Access Policy
ACCELERO has some quite clear concepts and rules to perform access control. Knowing what these concepts are is fundamental to understanding the suitability of the product and the operation of the system.
This page explains the fundamentals of ACCELERO's access control system. Understanding these concepts is crucial to configuring and operating the system correctly.
The Three Fundamental Points
1st Point: Control over People, not over Identifiers
The most important point of ACCELERO's access policy is that control is done over the PERSON, and not over the identifiers.
What this means:
Who can pass (or not pass) through a lock is the PERSON, not their identifier.
Exceptions:
- The identifier may be expired
- That specific type of identifier may not be accepted at that lock
The person is the one who has the access prerogatives, always.
Multiple Equivalent Identifiers
A person can have several identifiers at the same time:
- Proximity card
- Biometrics
- QRCode
- Numeric password
- Facial recognition
In principle, all will be absolutely equivalent to determine whether that person can or cannot pass through any lock.
Practical example:
Person: João Silva
Identifiers: Card #12345, Biometrics, QRCode
Scenario 1:
- João presents Card #12345 → System checks permissions of "João Silva"
- João has access to ROOM 03 from 08:00 to 18:00
- Current time: 10:00
- Result: ACCESS GRANTED
Scenario 2:
- João forgot the card
- João presents QRCode
- System checks permissions of the SAME person: "João Silva"
- The same rules apply
- Result: ACCESS GRANTED (if within the allowed time)
2nd Point: Permissions Determined in a Mixed Way
People's access prerogatives are always determined in two combined ways:
Way 1: Through Associated Categories
The person, on their own, cannot pass through any lock.
From the moment they are associated with categories, the person inherits access prerogatives.
Characteristics:
- A person can be associated with several categories at the same time
- Their access prerogative will be equivalent to the sum of the access prerogatives of all the associated categories that are valid for that specific moment
Example:
Person: Maria Santos
Categories:
- EMPLOYEES (permanently valid)
→ Access ROOM 03 Mon-Fri 08:00-18:00
- CLEANING (valid from 01/02/2024 to 31/03/2024)
→ Access SERVICE AREA 24h
Result on 15/02/2024 at 20:00:
- EMPLOYEES category valid → BUT outside the time (08:00-18:00)
- CLEANING category valid → 24h time
- Maria CAN access the SERVICE AREA
- Maria CANNOT access ROOM 03 (outside the time)
Way 2: Through Individual Permissions
The person can have individual access permissions.
Characteristics:
- Administration done "person by person"
- The most direct way to work and configure
- More laborious if it is necessary to change a lot of data at the same time
When to use:
- Simple systems: individual permissions bring agility and simplicity
- Complex systems: category policy brings flexibility
- Best of both worlds: combine both ways!
Combination: Categories + Individual Permissions
The category permissions and the individual permissions are summed to determine the complete set of permissions of a person.
Combined example:
Person: Carlos Souza
Category: EMPLOYEES
→ Access ROOM 03 Mon-Fri 08:00-18:00
Individual Permission:
→ Access ROOM 03 on Saturday 10/02/2024 from 09:00-13:00
(to perform sporadic work)
Result:
Monday to Friday: Access 08:00-18:00 (via category)
Saturday 10/02: Access 09:00-13:00 (via individual permission)
Other Saturdays: NO ACCESS
See People - Individual Permissions for more details.
3rd Point: Triple Relationship (Category × Area × Time Range)
In the case of category permissions, all access prerogatives are based on a triple relationship: category × area × time range.
What this means:
"Everyone who has the EMPLOYEES category
can enter ROOM 04
from MONDAY TO FRIDAY FROM 08:00 TO 18:00"
Components:
- Category: EMPLOYEES
- Area: ROOM 04
- Time Range: Monday to Friday, 08:00-18:00
Multiple Relationships
This allows quite detailed control over access prerogatives, since numerous relationships can be valid at the same time.
The same category can have access to several areas in various time ranges.
Complex example:
Category: EMPLOYEES
Relationships:
1. EMPLOYEES × RECEPTION × 24h
→ Unrestricted access to the reception
2. EMPLOYEES × OFFICE × Mon-Fri 07:00-20:00
→ Access to the office in extended hours
3. EMPLOYEES × MEETING ROOM × Mon-Fri 08:00-18:00
→ Access to the meeting room in business hours
4. EMPLOYEES × PARKING × 24h
→ Unrestricted access to the parking
Result for any person with the EMPLOYEES category:
- Can access RECEPTION at any time
- Can access OFFICE Mon-Fri 07:00-20:00
- Can access MEETING ROOM Mon-Fri 08:00-18:00
- Can access PARKING at any time
See Categories - Access Areas for more details.
