Disclosure: Some links may be affiliate. As an Amazon Associate, we earn from qualifying purchases.
Quick summary
Strong UniFi Access policies assign every door a risk tier, a schedule owner, an approval path, and a tested emergency override.
Use this template to standardize door schedules, credential lifecycles, hardware decisions, and audit evidence before staff turnover or compliance reviews expose weak spots.
How to Map UniFi Access Doors by Risk Tier
Map each opening into a defined risk tier so schedules, approvals, hardware, and retention rules stay consistent across the site.
Document each door with its location, business purpose, default schedule, fail-safe or fail-secure behavior, and any life-safety constraints. That record becomes the baseline for both installation and policy review.
Public entrances usually need low-friction visitor handling. Staff doors need predictable business-hour coverage. Restricted and Critical zones need tighter approvals, longer log retention, and better hardware planning.
For higher-density restricted areas, the Enterprise Access Hub (EAH-8) is the clean fit because it centralizes up to eight doors in one secure closet with battery backup support.
- Public: lobby, main entrance, delivery vestibule
- Staff: office suites, break rooms, internal corridors
- Restricted: IT closets, records rooms, finance areas
- Critical: server rooms, pharmacy, sensitive storage
How Should Visitor and Vendor Credentials Work in UniFi Access?
Temporary access should be sponsor-approved, time-bound, and easy to revoke without touching permanent staff schedules.
Build one repeatable workflow for deliveries, one for scheduled vendors, and one for after-hours exceptions. Every temporary credential should record the sponsor, reason for access, start time, and automatic expiration.
For staff, promote UniFi Endpoint mobile credentials where appropriate. Ubiquiti documents BLE-based Mobile Unlock for phones and watches, while Touch Pass should be enabled only on compatible readers.
- Create a visitor credential type with automatic expiration
- Require a sponsor name and reason for access
- Log vendor entry/exit in the same ticketing system used for facilities
Creating Emergency Override Procedures for UniFi Access
Emergency procedures must define who can unlock, who can lock down, and how doors behave when utility power or the PoE supply fails.
Confirm which doors are fail-safe versus fail-secure and align that behavior with local fire and life-safety requirements. If a door must release on power loss, document what protects the building after hours.
Because the standard Door Hub (UA-Hub-Door) depends on PoE++ power, the upstream switching layer matters as much as the hub itself. Put the PoE++ switch on a UPS, define a minimum runtime, and test both release behavior and recovery steps twice per year.
- Define who can trigger global unlock/lockdown
- Keep a printed override procedure near the control station
- Ensure the PoE++ switch is on a UPS with at least a 1-hour runtime
- Test UPS-backed power and release hardware twice per year
Checklist
- Map roles and default schedules
- Define credential tiers and approval process
- Write change-control and audit procedures
- Practice emergency overrides annually
- Verify First Person In rules for doors that must stay locked until a manager arrives
- Store a one-page SOP near the console
Who Should Approve Roles and Credential Tiers?
Every credential type needs a named approver, a default schedule, and a documented escalation path for exceptions.
Start with role-based defaults for employees, contractors, cleaning crews, and facilities vendors. Then define who approves new access, who handles same-day suspensions, and who is responsible for terminations.
This section is where access control stops being a technical project and becomes an operating policy. If approvals are vague, staff will bypass the system during rush requests.
UniFi Access Policy Template
Use one baseline schedule matrix so every door group has a default rule, an after-hours rule, and an audit note.
| Door group | Default schedule | After-hours rule | Notes |
|---|---|---|---|
| Lobby / Main entry | Mon-Fri 7am-7pm | Security team approval | Visitor badge template |
| Staff office doors | Mon-Fri 7am-9pm | Manager approval | Auto-expire at 90 days |
| IT / server rooms | Mon-Fri 8am-6pm | IT lead approval | Two-person approval for vendors |
| Delivery / loading | Mon-Fri 8am-5pm | Facilities approval | Camera bookmark on entry |
Keep schedule names consistent so reporting and audits are easy to understand.
How Should Credential Lifecycle Management Work?
Credential lifecycle policy should define issue, modify, suspend, and terminate steps before the first badge is assigned.
At minimum, require role verification at issuance, ticket-backed changes, immediate suspension for lost credentials, and same-day revocation when employment ends. If your team later moves to Identity Enterprise, those manual steps become much easier to automate.
- Issue: verify role, assign default schedule, record sponsor
- Modify: log schedule changes with reason and ticket number
- Suspend: disable immediately for lost badges
- Terminate: revoke on last day and archive access logs
Who Owns Each Part of the Access-Control System?
Named ownership prevents operational lockouts during staff transitions.
Capture the names, roles, and backups for everyone who touches access control. This includes policy owners, daily operators, hardware contacts, and the person accountable for audit exports.
- System owner (approves policy changes)
- Daily operator (issues badges and guest access)
- IT or facilities contact (hardware and firmware)
- Security lead (audits and incident response)
Configuring Schedule Blocks in the UniFi Console
Build separate schedule objects for business hours, holidays, deliveries, and emergency exceptions so changes stay readable and reversible.
Use descriptive names such as Lobby - Standard Business Hours or Server Room - Manager First Person In so the policy remains understandable during audits and troubleshooting.
Use First Person In on sensitive doors that must stay locked until an authorized person arrives on site. Do not treat remote unlock as a substitute; the point is to require a valid credential event at the door before a schedule can hold it open.
Create exception schedules in advance for weather events, maintenance windows, and holidays. Prebuilt exception blocks reduce rushed edits under pressure.
Which UniFi Access Hardware Fits Each Door Type?
Choose the hub, reader, and power topology by door type, not by whichever hardware is easiest to order first.
For most standard single-door deployments, the Door Hub (UA-Hub-Door) paired with a G2 Reader (UA-G2) is the clean baseline. Use the Gate Hub for vehicular access and the EAH-8 when you need centralized control for up to eight doors from one secure closet.
The Door Hub requires PoE++, so the switch must be sized and backed up correctly. The EAH-8 adds battery backup support, which makes it a better fit for higher-resilience server-room or multi-door installations.
For legacy Wiegand or partial retrofit environments, use the UniFi Retrofit Hub instead of forcing a full rip-and-replace on day one.
The clean deployment pattern is simple: policies live in UniFi, the PoE++ switch rides on a UPS, and every opening lands as a labeled reader-lock-sensor bundle instead of a mystery splice.
Label conduit, door hardware, and reader cables at both ends so technicians know exactly which components belong to each opening.
Use clean power, protected pathways, and clear labeling for relay outputs (lock, aux) plus input wiring (door position, request-to-exit). This reduces troubleshooting time during emergencies.
If you want a practical Amazon-ready bill of materials for a standard one-door rollout, start with the Door Hub, G2 Reader, a compact PoE++ switch, and a rackmount UPS. That bundle matches the real control path this article recommends instead of treating backup power as an optional add-on.
Ubiquiti UniFi Access Hub (Amazon)
- Single-door UniFi Access controller for standard office entries
- Good fit when the project already has separate reader and lock hardware
- Amazon-ready option for the core door controller in a one-door deployment
Ubiquiti UA-G2 Access Reader G2 (Amazon)
- Standard UniFi G2 reader for NFC and mobile-based unlock
- Clean fit for staff doors, vestibules, and interior restricted doors
- Pairs naturally with the Door Hub on a single-door rollout
Ubiquiti Professional 8 PoE Switch (Amazon)
- Compact managed switch with PoE+ and PoE++ output for access closets
- Better fit for Door Hub power than entry switches that stop at PoE+
- Strong Amazon-backed switch pick for a small UniFi Access deployment
CyberPower CP1500PFCRM2U Rackmount UPS (Amazon)
- 1500VA / 1000W pure sine wave UPS for rack and closet installs
- Short-depth 2U form factor suits compact commercial racks
- Practical backup layer for the PoE++ switch that feeds the access hub
When Should You Use UniFi Identity Enterprise Instead of Local UniFi Access?
Use local UniFi Access when one site can manage credentials manually, and use Identity Enterprise when account lifecycle automation becomes a security requirement.
For a single site with a stable team, local UniFi Access administration is often enough. Administrators can manage schedules, assign credentials, and export logs directly from the console.
Move up to UniFi Identity Enterprise when you need centralized people management, directory integration, or automated deprovisioning tied to Google Workspace, Microsoft Entra, LDAP-based directories, or SCIM workflows. That change materially improves offboarding and reduces the chance that a forgotten account remains active.
- Local UniFi Access: best for single-site teams with manual badge issuance
- UniFi Identity Enterprise: best when HR-driven onboarding and offboarding must flow from the identity provider
- UniFi Fabrics: useful when multiple sites need one people and permissions model
How Does This Template Support Audits and Compliance Reviews?
The template supports compliance work by defining approvals, retention, physical safeguards, and evidence exports in one repeatable policy.
Auditors rarely want a brand preference. They want proof that access is role-based, reviewed, time-bound where necessary, and traceable when an incident occurs. This template gives IT and facilities a shared operational record for that review.
| Framework area | What auditors usually look for | How this template helps |
|---|---|---|
| SOC 2 physical security | Controlled entry, documented approvals, retained evidence | Door groups, after-hours approvals, First Person In, and exportable logs create reviewable evidence |
| HIPAA facility access controls | Policies for facility access, contingency operations, and maintenance records | Door schedules, emergency overrides, and hardware maintenance ownership support documented physical safeguards |
| General operations | Clear ownership and incident response | Stakeholder worksheet, change log, and printed override SOP reduce ad hoc decisions |
This template supports physical-security evidence collection, but it does not replace legal review or a formal compliance assessment.
How Secure Are Mobile Credentials in UniFi Access?
Mobile credentials should be treated as managed corporate credentials, not as informal convenience features.
Ubiquiti documents BLE-based Mobile Unlock for UniFi Endpoint and a per-site token mechanism that generates unique encryption keys for UniFi-issued access cards and pocket keyfobs. In practice, that means native UniFi mobile credentials and UniFi-issued NFC credentials are safer choices than unmanaged legacy cards that are hard to track or revoke.
Document how lost phones are handled, require screen lock and MFA on managed devices, and disable mobile access immediately when a device is lost or an employee departs.
How Should Change Control and Retention Work?
Change control should record who changed a schedule, why it changed, and which ticket or approval authorized the edit.
Create a simple log for schedule changes, override approvals, and credential exceptions. Pair that with quarterly reviews that verify access logs, camera bookmarks, visitor badges, and exported reports still align with the written policy.
For most offices, 90 days of readily available access logs is a practical baseline. Higher-regulation environments may need longer retention and tighter review workflows. Align access-log retention with video retention so investigations do not end with mismatched timelines.
- Archive monthly exports in a shared security folder with a clear naming convention
- Give report request authority to a short, named list of admins
- Link door events to related incident or facilities tickets when something unusual happens
- Review policy changes quarterly, not only after something breaks
Common pitfalls to avoid
- Overlapping schedules that accidentally grant 24/7 access
- Vendor badges without auto-expiration
- No documented handoff when a manager leaves
- Unlabeled hardware that slows down emergency service
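The schedule matrix, the credential lifecycle rules, and the pitfalls above can be checked mechanically before a quarterly review. The following is an added example, not Ubiquiti code: it lints a constructed door and credential inventory (field names such as tier, schedules, first_person_in, sponsor, reason and expires are assumed) for schedule blocks that together grant 24/7 access, Restricted or Critical doors without First Person In, and temporary credentials missing a sponsor, reason, or automatic expiration.

```python
# Added example (not Ubiquiti code): lint a constructed inventory for this template's pitfalls.
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

# Constructed sample. Schedule blocks are (days, start_hour, end_hour), end
# exclusive, so ("Mon-Fri", 7, 19) is the matrix's "Mon-Fri 7am-7pm".
DOORS = {
    "Lobby / Main entry": {"tier": "Public", "schedules": [("Mon-Fri", 7, 19)]},
    # A weekend exception block that was never removed: the union is 24/7.
    "Staff office doors": {"tier": "Staff",
                           "schedules": [("Mon-Fri", 0, 24), ("Sat-Sun", 0, 24)]},
    "Server room": {"tier": "Critical", "schedules": [("Mon-Fri", 8, 18)],
                    "first_person_in": False},
}
CREDENTIALS = [
    {"id": "V-100", "type": "vendor", "sponsor": "J. Doe", "reason": "HVAC",
     "expires": "2025-03-01"},
    {"id": "V-101", "type": "vendor", "sponsor": None, "reason": "", "expires": None},
    {"id": "S-200", "type": "staff", "sponsor": "HR", "reason": "role", "expires": None},
]

def expand(days, start, end):
    """Set of (day, hour) slots one block unlocks; days is 'Mon' or 'Mon-Fri'."""
    first, _, last = days.partition("-")
    span = range(DAYS.index(first), DAYS.index(last or first) + 1)
    return {(DAYS[d], h) for d in span for h in range(start, end)}

def lint_door(name, door):
    """Overlapping blocks that sum to 24/7, and sensitive doors lacking First Person In."""
    findings = []
    slots = set().union(*(expand(*block) for block in door["schedules"]))
    if len(slots) == 7 * 24:
        findings.append(f"{name}: schedule blocks together grant 24/7 access")
    if door["tier"] in ("Restricted", "Critical") and not door.get("first_person_in"):
        findings.append(f"{name}: {door['tier']} door without First Person In")
    return findings

def lint_credential(cred):
    """Temporary credentials must record sponsor, reason and automatic expiration."""
    if cred["type"] not in ("visitor", "vendor"):
        return []
    return [f"{cred['id']}: temporary credential missing {field}"
            for field in ("sponsor", "reason", "expires") if not cred.get(field)]

def lint(doors=DOORS, creds=CREDENTIALS):
    findings = [f for name, door in doors.items() for f in lint_door(name, door)]
    findings += [f for cred in creds for f in lint_credential(cred)]
    return findings

if __name__ == "__main__":
    print("\n".join(lint()) or "no findings")
```

Run against a real export of door groups and credentials, the same checks turn the pitfalls list into review evidence rather than a reminder.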
First 30 days rollout plan
Treat the first month as a stabilization period. Log every schedule change, review badge activity weekly, and verify that visitor workflows match real-life behavior. Adjust schedules early so staff build trust in the system.
After the first month, lock in the policy and only make changes through the documented request process so the system stays consistent.
- Week 1: verify door schedules against actual hours
- Week 2: review visitor access logs and approvals
- Week 3: test emergency overrides and failover
- Week 4: export reports and archive in shared folder
Train staff and plan response
Provide a one-page quick-start for front desk or facilities teams, covering how to issue credentials, revoke access, and contact support. Store the sheet near the primary workstation and in a shared drive.
Rehearse lockout and emergency scenarios annually so staff know exactly how to respond when badges fail or alarms trigger.
If you need a commercial access-control design reviewed before rollout, our commercial technology team can validate door groups, PoE power planning, and retention assumptions against the actual site.
FAQs
How do we handle lost badges or lost phones?
Disable the credential immediately, document the incident, and review recent door events for anything unusual. Keep spare badges and a quick-issue SOP ready so operations do not stall.
What belongs in a UniFi Access policy?
Roles, schedules, credential tiers, emergency overrides, change control, retention, and an exportable audit trail. Review the document quarterly and after staffing or facility changes.
Does First Person In work with remote unlock?
No. First Person In should require a valid credential event at the door, not a remote release from elsewhere. Keep that distinction explicit in the policy so admins do not weaken the control during exceptions.
When is Identity Enterprise worth the extra complexity?
Identity Enterprise becomes worth it when onboarding and offboarding must follow the identity provider automatically, or when multiple sites need one shared people and permissions model.