\" job is running on the SIPORT system. This job can be located under windows services."}},{"title":"SiPort license for Data Import process","description":"The SiPort system must hold an appropriate license to process user records through the Data Import process. This is a Siemens-side license module, not an AE-side license.\n","owner":"customer","citation":{"source":"src/connectors/siemens-siport/source.pdf","locator":"p8 — Installation Prerequisites","quote":"The SIPORT system should have an appropriate license to process the user records through the SIPORT Data Import process."}}],"knownLimitations":[{"title":"Indirect provisioning via batch import — no real-time API","description":"Provisioning operations are asynchronous: AE writes to the SiPort staging database, and the Personnel ODBC Import job (a Windows service) periodically imports staging records into the live SiPort system. Provisioning latency = max(write-to-DB time, ODBC Import job interval). Customers expecting real-time provisioning should either tighten the ODBC Import schedule or migrate to [[siport-rest]] for a true API.\n","severity":"important","citation":{"source":"src/connectors/siemens-siport/source.pdf","locator":"p7 — Connector Architecture","quote":"The AlertEnterprise Connector Framework uses Alert SIPORT Connector to perform these operations in the Siemens SIPORT system using personnel data import DB API provided by the SIPORT out of the box."}},{"title":"14-digit Add Badge limitation","description":"The `Add Badge` capability only supports 14-digit badge IDs. `Modify Badge`, `Activate Badge`, `Deactivate Badge`, and `Remove Badge` work with 6 or 14-digit badge IDs, but initial Add must use 14-digit. Operators using 6-digit cards must seed the badge by some other means (manual entry on SiPort side) before AE can modify it.\n","severity":"informational","citation":{"source":"src/connectors/siemens-siport/source.pdf","locator":"p5-6 — Provisioning Capabilities"}}],"relatedConnectors":["si-pass","siport-rest"],"relatedConcepts":["cardholder","badge-or-credential","access-level"],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-siport-connector","name":"Alert SiPort Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE's SiPort connector module (ALNTSiportConnector). Writes to staging DB via JDBC."},{"id":"siport-staging-database","name":"SiPort Personnel Data Import Staging DB","kind":"platform","vendor":"siemens","trustZone":"customer-onprem","description":"Database staging area for Personnel Data Import. AE writes user records here; the Personnel ODBC Import Windows service polls and imports them into SiPort."},{"id":"siport-odbc-import-job","name":"SIPORT Personnel ODBC Import Windows Service","kind":"service","vendor":"siemens","trustZone":"customer-onprem","description":"Windows service on the SiPort host that periodically imports staging records into the live SiPort system. Required for AE provisioning to land in SiPort."},{"id":"siport-server","name":"Siemens SiPort Server","kind":"platform","vendor":"siemens","trustZone":"customer-onprem","description":"Siemens SiPort PACS application — receives imported user records via the Personnel ODBC Import job."}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Provisioning + reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-siport-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-siport-connector","to":"siport-staging-database","label":"JDBC INSERT / UPDATE / SELECT (Personnel Data Import staging)","transport":"jdbc","auth":"basic","carries":"User record + badge data","direction":"bidirectional","trustCrossing":true},{"from":"siport-odbc-import-job","to":"siport-staging-database","label":"Polls staging table","transport":"jdbc","direction":"inbound","trustCrossing":false},{"from":"siport-odbc-import-job","to":"siport-server","label":"Imports records into live system","transport":"proprietary-api","direction":"outbound","trustCrossing":false}]},"citations":[{"source":"src/connectors/siemens-siport/source.pdf","locator":"Full connector guide — 41 pages, updated 2024-08-23"},{"source":"src/connectors/siemens-siport/source.pdf","locator":"p5 — Supported Version","quote":"The Siemens SIPORT connector supports Siemens SIPORT Versions MP 2.2, 3.0."},{"source":"src/connectors/siemens-siport/source.pdf","locator":"p7 — Connector Architecture","quote":"personnel data import DB API provided by the SIPORT out of the box"}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2024-08-23","sourceSha256":"64f2eb57eb00d5b74c6d5169568feca5bf79a54793d643e52eb32c14a2a467e5","kind":"pacs","fields":{"readerProtocols":[],"cardFormats":[],"topology":"on-prem","eventModel":"polling","pollInterval":"Bounded by SIPORT Personnel ODBC Import Windows service schedule (configured customer-side).","eventTypes":[],"antiPassback":"unknown","holidaySchedules":"unknown","cardholderModel":"SiPort cardholders modeled with Profile assignments and badges (6 or 14-digit). Last-used date/time on badges is optionally reconciled (see Chapter 4 of the connector guide for the additional configuration).\n","accessRightsModel":"Roles in SiPort are called **Profiles**. The connector supports Modify User Roles/Profiles + Remove User Roles/Profiles. Full + incremental reconciliation of Profiles is supported.\n","multiTenancy":"Single SiPort instance per AE→SiPort connector.\n"}},"simple-k-rest":{"id":"simple-k-rest","name":"SimpleK","vendor":"SimpleK","vendorId":"simplek","connectorPackage":"AE_HSc_SimpleK_RestConnectorGuide","status":"active","description":"The SimpleK connector integrates AlertEnterprise with **SimpleK Rest** — a lock system.\n\n**This record was auto-generated by `scripts/ingest/template-connector.ts` from the AE connector guide.** Structured fields (versions, transports, authentication, composition graph) are derived from deterministic recognition; the description, prerequisites, dataFields, knownLimitations, and kind-specific fields are placeholders to be filled in during the category authoring wave for lock connectors.\n\nSource: `AE_HSc_SimpleK_RestConnectorGuide.pdf` (page count: 30).\n","versions":[{"range":"(version not specified in connector guide — verify against current vendor docs)","status":"active"}],"transports":["rest"],"directions":["bidirectional"],"authentication":[],"endpoints":[],"dataFields":[],"rateLimits":[],"prerequisites":[],"knownLimitations":[],"relatedConnectors":[],"relatedConcepts":[],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-simple-k-rest-connector","name":"Alert SimpleK Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE's SimpleK-specific connector module."},{"id":"simplek-system","name":"SimpleK System","kind":"platform","vendor":"simplek","trustZone":"vendor-cloud","description":"The customer's SimpleK system or tenant — authoritative source for the data this connector reads / writes.\n"}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Provisioning + reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-simple-k-rest-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-simple-k-rest-connector","to":"simplek-system","label":"API calls (provisioning + reconciliation)","transport":"rest","carries":"Connector-specific data","direction":"bidirectional","trustCrossing":true}]},"citations":[{"source":"src/connectors/simple-k-rest/source.pdf","locator":"Connector guide — 30 pages"},{"source":"src/connectors/simple-k-rest/source.pdf","locator":"p3 — Chapter 1, Introduction................................................................................................................. 6"}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2025-10-10","sourceSha256":"3f5c67ffc684e18d5382324a6f8f2bb688a207367fc6c0bfb33106d031f45af0","kind":"lock","fields":{"protocols":[]}},"siport-mobile":{"id":"siport-mobile","name":"SIPORT Mobile","vendor":"Siemens","vendorId":"siemens","connectorPackage":"AE_HSc_SIPORTMobileConnectorGuide","status":"active","description":"The Siemens connector integrates AlertEnterprise with **SIPORT Mobile** — a credential-provider system.\n\n**This record was auto-generated by `scripts/ingest/template-connector.ts` from the AE connector guide.** Structured fields (versions, transports, authentication, composition graph) are derived from deterministic recognition; the description, prerequisites, dataFields, knownLimitations, and kind-specific fields are placeholders to be filled in during the category authoring wave for credential-provider connectors.