Abstract: A hybrid work environment has its own complex scenarios that make intelligent automation of resource access control management a challenging task. Thus, embodiments of the present disclosure provide a technical solution to address the intelligent automation of complex scenarios in resource access control management arising due to the hybrid work environment. Embodiments of the present disclosure provide a method and system for access control of resources in a multi-location working environment, also referred to as a hybrid work environment. The method enables managing and protecting access to resources/enterprise applications in the hybrid work model using a tree-based graph, and enables or prevents automated access to the user's relevant resources while confirming the legitimacy of the user. The hybrid work environment refers to formal work locations and remote work locations, such as work from office and work from home, respectively. [To be published with 1B]
FORM 2
THE PATENTS ACT, 1970
(39 of 1970)
&
THE PATENT RULES, 2003
COMPLETE SPECIFICATION (See Section 10 and Rule 13)
Title of invention
METHOD AND SYSTEM FOR ACCESS CONTROL OF RESOURCES IN MULTI-LOCATION WORKING ENVIRONMENT
Applicant
Tata Consultancy Services Limited, a company incorporated in India under the Companies Act, 1956
Having address:
Nirmal Building, 9th floor,
Nariman Point, Mumbai 400021,
Maharashtra, India
Preamble to the description
The following specification particularly describes the invention and the manner in which it is to be performed.
TECHNICAL FIELD
[001] The embodiments herein generally relate to the field of resource access control mechanisms and, more particularly, to a method and system for access control of resources in a multi-location working environment.
BACKGROUND
[002] Post-pandemic, the hybrid work environment has become quite common. However, this has also led to certain challenges such as information security and resource access control, among others. One of the major reasons is that there is no fixed pattern of an employee visiting the workplace or working from a remote location. Furthermore, concepts such as satellite offices, which are multiple branches of the same organization that are opened for an employee to work from, make it further challenging to provide automatic access to the employee. It can be well understood that the workplace resources that are accessible to an employee from his/her base location may be largely different from those available when he/she works from a satellite office. Additionally, unauthorized access by wrongly acquiring a user's identity card or password is an added challenge at places or in scenarios where user verification is not possible.
[003] Even though user authentication or resource control approaches have been proposed in the literature, the conventional approaches mostly rely on user details as received by the system or on key-based access systems. There is no attempt in the literature to validate the user's legitimacy during resource access control. But in some situations, validating the user's legitimacy can be a critical requirement. For example, most of the employees in modern businesses work from home or from the office. When employees work from home, they still have access to the office. If the employee's ID card is lost, an attacker might be able to enter the office. Some enterprises protect their office resources by enabling employees to submit requests for access to the office through applications. However, there may still be some issues with that; in some instances, the employee may not use the access even though they made an office request. When employees work from home or from the office, the business must safeguard its resources.
[004] Thus, intelligent automation of resource access control management in a multiple work location environment is a complex technical problem to be addressed.
SUMMARY
[005] Embodiments of the present disclosure present technological improvements as solutions to one or more of the above-mentioned technical problems recognized by the inventors in conventional systems.
[006] For example, in one embodiment, a method for access control of resources in a multi-location working environment is provided. The method includes detecting a current work location of a user from one of a formal work location of an enterprise and a remote work location, based on a user Identifier (UID) captured during at least one of i) a device login event by the user from the remote work location, and ii) a gate entry record generated for the user at an entry of the formal work location.
[007] Further, the method includes identifying a set of resources allotted to the UID from among a plurality of resources provided by the enterprise at the formal work location if the detected current location is the formal work location, wherein a resource among the plurality of resources is identified with a unique code that establishes a hierarchical relationship among the plurality of resources. The unique code represents a hierarchical access level of the resource from among a plurality of access levels identified at the formal work location, a resource ID, partial unique codes of one or more resource IDs present at one or more hierarchical levels lying above the resource, and a branch ID of the formal work location present at the first hierarchical level, and wherein a status field associated with each of the plurality of resources is set to disabled.
[008] Further, the method includes creating an access path for the user, on a successful gate entry record generated for the user, by dynamically generating a user tree graph for the UID using the identified set of nodes, with a node associated with the gate entry as a starting node and the status field set to accessed, wherein the position of each of the set of nodes is based on the hierarchical level identified for a node using the unique code.
