The service capabilities reflect optional functionality of a service. The information is static and does not change during device operation. The following capabilities are available: A list of identifier types that the device supports. Supported identifiers starting with the prefix pt: are reserved to define PACS specific identifier types and these reserved identifier types shall all share the "pt:<Name>" syntax. The maximum number of entries returned by a single Get<Entity>List or Get<Entity> request. The device shall never return more than this number of entities in a single response. Indicates that the device supports credential validity. Indicates that the device supports validity on the association between a credential and an access profile. Indicates that the device supports both date and time value for validity. If set to false, then the time value is ignored. The maximum number of credential supported by the device. The maximum number of access profiles for a credential. Indicates the device supports resetting of anti-passback violations and notifying on anti-passback violations. A list of exemptions that the device supports. Supported exemptions starting with the prefix pt: are reserved to define PACS specific exemption types and these reserved exemption types shall all share "pt:<Name>" syntax. The CredentialInfo type represents the credential as a logical object. The structure contains the basic information of a specific credential instance. The device shall provide the following fields for each credential. User readable description for the credential. It shall be up to 1024 characters. An external reference to a person holding this credential. The reference is a username or used ID in an external system, such as a directory service. The start date/time validity of the credential. If the ValiditySupportsTimeValue capability is set to false, then only date is supported (time is ignored). The expiration date/time validity of the credential. If the ValiditySupportsTimeValue capability is set to false, then only date is supported (time is ignored). A Credential is a physical/tangible object, a piece of knowledge, or a facet of a person's physical being, that enables an individual access to a given physical facility or computer-based information system. A credential holds one or more credential identifiers. To gain access one or more identifiers may be required. A list of credential identifier structures. At least one credential identifier is required. Maximum one credential identifier structure per type is allowed. A list of credential access profile structures. A list of credential attributes as name value pairs. Key names starting with the prefix pt: are reserved to define PACS specific attributes following the "pt:<Name>" syntax. A credential identifier is a card number, unique card information, PIN or biometric information such as fingerprint, iris, vein, face recognition, that can be validated in an access point. Contains the details of the credential identifier type. Is of type CredentialIdentifierType. If set to true, this credential identifier is not considered for authentication. The value of the identifier in hexadecimal representation. Specifies the name of credential identifier type and its format for the credential value. The name of the credential identifier type, such as pt:Card, pt:PIN, etc. Specifies the format of the credential value for the specified identifier type name. The association between a credential and an access profile. The reference token of the associated access profile. The start date/time of the validity for the association between the credential and the access profile. If the ValiditySupportsTimeValue capability is set to false, then only date is supported (time is ignored). The end date/time of the validity for the association between the credential and the access profile. If the ValiditySupportsTimeValue capability is set to false, then only date is supported (time is ignored). The CredentialState structure contains information about the state of the credential and optionally the reason of why the credential was disabled. True if the credential is enabled or false if the credential is disabled. Predefined ONVIF reasons as mentioned in the section 4.2.1.8 DisabledReasons of credential service specification document. For any other reason, free text can be used. A structure indicating the anti-passback state. This field shall be supported if the ResetAntipassbackSupported capability is set to true. A structure containing anti-passback related state information. Indicates if anti-passback is violated for the credential. Contains information about a format type. A format type supported by the device. A list of supported format types is provided in [ISO 16484-5:2014-09 Annex P]. The BACnet type "CUSTOM" is not used in this specification. Instead device manufacturers can define their own format types. User readable description of the credential identifier format type. It shall be up to 1024 characters. For custom types, it is recommended to describe how the octet string is encoded (following the structure in column Authentication Factor Value Encoding of [ISO 16484-5:2014-09 Annex P]). The capability response message contains the requested credential service capabilities using a hierarchical XML capability structure. Name of the credential identifier type Identifier format types Tokens of CredentialInfo items to get. List of CredentialInfo items. Maximum number of entries to return. If not specified, less than one or higher than what the device supports, the number of items is determined by the device. Start returning entries from this start reference. If