Introduction to Access Control Systems
What Is An "Access Control System"?
Simply defined, the term "access control" describes any technique used to control passage into or out of any area. The standard lock that uses a brass key may be thought of as a simple form of an "access control system".
Over the years, access control systems have become more and more sophisticated. Today, the term "access control system" most often refers to a computer-based, electronic card access control system. The electronic card access control system uses a special "access card", rather than a brass key, to permit access into the secured area.
When used within this document, the term "access control system" refers to an electronic card access control system.
Access control systems are most commonly used to control entry into exterior doors of buildings. Access control systems may also be used to control access into certain areas located within the interior of buildings.
The purpose of an access control system is to provide quick, convenient access to those persons who are authorized, while at the same time, restricting access to unauthorized people.
Basic Components of an Access Control System
Access control systems vary widely in type and complexity. However, most card access control systems consist of at least the following basic components:
Access Cards
The access card may be thought of as an electronic "key". The access card is used by persons to gain access through the doors secured by the access control system. Each access card is uniquely encoded. Most access cards are approximately the same size as a standard credit card, and can easily be carried in a wallet or purse.
Card Readers
Card readers are the devices used to electronically "read" the access card. Card readers may be of the "insertion" type (which require insertion of the card into the reader), or may be of the "proximity" type (which only require that the card be held in a 3" to 6" proximity of the reader). Card readers are usually mounted on the exterior (non-secured) side of the door that they control.
Access Control Keypads
Access control keypads are devices which may be used in addition to or in place of card readers. The access control keypad has numeric keys which look similar to the keys on a touch-tone telephone.
The access control keypad requires that a person desiring to gain access enter a correct numeric code. When access control keypads are used in addition to card readers, both a valid card and the correct code must be presented before entry is allowed.
Where access control keypads are used in place of card readers, only a correct code is required to gain entry.
Electric Lock Hardware
Electric lock hardware is the equipment that is used to electrically lock and unlock each door that is controlled by the access control system.
There are a wide variety of different types of electric lock hardware. These types include electric locks, electric strikes, electromagnetic locks, electric exit devices, and many others. The specific type and arrangement of hardware to be used on each door is determined based on the construction conditions at the door.
In almost all cases, the electric lock hardware is designed to control entrance into a building or secured space. To comply with building and fire codes, the electric lock hardware never restricts the ability to freely exit the building at any time.
Access Control Field Panels
Access control field panels (also known as "Intelligent Controllers") are installed in each building where access control is to be provided. Card readers, electric lock hardware, and other access control devices are all connected to the access control field panels.
The access control field panels are used to process access control activity at the building level. The number of access control field panels to be provided in each building depends on the number of doors to be controlled. Access control field panels are usually installed in telephone, electrical, or communications closets.
Access Control Server Computer
The access control server computer is the "brain" of the access control system. The access control server computer serves as the central database and file manager for the access control system; and is responsible for recording system activity, and distributing information to and from the access control field panels.
Normally, a single access control server computer can be used to control a large number of card-reader controlled doors.
The access control server computer is usually a standard computer which runs special access control system application software. In almost all cases, the computer is dedicated for full-time use with the access control system.
A Simple Access Control System
To explain the concept of a simple access control system, we will use a fictitious building, called the "Administration Building", as an example.
The management of the Administration Building has decided to install an access control system to improve security conditions at the building. Mary Simpson, the “security coordinator” for the building, has been assigned responsibility for implementing and managing the access control system.
There are two primary entrance doors to the Administration Building; one at each end of the building. Mary wants to control access through each of these doors.
There is a computer room located on the First Floor of the Administration Building. A single door leads from the main hallway into the computer room. Because of the sensitive nature of the equipment in the computer room, Mary wants to control access through this door.
Mary contacts the access control vendor to arrange for the installation of her system. The vendor, working with Mary, determines that three card readers will be required: one at the front building entrance door, one at the back building entrance door, and one at the door to the computer room. Mary decides to use insertion type card readers without keypads.
In addition to the card readers, each of the controlled doors will require the installation of electric lock hardware. A survey of the doors indicates that standard electric door strikes can be used.
To operate the three card readers at the Administration Building, one access control field panel is required. Mary decides to have this panel installed in a telephone closet that is centrally located within the building. Wiring will be installed between each of the card reader controlled doors and the access control field panel.
The vendor recommends that the Administration Building install a stand-alone access control server computer to operate the control system. Because Mary will be responsible for managing the access control system, she decides to locate the access control server computer in her office.
Mary makes arrangements with the vendor for the purchase of the system, and schedules to have the installation begin.
Access Control System Set-up and Operation
The vendor has completed the installation of the access control system at the Administration Building.
Mary, as security coordinator, will have day-to-day responsibility for managing the system. Before the system can be put into use, Mary must set up or "define" the access control system software.
Set-up of the access control software is accomplished at the host computer. Set-up of the software involves setting various access control system parameters to meet the specific requirements of the building in which the system is installed.
Mary has already issued access cards to each of the tenants who will have access to the Administration Building. The first step in setting up the access control system is to "validate" each of the access cards. To validate the access cards, Mary must tell the access control system at what doors each of the cards can be used, and at what times.
The access control system allows a great deal of flexibility in "tailoring" the access privileges assigned to each card:
Doors: The system can allow the card to work at all card reader controlled doors; or only at specific doors.
Time Of Day: The system can allow the card to work 24 hours per day; or only during certain time periods (7:00 P.M. - 12:00 P.M. only, for example).
Day of Week: The system can allow the card to work seven days per week, or only on certain days (Monday, Wednesday, and Friday only, for example.)
Holidays: The system can allow the card to work differently on days defined as holidays.
Start and Stop Dates: The system can allow the card to only work during certain defined ranges of time (June 1 through June 15, for example.)
Mary sits down in front of the access control server computer and begins to validate each of the access cards. Here are several examples of the different access card privileges that Mary will assign:
Sally is a regular office worker at the Administration Building. Sally normally works Monday through Friday, 8:00 A.M. to 5:00 P.M.
Mary assigns privileges to Sally's card to allow access Monday through Friday, 7:00 A.M. to 6:00 P.M. at the building entrance doors. Sally does not require access to the computer room, so her card does not allow access through that door.
Susan is also a regular office worker at the Administration Building. Sally normally works Monday through Friday, 8:00 A.M. to 5:00 P.M. Every Wednesday afternoon, Susan substitutes for a computer operator who works in the computer room.
Mary assigns privileges to Susan's card to allow access Monday through Friday, 7:00 A.M. to 6:00 P.M. at the building entrance doors. In addition, Susan's card is also defined to allow access into the computer room door from 11:00 A.M. to 5:00 P.M. on Wednesdays only.
John is the manager of computer operations, and requires seven-day-a-week, 24-hour-per-day access to all doors of the Administration Building, including the computer room.
Mary assigns privileges to John's card to allow 24 hours per day, 365 days per year access through all doors.
Bill is a part-time worker that comes in to work only on Monday and Tuesday nights.
Mary assigns privileges to Bill's card that allows access Monday and Tuesday, 5:00 P.M. to 11:00 P.M., at the building entrance doors to the Administration Building. Bill does not work in the computer room, so his card will never allow access through that door.
Mike is a technician for a computer company. Mike is working on a computer installation in the Administration Building computer room. The computer installation is expected to begin on June 1st, and is expected to be completed by June 15th. Mary assigns Mike's card access privileges for the computer room door, Monday through Friday, 8:00 A.M. to 5:00 P.M. Mike's access privileges will begin on June 1, and will automatically expire on June 15.
As Mary begins to validate each of the access cards, she soon realizes that many of the cards in her system will receive identical access privileges. For example, all of the regular office workers will be given the same access privileges as Sally Strong.
To save time, the access control software allows the creation of "clearance codes". Clearance codes are pre-defined sets of access privileges. Once a clearance code has been created, it can be assigned to any number of access cards. Clearance codes can be given a name. Usually this name is a short description that corresponds with the intended use of the clearance code.
For example, Mary might create a clearance code and name it "Regular Office". She would set this clearance code to allow access Monday through Friday, 7:00 A.M. to 6:00 P.M. at the building entrance doors.
When validating Sally Strong's card, Mary would simply assign it the clearance code "Regular Office". This would give Sally exactly the access privileges that she needs. All of the other office workers who required access privileges identical to Sally's would also be assigned the "Regular Office" clearance code.
Mary will create several clearance codes corresponding to the various categories of tenants that have access to the Administration Building.
Validating each of the access cards requires at least three entries: the access card number, the cardholder's name, and at least one clearance code. The use of standard clearance codes will allow Mary to validate a large number of access cards in a short period of time.
Mary finishes entering the information for all of the access cards, and the access control system at the Administration Building is now ready for use.
Mary makes arrangements to conduct orientation sessions for all tenants of the building, and establishes a date when the access control system will be placed into service.
Using the Access Control System
On the day the access control system is placed into service, all persons desiring to enter the Administration Building must use their access card.
Using the access card is simple. To enter the building, the user simply inserts his card into the slot, allowing the card to be "read" by the card reader.
The card reader instantly sends the card's identity number to the access control field panel, which verifies that the card is valid at that door at that time. If the card is valid, the field panel immediately sends a signal to unlock the electric strike at the door, allowing the user to enter. The time between card insertion and door unlock is usually one second or less. In addition to unlocking the door, the access control field panel also sends a "valid access" transaction record to the server computer for storage. The valid access transaction record indicates the name assigned to the card, the name of the door that was entered, and the time that entry occurred.
Sometimes, a user may attempt to use his card at the wrong door; or at the wrong time. For example, if Bill Nelson (the part-time worker who is only supposed to work Monday and Tuesday) attempts to use his card to enter on Friday, he will not be granted entry.
When a user attempts to use his card incorrectly, the access control field panel will declare an "invalid access attempt". A transaction record of all invalid access attempts will be sent to the access control server computer for storage. The transaction record indicates the name of the cardholder, the name of the door at which entry was attempted, the reason for rejection (wrong time, wrong door, etc.), and the time that the entry attempt occurred.
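The card privileges, clearance codes and the field panel's grant-or-reject decision described above can be modelled as follows. This is an added example, not code from the article or from any access control product; the door names, card numbers, the year 2024 and every clearance code name other than "Regular Office" are constructed for illustration, and no holiday calendar is modelled.

```python
from dataclasses import dataclass
from datetime import date, datetime, time
from typing import Optional

ENTRANCES = frozenset({"Front Door", "Back Door"})      # constructed door names
COMPUTER_ROOM = frozenset({"Computer Room"})
MON_FRI = frozenset(range(5))      # datetime.weekday(): Monday is 0
EVERY_DAY = frozenset(range(7))


@dataclass(frozen=True)
class ClearanceCode:
    """A named, reusable set of privileges: which doors, which days, which hours."""
    name: str
    doors: frozenset
    days: frozenset
    start: time
    end: time

    def covers(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.time() <= self.end


@dataclass
class Card:
    number: int                          # constructed card numbers
    holder: str
    clearances: tuple
    valid_from: Optional[date] = None    # start date
    valid_until: Optional[date] = None   # stop date
    active: bool = True                  # False once the card is invalidated


# "Regular Office" is the article's clearance code; the other names are made up here.
REGULAR_OFFICE = ClearanceCode("Regular Office", ENTRANCES, MON_FRI, time(7), time(18))
CR_WEDNESDAY = ClearanceCode("Computer Room Wed", COMPUTER_ROOM, frozenset({2}), time(11), time(17))
ALL_DOORS = ClearanceCode("All Doors 24x7", ENTRANCES | COMPUTER_ROOM, EVERY_DAY, time.min, time.max)
PART_TIME = ClearanceCode("Part-Time Nights", ENTRANCES, frozenset({0, 1}), time(17), time(23))
CR_DAYS = ClearanceCode("Computer Room Days", COMPUTER_ROOM, MON_FRI, time(8), time(17))

CARDS = {card.number: card for card in (
    Card(1001, "Sally Strong", (REGULAR_OFFICE,)),
    Card(1002, "Susan Bright", (REGULAR_OFFICE, CR_WEDNESDAY)),
    Card(1003, "John", (ALL_DOORS,)),
    Card(1004, "Bill Nelson", (PART_TIME,)),
    Card(1005, "Mike", (CR_DAYS,), date(2024, 6, 1), date(2024, 6, 15)),
)}


def decide(card_number, door, when, cards=CARDS):
    """Return the transaction record the field panel would send to the server.

    Every check that fails ends in a rejection; access is granted only when a
    clearance code on an active, in-date card covers this door at this time.
    """
    card = cards.get(card_number)
    record = {"holder": card.holder if card else None, "door": door, "time": when}

    def reject(reason):
        return {**record, "type": "INVALID ACCESS ATTEMPT", "reason": reason}

    if card is None:
        return reject("unknown card")
    if not card.active:
        return reject("card invalidated")
    if card.valid_from and when.date() < card.valid_from:
        return reject("before start date")
    if card.valid_until and when.date() > card.valid_until:
        return reject("after stop date")
    for_this_door = [code for code in card.clearances if door in code.doors]
    if not for_this_door:
        return reject("wrong door")
    if not any(code.covers(when) for code in for_this_door):
        return reject("wrong time")
    return {**record, "type": "VALID ACCESS", "reason": None}


if __name__ == "__main__":
    # Bill Nelson, cleared for Monday and Tuesday nights, tries the door on a Friday.
    print(decide(1004, "Front Door", datetime(2024, 6, 7, 18, 0)))
```

Because a card can hold more than one clearance code, "wrong door" is reported only when none of its codes name the door, and "wrong time" when a code names the door but none is in effect at that moment.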
Door Status Monitoring Feature
For the access control system at the Administration Building to work successfully, it is important that the card reader controlled doors be used as intended.
To prevent misuse, the access control system provides a "door status monitoring" feature at each of the card reader controlled doors. The door status monitoring feature provides two important functions:
"Door-Forced-Open" Monitoring: In the event that any card reader door is opened from outside without the use of a valid access card, the system will cause a "Door-Forced-Open" (DFO) condition to occur.
"Door-Open-Too-Long" Monitoring: In the event that any card reader door is propped open, the system will cause a "Door-Open-Too-Long" (OTL) condition to occur.
The access control system at the Administration Building has been designed to sound an audible alarm inside the building when either a DFO or OTL condition occurs at any card reader controlled door. In addition, a transaction record of all DFO and OTL conditions is sent to the access control server computer for storage. The transaction record indicates the name of the door at which the condition occurred, the type of event that occurred (DFO or OTL), and the time that the condition occurred.
The actual actions that occur upon a DFO or OTL condition at the Administration Building can be set at the access control server computer by the security coordinator, Mary Simpson, on a door by door basis. The access control software allows Mary to define the time periods during which the DFO and OTL monitoring functions will be in effect.
For example, Mary may decide that it would be O.K. for the back door of the Administration Building to be propped open during regular working hours (8:00 A.M. to 5:00 P.M., Monday through Friday) to permit the loading and unloading of furniture. Mary does not want the back door to be propped open at any time other than regular working hours.
To accomplish this, Mary sits at the access control server computer and enters the time periods during which she does want DFO and OTL monitoring functions to be in effect; in this case, 5:00 P.M. to 8:00 A.M. Monday through Friday, and 24 hours per day on Saturday, Sunday and Holidays.
If the back door to the Administration Building is propped open during normal working hours, nothing will happen. However, if the door is propped open during the evening or on weekends, the audible alarm will sound.
Automatic Unlock Feature
The access control system allows each card reader controlled door to be "automatically unlocked" during certain time periods if desired. An automatically unlocked door can be opened without requiring the use of an access card.
The automatic unlocking feature can be set at the access control server computer on a door by door basis.
For example, the management of the Administration Building has decided that the front door of the building should remain open to the public during regular working hours (8:00 A.M. to 5:00 P.M., Monday through Friday).
Mary Simpson, the security coordinator, configures the access control system software to automatically unlock the front door at 8:00 A.M., and to automatically re-lock the front door at 5:00 P.M., Monday through Friday, excluding holidays.
Each weekday, the front door of the Administration Building will automatically unlock at 8:00 A.M., allowing free entrance into the building. At 5:00 P.M. the front door automatically re-locks. Persons desiring entry into the building after 5:00 P.M. must use their access card.
Door status monitoring (DFO and OTL) features are automatically disabled at a card reader controlled door that has been automatically unlocked by the system.
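The door status monitoring schedule and its interaction with automatic unlocking, described above, can be modelled as follows. This is an added example, not part of the original article or of any vendor's software; the 10-second grant window, the 30-second held-open limit, the holiday date, the door names and the event format are assumptions, and every "open" event is treated as an opening from outside.

```python
from datetime import date, datetime, time, timedelta

HOLIDAYS = {date(2024, 7, 4)}             # constructed holiday calendar
GRANT_WINDOW = timedelta(seconds=10)      # assumed: time to open the door after a valid read
HELD_OPEN_LIMIT = timedelta(seconds=30)   # assumed: how long "too long" is


def in_window(t, start, end):
    """True if start <= t < end; a window with start > end wraps past midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def working_hours(when):
    """8:00 A.M. to 5:00 P.M., Monday through Friday, excluding holidays."""
    return (when.weekday() < 5 and when.date() not in HOLIDAYS
            and in_window(when.time(), time(8), time(17)))


def back_door_monitored(when):
    """As Mary enters it: 5 P.M. to 8 A.M. Mon-Fri, 24 hours on Sat, Sun and holidays."""
    if when.weekday() >= 5 or when.date() in HOLIDAYS:
        return True
    return in_window(when.time(), time(17), time(8))


# Per-door settings: when DFO/OTL monitoring is in effect, when the door auto-unlocks.
DOORS = {
    "Back Door": (back_door_monitored, lambda when: False),
    "Front Door": (lambda when: True, working_hours),
}


def monitoring_active(door, when):
    monitored, auto_unlocked = DOORS[door]
    return monitored(when) and not auto_unlocked(when)   # auto-unlock disables DFO/OTL


def alarms(door, events, now=None):
    """events: time-ordered (timestamp, kind) pairs, kind in 'grant', 'open', 'close'.

    Returns (door, 'DFO' or 'OTL', timestamp) records for the system journal.
    """
    out, last_grant, opened_at = [], None, None

    def held_open(until):
        # First moment past the limit at which monitoring is in effect and the door
        # is still open, checked at one-minute steps.
        t = opened_at + HELD_OPEN_LIMIT
        while t < until:
            if monitoring_active(door, t):
                out.append((door, "OTL", t))
                return
            t += timedelta(minutes=1)

    for ts, kind in events:
        if kind == "grant":
            last_grant = ts
        elif kind == "open":
            opened_at = ts
            granted = last_grant is not None and ts - last_grant <= GRANT_WINDOW
            if not granted and monitoring_active(door, ts):
                out.append((door, "DFO", ts))
        elif kind == "close" and opened_at is not None:
            held_open(ts)
            opened_at = None
    if opened_at is not None and now is not None:
        held_open(now)                                    # door is still propped open
    return out
```

A door propped open during permitted hours and left that way raises OTL once the monitored period begins, which is the case a check made only at the moment of opening would miss.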
The access control system automatically records various types of system "transactions" on the access control server computer's hard disk. The collection of these stored transactions is called the "system journal". The system journal is simply a computer database in which records of access control transactions are stored.
There are many different types of access control system transactions. Some of the more common types of transactions include:
Valid Access: An entry through a door using a valid access card.
Invalid Access Attempt: An attempt to use an access card at the wrong door or at the wrong time.
Door-Forced-Open (DFO) Condition: A door opened from the outside without the use of a valid access card.
Door-Open-Too-Long (OTL) Condition: A door propped open.
Equipment Failure Condition: Failure of a portion of the access control system or its related wiring.
Power Failure Condition: Loss of primary power to the access control system.
The system journal can normally store several months’ worth of transactions, depending on the volume of activity generated at the building, and the size of the computer's hard disk.
The access control system allows the creation of reports of various types of system transactions. These reports are created at the access control server computer; and may be displayed on screen, or printed on a computer printer.
Reports can be created based on a set of parameters defined by the person managing the access control system. Some of these parameters can include:
Specific types of transactions
Specific ranges of time
Specific ranges of dates
Specific access cards
The flexible nature of the reporting feature allows the person managing the access control to custom-tailor a report to meet their specific needs.
The following are some day-to-day operations that Mary Simpson, as manager of the access control system at the Administration Building, is likely to encounter:
Card Doesn't Work
Situation: Susan Bright attempts to use her card to get into the computer room this Wednesday. Her card does not allow access into the computer room as it should. Her card works fine at the building entrance doors. This is the first time that Susan has tried to use her card at the computer room door since the access control system was installed. Susan tells Mary that her card doesn't work.
Action: Mary checks the clearance code assigned to the card, and finds that she inadvertently assigned the wrong code. Mary reassigns the correct clearance code, and the card now works fine.
Lost Access Card
Situation: Sally Strong has lost her wallet which contains her access card. Sally tells Mary that her access card is lost.
Action: Mary immediately invalidates (cancels) Sally's lost access card. Mary gives Sally a new access card, and validates it using the appropriate clearance code.
Change Of Access Privilege
Situation: Bill Nelson, who previously only worked part-time, will become a full-time regular employee next week. Bill's supervisor asks Mary to upgrade Bill's card to permit access during regular work hours.
Action: Mary changes the clearance code assigned to Bill's card to a clearance code that corresponds to his new job responsibilities.
Situation: A new employee, Brian Wilson, is hired to work in the computer room. Brian will not be given building access privileges during his first 90 days, but will require daytime access to the computer room. Brian's supervisor asks Mary to issue Brian an access card.
Action: Mary issues Brian a new access card. Mary discovers that she does not have a clearance code that corresponds to Brian's access privileges, so she creates one, and then assigns it to Brian's card.
Situation: A janitorial employee, Steve Woods, has been terminated. The contract janitorial company notifies Mary that Steve has been terminated, but that he has not yet returned his Administration Building access card.
Action: Mary immediately invalidates the access card assigned to Steve Woods.
Change of Auto-Unlock Time
Situation: The management of the Administration Building decides that the front door of the building should open to the public at 7:00 A.M., rather than at 8:00 A.M. as it presently does.
Action: Mary redefines the automatic unlock time setting for the front door to 7:00 A.M.
Lock-Out Of Doors
Situation: The floors at the Administration Building are being refinished this weekend. It will take 24 hours for the new floor finish to dry. The building management has notified all employees not to enter the building this weekend, but is afraid that some employees may forget and come in anyway.
Action: Mary sets the access control system to temporarily disable the access privileges of all employees (except custodial workers) until Monday morning.
Creation Of Report
Situation: Last weekend, someone accidentally turned off the power to a critical piece of equipment in the computer room. John Smith, the department manager, thinks that the accident occurred on Saturday morning. John wants to know all of the employees who entered the computer room on Saturday. John asks Mary to create an access report.
Action: Mary uses the access control report feature to print out a report of all persons who entered the computer room last Saturday.
Optional System Enhancements
In addition to the standard access control system features described above, there are many optional features available. Some of these optional features include:
In some cases, it may be desirable to lock and unlock doors automatically. This is often done on buildings which are open to the public during the day, but are closed at night. In these cases, automatic locking and unlocking eliminates the need for a person to perform this function manually.
As indicated above, all doors which have a card reader already have the capability to be programmed to lock and unlock automatically.
In some cases however, the building management may wish to automatically lock and unlock doors that are not equipped with a card reader.
Doors which lock and unlock automatically but which do not have a card reader are called "Automatically Locked" doors. Automatically locked doors can be programmed to lock and unlock at specific times just like card reader controlled doors can. The cost of an automatically-locked door is less than the cost of a card reader controlled door.
Normally, automatically locked doors are used in conjunction with card reader doors. For example, in many buildings, there are four doors at each building entrance. To permit night entrance, one of these four doors is equipped with a card reader. The other three doors are equipped with electric lock hardware to allow them to be automatically locked. All four doors are then programmed to automatically lock and unlock at the same time.
Automatically locked doors usually also provide the "Door-Open-Too-Long" (OTL) monitoring feature to prevent them from being propped open.
In some cases, it is desirable to have door status monitoring on doors which are not card reader controlled and not automatically locked. A door that is connected to the access control system for monitoring purposes only is called a "monitored door".
To create a monitored door, a door position switch is installed on the door and wired into the access control field panel.
When a monitored door is opened, it reports to the access control system server computer. The actions to be taken when the door is opened can vary depending on how the system has been configured.
For example, at the Administration Building, there is a door that leads to the roof. Mary Simpson, the security coordinator, wants to know anytime that this door is opened. Mary arranges to have this door monitored by the access control system.
When the door to the roof is opened, it sounds an alert at the access control system server computer, notifying Mary. In addition, the event is recorded on the system journal at the server computer allowing future recall through the reporting feature.
Monitored doors can be configured to cause other system events to occur, such as sound audible alarms, turn on lights, etc. The actual sequence of events (what device is activated, when, for how long) can be defined on a door-by-door basis through the access control system software.
In many buildings, it may be desirable to secure only certain floors of the building. In these cases, it is often necessary to provide security control of the elevators to prevent unauthorized access to the secured floors of the building.
The access control system can be designed to provide security control of elevators. This feature is known as "elevator control".
Elevator control can be provided in one of two ways.
Simple elevator control is accomplished by providing a card reader at the elevator lobby. To call the elevator to the lobby, an access card is presented to the card reader, activating the elevator call button. Once the elevator has responded to the lobby, the person may enter and travel to any floor served by the elevator.
Simple elevator control works well when all access card holders are entitled to have access to all floors.
In some cases however, it is necessary to restrict access on a floor by floor basis. To accomplish this, a more sophisticated form of elevator control is required. This method requires that a card reader be installed in the cab of each elevator; and that a special electronic interface be made to the elevator controllers.
Using this more sophisticated method, it is possible to assign a clearance code to each access card that allows access only to a certain floor or group of floors.
In the examples used for the Administration Building, it has been assumed that all management of the access control system (set-up, card validation, creation of reports, etc.) would be accomplished from the server computer located in Mary Simpson's office.
In some cases, it is desirable to manage the access control system remotely. This can be accomplished in several ways. First, it is possible to install access control "client" software on other personal computers at the company. These use the network to communicate with the server computer and can be used to perform all system functions.
Second, many systems allow the use of a standard web browser interface to connect with the server computer. Authorized users can log on using a web browser on any computer to perform basic functions.
Finally, some access control systems offer mobile apps which allow management of the system using a smartphone.
The latest trend in access control systems is cloud-based systems. These systems operate using a server located off-site at a service provider's facility and eliminate the need for an access control server on the premises. The access control field panels communicate with the service provider's server using the internet. The cloud-based access control system is managed by the user using a web-browser interface.
Some cloud-based systems can be completely managed by the service provider, eliminating the need for an employee at the company to do any type of system programming at all. When using a managed system, the security coordinator at the building contacts the service provider when any type of programming change is needed.
For example, if Mary Simpson wanted to delete an access card for a terminated employee, she would simply call the service provider and ask them to cancel the access privileges of the terminated employee's card.
Silva Consultants is an independent security consulting firm and does not sell security equipment or products