\n\nSource: `AE_HSc_SIPORTMobileConnectorGuide.pdf` (page count: 29).\n","versions":[{"range":"(version not specified in connector guide — verify against current vendor docs)","status":"active"}],"transports":["rest"],"directions":["bidirectional"],"authentication":[],"endpoints":[],"dataFields":[],"rateLimits":[],"prerequisites":[],"knownLimitations":[],"relatedConnectors":[],"relatedConcepts":[],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-siport-mobile-connector","name":"Alert Siemens Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE's Siemens-specific connector module."},{"id":"siemens-system","name":"Siemens System","kind":"platform","vendor":"siemens","trustZone":"vendor-cloud","description":"The customer's Siemens system or tenant — authoritative source for the data this connector reads / writes.\n"}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Provisioning + reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-siport-mobile-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-siport-mobile-connector","to":"siemens-system","label":"API calls (provisioning + reconciliation)","transport":"rest","carries":"Connector-specific data","direction":"bidirectional","trustCrossing":true}]},"citations":[{"source":"src/connectors/siport-mobile/source.pdf","locator":"Connector guide — 29 pages"},{"source":"src/connectors/siport-mobile/source.pdf","locator":"p3 — Chapter 1, Introduction................................................................................................................. 5"}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2025-03-27","sourceSha256":"46592939a9952e7fe56e65761b153f1a1b599020c20cb2794659d6911dc16636","kind":"credential-provider","fields":{"wallets":[],"lifecycleStates":[]}},"siport-rest":{"id":"siport-rest","name":"Siemens SiPort REST","vendor":"Siemens","vendorId":"siemens","connectorPackage":"AE_HSc_SIPORT_RestConnectorGuide","status":"active","description":"The SiPort REST connector integrates AlertEnterprise Guardian with **Siemens SiPort 2.0+** via SiPort's modern **RESTful API** — replacing the legacy Personnel Data Import path used by [[siemens-siport]]. This is the recommended connector for new SiPort deployments on supported versions.\n\nThe architecture is direct: **AE → SIPORT REST Connector → SIPORT RESTful API → SIPORT System**. The connector uses AE's generic REST connector framework (`com.alnt.platform.core.connector.rest.commons.IRESTConnectorInterface`) with per-operation endpoint URLs configured as System Parameters. Unlike the legacy path, provisioning is **real-time** — no Windows service polling, no batch import latency.\n\nThis is a **newer connector** — first revision dated 2026-01-29, so coverage and field-mapping conventions are still settling. Verify against the latest guide revision during deployment.\n","versions":[{"range":"Siemens SiPort 2.0 and above (REST API)","status":"active","notes":"For legacy SiPort MP 2.2 / 3.0 via Personnel Data Import, use [[siemens-siport]]. For the higher-tier Siemens enterprise PACS, use [[si-pass]].\n"}],"transports":["rest"],"directions":["bidirectional"],"authentication":[{"kind":"basic","label":"SiPort REST API credentials","details":"Authentication to the SiPort REST API uses username + password configured as System Parameters. The connector's `Authorization` parameter holds the bearer/token if the deployment layers token auth atop basic. Example `Instance URL` from the connector guide: `https://192.168.194.85:8043`.\n","credentialStorage":"Encrypted in AE connector configuration."}],"endpoints":[{"method":"POST","path":"{CREATE_USER0 endpoint}","description":"Create User Account.","category":"provisioning","direction":"outbound"},{"method":"PUT","path":"{UPDATE_USER0 endpoint}","description":"Update User Information.","category":"provisioning","direction":"outbound"},{"method":"DELETE","path":"{DELETE_USER0 endpoint}","description":"Delete User Account.","category":"deprovisioning","direction":"outbound"},{"method":"POST","path":"{LOCK_USER0 endpoint}","description":"Lock User Account.","category":"lifecycle","direction":"outbound"},{"method":"POST","path":"{UNLOCK_USER0 endpoint}","description":"Unlock User Account.","category":"lifecycle","direction":"outbound"},{"method":"POST","path":"{ASSIGN_BADGE0 endpoint}","description":"Assign Credential.","category":"provisioning","direction":"outbound"},{"method":"PUT","path":"{UPDATE_BADGE0 endpoint}","description":"Update Card information.","category":"provisioning","direction":"outbound"},{"method":"POST","path":"{ACTIVATE_BADGE0 endpoint}","description":"Activate Credential.","category":"lifecycle","direction":"outbound"},{"method":"POST","path":"{DEACTIVATE_BADGE0 endpoint}","description":"Deactivate Credential.","category":"lifecycle","direction":"outbound"},{"method":"DELETE","path":"{REMOVE_BADGE0 endpoint}","description":"Delete Credential.","category":"deprovisioning","direction":"outbound"}],"dataFields":[],"rateLimits":[],"prerequisites":[{"title":"Siemens SiPort 2.0+ with REST API enabled","description":"An operational Siemens SiPort 2.0 or later deployment with the REST API enabled. The `Instance URL` system parameter must point to the API base.\n","owner":"customer","citation":{"source":"src/connectors/siport-rest/source.pdf","locator":"p6 — Supported Version","quote":"The SIPORT Rest connector supports SIPORT Rest version 2.0 and above."}},{"title":"SiPort REST API user account","description":"A dedicated SiPort REST API user account with provisioning + reconciliation privileges.\n","owner":"customer"},{"title":"Per-operation endpoint URLs configured","description":"Each operation endpoint must be configured as a System Parameter: CREATE_USER0, UPDATE_USER0, DELETE_USER0, LOCK_USER0, UNLOCK_USER0, ASSIGN_BADGE0, UPDATE_BADGE0, ACTIVATE_BADGE0, DEACTIVATE_BADGE0, REMOVE_BADGE0.\n","owner":"ae"},{"title":"Run Database Scripts in HSC Application Table","description":"Per the connector guide's Chapter 3 installation, database scripts must be executed in the HSC application table for the connector to function correctly.\n","owner":"ae"}],"knownLimitations":[{"title":"New connector — verify against latest guide revision","description":"First revision dated January 2026 — coverage and field-mapping conventions are still settling. Re-verify against the latest connector guide revision before each new deployment and after each SiPort upgrade.\n","severity":"informational","citation":{"source":"src/connectors/siport-rest/source.pdf","locator":"p5 — Document Revision History (first draft January 29, 2026)"}}],"relatedConnectors":["si-pass","siemens-siport"],"relatedConcepts":["cardholder","badge-or-credential","access-level"],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-siport-rest-connector","name":"Alert SiPort REST Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE's REST-based SiPort connector using the generic IRESTConnectorInterface framework."},{"id":"siport-rest-api","name":"SiPort REST API","kind":"gateway","vendor":"siemens","trustZone":"customer-onprem","description":"Siemens' modern RESTful API for SiPort 2.0+."},{"id":"siport-server-rest","name":"Siemens SiPort 2.0+ Server","kind":"platform","vendor":"siemens","trustZone":"customer-onprem","description":"Siemens SiPort PACS application with REST API enabled."}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Provisioning + reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-siport-rest-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-siport-rest-connector","to":"siport-rest-api","label":"REST over HTTPS","transport":"rest","auth":"basic","carries":"User / credential / profile provisioning + reconciliation","direction":"bidirectional","trustCrossing":true},{"from":"siport-rest-api","to":"siport-server-rest","label":"Internal API","transport":"proprietary-api","direction":"bidirectional","trustCrossing":false}]},"citations":[{"source":"src/connectors/siport-rest/source.pdf","locator":"Full connector guide — 56 pages, first revision dated 2026-01-29"},{"source":"src/connectors/siport-rest/source.pdf","locator":"p6 — Supported Version","quote":"The SIPORT Rest connector supports SIPORT Rest version 2.0 and above."},{"source":"src/connectors/siport-rest/source.pdf","locator":"p7 — Connector Architecture","quote":"The SIPORT Rest Connector relies on the out-of-the-box Restful APIs provided by the SIPORT system to perform these operations efficiently."