Compact encoding of static permissions for real-time access control
US-11373472-B2 · Jun 28, 2022 · US
US2020028877A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2020028877-A1 |
| Application number | US-201816489905-A |
| Country | US |
| Kind code | A1 |
| Filing date | Feb 28, 2018 |
| Priority date | Mar 1, 2017 |
| Publication date | Jan 23, 2020 |
| Grant date | — |
Official abstract text for this publication.
A framework for access provisioning in a physical access control system (PACS). The framework includes a permissions request interface configured to permit a user or an administrator to request a permission to access a resource, or to revoke access to it; a permissions recommendation module communicating with the permissions request interface to receive the request and recommending a permission to be assigned to, or removed from, the user; a permissions validation module operable to ensure that the permission to be assigned or removed does not violate an existing access control policy, that the permission to be assigned permits access to all permitted resources, or that the permission to be removed from the user denies access to all revoked resources; and an approval workflow identification module identifying an approval required to assign or remove the permission.
Opening claim text (preview).
1. A framework for access provisioning in a physical access control system (PACS), the framework comprising: a permissions request interface, the permissions request interface configured to permit a user or an administrator to provide a request for a permission to access/revoke access to a resource in the PACS; a permissions recommendation module, the permissions recommendation module in operable communication with the permissions request interface to receive the request, the permissions recommendation module recommending a permission to be assigned to, or removed from, the user based on at least one of an attribute presented by the user, a static permission assigned to other users, and a used permission of other users; a permissions validation module in operable communication with the permissions recommendation module, the permission validation module operable to ensure that at least one of the permission to be assigned to or to be removed from the user does not violate an existing access control policy, that the permission to be assigned to the user is sufficient for reaching all permitted resources, and that the permission to be removed from the user denies access to all revoked resources; and an approval workflow identification module operably connected to the permission validation module, the approval workflow identification module identifying an approval process required to assign or remove the permission.
2. The framework for access provisioning in a (PACS) of claim 1 wherein the permission is to be assigned to, or removed from, the user based on at least one of an attribute presented by the user, a static permission assigned to other users, and a used permission of other users.
3. The framework for access provisioning in a (PACS) of claim 2 wherein the recommending a permission is based on existing access control policies for users with a selected attribute.
4. The framework for access provisioning in a (PACS) of claim 2 wherein the recommending a permission is based on static permissions for users with a similar attribute.
5. The framework for access provisioning in a (PACS) of claim 2 wherein the recommending a permission is based on a used permission for users with a similar attribute.
6. The framework for access provisioning in a (PACS) of claim 2, wherein the attribute is specific to the user.
7. The framework for access provisioning in a (PACS) of claim 2, wherein the attribute is generic to a group of users.
8. The framework for access provisioning in a (PACS) of claim 1, wherein the attribute is at least one of a user's role, a user's department, a badge type, a badge/card ID.
9. The framework for access provisioning in a (PACS) of claim 1, further including an administrator at least one of, reviewing, adding to, and removing from the recommended permission and presenting accepted recommended permissions to the permissions validation module.
10. The framework for access provisioning in a (PACS) of claim 1, further including the permissions validation module ensuring that the permission to be assigned to the user is sufficient for reaching all permitted resources, or that the permission to be removed from the user denies access to all revoked resources.
11. The framework for access provisioning in a (PACS) of claim 10, further including the permissions validation module generating a report identifying any violations of access to permitted resources based on the permission or any access to revoked resources based on revoked permissions.
12. The framework for access provisioning in a (PACS) of claim 1, wherein not violating an existing access control policy includes ensuring that users with a selected attribute do not have the permissions to access a selected resource with another selected attribute.
13. The framework for access provisioning in a (PACS) of claim 11, further including the permissions validation module generating a report identifying any access control policy violations.
14. The framework for access provisioning in a (PACS) of claim 11, wherein the permissions validation module is invoked by an administrator.
15. The framework for access provisioning in a (PACS) of claim 1 wherein the approval workflow identification module identifies a manager of a resource to approve a recommended permission.
16. The framework for access provisioning in a (PACS) of claim 15 wherein the approval workflow identification module identifies user information required to complete the approval.
17. The framework for access provisioning in a (PACS) of claim 15 wherein the approval workflow identification module at least one of, identifies authorized approvers for verifying the identified user information and invokes an external workflow engine and configures it with the identified user information.
18. A physical access control system (PACS) with a framework for access provisioning, the physical access control system comprising: a user, the user having a credential including user information stored thereon, the user presenting the credential to request access to a resource protected by a door; a reader in operative communication with the credential and configured to read user information from the credential; a controller executing a set of access control permissions for permitting access of the user to the resource, the permissions generated with a framework for access provisioning, the framework comprising: a permissions request interface, the permissions request interface configured to permit a user or an administrator to provide a request for a permission to access/revoke access to a resource in the PACS; a permissions recommendation module, the permissions recommendation module in operable communication with the permissions request interface to receive the request, the permissions recommendation module recommending a permission to be assigned to, or removed from, the user based on at least one of an attribute presented by the user, a static permission assigned to other users, and a used permission of other users; a permissions validation module in operable communication with the permissions recommendation module, the permission validation module operable to ensure that at least one of the permission to be assigned to or to be removed from the user does not violate an existing access control policy, that the permission to be assigned to the user is sufficient for reaching all permitted resources, and that the permission to be removed from the user denies access to all revoked resources; and an approval workflow identification module operably connected to the permission validation module, the approval workflow identification module identifying an approval required to assign or remove the permission, wherein the controller is disposed at the door to permit access to the resource via the door.
19. The physical access control system of claim 18, wherein the credential is at least one of a badge, a magnetic card, an RFID card, a smart card, a FOB, and a mobile device.
20. A method of access provisioning in a physical access control system (PACS), the method comprising: a receiving a request from at least one of a user and an administrator to provide a permission to access or revoke a permission access to a resource in the PACS; recommending a permission to be assigned to, or removed from, the user based on at least one of an attribute presented by the user, a static permission assigned to other users, and a used permission of other users; validating tha
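The four modules the claims describe (request, recommendation, validation, approval identification) are easier to reason about with a concrete model. The following is an added example written for this page; it is not code from the patent or its assignee. It assumes a one-way door graph in which a resource is reached only if every door on the path from outside is held, a small constructed user table with static (assigned) and used (audit-log) door permissions, a constructed policy table of the "users with attribute X may not hold a door into resource Y" form that claim 12 describes, and a constructed map of resource managers for the approval step. Recommendation is done by majority vote among users sharing the requested attributes, one illustration of the "static permission of other users" and "used permission of other users" bases in claims 4 and 5.

```python
"""Added example: toy PACS access-provisioning pipeline (not the patent's code).

Models: request -> recommend -> validate -> identify approvers, plus the
revocation path.  All data below is constructed for the example.
"""
from collections import deque

# Constructed one-way door graph: door -> (area you must be in, area it opens into).
DOORS = {
    "D-lobby": ("outside", "lobby"),
    "D-lab": ("lobby", "lab"),
    "D-server": ("lab", "server_room"),
    "D-hr": ("lobby", "hr_office"),
}

# Constructed users: attributes, static (assigned) doors, used (seen in audit log) doors.
USERS = {
    "alice": {"role": "engineer", "dept": "R&D",
              "static": {"D-lobby", "D-lab", "D-server"}, "used": {"D-lobby", "D-lab", "D-server"}},
    "bob":   {"role": "engineer", "dept": "R&D",
              "static": {"D-lobby", "D-lab", "D-server"}, "used": {"D-lobby", "D-lab"}},
    "carol": {"role": "hr", "dept": "HR",
              "static": {"D-lobby", "D-hr"}, "used": {"D-lobby", "D-hr"}},
}

# Constructed policy: (attribute key, attribute value, area such users may not hold a door into).
POLICIES = [("dept", "R&D", "hr_office"), ("dept", "HR", "server_room")]

# Constructed resource managers who must approve a door into their area (claim 15).
AREA_MANAGERS = {"lab": "lab-manager", "server_room": "it-security", "hr_office": "hr-director"}


def reachable_areas(doors_held):
    """Breadth-first walk from 'outside' using only doors the badge holds."""
    seen, queue = {"outside"}, deque(["outside"])
    while queue:
        area = queue.popleft()
        for door in doors_held:
            src, dst = DOORS[door]
            if src == area and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen - {"outside"}


def recommend(attrs, basis="used"):
    """Doors held ('static') or actually used ('used') by a majority of peers sharing attrs."""
    peers = [u for u, rec in USERS.items() if all(rec.get(k) == v for k, v in attrs.items())]
    counts = {}
    for user in peers:
        for door in USERS[user][basis]:
            counts[door] = counts.get(door, 0) + 1
    return {door for door, n in counts.items() if 2 * n > len(peers)}


def policy_violations(attrs, doors):
    """Claim 12 style check: attribute-bearing users must not hold a door into a forbidden area."""
    return [f"policy: {key}={value} may not hold {door} into {forbidden}"
            for key, value, forbidden in POLICIES if attrs.get(key) == value
            for door in sorted(doors) if DOORS[door][1] == forbidden]


def insufficiency(doors, permitted_areas):
    """Sufficiency check: every permitted resource must be reachable with the doors held."""
    reach = reachable_areas(doors)
    return [f"insufficient: {area} not reachable with {sorted(doors)}"
            for area in sorted(permitted_areas) if area not in reach]


def validate_assignment(attrs, doors, permitted_areas):
    return policy_violations(attrs, doors) + insufficiency(doors, permitted_areas)


def validate_removal(remaining_doors, revoked_areas):
    """Revocation check: no revoked resource may still be reachable."""
    reach = reachable_areas(remaining_doors)
    return [f"still reachable after revocation: {a}" for a in sorted(revoked_areas) if a in reach]


def approvers_for(doors):
    """Approval workflow identification: managers of the areas the doors open into."""
    return sorted({AREA_MANAGERS[DOORS[d][1]] for d in doors if DOORS[d][1] in AREA_MANAGERS})


def provision(attrs, permitted_areas, basis="used"):
    """Assignment request end to end: recommend, validate, name approvers."""
    doors = recommend(attrs, basis)
    return {"doors": doors, "problems": validate_assignment(attrs, doors, permitted_areas),
            "approvers": approvers_for(doors)}


def deprovision(current_doors, revoked_areas, still_permitted):
    """Revocation request: drop doors into revoked areas, then check both directions."""
    remaining = {d for d in current_doors if DOORS[d][1] not in revoked_areas}
    problems = validate_removal(remaining, revoked_areas) + insufficiency(remaining, still_permitted)
    return {"doors": remaining, "problems": problems}


if __name__ == "__main__":
    print(provision({"role": "engineer", "dept": "R&D"}, {"lab", "server_room"}, "used"))
    print(deprovision({"D-lobby", "D-lab", "D-server"}, {"lab"}, {"server_room"}))
```

Two things the model makes visible that the claim language only implies: recommending from used rather than static permissions yields the smaller set (bob never used the server-room door, so a majority-of-peers vote drops it), which is why the sufficiency check then flags `server_room` as unreachable for a user who is supposed to have it; and revoking the lab door silently cuts off the server room behind it, which the same sufficiency check catches when the server room is still permitted.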
CPC classification titles:
- for managing network security; network security policies in general (filtering policies H04L63/0227)
- Tools and structures for managing or administering access control systems
- with central registration
- Access control comprising means for the enrolment of users
- operated by interacting with a central unit