Genetec Access Control Integration
Overview
Genetec Security Center is an enterprise-grade unified security platform that provides physical access control, video surveillance, and other security management features through an on-premise installation. The Nexudus integration with Genetec automates cardholder provisioning and access group assignments based on customer contracts, passes, bookings, and desk assignments.Key Features
- Cloud-based management: Manage access through Genetec Security Center’s web interface
- Automatic provisioning: Access is granted and revoked automatically based on plan changes, bookings, and pass assignments
- RFID card support: Single RFID card per customer with facility code configuration
- PIN code support: Optional PIN codes for keypad access
- Group-based permissions: Map your inventory (passes, resources, desks) to Genetec cardholder groups
- Booking-based temporary access: Automatic access during reservation windows
- Partition support: Multi-site organizations can configure default partitions
Integration Type
On-premise with Bridge Support — Genetec Security Center is installed on-premise at your location. Nexudus connects via Genetec’s REST API using either:- Network Bridge: Secure tunnel through
https://bridge.nexudus.com/{device_id}/WebSdk/ - Port Forwarding: Direct connection to
http://public_ip:4590/WebSdk/(requires firewall configuration)
Capabilities
| Feature | Supported | Notes |
|---|---|---|
| Pass-based access | ✅ Yes | Customers receive access based on their active passes |
| Plan-based access | ✅ Indirect | Plans grant access through the passes they include |
| Resource-based access | ✅ Yes | Grants temporary access during reservations |
| Desk/unit-based access | ✅ Yes | Includes support for team billing contracts |
| Visitor access | ❌ No | Not supported by this integration |
| Booking guest access | ✅ Yes | Customers added as booking guests can access spaces during booking windows |
| Check-in tracking | ❌ No | Door events are not processed for automatic check-ins |
| Mobile app access | ❌ No | No mobile app integration available |
| Remote door unlock | ❌ No | Physical cards/PIN codes required for access |
How It Works
Access Control Model
Genetec uses a cardholder group model to manage access permissions:- Cardholders represent individuals in the system (mapped to Nexudus customers)
- Cardholder Groups define collections of doors that cardholders can access
- Credentials are physical access methods (RFID cards, PIN codes) linked to cardholders
- Partitions organize entities within multi-site Genetec deployments
Multi-Door Support
Genetec uses cardholder groups to grant permissions to multiple doors. Instead of mapping each door individually:- In Genetec Security Center, create a cardholder group (e.g., “24/7 Building Access”)
- Add the relevant doors to that group in Genetec
- In Nexudus, select that group from the dropdown when mapping your pass/resource/desk
- Customers with that pass automatically get access to all doors in the group
You must configure which doors belong to each group in the Genetec Security Center platform. Nexudus assigns customers to groups by selecting from the available groups retrieved from your Genetec system. The door-to-group mapping is managed in Genetec.
Prerequisites
Before connecting Nexudus to Genetec, ensure you have:- Genetec Security Center installed on-premise with administrator access
- API credentials (username and password for API authentication)
- Network connectivity — Either:
- Network Bridge configured: Device ID from your Nexudus Network Bridge installation
- Port forwarding configured: Public IP address with port 4590 forwarded to your Genetec server
- Genetec system configured with door controllers installed and online
- Cardholder groups created in Genetec for different access levels (e.g., 24/7 access, business hours only)
- Nexudus location configured with plans, passes, and resources
- (Optional) Default partition GUID if using Genetec’s partition feature for multi-site organizations
Configuration
Step 1: Connect to Genetec
- In the Nexudus dashboard, go to Settings > Integrations
- Find Genetec in the list and expand the settings
- Enable the Enable Genetec integration toggle
- Enter your connection details (fields appear when toggle is enabled):
- Genetec server address: Choose one of the following:
- Network Bridge:
https://bridge.nexudus.com/{DEVICE_ID}/WebSdk/(replace{DEVICE_ID}with your Bridge device ID) - Port Forwarding:
http://YOUR_PUBLIC_IP:4590/WebSdk/(replaceYOUR_PUBLIC_IPwith your public IP address)
- Network Bridge:
- Genetec username: Your Genetec API username
- Genetec password: Your Genetec API password
- Default partition (optional): The GUID of the default partition for new cardholders (for multi-site Genetec deployments)
- Genetec server address: Choose one of the following:
- Click Save to establish the connection
- Once connected successfully, the configuration panels for passes, resources, and desks will load below
The server URL must end with
/WebSdk/ to properly access the Genetec API. If using the Network Bridge, ensure your Bridge Agent is running and registered. If using port forwarding, ensure port 4590 is accessible from the internet.Step 2: Map Passes to Cardholder Groups
Passes are the primary way customers receive access in Nexudus. Each pass can be mapped to a Genetec cardholder group.- In the Passes section, you’ll see all passes configured for this location
- For each pass, select a Genetec access group from the dropdown menu
