Access Rights

Chapter 2 – ACCESS RIGHTS AND HOW

ACCESS GRANTED WORKS
Table of Contents
ACCESS RIGHTS ............................................................................................. 2-2
THE THREE WS OF ACCESS RIGHTS ......................................................... 2-2
THE ACCESS GROUP OBJECT .................................................................. 2-4
ACCESS RIGHTS DEFINED ...................................................................... 2-5
HOW ACCESS GRANTED IS DETERMINED ............................................ 2-6
ACCESS GRANTED BY DOOR CONTROLLER OBJECT ................................ 2-6
ACCESS GRANTED BY ELEVATOR CONTROLLER OBJECT ........................ 2-7

Access Control 3.40 Technical Reference Manual

Total Pages in this Chapter: 8 Edition 1.5 Original Page 2-1
 Access Rights

ACCESS RIGHTS
The three Ws of access rights
Access rights restrict a card user’s ability to enter and travel through an access–
controlled facility. When a card user presents his or her credential to a reader,
the access control system evaluates the access rights assigned to that card user.
If the evaluation results in access granted the door is unlocked otherwise access
is denied and the door remains locked.
Access rights control what happens when a credential is presented at a locked
door; they don’t control when a door is locked and when it is unlocked.
Access rights are specified in terms of the three Ws of access control: when,
where, who.

Where
When Who

Access
Rights

When

When specifies the days and times of day that access will
access be granted. When a credential is presented outside of the time specified
by the card user’s access rights, access is denied.
The Schedule object specifies a schedule that can be applied to one or more card
users. For a credential presented when a schedule is in its active state, the when
component of the access rights for granting access is satisfied.
A typical access control system uses multiple schedules to allow different access
rights to be specified for different types of employees or roles or for different
zones in the facility. For example, work hours, 24 by 7 and so on.
It is important to understand that access rights schedules are not the same as the
schedules such as the Unlock schedule used as inputs to the Door Controller
object. Access rights schedules specify when access may be granted at a locked

Access Control 3.40 Technical Reference Manual

Edition 1.5 Original Page 2-2 Total Pages in this Chapter:8
Access Rights

door; Door Controller object input schedules specify when the door is actually
locked.
The Schedule object also specifies days that are exceptions to the weekly
schedules such as holiday days where you want to deny access.

Where

Where specifies the access points such as doors and elevator

floor buttons at which access will be granted.
From an access control perspective, a facility comprises access–controlled doors
and elevator floors to allow facility managers to restrict card users’ ability to
move freely.
Three objects are used to specify where:
• the Door Controller object defines one access–controlled door.
• the Door Group object defines a collection of access–controlled doors
in a zone by grouping Door Controller objects into a door list
• the Elevator Controller object defines one or more floor buttons in one
elevator cab
Together the Door Controller, Door Group and Elevator Controller objects
specify a group of access points that can be applied to one or more card users.
For example, entry doors to a facility that are common ingress and egress points
used by employees are grouped as would doors to a secure area such as a parts
department.
For a credential presented at a specified door, the where component of the
access rights for granting access is satisfied.

Access Control 3.40 Technical Reference Manual

Total Pages in this Chapter: 8 Edition 1.5 Original Page 2-3
 Access Rights

Who

Who specifies who will be granted access. A card user is

specified by one or more valid credentials in his or her Card User object. When
a credential is presented, it must be associated with a CU object in the ASM’s
database and have a card status of Valid to participate in the decision to grant
access.

The Access Group object

To eliminate the need to assign access rights for each individual card user,
access rights are assigned using an access group. All card users assigned the
same access group are granted access at same doors and elevators at the same
scheduled times.
You use an Access Group object to create a list of valid combinations of when,
the schedules, and where, the doors, door groups and elevator floor buttons.

Where
When

Access
Group

The Access Group object’s name is chosen to reflect the role or duties of the
card users that are assigned the access group. Typically, the Access Group
object name describes or identifies the role that the group performs in the
organization, for example, custodians, employees, managers and so on.

Access Control 3.40 Technical Reference Manual

Edition 1.5 Original Page 2-4 Total Pages in this Chapter:8
Access Rights

Access Rights Defined

Now all three Ws: when, where and who are defined. But how is access rights
defined in the Delta access control system? One step more remains using the
Card User object.

Where
When Who

Access
Group

Access
Rights

The Card User object also defines access rights when access groups are added.
The Access Groups tab of the Card User dialog unites the when, where and who
by adding one or more access groups.
The power of this approach is evident in that any change to either the when or
where for an access group propagates to card users to which it is assigned,
immediately changing their access rights.

Access Control 3.40 Technical Reference Manual

Total Pages in this Chapter: 8 Edition 1.5 Original Page 2-5
 How Access Granted is Determined

HOW ACCESS GRANTED IS DETERMINED

The core function of the access control system is to grant access to secured area
only to card users who have the proper access rights for that area. Two objects
implement the decision logic that determines whether or not to grant access: the
Elevator Controller object for elevator floor access and the Door Controller
object for all other types of access points. The two flow charts below describe
the main steps in how access granted is determined by these two objects. The
access granted decision is executed entirely in the ASM.

Access granted by Door Controller object

How access granted is determined by the Door Controller object

credential
presented
at locked door Credential includes card
presentation and optional
PIN keypad entry

No door controlled by Only when the door lock is

active schedule controlled by an active Unlock or
? Relock schedule can a card user
gain access at a locked door
Yes

CU object
No
found in ASM CU object corresponding to
? presented credential must be
in the ASM database

Yes

No CU object
status = Valid
? When card user status is
Valid then this result is yes

Yes

No card
status = Valid
? When presented card’s status is
Valid then this result is yes

Yes

No access group
This test is performed for each
schedule =
access group the card user is a
grant access
member of. When one access
?
group allows access then this
result is yes.
Yes

Yes antipassback
violation
? Antipassback is optional

No

access denied access granted

Access Control 3.40 Technical Reference Manual

Edition 1.5 Original Page 2-6 Total Pages in this Chapter:8
How Access Granted is Determined

Access granted by Elevator Controller object

How access granted is determined by the Elevator Controller object

When Public Mode Input

floor buttons schedule is On, all floor buttons
all buttons are No
controlled by are enabled to allow access by
enabled
active schedule anyone to any floor. When
? Public Mode Input schedule is
Off, then the EC object manages
Yes
access control

credential
presented Credential includes card
presentation and optional
PIN keypad entry

CU object
No
found in ASM CU object corresponding to
? presented credential must be
in the ASM database
Yes

No CU object
status = Valid
? When card user status is
Valid then this result is yes

Yes

No card
status = Valid
? When presented card’s status is
Valid then this result is yes

Yes

No access group
This test is performed for each
schedule =
access group the card user is a
enable buttons
member of to determine which
?
buttons can be enabled for card
Yes user for this elevator.

No Yes
elevator controller
button schedule = Individual floor schedule for
enable each button determines
? whether or not to enable button
Yes

buttons enabled
access denied Yes
access granted

Access Control 3.40 Technical Reference Manual

Total Pages in this Chapter: 8 Edition 1.5 Original Page 2-7
 How Access Granted is Determined

Access Control 3.40 Technical Reference Manual

Edition 1.5 Original Page 2-8 Total Pages in this Chapter:8