}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2026-01-30","sourceSha256":"be80d46128e214308fc11bb953ff2200662e79227fbbc656494d60436ca0532f","kind":"pacs","fields":{"readerProtocols":[],"cardFormats":[],"topology":"on-prem","eventModel":"polling","pollInterval":"AE-side schedule per customer.","eventTypes":[],"antiPassback":"unknown","holidaySchedules":"unknown","cardholderModel":"SiPort cardholders modeled via REST resources with associated credentials.\n","accessRightsModel":"SiPort access via Profiles (same naming as [[siemens-siport]]), exposed through REST.\n","multiTenancy":"Single SiPort instance per AE→SiPort REST connector.\n"}},"ssg-entre-rest":{"id":"ssg-entre-rest","name":"SSG Entre (GraphQL)","vendor":"SSG Solutions","vendorId":"ssg","connectorPackage":"AE_HSc_SSGEntreRestConnectorGuide","status":"active","description":"The SSG Entre connector integrates AlertEnterprise Guardian with **SSG Entre** — SSG Solutions' cloud-native access control + visitor management platform. SSG is a smaller specialty PACS vendor with strong adoption in flexible-workspace, corporate-tenant, and shared-building scenarios.\n\n**The connector is unusual: despite the \"Rest\" naming on the AE side, SSG Entre's underlying API is GraphQL.** The AE-side connector adapts AE's REST connector framework to consume SSG's GraphQL APIs. This is worth flagging to operators expecting standard REST endpoint URLs — the request bodies are GraphQL queries / mutations, not REST resources.\n\nArchitecture: **AE → ACF (REST Connector Framework) → SSG Entre Rest Connector → SSG Entre GraphQL APIs → SSG Entre System**. OAuth 2.0 client credentials grant; example API host `https://api.ssgsolutions.com`.\n","versions":[{"range":"SSG Entre 8.4 and above","status":"active"}],"transports":["graphql"],"directions":["bidirectional"],"authentication":[{"kind":"oauth2-client-credentials","label":"OAuth 2.0 client credentials","details":"The SSG Entre GraphQL API authenticates callers via OAuth 2.0 client credentials grant. The connector exchanges its `client_id` + `client_secret` for an access token at the SSG token endpoint and includes the token on subsequent GraphQL calls.\n","credentialStorage":"Encrypted in AE connector configuration."}],"endpoints":[],"dataFields":[],"rateLimits":[],"prerequisites":[{"title":"SSG Entre 8.4+ with GraphQL API access","description":"An operational SSG Entre deployment (8.4+) with GraphQL API access. The connector targets `https://api.ssgsolutions.com` (or the customer's tenant URL).\n","owner":"customer","citation":{"source":"src/connectors/ssg-entre-rest/source.pdf","locator":"p5 — Supported Version","quote":"The SSG Entre Rest connector supports SSG Entre Rest version 8.4 and above."}},{"title":"OAuth 2.0 client credentials","description":"SSG admin must provision OAuth client credentials (client_id + client_secret) and provide the Token URL.\n","owner":"customer"}],"knownLimitations":[{"title":"\"Rest\" in the name; GraphQL on the wire","description":"Despite the connector package name ending in \"Rest\", the underlying SSG Entre API is GraphQL. Operators debugging the connector should expect GraphQL query and mutation request bodies, not REST resource endpoints. This naming reflects AE's REST connector framework hosting the connector rather than the wire protocol used downstream.\n","severity":"informational","citation":{"source":"src/connectors/ssg-entre-rest/source.pdf","locator":"p6 — Connector Architecture","quote":"The SSG Entre Rest Connector relies on the GraphQL APIs provided by the SSG Entre system to perform these operations efficiently."}}],"relatedConnectors":[],"relatedConcepts":["cardholder","badge-or-credential","access-level"],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (REST)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-ssg-connector","name":"Alert SSG Entre Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE's SSG Entre connector — adapts the REST connector framework to issue GraphQL queries/mutations to SSG."},{"id":"ssg-entre-graphql-api","name":"SSG Entre GraphQL API","kind":"gateway","vendor":"ssg","trustZone":"vendor-cloud","description":"SSG's GraphQL API surface. Authenticates via OAuth 2.0 client credentials."},{"id":"ssg-entre-system","name":"SSG Entre System","kind":"platform","vendor":"ssg","trustZone":"vendor-cloud","description":"SSG Solutions' cloud-native PACS / visitor management platform."}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Provisioning + reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-ssg-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-ssg-connector","to":"ssg-entre-graphql-api","label":"GraphQL queries/mutations + OAuth bearer","transport":"graphql","auth":"oauth2-client-credentials","carries":"User / credential / access provisioning + reconciliation (GraphQL)","direction":"bidirectional","trustCrossing":true},{"from":"ssg-entre-graphql-api","to":"ssg-entre-system","label":"Internal API","transport":"proprietary-api","direction":"bidirectional","trustCrossing":false}]},"citations":[{"source":"src/connectors/ssg-entre-rest/source.pdf","locator":"Full connector guide — 24 pages, updated 2025-03-21"},{"source":"src/connectors/ssg-entre-rest/source.pdf","locator":"p5 — Supported Version","quote":"The SSG Entre Rest connector supports SSG Entre Rest version 8.4 and above."},{"source":"src/connectors/ssg-entre-rest/source.pdf","locator":"p6 — Connector Architecture","quote":"The SSG Entre Rest Connector relies on the GraphQL APIs provided by the SSG Entre system to perform these operations efficiently."}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2025-03-21","sourceSha256":"e889948aea500e0e084aa7fa685a0c62b598522478f09bacc84a48dd06f441a7","kind":"pacs","fields":{"readerProtocols":[],"cardFormats":[],"topology":"cloud","eventModel":"polling","pollInterval":"AE-side schedule per customer.","eventTypes":[],"antiPassback":"unknown","holidaySchedules":"unknown","cardholderModel":"SSG Entre cardholder model exposed via GraphQL types. Specific schema must be verified against the deployment's GraphQL introspection output.\n","accessRightsModel":"SSG Entre access model exposed via GraphQL — Roles / Access Levels are connector-deployment specific.\n","multiTenancy":"Each SSG customer occupies a separate tenant on SSG Solutions' cloud. One connector instance per tenant.\n"}},"success-factors-lms":{"id":"success-factors-lms","name":"SAP SuccessFactors Learning (LMS)","vendor":"SAP SuccessFactors","vendorId":"sap","connectorPackage":"AE_HSc_SuccessFactorsLMSConnectorGuide","status":"active","description":"$2b","versions":[{"range":"SAP SuccessFactors Learning (cloud — versionless SaaS)","status":"active"}],"transports":["rest","sftp"],"directions":["inbound"],"authentication":[{"kind":"oauth2-client-credentials","label":"SuccessFactors LMS OAuth 2.0 client credentials","details":"OAuth 2.0 client credentials grant for OData REST API access.\n","credentialStorage":"Encrypted in AE connector configuration."},{"kind":"basic","label":"SFTP credentials (CSV pull path)","details":"Basic auth (or SSH key) credentials for SFTP/FTP access to the CSV drop location.\n","credentialStorage":"Encrypted in AE connector configuration."}],"endpoints":[],"dataFields":[],"rateLimits":[],"prerequisites":[{"title":"SAP SuccessFactors Learning tenant with API access","description":"An operational SuccessFactors LMS tenant with OData REST API access enabled. Tenant admin provisions OAuth client credentials.\n","owner":"customer"},{"title":"SFTP/FTP CSV drop location (for the SFTP path)","description":"A reachable SFTP/FTP location where SuccessFactors LMS or a scheduled job drops certification CSV files for AE to pick up.\n","owner":"customer"}],"knownLimitations":[{"title":"SFTP CSV path is a workaround","description":"The dual-path architecture exists because some SuccessFactors LMS configurations don't expose certification data through the OData API. Customers on those configurations rely on the SFTP CSV path. If your tenant exposes everything via OData, the SFTP path is optional.\n","severity":"informational"}],"relatedConnectors":["sap-hr","sap-btp","talent-lms"],"relatedConcepts":["iflow"],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-sf-lms-adapter","name":"Alert SuccessFactors LMS Adapter","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"sf-lms-odata-api","name":"SuccessFactors LMS OData REST API","kind":"gateway","vendor":"sap","trustZone":"vendor-cloud"},{"id":"sf-lms-sftp","name":"SuccessFactors LMS SFTP Drop Location","kind":"gateway","vendor":"sap","trustZone":"vendor-cloud","description":"SFTP/FTP location where CSV certification exports are dropped."