Skip to main content

Access Policy

ACCELERO has some quite clear concepts and rules to perform access control. Knowing what these concepts are is fundamental to understanding the suitability of the product and the operation of the system.

Essential Reading

This page explains the fundamentals of ACCELERO's access control system. Understanding these concepts is crucial to configuring and operating the system correctly.

The Three Fundamental Points

1st Point: Control over People, not over Identifiers

Central Concept

The most important point of ACCELERO's access policy is that control is done over the PERSON, and not over the identifiers.

What this means:

Who can pass (or not pass) through a lock is the PERSON, not their identifier.

Exceptions:

  • The identifier may be expired
  • That specific type of identifier may not be accepted at that lock

The person is the one who has the access prerogatives, always.

Multiple Equivalent Identifiers

A person can have several identifiers at the same time:

  • Proximity card
  • Biometrics
  • QRCode
  • Numeric password
  • Facial recognition
Equivalence

In principle, all will be absolutely equivalent to determine whether that person can or cannot pass through any lock.

Practical example:

Person: João Silva
Identifiers: Card #12345, Biometrics, QRCode

Scenario 1:
- João presents Card #12345 → System checks permissions of "João Silva"
- João has access to ROOM 03 from 08:00 to 18:00
- Current time: 10:00
- Result: ACCESS GRANTED

Scenario 2:
- João forgot the card
- João presents QRCode
- System checks permissions of the SAME person: "João Silva"
- The same rules apply
- Result: ACCESS GRANTED (if within the allowed time)

2nd Point: Permissions Determined in a Mixed Way

People's access prerogatives are always determined in two combined ways:

Way 1: Through Associated Categories

Fundamental Concept

The person, on their own, cannot pass through any lock.

From the moment they are associated with categories, the person inherits access prerogatives.

Characteristics:

  • A person can be associated with several categories at the same time
  • Their access prerogative will be equivalent to the sum of the access prerogatives of all the associated categories that are valid for that specific moment

Example:

Person: Maria Santos
Categories:
- EMPLOYEES (permanently valid)
→ Access ROOM 03 Mon-Fri 08:00-18:00
- CLEANING (valid from 01/02/2024 to 31/03/2024)
→ Access SERVICE AREA 24h

Result on 15/02/2024 at 20:00:
- EMPLOYEES category valid → BUT outside the time (08:00-18:00)
- CLEANING category valid → 24h time
- Maria CAN access the SERVICE AREA
- Maria CANNOT access ROOM 03 (outside the time)

Way 2: Through Individual Permissions

The person can have individual access permissions.

Characteristics:

  • Administration done "person by person"
  • The most direct way to work and configure
  • More laborious if it is necessary to change a lot of data at the same time

When to use:

  • Simple systems: individual permissions bring agility and simplicity
  • Complex systems: category policy brings flexibility
  • Best of both worlds: combine both ways!

Combination: Categories + Individual Permissions

Summed Permissions

The category permissions and the individual permissions are summed to determine the complete set of permissions of a person.

Combined example:

Person: Carlos Souza
Category: EMPLOYEES
→ Access ROOM 03 Mon-Fri 08:00-18:00

Individual Permission:
→ Access ROOM 03 on Saturday 10/02/2024 from 09:00-13:00
(to perform sporadic work)

Result:
Monday to Friday: Access 08:00-18:00 (via category)
Saturday 10/02: Access 09:00-13:00 (via individual permission)
Other Saturdays: NO ACCESS

See People - Individual Permissions for more details.

3rd Point: Triple Relationship (Category × Area × Time Range)

Triple Relationship

In the case of category permissions, all access prerogatives are based on a triple relationship: category × area × time range.

What this means:

"Everyone who has the EMPLOYEES category
can enter ROOM 04
from MONDAY TO FRIDAY FROM 08:00 TO 18:00"

Components:

  1. Category: EMPLOYEES
  2. Area: ROOM 04
  3. Time Range: Monday to Friday, 08:00-18:00

Multiple Relationships

Detailed Control

This allows quite detailed control over access prerogatives, since numerous relationships can be valid at the same time.

The same category can have access to several areas in various time ranges.

Complex example:

Category: EMPLOYEES

Relationships:
1. EMPLOYEES × RECEPTION × 24h
→ Unrestricted access to the reception

2. EMPLOYEES × OFFICE × Mon-Fri 07:00-20:00
→ Access to the office in extended hours

3. EMPLOYEES × MEETING ROOM × Mon-Fri 08:00-18:00
→ Access to the meeting room in business hours

4. EMPLOYEES × PARKING × 24h
→ Unrestricted access to the parking

Result for any person with the EMPLOYEES category:
- Can access RECEPTION at any time
- Can access OFFICE Mon-Fri 07:00-20:00
- Can access MEETING ROOM Mon-Fri 08:00-18:00
- Can access PARKING at any time

See Categories - Access Areas for more details.

