The Multi-Tenant Complexity

Multi-tenant buildings present access control challenges that single-tenant systems don't face: different groups of people need different levels of access, and those access levels must be managed independently for each tenant while sharing common infrastructure. A tenant should be able to grant access to their suite to their own employees without affecting access to other tenants' spaces. Building management needs to access all areas. After-hours deliveries need lobby access but not suites.

Solving this requires a system architecture that separates credential databases and access levels logically while sharing the physical hardware.

Zoning by Access Level

Multi-tenant access control is built around access levels — logical groupings that define which doors a credential can open and during what time windows. A well-designed multi-tenant system has at minimum three levels:

  • Building common: Lobby, parking garage, shared restrooms, common-area amenities. Access during business hours for all tenant employees; after-hours requires additional credential check.
  • Tenant suite: Each tenant's private office or suite. Only that tenant's employees (and building management) have access. Tenant administrators manage their own roster without building management involvement.
  • Restricted areas: Server rooms, electrical/mechanical rooms, management offices. Access limited to designated individuals only.

Tenant-Managed vs. Building-Managed Credentials

Modern cloud-based access control platforms support tenant portals — each tenant has their own login to manage their own roster of credential holders. Tenants can add a new employee, set their access level, and issue a credential (physical card or mobile) without calling building management. When an employee leaves, the tenant administrator can revoke access immediately from any browser.

Building management retains a master view of all credentials across all tenants and all doors. This separation of administrative responsibility is critical for a smoothly run multi-tenant building — building management doesn't want to process every hire/fire request from 15 tenants, and tenants don't want to wait on building management to handle their own roster changes.

Facility Codes

In card-based systems, different tenants can be assigned different facility codes — meaning a card programmed for Tenant A cannot present at Tenant B's door even if someone tried. This is a security layer that prevents credential misuse across tenant boundaries without requiring separate physical hardware per tenant.

Visitor Management

Visitor access is one of the most common management gaps in multi-tenant buildings. An effective visitor management process includes:

  • A lobby intercom or video intercom system that allows visitors to call the specific tenant they're visiting
  • Tenant-issued temporary credentials (day-pass or time-limited cards) for expected visitors
  • A visitor log — either digital (visitor signs in on a tablet that records name, host, time-in) or physical
  • Lobby-only access for visitors without appointment (they cannot proceed to suite floors without escort or pre-issued credential)

Visitor management is particularly important for medical buildings, financial offices, and any tenant handling sensitive client data — where unauthorized individuals in the suite can represent liability, compliance, or confidentiality risks.

After-Hours Access

After-hours access in a multi-tenant building requires a clear policy enforced by the access system:

  • Which doors remain locked after business hours (typically all except the primary lobby entry)
  • Which credentials have after-hours access (not all employees automatically should)
  • Whether after-hours entry triggers a notification to building management or security
  • How deliveries are handled (delivery dock with a separate after-hours credential, intercom system, or scheduled delivery windows only)

Most enterprise access control platforms support time-zone scheduling — the same credential that allows 24/7 access for a senior manager can be set to business-hours-only for a front desk employee, controlled from a single management interface.

Audit Trail Requirements

Multi-tenant buildings — especially those with any regulated tenants (healthcare, financial, legal) — should retain access logs for a meaningful period. HIPAA recommends 6 years for covered entities. Financial institutions often require 7 years. For the building as a whole, 90 days is a practical minimum for incident investigation; 1 year is better for liability management.

Access control event logs are increasingly important in insurance claims, HR investigations, and legal proceedings. A building that can produce a timestamped log showing exactly who entered what door at what time has a significant advantage in any investigation or dispute involving building access.

Free Commercial Site Survey

Multi-tenant access control system design requires a site survey — the door count, tenant configuration, and integration requirements vary too much for any accurate proposal without seeing the building. Philibert Security provides free commercial site surveys for multi-tenant buildings of any size.