Access control

Access control systems, in depth

The definitive guide to learn how to choose, buy and install the best access control solution for your business.

Discover Raixer

What is access control?

The objective of access control

It is true that companies still need to control who passes through their doors. But they also want to be able to manage access. That is, to be able to decide who can (and who can't) pass. In corporate environments, physical keys have given way to electronic access controls. These systems are capable of providing access to authorized users in a simple way. At the same time, they prevent unauthorized persons from passing through.

Access control guide

Parts of an access control system

Instead of carrying keys from one side to another, most companies use access or identity cards (the typical card with the user's photo and name) to access reserved areas. Workspaces, files with confidential information or doors can use access control systems. In large buildings, external access is the responsibility of the building, while access to interior doors is managed by the tenant company.

If this is the first time you've read about access controls, you may think that the system consists of cards and a reader next to the door, right? You're wrong. The truth is that there are other parts that are working behind the scenes to make the magic of ¡Alohomora! work. This guide is designed to help you understand how access control systems work and the jargon you need to communicate with providers of this type of solution.

3 basic components of an access control system

Users

Systems such as card readers, numeric keypads, or the app.

Administrators

Control panels of the access management system, integrations or APIs.

Infrastructure

From closing and opening systems to hardware to connect the control system to the cloud.

When they start investigating security, the first thing most people do is call a local installer, consultant or security company. However, understanding the fundamentals of access control is free if you do an exhaustive search on the internet or find a guide like this one.

Do you need to be an access control specialist if you want to install one in your company? The truth is that it is not mandatory, but it is highly recommended. You will see that it will save you a lot of time in the medium term. When the project is underway and your suppliers start speaking in jargon you cannot follow, you will have to learn at a forced pace. Especially if the project delivery deadline is breathing down your neck. Or when employees arrive next Monday and your office still doesn't have access control.

Introduction to access controls

Access control systems are used to monitor who enters a building, facility, or restricted areas of an office. The operation is usually very simple. Different types of access groups or levels are assigned to users (employees, managers, suppliers, and visitors).

For example, these four user groups will be able to use their card or app to open the main door of the building. However, only employees and managers will be able to access the office area. Moreover, only IT department employees will be able to access the server room.

When do you need to control physical access to your building?

There are some reasons that may seem obvious to you: physical security is one of them. You don't want people outside the company to be able to access the facilities. However, there are two additional reasons why you might need physical access control.

Data Protection Law and ISO 27000

  1. Medical facilities (hospitals, clinics, etc.) are responsible for safeguarding the medical records of patients, normally kept in physical files. According to the GDPR, only personnel directly involved in patient care can access their medical records.
  2. Banks and insurance companies are responsible for safeguarding the financial information of their clients. This is classified as sensitive information.
  3. Some companies need to comply with quality standards, such as ISO 27002, the standard for information security, or ISO 27032 for cybersecurity management.

Intellectual property

Some businesses guard very sensitive information and intellectual property. For example, software development companies, startups or pharmaceutical companies. These companies not only need to be able to know who accesses the facilities but also control access to certain areas.

Users.
Access cards, card reader and access control keypad

  1. Credentials. The best-known parts of access control systems are cards, identification badges and, more recently, mobile applications that make a little sound when presented to the reader and unlock the door. These are known as credentials because they carry the data about the user that the system needs to identify them and allow access. That is, to be authorized to enter.
  2. Access cards typically work by proximity (contactless). Instead of inserting them, as was the case with old credit cards, just place them within 3 to 10 centimeters of the card reader. The operation is similar with mobile apps. The advantage of using personalized credentials (instead of cards) is that any recorded event is associated with the person. For example, the opening of a door.
  3. Card reader. The card reader is usually embedded in the wall, next to the door. It reads the credentials presented by the user and sends the request to the server to open the door. Some access control systems use numeric keypads or biometrics (fingerprints) instead of the traditional card reader.

Administrators.
Access management panel, integrations or API

  1. Access management panel. The administrative part of the access control system is the management panel (also known as a portal). It is where the administrator, head of security, or IT manager sets which people (users) and when (schedules) are authorized to access the premises. This usually requires the panel, typically in the cloud, and a way to provision access (in the case of cards, a card configurator).
  2. In more complex systems, manual operations can be automated. For example, access provisioning (creating or deleting users and authorizations) can be automated through the connection of the access control system with the company's employee directory. In this way, at the moment a new corporate user account is created, an access authorization is generated at the same time. It can be integrated through API or through services such as Google Apps, Microsoft Azure or Okta.

Infrastructure.
Electric locks, access control panels and servers

  1. Electric locks. Electric locks are used to unlock doors electrically. They are usually wired to a power source. Some locks remain locked while they are connected to power and open when disconnected (fail safe). Others, on the contrary, open only when they receive power and remain closed when disconnected (fail secure).
  2. The choice between one type or another of electric lock will depend on the area where it is to be installed. For example, building entrance doors usually need fail-safe locks, as they must comply with emergency regulations. Server rooms, on the other hand, must be protected by fail-secure locks. The reason is that they must be closed at all times, even in fires or evacuations of the building. Fail-secure
  3. Smart controllers. Access control panels, or smart controllers, are not usually installed in areas visible to users. In fact, they are usually placed in false ceilings or walls, or in the server room. The reason is to avoid accidental disconnection of the cables that connect them to the electric locks.
  4. When a user presents a valid credential, the controller receives the request to open a certain relay - and thereby open the door it is connected to.
  5. Access control servers. Any access control system needs a server where permissions are stored in a database. Therefore, the server is the “brain” of the access control system.

In reality, it is the server that makes the decision to open (or not) the door to a certain user, when it compares in its database whether the presented credential is authorized for that door.

The server can be installed on premises on a computer with Windows or Linux, in the cloud, or even in a decentralized manner on each intelligent controller.

The server is also responsible for storing activity logs and events. In this way, administrators can obtain reports on who accessed the doors, how, and when, during a certain period of time.
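The decision and logging role of the server described above can be sketched as follows. This is an added example, not Raixer's code; the role names follow the guide's user groups, while the `it_employee` role, the door names, the credential ids and the schedule fields are assumptions made for the sketch.

```python
from dataclasses import dataclass, field
from datetime import datetime, time

# Role -> doors, taken from the guide's example. The "it_employee" role and the
# door names are assumptions made for this sketch.
ROLE_DOORS = {
    "visitor": {"main_door"},
    "supplier": {"main_door"},
    "employee": {"main_door", "office"},
    "manager": {"main_door", "office"},
    "it_employee": {"main_door", "office", "server_room"},
}


@dataclass
class Credential:
    user: str
    role: str                      # each user has a single role
    active: bool = True            # False once the user is offboarded
    start: time = time(0, 0)       # schedule set by the administrator
    end: time = time(23, 59, 59)


@dataclass
class AccessServer:
    credentials: dict              # credential id -> Credential
    events: list = field(default_factory=list)

    def decide(self, cred_id: str, door: str, when: datetime) -> bool:
        """Default-deny decision; every request is logged, granted or not."""
        cred = self.credentials.get(cred_id)
        if cred is None:
            reason = "unknown_credential"
        elif not cred.active:
            reason = "revoked"
        elif door not in ROLE_DOORS.get(cred.role, set()):
            reason = "role_not_authorized"
        elif not (cred.start <= when.time() <= cred.end):
            reason = "outside_schedule"
        else:
            reason = "ok"
        granted = reason == "ok"
        self.events.append({
            "time": when.isoformat(),
            "credential": cred_id,
            "user": cred.user if cred else None,
            "door": door,
            "result": "granted" if granted else "denied",
            "reason": reason,
        })
        return granted


def demo_server() -> AccessServer:
    # Constructed sample credentials.
    return AccessServer({
        "card-0017": Credential("ana", "it_employee"),
        "card-0031": Credential("luis", "employee"),
        "card-0042": Credential("former-employee", "employee", active=False),
        "card-0055": Credential("courier", "supplier",
                                start=time(8, 0), end=time(18, 0)),
    })
```

Denied requests are logged with a reason as well as granted ones, which is what makes the reports and alerts described in this guide possible.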

If a local server is chosen, in addition to the hardware, software is necessary to execute access control. For its management, it is necessary for the administrator to be there in person. This management can be very cumbersome, especially across multiple buildings, which is why cloud servers are having so much success.

  1. Cables. Cables are often the most forgotten part of access control systems. Despite their low price, poor wiring planning before deploying the system can be very expensive.
  2. In the first phase of the construction project, it is important to specify to the developer which cables should be installed. Not doing so will mean that, when the time comes, you will have to make grooves, hide them with conduits or leave them in sight.

Types of access controls

In addition to local access control systems, those in which the server is located in the same building (these are the ones we have discussed in the previous section), you have three other options:

  1. Cloud-based access control systems
  2. Mobile access control systems
  3. IoT Access Control Systems

A good way to understand what these new access control systems consist of is to give the example of Gmail. When you open an account in Google's email service, your emails are stored in the cloud instead of on your computer. The cloud is nothing more than the server of another company: the service provider. In this way, it allows you to access your emails from any browser, as long as you have the correct credentials (your username and password).

Cloud-based access control systems

In this type, access control permissions are not stored on a local server but in the cloud. This means that the administrator can manage these authorizations from home, or from the Bahamas, simply by using an app on their computer's browser. It is very useful for those responsible for managing the security of multiple buildings.

Mobile access control systems

Mobile access control systems work identically to traditional card-based systems. The only difference is that the card is replaced by an app on their phones. Once the user has downloaded the access control app, they must authenticate their account (credential) and, when the administrator has granted them permissions (digital keys), they can start opening doors.

IoT Access Control Systems

Your mobile can update its operating system –the one that controls Bluetooth, NFC or internet connection chips– unattended (or by clicking Update). The IoT approach to the Raixer system allows connecting doors to the internet and receiving Over-The-Air updates to add extra security layers or new functionalities.

Security levels in access controls

Role-Based Access Control (RBAC)

When using this security level, permissions are granted based on the user's role. Each user has a single role. It is the simplest for administrators to manage because they can edit roles –and with it, user groups–.

Discretionary Access Control (DAC)

The user has direct control over the system software. That is, a single access method allows opening all doors using any opening method offered by Raixer: automatic access, missed call or directly with the app.

Mandatory Access Control (MAC)

The opposite of the DAC paradigm. When MAC is established, certain hardware or software restricts access. This can be a password or a numeric keypad on the access control system. You can open the doors with the same opening methods.

Operation of access control

In the modern world we are in, where everything is on demand, access is critical and is often taken for granted. It's easy to say “I want to restrict and control access to my office, that's why I need to buy an access control”. The question really should be: “How do I install an access control system that has no friction for my users while ensuring the security and control of my company?”

The answer lies in the Raixer access control system. It allows anyone who is authorized to pass while maintaining exhaustive control over who does it.

5 steps to implement your access control

The goal of access control is not to allow anyone to access your space, but to authorize access only to those who have the relevant permissions.

1. Authorization

The authorization phase is the one in which anonymous individuals become users. The first step is to define a corporate policy. That is, to define what users can and cannot do. This should include who has access to each of the doors and which users in the organization can share access (authorize others).

The next step is to establish role-based access control (RBAC), as we explained in the previous section. By assigning roles to each user, they obtain a series of permissions. In this way, administrators can make massive edits (to multiple users) simply by changing parameters in the role.

Most companies use employee directories along with RBAC, as these lists include all employees and also their different access levels.

2. Authentication

Authentication is one step beyond mere authorization. At this stage, users present their credentials to the reader (access card or mobile app). The reader validates their credentials and determines (via the server) whether the electric lock should open the door or not.

3. Access

Once the credentials have been authenticated, the access tools in this step ensure that the correct door opens quickly and comfortably for the user at the right time.

  1. Unlocking
  2. Trigger
  3. Infrastructure: If the door opens, multiple events occur: The user is successfully authenticated; the user has requested the opening; the door has opened and the door has closed.

4. Management

This phase helps administrators with several challenges, including adding new access points (doors or buildings), registering new users, maintaining security, or resolving common incidents in access control systems.

  1. Scale: Cloud-based access control systems help SMEs and businesses expand their current offices or offices in other buildings through modular extensions of their current installation.
  2. Monitoring: Online control systems send real-time alerts to administrators or security personnel. In this way, they can quickly know what unauthorized or unknown event has occurred and where. It allows them to investigate this fact immediately, while it is recorded in the history.
  3. Incident resolution: Modern access control systems allow administrators to configure permissions remotely or rely on the provider to resolve incidents. This is one of the major advantages over access controls with local servers.

5. Audit

Auditing physical access controls is very useful for any business. In addition, it helps companies in certain sectors to comply with special requirements.

  1. Scalability: Businesses can regularly run system reviews and ensure that access controls are properly installed and functioning correctly. Additionally, they can notify administrators if a former employee has attempted to access the office.
  2. Suspicious Events: As access points are regularly monitored every time access occurs, auditing is much simpler for security personnel. The information stored can be very useful for discovering suspicious behavior patterns –when compared to historical data.
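An audit pass of the kind described in this step, run over an exported event log. This is an added example, not Raixer's code; the event tuple layout, the reason strings, the thresholds and every sample value are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed export: (timestamp, credential, door, result, reason).
EVENTS = [
    ("2024-03-04T08:58:10", "card-0017", "main_door", "granted", "ok"),
    ("2024-03-04T09:02:41", "card-0017", "office", "granted", "ok"),
    ("2024-03-04T21:14:03", "card-0042", "main_door", "denied", "revoked"),
    ("2024-03-05T02:10:00", "card-0031", "server_room", "denied", "role_not_authorized"),
    ("2024-03-05T02:11:30", "card-0031", "server_room", "denied", "role_not_authorized"),
    ("2024-03-05T02:13:05", "card-0031", "server_room", "denied", "role_not_authorized"),
    ("2024-03-05T10:20:00", "card-0017", "server_room", "granted", "ok"),
]

# Constructed history: (credential, door) pairs seen in earlier periods.
BASELINE = {
    ("card-0017", "main_door"), ("card-0017", "office"),
    ("card-0031", "main_door"), ("card-0031", "office"),
}


def audit(events, baseline, max_denials=3, window=timedelta(minutes=10)):
    """Return findings as (kind, credential, door, timestamp) tuples."""
    findings = []
    denials = defaultdict(list)    # (credential, door) -> recent denial times
    for ts, cred, door, result, reason in sorted(events):
        when = datetime.fromisoformat(ts)
        if result == "granted":
            # Access that succeeded but has no precedent in the history.
            if (cred, door) not in baseline:
                findings.append(("new_door_for_credential", cred, door, ts))
            continue
        if reason == "revoked":
            # A deactivated credential (e.g. a former employee's card) was used.
            findings.append(("revoked_credential_used", cred, door, ts))
        # Keep only denials inside the sliding window, then add this one.
        recent = [t for t in denials[(cred, door)] if when - t <= window]
        recent.append(when)
        denials[(cred, door)] = recent
        if len(recent) == max_denials:
            # Report once, when the threshold is first reached.
            findings.append(("repeated_denials", cred, door, ts))
    return findings
```

A first-time door opening is not necessarily a problem (a role may have changed), so findings of that kind are prompts for review rather than verdicts.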

Choosing an access system

The technological environment has evolved a lot in recent years. Especially in the field of physical security, where new companies and access control technologies are springing up like mushrooms. This can be confusing for the people in charge of buying the access control system for their company. However, if certain logical steps are followed, the task can be more straightforward.

The first step the company must take (a truism warning!) is to count how many doors the access control will be installed on. Consider not only the entrance or exit doors of the building or office but also those of rooms or halls with valuable equipment (server or communications rooms, for example). If the company stores valuable information (medical centers or data protected by law), also count the rooms where it is housed.

Once this count is done, the team must be in charge of searching for options, finding suppliers and requesting budgets for access control systems. A qualified installer is one who, before sending you a budget, wants to visit the building or office and see the typology of doors.

There are multiple ways to evaluate the quality of an access control provider. However, the budget is the key piece to do so. Avoid those providers that pack a lot of information into each line of the budget - it usually denotes poor quality and little attention to detail.

Anatomy of the perfect access control budget

  1. The type and number of electric closing devices (electric locksets, pistons, etc.) that will be necessary and the place where they will be installed.
  2. The smart controller that will connect the locks (i.e., the doors) to the internet.
  3. The wiring necessary for the installation of access control.
  4. The management software license and support. This line usually includes storage on servers and user limits.

It is also important that the budget includes some type of professional liability insurance. Many owners or property managers require their tenants to be responsible for any damage or malfunctions during the use or installation of access controls.

Finally, for those who want to dig a little deeper into what to look for when buying an access control system, we have prepared a checklist.

What to consider before buying an access control system

  1. Compatibility with third-party hardware and avoiding lock-in.
  2. Security support.
  3. Comply with national quality regulations.
  4. Integration with security and surveillance systems (CCTV).
  5. Integration with existing hardware (electric locks) to reduce costs.
  6. Compatibility with modern forms of communication (cloud access or mobile access control) and especially IoT.
  7. Robustness.
  8. End-to-end data encryption and military encryption.
  9. Easy to use and install.
  10. Economical and backed by professional technical support.
  11. Highly configurable with features such as geo-fencing, temporary access, RBAC, and other factors.