Abstract: The present disclosure provides a system 108 for selectively barring a user 102 to attach to a network 106. The system 108 may enable the PCF 306 to allow a user to attach or access the network based on a current location of the user and whether the current location is updated in the subscriber information associated with the user that was initially provisioned. In one instance, the user may be allowed to latch on to the network if the user details (e.g., PLMN, TAC etc.) of a user request received from a SMF 312 or an AMF 310 match with corresponding data (e.g., PLMN, TAC) that was initially provisioned for the user in a SPR 302. On detecting there is a mismatch in data, the user may not be allowed to access the network. Figure.3
FORM 2
THE PATENTS ACT, 1970 (39 of 1970) THE PATENTS RULES, 2003
COMPLETE SPECIFICATION
NETWORK
APPLICANT
of Office-101, Saffron, Nr. C JIO PLATFORMS LIMITED
380006, Gujarat, India; Nationality : India
The following specification particularly describes
the invention and the manner in which
it is to be performed
RESERVATION OF RIGHTS
[0001] A portion of the disclosure of this patent document contains material,
which is subject to intellectual property rights such as, but not limited to, copyright, design, trademark, Integrated Circuit (IC) layout design, and/or trade dress protection, belonging to Jio Platforms Limited (JPL) or its affiliates (hereinafter referred to as owner). The owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the Patent and Trademark Office patent files or records, but otherwise reserves all rights whatsoever. All rights to such intellectual property are fully reserved by the owner.
TECHNICAL FIELD
[0002] The present disclosure generally relates to a means to selectively allow
users access in a communication network. In particular, the present disclosure
relates to implementing a system for selectively barring users in a communication
network.
DEFINITION
[0003] As used in the present disclosure, the following terms are generally
intended to have the meaning as set forth below, except to the extent that the context
in which they are used indicates otherwise.
[0004] The network functions (NFs) are the logical entities or software-based
functionalities that define how the network operates and processes data.
[0005] The policy control function (PCF) determines the mobile network
resources and services needed to support connected devices. The PCF is vital for
ensuring the customer experience of modern voice and data services.
[0006] The provisioning gateway (PGW) is a subsystem of the carrier's service
system which is used by a client to manage the SIM card system and maintain a
lightweight directory access protocol (LDAP) database.
[0007] The subscription profile repository (SPR) is a logical database which
includes subscriber related information related to policy and charging control. The
SPR may be a subset of the home subscriber server (HSS), providing information
such as subscriber allowed services, permitted QoS and charging related
information.
[0008] The public land mobile network (PLMN) is a mobile operator's cellular
network in a specific country. Each PLMN has a unique PLMN code that combines
an MCC (Mobile Country Code) and the operator's MNC (Mobile Network Code).
[0009] The tracking area code (TAC) is an identifier for the tracking area and
is unique within a public land mobile network (PLMN).
[0010] The subscription permanent identification (SUPI) is a unique identifier
used to represent a subscriber's permanent identity.
[0011] The data network name (DNN) defines the point through which devices
connect to the Internet.
[0012] The general public subscription identifier (GPSI) is used for addressing
a 3GPP subscription in data networks outside the realms of a 3GPP system. GPSIs
are public identifiers such as a mobile station international subscriber directory
number (MSISDN) or an external identifier.
[0013] The access and mobility management function (AMF) handles critical
control plane functions like registration management, connection management,
reachability management, mobility management and access authentication.
[0014] The session management function (SMF) is the control function that
manages the user sessions including establishment, modification and release of
session.
[0015] The binding support function (BSF) allows PCFs to register, update and
remove the binding information from it, and allows NF consumers to discover the
selected PCF.
BACKGROUND
[0016] The following description of related art may be intended to provide
background information pertaining to the field of the disclosure. This section may include certain aspects of the art that may be related to various features of the present disclosure. However, it should be appreciated that this section is to be used only
to enhance the understanding of the reader with respect to the present disclosure,
and not as admissions of prior art.
[0017] In a communication network, such as a 5G or 6G network, the network
may receive requests from users to latch on to the network. However, due to
application requirements, there may be a need to selectively allow a user access to
the communication network in a specific area. Selectively allowing may refer to
allowing the user access to the network in an event when certain conditions are
met, and disallowing the user in an event the conditions are not met. Currently, the
network may not have a functionality to selectively allow or bar users.
[0018] There may, therefore, be a requirement in the art for a means to
selectively bar users in a communications network.
SUMMARY
[0019] In an exemplary embodiment, a method for selectively barring a user to
attach to a network is described. The method comprises receiving, by a policy control function (PCF), a request to attach to the network, along with user location data from a network function (NF). The method comprises determining, by the PCF, at least one of plurality of parameters and values of a public land mobile network (PLMN) and a tracking area code (TAC) corresponding to the user location data. The method comprises determining, by a rule engine, at least one of plurality of conditions based on the at least one of plurality of parameters, the PLMN and the TAC. The plurality of conditions comprises a combination of the at least one of plurality of parameters, the PLMN and the TAC. The method comprises comparing, by the rule engine, the values corresponding to the determined at least one of plurality of conditions with values of a custom field of a subscriber profile in a subscription profile repository (SPR). The method comprises based on comparison, if the values corresponding to the determined at least one of plurality of conditions match with the values of the custom field of the subscriber profile in the SPR, the request is accepted. If the values corresponding to the determined at least one of plurality of conditions do not match with the values of the custom field of the subscriber profile in the SPR, the request is rejected.
[0020] In some embodiments, the plurality of parameters comprises a
subscription permanent identification (SUPI), a data network name (DNN), and a general public subscription identifier (GPSI).
[0021] In some embodiments, the network function includes an access and
mobility management function (AMF), a sessions management function (SMF), and a binding support function (BSF).
[0022] In some embodiments, the method further comprises provisioning, by a
provisioning gateway (PGW), the subscriber profile and storing, by the PGW, the subscriber profile to the SPR.
[0023] In some embodiments, the subscriber profile includes a SUPI, a DNN,
and a GPSI along with the values of the custom field and the custom field comprises
a PLMN and/or a TAC corresponding to user’s subscribed location data.
[0024] In some embodiments, the PGW is configured to operate based on rule
exclusivity, a plurality of rule conditions, and rule name. The rule exclusivity, the plurality of rule conditions, and the rule name are defined as attributes to match using logical operators and corresponding actions. The actions comprise accept user, reject user and overwrite user.
[0025] In another exemplary embodiment, a system for selectively barring a
user to attach to a network is described. The system comprising a policy control function (PCF), a provisioning gateway (PGW), and a subscription profile repository (SPR). The PCF comprises a receiving unit configured to receive a request to attach to the network along with user location data from a network function (NF). A determining unit is configured to determine at least one of plurality of parameters and values of a public land mobile network (PLMN) and a tracking area code (TAC) corresponding to the user location data. A rule engine is configured to determine at least one of plurality of conditions based on the at least one of plurality of parameters, the PLMN and the TAC. The plurality of conditions comprises a combination of the at least one of plurality of parameters, the PLMN and the TAC. The rule engine is configured to compare the values corresponding to the determined at least one of plurality of conditions with values of a custom field of a subscriber profile in the subscription profile repository (SPR). On detecting
that the values corresponding to the determined at least one of plurality of conditions match with the values of the custom field of the subscriber profile in the SPR, a processing unit is configured to accept the request. On detecting that the values corresponding to the determined at least one of plurality of conditions do not match with the values of the custom field of the subscriber profile in the SPR, the processing unit is configured to reject the request.
[0026] In some embodiments, the plurality of parameters comprises a
subscription permanent identification (SUPI), a data network name (DNN), and a general public subscription identifier (GPSI).
[0027] In some embodiments, the network function includes an access and
mobility management function (AMF), a sessions management function (SMF), and a binding support function (BSF).
[0028] In some embodiments, the PGW is configured to provision the
subscriber profile. The PGW is configured to store the subscriber profile to the SPR.
[0029] In some embodiments, the subscriber profile includes a SUPI, a DNN,
and a GPSI along with the values of the custom field. The custom field comprises
a PLMN and/or a TAC corresponding to user’s subscribed location data.
[0030] In some embodiments, the PGW is configured to operate based on rule
exclusivity, plurality of rule conditions, and rule name. The rule exclusivity, the plurality of rule conditions, and the rule name are defined as attributes to match using logical operators and corresponding actions. The actions comprise accept user, reject user and overwrite user.
[0031] In some embodiments, a user equipment is communicatively coupled
with the network. The network receives a connection request from the user equipment. The network sends an acknowledgment of the connection request to the UE. The UE transmits a plurality of signals in response to the connection request. The network comprising a policy control function (PCF), an access and mobility management function (AMF), a sessions management function (SMF), a binding support function (BSF) and a provisioning gateway (PGW) for selectively barring a user to attach to the network.
[0032] The foregoing general description of the illustrative embodiments and
the following detailed description thereof are merely exemplary aspects of the teachings of this disclosure, and are not restrictive.
OBJECTS OF THE INVENTION
[0033] An object of the present invention is to provide a system and a method
for selectively barring users from a communication network.
[0034] Another object of the present invention is to provide a system and a
method for selectively allowing access to users based on their location.
[0035] Another object of the present invention is to provide a system and a
method that selectively allows users access to networks based on whether there is a
matching of current user location with corresponding provisioned data.
[0036] Another object of the present invention is to provide a system and a
method that improves security of any facility hosting the network by allowing only
authorized users to latch on to the network.
BRIEF DESCRIPTION OF DRAWINGS
[0037] The accompanying drawings, which are incorporated herein, and
constitute a part of this disclosure, illustrate exemplary embodiments of the disclosed methods and systems in which like reference numerals refer to the same parts throughout the different drawings. Components in the drawings are not necessarily to scale, emphasis instead being placed upon clearly illustrating the principles of the present disclosure. Some drawings may indicate the components using block diagrams and may not represent the internal circuitry of each component. It will be appreciated by those skilled in the art that disclosure of such drawings includes the disclosure of electrical components, electronic components or circuitry commonly used to implement such components.
[0038] FIG. 1 illustrates an exemplary network architecture in which or with
which embodiments of the present disclosure may be implemented.
[0039] FIG. 2A illustrates an exemplary block diagram of a system for
selectively barring users from a network, in accordance with an embodiment of the
present disclosure.
[0040] FIG. 2B illustrates an exemplary block diagram of a policy control
function for selectively barring users to latch to a network, in accordance with an
embodiment of the present disclosure.
[0041] FIG. 3 illustrates an exemplary schematic diagram of a system for
selectively barring users from a network, in accordance with an embodiment of the
present disclosure.
[0042] FIG. 4A illustrates a schematic flow diagram for selectively barring
users from a network, in accordance with an embodiment of the present disclosure.
[0043] FIG. 4B illustrates a schematic flow diagram for selectively barring
users to latch to a network, in accordance with an embodiment of the present
disclosure.
[0044] FIG. 5 illustrates an exemplary computer system in which or with which
embodiments of the present disclosure may be implemented.
DETAILED DESCRIPTION
[0045] In the following description, for the purposes of explanation, various
specific details are set forth in order to provide a thorough understanding of embodiments of the present disclosure. It will be apparent, however, that embodiments of the present disclosure may be practiced without these specific details. Several features described hereafter can each be used independently of one another or with any combination of other features. An individual feature may not address all of the problems discussed above or might address only some of the problems discussed above. Some of the problems discussed above might not be fully addressed by any of the features described herein.
[0046] The ensuing description provides exemplary embodiments only, and is
not intended to limit the scope, applicability, or configuration of the disclosure. Rather, the ensuing description of the exemplary embodiments will provide those skilled in the art with an enabling description for implementing an exemplary
embodiment. It should be understood that various changes may be made in the function and arrangement of elements without departing from the spirit and scope of the disclosure as set forth.
[0047] Specific details are given in the following description to provide a
thorough understanding of the embodiments. However, it will be understood by one of ordinary skill in the art that the embodiments may be practiced without these specific details. For example, circuits, systems, networks, processes, and other components may be shown as components in block diagram form in order not to obscure the embodiments in unnecessary detail. In other instances, well-known circuits, processes, algorithms, structures, and techniques may be shown without unnecessary detail in order to avoid obscuring the embodiments.
[0048] Also, it is noted that individual embodiments may be described as a
process which is depicted as a flowchart, a flow diagram, a data flow diagram, a structure diagram, or a block diagram. Although a flowchart may describe the operations as a sequential process, many of the operations can be performed in parallel or concurrently. In addition, the order of the operations may be re-arranged. A process is terminated when its operations are completed but could have additional steps not included in a figure. A process may correspond to a method, a function, a procedure, a subroutine, a subprogram, etc. When a process corresponds to a function, its termination can correspond to a return of the function to the calling function or the main function.
[0049] The word “exemplary” and/or “demonstrative” is used herein to mean
serving as an example, instance, or illustration. For the avoidance of doubt, the subject matter disclosed herein is not limited by such examples. In addition, any aspect or design described herein as “exemplary” and/or “demonstrative” is not necessarily to be construed as preferred or advantageous over other aspects or designs, nor is it meant to preclude equivalent exemplary structures and techniques known to those of ordinary skill in the art. Furthermore, to the extent that the terms “includes,” “has,” “contains,” and other similar words are used in either the detailed description or the claims, such terms are intended to be inclusive—in a manner
similar to the term “comprising” as an open transition word—without precluding any additional or other elements.
[0050] Reference throughout this specification to “one embodiment” or “an
embodiment” or “an instance” or “one instance” means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present disclosure. Thus, the appearances of the phrases “in one embodiment” or “in an embodiment” in various places throughout this specification are not necessarily all referring to the same embodiment. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.
[0051] The terminology used herein is for the purpose of describing particular
embodiments only and is not intended to be limiting of the disclosure. As used herein, the singular forms “a”, “an” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms “comprises” and/or “comprising,” when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. As used herein, the term “and/or” includes any and all combinations of one or more of the associated listed items.
[0052] The various embodiments of the present disclosure will be explained in
detail with reference to FIGs. 1 – 5.
[0053] FIG. 1 illustrates an exemplary network architecture 100 in which or
with which embodiments of the present disclosure may be implemented.
[0054] Referring to FIG. 1, the network architecture 100 may include one or
more computing devices or user equipment (104-1, 104-2…104-N) associated with one or more users (102-1, 102-2…102-N) in an environment. A person of ordinary skill in the art will understand that one or more users (102-1, 102-2…102-N) may be individually referred to as the user 102 and collectively referred to as the users 102. Similarly, a person of ordinary skill in the art will understand that one or more user equipment (104-1, 104-2…104-N) may be individually referred to as the user
equipment 104 and collectively referred to as the user equipment 104. A person of
ordinary skill in the art will appreciate that the terms “computing device(s)” and
“user equipment” may be used interchangeably throughout the disclosure. Although
three user equipment 104 are depicted in FIG. 1, any number of the user
equipment 104 may be included without departing from the scope of the ongoing
description.
[0055] In an embodiment, the user equipment 104 may include, but is not
limited to, a handheld wireless communication device (e.g., a mobile phone, a smart
phone, a phablet device, and so on), a wearable computer device (e.g., a head-mounted
display computer device, a head-mounted camera device, a wristwatch
computer device, and so on), a Global Positioning System (GPS) device, a laptop
computer, a tablet computer, or another type of portable computer, a media playing
device, a portable gaming system, and/or any other type of computer device with
wireless communication capabilities, and the like. In an embodiment, the user
equipment 104 may include, but is not limited to, any electrical, electronic, electro-mechanical,
or an equipment, or a combination of one or more of the above devices
such as virtual reality (VR) devices, augmented reality (AR) devices, laptop, a
general-purpose computer, desktop, personal digital assistant, tablet computer,
mainframe computer, or any other computing device, wherein the user equipment
104 may include one or more in-built or externally coupled accessories including,
but not limited to, a visual aid device such as a camera, an audio aid, a microphone,
a keyboard, and input devices for receiving input from the user 102 or the entity
such as touch pad, touch enabled screen, electronic pen, and the like. A person of
ordinary skill in the art will appreciate that the user equipment 104 may not be
restricted to the mentioned devices and various other devices may be used.
[0056] Referring to FIG. 1, the user equipment 104 may communicate with a
system 108, for example, a system for selectively barring users 102 from a
communication network 106. In an embodiment, the network 106 may include at
least one of a Fifth Generation (5G) network, 6G network, or the like. The network
106 may enable the user equipment 104 to communicate with other devices in the
network architecture 100 and/or with the system 108. The network 106 may include
a wireless card or some other transceiver connection to facilitate this
communication. In another embodiment, the network 106 may be implemented as,
or include any of a variety of different communication technologies such as a wide
area network (WAN), a local area network (LAN), a wireless network, a mobile
network, a Virtual Private Network (VPN), the Internet, the Public Switched
Telephone Network (PSTN), or the like.
[0057] In another exemplary embodiment, the centralized server 112 may
include or comprise, by way of example but not limitation, one or more of: a stand-alone server, a server blade, a server rack, a bank of servers, a server farm, hardware
supporting a part of a cloud service or system, a home server, hardware running a
virtualized server, one or more processors executing code to function as a server,
one or more machines performing server-side functionality as described herein, at
least a portion of any of the above, some combination thereof.
[0058] In an embodiment, the user equipment 104 is communicatively coupled
with the network 106. The network 106 may receive a connection request from the
user equipment 104. The network 106 may send an acknowledgment of the connection request to the UE 104. The UE 104 may transmit a plurality of signals in response to the connection request. The network comprising a policy control function (PCF), an access and mobility management function (AMF), a sessions
management function (SMF), a binding support function (BSF) and a provisioning
gateway (PGW) for selectively barring the user 102 to attach to the network 106.
[0059] Although FIG. 1 shows exemplary components of the network
architecture 100, in other embodiments, the network architecture 100 may include fewer components, different components, differently arranged components, or
additional functional components than depicted in FIG. 1. Additionally, or
alternatively, one or more components of the network architecture 100 may perform
functions described as being performed by one or more other components of the
network architecture 100.
[0060] FIG. 2A illustrates an exemplary block diagram 200A of the system 108
for selectively barring users 102 from the network 106, in accordance with an
embodiment of the present disclosure.
[0061] The system 108 may include one or more processors 202 and a memory
204 communicably coupled to the one or more processors 202. The one or more
processor(s) 202 may be implemented as one or more microprocessors,
microcomputers, microcontrollers, edge or fog microcontrollers, digital signal
processors, central processing units, logic circuitries, and/or any devices that
process data based on operational instructions. Among other capabilities, one or
more processor(s) 202 may be configured to fetch and execute computer-readable
instructions stored in a memory 204 of the system 108. The memory 204 may be
configured to store one or more computer-readable instructions or routines in a non-transitory
computer-readable storage medium, which may be fetched and executed
to create or share data packets over a network service. The memory 204 may include
any non-transitory storage device including, for example, volatile memory such as
Random-Access Memory (RAM), or non-volatile memory such as Erasable
Programmable Read-Only Memory (EPROM), flash memory, and the like.
[0062] In an embodiment, the system 108 may include an interface(s) 206. The
interface(s) 206 may include a variety of interfaces, for example, interfaces for data
input and output devices, referred to as I/O devices, storage devices, and the like.
The interface(s) 206 may facilitate communication of the system 108. The
interface(s) 206 may also provide a communication pathway for one or more
components of the system 108. Examples of such components include, but are not
limited to, processing unit/engine(s) 210 and a database 220.
[0063] The processing unit/engine(s) 210 may be implemented as a
combination of hardware and programming (for example, programmable
instructions) to implement one or more functionalities of the processing engine(s)
210. In examples described herein, such combinations of hardware and
programming may be implemented in several different ways. For example, the
programming for the processing engine(s) 210 may be processor-executable
instructions stored on a non-transitory machine-readable storage medium and the
hardware for the processing engine(s) 210 may comprise a processing resource (for
example, one or more processors), to execute such instructions. In the present
examples, the machine-readable storage medium may store instructions that, when
executed by the processing resource, implement the processing engine(s) 210. In
such examples, the system 108 may include the machine-readable storage medium
storing the instructions and the processing resource to execute the instructions, or
the machine-readable storage medium may be separate but accessible to the system
108 and the processing resource. In other examples, the processing engine(s) 210
may be implemented by an electronic circuitry.
[0064] FIG. 2B illustrates an exemplary block diagram 200B of a policy
control function (PCF) 222 for selectively barring users to latch to the network 106, in accordance with an embodiment of the present disclosure.
[0065] The PCF 222 comprises a receiving unit 224, a determining unit 226, a
rule engine 228 and a processing unit 230.
[0066] The receiving unit 224 is configured to receive a request to attach to the
network 106 along with user location data from the network function (NF). The network function includes an access and mobility management function (AMF), a
sessions management function (SMF), and a binding support function (BSF).
[0067] The determining unit 226 is configured to determine at least one of
plurality of parameters and values of a public land mobile network (PLMN) and a tracking area code (TAC) corresponding to the user location data. The plurality of parameters comprises a subscription permanent identification (SUPI), a data
network name (DNN), and a general public subscription identifier (GPSI).
[0068] The rule engine 228 is configured to determine at least one of plurality
of conditions based on the at least one of plurality of parameters, the PLMN and the TAC. The plurality of conditions comprises a combination of the at least one of plurality of parameters, the PLMN and the TAC. For example, the conditions may
comprise combinations such as SUPI and PLMN and TAC, DNN and PLMN and
TAC, GPSI and PLMN and TAC, etc.
[0069] The provisioning gateway (PGW) is configured to provision a
subscriber profile. The PGW is configured to store the subscriber profile to the SPR. The subscriber profile includes a SUPI, a DNN, and a GPSI along with values of
the custom field. The custom field comprises a PLMN and/or a TAC corresponding
to user’s subscribed location data. The PGW and the rule engine are configured to
operate based on rule exclusivity, plurality of rule conditions, and rule name. The
rule exclusivity, the plurality of rule conditions, and the rule name are defined as
attributes to match using logical operators and corresponding actions. The logical
operators are such as, without limitations, AND, OR, NOT, etc. The actions
comprise accept user, reject user and overwrite user.
[0070] The rule engine 228 is configured to compare values corresponding to
the at least one of plurality of conditions with values of the custom field of the subscriber profile in the subscription profile repository (SPR). For example, comparing values of PLMN and TAC of combination SUPI and PLMN and TAC
with the values of PLMN and TAC of the subscriber profile.
[0071] On detecting that the values corresponding to the at least one of
plurality of conditions match with the values of the custom field of the subscriber profile in the SPR, the processing unit 230 is configured to accept the request. On detecting that the values corresponding to the at least one of plurality of conditions
do not match with the values of the custom field of the subscriber profile in the
SPR, the processing unit 230 is configured to reject the request.
[0072] FIG. 3 illustrates an exemplary schematic diagram 300 of the system
108 for selectively barring users 102 from the network 106, in accordance with an embodiment of the present disclosure.
[0073] To implement functionalities of the system 108, the system 108 may
include a subscription profile repository (SPR) 302, a provisioning gateway (PGW) 304, a policy control function (PCF) 306, a rules engine 308 installed within the PCF 306, an access and mobility management function (AMF) 310, a sessions management function (SMF) 312, and a binding support function (BSF) 314. The
system 108 may particularly include functions of the SPR 302 and the PCF 306.
[0074] In order to provision subscribers in SPR 302, the PCF 306 may
provision subscription permanent identification (SUPI), data network name (DNN), and general public subscription identifier (GPSI) along with a field value corresponding to a location of the user 102. The field value may relate to public
land mobile network (PLMN) and/or tracking area code (TAC). The PCF 306 may
provide the rule engine 308 with a rules-based approach, where the rules engine
308 may accept conditions using a plurality of parameters included in a message
(e.g., SUPI, DNN, GPSI, etc.) along with PLMN and TAC details. For example, the
conditions may comprise combinations such as SUPI and PLMN and TAC, DNN
and PLMN and TAC, GPSI and PLMN and TAC, etc. Such details may be included
5 in the request from SMF 312 or AMF 310. The rule engine 308 may compare the
values with the PLMN and TAC values that are provisioned for the user 102. In some embodiments, the PLMN and TAC values may be provisioned in a custom field attribute while creating a subscriber profile. The rules engine 308 may provide instructions to accept user 102 or reject user 102 accordingly.
[0075] The rules engine 308 may be defined through a command line interface (CLI) in a graphic user interface (GUI). The subscriber provisioning may occur via the PGW 304. The PGW 304 may operate based on rule exclusivity, rule conditions, rule name, etc. that may be defined as attributes to match using logical operators such as, without limitations, AND, OR, NOT, etc. and their corresponding actions.
[0076] Further, attribute values may use other operators, such as “=”, “!=”, “<”, “<=”, “>”, “>=”, “eq”, “neq”, “gt”, “lt”, “range”, “within range”, “wildcards”, etc. Using such operators, complex actions and conditions may be created.
[0077] In an embodiment, the user equipment 104 is attached to a particular tracking area code (TAC) only. The location in which the user 102 is allowed to attach in the network is part of the SPR data. When the user equipment 104 attempts to latch to the network by sending a request to the PCF 306, the TAC coming in the request is compared with the TAC in a user (e.g., subscriber) profile (i.e., SPR data). The TAC in the user profile provides information corresponding to the subscribed areas of the user. If the TAC coming in the request matches with the TAC in the user profile, the user equipment 104 is allowed to attach to the network, otherwise the request is rejected. In this way, the user equipment 104 is allowed to attach and use services in a subscribed location of the network only.
[0078] FIG. 4A illustrates an exemplary schematic flow diagram 400A for selectively barring users 102 from the network 106, in accordance with an embodiment of the present disclosure.
[0079] Referring to FIG. 4A, the subscriber data is provisioned in the SPR 416. The PGW 414 may provision attributes (e.g., SUPI, DNN, GPSI, etc.) along with a custom field. PLMN and TAC data may be stored in the SPR 416.
[0080] In an aspect, the create/update request may be received from the user 102 along with user details. The SMF or AMF may initiate a request (e.g., SMPolicyControlCreate) or may update the received request along with user details data (e.g., UserLocationInfo in SMPolicyContext data structure or SMPolicyControl update data structure). Further, the PCF 412 may store the user location data in a cache. The request received from the user 102 is evaluated based on the rules. The PCF 412 may accept or reject the user request as per policy. The policy may enable comparison of the received user location data with the user location data stored during an instance of provisioning. If the data matches, the user 102 may be accepted, else, the user 102 may be rejected.
[0081] Thus, the system 108 may enable the PCF 412 to allow a user 102 to attach or access the network 106 based on a current location of the user 102 and whether the current location is updated in the subscriber information associated with the user 102 that was initially provisioned. In one instance, a user 102 may be allowed to latch on to a network 106 if the user request from SMF or AMF including the user details (e.g., SUPI, GPSI, DNN, etc.) matches with the corresponding data that was initially provisioned for the user 102 based on PLMN, TAC. On detecting that there is a mismatch in data, the user 102 may not be allowed to access the network.
[0082] Thus, the PCF 412 may provide a flexibility for users 102 to be allowed or disallowed in a network 106 based on their location. During subscriber provisioning in the SPR 416 through the PGW 414, the PLMN and TAC attributes may also be provisioned, associated with the user 102. Based on receipt of request from the user 102 via the AMF or SMF, the rules engine 406 may compare the attributes in the received request and the attributes present in the provisioned data. Furthermore, the PCF 412 may be configured to supersede any default behavior in order to meet any particular application requirement.
[0083] As illustrated in FIG. 4A, at step 402, receiving, by the PCF 412, a
create/update request (e.g., SMPolicyControlCreate) from the SMF.
[0084] At step 404, receiving, by the PCF 412, a create/update request from
the AMF.
[0085] At step 406, the PCF 412 may retrieve PLMN and TAC from the requests. The PCF rule engine may match the PLMN/TAC from the SMF/AMF with the PLMN/TAC from the SPR 416.
[0086] At step 408, if the PLMN/TAC from the SMF/AMF matches with the
PLMN/TAC from the SPR 416, the request is allowed.
[0087] At step 410, if the PLMN/TAC from the SMF/AMF does not match with the PLMN/TAC from the SPR 416, the request is rejected.
[0088] FIG. 4B illustrates a schematic flow diagram 400B for selectively
barring users to latch to the network 106, in accordance with an embodiment of the present disclosure.
[0089] At step 422, receiving, by the policy control function (PCF) (412), a request to attach to the network (106), along with user location data from a network function (NF). The network function includes an access and mobility management function (AMF), a sessions management function (SMF), and a binding support function (BSF).
[0090] At step 424, determining, by the PCF (412), at least one of plurality of parameters and values of a public land mobile network (PLMN) and a tracking area code (TAC) corresponding to the user location data. The plurality of parameters comprises a subscription permanent identification (SUPI), a data network name (DNN), and a general public subscription identifier (GPSI).
[0091] At step 426, determining, by a rule engine, at least one of plurality of conditions based on the at least one of plurality of parameters, the PLMN and the TAC. The plurality of conditions comprises a combination of the at least one of plurality of parameters, the PLMN and the TAC. For example, combinations of SUPI+PLMN+TAC or DNN+PLMN+TAC or GPSI+PLMN+TAC.
[0092] At step 428, comparing, by the rule engine, values corresponding to the determined at least one of plurality of conditions with values of a custom field of a subscriber profile in a subscription profile repository (SPR) (416). The provisioning gateway (PGW) (414) may provision the subscriber profile and store the subscriber profile to the SPR. The subscriber profile includes a SUPI, a DNN, and a GPSI along with values of the custom field. The custom field comprises a PLMN and/or a TAC corresponding to user’s subscribed location data.
[0093] At step 430, based on comparison, if the values corresponding to the
determined at least one of plurality of conditions match with the values of the
custom field of the subscriber profile in the SPR (416), accepting the request.
[0094] At step 432, if the values corresponding to the determined at least one
of plurality of conditions do not match with the values of the custom field of the subscriber profile in the SPR (416), rejecting the request.
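The comparison in steps 422 to 432, together with the identifier-plus-PLMN-plus-TAC conditions of paragraphs [0074] to [0076], can be sketched as follows. This is an added example, not code from the specification or the applicant. The `Profile` record, the "MCC-MNC" and hex-string TAC formats, the function names and all sample values are assumptions; unknown subscribers and missing or malformed location data are rejected rather than accepted.

```python
"""Added example: fail-closed PLMN/TAC match between an attach request and SPR data."""
import re
from dataclasses import dataclass

TAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{4}|[0-9A-Fa-f]{6})$")  # assumed hex-string TAC
PLMN_RE = re.compile(r"^\d{3}-\d{2,3}$")                     # assumed "MCC-MNC" form
CONDITIONS = ("supi", "dnn", "gpsi")   # each is combined with PLMN and TAC

@dataclass(frozen=True)
class Profile:                 # hypothetical SPR record
    supi: str
    dnn: str
    gpsi: str
    allowed: frozenset         # custom field: provisioned (plmn, tac) pairs

def norm_location(plmn, tac):
    """Return a canonical (plmn, tac) pair, or None if either value is malformed."""
    if not isinstance(plmn, str) or not isinstance(tac, str):
        return None
    if not PLMN_RE.match(plmn) or not TAC_RE.match(tac):
        return None
    # Hex case is not significant. Leading zeros in the MNC are, so the PLMN
    # is compared as a string and never converted to an integer.
    return plmn, tac.upper()

def provision(supi, dnn, gpsi, locations):
    """Build the subscriber profile, refusing malformed location values."""
    pairs = [norm_location(p, t) for p, t in locations]
    if None in pairs:
        raise ValueError("malformed PLMN/TAC in provisioning data")
    return Profile(supi, dnn, gpsi, frozenset(pairs))

def evaluate(request, spr, condition="supi"):
    """Return (decision, reason); every unexpected input leads to a reject."""
    if condition not in CONDITIONS:
        return "reject", "unknown condition"
    profile = spr.get(request.get("supi"))
    if profile is None:
        return "reject", "no subscriber profile"
    if request.get(condition) != getattr(profile, condition):
        return "reject", f"{condition} mismatch"
    loc = norm_location(request.get("plmn"), request.get("tac"))
    if loc is None:
        return "reject", "missing or malformed location"
    if loc not in profile.allowed:
        return "reject", "location not provisioned"
    return "accept", "location matches provisioned data"

# Constructed sample data (test PLMN 001-01; not from the specification).
SPR = {"imsi-001010000000001": provision(
    "imsi-001010000000001", "campus.example", "msisdn-15550100001",
    [("001-01", "00a1b2")])}
BASE = {"supi": "imsi-001010000000001", "dnn": "campus.example",
        "gpsi": "msisdn-15550100001", "plmn": "001-01", "tac": "00A1B2"}

if __name__ == "__main__":
    cases = [("provisioned cell", BASE),
             ("other TAC", {**BASE, "tac": "00A1B3"}),
             ("3-digit MNC", {**BASE, "plmn": "001-001"}),
             ("no TAC", {k: v for k, v in BASE.items() if k != "tac"})]
    for label, req in cases:
        print(label, evaluate(req, SPR))
```
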
[0095] FIG. 5 illustrates an exemplary computer system 500 in which or with
which embodiments of the present disclosure may be implemented.
[0096] The computer system 500 may include an external storage device 510,
a bus 520, a main memory 530, a read-only memory 540, a mass storage device 550, a communication port(s) 560, and a processor 570. A person skilled in the art will appreciate that the computer system 500 may include more than one processor and communication ports. The processor 570 may include various modules associated with embodiments of the present disclosure. The communication port(s) 560 may be any of an RS-232 port for use with a modem-based dialup connection, a 10/100 Ethernet port, a Gigabit or 10 Gigabit port using copper or fiber, a serial port, a parallel port, or other existing or future ports. The communication port(s) 560 may be chosen depending on a network, such as a Local Area Network (LAN), Wide Area Network (WAN), or any network to which the computer system 500 connects.
[0097] In an embodiment, the main memory 530 may be Random Access
Memory (RAM), or any other dynamic storage device commonly known in the art. The read-only memory 540 may be any static storage device(s) e.g., but not limited to, a Programmable Read Only Memory (PROM) chip for storing static information e.g., start-up or basic input/output system (BIOS) instructions for the processor 570. The mass storage device 550 may be any current or future mass storage solution,
which can be used to store information and/or instructions. Exemplary mass storage solutions include, but are not limited to, Parallel Advanced Technology Attachment (PATA) or Serial Advanced Technology Attachment (SATA) hard disk drives or solid-state drives (internal or external, e.g., having Universal Serial Bus (USB) and/or Firewire interfaces).
[0098] In an embodiment, the bus 520 may communicatively couple the
processor(s) 570 with the other memory, storage, and communication blocks. The bus 520 may be, e.g., a Peripheral Component Interconnect (PCI) / PCI Extended (PCI-X) bus, Small Computer System Interface (SCSI), USB, or the like, for connecting expansion cards, drives, and other subsystems as well as other buses, such as a front side bus (FSB), which connects the processor 570 to the computer system 500.
[0099] In another embodiment, operator and administrative interfaces, e.g., a
display, keyboard, and cursor control device may also be coupled to the bus 520 to support direct operator interaction with the computer system 500. Other operator and administrative interfaces can be provided through network connections connected through the communication port(s) 560. Components described above are meant only to exemplify various possibilities. In no way should the aforementioned exemplary computer system 500 limit the scope of the present disclosure.
[0100] While considerable emphasis has been placed herein on the preferred
embodiments, it will be appreciated that many embodiments can be made and that many changes can be made in the preferred embodiments without departing from the principles of the disclosure. These and other changes in the preferred embodiments of the disclosure will be apparent to those skilled in the art from the disclosure herein, whereby it is to be distinctly understood that the foregoing descriptive matter to be implemented merely as illustrative of the disclosure and not as limitation.
ADVANTAGES OF INVENTION
[0101] The present invention provides a system and a method for selectively
barring users from a communication network.
[0102] The present invention provides a system and a method for selectively
allowing access to users based on their location.
[0103] The present invention provides a system and a method that selectively
allows users access to networks based on whether there is a matching of current
user location with corresponding provisioned data.
[0104] The present invention provides a system and a method that improves
security of any facility hosting the network by allowing only authorized users to
latch on to the network.
WE CLAIM:
1. A method for selectively barring a user (102) to attach to a network (106),
the method comprising:
receiving, by a policy control function (PCF) (222, 306), a request to attach to the network (106), along with user location data from a network function (NF);
determining, by the PCF (222, 306), at least one of plurality of parameters and values of a public land mobile network (PLMN) and a tracking area code (TAC) corresponding to the user location data;
determining, by a rule engine (308), at least one of plurality of conditions based on the at least one of plurality of parameters, the PLMN and the TAC, wherein the plurality of conditions comprises a combination of the at least one of plurality of parameters, the PLMN and the TAC;
comparing, by the rule engine (308), the values corresponding to the determined at least one of plurality of conditions with values of a custom field of a subscriber profile in a subscription profile repository (SPR) (302); and
based on comparison, if the values corresponding to the determined at least one of plurality of conditions match with the values of the custom field of the subscriber profile in the SPR (302), accepting the request, wherein if the values corresponding to the determined at least one of plurality of conditions do not match with the values of the custom field of the subscriber profile in the SPR (302), rejecting the request.
2. The method as claimed in claim 1, wherein the plurality of parameters
comprises a subscription permanent identification (SUPI), a data network
name (DNN), and a general public subscription identifier (GPSI).
3. The method as claimed in claim 1, wherein the network function includes an access and mobility management function (AMF) (310), a sessions management function (SMF) (312), and a binding support function (BSF) (314).
4. The method as claimed in claim 1 further comprising:
provisioning, by a provisioning gateway (PGW) (304), the subscriber profile; and
storing, by the PGW (304), the subscriber profile to the SPR (302).
5. The method as claimed in claim 1, wherein
the subscriber profile includes a SUPI, a DNN, and a GPSI along with the values of the custom field; and
the custom field comprises a PLMN and/or a TAC corresponding to user’s subscribed location data.
6. The method as claimed in claim 4, wherein
the PGW (304) is configured to operate based on rule exclusivity, a plurality of rule conditions, and rule name, wherein the rule exclusivity, the plurality of rule conditions, and the rule name are defined as attributes to match using logical operators and corresponding actions, wherein the actions comprise accept user, reject user and overwrite user.
7. A system (108) for selectively barring a user (102) to attach to a network
(106), the system (108) comprising a policy control function (PCF) (222,
306), a provisioning gateway (PGW) (304), and a subscription profile
repository (SPR) (302), the PCF (222, 306) comprising:
a receiving unit (224) configured to receive a request to attach to the network (106) along with user location data from a network function (NF);
a determining unit (226) configured to determine at least one of plurality of parameters and values of a public land mobile network (PLMN) and a tracking area code (TAC) corresponding to the user location data;
a rule engine (228) configured to determine at least one of plurality of conditions based on the at least one of plurality of parameters, the PLMN and the TAC, wherein the plurality of conditions comprises a combination of the at least one of plurality of parameters, the PLMN and the TAC;
the rule engine (228) configured to compare the values corresponding to the determined at least one of plurality of conditions with values of a custom field of a subscriber profile in the subscription profile repository (SPR) (302); and
a processing unit (230) configured to accept the request on detecting that the values corresponding to the determined at least one of plurality of conditions match with the values of the custom field of the subscriber profile in the SPR (302), wherein on detecting that the values corresponding to the determined at least one of plurality of conditions do not match with the values of the custom field of the subscriber profile in the SPR (302), the processing unit (230) configured to reject the request.
8. The system (108) as claimed in claim 8, wherein the plurality of parameters comprises a subscription permanent identification (SUPI), a data network name (DNN), and a general public subscription identifier (GPSI).
9. The system (108) as claimed in claim 8, wherein the network function includes an access and mobility management function (AMF) (310), a sessions management function (SMF) (312), and a binding support function (BSF) (314).
10. The system (108) as claimed in claim 8 further comprising:
the PGW (304) is configured to provision the subscriber profile; and
the PGW (304) is configured to store the subscriber profile to the SPR (302).
11. The system (108) as claimed in claim 8, wherein
the subscriber profile includes a SUPI, a DNN, and a GPSI along with the values of the custom field; and
the custom field comprises a PLMN and/or a TAC corresponding to user’s subscribed location data.
12. The system (108) as claimed in claim 8, wherein
the PGW (304) is configured to operate based on rule exclusivity, plurality of rule conditions, and rule name, wherein the rule exclusivity, the plurality of rule conditions, and the rule name are defined as attributes to match using logical operators and corresponding actions, wherein the actions comprise accept user, reject user and overwrite user.
13. A user equipment (104) communicatively coupled with a network (106), the
coupling comprises steps of:
receiving, by the network (106), a connection request;
sending an acknowledgment of the connection request to the UE (104); and
transmitting a plurality of signals in response to the connection request, wherein the network (106) comprising a policy control function (PCF) (222, 306), an access and mobility management function (AMF) (310), a sessions management function (SMF) (312), a binding support function (BSF) (314) and a provisioning gateway (PGW) (304) implementing a method for selectively barring a user (102) to attach to the network (106) as claimed in claim 1.
| # | Name | Date |
|---|---|---|
| 1 | 202321048809-STATEMENT OF UNDERTAKING (FORM 3) [20-07-2023(online)].pdf | 2023-07-20 |
| 2 | 202321048809-PROVISIONAL SPECIFICATION [20-07-2023(online)].pdf | 2023-07-20 |
| 3 | 202321048809-FORM 1 [20-07-2023(online)].pdf | 2023-07-20 |
| 4 | 202321048809-DRAWINGS [20-07-2023(online)].pdf | 2023-07-20 |
| 5 | 202321048809-DECLARATION OF INVENTORSHIP (FORM 5) [20-07-2023(online)].pdf | 2023-07-20 |
| 6 | 202321048809-FORM-26 [19-10-2023(online)].pdf | 2023-10-19 |
| 7 | 202321048809-FORM-26 [05-03-2024(online)].pdf | 2024-03-05 |
| 8 | 202321048809-FORM 13 [08-03-2024(online)].pdf | 2024-03-08 |
| 9 | 202321048809-AMENDED DOCUMENTS [08-03-2024(online)].pdf | 2024-03-08 |
| 10 | 202321048809-Request Letter-Correspondence [03-06-2024(online)].pdf | 2024-06-03 |
| 11 | 202321048809-Power of Attorney [03-06-2024(online)].pdf | 2024-06-03 |
| 12 | 202321048809-Covering Letter [03-06-2024(online)].pdf | 2024-06-03 |
| 13 | 202321048809-CORRESPONDANCE-WIPO CERTIFICATE-11-06-2024.pdf | 2024-06-11 |
| 14 | 202321048809-ENDORSEMENT BY INVENTORS [03-07-2024(online)].pdf | 2024-07-03 |
| 15 | 202321048809-DRAWING [03-07-2024(online)].pdf | 2024-07-03 |
| 16 | 202321048809-CORRESPONDENCE-OTHERS [03-07-2024(online)].pdf | 2024-07-03 |
| 17 | 202321048809-COMPLETE SPECIFICATION [03-07-2024(online)].pdf | 2024-07-03 |
| 18 | Abstract-1.jpg | 2024-08-06 |
| 19 | 202321048809-ORIGINAL UR 6(1A) FORM 26.pdf | 2024-09-23 |
| 20 | 202321048809-FORM 18 [10-10-2024(online)].pdf | 2024-10-10 |
| 21 | 202321048809-FORM 3 [04-11-2024(online)].pdf | 2024-11-04 |