1. Introduction

The safety and security of public facilities depend fundamentally on the quality of automated control processes. As urban infrastructure grows, particularly in major administrative centers, the complexity of managing access for thousands of individuals simultaneously increases. Congress halls, theaters, and large academic buildings are characterized by high variability in access scenarios. Throughout a single day, staff shifts occur, contractors move through temporary zones, and massive influxes of visitors happen during major events [1, p. 45].

Practical experience shows that as the number of access points increases, the hardware—such as turnstiles and electromagnetic locks—is rarely the bottleneck. Instead, the logic of control, encompassing rule consistency, processing speed, and network resilience, becomes the primary limiting factor. Inefficient optimization leads to queues at checkpoints, increased conflict situations, and fragmented security logs. The goal of this research is to develop and justify a set of optimization methods for ACMS that ensure minimal decision time while maintaining high security and comprehensive logging.

2. Literature Review and Problem Statement

Traditional systems rely heavily on Role-Based Access Control (RBAC), where access rights are assigned to static roles such as «security», «admin», or «visitor». While RBAC is straightforward to administer, it severely lacks the flexibility required to handle context-dependent conditions. For example, restricting a contractor's access exclusively to active event hours is cumbersome in pure RBAC. Conversely, Attribute-Based Access Control (ABAC) defines rights through subject, object, and environmental attributes [2, p. 38]. Recent studies in automation suggest that hybridizing RBAC and ABAC provides optimal balance, retaining administrative simplicity while enabling dynamic rule enforcement [3, p. 112].

Performance issues in large-scale ACMS frequently stem from centralized architectural paradigms. In these setups, a single server handles decision-making, database writes, and integration calls to video or fire systems. During peak loads—such as the opening of a major exhibition—resource contention (CPU, Disk I/O) leads to severe latency. Research based on queuing theory demonstrates that the sequential processing of access events creates a bottleneck [4, p. 210]. When thousands of users present their credentials within a 15-minute window, database locks and synchronous external API calls cause response times to spike beyond the acceptable 500-millisecond threshold.

Furthermore, the transition from legacy Wiegand protocols to the Open Supervised Device Protocol (OSDP) has improved physical security through encryption but increased the computational load on controllers [5, p. 14]. This necessitates a shift toward Edge computing, where local controllers possess enough processing power and memory to cache complex policies and evaluate them autonomously [6, p. 102345]. Thus, the core problem is engineering a distributed logic flow that mitigates central server dependency during traffic surges without compromising global security directives.

3. Proposed Methodology: Adaptive Event-Driven Control

To resolve the identified bottlenecks, we propose a three-tier functional separation strategy. The first tier is the Edge Level, comprising local controllers that perform primary credential validation using locally cached rules. The second tier is the Core Services Level, responsible for global administration, complex policy generation, and analytics. The third tier is the Asynchronous Integration Level, which interfaces with CCTV, Fire Alarms, and Human Resources systems via a centralized message broker [7, p. 2350].

Fig. 1. Structural Diagram of Distributed ACMS with Edge Processing

Optimization begins with the formalization of the hybrid RBAC+ABAC logic. RBAC acts as the «skeleton», defining the baseline permissions for a user's primary role. ABAC functions as an «overlay» that evaluates situational attributes. To further enhance security against credential sharing and tailgating, we integrate a Risk-Adaptive Access Control (RAdAC) layer [8, p. 55]. This layer dynamically calculates a risk score for every access attempt based on weighted anomalous characteristics. The risk score is determined by the formula:

where represents the weight of the specific anomaly and is the boolean or normalized value of the anomaly trigger. Tracked anomalies include unusual access times ( ), high frequency of sequential accesses indicating pass-back attempts ( ), and spatial inconsistencies ( ). If exceeds a predefined threshold, the system alters the physical response—for instance, requiring a biometric secondary factor [9, p. 148].

4. Performance Evaluation and Simulation Results

The effectiveness of the proposed optimization was evaluated using a discrete-event simulation modeled on the traffic patterns of the «Aulie-Ata» Congress Hall. We compared a Baseline architecture (centralized, synchronous processing) against the Optimized architecture (distributed caching, event-driven asynchronous integration, hybrid logic).