Access Validation Flow
When a person tries to access a lock, the system runs the following check:
Step 1: Person Identification
Identifier presented → Which person?
The system searches which person is associated with that identifier.
Step 2: Record Verification
Person found → Valid record?
Verifications:
- Is the record enabled?
- Has the validity date not expired?
If the record is disabled or expired → ACCESS DENIED
Step 3: Search for Valid Categories
Valid record → Which valid categories?
The system searches all the categories associated with the person that are valid at the moment:
- Start date ≤ Current Date/Time
- End date ≥ Current Date/Time
Step 4: Search for Individual Permissions
Categories found → Individual permissions?
The system also searches the person's individual permissions valid for:
- Specific area being accessed
- Current Date/Time
Step 5: Combination of Permissions
Permissions = Categories + Individual
The permissions are summed:
- All the permissions of the valid categories
- PLUS all the valid individual permissions
Step 6: Verification of Access to the Area
Combined permissions → Can access THIS area NOW?
The system checks whether in the combined permissions there is authorization for:
- Area being accessed
- At the current time
- On the current day of the week
Step 7: Additional Verifications
Even with permission, the system checks:
- Is the identifier type accepted on this channel?
- Is the identifier not expired?
- Sufficient credits (if control is active)?
- Escort present (if required)?
- Biometrics validated (if required)?
- Anti-double entry ok (if active)?
- Blocking category active?
Step 8: Final Decision
All verifications OK → ACCESS GRANTED
Any verification failed → ACCESS DENIED
Advantages of the ACCELERO Policy
1. Flexibility
- Combine categories and individual permissions as needed
- Adapt to simple or complex scenarios
2. Scalability
- Change permissions of many people simultaneously (via categories)
- Or adjust person by person (via individual permissions)
3. Granularity
- Detailed control by area and time range
- Multiple simultaneous relationships
4. Temporality
- Categories with defined validity
- Ideal for visitors, temporary contracts, events
5. Operational Simplicity
- Operators do not need to understand identifiers
- Focus on the person and their permissions
Practical Scenarios
Scenario 1: Standard Employee
Person: João
Category: EMPLOYEES (no end validity)
Identifiers: Card #123, Biometrics
Permissions (via category):
- RECEPTION: 24h
- OFFICE: Mon-Fri 08:00-18:00
- CAFETERIA: Mon-Fri 11:30-14:00
Result:
- João can use ANY identifier
- Automatic access to the areas in the allowed times
- Does not need to request individual permission
Scenario 2: Temporary Visitor
Person: Maria (visitor)
Category: VISITORS
Validity: 15/02/2024 08:00 until 15/02/2024 18:00
Identifier: QRCode
Permissions (via category):
- RECEPTION: 24h
- MEETING ROOM 3: 24h
Result:
- Access valid ONLY on 15/02/2024
- After 18:00 on 15/02, the category expires
- Subsequent access attempt → DENIED
Scenario 3: Special Permission
Person: Carlos
Category: EMPLOYEES
→ OFFICE: Mon-Fri 08:00-18:00
Individual Permission:
→ OFFICE: Saturday 20/02/2024 09:00-13:00
Result:
Monday to Friday: Normal access via category
Saturday 20/02: SPECIAL access via individual permission
Other Saturdays: NO ACCESS
Scenario 4: Multiple Categories
Person: Ana
Categories:
1. EMPLOYEES
→ OFFICE: Mon-Fri 08:00-18:00
2. SECURITY
→ SERVER ROOM: 24h
→ GATEHOUSE: 24h
Result:
- Access to the OFFICE in business hours (category 1)
- Access to the SERVER ROOM 24h (category 2)
- Access to the GATEHOUSE 24h (category 2)
- SUMMED permissions
Best Practices
-
Use categories for general rules: Create categories for groups of people with similar permissions
-
Use individual permissions for exceptions: Reserve them for special and temporary cases
-
Configure appropriate validities: Visitors should have categories with an expiration date
-
Review periodically: Remove expired categories and permissions
-
Document your categories: Keep a record of the purpose of each category
-
Test before activating: Check permissions at various times before releasing
-
Use the triple relationship: Take advantage of the flexibility of area × category × time
Customizable Access Rule: Active Category Validation
ACCELERO allows you to configure a customizable access rule that validates whether the person's category is active at the moment of access. This additional rule can be enabled to complement the standard access policy verifications, including validation for vehicle escort (where the escort's category is checked).
Next Steps
- Categories - Configure categories and the triple relationship
- People - Associate categories and configure individual permissions
- Areas - Define control areas
- First Login - Start configuring the system