},{"id":"sf-lms-system","name":"SuccessFactors Learning (LMS)","kind":"platform","vendor":"sap","trustZone":"vendor-cloud"}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-sf-lms-adapter","label":"ACF → adapter dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-sf-lms-adapter","to":"sf-lms-odata-api","label":"OData REST + OAuth bearer","transport":"rest","auth":"oauth2-client-credentials","carries":"User certifications via OData","direction":"inbound","trustCrossing":true},{"from":"alert-sf-lms-adapter","to":"sf-lms-sftp","label":"SFTP CSV pull","transport":"sftp","auth":"basic","carries":"User certifications via CSV","direction":"inbound","trustCrossing":true},{"from":"sf-lms-odata-api","to":"sf-lms-system","label":"Internal API","transport":"proprietary-api","direction":"inbound","trustCrossing":false},{"from":"sf-lms-sftp","to":"sf-lms-system","label":"Scheduled CSV export","transport":"proprietary-api","direction":"outbound","trustCrossing":false}]},"citations":[{"source":"src/connectors/success-factors-lms/source.pdf","locator":"Full connector guide — 16 pages, updated 2024-12-17"},{"source":"src/connectors/success-factors-lms/source.pdf","locator":"p6 — Connector Architecture","quote":"The SuccessFactors LMS Adapter makes OData REST API calls to evaluate user certifications in the SuccessFactors LMS system and also reconciles the user certification data from a CSV file dropped at SFTP/FTP location."}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2024-12-17","sourceSha256":"da1b7f966277f28fc17e19a3f8f5e59516dc640dd5e98dfac75160ce46c51cce","kind":"hr","fields":{"syncMode":["full-load","delta"],"scheduledSync":"configurable","direction":"inbound","lifecycleEvents":[],"contingentWorkerSupport":false,"fieldMappingNotes":"SuccessFactors LMS certification fields — userID, courseID, courseName, completionDate, expirationDate, certificationStatus.\n"}},"suprema-bio-star2-rest":{"id":"suprema-bio-star2-rest","name":"Suprema BioStar 2 (REST)","vendor":"Suprema","vendorId":"suprema","connectorPackage":"AE_HSc_SupremaBioStar2_RestConnectorGuide","status":"active","description":"The Suprema BioStar 2 REST connector integrates AlertEnterprise with **Suprema BioStar 2** — a biometric access-control platform supporting face, fingerprint, and card-based authentication. Common in fin-services data-center and high-security-zone deployments where biometric MFA is required.\n\nTopology: AlertEnterprise application → Suprema BioStar 2 REST Connector → Suprema BioStar 2 RESTful APIs. Direct REST integration; no intermediate agent.\n","versions":[{"range":"Suprema BioStar 2 REST API version 8.4 and above","status":"active","notes":"Per the connector guide (2026-05-22), the connector targets BioStar 2 REST\nAPI version 8.4 and above. Earlier BioStar 2 versions used different APIs.\n"}],"transports":["rest"],"directions":["bidirectional"],"authentication":[{"kind":"session-cookie","label":"BioStar 2 login session","details":"BioStar 2's REST API uses a session-cookie authentication model — the\nconnector POSTs login credentials and receives a session cookie used on\nsubsequent calls. See the connector guide's Security chapter for the\nconfigured credential storage pattern.\n","credentialStorage":"AE connector configuration (encrypted at rest)","citation":{"source":"src/connectors/suprema-bio-star2-rest/source.pdf","locator":"p42 — Chapter 4, Security"}}],"endpoints":[],"dataFields":[{"aeField":"User","vendorField":"BioStar 2 User","description":"User records — name, ID, biometric template references (templates stored on device or server depending on deployment).","direction":"bidirectional","required":true},{"aeField":"Credential","vendorField":"BioStar 2 Card / Biometric Template","description":"Cards and biometric templates assigned to users. Provisioning manages both.","direction":"bidirectional","required":true},{"aeField":"Access Level","vendorField":"BioStar 2 Access Group","description":"Access group / access-level assignments per user.","direction":"bidirectional","required":false}],"rateLimits":[],"prerequisites":[{"title":"BioStar 2 server v8.4+","description":"Customer's BioStar 2 server must be on version 8.4 or above to expose the\nREST API surface the connector requires.\n","owner":"customer"},{"title":"BioStar 2 API user with appropriate permissions","description":"Dedicated API user account on BioStar 2 with permissions to manage users +\naccess groups.\n","owner":"customer"}],"knownLimitations":[{"title":"Biometric template handling is regulatory-sensitive","description":"Biometric templates are sensitive personal data under GDPR Article 9, India\nDPDP 2023, US BIPA, and similar regimes. The connector moves template\nreferences but customer must establish lawful basis, consent, and retention\npolicies separately.\n","severity":"important"}],"relatedConnectors":[],"relatedConcepts":[],"composition":{"actors":[{"id":"alert-rest-connector-framework","name":"Alert REST Connector Framework","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-suprema-biostar-connector","name":"Alert Suprema BioStar 2 REST Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE's BioStar 2-specific connector. REST/HTTPS into the BioStar 2 server."},{"id":"suprema-biostar-2-server","name":"Suprema BioStar 2 Server","kind":"platform","vendor":"suprema","trustZone":"customer-onprem","description":"Customer's Suprema BioStar 2 deployment. Hosts user records, access groups,\nand biometric templates (or template references if templates live on devices).\n"},{"id":"suprema-readers","name":"Suprema biometric readers","kind":"device","vendor":"suprema","trustZone":"device-edge","description":"Field-deployed Suprema biometric readers (face / fingerprint / card).\nReceive user + template updates from BioStar 2 server.\n"}],"edges":[{"from":"guardian-platform","to":"alert-rest-connector-framework","label":"Provisioning + reconciliation","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-rest-connector-framework","to":"alert-suprema-biostar-connector","label":"Framework dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-suprema-biostar-connector","to":"suprema-biostar-2-server","label":"REST API (user + access ops)","transport":"rest","auth":"session-cookie","carries":"User / Credential / Access Group operations","direction":"bidirectional","trustCrossing":true,"citation":{"source":"src/connectors/suprema-bio-star2-rest/source.pdf","locator":"p8 — Connector Architecture"}},{"from":"suprema-biostar-2-server","to":"suprema-readers","label":"User + template distribution to readers","transport":"proprietary-api","direction":"outbound","trustCrossing":false}]},"citations":[{"source":"src/connectors/suprema-bio-star2-rest/source.pdf","locator":"p6 — Chapter 1, Supported Version","quote":"Connector supports Suprema BioStar 2 Rest version 8.4 and above."},{"source":"src/connectors/suprema-bio-star2-rest/source.pdf","locator":"p8 — Chapter 2, Connector Architecture"}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2026-05-22","sourceSha256":"82a0ac9d80df799b27cf8ebfda797983fdb2e075f764ffb7ef121f4098192eed","kind":"biometric","fields":{"modalities":["face","fingerprint"],"templateStorage":"both","livenessDetection":"configurable","spoofDetection":"Per Suprema product line — newer readers (BioStation 3 / FaceStation F2) support\nanti-spoofing. Specific posture depends on the reader hardware deployed.\n","privacyProfile":["GDPR Article 9 (special-category data)","India DPDP 2023 (biometric data classification)","US BIPA (where applicable — Illinois, Texas, Washington)"],"rightToErasure":true}},"talent-lms":{"id":"talent-lms","name":"TalentLMS","vendor":"TalentLMS (Epignosis)","vendorId":"talentlms","connectorPackage":"AE_HSc_TalentLMSConnectorGuide","status":"active","description":"The TalentLMS connector integrates AlertEnterprise Guardian with **TalentLMS** — Epignosis' cloud LMS, popular in mid-market and smaller enterprises as a more cost-effective alternative to [[success-factors-lms]]. Like SuccessFactors LMS, TalentLMS provides training / certification data that AE Guardian consumes to gate PIAM workflows on training compliance.\n\nArchitecture: **AE → ACF (REST Connector Framework) → TalentLMS Connector → TalentLMS RESTful API → TalentLMS System**.