[009] Furthermore, the method includes tracking movement of the user based on the unique code of a current node identified with the status as ‘accessed’, wherein the position of the node in the user tree graph enables locating a current location of the user at a current hierarchical level, wherein the status is set to enabled for only the one or more resources identified at an immediate next level using the hierarchical relationship provided by the unique code, wherein the status of the one or more resources is reset to disabled when the user moves away by more than one level from the current hierarchical level, and wherein the user is enabled access to only a predefined number of resources among the set of resources at the same hierarchical access level if the user presence and proximity among the resources currently accessed by the user is agreeable in accordance with a predefined criterion.
[010] In another aspect, a system for access control of resources in a multi-location working environment is provided. The system comprises a memory storing instructions; one or more Input/Output (I/O) interfaces; and one or more hardware processors coupled to the memory via the one or more I/O interfaces, wherein the one or more hardware processors are configured by the instructions to detect a current work location of a user from one of a formal work location of an enterprise and a remote work location, based on a user Identifier (UID) captured during at least one of i) a device login event by the user from the remote work location, and ii) a gate entry record generated for the user at an entry of the formal work location.
[011] Further, the system identifies a set of resources allotted to the UID from among a plurality of resources provided by the enterprise at the formal work location if the detected current location is the formal work location, wherein a resource among the plurality of resources is identified with a unique code that establishes a hierarchical relationship among the plurality of resources. The unique code represents a hierarchical access level of the resource from among a plurality of access levels identified at the formal work location, a resource ID, partial unique codes of one or more resource IDs present at one or more hierarchical levels lying above the resource, and a branch ID of the formal work location present at the first hierarchical level, and wherein a status field associated with each of the plurality of resources is set to disabled.
[012] Further, the system creates an access path for the user, on a successful gate entry record generated for the user by dynamically generating a user tree graph for the UID using the identified set of nodes with a node associated with gate entry as a starting node and the status field set to accessed, wherein position of each of the set of nodes is based on the hierarchical level identified for a node using the unique code.
[013] Furthermore, the system tracks movement of the user based on the unique code of a current node identified with the status as ‘accessed’, wherein the position of the node in the user tree graph enables locating a current location of the user at a current hierarchical level, wherein the status is set to enabled for only the one or more resources identified at an immediate next level using the hierarchical relationship provided by the unique code, wherein the status of the one or more resources is reset to disabled when the user moves away by more than one level from the current hierarchical level, and wherein the user is enabled access to only a predefined number of resources among the set of resources at the same hierarchical access level if the user presence and proximity among the resources currently accessed by the user is agreeable in accordance with a predefined criterion.
[014] In yet another aspect, there are provided one or more non-transitory machine-readable information storage mediums comprising one or more instructions, which when executed by one or more hardware processors cause a method for access control of resources in a multi-location working environment. The method includes detecting a current work location of a user from one of a formal work location of an enterprise and a remote work location, based on a user Identifier (UID) captured during at least one of i) a device login event by the user from the remote work location, and ii) a gate entry record generated for the user at an entry of the formal work location.
[015] Further, the method includes identifying a set of resources allotted to the UID from among a plurality of resources provided by the enterprise at the formal work location if the detected current location is the formal work location, wherein a resource among the plurality of resources is identified with a unique code that establishes a hierarchical relationship among the plurality of resources. The unique code represents a hierarchical access level of the resource from among a plurality of access levels identified at the formal work location, a resource ID, partial unique codes of one or more resource IDs present at one or more hierarchical levels lying above the resource, and a branch ID of the formal work location present at the first hierarchical level, and wherein a status field associated with each of the plurality of resources is set to disabled.
[016] Further, the method includes creating an access path for the user, on a successful gate entry record generated for the user by dynamically generating a user tree graph for the UID using the identified set of nodes with a node associated with gate entry as a starting node and the status field set to accessed, wherein position of each of the set of nodes is based on the hierarchical level identified for a node using the unique code.
[017] Furthermore, the method includes tracking movement of the user based on the unique code of a current node identified with the status as ‘accessed’, wherein the position of the node in the user tree graph enables locating a current location of the user at a current hierarchical level, wherein the status is set to enabled for only the one or more resources identified at an immediate next level using the hierarchical relationship provided by the unique code, wherein the status of the one or more resources is reset to disabled when the user moves away by more than one level from the current hierarchical level, and wherein the user is enabled access to only a predefined number of resources among the set of resources at the same hierarchical access level if the user presence and proximity among the resources currently accessed by the user is agreeable in accordance with a predefined criterion.
[018] It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention, as claimed.
BRIEF DESCRIPTION OF THE DRAWINGS
[019] The accompanying drawings, which are incorporated in and constitute a part of this disclosure, illustrate exemplary embodiments and, together with the description, serve to explain the disclosed principles:
[020] FIG. 1A is a functional block diagram of a system, for access control of resources in a multi-location working environment, in accordance with some embodiments of the present disclosure.