Table 1

Simulation Results Comparison of ACMS Architectures

The simulation subjected both systems to scenarios like the Event Peak. The data demonstrates that the optimized approach provides a significant reduction (25–35 %) in processing time and effectively prevents «timeout» failures during peak events, ensuring a smooth user experience.

5. Implementation Strategy

Deploying this architecture in large-scale facilities requires a meticulous, phased rollout. Phase one is the Auditing and Normalization stage. Administrators must consolidate existing roles, eliminate duplicate access zones, and establish a unified naming convention [10, p. 62].

Phase two focuses on Network Segmentation and Event Formatting. Standardized JSON payloads for access events are established to ensure seamless communication with the message broker. During this phase, integrations with external systems like CCTV and HR are rewritten to subscribe to these message queues rather than polling the ACMS database directly.

Phase three involves enabling Edge Autonomy. Local controllers are configured to download incremental rule updates from the core server. Synchronization algorithms must be implemented to handle offline scenarios. The final phase activates the RAdAC scoring layer, which should initially run in a «shadow mode» to calibrate anomaly weights without falsely denying legitimate users.

6. Conclusion

The transition to an adaptive, event-driven control paradigm represents a necessary evolution for security infrastructures in high-occupancy public buildings. By implementing a hybrid RBAC+ABAC model and offloading the critical path of decision-making to edge devices, facilities can achieve high throughput without compromising strict security mandates. The isolation of heavy integration tasks through asynchronous message brokering effectively eradicates the database deadlocks that paralyze centralized systems during crowd surges.

Future research will explore the integration of Machine Learning (ML) to dynamically adjust the weights within the RAdAC formula based on real-time pedestrian flow analytics, ultimately moving toward the creation of a complete predictive «digital twin» of the facility's security ecosystem.

References:

1. V. A. Vorona and V. A. Tikhonov, Access Control and Management Systems. Moscow: Goryachaya Liniya-Telekom, 2010. Available: https://www.rgsec.ru/wp-content/uploads/download/skud-kniga.pdf [Accessed: May 17, 2026].
2. R. S. Sandhu, E. J. Coyne, H. L. Feinstein, and C. E. Youman, «Role-Based Access Control Models», IEEE Computer, vol. 29, no. 2, pp. 38–47, 1996. DOI: 10.1109/2.485845.
3. V. C. Hu, D. Ferraiolo, and R. Kuhn, «Assessment of Access Control Systems», NIST Interagency Report 7316, 2006. Available: https://nvlpubs.nist.gov/nistpubs/legacy/ir/nistir7316.pdf [Accessed: May 17, 2026].
4. A. A. Klyucharev, Access Control and Management Systems: Textbook. St. Petersburg: ITMO University, 2015. Available: https://books.ifmo.ru/file/pdf/1709.pdf [Accessed: May 17, 2026].
5. Security Industry Association (SIA), «Open Supervised Device Protocol (OSDP) v2.2», 2020. Available: https://www.securityindustry.org/industry-standards/open-supervised-device-protocol/ [Accessed: May 17, 2026].
6. S. M. Mousavi, «Real-Time Event-Driven Processing in Distributed Architectures», IEEE Access, vol. 9, pp. 45678–45692, 2021. DOI: 10.1109/ACCESS.2021.3051123.
7. A. Al-Fuqaha, M. Guizani, M. Mohammadi, M. Aledhar, and M. Ayyash, «Internet of Things: A Survey on Enabling Technologies, Protocols, and Applications», IEEE Communications Surveys & Tutorials, vol. 17, no. 4, pp. 2347–2376, 2015. DOI: 10.1109/COMST.2015.2444095.
8. R. McGraw, «Risk-Adaptable Access Control (RAdAC)», NIST Privilege Management Workshop, 2009. Available: https://csrc.nist.gov/csrc/media/events/privilege-management-workshop/documents/presentations/bob_mcgraw.pdf [Accessed: May 17, 2026].
9. A. Al-Sabaawi, «Integration of Access Control Systems with Smart Video Surveillance», IEEE Access, vol. 10, pp. 34120–34135, 2022. DOI: 10.1109/ACCESS.2022.3162134.
10. B. S. Sarsenov and D. Zhamangarin, «Optimization of Control and Management Processes in the ACMS of the 'Aulie-Ata' Congress Hall», Bulletin of Shakarim University, no. 1, pp. 45–51, 2026.