The service capabilities reflect optional functionality of a service. The information is static and does not change during device operation. The following capabilities are available:
* The maximum number of entries returned by a single Get<Entity>List or Get<Entity> request. The device shall never return more than this number of entities in a single response.
* Indicates the maximum number of access points supported by the device.
* Indicates the maximum number of areas supported by the device.
* Indicates that the client is allowed to supply the token when creating access points and areas. To enable the use of the commands SetAccessPoint and SetArea, the value must be set to true.

Used as extension base for AccessPointInfo.
* A user readable name. It shall be up to 64 characters.
* Optional user readable description for the AccessPoint. It shall be up to 1024 characters.
* Optional reference to the Area from which access is requested.
* Optional reference to the Area to which access is requested.
* Optional entity type; if missing, a Door type as defined by [ONVIF Door Control Service Specification] should be assumed. This can also be represented by the QName value "tdc:Door" – where tdc is the namespace of the door control service: "http://www.onvif.org/ver10/doorcontrol/wsdl". This field is provided for future extensions; it will allow an access point being extended to cover entity types other than doors as well.
* Reference to the entity used to control access; the entity type may be specified by the optional EntityType field explained below but is typically a Door.

The AccessPointInfo structure contains basic information about an access point instance. An access point defines an entity a credential can be granted or denied access to. The AccessPointInfo structure provides basic information on how access is controlled in one direction for a door (from which area to which area). Multiple access points may cover the same door.
A typical case is one access point for entry and another for exit, both referencing the same door.

The capabilities for the AccessPoint.

The AccessPoint structure shall include all properties of the AccessPointInfo structure, a reference to an authentication profile instance, and optionally a number of input and output devices. A reference to an authentication profile which defines the authentication behavior of the access point.

The AccessPoint capabilities reflect optional functionality of a particular physical entity. Different AccessPoint instances may have different sets of capabilities. This information may change during device operation, e.g. if hardware settings are changed. The following capabilities are available:
* A list of security level tokens that this access point supports. See [Authentication Behavior Service Specification].
* Indicates whether or not this AccessPoint instance supports EnableAccessPoint and DisableAccessPoint commands.
* Indicates whether or not this AccessPoint instance supports generation of duress events.
* Indicates whether or not this AccessPoint has a REX switch or other input that allows anonymous access.
* Indicates whether or not this AccessPoint instance supports generation of AccessTaken and AccessNotTaken events. If AnonymousAccess and AccessTaken are both true, it indicates that the Anonymous versions of AccessTaken and AccessNotTaken are supported.
* Indicates whether or not this AccessPoint instance supports the ExternalAuthorization operation and the generation of Request events. If AnonymousAccess and ExternalAuthorization are both true, it indicates that the Anonymous version is supported as well.

Basic information about an Area. Used as extension base.
* User readable name. It shall be up to 64 characters.
* User readable description for the Area. It shall be up to 1024 characters.

The AreaInfo structure contains basic information about an Area.
An ONVIF compliant device shall provide the following fields for each Area:

The Area structure shall include all properties of the AreaInfo structure and optionally a parent area token, an OccupancyControl structure and/or an Antipassback structure.

The AccessPointState contains state information for an AccessPoint. An ONVIF compliant device shall provide the following fields for each AccessPoint instance:
* Indicates that the AccessPoint is enabled. By default this field value shall be True if the DisableAccessPoint capability is not supported.

The Decision enumeration represents a choice of two available options for an access request:
* The decision is to grant access.
* The decision is to deny access.

Non-normative enum that describes the various reasons for denying access. The following strings shall be used for the reason field:
* The device shall provide the following event, whenever a valid credential is not enabled or has been disabled (e.g., due to credential being lost etc.) to prevent unauthorized entry.
* The device shall provide the following event, whenever a valid credential is presented though it is not active yet; e.g., the credential was presented before the start date.
* The device shall provide the following event, whenever a valid credential was presented after its expiry date.
* The device shall provide the following event, whenever an entered PIN code does not match the credential.
* The device shall provide the following event, whenever a valid credential is denied access to the requested AccessPoint because the credential is not permitted at the moment.
* The device shall provide the following event, whenever the presented credential is not authorized.
* The device shall provide the following event, whenever the request is denied and no other specific event matches it or is supported by the service.

The capability response message contains the requested Access Control service capabilities using a hierarchical XML capability structure.
Maximum number of entries to return. If not specified, less than one or higher than what the device supports, the number of items is determined by the device. Start returning entries from this start reference. If not specified, entries shall start from the beginning of the dataset. StartReference to use in next call to get the following items. If absent, no more items to get. List of AccessPointInfo items.

Tokens of AccessPointInfo items to get. List of AccessPointInfo items.

Maximum number of entries to return. If not specified, less than one or higher than what the device supports, the number of items is determined by the device. Start returning entries from this start reference. If not specified, entries shall start from the beginning of the dataset. StartReference to use in next call to get the following items. If absent, no more items to get. List of AccessPoint items.

Tokens of AccessPoint items to get. List of AccessPoint items.

AccessPoint item to create. Token of created AccessPoint item. AccessPoint item to create or modify. AccessPoint item to modify. Token of AccessPoint item to delete.

Token of the AccessPoint. Token of the AuthenticationProfile. Token of the AccessPoint.

Maximum number of entries to return. If not specified, less than one or higher than what the device supports, the number of items is determined by the device. Start returning entries from this start reference. If not specified, entries shall start from the beginning of the dataset. StartReference to use in next call to get the following items. If absent, no more items to get. List of AreaInfo items.

Tokens of AreaInfo items to get. List of AreaInfo items.

Maximum number of entries to return. If not specified, less than one or higher than what the device supports, the number of items is determined by the device. Start returning entries from this start reference. If not specified, entries shall start from the beginning of the dataset.
StartReference to use in next call to get the following items. If absent, no more items to get. List of Area items.

Tokens of Area items to get. List of Area items.

Area item to create. Token of created Area item. Area item to create or modify. Area item to modify. Token of Area item to delete.

Token of AccessPoint instance to get AccessPointState for. AccessPointState item.

Token of the AccessPoint instance to enable. Token of the AccessPoint instance to disable.

Token of the Access Point instance. Optional token of the Credential involved. Optional reason for decision. Decision - Granted or Denied.

This operation returns the capabilities of the access control service. A device which provides the access control service shall implement this method.

This operation requests a list of AccessPointInfo items matching the given tokens. The device shall ignore tokens it cannot resolve and shall return an empty list if there are no items matching the specified tokens. The device shall not return a fault in this case. If the number of requested items is greater than MaxLimit, a TooManyItems fault shall be returned.

This operation requests a list of all AccessPointInfo items provided by the device. A call to this method shall return a StartReference when not all data is returned and more data is available. The reference shall be valid for retrieving the next set of data. Please refer to section 4.8.3 in [ONVIF PACS Architecture and Design Considerations] for more details. The number of items returned shall not be greater than the Limit parameter.

This operation requests a list of AccessPoint items matching the given tokens. The device shall ignore tokens it cannot resolve and shall return an empty list if there are no items matching the specified tokens. The device shall not return a fault in this case. If the number of requested items is greater than MaxLimit, a TooManyItems fault shall be returned.

This operation requests a list of all AccessPoint items provided by the device.
A call to this method shall return a StartReference when not all data is returned and more data is available. The reference shall be valid for retrieving the next set of data. The number of items returned shall not be greater than the Limit parameter.

This operation creates the specified access point in the device. The token field of the AccessPoint structure shall be empty and the device shall allocate a token for the access point. The allocated token shall be returned in the response. If the client sends any value in the token field, the device shall return InvalidArgVal as a generic fault code.

This method is used to synchronize an access point in a client with the device. If an access point with the specified token does not exist in the device, the access point is created. If an access point with the specified token exists, then the access point is modified. A call to this method takes an AccessPoint structure as input parameter. The token field of the AccessPoint structure shall not be empty. A device that signals support for the ClientSuppliedTokenSupported capability shall implement this command. If no token was specified in the request, the device shall return InvalidArgs as a generic fault code.

This operation modifies the specified access point. The token of the access point to modify is specified in the token field of the AccessPoint structure and shall not be empty. All other fields in the structure shall overwrite the fields in the specified access point. If no token was specified in the request, the device shall return InvalidArgs as a generic fault code.

This operation deletes the specified access point. If it is associated with one or more entities, some devices may not be able to delete the access point, and consequently a ReferenceInUse fault shall be generated. If no token was specified in the request, the device shall return InvalidArgs as a generic fault code.

This operation defines the authentication behavior for an access point.
This operation reverts the authentication behavior for an access point to its default behavior.

This operation requests a list of AreaInfo items matching the given tokens. The device shall ignore tokens it cannot resolve and shall return an empty list if there are no items matching the specified tokens. The device shall not return a fault in this case. If the number of requested items is greater than MaxLimit, a TooManyItems fault shall be returned.

This operation requests a list of all AreaInfo items provided by the device. A call to this method shall return a StartReference when not all data is returned and more data is available. The reference shall be valid for retrieving the next set of data. The number of items returned shall not be greater than the Limit parameter.

This operation requests a list of Area items matching the given tokens. The device shall ignore tokens it cannot resolve and shall return an empty list if there are no items matching the specified tokens. The device shall not return a fault in this case. If the number of requested items is greater than MaxLimit, a TooManyItems fault shall be returned.

This operation requests a list of all Area items provided by the device. A call to this method shall return a StartReference when not all data is returned and more data is available. The reference shall be valid for retrieving the next set of data. The number of items returned shall not be greater than the Limit parameter.

This operation creates the specified area in the device. The token field of the Area structure shall be empty and the device shall allocate a token for the area. The allocated token shall be returned in the response. If the client sends any value in the token field, the device shall return InvalidArgVal as a generic fault code.

This method is used to synchronize an area in a client with the device. If an area with the specified token does not exist in the device, the area is created.
If an area with the specified token exists, then the area is modified. A call to this method takes an Area structure as input parameter. The token field of the Area structure shall not be empty. A device that signals support for the ClientSuppliedTokenSupported capability shall implement this command. If no token was specified in the request, the device shall return InvalidArgs as a generic fault code.

This operation modifies the specified area. The token of the area to modify is specified in the token field of the Area structure and shall not be empty. All other fields in the structure shall overwrite the fields in the specified area. If no token was specified in the request, the device shall return InvalidArgs as a generic fault code.

This operation deletes the specified area. If it is associated with one or more entities, some devices may not be able to delete the area, and consequently a ReferenceInUse fault shall be generated. If no token was specified in the request, the device shall return InvalidArgs as a generic fault code.

This operation requests the AccessPointState for the access point instance specified by the token.

This operation allows enabling an access point. A device that signals support for DisableAccessPoint capability for a particular access point instance shall implement this command.

This operation allows disabling an access point. A device that signals support for the DisableAccessPoint capability for a particular access point instance shall implement this command.

This operation allows a deny or grant decision to be made at an access point instance. A device that signals support for ExternalAuthorization capability for a particular access point instance shall implement this method.

Copyright (c) 2010-2017 by ONVIF: Open Network Video Interface Forum. All rights reserved.
The AccessControl service implements the Authentication and Authorization functionality and controls the actions to get access to various Access Points controlling access to Doors and Areas.
The basic data structures used by the service are:
* CredentialInfo holding basic information of a credential.
* AccessPointInfo holding basic information on how access is controlled in one direction for a door (from which area to which area) defined in the DoorControl service.
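
The list and token-lookup rules described above, as an added example (not part of the ONVIF specification or any ONVIF code): a client pages with Limit and StartReference while checking the device's guarantees, and splits token lookups by MaxLimit while reporting tokens the device silently ignored. FakeDevice, fetch_all, fetch_by_tokens and the sample data are constructed for illustration, and the TooManyItems fault is modelled as a Python exception.

```python
# Added example: constructed in-memory device plus client helpers (not ONVIF code).

class FakeDevice:
    """Stand-in for a device's AccessPointInfo operations (constructed data)."""
    MAX_LIMIT = 3

    def __init__(self, names):
        self.items = [{"token": f"ap{i}", "Name": n} for i, n in enumerate(names)]

    def get_info_list(self, limit=None, start_reference=None):
        # Limit missing, < 1 or too high: the device picks the page size.
        if limit is None or limit < 1 or limit > self.MAX_LIMIT:
            limit = self.MAX_LIMIT
        start = int(start_reference or 0)
        end = start + limit
        next_ref = str(end) if end < len(self.items) else None
        return next_ref, self.items[start:end]

    def get_info(self, tokens):
        if len(tokens) > self.MAX_LIMIT:
            raise ValueError("TooManyItems")
        # Tokens that cannot be resolved are ignored without a fault.
        return [i for i in self.items if i["token"] in tokens]


def fetch_all(device, limit):
    """Page until no StartReference is returned, checking the device's promises."""
    items, ref, seen = [], None, set()
    while True:
        ref, page = device.get_info_list(limit, ref)
        if 1 <= limit < len(page):
            raise RuntimeError("device returned more items than Limit")
        items += page
        if ref is None:
            return items
        if ref in seen:               # a repeated reference would loop forever
            raise RuntimeError("StartReference repeated")
        seen.add(ref)


def fetch_by_tokens(device, tokens, max_limit):
    """Chunk by MaxLimit to avoid TooManyItems; report silently ignored tokens."""
    found = []
    for i in range(0, len(tokens), max_limit):
        found += device.get_info(tokens[i:i + max_limit])
    missing = sorted(set(tokens) - {f["token"] for f in found})
    return found, missing
```

Because unresolved tokens produce no fault, the `missing` list is the only signal that a requested access point does not exist on the device.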