
Physical access control

Physical access control is a security measure used to regulate and monitor who is allowed to enter or exit specific areas within a building or facility. Its primary purpose is to ensure that only authorized individuals can access sensitive or restricted spaces, thereby protecting people, property, and information.

In addition to regulating physical access, physical access control supports compliance with industry regulations and can play a critical role in emergency and audit situations by providing real-time data on who is, and was, present in a facility.

Functionality

Physical access control is considered one of the core pillars of a modern physical security system. YourSixOS features physical access control based on Axis door controllers, which provide the core functionality:

  • Hardware management (firmware upgrades, health monitoring, etc.).
  • Identity and access management.
  • Events for logs and notifications, used for alarm and reporting purposes. For more information on logging and alerting, see the event concept.
  • Live control in user applications and Inspect:
    • Users can observe the current state of barriers and temporarily or permanently unlock barriers to let people in.
    • Alarm operators can react to alarms and control barriers in accordance with alarm operating procedures.

TIP

All identity and access configuration is stored in the cloud and synchronized to the controller, making it very easy to replace hardware in case of a failure.

Access management model

YourSixOS physical access management model is heavily inspired by how a traditional firewall operates.

Access rules tie together the building blocks described below (barriers, identities, credentials, identity groups, barrier groups and schedules) into either an access authorization or a scheduled unlock; see the diagram below:

Barriers

A barrier is the YourSixOS representation of a controlled set of access points. Examples of barriers are doors, turnstiles, gates and lockers.

Barriers are enrolled on a door controller device and configured with hardware for authentication and monitoring, see below.

Identities

An identity is a physical person that is being granted access to barriers.

Identities may hold several credentials.

Credentials

An access credential is a tangible item or piece of data that an identity uses to prove their authenticity. Effectively, it acts as a replacement for a key.

Examples of credentials are cards, fobs and mobile applications interacting directly with a reader.

When enrolling credentials in YourSixOS, the software makes sure that the same credential cannot be enrolled twice. YourSixOS also enforces that the credential is paired with a PIN code.

INFO

The PIN code is not required to be unique, since most PIN codes are 4 digits, which poses a fair risk of collisions (four digits -> 10000 possible codes). Enforcing uniqueness would therefore tend to disclose others' PIN codes, because a rejected enrolment would reveal that the code is already in use.

This also means that if the same PIN code is used twice and a PIN-only access rule has been set up, the access grant will be anonymous: the controller cannot tell which of the identities sharing the code was granted access. Use with care! If high security is demanded, always use card as the authentication profile.

WARNING

When adding a credential, what's entered into YourSixOS must match exactly what's presented by the reader to the controller. Think of it like a password, where the reader is just another keyboard.

Identity groups

An identity group is essentially a group of identities. Identity groups are global to the organization. Identity groups allow administrators to configure access for multiple identities as an atomic unit.

An identity group consists of several identities. An identity may exist in multiple groups.

TIP

Identity groups are typically used to reflect professional roles within an organization, e.g. managers and employees. An identity can be in the employee group and in the manager group at the same time.

Barrier groups

A barrier group is essentially a group of barriers. Barrier groups are global to the organization. Barrier groups allow administrators to refer to multiple barriers as an atomic unit when applying access rules.

A barrier must exist in one and only one barrier group. A barrier cannot exist in multiple groups at once and cannot be referred to by a rule without being in a group.

TIP

Barrier groups are typically used to reflect access levels within an organization, e.g. server rooms, rest rooms, conference rooms, etc.

Schedules

Access schedules define the "when" of granting access. They determine the specific timeframes during which identities are granted access or during which locks are kept unlocked.

Rules

Access rules define who is permitted to enter, where, when and under what circumstances by combining barrier groups, identity groups, schedules, an authentication profile and direction.

The authentication profile declares what means of authentication shall be performed by the access point. There are five available authentication profiles:

  • Card: Card must be presented and valid for access to be granted.
  • Card + PIN: Card and PIN must be presented and valid for access to be granted.
  • PIN: PIN must be presented and valid for access to be granted.
  • REX: No credential needed; pressing the REX button will grant access.
  • Unlocked: No credential needed at all; the barriers will be unlocked.

The direction attribute of the rule declares whether the rule is an ingress or an egress rule.

TIP

The direction attribute can be used to create different egress rules with different schedules and different authentication profiles, e.g. require REX only during office hours and require card outside office hours.
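The following is an added example, not YourSixOS code, that puts the model described in the Credentials, Barrier groups, Schedules and Rules sections into working form: rules are matched in order against a barrier group, a direction, a schedule and an authentication profile, the same credential cannot be enrolled twice, a barrier belongs to exactly one group, a card value must match exactly what the reader presents, and a PIN-only rule matching a shared PIN grants access anonymously. Class names, rule fields, the sample identities, card values, PINs and timestamps are all constructed assumptions; the real product's data model is not specified at this level on the page.

```python
# Toy evaluator for the firewall-style access model on this page. Added example,
# not YourSixOS code: class names, rule fields and sample data are constructed.
from collections import namedtuple
from dataclasses import dataclass
from datetime import datetime, time

ALL_DAYS = set(range(7))                    # 0 = Monday ... 6 = Sunday
OFFICE_DAYS = set(range(5))                 # Monday to Friday
TUESDAY_10 = datetime(2024, 6, 4, 10, 0)    # constructed timestamp inside office hours
SATURDAY_10 = datetime(2024, 6, 8, 10, 0)   # constructed timestamp on a weekend

# profile is one of "card", "card+pin", "pin", "rex", "unlocked"; direction is "ingress" or "egress"
Rule = namedtuple("Rule", "barrier_group identity_groups schedule profile direction")


@dataclass
class Schedule:
    days: set
    start: time
    end: time

    def active(self, at):
        return at.weekday() in self.days and self.start <= at.time() < self.end


class AccessModel:
    def __init__(self):
        self.pins = {}              # identity -> PIN paired with its credential (not unique)
        self.card_owner = {}        # card value, exactly as the reader presents it -> identity
        self.identity_groups = {}   # group name -> identities (one identity may be in several)
        self.barrier_group = {}     # barrier -> its one and only barrier group
        self.rules = []             # evaluated in order, like a firewall rule set

    def enroll(self, identity, card, pin):
        if card in self.card_owner:             # the same credential cannot be enrolled twice
            raise ValueError(f"credential {card!r} already enrolled")
        self.card_owner[card] = identity
        self.pins[identity] = pin               # a PIN is always paired with the credential

    def add_barrier(self, barrier, group):
        if barrier in self.barrier_group:       # a barrier belongs to exactly one group
            raise ValueError(f"{barrier} already belongs to {self.barrier_group[barrier]}")
        self.barrier_group[barrier] = group

    def evaluate(self, barrier, direction, at, card=None, pin=None, rex=False):
        """Return (granted, identity or None, reason) for one access attempt."""
        group = self.barrier_group.get(barrier)
        if group is None:                       # ungrouped barriers can never match a rule
            return False, None, "barrier not in a barrier group"
        for r in self.rules:
            if (r.barrier_group, r.direction) != (group, direction) or not r.schedule.active(at):
                continue
            if r.profile == "unlocked" or (r.profile == "rex" and rex):
                return True, None, r.profile    # no credential involved, so no identity
            if r.profile == "rex":
                continue
            members = set().union(*(self.identity_groups.get(g, set()) for g in r.identity_groups))
            if r.profile in ("card", "card+pin"):
                ident = self.card_owner.get(card)   # exact match only, like a password
                if ident not in members or (r.profile == "card+pin" and self.pins[ident] != pin):
                    continue
                return True, ident, r.profile
            if r.profile == "pin":
                holders = [i for i in members if pin is not None and self.pins[i] == pin]
                if len(holders) == 1:
                    return True, holders[0], "pin"
                if holders:     # shared PIN: access is granted but cannot be attributed
                    return True, None, f"pin (anonymous: shared by {len(holders)} identities)"
        return False, None, "no matching rule"


def build_demo_model():
    m = AccessModel()
    m.enroll("alice", "0A1B2C", "1234")
    m.enroll("bob", "FF0011", "1234")       # same PIN as alice: allowed, PINs are not unique
    m.enroll("carol", "123456", "9876")
    m.identity_groups = {"employees": {"alice", "bob", "carol"}, "managers": {"alice"}}
    m.add_barrier("front-door", "office")
    m.add_barrier("rack-door", "server-rooms")
    m.add_barrier("break-room-door", "break-rooms")
    office_hours = Schedule(OFFICE_DAYS, time(7, 0), time(19, 0))
    always = Schedule(ALL_DAYS, time(0, 0), time(23, 59, 59))
    m.rules = [
        Rule("office", {"employees"}, office_hours, "card", "ingress"),
        Rule("office", {"employees"}, office_hours, "rex", "egress"),     # REX exit in office hours
        Rule("office", {"employees"}, always, "card", "egress"),          # card exit at other times
        Rule("server-rooms", {"managers"}, always, "card+pin", "ingress"),
        Rule("break-rooms", {"employees"}, always, "pin", "ingress"),
    ]
    return m


def rejects(fn, *args):
    """True if fn(*args) raises ValueError; shows the enrolment and grouping invariants."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False
```

The two egress rules on the office group reproduce the TIP above: during office hours the REX rule matches first and a button press is enough, while on a weekend only the card rule can match, so a reader is required to leave. The PIN-only rule on the break rooms shows why the INFO note recommends cards for high security: alice and bob share PIN 1234, so the grant succeeds but the returned identity is None, and the audit trail cannot say who entered.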

Hardware support

YourSixOS supports access controllers from Axis Communications, see the supported devices list.

Using supported access controllers, YourSixOS supports the following access hardware:

Access points

  • Wiegand readers (with or without keypad)
  • OSDP readers (with or without keypad)
  • REX (buttons and PIR)

TIP

YourSixOS also supports readers on both sides of the door to allow for high-security installations.

An administrator can create a combination of authenticated and REX egress rules using schedules to allow REX exit during office hours and enforce authenticated (using a reader) exit during evenings and weekends.

Locks

  • Wired strikes and motorized locks.
  • Magnetic locks for gates and similar.
  • Automated doors and barriers that require only a short dry-contact pulse.

Feedback

  • Barrier monitors (magnetic contacts and similar) for alarming and for feedback/visualization of a barrier's actual physical state.
    • Includes support for extended access times on a per-identity basis.

Limitations

  • The number of identities per organization is capped at 10000 to avoid overloading the controller hardware.
  • Events (barrier accessed, alarms, etc.) are buffered in the controller in case the Internet connection suffers an outage. The buffer holds 10000 events; once it is full, subsequent events are dropped.

Architectural summary

Barriers are a type of security thing that is hosted by a supported device (access controller). One device (controller) may serve multiple barriers.

Authorization is performed on individual barriers or a parent resource such as the device, allowing for multi-tenant deployments.