\n","versions":[{"range":"TalentLMS (cloud — versionless SaaS)","status":"active","notes":"Connector guide does not pin a specific version; TalentLMS is a continuously updated cloud product."}],"transports":["rest"],"directions":["bidirectional"],"authentication":[{"kind":"api-key","label":"TalentLMS API key","details":"TalentLMS uses an API key generated in the TalentLMS admin console (Account & Settings → Integration → REST API). API key included as `Authorization` header on every REST call.\n","credentialStorage":"Encrypted in AE connector configuration."}],"endpoints":[],"dataFields":[],"rateLimits":[],"prerequisites":[{"title":"TalentLMS deployment with API access","description":"An operational TalentLMS tenant with REST API enabled. TalentLMS admin generates an API key.\n","owner":"customer"}],"knownLimitations":[],"relatedConnectors":["success-factors-lms"],"relatedConcepts":[],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (REST)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-talent-lms-connector","name":"Alert TalentLMS Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"talent-lms-rest-api","name":"TalentLMS REST API","kind":"gateway","vendor":"talentlms","trustZone":"vendor-cloud"},{"id":"talent-lms-system","name":"TalentLMS","kind":"platform","vendor":"talentlms","trustZone":"vendor-cloud"}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-talent-lms-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-talent-lms-connector","to":"talent-lms-rest-api","label":"REST + API key","transport":"rest","auth":"api-key","carries":"User certifications / course completions","direction":"bidirectional","trustCrossing":true},{"from":"talent-lms-rest-api","to":"talent-lms-system","label":"Internal API","transport":"proprietary-api","direction":"bidirectional","trustCrossing":false}]},"citations":[{"source":"src/connectors/talent-lms/source.pdf","locator":"Full connector guide — 23 pages, updated 2025-02-13"}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2025-02-13","sourceSha256":"0e716b2bf142e23fb0b46b0a7906eb52741a7addc3f3779fb29e5df05d2f446d","kind":"hr","fields":{"syncMode":["delta"],"direction":"inbound","lifecycleEvents":[],"contingentWorkerSupport":false,"fieldMappingNotes":"TalentLMS user + course-completion fields. User properties include id, login, email, first_name, last_name; course completion includes course_id, course_name, completion_status, completion_date, score.\n"}},"tessera-rest":{"id":"tessera-rest","name":"Tessera","vendor":"Tessera","vendorId":"tessera","connectorPackage":"AE_HSc_Tessera_RestConnectorGuide","status":"active","description":"The Tessera connector integrates AlertEnterprise with **Tessera Rest** — a lock system.\n\n**This record was auto-generated by `scripts/ingest/template-connector.ts` from the AE connector guide.** Structured fields (versions, transports, authentication, composition graph) are derived from deterministic recognition; the description, prerequisites, dataFields, knownLimitations, and kind-specific fields are placeholders to be filled in during the category authoring wave for lock connectors.\n\nSource: `AE_HSc_Tessera_RestConnectorGuide.pdf` (page count: 14).\n","versions":[{"range":"(version not specified in connector guide — verify against current vendor docs)","status":"active"}],"transports":["rest"],"directions":["bidirectional"],"authentication":[],"endpoints":[],"dataFields":[],"rateLimits":[],"prerequisites":[],"knownLimitations":[],"relatedConnectors":[],"relatedConcepts":[],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-tessera-rest-connector","name":"Alert Tessera Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE's Tessera-specific connector module."},{"id":"tessera-system","name":"Tessera System","kind":"platform","vendor":"tessera","trustZone":"vendor-cloud","description":"The customer's Tessera system or tenant — authoritative source for the data this connector reads / writes.\n"}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Provisioning + reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-tessera-rest-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-tessera-rest-connector","to":"tessera-system","label":"API calls (provisioning + reconciliation)","transport":"rest","carries":"Connector-specific data","direction":"bidirectional","trustCrossing":true}]},"citations":[{"source":"src/connectors/tessera-rest/source.pdf","locator":"Connector guide — 14 pages"},{"source":"src/connectors/tessera-rest/source.pdf","locator":"p3 — Chapter 1, Introduction................................................................................................................. 5"}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2025-02-20","sourceSha256":"38450d16d7719dae687122e6730df24f241192ebdd21533b22d94537c63bba9c","kind":"lock","fields":{"protocols":[]}},"twilio":{"id":"twilio","name":"Twilio","vendor":"Twilio","vendorId":"twilio","connectorPackage":"AE_HSc_TwilioConnectorGuide","status":"active","description":"The Twilio connector integrates AlertEnterprise's Guardian platform with **Twilio** for SMS-based messaging — visitor check-in / check-out notifications, OTP delivery, mass alert dispatch, and general SMS communication driven by Guardian workflows.\n\nTopology: Alert Connector Framework (ACF) → Alert Twilio Connector → Twilio's hosted messaging API over HTTPS. No intermediate agent — direct vendor-cloud REST integration.\n","versions":[{"range":"Twilio Messaging API (current)","status":"active","notes":"Twilio is a continuous-release SaaS; the connector targets the current Twilio Messaging API contract."}],"transports":["rest"],"directions":["bidirectional"],"authentication":[{"kind":"basic","label":"Account SID + Auth Token (Twilio basic-auth pattern)","details":"Twilio's REST API uses HTTP basic-auth with the Account SID as the username and\nthe Auth Token as the password. Auth Tokens are rotatable from the Twilio console.\n","credentialStorage":"AE connector configuration (encrypted at rest); production tokens in Firebase Secret Manager"}],"endpoints":[],"dataFields":[{"aeField":"SMS Message","vendorField":"Twilio Message","description":"Outbound SMS messages — body, recipient phone, sender number / messaging service SID.","direction":"outbound","required":true},{"aeField":"Delivery Status","vendorField":"Twilio Message Status Callback","description":"Delivery status updates (sent / delivered / failed) returned via Twilio status callbacks.","direction":"inbound","required":false}],"rateLimits":[],"prerequisites":[{"title":"Twilio account with verified messaging-capable phone number or Messaging Service","description":"Customer needs an active Twilio account with at least one messaging-capable\nphone number or a configured Messaging Service. SMS deliverability depends on\nTwilio's regional carrier registrations (10DLC in US, sender-ID registration\nelsewhere).\n","owner":"customer"},{"title":"Account SID + Auth Token in AE config","description":"Twilio Account SID + Auth Token configured in AE connector config.","owner":"ae"}],"knownLimitations":[{"title":"SMS regulatory compliance is customer responsibility","description":"US (10DLC), India (DLT), and similar regional registrations for SMS sending\nare customer-owned. The connector does not register sender IDs on the\ncustomer's behalf.\n","severity":"important"}],"relatedConnectors":[],"relatedConcepts":[],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-twilio-connector","name":"Alert Twilio Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE's Twilio-specific connector. Issues HTTPS calls to Twilio's Messaging API."},{"id":"twilio-messaging","name":"Twilio Messaging Platform","kind":"platform","vendor":"twilio","trustZone":"vendor-cloud","description":"Twilio's hosted SMS / voice / WhatsApp messaging platform."}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Notification requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-twilio-connector","label":"ACF dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-twilio-connector","to":"twilio-messaging","label":"Send SMS / message","transport":"rest","auth":"basic","carries":"SMS message payloads","direction":"outbound","trustCrossing":true,"citation":{"source":"src/connectors/twilio/source.pdf","locator":"p7 — Connector Architecture"}},{"from":"twilio-messaging","to":"alert-twilio-connector","label":"Delivery status callback","transport":"webhook","carries":"Message status events","direction":"inbound","trustCrossing":true}]},"citations":[{"source":"src/connectors/twilio/source.pdf","locator":"p7 — Chapter 2, Connector Architecture","quote":"It allows the platform to send and receive SMS messages."