Primex recognizes today's organizations have complex network infrastructures, a division of responsibilities, and standard information security policies associated with data confidentiality, network bandwidth, and security of the systems deployed at their facilities.
This content is intended to provide information to answer the technical questions you or your staff may have regarding the Primex OneVue platform and Primex devices.
Architecture: OneVue is a multi-tenant solution built on top of Amazon Web Services (AWS). AWS is designed with multiple layers of protection, including secure data transfer, encryption, network configuration, and application-level controls distributed across a scalable, secure infrastructure.
Network communication: Primex devices equipped with Power over Ethernet (PoE), wired Ethernet, or Wi-Fi technology communicate over your facility's network to OneVue by way of the HTTPS communication protocol.
NTP Servers: Primex devices that require an NTP time source can be configured for up to three internal or external NTP Servers. The use of an external NTP server requires port 123 to be open.
Network Profiles: A Network Profile in OneVue represents a network at your facility and each Primex network device is assigned to a network. Once assigned, the network settings are downloaded to the Primex device, which allows the device to connect to your facility's network to transmit data to and download settings from OneVue. For OneVue devices that use NTP time, their assigned network also allows a connection to an external NTP time source.
OneVue Device Configurator (ODC) app: Configures new OneVue Sync Transmitters and Notify InfoBoards for use with OneVue. During a system deployment, or when adding or replacing devices, the devices must be configured on site with the ODC app. The app is available for both Apple iOS and Android mobile devices. Download the app from the App Store or Google Play™ store (search for Primex OneVue Device Configurator).
Access to network profile settings: Who has access to view and manage network profiles and device network settings is controlled by the Role assigned to a user.
Power over Ethernet (PoE)/Ethernet and Wi-Fi enabled devices connect to OneVue using the Hypertext Transfer Protocol Secure (HTTPS) protocol (port 443); all communication is encrypted.
Power over Ethernet (PoE)/Ethernet and Wi-Fi devices, and the OneVue web browser interface only initiate outbound network connections and do not initiate inbound network connections.
OneVue client and device data is encrypted in transit and all sensitive data is encrypted at rest.
Primex devices support an array of network communication options for secure wireless network connectivity.
Users can access OneVue from a supported web browser on any internet-enabled device, improving flexibility and mobility.
User access to the OneVue user interface is through a web browser by way of the HTTPS protocol (port 443).
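As an added example (not Primex code), the following Python check lets a facility network team confirm the behaviour described above from its own flow records: device addresses only initiate connections, and only on TCP/443 to OneVue and UDP/123 to the NTP servers configured in their Network Profile. The device VLAN, NTP server addresses, OneVue endpoint addresses and the record format are constructed placeholders, not values taken from this page.

```python
from ipaddress import ip_address, ip_network

# Constructed values: the clock/sensor VLAN, the NTP servers configured in the
# Network Profile, and placeholder OneVue endpoint addresses (TEST-NET-3).
DEVICE_NET = ip_network("10.20.30.0/24")
NTP_SERVERS = {"10.0.0.5", "10.0.0.6"}
ONEVUE_HOSTS = {"203.0.113.10", "203.0.113.11"}


def parse_flow(line):
    """Constructed record format: '<src> <dst> <proto> <dport>' (src initiated it)."""
    src, dst, proto, dport = line.split()
    return src, dst, proto.lower(), int(dport)


def classify(flow):
    """Label one flow against the expected device traffic profile."""
    src, dst, proto, dport = flow
    from_device = ip_address(src) in DEVICE_NET
    to_device = ip_address(dst) in DEVICE_NET
    if to_device and not from_device:
        return "inbound-to-device"      # devices never accept inbound connections
    if not from_device:
        return "not-device"             # e.g. a staff browser session
    if proto == "tcp" and dport == 443:
        return "ok-https" if dst in ONEVUE_HOSTS else "https-unlisted-dest"
    if proto == "udp" and dport == 123:
        return "ok-ntp" if dst in NTP_SERVERS else "ntp-unlisted-dest"
    return "unexpected-egress"          # anything else leaving a clock or sensor


def audit(lines):
    """Return (record, label) for every flow that deviates from the profile."""
    findings = []
    for line in lines:
        label = classify(parse_flow(line))
        if not label.startswith(("ok-", "not-")):
            findings.append((line, label))
    return findings


SAMPLE_FLOWS = [                          # constructed flow records
    "10.20.30.7 203.0.113.10 tcp 443",    # clock reporting to OneVue
    "10.20.30.7 10.0.0.5 udp 123",        # clock syncing time
    "10.20.30.9 192.0.2.50 tcp 80",       # plain HTTP from a device
    "10.20.30.9 198.51.100.3 udp 123",    # NTP to a server not in the profile
    "10.20.30.12 10.0.0.200 tcp 443",     # HTTPS to something other than OneVue
    "10.0.0.77 10.20.30.7 tcp 22",        # a host connecting into a device
    "10.0.0.77 203.0.113.10 tcp 443",     # a browser session, not a device
]
```

Running `audit(SAMPLE_FLOWS)` flags the last five records except the browser session; the two "unlisted-dest" labels are the ones worth a closer look, since a clock should only ever talk to OneVue and its configured time sources.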
OneVue is a multi-tenant solution built on top of Amazon Web Services (AWS). AWS is designed with multiple layers of protection, including secure data transfer, encryption, network configuration, and application-level controls distributed across a scalable, secure infrastructure. AWS provides a scalable architecture with security capabilities while lowering the application life-cycle costs and total cost of ownership for the OneVue capabilities.
Operating System: CoreOS and CentOS
Database Architecture: PostgreSQL (AWS RDS), DynamoDB, and Redis (AWS ElastiCache)
The security architecture of OneVue is multi-layered, operating through the Amazon Web Services (AWS) security infrastructure. AWS achieved ISO 27001 certification and is validated as a Level 1 service provider under the Payment Card Industry (PCI) Data Security Standard (DSS).
AWS provides a secure infrastructure, including physical security, employee life-cycle management, and regular, third-party audits. The adoption of AWS by Homeland Security, NASA, and the Central Intelligence Agency demonstrates the high level of security AWS provides in its architecture.
Primex leverages the secure architecture of AWS to provide a cost effective solution that encompasses the high-security needs of our customers.
AWS Identity and Access Management (IAM) with Multi-Factor Authentication: Controls and manages user credentials, including passwords, access keys, and permissions policies.
IAM allows for the central management of all users, allowing Primex to control user access to individual records and services. Primex adds to this multi-factor security by controlling and managing the Primex resources granted access to the OneVue development and production environments through IAM. This provides complete security and ensures that not only can Primex control the security of customer information, but also audit and manage the access of Primex development, engineering, and support resources.
AWS Virtual Private Cloud (VPC): Provides the separation of OneVue customer instances.
Primex uses the AWS VPC services to provide separation of data and services between environments. Additionally, Primex uses the VPC service to secure all connectivity for development, training, and technical support functions.
Encrypted Data Storage: Secures data throughout the record lifecycle.
OneVue only accepts SSL-encrypted connections, both from clients and from the sensor and clock devices that report to it. Additionally, data is encrypted and maintained securely in storage across all of the AWS data services used.
OneVue is built from the following Amazon Web Services (AWS) services.
DynamoDB - Predictable and Scalable NoSQL Data Store
ElastiCache - In-Memory Cache
Relational Database Service (RDS) - Managed Petabyte-Scale Data Warehouse
Storage & Content Delivery Network (CDN)
Simple Storage Service (S3) - Scalable Storage in the Cloud
Compute & Networking
Elastic Cloud Compute (EC2) - Virtual Servers in the Cloud
Virtual Private Cloud (VPC) - Virtual Secure Network
Elastic Load Balancing (ELB) - Load Balancing Service
Auto Scaling Groups (ASG) - Automatically Scale Up and Down
Route 53 - Scalable Domain Name System
Deployment & Management
CloudFormation - Template AWS Resource Creation
CloudWatch - Resource and Application Monitoring
Identity and Access Management (IAM) - Secure AWS Access Control
SES - Email Sending Service
SQS - Message Queue Service
SWF - Coordinating App Components
The information below provides the details required to allow Primex network enabled devices to communicate over a facility's network to OneVue.
The OneVue platform is designed, developed, and managed in-house, allowing Primex to control the user experience and provide the highest level of reliability and security.
To support the myriad of network security and protocol standards in today’s business environment, Primex network enabled devices offer an array of options for secure network connectivity. This ensures our customers can use and leverage our full line of products without adding costly additional IT infrastructure.
The OneVue account structure is flexible and scalable to support small to larger more complex organizations.
Business Units and Locations are the two primary components of the OneVue account structure. You can configure OneVue to limit and control who has access to your devices, system data and features, and to simplify the configuration of user access, reports, and alerts.
It's recommended to familiarize yourself with the account structure to ensure it mirrors your organization's business rules and structure. Regardless of how you initially configure OneVue, you can always change the structure as your business rules or staff responsibilities change.
A Business Unit is the primary account structure component that commonly represents a department or other business entity in your organization. Based on your organization's business rules or staff responsibilities, you may have one, a few, or many Business Units. With the use of Business Units, you can limit and control staff access to only what they are responsible for. You can also assign a Business Unit to other system components, including reports and Alert Rules.
The use of Business Units can simplify managing . A Business Unit essentially groups together, allowing a Business Unit to be added to other system components.
: Required to be assigned to a Business Unit. This limits and controls who can view and access the assigned to the Business Unit. When are added to your account, by default they are assigned to the account Business Unit.
Users: Each user is assigned to a Business Unit and a Role within the Business Unit. The Role assigned grants the user access to the assigned to the Business Unit.
Reports: Business Units can be added to a Report Profile. When added to a Report Profile, all assigned to the Business Unit are included in the Report.
Parent-child hierarchy: If a Business Unit is a parent to other Business Units (its children), OneVue applies a parent-child hierarchy. For example, when a parent Business Unit is assigned to a user or included in a Report or Alert Rule, all of its child Business Units are also included. To avoid the parent-child hierarchy, assign the user to a child Business Unit, or add a child Business Unit to the Report Profile or Alert Rule instead.
Regardless of how you initially configure your account, you can always change the structure as your business rules or staff responsibilities change.
Consider an organization that has located throughout one building, where all staff are responsible for managing and monitoring all of . With this type of organization, you do not need to limit or control who has access to the . If this is the case, you can set up a simple account hierarchy structure. With a simple structure, your account is the only Business Unit and each user is assigned a Role to your account Business Unit.
With this type of account hierarchy, you will:
Assign each user a Role to your account Business Unit.
From Report Profiles, add each or simply add the one Business Unit. When a Business Unit is added, all assigned to the Business Unit are automatically included in the Report.
Simple to configure and manage.
All users have access to all .
The Role assigned to the user grants their access to system features.
You cannot limit or control who has access to .
Consider an organization that has located throughout many areas, where each area is responsible for managing and monitoring the in its own area. An organization like this may require the intermediate account hierarchy option, which limits and controls who has access to the .
With this type of account hierarchy, you will:
Create a Business Unit for each of the areas responsible for managing and monitoring the in their area.
Assign the applicable Business Unit to each of the .
Assign each user a Role to their responsible Business Unit. Assigning a user to a Role to a specific Business Unit allows you to limit and control a user's access to only those they are responsible for.
When assigning Roles to users with this type of hierarchy, the parent-child rule applies when you have more than one Business Unit. A Business Unit can be a parent to a Business Unit or a child to your OneVue account Business Unit. When you assign a user to a Role within a Business Unit, if the Business Unit is a parent to a child Business Unit, the user is automatically granted the same Role to the child Business Unit(s).
As an example, if you assign a user to your account Business Unit, the user is also granted the same access to any child Business Units. If you only want a user to have access to a specific Business Unit, assign the user only to that specific Business Unit.
Optionally, you can assign Business Units to Report Profiles and Alert Rules. When assigned, all assigned to the Business Unit are included. If a Business Unit is a parent, its child Business Unit(s) are also included.
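A worked model of the parent-child rule described above, as an added example rather than Primex code: a Role assigned on a parent Business Unit propagates to its children, a user assigned only to a child sees only that child's devices, and a Report Profile or Alert Rule given a parent unit covers the whole subtree. The units, devices and users are constructed, and the rule that a direct assignment on a child wins over a Role inherited from its parent is an assumption the page does not state.

```python
from collections import defaultdict

class AccountHierarchy:
    def __init__(self, account_unit):
        self.parent = {account_unit: None}   # child BU -> parent BU
        self.children = defaultdict(set)     # parent BU -> child BUs
        self.devices = defaultdict(set)      # BU -> devices assigned to it
        self.roles = defaultdict(dict)       # user -> {BU: Role}

    def add_unit(self, unit, parent):
        self.parent[unit] = parent
        self.children[parent].add(unit)

    def subtree(self, unit):
        """The unit plus every descendant: what the parent-child hierarchy pulls in."""
        return {unit}.union(*(self.subtree(child) for child in self.children[unit]))

    def effective_role(self, user, unit):
        """Role on `unit`: the nearest assignment on the unit itself or an ancestor.
        Assumption (not on the page): a direct assignment on a child beats an inherited one."""
        while unit is not None:
            if unit in self.roles[user]:
                return self.roles[user][unit]
            unit = self.parent[unit]
        return None

    def visible_devices(self, user):
        """Devices reachable through any Business Unit the user holds a Role on."""
        return {dev for unit, devs in self.devices.items()
                if self.effective_role(user, unit) for dev in devs}

    def scope_devices(self, units):
        """Devices a Report Profile or Alert Rule covers once these units are added."""
        covered = set().union(*(self.subtree(u) for u in units))
        return set().union(*(self.devices[u] for u in covered))


def build_sample():
    """Constructed account: one building with two floors and three users."""
    h = AccountHierarchy("Acme Health")
    h.add_unit("Building A", "Acme Health")
    h.add_unit("Floor 1", "Building A")
    h.add_unit("Floor 2", "Building A")
    h.devices["Building A"].add("clock-lobby")
    h.devices["Floor 1"].add("sensor-lab1")
    h.devices["Floor 2"].add("clock-hall2")
    h.roles["alice"]["Acme Health"] = "Admin"   # account level: every child follows
    h.roles["bob"]["Floor 1"] = "Viewer"        # limited to the one area
    h.roles["carol"]["Building A"] = "Viewer"
    h.roles["carol"]["Floor 2"] = "Admin"       # direct assignment on the child
    return h
```

The check a reviewer of an account layout wants is `visible_devices` per user: an assignment at the account Business Unit, like alice's, silently covers every device that is later added under any child.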
This hierarchy option is more specific and provides more granular control over what a user can manage and monitor based on their assigned Business Unit. This hierarchy also offers the ease of adding Business Units to reports and Alert Rules.
You can limit and control who can manage and monitor by business area.
You can add a Business Unit to Report Profiles and Alert Rules, which automatically includes all assigned to the Business Unit.
Medium level of configuration complexity.
Business rules need to be managed and configured consistently within your OneVue account.
Imagine a large organization that may have hundreds of located throughout many business areas and locations. This type of organization may require staff to be responsible for specific business areas and locations. With this type of organization, you may have to spend some time to determine how to best configure your OneVue account hierarchy.
As you decide on your account hierarchy, the questions below may provide additional guidance to assist you in your decision.
Do you need to limit and control specific users by the department or business entity they are responsible for? If yes, create a Business Unit for each area. You will then assign users to specific Business Units.
Do you need to limit and control which specific users manage and monitor by location, such as by building, floor, or room? If yes, create the Location(s) representing each physical location, assign a Location to each of the , and assign each user to the Role for the Location they are responsible for.
Do you need to limit and control specific users to manage and monitor network profiles by location? If yes, assign the network profiles to a location.
Do you need reports or Alert Rules to be specific to location(s)? If yes, add the location(s) to a Report Profile or Alert Rule.
You can limit and control who can manage and monitor by department or business entity.
You can limit and control who can manage and monitor and networks by location.
You can add a Business Unit or Location to Report Profiles and Alert Rules, which automatically includes all assigned to the Business Unit or Location.
Advanced level of configuration planning.
Business rules need to be managed and configured consistently within your OneVue account.
OneVue is a cloud-based, mobile-first design that can be accessed from any web browser on a smartphone, tablet, laptop, or desktop computer. The mobile-first design eliminates the need for separate mobile apps, plug-ins, or downloads for optimal viewing on any size screen.
Logging in to OneVue requires an active user account. A user account is assigned one or more Roles, which grant access to OneVue account data and permissions to features.
Be sure to bookmark or favorite the OneVue URL: https://console.primexonevue.com