[021] FIG. 1B is an architectural overview of the system of FIG. 1A, in accordance with some embodiments of the present disclosure.
[022] FIG. 2 is a flow diagram illustrating a method for access control of resources in the multi-location working environment, using the system of FIGS. 1A and 1B, in accordance with some embodiments of the present disclosure.
[023] FIG. 3 depicts a sample user tree graph created for the use case scenarios with unique codes, using the system of FIGS. 1A and 1B, in accordance with some embodiments of the present disclosure.
[024] It should be appreciated by those skilled in the art that any block diagrams herein represent conceptual views of illustrative systems and devices embodying the principles of the present subject matter. Similarly, it will be appreciated that any flow charts, flow diagrams, and the like represent various processes which may be substantially represented in computer readable medium and so executed by a computer or processor, whether or not such computer or processor is explicitly shown.
DETAILED DESCRIPTION OF EMBODIMENTS
[025] Exemplary embodiments are described with reference to the accompanying drawings. In the figures, the left-most digit(s) of a reference number identifies the figure in which the reference number first appears. Wherever convenient, the same reference numbers are used throughout the drawings to refer to the same or like parts. While examples and features of disclosed principles are described herein, modifications, adaptations, and other implementations are possible without departing from the scope of the disclosed embodiments.
[026] As mentioned, a hybrid work environment has its own complex scenarios that make intelligent automation of resource access control management and protecting the user’s resources a challenging task. Thus, embodiments of the present disclosure provide a technical solution to address the intelligent automation of complex scenarios in resource access control management arising due to the hybrid work environment.
[027] Embodiments of the present disclosure provide a method and system for access control of resources in a multi-location working environment, also referred to as a hybrid work environment. The method enables managing and protecting access to resources/enterprise applications in the hybrid work model using a tree-based graph, and enables or prevents automated access to the user's relevant resources while also confirming that the user is a legitimate user. The hybrid work environment refers to formal work locations, such as the multiple branch locations of an enterprise, and remote work locations, which refer to working from a home location or any location other than the formal locations/branch offices.
[028] Referring now to the drawings, and more particularly to FIGS. 1A through 3, where similar reference characters denote corresponding features consistently throughout the figures, there are shown preferred embodiments and these embodiments are described in the context of the following exemplary system and/or method.
[029] FIG. 1A is a functional block diagram of a system 100 for access control of resources in the multi-location working environment, in accordance with some embodiments of the present disclosure. In an embodiment, the system 100 includes an event server comprising a processor(s) 104, communication interface device(s), alternatively referred as input/output (I/O) interface(s) 106, and one or more data storage devices or a memory 102 operatively coupled to the processor(s) 104. The system 100 with one or more hardware processors is configured to execute functions of one or more functional blocks of the system 100.
[030] Referring to the components of system 100, in an embodiment, the processor(s) 104, can be one or more hardware processors 104. In an embodiment, the one or more hardware processors 104 can be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, state machines, logic circuitries, and/or any devices that manipulate signals based on operational instructions. Among other capabilities, the one or more hardware processors 104 are configured to fetch and execute computer-readable instructions stored in the memory 102. In an embodiment, the system 100 can be implemented in a variety of computing systems including laptop computers, notebooks, hand-held devices such as mobile phones, workstations, mainframe computers, servers, and the like.
[031] The I/O interface(s) 106 can include a variety of software and hardware interfaces, for example, a web interface, a graphical user interface and the like, and can facilitate multiple communications within a wide variety of networks (N/W) and protocol types, including wired networks, for example, LAN, cable, etc., and wireless networks, such as WLAN, cellular and the like. In an embodiment, the I/O interface(s) 106 can include one or more ports for connecting to a number of external devices or to another server or devices such as resources from remote or formal work locations.
[032] The memory 102 may include any computer-readable medium known in the art including, for example, volatile memory, such as static random access memory (SRAM) and dynamic random access memory (DRAM), and/or non-volatile memory, such as read only memory (ROM), erasable programmable ROM, flash memories, hard disks, optical disks, and magnetic tapes.
[033] In an embodiment, the memory 102 includes a plurality of modules 110. The plurality of modules 110 include programs or coded instructions that supplement applications or functions performed by the system 100 for executing the different steps involved in the process of access control of resources being performed by the system 100. The plurality of modules 110, amongst other things, can include routines, programs, objects, components, and data structures, which perform particular tasks or implement particular abstract data types. The plurality of modules 110 may also be used as signal processor(s), node machine(s), logic circuitries, and/or any other device or component that manipulates signals based on operational instructions. Further, the plurality of modules 110 can be used by hardware, by computer-readable instructions executed by the one or more hardware processors 104, or by a combination thereof. The plurality of modules 110 can include various sub-modules (not shown) for access control of resources.