- The dropdown shows all cardholder groups available in your connected Genetec system
- Groups are automatically retrieved when you save the connection settings
- Leave blank if a pass should not grant physical access
- When a customer has an active contract on a plan that includes passes, they automatically receive those passes
- If the pass is mapped to a Genetec cardholder group, the customer is added to that group
- When the pass expires or is consumed, access is revoked
- Time-limited passes (e.g., day passes with validity windows) automatically grant and revoke access at the appropriate times
| Pass Name | Genetec Group | Purpose |
|---|---|---|
| 24/7 Access Pass | 24/7 Building Access | Round-the-clock building access |
| Business Hours Pass | Business Hours Access | Access only during operating hours |
| Meeting Room Pass | Meeting Room Zones | Access to meeting room areas |
Cardholder groups are identified by GUID internally but displayed by name in the dropdown. If you don’t see a group in the dropdown, verify it exists in Genetec Security Center and re-save your connection settings to refresh the list.
Step 3: Map Resources to Cardholder Groups
Resources (meeting rooms, event spaces, etc.) can require specific access permissions for bookings.- In the Resources section, you’ll see all resources configured for this location
- For each resource, select a Genetec access group from the dropdown menu
- Leave blank if resource bookings should not grant physical access
- When a customer books a resource, Nexudus grants them access 15 minutes before the booking starts
- Access is automatically revoked when the booking ends
- If the booking is cancelled, access is removed immediately
| Resource Name | Genetec Group | Purpose |
|---|---|---|
| Conference Room A | Conference Room A Access | Access to specific meeting room |
| Event Space | Event Hall Access | Access to event space for bookings |
| Private Office | Private Office Area | Access to private office area |
Resource-based access is temporary and booking-specific. A customer only receives access during their booking window, even if they don’t hold a general access pass.
Step 4: Map Desks/Units to Cardholder Groups
Floor plan desks and units can grant access to specific areas when included in a customer’s contract.- In the Desks/Units section, you’ll see all desks from your floor plans
- For each desk, select a Genetec access group from the dropdown menu
- Leave blank if desk assignments should not grant physical access
- When a desk is added to a customer’s contract, they receive access to the mapped group
- Access is granted when the contract starts and revoked when it ends
- Team billing support: If a customer uses team billing (merged billing), they also receive access to desks included in the paying member’s contracts
| Desk/Unit Name | Genetec Group | Purpose |
|---|---|---|
| Private Office #101 | Private Office Floor 1 | Access to first-floor private office area |
| Dedicated Desk Zone A | Desk Area A Access | Access to dedicated desk zone A |
| Studio #5 | Studio Access Area | Access to individual studio unit |
Step 5: Save Configuration
- Review all mappings to ensure they’re correct
- Verify group selections match your intended access levels
- Click Save to apply the configuration
- Nexudus will immediately start provisioning access for customers based on the new mappings
How Access is Managed
When Access is Granted
Nexudus automatically grants Genetec access when:- Contract starts: Customer begins a contract on a plan → receives passes included in that plan → assigned to corresponding Genetec cardholder groups
- Pass activated: Customer receives a pass directly (not via a contract) → assigned to the mapped Genetec cardholder group
- Booking created: Customer books a resource → granted access to resource’s group 15 minutes before booking start time
- Desk added to contract: Desk is added to an active contract → customer receives access to the desk’s mapped group
- Booking guest added: Non-customer is added as a guest on a booking → granted access to resource’s group for the booking duration
When Access is Revoked
Nexudus automatically revokes Genetec access when:- Contract ends or cancelled: Customer loses passes from that contract → removed from corresponding Genetec cardholder groups
- Pass expires: Pass validity ends or usage is consumed → removed from mapped Genetec cardholder group
- Booking ends or cancelled: Booking time expires or is cancelled → access to resource’s group is removed
- Desk removed from contract: Desk is removed from contract → access to desk’s group is revoked
- Customer deactivated: Customer account is deactivated in Nexudus → cardholder is deactivated in Genetec
Cardholder Activation Status
Genetec cardholders can be in two states:- Active: Cardholder has at least one group assignment and credentials configured
- Inactive: Cardholder has no group assignments or credentials have been removed
Access Update Timing
- Immediate updates: Contract changes, pass assignments, and customer deactivations trigger access updates within seconds
- Booking lead time: Booking access is granted 15 minutes before the booking start time
- Background processing: Access updates are queued in background jobs to handle high volumes efficiently
- Distributed locking: Prevents concurrent updates to the same customer across multiple servers
If a customer should have access but doesn’t, the system automatically retries access provisioning. Check the Business Checkup page for any integration errors.
