Access control: a practical definition for real entry points
Access control is the set of people, rules, and tools used to decide who can enter which areas, when, and under what conditions—and to record what happened. In properties that manage people, vehicles, and deliveries, access control is not only about stopping intruders; it is also about keeping traffic moving, ensuring legitimate visitors are served, and making sure incidents can be investigated.
Think of access control as a repeatable decision process at every entry point (lobby door, vehicle gate, loading dock, service elevator): identify the person/vehicle, verify their claim, grant/deny the correct level of access, and document the outcome.
(1) Core objectives: safety, security, service, continuity
Safety
Prevent harm to people and property by controlling entry into hazardous or high-risk areas (mechanical rooms, rooftops, construction zones) and by ensuring emergency routes are not compromised.
- Example: A contractor arrives to work near electrical panels. Access is allowed only after verifying training/permit and issuing a temporary badge that unlocks only the service corridor and the specific room.
Security
Reduce unauthorized entry, theft, vandalism, and privacy breaches by limiting access to those with a legitimate need.
- Example: A person claims to be a delivery driver but cannot provide the correct recipient name or tracking reference. Access to residential floors is denied; the package is not accepted.
Service
Provide a smooth, respectful experience for residents, employees, visitors, and vendors while still applying consistent controls.
- Listen to the audio with the screen off.
- Earn a certificate upon completion.
- Over 5000 courses for you to explore!
Download the app
- Example: A frequent courier is pre-registered with a vendor profile. Reception can quickly verify identity and direct them to the correct drop-off point without delaying the lobby.
Continuity
Keep operations running during disruptions (staff changes, system outages, peak traffic, incidents) by having clear procedures and backups.
- Example: If the badge system is down, staff switch to a paper log and manual ID checks, using a pre-approved access list and supervisor escalation rules.
(2) Key terms you must use consistently
| Term | Practical meaning at an entrance | Example |
|---|---|---|
| Authorized | Allowed to enter a specific area under defined conditions | A tenant with an active credential entering the lobby at any time |
| Unauthorized | Not allowed, or allowed only after additional verification/approval | A visitor without a host confirmation attempting to access elevators |
| Identity | Who the person/driver claims to be | “I’m Alex Chen from ABC Plumbing” |
| Authentication | How you verify the identity claim | Government ID + vendor work order + photo match |
| Authorization | What the authenticated person is permitted to do | Access to loading dock and service elevator only, 09:00–12:00 |
| Logging | Recording key details for accountability and investigation | Name, company, time in/out, destination, host, badge number |
| Escalation | When and how to involve a supervisor/management/tenant | Unverified vendor requests access to restricted area → call property manager |
Step-by-step: the access decision in 6 actions
- Greet and pause the flow: create a natural stop point before the secure boundary (door, turnstile, gate arm).
- Identify the request: person/vehicle/delivery purpose, destination, and who they are meeting.
- Authenticate: check ID, credential, pre-registration, work order, appointment, or host confirmation.
- Authorize: apply the minimum access needed (area + time + method).
- Issue/activate access: badge, QR pass, key, gate release, elevator call, or escort instruction.
- Log and monitor: record details; watch for tailgating or route deviation; ensure return/checkout if required.
(3) Roles and responsibilities at entry points
Security staff
- Primary control: enforce entry rules consistently and professionally.
- Verification: authenticate visitors/vendors/drivers; confirm authorizations.
- Monitoring: observe behavior, prevent tailgating, respond to alarms.
- Documentation: maintain accurate logs and incident notes.
- Escalation: trigger supervisor/management response when criteria are met.
Reception / concierge
- Service + control: manage visitor flow, host notifications, and package intake while maintaining boundaries.
- Credential handling: issue temporary passes, collect returns, manage sign-in/out.
- Information discipline: avoid disclosing tenant details to unverified parties (e.g., unit numbers, schedules).
Property management
- Policy owner: defines access rules, approved vendor lists, and escalation thresholds.
- Risk decisions: sets which areas are restricted/sensitive and what proof is required.
- Continuity planning: ensures backup procedures exist for outages and staffing gaps.
- Audit and improvement: reviews logs, incidents, and recurring exceptions.
Tenants (residents or business occupants)
- Host responsibility: confirm expected visitors and provide accurate instructions.
- Credential care: protect badges/keys; report loss immediately.
- No “courtesy bypass”: avoid letting unknown people follow them through secure doors.
Vendors and contractors
- Proof of purpose: provide work order, appointment, and point of contact.
- Scope compliance: stay within authorized areas and time windows.
- Badge/escort rules: wear visible identification; follow escort requirements.
Practical example: who does what for a contractor visit
Scenario: Elevator maintenance vendor arrives at 07:30 for scheduled work.
1) Reception checks schedule and notifies property management contact.
2) Security authenticates: ID + vendor badge + work order.
3) Security authorizes: service entrance + machine room only, 07:30–10:30.
4) Reception issues temporary pass; security logs entry and tools brought in.
5) If vendor requests access to another area: escalate to property management.
