Manual key management and unaligned access rules create security risks and administrative overhead. By defining a clear door-access model, you can ensure that the access granted in OfficeRnD (the Source of Truth) matches the physical locks (the Source of Enforcement) across all locations. This strategy allows you to scale your operations while maintaining the "least privilege" principle for space security.
The goal is not to document a specific feature, but to help you design a system that mirrors what you sell, who is entitled to access, and when access should be granted.
In this article
Categorize your space into access zones
Define access rules for member personas
Map OfficeRnD records to your door access system
Establish naming conventions for access groups
Prerequisites
Admin access to the OfficeRnD Admin Portal.
An active integration with a supported door access system.
A clear map of your building's physical layout and door locations.
What this model is designed to achieve
A well-designed access model should:
Reflect your business logic and OfficeRnD setup.
Be enforced reliably at doors through your door access system.
Reduce lockouts, support load, and security risk.
Scale cleanly across multiple locations without constant manual fixes.
Choose your optimization goal
Before configuring your software and hardware, you must decide which operational outcome is most important for your business. Picking a primary goal helps you accept specific tradeoffs in your setup.
Choose your main priority to define the goal you want to achieve:
Simplicity: Focus on a small number of access groups that are easy for staff to manage.
Security: Prioritize strict "least privilege" access, ensuring users only enter areas they have paid for.
Automation: Design the system so that access is granted and revoked entirely through OfficeRnD without manual intervention.
Flexibility: Allow for local variances where different locations have unique door rules.
Pick one primary goal and design your architecture and model around it.
Categorize your space into zones
Organize your location into specific zones before you look at individual doors. In a professional access model, zones come first and doors second, as doors are simply the tools used to implement a zone.
Review your floor plan and group areas into these five standard categories:
Public: Lobby or reception areas where visitors may enter without credentials during business hours.
Member: Shared coworking areas, kitchens, and phone booths.
Bookable: Meeting rooms or specific event spaces.
Tenant-only: Private office suites or dedicated floors.
Restricted: Staff rooms, storage areas, IT closets, or garage entries.
Identify which doors act as "gatekeepers" and control entry into each zone.
Ensure your door access software reflects these zones as specific Access Groups.
Focus on zones first and doors second, as doors are simply the tools you use to implement a zone.
Define personas and minimum required access
Determine the minimum level of access required for each type of person (persona) using your space. Following the "least privilege" rule, you should only add access when it is required for the user's plan or role.
Identify the minimum access required for these common personas:
Staff: 24/7 access to all zones, including Restricted areas.
Members: Access to the Member zone based on their plan. You could restrict it only to business hours or make it 24/7.
Private office teams: 24/7 access to their specific Tenant-only suite and shared Member amenities.
Meeting room bookers: Time-bound access to Public and Bookable zones.
Day pass users: Time-bound access to Public and Member zones.
Cleaners/Contractors: Limited access to specific zones during scheduled shifts.
Visitors: Generally, no door access; they should be greeted at the Public zone.
Set your default to the least privilege and add access only when the user's plan or role requires it.
Choose the source of truth and override policy
To automate your workspace, you must distinguish between where access is decided and where it is physically triggered.
Source of truth: Use OfficeRnD to decide who should have access.
Map access based on active plan, location, add-ons, and booking times.
If a membership is canceled or expires, the access is removed.
When a booking ends, access is removed.
Source of enforcement: Use your Door Access (DA) system to physically lock or unlock doors and determine which doors should be locked and when.
In your DA software, configure your doors and access groups.
Configure schedules to manage temporal access.
Set up and manage credentials.
Temporary exceptions
Managed in your DA system with expiry and audit trail.
Always double-check every exception you make.
Treat OfficeRnD as the final decision-maker for access and your door system only as the physical enforcement tool.
Establish naming conventions
Using a consistent naming convention for your access groups prevents confusion and reduces the risk of granting incorrect permissions. Additionally, it allows you to build a scalable door access model.
Use a standard format for every access group you create in your door access software.
Follow a standard format for all groups:
β[LOCATION] | [PERSONA] | [ZONE] | [SCHEDULE]Examples of effective group names:
LON | MEMBERS | AMENITIES | BH(London members, coworking zone, business hours).
NYC | BOOKINGS | ROOMS | TIMEBOUND
(New York visitors, meeting rooms, during booking only).SOF | STAFF | RESTRICTED | 24/7
(Sofia staff, storage/IT, always active).
Avoid creating "one-off" or custom groups for individual users. Instead, add users to these standardized groups to keep your security audit simple.
Keep your total group count under control and avoid creating "one-off" or custom groups for individual users.
Define lifecycle automation rules
Automating the start and end of access permissions reduces the risk of former members or unpaid visitors entering your space.
Provide access: Set the system to grant access automatically when a membership status becomes Active. You can also choose to only grant access after a membership is marked as Paid.
Remove access: Configure rules to revoke access immediately when a membership ends, when a cancellation effective date is reached, or if an account becomes delinquent beyond your allowed grace period.
Set booking buffers: For visitors, turn on access a specific number of minutes before a booking (for example, 15 minutes) and turn it off a set number of minutes after it ends.
Define grace periods: Establish explicit, limited grace periods (for example, 24 to 72 hours) for members to resolve billing issues before their keys are deactivated.
Maintain consistency: Keep these rules identical across all locations to avoid complex case-by-case handling.
Maintain consistent automation rules across all locations and avoid the risks of case-by-case manual handling.
Establish monitoring and audit operations
A secure model requires clear rules for who can change permissions and how you respond to technical failures.
Define permissions: Limit the number of admins who can change doors, access groups, and schedules within the Admin Portal.
Detect issues: Monitor your door access dashboard for offline doors, spikes in denied entries, or controller failures.
Create a rescue process: Document an after-hours rescue process for members who are locked out due to hardware failure.
Review access logs: Determine how long to keep logs, and which staff roles can view them for security audits.
Use break-glass access: Make sure any emergency "break-glass" access is time-bound, role-limited, and fully auditable.
Ensure any emergency break-glass access is time-bound, role-limited, and fully auditable.
Door/Zones Matrix (Template)
Download the attached file (look at the end of the article). Add one row per door (or per zone if doors are identical).
Open the image to see an example of how you can build your model
Field guidance
Zone: Keep a fixed set (Public / Member / Bookable / Tenant-only / Restricted).
Criticality:
High = lockout or security incident;
Med = inconvenience;
Low = optional.
Entitlement (System of record): Typically, OfficeRnD.
Enforcement system: DA System.
Schedule rule: BH, 24x7, booking-based, contractor nights, etc.
Access group(s): Follow your naming convention; avoid one-off custom groups.
Booking-based?
Yes for meeting rooms and day passes;
No for memberships and tenancies.
Recommended default group set (per location)
LOC | MEMBERS | AMENITIES | BH
LOC | MEMBERS | FULL | 24x7
LOC | BOOKINGS | AMENITIES | TIMEBOUND (Day pass)
LOC | BOOKINGS | BOOKABLE | TIMEBOUND (Meeting rooms)
LOC | TENANTS | <SUITE or FLOOR> | 24x7
LOC | STAFF | RESTRICTED | 24x7
LOC | CONTRACTORS | RESTRICTED | NIGHT (optional)