RFID Card and PIN Management
Genetec supports both RFID access cards and PIN codes for physical access.Assigning RFID Cards
To assign an RFID card to a customer:- Go to Operations > Customers
- Select the customer
- In their profile, enter the following:
- Access Card ID: The card number (e.g.,
12345) - Key Fob Number: The facility code (e.g.,
100)
- Access Card ID: The card number (e.g.,
- Save the customer profile
- Genetec uses the Wiegand Corporate 1000 format by default
- Format:
WiegandCorporate1000CredentialFormat(facilityCode, cardNumber) - Both facility code and card number are required
Assigning PIN Codes
To assign a PIN code for keypad access:- Go to Operations > Customers
- Select the customer
- In their profile, enter a PIN code in the Access PIN Code field (e.g.,
1234) - Save the customer profile
- PIN codes are separate credentials from RFID cards
- A customer can have both a card and a PIN code
- PINs are stored as “Keypad” credential type in Genetec
- Removing the PIN code from Nexudus deletes the PIN credential in Genetec
Credential Management Logic
When you save a customer profile, Nexudus:- Creates cardholder: If the customer doesn’t exist in Genetec (lookup by email)
- Updates cardholder: Updates first name, last name, and email if cardholder exists
- Manages card credential:
- If card ID is present: Creates or updates the “UndecodedWiegand” credential
- If card ID is removed: Deletes the card credential
- Manages PIN credential:
- If PIN is present: Creates or updates the “Keypad” credential
- If PIN is removed: Deletes the PIN credential
- Updates group memberships: Adds/removes cardholder from groups based on passes, bookings, and desk assignments
Credentials are separate entities in Genetec linked to cardholders. When updating a card or PIN, Nexudus deletes the old credential and creates a new one with the updated values.
Troubleshooting
Customer has an active contract but can't access doors
Customer has an active contract but can't access doors
Possible causes:
-
Pass not mapped: The passes included in the customer’s plan are not mapped to any Genetec cardholder groups
- Solution: Go to Settings > Integrations > Genetec and select a cardholder group for the relevant passes
-
Group no longer exists: The selected group was deleted from Genetec Security Center
- Solution: Select a different group or recreate the group in Genetec, then refresh the integration
-
Pass expired or inactive: The customer’s pass has expired or hasn’t started yet
- Solution: Check the customer’s passes under their profile to verify validity windows
-
Cardholder not created: The customer wasn’t created in Genetec
- Solution: Check the Business Checkup page for integration errors, or manually trigger an update by editing and saving the customer’s profile
-
Group permissions: The Genetec cardholder group exists but isn’t assigned to any doors
- Solution: In Genetec Security Center, verify the cardholder group includes the correct door controllers
-
No credentials assigned: Customer exists in Genetec but has no card or PIN
- Solution: Assign an RFID card or PIN code in the customer’s profile fields
-
Cardholder inactive: Customer’s cardholder record is deactivated in Genetec
- Solution: Verify customer has active passes/contracts that grant access; Nexudus should automatically activate the cardholder
Booking access not working
Booking access not working
Possible causes:
-
Resource not mapped: The booked resource is not mapped to a Genetec cardholder group
- Solution: Select a cardholder group for the resource in Settings > Integrations > Genetec
-
Booking too far in future: Access is only granted 15 minutes before booking start time
- Solution: Wait until booking is within 15 minutes of start time
-
Booking not confirmed: Some resources require booking confirmation
- Solution: Confirm the booking if it’s in pending state
-
No credentials assigned: Customer has no physical card or PIN to use
- Solution: Assign an RFID card or PIN code to the customer’s profile
RFID cards or PINs not working
RFID cards or PINs not working
Possible causes:
-
Missing facility code: Key Fob Number (facility code) not configured
- Solution: Ensure both Access Card ID and Key Fob Number fields are filled in the customer profile
-
Credential format mismatch: Genetec reader expects a different card format
