3. How Electronic Access Control Systems Work
Chapter objectives
1. Understand Access Control System Users
2. Understand Access Control System Portals
3. Understand Credential Readers
4. Introduction to Locks, Alarms, and Exit Devices
5. Learn about Access Zones and Schedules
6. Learn about Data, Data Retention, and Reports
7. Introduction to Database Maintenance
8. Learn about Access Control System Architecture
CHAPTER OVERVIEW
This chapter is about Electronic Access Control Systems concepts and how they work. It is important to read this chapter very carefully and be certain that you understand everything in it. Go over the Chapter Objectives and the Chapter Summary. Everything else you read in this book is based on the material in this chapter.
Electronic Access Control Systems comprise electronic elements, physical elements, operational elements, and logical elements to create a complete working system that facilitates rapid and reliable access to authorized users in a facility at minimum long-term cost to the organization.
This book is written in a hierarchical fashion; that is, the concepts are related first and then expanded in greater detail later in the book. Accordingly, you will see repetition throughout the book, but that repetition is designed to instill learning in a layered fashion: laying down the foundation and then building layer by layer until the understanding forms a complete structure in your head.
Keywords: Electronic Access Control Systems, Electronic Elements, Layered, Logical Elements, Operational Elements, Physical Elements, Repetition
Author Information:
Thomas L. Norman, CPP, PSP, CSC, Executive Vice President, Protection Partners International
Access Control elements include:
• Users
• Access Portals
• Credentials and Credential Readers
• Credential Authorization Process
• Locks, Alarms, and Exit Devices
• Access Zones and Schedules
• Access Control System Database
• Communications Infrastructure
• Access Control Policies and Procedures

First, A Little History

While Electronic Access Control Systems have only been around for about 50 years, the need for Access Control has been around a lot longer.
First it is essential to understand how access control needs were met prior to the use of Electronic Access Control Systems. Good Access Control Programs have always included all of the following elements:
• Basic Access Control Policies:
• All areas under the purview of the organization will be organized logically into Access Areas (includes many Portals that are logically related together such as all of the doors in a department).
• Each organization department or unit will determine where its employees need access. All organizational departments and units will be organized into Access Groups (includes the Access Areas that that department or unit's employees will need access to and the Schedule for which the group may have access to an Access Area).
• Individual organization employees will be assigned to one or more departmental Access Groups.
• Each employee will receive an Access Credential (have a unique number to look up on an authorized user list).
• Each employee may use his/her Access Credential to acquire access to a portal within an authorized Access Group during the authorized Schedule for that Access Group.
• Use:
• Authorized users approach an Access Portal (door, gate, etc.) and present their Access Credential to a Credential Reader (in the old days, this was a guard).
• The Credential Reader verifies the Credential against a database (in the old days, this was a daily authorized list) of authorized Credential holders.
• The Credential Reader then verifies the holder against the photo on the Credential (usually a card).
• Contractors and visitors:
• Similar policies will be developed to handle contractors and visitors.
• Typically a department will notify the front desk of a pending visit ahead of time.
• Contractors may be given their own cards or such cards may be held at the Security Reception Desk.
• Audit:
• All access control records should be audited regularly to ensure that policies are applied properly.
In the days before Electronic Access Control Systems all of these policies were carried out manually by a staff of trained Security Officers. Electronic Access Control Systems embed all of those functions (except possibly visual confirmation of the photo) into electronics.

The Basics

Electronic Access Control Systems are digital networks that control access to security portals. A security portal is an entry into or out of a security boundary. Most Electronic Access Control Systems also function as an intrusion alarm system. From this point forward we will assume that the systems we are discussing have an alarm system element. Electronic Access Control Systems comprise field equipment (sensors and controlled devices), decision modules, a communications network, one or more databases, and one or more human interface terminals (computer workstations).
Less obvious are the “soft” elements of the Access Control System. These include the Users, Policies and Procedures, the Management and Reporting Structure, and the use of the system to enhance continuing evaluation of the overall Security Program.
The most obvious elements of an Electronic Access Control System are the Field Elements: Access Control System Portals (for pedestrians or vehicles), alarm sensors, and any controlled devices such as roll-up doors and lights. Pedestrian Access Control portals typically include a door, a credential reader, an electronically controlled door lock, a door position switch, and a request-to-exit sensor.
These devices connect to an Access Control Panel, which grants access authorizations based upon comparing the credential presented at the door against a database of authorized credentials. The Access Control Panel communicates to a Server via a proprietary or TCP/IP computer network. The Server maintains one or more databases including the master database of authorized users, equipment configuration records, access control groups, and schedules. It also includes access control events (requests/authorizations/denials) and alarm events. The server is operated by one or more workstations that are used for system configurations, interactive access and alarm notifications, and reports.
The entire system should be operated according to an established Access Control Policy.

Authorized Users, User Groups, Access Zones, Schedules and Access Groups

Authorized Users

Just as you hand out keys to your home's front door carefully, access to Access Control Portals is granted only to authorized users. User authorizations are granted based upon need. Users may be authorized because they are employees, regular contractors or vendors, or, temporarily, legitimate visitors.
Each Access Control System utilizes a type of credential that authorized users can use to submit to the Access Control System as evidence that they are authorized. The system will analyze the credential and verify that it is valid. The system then allows the user to pass through the portal.

User Groups

User programming can be simplified by putting users of a common type into User Groups. Thus, all employees might be in the Employee Group, Janitors in the Janitorial Group, and Managers in the Manager's Group.

Access Zones

In most systems, a group of logically related security portals may be grouped together to form an Access Zone, which might include:
• Building Public Perimeter Doors
• All doors within a department
• Freight Elevators
• Public Elevators
• The entire Ninth Floor
The use of Access Zones simplifies access control permissions. Instead of giving a single user authorization to every individual door to which he/she needs access, the Security Department can just grant access to the Access Zones to which this user needs to go. Thus instead of programming a user into thirty-five doors, he/she can be programmed into only four Access Zones.

Schedules

In most cases, users do not need, nor should they have access to all authorized doors at all times. Accordingly, most users' access privileges are assigned to schedules, which might include:
• 24/7/365
• Daytime Shift
• Evening Shift
• Late Night Shift
• Weekends
• Holidays
• Special Event

Access Groups

So guess what? If Access Zones simplify user programming and Schedules simplify it even more, wouldn't it be a good idea to keep up this simplification trend? You bet it would. That is how Access Groups came to be.
An Access Group is a combination of User Groups, Access Zones, and Schedules. In this way, a large number of users can be programmed for access to a logical group of portals on a particular schedule or schedules, like Office Hours plus Weekends.

Portals

The idea of an Access Control Portal is central to the entire concept of Access Control Systems. An Access Control Portal is a passageway through which a person or vehicle must pass from one space into a more controlled or restricted space and in which only authorized persons are allowed. The discussion on Portals in this chapter is introductory. Portals are covered in greater detail in Chapter 5.

Types of Portals

There are two basic types of Access Control Portals: those for pedestrians and those for vehicles. Each type has many variations (Figure 3.1).
Figure 3.1
Access control portals.
Virtually every Access Control Portal has the following five common elements:
• A Lockable, Operable Barricade
• An Identity Verification Method or Device
• A Locking Mechanism
• An Alarm-Sensing Device
• A Request-to-Exit Sensor
From the most common single-leaf door to the most complex vehicle security checkpoint, all have these elements in common.
Common Portals: The most common type of pedestrian portal is a single- or double-leaf door. This is a common door with a Credential Reader, Electrified Lock, Door Position Switch (DPS; alarm-sensing device), and some type of Request-to-Exit sensor (push button, motion detector, panic bar, etc.). Other common types of portals include revolving doors, automatic doors, and Man-Traps. A Man-Trap is a vestibule with a door leading into and out of the vestibule with no exit in between. Typical man-traps require a credential to enter and a credential to exit. The primary purpose of a man-trap is to ensure that no unauthorized user can pass through the portal while the door is open. Other common portals include Elevator Lobbies, Elevators, and Automatic Doors.
Tailgating: The most common security problem related to Electronic Access Control System Portals is “tailgating.” This is when one or more people follow an authorized user through an access portal after it has been opened by the authorized user. In common usage, an authorized user presents his credential and opens the door. As he walks through, an unauthorized person catches the closing door and enters behind the authorized user. This is a serious problem with Electronic Access Control Systems and it is one that Security Program Managers have to address. We will deal with this in more detail later in the book.

Credential Readers

The operational entry barrier to every Access Control Portal is its Credential Reader. Authorized users have a valid credential and may enter; unauthorized users do not have a valid credential and thus cannot enter.
The three types of credential readers include Card Readers, Keypads, and Biometric Readers. We will cover these in great detail in Chapter 4.

Electrified Locks

The two fundamental components at an Access Controlled Door are the Credential Reader and the Electrified Lock. One authorizes entry and the other allows it to occur. There are two basic types of Electrified Locks from a safety standpoint: (1) Fail Safe and (2) Fail Secure. Fail-Safe locks can be opened for exiting when power is not on and Fail-Secure locks cannot be opened for exiting when power is off.
Some locks by their very nature are Fail Safe, such as magnetic locks and Electrified Panic Hardware. As a magnetic lock requires electricity to hold secure, when power is lost the lock unlocks. Electrified Panic Hardware uses the principle of “Free Mechanical Egress”; that is, regardless of the state of the lock, when one pushes on the panic bar, the door opens. Other locks can be found in both types, such as electrified mortise locks, electrified cylinder locks, and electrified dead bolts.

Safety Systems

No matter what else, it is imperative that people inside a locked area are able to exit in case of an emergency. This is a “Life-Safety” function. Electronic Access Control Systems must be designed and installed to place Life Safety at the top of the list in priorities. There are very few circumstances in which Life Safety takes a back seat to security. Having designed Access Control Systems for over 35 years and having designed some of the most secure facilities in the world, I can tell you that there is almost never a case in which a Life-Safety provision is not paramount in the design of an Access Control Portal.
One key safety system is the interface between the electrified locks and the building fire alarm system. Wherever there is a fire alarm in a building, there must be a fire alarm interface to unlock all doors in the building in response to fire detection.
There has been a great deal of discussion on this. [1] The discussion falls into three camps: (1) unlock all doors in the building so that everyone can exit quickly without relying on the access control system in any way, (2) unlock only doors related to the floor of the fire so that the rest of the building remains secure, and (3) allow the Access Control System to do its job so that all doors remain secure.
[1] A quick Google search on "access control fire alarm interface" will uncover many competing points of view on how and in what manner fire alarms should be interfaced to access control systems; and indeed some opinions that they should not be interfaced.
There is, however, no discussion on this among fire authorities. Every fire authority insists that all doors are unlocked in a fire emergency. This is not only for the quick exiting of occupants but also the quick entrance of fire department responders. Chapter 8 deals with Locks and Fire Ratings.

Alarm Monitoring

Because Access Control Portals are entries through a security boundary, they are likely points of illegal entry. It is essential that those monitoring the boundary for illegal intrusions be alerted if a person attempts to use the Access Control Portal improperly.
In its most basic form, this will include a DPS that monitors the closure of the door. When the door is opened without authorization from the Credential Reader, an alarm is sent to the alarm-monitoring software.

Request-to-Exit Sensors

Now we understand how authorized users enter through an Access Control System Portal, but they must also be able to exit through it. This involves several things:
• Unlock the door to allow exiting.
• Bypass the DPS so that no alarm occurs when the door is opened. The passage must be interpreted as an authorized exit, not an unauthorized entry.
• Log the exit in the database as an authorized exit.

Credentials and Credential Readers

A credential is evidence of authority, status, right, or entitlement to privileges. [2] As we said earlier, authorized users utilize credentials to submit to the system so that it can make an authorization decision. The discussion on Credentials and Credential Readers in this chapter is introductory. A complete discussion on Access Credentials and Credential Readers is covered in Chapter 4.
[2] From dictionary.com.
Before Electronic Access Control Systems, procedural methods using coded cards, passwords, and codes were used to gain authorized entry to secure areas in high-security military and military industrial complexes, mints, and other very high security facilities. At the Manhattan Project, where the first atomic bombs were designed and built, security was handed over to the Army because it was their conviction that it was the organization best prepared during wartime to enforce a foolproof system of security. [3] Manhattan Project physical security included a Technical Fence separating the industrial project from the housing areas, patrols, and access controlled gates using officers and credentialed employees. This was supplemented by a comprehensive operational security program including plant inspections and technical and undercover investigations. Employees would present their credential each day to an officer at a gate who would check the credential and the employee's identification papers against a list of authorized employees and their credential information. Check and countercheck.
[3] National Counterintelligence Center, Counter-Intelligence in World War II, Chapter 1. http://www.fas.org/irp/ops/ci/docs/ci2/.
In modern Electronic Access Control Systems, users present an electronic credential to an electronic credential reader. Credentials may be something you have (an access card), something you know (a keypad code), or something unique to you (fingerprint, voice, iris pattern, etc.). Credential Readers may be card readers, keypads, or biometric readers.

Credential Authorization

The Credential Reader is an electronic device that reads one or more types of Access Credentials and converts the credential information into a coded data stream that it passes to the Access Control Panel for interpretation. From there, all action is controlled by the Access Control Panel.
The Access Control Panel contains a connection to the Credential Reader, lock (or portal activating device), alarm point, request-to-exit sensor, and data communications to a server through some type of network. It also contains a small computer that communicates with the server and with the access portal(s) connected to it.
The Access Control Panel is the principal device making access control decisions. It does this by receiving a coded data stream from the Credential Reader (corresponding to the Credential presented at the reader) and comparing that with a database that it has received from the server. It performs a look-up comparison and then issues an access decision (grant/deny access). If access is granted, it deactivates the lock by triggering an output control point, bypasses the alarm (in software), and (typically) logs the event into an access control event database. This event is also sent to the server to a master dataset.
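The look-up comparison described above, combined with the Access Group model from earlier in the chapter (User Groups, Access Zones, and Schedules), can be sketched in a few lines. This is an added illustration, not code from the book or from any vendor's panel; the class names, credential numbers, portal names, and shift hours are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, time

WEEKDAYS = frozenset(range(5))  # Monday=0 .. Friday=4


@dataclass(frozen=True)
class Schedule:
    name: str
    days: frozenset   # weekday numbers on which the window starts
    start: time
    end: time

    def covers(self, when: datetime) -> bool:
        t, day = when.time(), when.weekday()
        if self.start == self.end:       # whole-day window, e.g. 24/7/365
            return day in self.days
        if self.start < self.end:        # window inside one calendar day
            return day in self.days and self.start <= t < self.end
        # Window wraps past midnight (Late Night Shift): the early-morning
        # part belongs to the shift that began on the previous day.
        if t >= self.start:
            return day in self.days
        return t < self.end and (day - 1) % 7 in self.days


@dataclass(frozen=True)
class AccessGroup:
    name: str
    user_groups: frozenset
    zones: frozenset
    schedules: tuple


@dataclass
class Panel:
    credentials: dict     # credential number -> (user, frozenset of User Groups)
    zones: dict           # Access Zone name -> set of portal ids
    access_groups: list
    events: list = field(default_factory=list)

    def decide(self, credential: int, portal: str, when: datetime):
        granted, reason = self._lookup(credential, portal, when)
        # Grants and denials are both logged; a real panel would also
        # forward the event to the server's master dataset.
        self.events.append((when.isoformat(), portal, credential, granted, reason))
        return granted, reason

    def _lookup(self, credential, portal, when):
        holder = self.credentials.get(credential)
        if holder is None:
            return False, "unknown credential"
        _, groups = holder
        candidates = [
            ag for ag in self.access_groups
            if ag.user_groups & groups
            and any(portal in self.zones.get(z, ()) for z in ag.zones)
        ]
        if not candidates:
            return False, "portal not in an authorized zone"
        for ag in candidates:
            for sched in ag.schedules:
                if sched.covers(when):
                    return True, f"{ag.name} / {sched.name}"
        return False, "outside schedule"


def build_sample_panel() -> Panel:
    """Constructed sample database: two users, two zones, two schedules."""
    day = Schedule("Daytime Shift", WEEKDAYS, time(7, 0), time(18, 0))
    night = Schedule("Late Night Shift", WEEKDAYS, time(22, 0), time(6, 0))
    return Panel(
        credentials={
            1001: ("alice", frozenset({"Employees"})),
            2002: ("joe", frozenset({"Janitorial"})),
        },
        zones={
            "Perimeter": {"lobby-door"},
            "Ninth Floor": {"9-east", "9-west"},
        },
        access_groups=[
            AccessGroup("Office Hours", frozenset({"Employees"}),
                        frozenset({"Perimeter", "Ninth Floor"}), (day,)),
            AccessGroup("Night Cleaning", frozenset({"Janitorial"}),
                        frozenset({"Ninth Floor"}), (night,)),
        ],
    )
```

Note the midnight case: a Friday Late Night Shift still authorizes the janitor at 02:00 on Saturday, while 02:00 on Monday is denied because no shift began on Sunday.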

Locks, Alarms, and Exit Devices

An access control portal requires some method to lock the portal or it would not be much of a deterrent against unauthorized access. Almost all Portals also have an alarm point of some kind to detect unauthorized intrusion attempts. Finally, almost all Portals also have a Request-to-Exit Sensor so that persons inside the secured space can exit freely.
The discussion on Electrified Locks, Alarms, and Exit Devices in this chapter is introductory. Electrified Locks are discussed in detail in Chapter 9, Chapter 10, Chapter 11, Chapter 12, and Chapter 13; Alarms are discussed in detail in Chapter 20; and Exit Devices are discussed in detail in Chapter 6.

Electrified Locks

There are four basic types of Electrified Locks:
• Electrified Mortise and Cylinder Locks
• Magnetic Locks
• Electrified Panic Hardware
• Electric Strikes
There are two common variations of Electrified Locks: Fail Safe and Fail Secure. Fail-Safe locks unlock when power is removed and Fail-Secure locks remain locked when power is removed. This decision has life-safety and code-compliance implications, so be certain to use the correct lock. A complete discussion of this is presented in Chapter 6.
Electrified Mortise and Cylinder Locks are simply electrified versions of conventional mechanical door locks. They use an electric solenoid within the lock to engage a small pin that keeps the lock from opening. Electrified Mortise Locks can be very robust and secure locks because they are well fitted into the door and their strength relies on the strength of the door. Electrified Cylinder Locks are to be avoided for anything but very light access control. They are not a security device because they cannot stand up to even moderate force. Electrified Mortise locks can also be ordered with an integral DPS, lock monitoring switch, and integral request-to-exit sensor within the handle itself.
Perhaps the most common type of Electrified Lock is the Magnetic Lock. Magnetic locks work by putting electricity through an electromagnet attached to the door frame that holds tightly to a steel plate attached to the door. All magnetic locks are Fail Safe and come in two varieties: Plate Locks and Shear Locks. Plate Locks place the steel plate on the vertical surface of the door. The magnet is attached to the door frame with the electromagnet exposed vertically. The steel plate and electromagnet come together as the door closes and they touch each other. Shear Locks place the steel plate in a recessed area on the top of the door and the electromagnet is placed in the top of the door frame pointing down. As the door closes the plate takes its position under the electromagnet. When the electromagnet energizes, the plate is drawn up to the magnet, locking the door. When power is removed, the plate falls back into the recess in the top of the door.
Electrified Panic Hardware is conventional or specialized panic hardware (a push bar on the door) that is electrified to perform a remotely controlled locking function. Often the panic bar also contains a request-to-exit switch that activates when the panic bar is pushed. Electrified Panic Hardware is available in a rim-mounted type (surface-mounted) or mortise-lock type, or it may lock using vertical bars that latch into strike pockets at the top, bottom, or top and bottom of the door. Vertical bars may be surface mounted or concealed inside the door.
Electric Strikes are remotely operable latchbars that replace a conventional fixed strike faceplate in a door frame. The door lock for that door is typically a conventional mechanical cylinder or mortise lock that latches into the latchbar of the Electric Strike. The Electric Strike typically has a beveled or angled surface that allows the door lock latchbolt to close into a keeper space in the Electric Strike pocket, behind the Electric Strike latchbar. When the power state of the Electric Strike is changed (turned off or on from its static state), the latchbar is released and allows the door to open without retracting the latchbolt (the lock swings freely out of the Electric Strike latch pocket when the strike is unlocked). Electric Strikes are available in either Fail Secure or Fail Safe and in either AC or DC versions. The AC versions make a buzzing sound when unlocked, notifying the person at the door that the door can be opened.

Alarms

Most Portals are equipped with an alarm point to let the Security Staff know if the door is being forced open by an unauthorized user, without the assistance of the Access Control System, or if it is being held open after a legitimate opening. This is typically in the form of a magnetic DPS at the top of the door. A magnetic switch in or on the door frame is held close to a door magnet in or at the top of the door. When the door opens the magnet moves away from the switch and allows the switch to change state. Magnetic switches may be normally open or normally closed.
Other types of alarm devices exist that are used in conjunction with Access Control Systems. These will be discussed in detail in Chapter 20.

Exit Devices

Since the Access Portal on the boundary of a secure space is typically locked, those inside the secure space have a need to exit by unlocking and opening the Access Portal. This can be done by one of two methods: Request-to-Exit Sensors or Free Mechanical Egress Devices.
Request-to-Exit Sensors are electronic sensors (usually a motion sensor or a push button) that signal the Access Control System to unlock the door and to bypass the alarm when the door is opened for an authorized user to exit.
Free Mechanical Egress Devices are Electrified Locks that function mechanically to allow exiting no matter what the condition of the Access Control System. Examples include Electrified Mortise Locks and Electrified Panic Hardware. In both cases, the user only has to operate the lock as any other normal mechanical lock and open the door to exit. Typically these types of locks are also coupled up with Request-to-Exit Sensors, which are used only to notify the Access Control System to bypass the door alarm because an authorized exit is occurring. The Request-to-Exit Sensor may be a motion detector or a switch within the lock.
Chapter 6 covers Exit Devices and Life-Safety principles in detail.
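The interplay of the Credential Reader, the DPS, and the Request-to-Exit Sensor described in the Alarms and Exit Devices sections can be shown as a small event classifier. This is an added illustration, not code from the book; the event names, the 5-second bypass window, and the 30-second held-open limit are assumptions chosen for the example, and the event log is constructed.

```python
# Event kinds (hypothetical names): "grant" = reader authorization,
# "rex" = Request-to-Exit Sensor, "dps_open"/"dps_close" = door position switch.

def classify(events, shunt_s=5, held_open_s=30, now=None):
    """Turn a portal's raw event stream into access and alarm findings.

    events: iterable of (seconds, kind) tuples.
    now:    optional current time, used to flag a door that is still open.
    """
    findings = []
    auth = None        # (time, "entry" | "exit") of the latest unused authorization
    opened_at = None   # time the door last opened, or None while closed

    for t, kind in sorted(events, key=lambda e: e[0]):
        if kind == "grant":
            auth = (t, "entry")
        elif kind == "rex":
            auth = (t, "exit")
        elif kind == "dps_open":
            opened_at = t
            if auth is not None and t - auth[0] <= shunt_s:
                # Alarm is bypassed: the opening matches a recent authorization.
                findings.append((t, f"authorized {auth[1]}"))
            else:
                # No authorization, or it went stale before the door moved.
                findings.append((t, "door forced open"))
            auth = None    # one authorization covers one opening
        elif kind == "dps_close":
            if opened_at is not None and t - opened_at > held_open_s:
                findings.append((opened_at + held_open_s, "door held open"))
            opened_at = None

    # Door never closed: raise held-open if the limit has already passed.
    if opened_at is not None and now is not None and now - opened_at > held_open_s:
        findings.append((opened_at + held_open_s, "door held open"))

    return sorted(findings)


# Constructed sample log for one door (times in seconds).
SAMPLE_LOG = [
    (0, "grant"), (2, "dps_open"), (8, "dps_close"),        # normal entry
    (60, "rex"), (61, "dps_open"), (66, "dps_close"),       # normal exit
    (120, "dps_open"), (124, "dps_close"),                  # no authorization
    (200, "grant"), (203, "dps_open"), (260, "dps_close"),  # propped for 57 s
    (300, "grant"), (320, "dps_open"), (325, "dps_close"),  # grant expired
]

if __name__ == "__main__":
    for when, finding in classify(SAMPLE_LOG):
        print(f"{when:>4}s  {finding}")
```

A held-open alarm is the only signal this logic gives that more than one person may have used a single opening; the DPS alone cannot count people passing through.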

Data, Data Retention, and Reports

Electronic Access Control Systems use stored data to operate and analyze security patterns.
From all of the information previously mentioned, it is clear to see that Electronic Access Control Systems manage a wide variety of data including:
• Access Portals
• Alarm Points
• Output Controls
• Schedules
• Users
• User Groups
• Access Zones
• Access Groups
• Access Control Request/Granting History
• Event Programming
• Event History
Depending on the Brand and Model of Electronic Access Control System, these and other datasets may be kept in the Server and Access Control Panels. In every case, the Server will hold a Master Alarm/Access Control Database to which Access Control Panels link and report their event history.
These data will be held for a determinate time period or indefinitely (depending on hard disk space). These data not only provide the foundational information from which all access control and event decisions are made and executed, but they are also the source of system reports. In most cases the data will be stored internally in the Alarm/Access Control System server(s). However, if the system is part of a larger system that includes a digital video archiving system, a choice may be made to store the Alarm/Access Control System data on a Storage Area Network along with the Digital Video System data.
Reports can be run on system configurations, system status, and system events.
Chapter 17 contains detailed information on Access Control Panels and Networks, and Chapter 18 includes expanded information on Access Control System Servers and Workstations including more about Data, Data Retention, and Reports.

Chapter Summary

1. Good Access Control Programs have always included:
• Basic Access Control Policies
• Usage Policies
• Provisions for Contractors and Vendors
• An Audit Method
2. Access Control Systems are digital networks that control access to security portals.
3. Most Access Control Systems also function as Intrusion Alarm Systems.
4. Systems must be supported by “soft” elements including the Users, Policies and Procedures, the Management and Reporting Structure, and the use of the system to enhance continuing evaluation of the overall Security Program.
5. The hardware elements include field elements, access control panels, servers, and workstations.
6. Authorized users may be employees, regular contractors or vendors, or visitors.
7. Users may be combined into a User Group according to their common access needs.
8. Access Portals may be combined into an Access Zone.
9. Access is normally granted according to a schedule.
10. Access Groups can be assembled from User Groups, Access Zones, and Schedules.
11. Virtually every Access Control portal has the following five common elements:
• A Lockable, Operable Barricade
• An Identity Verification Method or Device
• A Locking Mechanism
• An Alarm Sensing Device
• A Request to Exit Sensor
12. Credential Readers may read something you know (keycode), something you have (access card), or something that is unique to you (biometric).
13. Credentials are authorized in the Access Control Panel.
14. There are four common kinds of electric locks:
• Electrified Mortise and Cylinder Locks
• Magnetic Locks
• Electrified Panic Hardware
• Electric Strikes
15. Most portals are equipped with an alarm sensor to let security staff know if the door is being forced open by an unauthorized user, or held open after a legitimate opening.
16. Request-to-Exit sensors signal the Access Control Panel that the door is being opened legitimately for exiting, and not being forced open.
17. Electronic Access Control Systems use stored data to operate and analyze security patterns.
18. Data may be held in the Server(s) and/or in the Access Control Panels.
19. Reports can be run on system configurations, system status, and system events.
Q&A
1) What do Electronic Access Control Systems comprise?
a. Electronic elements
b. Physical elements
c. Operational and logical elements
d. All of the above
2) What does the Server maintain?
a. Electronic Access Control Panels
b. TCP/IP computer networks
c. Pedestrian Access Control Portals
d. Master database of authorized users, equipment configuration records, access control groups, and schedules, access control, and alarm events
3) Access Group is
a. The combination of User Groups, Access Zones, and Schedules
b. The combination of four Access Zones
c. The combination of Employee and Manager Groups
d. A logical Group of Portals
4) What is Tailgating?
a. The act of one or more people following an authorized user through an access portal after it has been opened by the authorized user
b. Having a valid credential and entering into the access zones
c. Granting access authorization to employees, regular contractors or vendors, or temporarily to legitimate visitors
d. All of the above
5) The Request-to-Exit Sensor involves
a. Unlock the door to allow exiting
b. Bypass the DPS so that no alarm occurs when the door is opened
c. Log the exit in the database as an authorized exit
d. All of the above
6) What is an electronic credential reader?
a. Card readers
b. Keypads
c. Biometric readers
d. All of the above
7) Electrified locks include
a. Electrified Mortise and Panic Locks
b. Electrified Magnetic Hardware
c. Electrified Mortise and Cylinder Locks, Magnetic Locks, Electrified Panic Hardware, Electric Strikes
d. Magnetic Strikes
Answers: 1) d, 2) d, 3) a, 4) a, 5) d, 6) d, 7) c