}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2025-10-13","sourceSha256":"727b414ca6feb27dc07bcf0194e72ccce9d497dc2275933016573b2fbca7ad42","kind":"notification","fields":{"channels":["sms"],"templateModel":"Templates are managed in Twilio's Messaging Service templates or composed at\nsend-time by the Guardian workflow.\n","deliveryConfirmation":"per-channel","retrySemantics":"Twilio handles carrier-level retries internally. Failed-after-retry messages\nsurface as a final status callback (failed / undelivered).\n","massAlertScenarios":["Visitor check-in / check-out notifications to host","Mass alert / emergency notification dispatch","OTP / verification code delivery"]}},"unix":{"id":"unix","name":"Unix","vendor":"Generic (Unix/Linux)","vendorId":"ae","connectorPackage":"AE_HSc_UnixConnectorGuide","status":"active","description":"The Generic (Unix/Linux) connector integrates AlertEnterprise with **Unix Connector** — a data-source system.\n\n**This record was auto-generated by `scripts/ingest/template-connector.ts` from the AE connector guide.** Structured fields (versions, transports, authentication, composition graph) are derived from deterministic recognition; the description, prerequisites, dataFields, knownLimitations, and kind-specific fields are placeholders to be filled in during the category authoring wave for data-source connectors.\n\nSource: `AE_HSc_UnixConnectorGuide.pdf` (page count: 20).\n","versions":[{"range":"AIX version 6.1 and above.","status":"active"}],"transports":["rest"],"directions":["bidirectional"],"authentication":[],"endpoints":[],"dataFields":[],"rateLimits":[],"prerequisites":[],"knownLimitations":[],"relatedConnectors":[],"relatedConcepts":[],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-unix-connector","name":"Alert Generic (Unix/Linux) Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE's Generic (Unix/Linux)-specific connector module."},{"id":"ae-system","name":"Generic (Unix/Linux) System","kind":"platform","vendor":"ae","trustZone":"customer-onprem","description":"The customer's Generic (Unix/Linux) system or tenant — authoritative source for the data this connector reads / writes.\n"}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Provisioning + reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-unix-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-unix-connector","to":"ae-system","label":"API calls (provisioning + reconciliation)","transport":"rest","carries":"Connector-specific data","direction":"bidirectional","trustCrossing":true}]},"citations":[{"source":"src/connectors/unix/source.pdf","locator":"Connector guide — 20 pages"},{"source":"src/connectors/unix/source.pdf","locator":"p3 — Chapter 1, Introduction................................................................................................................. 5"}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2024-07-04","sourceSha256":"ce768a9e59873cf857fb0f7cfd2b5ad0e0bb750b229f4c7fc2b56eed1263f01e","kind":"data-source","fields":{"protocol":"(see connector guide)"}},"wavelynx":{"id":"wavelynx","name":"Wavelynx","vendor":"Wavelynx","vendorId":"wavelynx","connectorPackage":"AE_HSc_WavelynxConnectorGuide","status":"active","description":"The Wavelynx connector integrates AlertEnterprise with the **Wavelynx Cloud** mobile credential provisioning platform. Wavelynx is one of AE's three primary credential providers (alongside HID and LEGIC). This connector handles the AE-side ↔ Wavelynx-cloud interactions that issue and lifecycle mobile credentials destined for Apple Wallet and Google Wallet.\n\nThe deeper architectural model for Wavelynx — including the CM/CP topology where **AE acts as Credential Manager** and Wavelynx acts as Credential Provider — lives in `content/integrations/wavelynx.yaml`. This connector record describes the AE-side connector implementation: REST API surface, auth model, and the actors AE contributes to a composed deployment diagram.\n\nWavelynx is the credential provider that lets AE talk directly to Apple Pay; Google Wallet provisioning routes via **NXP MIFARE2GO**. AE owns lifecycle authority for Wavelynx-issued credentials.\n","versions":[{"range":"Wavelynx API version 2.5.0","status":"active","notes":"Per the connector guide (2024-12-10). Newer API versions may exist; verify against Wavelynx's current API docs for production deployments."}],"transports":["rest"],"directions":["bidirectional"],"authentication":[{"kind":"api-key","label":"X-API-Key header","details":"The Wavelynx Cloud REST API authenticates via an X-API-Key header carrying a\nper-partner API key issued by Wavelynx. Keys are environment-scoped (sandbox\nvs production).\n","credentialStorage":"AE connector configuration (encrypted at rest); production keys in Firebase Secret Manager","citation":{"source":"src/connectors/wavelynx/source.pdf","locator":"p12 — Chapter 5, Security"}}],"endpoints":[],"dataFields":[{"aeField":"Mobile Credential","vendorField":"Wavelynx Pass","description":"The mobile credential issued to Apple Wallet or Google Wallet. AE creates, updates, suspends, resumes, and revokes via the connector.","direction":"bidirectional","required":true},{"aeField":"Eligible User","vendorField":"Wavelynx Cardholder Reference","description":"User reference passed to Wavelynx for credential issuance. AE is the source of identity (no SCIM provisioning from AE → Wavelynx; credential is issued per request).","direction":"outbound","required":true}],"rateLimits":[],"prerequisites":[{"title":"Wavelynx API key","description":"Per-environment API key (sandbox + production) issued by Wavelynx. Stored as\nthe X-API-Key header credential in AE connector config / Secret Manager.\n","owner":"customer","citation":{"source":"src/connectors/wavelynx/source.pdf","locator":"p12 — Chapter 5, Security"}},{"title":"Wavelynx Cloud partner registration","description":"AE-on-behalf-of-customer must be registered as a Wavelynx Cloud partner with\nthe appropriate environment (sandbox + production) before the connector can\nissue credentials.\n","owner":"ae"}],"knownLimitations":[],"relatedConnectors":[],"relatedConcepts":["guardian-nfc-cloud","pass-id","provisioning-payload","apple-uap"],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-wavelynx-connector","name":"Alert Wavelynx Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE's Wavelynx-specific connector. Issues authenticated REST calls into Wavelynx Cloud."},{"id":"wavelynx-cloud","name":"Wavelynx Cloud","kind":"platform","vendor":"wavelynx","trustZone":"vendor-cloud","description":"Wavelynx's hosted credential provisioning + lifecycle platform."}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Credential issuance / lifecycle requests","transport":"rest","carries":"Mobile-credential operations","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-wavelynx-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-wavelynx-connector","to":"wavelynx-cloud","label":"REST API calls","transport":"rest","auth":"api-key","carries":"Credential CRUD, Pass lifecycle","direction":"outbound","trustCrossing":true,"citation":{"source":"src/connectors/wavelynx/source.pdf","locator":"p6 — Chapter 2, Connector Architecture"}},{"from":"wavelynx-cloud","to":"alert-wavelynx-connector","label":"Webhook / lifecycle event delivery","transport":"webhook","auth":"api-key","carries":"Lifecycle events (issued / suspended / revoked)","direction":"inbound","trustCrossing":true}]},"citations":[{"source":"src/connectors/wavelynx/source.pdf","locator":"p5 — Chapter 1, Supported Version","quote":"The Wavelynx Connector supports Wavelynx API version 2.5.0."},{"source":"src/connectors/wavelynx/source.pdf","locator":"p6 — Chapter 2, Connector Architecture"},{"source":"src/connectors/wavelynx/source.pdf","locator":"p12 — Chapter 5, Security"},{"source":"content/integrations/wavelynx.yaml","locator":"Integration record — CM/CP model + wallet routing"}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2024-12-10","sourceSha256":"3e4f3fa541477d0a9c50fcf9ebe4c945c32551a8cbbf7795474091bc79cb6d08","kind":"credential-provider","fields":{"integrationId":"wavelynx","wallets":["apple","google"],"issuanceModel":"invitation","lifecycleStates":["issued","active","suspended","resumed","revoked"],"webhookSupport":"Wavelynx Cloud delivers lifecycle event webhooks to AE NFC Cloud. AE acts as\nCredential Manager and consumes these events for downstream policy.