not specified, entries shall start from the beginning of the dataset. StartReference to use in next call to get the following items. If absent, no more items to get. List of CredentialInfo items. Token of Credentials to get List of Credential items. Maximum number of entries to return. If not specified, less than one or higher than what the device supports, the number of items is determined by the device. Start returning entries from this start reference. If not specified, entries shall start from the beginning of the dataset. StartReference to use in next call to get the following items. If absent, no more items to get. List of Credential items. The credential to create. The state of the credential. The token of the created credential Details of the credential. The token of the credential to delete. Token of Credential State of the credential. The token of the credential Reason for enabling the credential. Token of the Credential Reason for disabling the credential Token of the Credential Token of the Credential Identifiers of the credential Token of the Credential Identifier of the credential Token of the Credential Identifier type name of a credential Token of the Credential Access Profiles of the credential Token of the Credential Access Profiles of the credential Token of the Credential Tokens of Access Profiles This operation returns the capabilities of the credential service. This method returns all the supported format types of a specified identifier type that is supported by the device. This method returns a list of credential info items matching the given tokens. Only found credentials shall be returned i.e., the returned number of elements can differ from the requested number of elements. The device shall ignore tokens it cannot resolve and may return an empty list if there are no credentials matching the specified token. If the number of requested items are greater than MaxLimit, a TooManyItems fault shall be returned. This operation requests a list of all credential info items provided by the device. A call to this method shall return a StartReference when not all data is returned and more data is available. The reference shall be valid for retrieving the next set of data. Please refer section 4.8.3 in [Access Control Service Specification] for more details. The number of items returned shall not be greater than the Limit parameter. This operation returns the specified credential items matching the given tokens. The device shall ignore tokens it cannot resolve and shall return an empty list if there are no items matching specified tokens. The device shall not return a fault in this case. If the number of requested items is greater than MaxLimit, a TooManyItems fault shall be returned. This operation requests a list of all credential items provided by the device. A call to this method shall return a StartReference when not all data is returned and more data is available. The reference shall be valid for retrieving the next set of data. Please refer section 4.8.3 in [Access Control Service Specification] for more details. The number of items returned shall not be greater the Limit parameter. This operation creates a credential. A call to this method takes a credential structure and a credential state structure as input parameters. The credential state can be created in disabled or enabled state. The token field of the credential shall be empty, the device shall allocate a token for the credential. The allocated token shall be returned in the response. If the client sends any value in the token field, the device shall return InvalidArgVal as generic fault code. This operation modifies the specified credential. When an existing credential is modified, the state is not modified explicitly. The only way for a client to change the state of a credential is to explicitly call the EnableCredential, DisableCredential or ResetAntipassback command. All existing credential identifiers and credential access profiles are removed and replaced with the specified entities. This method deletes the specified credential. If it is referred to by another entity some devices may not be able to delete the credential, and consequently a ReferenceInUse fault shall be generated. This method returns the state for the specified credential. If the capability ResetAntipassbackSupported is set to true, then the device shall supply the anti-passback state in the returned credential state structure. This method is used to enable a credential. This method is used to disable a credential. This method is used to reset anti-passback violations for a specified credential. This method returns all the credential identifiers for a credential. This operation creates or updates a credential identifier for a credential. If the type of specified credential identifier already exists, the current credential identifier of that type is replaced. Otherwise the credential identifier is added. This method deletes all the identifier values for the specified type. However, if the identifier type name doesn’t exist in the device, it will be silently ignored without any response. This method returns all the credential access profiles for a credential. This operation add or updates the credential access profiles for a credential. The device shall update the credential access profile if the access profile token in the specified credential access profile matches. Otherwise the credential access profile is added. This method deletes credential access profiles for the specified credential token. However, if no matching credential access profiles are found, the corresponding access profile tokens are silently ignored without any response.