- Solution: Verify your Genetec system uses Wiegand Corporate 1000 format; contact Genetec support if using a different format
-
Credential not synced: Recent changes haven’t been synced to Genetec
- Solution: Wait a few minutes for sync, or manually trigger by editing and saving the customer profile
-
Cardholder inactive: Customer’s cardholder is deactivated in Genetec
- Solution: Verify customer has active passes/contracts; Nexudus should automatically activate them
-
Card reader issue: Physical hardware problem
- Solution: Test cards on different readers to isolate hardware issues
Integration connection failing
Integration connection failing
Possible causes:
-
Incorrect server URL: The Genetec server URL is incorrect or missing
/WebSdk/endpoint- Solution: Verify the server URL follows one of these formats:
- Network Bridge:
https://bridge.nexudus.com/{DEVICE_ID}/WebSdk/ - Port Forwarding:
http://YOUR_PUBLIC_IP:4590/WebSdk/
- Network Bridge:
- Solution: Verify the server URL follows one of these formats:
-
Invalid credentials: Username or password is incorrect
- Solution: Verify credentials have administrative access in Genetec Security Center
-
API access disabled: Your Genetec account doesn’t have API access enabled
- Solution: Contact Genetec support to enable API access for your account
-
Network connectivity: Firewall or network issue preventing connection
- Solution: If using port forwarding, verify port 4590 is accessible from the internet. If using Network Bridge, verify the Bridge Agent is running and connected to Nexudus
-
License key issue: Genetec API license key not configured correctly
- Solution: Nexudus uses dedicated API keys embedded in the integration; contact Nexudus support if you see licensing errors
Cardholder groups not appearing in dropdown
Cardholder groups not appearing in dropdown
Possible causes:
-
Connection not saved: Settings haven’t been saved to retrieve groups
- Solution: Save the connection settings (server URL, username, password) to retrieve groups from Genetec
-
No groups created: No cardholder groups exist in Genetec Security Center
- Solution: Create cardholder groups in Genetec Security Center, then re-save your Nexudus integration settings
-
API permissions: Genetec user doesn’t have permission to read cardholder groups
- Solution: Ensure the API user has administrator permissions in Genetec
-
Connection error: Authentication or network error preventing group retrieval
- Solution: Check connection status and verify credentials are correct
Customer created but access not granted
Customer created but access not granted
Possible causes:
-
Groups not assigned: Customer’s passes/bookings/desks aren’t mapped to Genetec groups
- Solution: Map passes, resources, and desks to cardholder groups in Settings > Integrations > Genetec
-
Signature unchanged: Access hasn’t changed since last update (optimization)
- Solution: This is normal behavior; if access genuinely changed, save the customer profile to force an update
-
Background job delay: Access update is queued but not yet processed
- Solution: Wait a few minutes for background jobs to process
-
Error during provisioning: API call to Genetec failed
- Solution: Check Business Checkup page for error details
Monitoring Integration Errors
Nexudus monitors your access control integration and alerts you to any issues that need attention.Business Checkup Dashboard
Access control integration errors are displayed on the Business Checkup page:- Go to Home > Important Items in the dashboard, or
- Navigate directly to dashboard.nexudus.com/dashboards/checkup
- Look for the Access Control Integration tile
- If there are errors, the tile will be displayed in red
What Gets Flagged
- Authentication failures: Invalid credentials or connection errors
- Provisioning errors: Failed attempts to create or update customer access
- Configuration issues: Missing or invalid cardholder group mappings
- Credential errors: Failed attempts to create or update cards/PINs
- The customer affected
- The nature of the problem
- When the error occurred
- Suggested actions to resolve it
Nexudus automatically retries failed operations. If errors persist, check the Business Checkup page for detailed information and follow the suggested resolution steps.