[034] Further, the memory 102 may comprise information pertaining to input(s)/output(s) of each step performed by the processor(s) 104 of the system 100 and methods of the present disclosure. Further, the memory 102 includes a database 108. The database (or repository) 108 may include a plurality of abstracted pieces of code for refinement and data that is processed, received, or generated as a result of the execution of the plurality of modules in the module(s) 110. Thus, the database can store events tapped by the event server and a user tree graph generated for each user, tagged with the associated user Identifier (UID), who is currently working in the hybrid model.
[035] Although the database 108 is shown internal to the system 100, it will be noted that, in alternate embodiments, the database 108 can also be implemented external to the system 100 and communicatively coupled to the system 100. The data contained within such an external database may be periodically updated. For example, new data may be added into the database (not shown in FIG. 1) and/or existing data may be modified and/or non-useful data may be deleted from the database. In one example, the data may be stored in an external system, such as a Lightweight Directory Access Protocol (LDAP) directory and a Relational Database Management System (RDBMS). Functions of the components of the system 100 are now explained with reference to the steps in the flow diagram of FIG. 2, the system architectural overview of FIG. 1B and the example user tree graph depicted in FIG. 3.
[036] As depicted in the system architectural overview of FIG. 1B, the system 100 controls resource access of a user working in the multi-location or hybrid working environment. As can be seen in FIG. 1B, the user, for example an employee of an organization which provides a hybrid work environment, can opt to work either in a remote location or a formal work location. Further, when working in the formal work location, the user has selective access to one or more resources from among a plurality of resources of the enterprise made available to users (employees) at a particular formal work location (branch office). The selective access is based on the user tree graph generated by an event server in the system 100. Thus, the method and system, via the event server, dynamically create the user tree graph utilizing the user-applicable resources when the event server captures or taps resource access events of the user. Further, the system 100, via the event-based server, can grant or disable access to the user's resources in accordance with the user tree graph by checking whether the user is a legitimate user, using conditions defined and explained in conjunction with the method of FIG. 2, the example user tree graph of FIG. 3, and the use case scenarios. Thereafter, according to the user's environment, the event server can activate multifactor authentication. The system 100 also defends resources against unauthorized or illegitimate users. Further, the system 100 activates resource access without the need for administrator intervention. Thus, the system 100 safeguards resources in the hybrid work model.
[037] FIG. 2 is a flow diagram illustrating a method 200 for access control of resources in the multi-location working environment, using the system of FIGS. 1A and 1B, in accordance with some embodiments of the present disclosure.
[038] In an embodiment, the system 100 comprises one or more data storage devices or the memory 102 operatively coupled to the processor(s) 104 and is configured to store instructions for execution of the steps of the method 200 by the processor(s) or one or more hardware processors 104. The steps of the method 200 of the present disclosure will now be explained with reference to the components or blocks of the system 100 as depicted in FIGS. 1A and 1B and the steps of the flow diagram as depicted in FIG. 2. Although process steps, method steps, techniques or the like may be described in a sequential order, such processes, methods, and techniques may be configured to work in alternate orders. In other words, any sequence or order of steps that may be described does not necessarily indicate a requirement that the steps be performed in that order. The steps of the processes described herein may be performed in any order practical. Further, some steps may be performed simultaneously.
[039] Referring to the steps of the method 200, at step 202 of the method 200, the one or more hardware processors 104 of the event server detect a current work location of a user from one of a formal work location and a remote work location defined by the enterprise or organization the user is employed with. The formal work location can be opted by the user from among a plurality of formal work locations offered by the enterprise.
[040] The user is identified with a user Identifier (UID) captured by the event server during at least one of i) a device login event by the user from the remote work location, and ii) a gate entry record generated for the user at the formal work location. Thus, if both of the above events are detected, the event server of the system 100 can record that the user is at the office along with his/her enterprise-allocated device, such as a laptop or tablet.
