Abstract: A device may include a memory storing instructions and a processor configured to execute the instructions to identify a communication link between a first domain object and a second domain object; identify a first endpoint associated with the first domain object and a second endpoint associated with the second domain object; and determine a location relationship between the first endpoint and the second endpoint. The processor may be further configured to select a communication mechanism based on the determined location relationship; instruct the first endpoint to communicate with the second endpoint using the selected communication mechanism; and instruct the second endpoint to communicate with the first endpoint using the selected communication mechanism.

Abstract: A device may include a memory storing instructions and a processor configured to execute the instructions to identify a communication link between a first domain object and a second domain object; identify a first endpoint associated with the first domain object and a second endpoint associated with the second domain object; and determine a location relationship between the first endpoint and the second endpoint. The processor may be further configured to select a communication mechanism based on the determined location relationship; instruct the first endpoint to communicate with the second endpoint using the selected communication mechanism; and instruct the second endpoint to communicate with the first endpoint using the selected communication mechanism.

Abstract: A controller device may correspond to a physical access controller in a distributed physical access control system. The controller device may include logic configured to obtain access to a global database that include access control information for a plurality of controller devices. The logic may be further configured to derive a local access rules table from the global database, wherein the local access rules table relates users to access rules, and wherein the local access rules table is encrypted with a local access rules key; and derive a local credentials table from the global database, wherein the local credentials table relates hashed credentials to users, wherein the local credentials table stores, for a user, the local access rules key encrypted with unhashed credentials associated with the user, wherein the unhashed credentials are not stored in the controller device.

Abstract: A device may correspond to a physical access controller in a distributed physical access control system. A method, performed by the device in a distributed system, may include detecting that another device in the distributed system has become unavailable; determining that a loss of consensus has occurred in the distributed system based on detecting that the other device has become unavailable; generating a list of available devices in the distributed system; and sending an alarm message to an administrative device, wherein the alarm message indicates the loss of consensus and wherein the alarm message includes the list of available devices.

Abstract: A method relates to distributing user credentials in a distributed physical access control system, and more generally to distributing user credentials in a distributed system. A method may include storing a user credential database (DB), a first transformed credential DB and a second transformed credential DB for authenticating users to access a first and a second service provided by the device. The method may include generating the first transformed credential DB and the second transformed credential DB based on the user credential DB and comparing a credential received from a user to the first or the second transformed credential DB to determine whether to grant access to the first or the second service. The method may include distributing the user credential DB to a plurality of other devices connected in a network for the other devices to generate transformed credential DBs for authenticating users to access services.

Abstract: A device may correspond to a physical access controller in a distributed physical access control system. The device in a distributed system may include logic configured to detect a request from an application to access an application dataset, wherein the application dataset corresponds to a distributed dataset and determine whether the application dataset exists in the distributed system. The logic may be further configured to generate the application dataset in the distributed system, in response to determining that the application dataset does not exist in the distributed system, and send, to other devices in the distributed system, a request to join a dataset group that includes devices associated with the application dataset, in response to determining that the application dataset exists in the distributed system.

Abstract: A method may include a device joining a distributed database in a distributed physical access control system. The method may include storing first data in a first memory area of a memory. The first memory area may be designated to store data for a consensus-based distributed database (DB). The first data is to be added to the consensus-based distributed DB that is distributed among other devices in a network. The method may include copying the first data to a second memory area of the memory of the device and adding the device to the network, receiving data from the other devices in the network and adding the received data to the consensus-based distributed DB by storing the received data in the first memory area, and adding the first data to the consensus-based distributed DB by copying the first data from the second memory area to the first memory area.

Abstract: A device may correspond to a physical access controller in a distributed physical access control system. The device in a distributed system may include logic configured to detect a request from an application to access an application dataset, wherein the application dataset corresponds to a distributed dataset and determine whether the application dataset exists in the distributed system. The logic may be further configured to generate the application dataset in the distributed system, in response to determining that the application dataset does not exist in the distributed system, and send, to other devices in the distributed system, a request to join a dataset group that includes devices associated with the application dataset, in response to determining that the application dataset exists in the distributed system.

Abstract: A device may correspond to a physical access controller in a distributed physical access control system. A method, performed by the device in a distributed system, may include detecting that another device in the distributed system has become unavailable; determining that a loss of consensus has occurred in the distributed system based on detecting that the other device has become unavailable; generating a list of available devices in the distributed system; and sending an alarm message to an administrative device, wherein the alarm message indicates the loss of consensus and wherein the alarm message includes the list of available devices.

Abstract: A method relates to distributing user credentials in a distributed physical access control system, and more generally to distributing user credentials in a distributed system. A method may include storing a user credential database (DB), a first transformed credential DB and a second transformed credential DB for authenticating users to access a first and a second service provided by the device. The method may include generating the first transformed credential DB and the second transformed credential DB based on the user credential DB and comparing a credential received from a user to the first or the second transformed credential DB to determine whether to grant access to the first or the second service. The method may include distributing the user credential DB to a plurality of other devices connected in a network for the other devices to generate transformed credential DBs for authenticating users to access services.

Abstract: A method may include a device joining a distributed database in a distributed physical access control system. The method may include storing first data in a first memory area of a memory. The first memory area may be designated to store data for a consensus-based distributed database (DB). The first data is to be added to the consensus-based distributed DB that is distributed among other devices in a network. The method may include copying the first data to a second memory area of the memory of the device and adding the device to the network, receiving data from the other devices in the network and adding the received data to the consensus-based distributed DB by storing the received data in the first memory area, and adding the first data to the consensus-based distributed DB by copying the first data from the second memory area to the first memory area.

Abstract: A controller device may correspond to a physical access controller in a distributed physical access control system. The controller device may include logic configured to obtain access to a global database that include access control information for a plurality of controller devices. The logic may be further configured to derive a local access rules table from the global database, wherein the local access rules table relates users to access rules, and wherein the local access rules table is encrypted with a local access rules key; and derive a local credentials table from the global database, wherein the local credentials table relates hashed credentials to users, wherein the local credentials table stores, for a user, the local access rules key encrypted with unhashed credentials associated with the user, wherein the unhashed credentials are not stored in the controller device.