This is a common real-world problem - i.e., a company / department decides that security is too lax because of new requirements from the government, other clients, senior management, etc.

Policy P1 is typically simple regardless of mechanism - don't lock the doors, and/or don't check the database. Just allow anybody in.

Policy P2 is slightly more complex, but it's not too bad for only one person. Something to consider with policy P2: Do you need to provide access for administrative users, or is access strictly limited to the authorized person?

Things to consider with mechanism M1: What happens if your one user loses the key or if it gets damaged?

Things to consider with mechanism M2: What happens if the one user loses his/her badge? What happens if the database goes down or the power goes out? Do you need to provide administrative access to the database? If so, who will be the administrators, and what sorts of access restrictions will they have?

For brownie points, consider what it would take to administer a bunch of badges and badge readers.
Thanh H.
asked 09/28/20
FR - policy versus mechanism (OS)
FR - policy versus mechanism
Consider the following scenario: A university computer science department is designing its new building, and wants to provide access control for offices and labs (among other rooms).
There are two policies that must be supported:
(P1) Allow any CS person (faculty or student) to enter the specified room.
(P2) Allow only a single designated CS person to enter the specified room.
There are two mechanisms that can be used:
(M1) Physical locks and keys
(M2) ID badge readers communicating with a central database
Suppose that policy P1 initially is used for room R, but we want to change to policy P2 for that room. Explain how the change of policy would be implemented for each of the two mechanisms M1 and M2.
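A sketch of the P1 to P2 change under mechanism M2, added here as an illustration and not part of the question or the expert answer: the reader-side check stays the same and the policy change is only a data update in the central database. The table names, badge ids, people and the fail-closed behaviour when the database is unreachable are assumptions of this example.

```python
import sqlite3

def build_db():
    """Central database with constructed sample data (hypothetical people and badges)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE person(badge TEXT PRIMARY KEY, name TEXT, is_cs INTEGER);
        CREATE TABLE room_policy(room TEXT PRIMARY KEY,
                                 kind TEXT CHECK(kind IN ('P1','P2')));
        CREATE TABLE room_designee(room TEXT PRIMARY KEY, badge TEXT);
        INSERT INTO person VALUES ('b-100','alice',1),('b-200','bob',1),('b-300','mallory',0);
        INSERT INTO room_policy VALUES ('R','P1');
    """)
    return db

def may_enter(db, badge, room):
    """Mechanism M2: what a badge reader asks the database. Never changes with policy."""
    try:
        row = db.execute("SELECT kind FROM room_policy WHERE room=?", (room,)).fetchone()
        if row is None:
            return False  # room has no policy on record: deny
        if row[0] == "P1":  # any CS person
            q = "SELECT 1 FROM person WHERE badge=? AND is_cs=1"
            return db.execute(q, (badge,)).fetchone() is not None
        # P2: only the single designated badge for this room
        q = "SELECT 1 FROM room_designee WHERE room=? AND badge=?"
        return db.execute(q, (room, badge)).fetchone() is not None
    except sqlite3.Error:
        return False  # database unreachable: fail closed (this example's assumption)

def switch_to_p2(db, room, badge):
    """Policy change P1 -> P2: two row writes in one transaction, no hardware touched."""
    with db:
        db.execute("INSERT OR REPLACE INTO room_designee VALUES (?,?)", (room, badge))
        db.execute("UPDATE room_policy SET kind='P2' WHERE room=?", (room,))

def reissue_badge(db, old, new):
    """Lost badge: the old id stops working the moment the rows are updated."""
    with db:
        db.execute("UPDATE person SET badge=? WHERE badge=?", (new, old))
        db.execute("UPDATE room_designee SET badge=? WHERE badge=?", (new, old))
```

Whoever can call `switch_to_p2` or `reissue_badge` is effectively an administrator of every door, which is why the answer's question about administrative access to the database matters.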
1 Expert Answer