(4) Access control boundaries: mapping areas by sensitivity
Clear boundaries prevent confusion and reduce “exceptions.” Define areas by how much harm could occur if access is misused.
Public areas
Spaces intended for general access with minimal controls, but still monitored.
- Examples: sidewalk frontage, public-facing retail entrance, external plaza.
- Typical controls: lighting, cameras, signage, visible staff presence.
Semi-public areas
Spaces where access is expected but should be guided or time-limited.
- Examples: lobby, reception area, visitor waiting zone, public restrooms (if applicable).
- Typical controls: reception check-in, visitor passes, elevator controls, clear lines of sight.
Restricted areas
Spaces limited to authorized tenants, staff, or approved vendors.
- Examples: residential floors, office suites, staff-only corridors, parking levels, loading dock.
- Typical controls: badge readers, turnstiles, vehicle gate credentials, intercom verification, escort rules.
Sensitive areas
Spaces where unauthorized access could cause major safety, security, or operational impact.
- Examples: security control room, server/IT rooms, key storage, CCTV/NVR room, electrical/mechanical rooms, roof access, chemical storage, cash handling areas.
- Typical controls: dual authentication (badge + PIN), strict logging, limited authorized list, alarms, mandatory escort, tool/material checks.
Step-by-step: define a boundary at an entrance
- Choose the “stop line”: the exact point where a person must be verified (desk, door, gate arm).
- Assign the area type: semi-public vs. restricted vs. sensitive.
- Set the proof required: ID, credential, host confirmation, work order, vehicle plate match.
- Set the access method: badge reader, QR pass, intercom, escort, key control.
- Set the logging rule: what must be recorded and where.
- Set escalation triggers: unclear identity, unusual request, after-hours, sensitive area access.
(5) Risk-based thinking: common threats and how consistency reduces them
Risk-based access control means applying more verification where the impact is higher, and applying simple, fast controls where the impact is lower—without creating loopholes.
Threat: tailgating (piggybacking)
What it looks like: An unauthorized person follows closely behind an authorized person through a secure door or gate.
Why it works: People are polite, distracted, or in a hurry; the boundary is not enforced.
Procedure controls:
- Position staff so they can see the secure door/gate and make eye contact with entrants.
- Use a standard phrase: “For everyone’s safety, please badge in individually.”
- Require visitors to stop at reception before elevators; do not allow “I’m with them” without confirmation.
- For vehicle gates: one vehicle per open cycle; close gate between vehicles when feasible.
Threat: impersonation
What it looks like: Someone claims to be a vendor, courier, new employee, or tenant to gain access.
Why it works: Staff accept vague details, rely on uniforms, or skip authentication during busy periods.
Procedure controls:
- Authenticate with at least two factors when risk is higher: photo ID + work order/appointment/host confirmation.
- Do not accept “I’m here all the time” as proof; use a vendor list or prior registration.
- Verify destination and contact: call the host/tenant using a known number (not a number provided by the visitor).
- Issue time-limited, area-limited passes; require visible display.
Threat: package diversion and delivery manipulation
What it looks like: A person redirects a package, claims to pick up on behalf of a tenant, or accesses storage areas to steal.
Why it works: Weak chain-of-custody, unclear acceptance rules, and poor logging.
Procedure controls:
- Define where deliveries may go: reception desk, lockers, loading dock, or tenant-only acceptance.
- Log deliveries with key fields: carrier, tracking/reference, recipient name/unit, time, condition, staff initials.
- Require recipient verification for pickups: ID + match to recipient/authorized pickup list.
- Restrict access to package rooms; treat them as restricted or sensitive depending on volume/value.
How consistent procedures reduce risk (without slowing everything down)
- Predictability: everyone knows the steps, so fewer “exceptions” are exploited.
- Fairness: the same rules apply to all, reducing pressure on staff to bend them.
- Faster decisions: clear criteria (what proof is acceptable) reduces hesitation.
- Better investigations: good logs make it possible to reconstruct events and identify patterns.
Entrance control-point checklist (quick field use)
Use this checklist to identify where access control must be strongest at an entrance. Answering “No” indicates a control gap to address.
- Stop line exists: Is there a clear point where everyone must pause before entering restricted space?
- Area type defined: Is it clear whether the next area is semi-public, restricted, or sensitive?
- Identity captured: Do we know who the person/driver is (name/company) before granting access?
- Authentication method set: Do staff know exactly what proof is required for visitors, vendors, and deliveries?
- Authorization is limited: Can we limit access by area and time (not “full access” by default)?
- Logging is reliable: Are entries, deliveries, and temporary passes recorded consistently (including time out/return)?
- Tailgating controls: Can staff see the door/gate, and is there a rule for one-person/one-credential?
- Escalation triggers: Do staff know when to call a supervisor/management/tenant (and how)?
- Delivery chain-of-custody: Is there a defined handoff point and pickup verification process?
- Backup plan: If systems fail or traffic spikes, is there a manual process that maintains control?