\n","keyMaterialNotes":"Per-credential key material is generated by Wavelynx Cloud at issuance time;\nthe diversified credential key is NOT persisted in Wavelynx (unlike HID's\nSeos model). Master key is shared with the physical card encryption keystore.\n"}},"windows-power-shell":{"id":"windows-power-shell","name":"Windows","vendor":"Microsoft","vendorId":"microsoft","connectorPackage":"AE_HSc_WindowsPowerShellConnectorGuide","status":"active","description":"The Microsoft connector integrates AlertEnterprise with **Windows** — a data-source system.\n\n**This record was auto-generated by `scripts/ingest/template-connector.ts` from the AE connector guide.** Structured fields (versions, transports, authentication, composition graph) are derived from deterministic recognition; the description, prerequisites, dataFields, knownLimitations, and kind-specific fields are placeholders to be filled in during the category authoring wave for data-source connectors.\n\nSource: `AE_HSc_WindowsPowerShellConnectorGuide.pdf` (page count: 17).\n","versions":[{"range":"PowerShell version 4.0","status":"active"}],"transports":["rest"],"directions":["bidirectional"],"authentication":[],"endpoints":[],"dataFields":[],"rateLimits":[],"prerequisites":[],"knownLimitations":[],"relatedConnectors":[],"relatedConcepts":[],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-windows-power-shell-connector","name":"Alert Microsoft Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE's Microsoft-specific connector module."},{"id":"microsoft-system","name":"Microsoft System","kind":"platform","vendor":"microsoft","trustZone":"customer-onprem","description":"The customer's Microsoft system or tenant — authoritative source for the data this connector reads / writes.\n"}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Provisioning + reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-windows-power-shell-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-windows-power-shell-connector","to":"microsoft-system","label":"API calls (provisioning + reconciliation)","transport":"rest","carries":"Connector-specific data","direction":"bidirectional","trustCrossing":true}]},"citations":[{"source":"src/connectors/windows-power-shell/source.pdf","locator":"Connector guide — 17 pages"},{"source":"src/connectors/windows-power-shell/source.pdf","locator":"p3 — Chapter 1, Introduction................................................................................................................. 5"}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2025-03-06","sourceSha256":"716ab969e500800541a2d01a8b455a55373306183f464289da99c43b56bce6a6","kind":"data-source","fields":{"protocol":"(see connector guide)"}},"windows":{"id":"windows","name":"Windows","vendor":"Microsoft","vendorId":"microsoft","connectorPackage":"AE_HSc_WindowsConnectorGuide","status":"active","description":"The Microsoft connector integrates AlertEnterprise with **Windows** — a data-source system.\n\n**This record was auto-generated by `scripts/ingest/template-connector.ts` from the AE connector guide.** Structured fields (versions, transports, authentication, composition graph) are derived from deterministic recognition; the description, prerequisites, dataFields, knownLimitations, and kind-specific fields are placeholders to be filled in during the category authoring wave for data-source connectors.\n\nSource: `AE_HSc_WindowsConnectorGuide.pdf` (page count: 22).\n","versions":[{"range":"2.1.1","status":"active"}],"transports":["rest"],"directions":["bidirectional"],"authentication":[{"kind":"basic","label":"Basic auth","details":"Detected from connector guide (deterministic recognition). Refine prose and add citation page numbers per the AE-internal authoring conventions.\n"}],"endpoints":[],"dataFields":[],"rateLimits":[],"prerequisites":[],"knownLimitations":[],"relatedConnectors":[],"relatedConcepts":[],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-windows-connector","name":"Alert Microsoft Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE's Microsoft-specific connector module."},{"id":"microsoft-system","name":"Microsoft System","kind":"platform","vendor":"microsoft","trustZone":"customer-onprem","description":"The customer's Microsoft system or tenant — authoritative source for the data this connector reads / writes.\n"}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Provisioning + reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-windows-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-windows-connector","to":"microsoft-system","label":"API calls (provisioning + reconciliation)","transport":"rest","carries":"Connector-specific data","direction":"bidirectional","trustCrossing":true}]},"citations":[{"source":"src/connectors/windows/source.pdf","locator":"Connector guide — 22 pages"},{"source":"src/connectors/windows/source.pdf","locator":"p3 — Chapter 1, Introduction................................................................................................................. 5"}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2024-12-03","sourceSha256":"ec5ce62f7a2b6959cae404dcb8dcd587c0d4e9972bfce72ba36f8529ccb38322","kind":"data-source","fields":{"protocol":"(see connector guide)"}},"workday-rest":{"id":"workday-rest","name":"Workday (via REST API)","vendor":"Workday","vendorId":"workday","connectorPackage":"AE_HSc_Workday_RestConnectorGuide","status":"active","description":"The Workday REST connector integrates AlertEnterprise Guardian with **Workday** via Workday's RESTful APIs. Workday is the dominant cloud HCM platform in the Fortune 500 — supporting Workday is mandatory for AE in any large deployment.\n\nThis is the **REST-based** integration path. For the older Workday Web Service (SOAP) integration, see the hand-authored [[workday]] connector. New deployments should prefer this REST connector.\n\nArchitecture: **AE → ACF (REST Connector Framework) → Workday REST Connector → Workday RESTful APIs → Workday System**.\n","versions":[{"range":"Workday REST API version 8.4 and above","status":"active","notes":"Workday REST API version corresponds to the Workday tenant's API version setting. For Workday SOAP integration, use [[workday]].\n"}],"transports":["rest"],"directions":["bidirectional"],"authentication":[{"kind":"api-key","label":"Workday Integration System User (ISU) credentials","details":"Workday authentication uses an Integration System User (ISU) credential — typically API key or basic auth depending on the Workday tenant's integration security configuration. The ISU must have an Integration System Security Group with read-access to the relevant Workday data domains (Workers, Organizations, Job Profiles, etc.).\n","credentialStorage":"Encrypted in AE connector configuration."}],"endpoints":[],"dataFields":[],"rateLimits":[{"scope":"Workday tenant","limit":"Per-tenant + per-integration concurrency limits documented by Workday","per":"tenant","notes":"Workday enforces concurrency limits per tenant. AE polls at a configurable interval to stay within limits."}],"prerequisites":[{"title":"Workday tenant with REST API enabled","description":"An operational Workday tenant with REST API access enabled. Tenant admin must enable API access at the appropriate version (8.4+).\n","owner":"customer"},{"title":"Workday Integration System User (ISU) with required scopes","description":"ISU configured in Workday with an Integration System Security Group granting access to the Worker / Organization / Job Profile / Position data domains the connector consumes.\n","owner":"customer"}],"knownLimitations":[],"relatedConnectors":["workday","sap-hr"],"relatedConcepts":["lifecycle-events","system-of-record","integration-system-user"],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (REST)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-workday-rest-connector","name":"Alert Workday REST Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"workday-rest-api","name":"Workday REST APIs","kind":"gateway","vendor":"workday","trustZone":"vendor-cloud"},{"id":"workday-system","name":"Workday Tenant","kind":"platform","vendor":"workday","trustZone":"vendor-cloud","description":"Customer's Workday tenant — system of record for employee identity."