3 Limit People by Reader
Feenics Access Levels can be used to limit which people get distributed to which readers. This is described in this section.
3.1 Mapping People to Readers - How it Works
To understand how people are distributed to readers based on Feenics Access Levels, it is helpful to understand the following.
As shown below, Access Levels create the mapping between a Person and a SAFR Reader:
While Feenics allows multiple SAFR Readers to be assigned to an Access Level, only one of the Access Levels should contain a SAFR Reader. If a Person is assigned to an Access Level with multiple SAFR Readers, that Person will only be added to the first Access Level that contains a SAFR Reader.
Therefore, it's important to only assign a single SAFR Reader to a Feenics Access Level.
Further, as shown below, a Person may be assigned to multiple Feenics Access Levels:
But if more than one of the Access Levels contains a SAFR Reader, the same issue described above applies. The Person will only be added to the first SAFR Reader of the first Access Level.
Therefore, it's important to assign only a single Access Level containing a SAFR Reader to a Person. It's OK to have other Access Levels assigned to that Person, as long as those Access Levels do not contain a SAFR Reader.
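Both rules above can be checked before people are distributed. The following is an added example, not Feenics or SAFR code: it audits a Person to Access Level to Reader mapping and lists the SAFR Readers a Person would silently miss. The data layout, all names, and the reading of "first" as listed order are assumptions.

```python
# Added example: audits a Person -> Access Level -> Reader mapping against
# the two rules in section 3.1. The data layout here is an assumption.

def safr_readers(level_readers):
    """Names of the SAFR Readers in one Access Level, in listed order."""
    return [name for name, is_safr in level_readers if is_safr]

def audit(access_levels, assignments):
    """access_levels: {level: [(reader, is_safr), ...]}; assignments:
    {person: [level, ...]}. Returns sorted (rule, subject, detail) tuples."""
    findings = []
    for level, readers in access_levels.items():
        safr = safr_readers(readers)
        if len(safr) > 1:  # rule 1: a single SAFR Reader per Access Level
            findings.append(("multi-reader-level", level, tuple(safr)))
    for person, levels in assignments.items():
        missing = [lv for lv in levels if lv not in access_levels]
        if missing:  # dangling reference, cannot be evaluated
            findings.append(("unknown-level", person, tuple(missing)))
        with_safr = [lv for lv in levels if safr_readers(access_levels.get(lv, []))]
        if len(with_safr) > 1:  # rule 2: one SAFR-bearing level per Person
            findings.append(("multi-safr-level-person", person, tuple(with_safr)))
    return sorted(findings)

def skipped_readers(access_levels, levels):
    """SAFR Readers a Person maps to but would not be distributed to,
    assuming 'first' means listed order (an assumption, see lead-in)."""
    mapped = [r for lv in levels for r in safr_readers(access_levels.get(lv, []))]
    return mapped[1:]

# Constructed sample data (names are hypothetical)
ACCESS_LEVELS = {
    "Lobby": [("SAFR-Lobby", True)],
    "Internal": [("SAFR-Hall", True), ("Card-Hall", False)],
    "Exec": [("SAFR-Exec-A", True), ("SAFR-Exec-B", True)],
    "Parking": [("Card-Gate", False)],
}
ASSIGNMENTS = {
    "visitor": ["Lobby", "Parking"],
    "staff": ["Lobby", "Internal"],
    "exec": ["Exec"],
    "temp": ["Retired"],
}

if __name__ == "__main__":
    for finding in audit(ACCESS_LEVELS, ASSIGNMENTS):
        print(finding)
    print(skipped_readers(ACCESS_LEVELS, ASSIGNMENTS["staff"]))
```

An empty result from `audit` means every Person has at most one Access Level containing a SAFR Reader and no Access Level contains more than one.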
3.2 Options for Limiting People by Reader
There are two ways to limit distribution of people to SAFR Readers.
- Create one Access Level for each reader / Assign one or more Access Levels to each Person
  - Essentially means that you are assigning persons to doors one by one.
  - Simplest model for a small number of doors where significant variation in access exists.
  - For large numbers of doors, this is not practical.
- Create Access Levels with groups of readers (a reader may exist in more than 1 Access Level). Assign only one Access Level for each Person.
  - Each group of readers represents a unique set of access privileges.
  - There needs to be a sufficient number of groups to represent all combinations of privileges needed.
    - E.g. Building has 3 types of doors: Lobby, Internal, Executive
      - Visitors would be granted access to Lobby only
      - General staff have access to Lobby and Internal
      - Executives would have access to all
  - This model does not work well when unique combinations of access become required.
    - E.g. In the above example, if there are 3 data rooms and different people need access to one or more of them, combinations become too complex. E.g.:
      - Data1+Data2+General
      - Data1+Data2+Exec
      - Data2+Data3+…
      - …
- Create Access Levels for groups of readers (no reader exists in more than 1 Access Level). Assign only one Access Level for each Person
  - Access Levels should be split into distinct permission sets that apply universally to all people.
  - E.g. Building with 3 types of doors (Lobby, Internal, Exec) and 3 Data Rooms where access to each room is individualized
    - Access Levels:
      - Lobby Doors
      - Internal Doors
      - Exec Doors
      - Data1
      - Data2
      - Data3
    - Persons get assigned based on need:
      - E.g. Tech Staff with access to Data 1 and 2:
        - Lobby + Internal + Data1 + Data2
  - This method may require splitting groups if later a person needs to be limited to a subset of those doors. E.g. if Internal Doors needs to get segmented.
  - This model may be the best tradeoff between simplicity and flexibility.