ISO/IEC 20933:2019
Information technology — Distributed application platforms and services (DAPS) — Framework for distributed real-time access systems
This document specifies a framework for a distributed real-time Access system. It includes: 1) an ID triggered modular system architecture, the functions of the modules, the semantics of messages those modules exchange, and elements of messages; 2) the system behaviour from the time it receives an access request until the time it sends the result along with the sequence; 3) performance measurement mechanisms using a time stamping function that can be employed for the evaluation of the system.
Technologies de l'information — Services et plate-formes d'application distribuées — Structure pour les contrôles d'accès diffusés en temps réel
Standards Content (Sample)
INTERNATIONAL STANDARD ISO/IEC 20933
Second edition
2019-01
© ISO/IEC 2019
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions and acronyms
4 Conformance
5 Overview
6 Transaction
7 Time stamping function
8 Module
8.1 Policy module
8.2 Access-point module
8.3 RED module
8.4 Processing module
8.5 Storage module
9 Messages of each interface
9.1 Messages of Policy interface
9.2 Message of Access interface
9.3 Messages of Processing interface
9.4 Messages of Storage interface
10 Messages of external interfaces
10.1 Access request from external interface (In)
10.2 Final result notification to external interface (Out)
10.3 Time stamp notification
11 Access system performance management
11.1 Transaction processing time
11.2 Request performance time
11.3 Module processing time
11.4 Data transmission time
11.5 Request performance time for retrieve
11.6 Module processing time for retrieve
11.7 Data transmission time for retrieve
11.8 Request performance time for store
11.9 Module processing time for store
11.10 Data transmission time for store
11.11 Access point processing time
Annex A (informative) Service access control system
Annex B (informative) Share information between different Access systems
Annex C (informative) Usage of time stamping
Annex D (informative) List of messages
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that
are members of ISO or IEC participate in the development of International Standards through
technical committees established by the respective organization to deal with particular fields of
technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other
international organizations, governmental and non-governmental, in liaison with ISO and IEC, also
take part in the work.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of document should be noted (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC
list of patent declarations received (see http://patents.iec.ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see
www.iso.org/iso/foreword.html.
This document was prepared by Ecma International (as ECMA-412) and drafted in accordance with its
editorial rules. It was assigned to Joint Technical Committee ISO/IEC JTC 1, Information technology, and
adopted under the “fast-track procedure”.
This second edition cancels and replaces the first edition (ISO/IEC 20933:2016), which has been
technically revised.
The main changes compared to the previous edition are as follows:
— added new functionalities on performance management mechanisms;
— editorial improvements and clarifications to the text of the document.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
Introduction
Technology for real-time access control is widely used in many situations such as entrance gates of
facilities and service access control systems. Membership and settlement services also benefit from
real-time access control systems connected via networks and using database information.
Sophisticated cloud, virtualisation, database, networking technology and services and the evolution of
authentication technology such as biometrics, NFC, QR codes used in distributed and modular access
control systems enable previously underserved users and operators to innovate around new use cases.
Taking into account the many technologies, this document specifies the reference model and common
control functions. It gives direction for ongoing innovation and development of technology and system
integration of distributed real-time access control system.
This 2nd edition of the Standard introduces new functionalities on performance management
mechanisms. Performance management mechanisms allow an Access system to be evaluated for
performance by using specific elements and metrics. This edition also provides a number of editorial
improvements and clarifications to the text of the Standard.
NOTE In the 1st edition the title of the Standard was Access systems.
1 Scope
This document specifies a framework for a distributed real-time Access system. It includes:
1) an ID triggered modular system architecture, the functions of the modules, the semantics of
messages those modules exchange, and elements of messages;
2) the system behaviour from the time it receives an access request until the time it sends the result
along with the sequence;
3) performance measurement mechanisms using a time stamping function that can be employed for
the evaluation of the system.
2 Normative references
There are no normative references in this document.
3 Terms and definitions and acronyms
For the purposes of this document, the following terms, definitions and acronyms apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at http://www.electropedia.org/
— ISO Online browsing platform: available at https://www.iso.org/obp
3.1
Accessor
someone or something that interacts with the Access system
3.2
access-ID
identifier in an Access request
3.3
access-ID-obtained-time
time when an Access-point module obtains an access-ID
3.4
access-point-ID
identifier of an Access-point module
3.5
Access-request
request trigger of processing for access system
3.6
Distributed real-time access system
data processing system distributed in the network which is activated by an access request and
completed when the processing result accepts or denies that request within a reasonable period of time
3.7
Final-Result-Notification
notification of the final result of a transaction
3.8
function-ID
identifier of function
3.9
Policy-getter
message to request the Policy module to set the rules
3.10
Policy-setter
message to set the rules to the RED module
3.11
Processing-request
request to execute a function
3.12
Processing-response
response to a Processing-request
3.13
RED
Rule Evaluation and Dispatching
3.14
receivedTime
time when a module receives a request from another module
3.15
Retrieve-request
request to retrieve data from storage
3.16
Retrieve-response
response to a Retrieve-request
3.17
rule-ID
identifier of rules
3.18
sendingTime
time when a module sends a response or a Transaction-start-request to another module
3.19
Store-request
request to store data to storage
3.20
Store-response
response to a Store-request
3.21
Time-stamp-Notification
notification to provide time stamp information
3.22
transaction-ID
identifier of a transaction
3.23
Transaction-start-request
request to initiate a transaction
4 Conformance
Conformant Access systems progress transactions by interpreting the applicable rules. Conformant
modules implement the requests on their interfaces, the corresponding responses and time stamping
as specified herein.
5 Overview
This clause is an overview of the system model and the functions of a distributed real-time Access system.
The Access system consists of 5 modules “Access-point, Policy, Processing, RED and Storage” and
4 interfaces “Access-interface, Policy-interface, Processing-interface and Storage-interface”. There are
also 2 external interfaces “In” and “Out”.
The Access system model is shown in Figure 1.
Figure 1 — Access system model
The Access system starts a transaction triggered by an Access ID which is included in an Access request
from the Accessor through the external interface (In). After the necessary process, the Access system
completes the transaction by sending the final result to the receiver through the other external
interface (Out).
The Access system has a mechanism, the time stamp function, to measure processing time for the
evaluation of the Access system performance.
6 Transaction
A transaction is a suite of functions and message exchanges to generate a final result and send it to a
receiver. A transaction starts from the time an Access system receives an access request and completes
after it sends the result.
When an Access-request is received by the Access-point module, a transaction proceeds to a generated
state. In the generated state, the Access-point module generates a transaction-ID which identifies a
transaction. The transaction-ID is created based on an activated access-ID. The Access-point module
sends Transaction-start-request with the transaction-ID to the RED module.
After sending a Transaction-start-request, a transaction proceeds to an on-going state. At the on-
going state, the RED module interprets the rules set by the Policy module. According to the result
of the interpretation, the RED module sends request messages to the Processing or Storage module.
Upon receiving a request message, the Processing module and the Storage module send response
messages to the RED module. The RED module interprets the rules again. The RED module repeats the
above procedure until the final result is decided based on rules and sends a final result (Final-Result-
Notification) to the receiver through the external interface (Out).
After sending the final result, the transaction proceeds to a completed state. When a transaction is
completed, the usage of the access-ID is also completed. An example of message sequence is shown in
Annex A.
The state machine of a transaction is shown in Figure 2.
NOTE 1 access-ID is not defined in this document and is usually managed by a service provider. The life cycle
and generation of an access-ID is not in the scope of this document.
NOTE 2 This behaviour of a transaction described above is for a transaction under stable condition when a
response based on a request during a transaction is received within a reasonable period of time.
In the case of a system fault, such as power loss, network failure, or module malfunction when no
response is received within a reasonable period of time, this document does not define any exceptional
system management rules. However, rules for handling such system failures, such as stopping a
transaction, resetting the system, or making a re-access request to the Accessor, should be provided in
the actual system.
Figure 2 — Transaction State Machine
The rules are composed of procedural steps and branch steps to determine exchanges of messages.
Figure 3 illustrates a procedural step and Figure 4 illustrates a branch step. A procedural step
determines the next execution. A branch step selects the next rule depending on the branch condition.
Figure 3 — Procedural step
Figure 4 — Branch step
The rules shall define:
— the sequence of exchanging messages;
— the conditions of granting or denying access;
— the function-ID which specifies a request function for the Processing module and identifies the
sender function of the Processing module in messages of the storage interface;
— the destination of Final-Result-Notification.
The rules should define:
— the destination and the timing of Time-stamp-Notification.
At least one rule is linked to Access ID.
7 Time stamping function
Each module except the Policy module has a time stamping function. The time stamping function is
used to measure the duration of a transaction, request performance time and the processing time at
each module. Usage of time stamping functions is shown in Annex C.
The time stamping function of each module records receivedTime and sendingTime in each response
message. The time stamping function of the RED module also logs the time when it sends and receives
messages.
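The transaction flow of Clause 6 and the time stamping of Clause 7, sketched as an added example that is not part of the standard: a RED loop interprets procedural and branch steps, dispatches to the Storage and Processing modules, logs time stamps and produces the Final-Result-Notification. The rule format, the function-IDs, the transaction-ID format, the field names of the log and the choice to deny when a module does not respond are all assumptions made for illustration.

```python
import time

# Constructed rules keyed by rule-ID. A procedural step names the next rule,
# a branch step selects it by condition; "grant"/"deny" end the transaction.
RULES = {
    "r1": {"step": "procedural", "module": "storage",
           "function_id": "get-status", "next": "r2"},
    "r2": {"step": "branch", "cond": lambda ctx: ctx["get-status"] == "active",
           "then": "r3", "else": "deny"},
    "r3": {"step": "procedural", "module": "processing",
           "function_id": "check-quota", "next": "r4"},
    "r4": {"step": "branch", "cond": lambda ctx: ctx["check-quota"] is True,
           "then": "grant", "else": "deny"},
}

def make_module(handler):
    """Wrap a handler so each response carries receivedTime and sendingTime."""
    def module(function_id, access_id):
        received = time.monotonic_ns()
        result = handler(function_id, access_id)
        if result is None:               # models a module that never answers
            return None
        return {"result": result, "receivedTime": received,
                "sendingTime": time.monotonic_ns()}
    return module

def run_transaction(access_id, access_point_id, modules, rules=RULES, max_steps=16):
    """RED loop; returns (Final-Result-Notification, time stamp log, state)."""
    txn_id = f"{access_point_id}/{access_id}/{time.monotonic_ns()}"  # assumed format
    state, ctx, log, rule_id = "on-going", {}, [], "r1"
    for _ in range(max_steps):           # bound guards against looping rules
        rule = rules.get(rule_id)
        if rule is None:                 # "grant", "deny" or an unknown rule-ID
            break
        if rule["step"] == "branch":
            rule_id = rule["then"] if rule["cond"](ctx) else rule["else"]
            continue
        sent = time.monotonic_ns()       # RED-side log of send and receive times
        resp = modules[rule["module"]](rule["function_id"], access_id)
        got = time.monotonic_ns()
        if resp is None:                 # assumption: no response stops the transaction
            rule_id = "deny"
            break
        ctx[rule["function_id"]] = resp["result"]
        log.append({"function_id": rule["function_id"], "round_trip_ns": got - sent,
                    "module_ns": resp["sendingTime"] - resp["receivedTime"]})
        rule_id = rule["next"]
    result = "grant" if rule_id == "grant" else "deny"   # anything else fails closed
    state = "completed"
    return {"transaction_id": txn_id, "result": result}, log, state

STATUS = {"id-1001": "active", "id-2002": "suspended"}   # constructed sample data
MODULES = {"storage": make_module(lambda f, a: STATUS.get(a, "unknown")),
           "processing": make_module(lambda f, a: True)}
```

Calling `run_transaction("id-1001", "gate-7", MODULES)` grants access after two request/response exchanges; swapping in a module that returns no response, or a rule set that loops, ends the transaction with a deny.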
8 Module
This clause describes the modules that are shown in the Access system model (Figure 1).
8.1 Policy module
The Policy module is a module that defines the behaviour of an Access system.
The Policy module shall keep the source of the rules.
The Policy module shall set the rules identified by rule-ID to the RED module.
8.2 Access-point module
The Access-point module is an interface module between an Access system and Accessors.
The Access-point module receives an access request and generates a transaction.
When an Access-point module receives an Access-request including an access-ID, it shall generate a
transaction-ID and Transaction-start-request and shall send it to the RED module.
The Access-point module shall have its own identifier as access-point-ID.
8.3 RED module
The RED module is a module for the rule evaluation and dispatching (RED) functions of a distributed
real-time access system.
The RED module shall process a transaction and manage time stamping function (logging, notifications).
These functions shall be controlled by the rules that are set by the Policy module.
To manage time stamping information, the RED module shall log receivedTime and sendingTime in each
message. The RED module also shall log the time when it sends and receives messages. The RED module
shall send Time-stamp-Notification to the receiver(s) through the external interface (Out).
8.4 Processing module
The Processing module is a module that executes various functions related to transactions.
The Processing module shall execute functions requested by the RED module.
When the Processing module receives a Processing-request from the RED module, it shall execute the
function identified by function-ID in the Processing-request. After that it shall generate a Processing-
response that includes the execution result and shall send it to the RED module.
The Processing module shall be able to send Store-request and Retrieve-request to the RED module for
accessing data in the Storage module.
8.5 Storage module
The Storage module is a module that stores data related to transactions.
The Storage module shall store and retrieve data by requests from RED module.
When the Storage module receives a Store-request, the Storage module shall store the data, shall
generate a Store-response and shall send it to the RED module. When the Storage module receives a
Retrieve-request, the Storage module shall retrieve the data, shall generate a Retrieve-response that
includes the retrieved data and shall send it to the RED module.
The Storage module may be used for sharing information between different transactions in the same
Access system or a different Access system as shown in Annex B.
9 Messages of each interface
This clause specifies the messages which each module shall exchange via interfaces. Each message shall
contain a number of elements specified in Clause 9. In this document, the messages are specified by an
ASN.1 expression. Encoding rules are not specified.
Messages exchanged in the Access system are shown in Annex D.1.
9.1 Messages of Policy interface
The Policy interface is the interface between the Policy module and the RED module. Policy-setter and
Policy-getter messages are exchanged through the Policy interface.
The Policy module uses Policy-setter to set the rules for the RED module and may send Policy-setter at
any time. The RED module may use Policy-getter to request the Policy module to set the rules at any
time. Policy-getter is an optional
...







