Quick summary
Effective policies prevent lockouts and security gaps. Use this template to define schedules, credential tiers, and audit routines that stay consistent across teams.
Capture stakeholders, schedule blocks, hardware choices, and change control so access stays predictable during audits or staff turnover.
Map doors by risk tier
Start by listing every door and assigning a risk tier. Public entry doors need convenient access and clean visitor workflows. Staff-only doors need tighter hours and change control. High-value areas (IT rooms, cash storage, private offices) need strict approvals and longer audit retention.
Document each door with location, use case, default schedule, and any life-safety constraints. This prevents accidental lockouts and keeps the policy defensible when leadership or compliance teams review it.
For restricted and critical zones, plan the hardware upfront. The Enterprise Access Hub (EAH-8) is the best fit for server rooms and high-density closets where you need multiple doors managed from one secure location.
- Public: lobby, main entrance, delivery vestibule
- Staff: office suites, break rooms, internal corridors
- Restricted: IT closets, records rooms, finance areas
- Critical: server rooms, pharmacy, sensitive storage
Visitor and vendor workflows
Define how temporary access is issued, who approves it, and how badges or mobile credentials are revoked. Store a playbook for deliveries, service calls and after-hours access.
Use short, time-bound schedules for vendors and document the sponsor responsible for each badge. For regular visitors, keep a standing template so front-desk staff can assign access in under a minute.
Promote mobile credentials in the UniFi Identity/Endpoint app, especially Mobile Tap and Touch Pass, so staff can unlock by tapping a phone instead of opening the app.
- Create a visitor credential type with automatic expiration
- Require a sponsor name and reason for access
- Log vendor entry/exit in the same ticketing system used for facilities
Emergency overrides
Document how to safely unlock or lock down doors during emergencies and who has authority. Practice the steps annually and store instructions where staff can reach them quickly.
Confirm which doors are fail-secure vs fail-safe and align the policy with fire code requirements. If a door must unlock during a power failure, document alternative controls for after-hours security.
- Define who can trigger global unlock/lockdown
- Keep a printed override procedure near the control station
- Ensure the PoE++ switch is on a UPS with at least a 1-hour runtime; the standard UA-Hub relies on PoE power only
- Test UPS-backed power and release hardware twice per year
FAQs
How do we handle lost badges?
Disable the credential immediately, document the incident, and audit recent entries for anomalies. Keep spare badges and a quick-issue SOP ready.
What belongs in our access policy?
Roles, schedules, credential tiers, change control, and an exportable audit trail. Review quarterly and after staff changes.
Checklist
- Map roles and default schedules
- Define credential tiers and approval process
- Write change-control and audit procedures
- Practice emergency overrides annually
- Verify First Person In rules for doors that must stay locked until a manager arrives
- Store a one-page SOP near the console
Define roles and credential tiers
List every stakeholder—full-time staff, contractors, cleaning crews, residents—and assign default access windows. Note escalation paths for temporary overrides, after-hours emergencies, and lost credentials.
Clarify who approves new credentials, who handles terminations, and how long inactive badges stay valid. These decisions keep policy consistent even when staffing changes.
UniFi Access Policy Template
Copy this policy template into your IT handbook and rename schedules to match each door group.
| Door group | Default schedule | After-hours rule | Notes |
|---|---|---|---|
| Lobby / Main entry | Mon-Fri 7am-7pm | Security team approval | Visitor badge template |
| Staff office doors | Mon-Fri 7am-9pm | Manager approval | Auto-expire at 90 days |
| IT / server rooms | Mon-Fri 8am-6pm | IT lead approval | Two-person approval for vendors |
| Delivery / loading | Mon-Fri 8am-5pm | Facilities approval | Camera bookmark on entry |
Keep schedule names consistent so reporting and audits are easy to understand.
Credential lifecycle checklist
- Issue: verify role, assign default schedule, record sponsor
- Modify: log schedule changes with reason and ticket number
- Suspend: disable immediately for lost badges
- Terminate: revoke on last day and archive access logs
Stakeholder worksheet
Capture the names and responsibilities for everyone who touches access control. This prevents confusion during staffing changes and avoids the classic problem of “nobody knows the password.”
- System owner (approves policy changes)
- Daily operator (issues badges and guest access)
- IT or facilities contact (hardware and firmware)
- Security lead (audits and incident response)
Build schedule blocks in UniFi Access
Translate business hours, holiday closures, and delivery windows into schedule objects. Use descriptive names and group doors logically—Lobby, Warehouse, Roof Access—so anyone reviewing the system understands coverage at a glance.
Use the First Person In requirement for sensitive doors so they stay locked until an authorized manager enters, even if the schedule is set to unlock.
Create exception schedules for weather events or maintenance windows. Storing these templates now means you can adjust quickly later without rebuilding from scratch.
Deploy reliable hardware
The standard Door Hub (UA-Hub-Door) is a single-door controller with a lock relay plus an aux relay for door operators or sirens. Use the Gate Hub for a gate plus side door, and the Enterprise Access Hub (EAH-8) when you need to manage up to eight doors from one secure closet.
The Door Hub runs on PoE++ only, so place the switch on a UPS for backup power. The Enterprise Access Hub adds battery backup support for higher-resilience deployments.
For legacy Wiegand retrofits, use the UniFi Retrofit Hub; the Reader G2 is a native PoE reader.
Label conduit, door hardware, and reader cables at both ends so technicians know exactly which components belong to each opening.
Use clean power, protected pathways, and clear labeling for relay outputs (lock, aux) plus input wiring (door position, request-to-exit). This reduces troubleshooting time during emergencies.
Ubiquiti UniFi Access Hub (UA-Hub)
- Single-door controller with lock relay plus an auxiliary output
- Powered by PoE++ (use a UPS-backed switch for backup)
- Starting at $199 MSRP (check current pricing)
Ubiquiti UniFi Access Reader G2
- NFC and mobile unlock reader with handwave request-to-exit
- PoE-powered and IP55-rated for outdoor installations
- Starting at $139 MSRP (check current pricing)
Document change control and audits
Create a simple change log capturing who altered schedules, when, and why. Include ticket numbers, approving managers, and any associated compliance notes.
Schedule quarterly reviews to verify logs, camera bookmarks, and visitor badges align with policy. Pair the review with exportable reports so you can respond quickly to audits or legal requests.
Archive monthly exports in a shared security folder with a clear naming convention (site, month, and door group).
Policy approval and change requests
Define who signs off on policy changes and how requests are submitted. A simple form or ticket keeps approvals visible and prevents ad-hoc edits. When staff change roles or departments, update both the access policy and the access request workflow so the system stays aligned with organizational changes.
Keep a short list of approved changes so front-line staff are not forced to improvise under pressure.
Audit trail and data retention
Decide how long you keep access logs and how you store them. Many offices keep 90 days on hand and archive for one year, while regulated environments may keep longer. Align log retention with your camera retention so investigations are consistent.
Store exports in a shared folder with read-only permissions, and document who can request a report. A clear process reduces delays when incidents happen.
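The archive is only useful in an investigation if it is complete. The following added example (not part of the original template and not a UniFi Access feature) checks a folder listing for misnamed files, missing monthly exports, and files older than the one-year archive window. The `<site>_<YYYY-MM>_<door-group>.csv` naming pattern and the sample file names are assumptions made for illustration.

```python
import re
from datetime import date

# Hypothetical naming convention: <site>_<YYYY-MM>_<door-group>.csv
NAME_RE = re.compile(
    r"^(?P<site>[a-z0-9-]+)_(?P<ym>\d{4}-\d{2})_(?P<group>[a-z0-9-]+)\.csv$")

def months_back(today, n):
    """Return the n most recent complete months before `today` as 'YYYY-MM'."""
    out, y, m = [], today.year, today.month
    for _ in range(n):
        y, m = (y - 1, 12) if m == 1 else (y, m - 1)
        out.append(f"{y:04d}-{m:02d}")
    return out

def review_archive(filenames, today, retain_months=12):
    """Report misnamed files, missing monthly exports, and files past retention."""
    expected = set(months_back(today, retain_months))
    seen, misnamed, past = {}, [], []
    for name in filenames:
        m = NAME_RE.match(name)
        if not m:
            misnamed.append(name)  # breaks the site/month/door-group convention
            continue
        if m["ym"] in expected:
            seen.setdefault((m["site"], m["group"]), set()).add(m["ym"])
        elif m["ym"] < min(expected):
            past.append(name)  # older than the archive window
    # Only door groups with at least one in-window export are checked for gaps.
    missing = {k: sorted(expected - v) for k, v in seen.items() if expected - v}
    return {"misnamed": misnamed, "missing": missing, "past_retention": past}

# Constructed sample listing of the shared export folder.
SAMPLE_TODAY = date(2025, 3, 15)
SAMPLE_FILES = [
    "hq_2025-02_lobby.csv", "hq_2024-12_lobby.csv",
    "hq_2024-06_lobby.csv", "Lobby export Feb.csv",
]

if __name__ == "__main__":
    print(review_archive(SAMPLE_FILES, SAMPLE_TODAY, retain_months=3))
```

Run it against the real folder listing during the quarterly review and treat every entry under `missing` as a gap to explain before an audit asks about it.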
Common pitfalls to avoid
- Overlapping schedules that accidentally grant 24/7 access
- Vendor badges without auto-expiration
- No documented handoff when a manager leaves
- Unlabeled hardware that slows down emergency service
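The first two pitfalls can be caught mechanically before a policy goes live. The following added example (not part of the original template and not a UniFi Access export format) merges every schedule assigned to a credential and flags any credential whose combined windows leave no gap in the week, plus vendor badges missing an expiration or sponsor. Schedule names, credential IDs, and field names are constructed for illustration; windows end at `24:00` rather than wrapping past midnight.

```python
WEEK_MIN = 7 * 24 * 60  # minutes in one week; day 0 is Monday

def win(day, start, end):
    """One weekly window as (start_min, end_min) from 'HH:MM' strings."""
    to_min = lambda t: day * 1440 + int(t[:2]) * 60 + int(t[3:])
    return (to_min(start), to_min(end))

def coverage_gaps(windows):
    """Merge overlapping windows and return the uncovered (start, end) gaps."""
    gaps, cursor = [], 0
    for s, e in sorted(windows):
        if s > cursor:
            gaps.append((cursor, s))
        cursor = max(cursor, e)
    if cursor < WEEK_MIN:
        gaps.append((cursor, WEEK_MIN))
    return gaps

def audit(schedules, credentials):
    """Flag credentials with no weekly gap and vendor badges missing controls."""
    findings = []
    for cred in credentials:
        windows = [w for name in cred["schedules"] for w in schedules[name]]
        if not coverage_gaps(windows):
            findings.append((cred["id"], "schedules combine into 24/7 access"))
        if cred["type"] == "vendor":
            for field, label in (("expires", "expiration"), ("sponsor", "sponsor")):
                if not cred.get(field):
                    findings.append((cred["id"], f"vendor badge has no {label}"))
    return findings

# Constructed sample policy (hypothetical names; not a UniFi Access export).
SCHEDULES = {
    "Staff office": [win(d, "07:00", "21:00") for d in range(5)],
    "Evening cleaning": [win(d, "18:00", "24:00") for d in range(7)],
    "Early deliveries": [win(d, "00:00", "08:00") for d in range(7)],
    "Weekend cover": [win(d, "06:00", "19:00") for d in (5, 6)],
}
CREDENTIALS = [
    {"id": "staff-014", "type": "staff", "schedules": ["Staff office"]},
    {"id": "fac-002", "type": "staff", "schedules": list(SCHEDULES)},
    {"id": "vend-031", "type": "vendor", "schedules": ["Early deliveries"]},
    {"id": "vend-032", "type": "vendor", "schedules": ["Early deliveries"],
     "sponsor": "J. Rivera", "expires": "2030-01-31"},
]

if __name__ == "__main__":
    for cred_id, issue in audit(SCHEDULES, CREDENTIALS):
        print(f"{cred_id}: {issue}")
```

None of the four sample schedules is 24/7 on its own; `fac-002` is flagged only because all four were stacked on one credential, which is how this pitfall usually appears in practice.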
First 30 days rollout plan
Treat the first month as a stabilization period. Log every schedule change, review badge activity weekly, and verify that visitor workflows match real-life behavior. Adjust schedules early so staff builds trust in the system.
After the first month, lock in the policy and only make changes through the documented request process so the system stays consistent.
- Week 1: verify door schedules against actual hours
- Week 2: review visitor access logs and approvals
- Week 3: test emergency overrides and failover
- Week 4: export reports and archive in shared folder
Train staff and plan response
Provide a one-page quick-start for front desk or facilities teams, covering how to issue credentials, revoke access, and contact support. Store the sheet near the primary workstation and in a shared drive.
Rehearse lockout and emergency scenarios annually so staff know exactly how to respond when badges fail or alarms trigger.