Security Considerations
Data Shared with Genetec
When provisioning access, Nexudus shares the following information with Genetec:- Customer data: First name, last name, email address
- Credentials: Card IDs, facility codes, PIN codes
- External ID: Nexudus uses the customer’s email as the lookup key
- Phone numbers (unless part of customer name fields)
- Billing information
- Payment details
- Contract specifics (only cardholder group assignments)
- Personal notes or custom fields
Network Security
- HTTPS encryption: All communication uses HTTPS (SSL/TLS)
- Basic authentication: Username and password sent with each request (over HTTPS)
- API keys: Nexudus uses dedicated license keys for Genetec API access
- Distributed locking: Prevents race conditions and concurrent updates to the same customer
Credential Management
- Physical cards: Managed in both Nexudus and Genetec; always assign through Nexudus
- PIN codes: Stored in Nexudus and synced to Genetec
- User passwords: Never shared with Nexudus; authentication is handled by Genetec
Related Documentation
Best Practices
Cardholder Group Organization
Create cardholder groups in Genetec based on access levels, not products or plans:- ✅ Good: “24/7 Building Access”, “Business Hours Access”, “Meeting Room Zones”, “Private Office Areas”
- ❌ Avoid: “Hot Desk Plan”, “Dedicated Desk Plan” (these are billing products, not access types)
Naming Conventions
- Create descriptive cardholder group names in Genetec that make them easy to identify in the dropdown
- Avoid overly long group names that are difficult to read in the admin panel
- Document group-to-door mappings in Genetec for future reference
Card Management
- Use consistent facility codes across all cards at a location
- Keep facility code and card number separate (don’t combine into Access Card ID)
- Document your facility code for future card provisioning
- Test new cards immediately after provisioning to ensure proper configuration
Partition Configuration
- If using Genetec partitions for multi-site organizations, configure the Default Partition setting
- Partition GUID should match your primary partition in Genetec Security Center
- All cardholders created by Nexudus will be assigned to this partition
Access Signature Optimization
- Nexudus uses access signatures to avoid unnecessary API calls
- An access signature is a hash of all groups a customer should have access to
- If the signature hasn’t changed, Nexudus skips the update
- This optimization reduces API traffic and improves performance
Technical Details
For developers and IT administrators
For developers and IT administrators
API Architecture
- Protocol: HTTPS REST API
- Authentication: HTTP Basic Authentication (username/password)
- API Format: Query-string based parameters (not JSON body)
- Base URL: Configured per business with two options:
- Network Bridge:
https://bridge.nexudus.com/{DEVICE_ID}/WebSdk/ - Port Forwarding:
http://PUBLIC_IP:4590/WebSdk/
- Network Bridge:
- License Keys: Embedded in integration (Debug and Production keys)
Key Endpoints
-
Cardholders:
- GET
/report/CardholderConfiguration?q=EmailSearchMode=Is,Email={email}- Find cardholder by email - GET
/entity/{guid}- Get cardholder by GUID - POST
/entity?q=entity=NewEntity(Cardholder),Name={name},FirstName={fn},LastName={ln},EmailAddress={email},Status.Activate(),Guid,Name,FirstName,LastName,EmailAddress,State,Groups,Parents,Credentials- Create cardholder - POST
/entity?q=entity={guid},Name={name},FirstName={fn},LastName={ln},EmailAddress={email},Guid,Name,FirstName,LastName,EmailAddress,State,Groups,Parents,Credentials- Update cardholder - POST
/entity?q=entity={guid},Status.Activate()- Activate cardholder - POST
/entity?q=entity={guid},Status.Deactivate()- Deactivate cardholder - DELETE
/entity/{guid}- Delete cardholder
- GET
-
Cardholder Groups:
- GET
/report/EntityConfiguration?q=EntityTypes@CardholderGroup- List all cardholder groups - GET
/entity/{guid}- Get cardholder group by GUID - POST
/entity?q=entity={groupGuid},Members@({cardholderGuid})- Add member to group - POST
/entity?q=entity={groupGuid},Members-({cardholderGuid})- Remove member from group
- GET
-
Credentials:
- GET
/entity/{guid}- Get credential by GUID - POST
/entity?q=entity=NewEntity(Credential),Cardholder={cardholderGuid},Format=KeypadCredentialFormat({pin}),State=Active- Create PIN credential - POST