Access Validation Flow

When a person tries to access a lock, the system runs the following check:

Step 1: Person Identification

Identifier presented → Which person?

The system searches which person is associated with that identifier.

Step 2: Record Verification

Person found → Valid record?

Verifications:

  • Is the record enabled?
  • Has the validity date not expired?
Immediate Block

If the record is disabled or expired → ACCESS DENIED

Step 3: Search for Valid Categories

Valid record → Which valid categories?

The system searches all the categories associated with the person that are valid at the moment:

  • Start date ≤ Current Date/Time
  • End date ≥ Current Date/Time

Step 4: Search for Individual Permissions

Categories found → Individual permissions?

The system also searches the person's individual permissions valid for:

  • Specific area being accessed
  • Current Date/Time

Step 5: Combination of Permissions

Permissions = Categories + Individual

The permissions are summed:

  • All the permissions of the valid categories
  • PLUS all the valid individual permissions

Step 6: Verification of Access to the Area

Combined permissions → Can access THIS area NOW?

The system checks whether in the combined permissions there is authorization for:

  • Area being accessed
  • At the current time
  • On the current day of the week

Step 7: Additional Verifications

Even with permission, the system checks:

  • Is the identifier type accepted on this channel?
  • Is the identifier not expired?
  • Sufficient credits (if control is active)?
  • Escort present (if required)?
  • Biometrics validated (if required)?
  • Anti-double entry ok (if active)?
  • Blocking category active?

Step 8: Final Decision

All verifications OK → ACCESS GRANTED
Any verification failed → ACCESS DENIED

Advantages of the ACCELERO Policy

1. Flexibility

  • Combine categories and individual permissions as needed
  • Adapt to simple or complex scenarios

2. Scalability

  • Change permissions of many people simultaneously (via categories)
  • Or adjust person by person (via individual permissions)

3. Granularity

  • Detailed control by area and time range
  • Multiple simultaneous relationships

4. Temporality

  • Categories with defined validity
  • Ideal for visitors, temporary contracts, events

5. Operational Simplicity

  • Operators do not need to understand identifiers
  • Focus on the person and their permissions

Practical Scenarios

Scenario 1: Standard Employee

Person: João
Category: EMPLOYEES (no end validity)
Identifiers: Card #123, Biometrics

Permissions (via category):
- RECEPTION: 24h
- OFFICE: Mon-Fri 08:00-18:00
- CAFETERIA: Mon-Fri 11:30-14:00

Result:
- João can use ANY identifier
- Automatic access to the areas in the allowed times
- Does not need to request individual permission

Scenario 2: Temporary Visitor

Person: Maria (visitor)
Category: VISITORS
Validity: 15/02/2024 08:00 until 15/02/2024 18:00
Identifier: QRCode

Permissions (via category):
- RECEPTION: 24h
- MEETING ROOM 3: 24h

Result:
- Access valid ONLY on 15/02/2024
- After 18:00 on 15/02, the category expires
- Subsequent access attempt → DENIED

Scenario 3: Special Permission

Person: Carlos
Category: EMPLOYEES
→ OFFICE: Mon-Fri 08:00-18:00

Individual Permission:
→ OFFICE: Saturday 20/02/2024 09:00-13:00

Result:
Monday to Friday: Normal access via category
Saturday 20/02: SPECIAL access via individual permission
Other Saturdays: NO ACCESS

Scenario 4: Multiple Categories

Person: Ana
Categories:
1. EMPLOYEES
→ OFFICE: Mon-Fri 08:00-18:00
2. SECURITY
→ SERVER ROOM: 24h
→ GATEHOUSE: 24h

Result:
- Access to the OFFICE in business hours (category 1)
- Access to the SERVER ROOM 24h (category 2)
- Access to the GATEHOUSE 24h (category 2)
- SUMMED permissions

Best Practices

  1. Use categories for general rules: Create categories for groups of people with similar permissions

  2. Use individual permissions for exceptions: Reserve them for special and temporary cases

  3. Configure appropriate validities: Visitors should have categories with an expiration date

  4. Review periodically: Remove expired categories and permissions

  5. Document your categories: Keep a record of the purpose of each category

  6. Test before activating: Check permissions at various times before releasing

  7. Use the triple relationship: Take advantage of the flexibility of area × category × time

Customizable Access Rule: Active Category Validation

ACCELERO allows you to configure a customizable access rule that validates whether the person's category is active at the moment of access. This additional rule can be enabled to complement the standard access policy verifications, including validation for vehicle escort (where the escort's category is checked).

Next Steps

  • Categories - Configure categories and the triple relationship
  • People - Associate categories and configure individual permissions
  • Areas - Define control areas
  • First Login - Start configuring the system