}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Reconciliation requests","transport":"rest","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-workday-rest-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-workday-rest-connector","to":"workday-rest-api","label":"Workday REST API calls","transport":"rest","auth":"api-key","carries":"Worker / Organization / Job Profile / Position records + lifecycle events","direction":"inbound","trustCrossing":true},{"from":"workday-rest-api","to":"workday-system","label":"Internal API","transport":"proprietary-api","direction":"inbound","trustCrossing":false}]},"citations":[{"source":"src/connectors/workday-rest/source.pdf","locator":"Full connector guide — 24 pages, updated 2025-04-17"},{"source":"src/connectors/workday-rest/source.pdf","locator":"p5 — Supported Version","quote":"The Workday Rest connector supports Workday Rest version 8.4 and above."}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2025-04-17","sourceSha256":"714dbbe853e51f6490a453635860ce66765f4a228705f666b3b3fd5be12ca619","kind":"hr","fields":{"syncMode":["full-load","delta"],"scheduledSync":"configurable","direction":"inbound","lifecycleEvents":["hire","rehire","transfer","promotion","demotion","leave","return-from-leave","termination","title-change","manager-change","location-change"],"contingentWorkerSupport":true,"bulkOperations":"Workday REST API supports bulk worker extraction with pagination.","fieldMappingNotes":"Workday's standard Worker object — workerID, employeeID, firstName, lastName, preferredName, hireDate, terminationDate, employmentStatus, jobProfile, supervisoryOrganization, manager, location, costCenter. Customers extending with Workday's custom fields configure additional mappings in AE.\n"}},"workday":{"id":"workday","name":"Workday HCM","vendor":"Workday","vendorId":"workday","connectorPackage":"AE_HSc_WorkdayConnectorGuide","status":"active","description":"The Workday connector integrates AlertEnterprise with **Workday HCM** for human-capital data sync — the source-of-record for Workers, organizations, and employment lifecycle events in most enterprise deployments. Provisioning is built on Workday's **Human Resource API (SOAP)**; reconciliation is built on the **Report API**, which is a prerequisite for reconciliation operations.\n\nTopology: Alert Connector Framework (ACF) drives the Alert Workday Connector, which issues SOAP/HTTPS calls into Workday's HR API and Report API endpoints. No intermediate agent — direct vendor-cloud REST/SOAP integration.\n\nAuthentication supports both Basic auth (Workday Integration System User credentials) and OAuth 2.0 client credentials, configurable per tenant. Workday's API model is service-versioned (e.g. v44.x, v45.x); the connector negotiates against the customer's exposed version.\n","versions":[{"range":"Workday tenant with HR API + Report API enabled","status":"active","notes":"Workday is a continuous-release SaaS; the connector targets the customer's contracted API version. No fixed version pin in the connector guide."}],"transports":["soap"],"directions":["bidirectional"],"authentication":[{"kind":"basic","label":"Workday Integration System User (ISU) credentials","details":"Workday tenant requires an Integration System User account with sufficient\ndomain security policy permissions to call the HR + Report APIs. Credentials\nare passed in the SOAP header per Workday's standard auth model.\n","credentialStorage":"AE connector configuration (encrypted at rest)","citation":{"source":"src/connectors/workday/source.pdf","locator":"p7 — Chapter 2, Connector Architecture"}},{"kind":"oauth2-client-credentials","label":"OAuth 2.0 client credentials","details":"Alternative auth path for Workday tenants using OAuth-protected API endpoints.\nConfigurable per deployment.\n"}],"endpoints":[],"dataFields":[{"aeField":"Worker","vendorField":"Workday Worker (Employee + Contingent Worker)","description":"Worker records — employees and contingent workers. Reconciled from Workday into AE; provisioning writes user-related fields back as needed.","direction":"bidirectional","required":true},{"aeField":"Organization","vendorField":"Workday Organization (Supervisory Organization, Cost Center, etc.)","description":"Organizational hierarchy. Reconciled from Workday into AE for downstream entitlement decisions.","direction":"inbound","required":false},{"aeField":"Employment Status","vendorField":"Workday Worker employment status","description":"Active / leave / terminated lifecycle states drive AE-side provisioning decisions.","direction":"inbound","required":false}],"rateLimits":[],"prerequisites":[{"title":"Workday Report API enabled","description":"Reconciliation depends on Workday's Report API. The customer's Workday tenant must\nhave the Report API enabled, and the AE Integration System User must have\npermission to call the reports the connector consumes.\n","owner":"customer","citation":{"source":"src/connectors/workday/source.pdf","locator":"p7 — Connector Architecture"}},{"title":"Workday Integration System User (ISU) account","description":"An ISU account with appropriate domain security policy permissions for HR API\n+ Report API. Workday best practice is a dedicated ISU per integration partner.\n","owner":"customer"},{"title":"Worker Field Mapping documentation","description":"Customer must provide field mappings between AE Worker attributes and Workday\nWorker XML field paths before reconciliation can begin.\n","owner":"joint"}],"knownLimitations":[],"relatedConnectors":[],"relatedConcepts":["lifecycle-events","system-of-record","integration-system-user"],"composition":{"actors":[{"id":"alert-connector-framework","name":"Alert Connector Framework (ACF)","kind":"service","vendor":"ae","trustZone":"ae-cloud"},{"id":"alert-workday-connector","name":"Alert Workday Connector","kind":"service","vendor":"ae","trustZone":"ae-cloud","description":"AE's Workday-specific connector. Issues authenticated SOAP/HTTPS calls into Workday's HR + Report APIs."},{"id":"workday-tenant","name":"Workday Tenant","kind":"platform","vendor":"workday","trustZone":"vendor-cloud","description":"The customer's Workday HCM tenant. Authoritative source of Worker, Organization, and employment-state data."}],"edges":[{"from":"guardian-platform","to":"alert-connector-framework","label":"Worker sync requests","transport":"rest","carries":"Worker / Organization sync ops","direction":"outbound","trustCrossing":false},{"from":"alert-connector-framework","to":"alert-workday-connector","label":"ACF → connector dispatch","transport":"proprietary-api","direction":"outbound","trustCrossing":false},{"from":"alert-workday-connector","to":"workday-tenant","label":"HR API + Report API calls","transport":"soap","auth":"basic","carries":"Worker / Organization / employment-status data","direction":"outbound","trustCrossing":true,"citation":{"source":"src/connectors/workday/source.pdf","locator":"p7 — Connector Architecture"}},{"from":"workday-tenant","to":"alert-workday-connector","label":"Report results + worker data","transport":"soap","auth":"basic","carries":"Worker / Org reconciliation payloads","direction":"inbound","trustCrossing":true}]},"citations":[{"source":"src/connectors/workday/source.pdf","locator":"p7 — Chapter 2, Connector Architecture","quote":"The Provisioning calls are built on top of the Human Resource API (SOAP) provided by Workday out of the box and Reconciliation operations are built on top of the Report API."}],"audience":"internal","confidentiality":"restricted","lastUpdated":"2025-09-23","sourceSha256":"8ee985fa1cfd0027844187ad1934295480afa67f4a6b980f9eb56cb9e7149569","kind":"hr","fields":{"syncMode":["full-load","delta"],"scheduledSync":"configurable","direction":"inbound","lifecycleEvents":["hire","rehire","transfer","promotion","leave","return-from-leave","termination","manager-change","location-change"],"contingentWorkerSupport":true,"bulkOperations":"Bulk operations are supported via Workday's Report API (returns paginated\nresult sets). Initial-load reconciliation typically uses a full-population report.\n","fieldMappingNotes":"Field mappings are defined per deployment against Workday's Worker XML schema.\nCustomer typically provides the mapping spreadsheet; AE connector configuration\ntranslates to runtime mappings.\n"}}}}],"$L2c","$L2d","$L2e",false,"$L2f"]}],"$L30"]}]

System	Term / Notes
Wavelynx	ECC P-256 signature → bearer JWT
HVHID v3.x	OAuth 2.0 client_credentials + PKI cert option

What other systems call it

Related concepts

The AE Mobile Wiki needs a bigger screen.