/entity?q=entity=NewEntity(Credential),Cardholder={cardholderGuid},Format=WiegandCorporate1000CredentialFormat({facilityCode},{cardNumber}),State=Active- Create card credential - DELETE
/entity/{guid}- Delete credential
- GET
-
Creation Partition:
- POST
/creationpartition/{partitionGuid}- Set default partition for new entities
- POST
Cardholder Model
- Parents: Array of GUIDs representing cardholder groups this cardholder belongs to
- Credentials: Array of GUIDs representing credentials (cards, PINs) assigned to this cardholder
- State: “Active” or “Inactive”
Credential Model
- Keypad: PIN code credential (format:
KeypadCredentialFormat({pin})) - UndecodedWiegand: RFID card credential (format:
WiegandCorporate1000CredentialFormat({facilityCode},{cardNumber}))
Cardholder Group Model
Business Settings Reference
| Setting | Purpose |
|---|---|
Genetec.Enabled | Integration enabled flag (“true”/“false”) |
Genetec.ServerURL | Base URL of Genetec Security Center with /WebSdk/ endpoint. Use either Network Bridge (https://bridge.nexudus.com/{DEVICE_ID}/WebSdk/) or port forwarding (http://PUBLIC_IP:4590/WebSdk/) |
Genetec.Username | API username for authentication (appended with license key) |
Genetec.Password | API password for authentication |
Genetec.DefaultPartition | GUID of default partition for new cardholders (optional) |
Access Update Logic
- Passes: Active passes from contracts + shared passes from paying member
- Check-ins: Passes from open check-ins (maintains access during session)
- Bookings: Resources with bookings starting within 15 minutes
- Booking guests: Resources from bookings where customer is a visitor
- Desks: Desks from active contracts (own + team billing)
- Group collection: Aggregated list of unique cardholder group GUIDs
- Access signature: Hash of sorted group GUIDs to detect changes
- Skip if unchanged: If signature matches previous signature, skip update
- Cardholder provisioning: Create or update cardholder with new information
- Credential management: Create/update/delete card and PIN credentials
- Group membership sync: Compare current groups to target groups, add/remove as needed
- Activation status: Activate if groups exist, deactivate if no groups
External ID System
- Lookup key: Email address is used to find existing cardholders
- Create if not found: New cardholder created if email doesn’t exist
- No numeric external ID: Unlike some integrations, Genetec uses email as the unique identifier
Error Handling
- Authentication failures: Logged to business log entries
- Provisioning errors: Automatic retry with distributed locking
- Business Checkup: Integration errors displayed on dashboard
- Event system: OnExceptionHandler raises AccessControlEventData for error tracking
- Credential errors: Separate error handling for card vs. PIN creation/update
Credential Management Logic
When updating cardholders:- Fetch current credentials: Get list of credential GUIDs from cardholder
- Identify credential types:
- “Keypad” = PIN credential
- “UndecodedWiegand” = Card credential
- PIN logic:
- If
AccessPincodeis empty and PIN exists: Delete PIN credential - If
AccessPincodeis present and PIN exists: Delete old PIN, create new PIN - If
AccessPincodeis present and PIN doesn’t exist: Create new PIN
- If
- Card logic:
- If
AccessCardIdis empty and card exists: Delete card credential - If
AccessCardIdis present and card exists: Delete old card, create new card - If
AccessCardIdis present and card doesn’t exist: Create new card
- If
Credentials are updated by deleting and recreating rather than in-place updates. This ensures credential format changes are properly applied.
Performance Optimization
- Debouncing: 5-second debounce prevents rapid repeated updates for same customer
- Access signature hashing: Skips API calls when access hasn’t changed
- Distributed locking: Prevents concurrent updates to same customer across servers
- Background jobs: Queued in Hangfire for non-blocking execution
- Priority queue: Critical updates use
1_criticalqueue for faster processing
License Key Integration
The integration includes embedded license keys for Genetec API access:- Debug key:
KxsD11z743Hf5Gq9mv3+5ekxzemlCiUXkTFY5ba1NOGcLCmGstt2n0zYE9NsNimv - Production key:
Ww9c2Z9pMRjeMAluH1V7UgCViwOedGiHJ98YwOwBRi8SkEW1TE2cc8B3WY6zlK7r