[041] At step 204 of the method 200, the one or more hardware processors 104 identify a set of resources for the UID from among a plurality of resources provided by the enterprise if the detected current location is the formal work location. The set of resources is identified by the enterprise based on the user’s assigned tasks. The identified set of resources varies in accordance with the opted formal location. For example, when the formal work location is one among the base locations identified for the user by the enterprise, the scope of resource access will be different compared to the scope of resource access when the formal work location is a non-base location, also referred to as a satellite office. Each resource among the set of resources is present at the same or a different hierarchical access level. Each of the plurality of resources is identified with a unique code that establishes a hierarchical relationship among the plurality of resources. The unique code represents a hierarchical access level of the resource from among a plurality of access levels identified at the formal work location, a resource ID, partial unique codes of one or more resource IDs present at one or more hierarchical levels lying above the resource, and a branch ID of the formal work location present at the first hierarchical level, and a status field associated with each of the plurality of resources is set to disabled. The unique code generation is further explained in conjunction with FIG. 3. The plurality of resources in the formal work location include department-level access, for example Off-shore Development Centers (ODCs) that have restricted access in offices, and desktops, printers, etc. within each department. Similarly, the plurality of resources in the remote work location include laptops, tablets, and the like.
[042] At step 206 of the method 200, the one or more hardware processors 104 create an access path for the user, on a successful gate entry record generated for the user, by dynamically generating a user tree graph for the UID using the identified set of nodes. A node associated with the gate entry serves as the starting node, with its status field set to accessed. The position of each of the set of nodes is based on the hierarchical level identified for the node using the unique code.
[043] Once the user tree graph is created, then at step 208 of the method 200, the one or more hardware processors 104 track movement of the user based on the unique code of a current node identified with the status as ‘accessed’, wherein position of the node in the user tree graph enables locating a current location of the user at a current hierarchical level.
a) The status of only the one or more resources identified at an immediate next level using the hierarchical relationship provided by the unique code is set to enabled. For example, when an unauthorized user (such as a friend of the user who is already sitting in the same ODC1 but is not officially assigned the desktop) attempts to authenticate to the desktop (with a unique code X) using a shared password, the system verifies the legitimacy of the user by checking whether the status of the associated higher hierarchical level resource (say ODC1), tracked using the user tree graph and the ODC1 unique code, is set to accessed for the UID associated with the desktop. If the ODC1 entry shows the status as non-accessed in the user tree graph of the UID, then an unauthorized user is identified.
b) The status of the one or more resources is reset to disabled when the user moves away by more than one level from the current hierarchical level. With reference to the above ODC example, if the true user moves out of ODC1 after working on the desktop, the desktop access is automatically deactivated, and remains so until a user event of re-entry to the ODC is captured. Thus, a fraudster cannot use the desktop once the user moves out of the ODC access level, even if he/she has wrongfully acquired the desktop password.
c) The user is enabled access to only a predefined number of resources among the set of resources at the same hierarchical access level if the user presence and proximity among the resources currently accessed by the user is agreeable in accordance with a predefined criterion. For example, the user may have access to two desktops in the same ODC in the same subarea, where user presence at both desktops is well understood. However, if a desktop and a printer are at two different areas in the ODC, only one device access is enabled, as the user cannot be present at two far-away locations at the same instant.
[044] The method triggers a security event indicating unauthorized access or an unauthenticated user to an administrator when an attempt is detected to access resources other than those at the immediate next level of the user, that is, resources more than one level away from the user's current level. Further, the method limits access of the user to the resources associated with enterprise applications when the user is detected to be working from the remote work location.
[045] Creation of user tree graph for the organization or enterprise:
[046] In a practical scenario, referring to the system architectural overview of FIG. 1B, each enterprise maintains different types of resources (for example: ODCs (say area 1), desktops, servers (say area 2), printers, conference rooms (say area 3), etc.) in the formal work location, and issued laptops, tablets, etc. when specifically working in remote work locations. The system 100 identifies each resource in a node object. Each node class maintains information about the resource details, access status details, and the unique code.
[047] The unique code is used to identify the subsequent resources. For example, if the user’s current location is identified as the office (formal work location 1, say the base location), the system 100 generates the first level node, say for the office main gate, and dynamically assigns a unique code.
[048] Next, the system 100 generates nodes for the second level resources such as ODC1, the server room and the conference rooms by identifying those resources. The system 100 generates a code for each of the second level resources by using the top-level (first level) resource code as reference. The unique code created in this manner aids in the identification of subsequent resources (for example, the resources at the level above and the level below). Similarly, the system 100 identifies the third level resources, creates nodes for each of the resources, and generates a corresponding code for each of the third level resources that is derived from the prior levels, such as the first and second level resources. The code helps identify its top-level resources and its subsequent resources in an efficient way. The system creates nodes for each of the resources in the office and connects them through the codes. The codes help to easily traverse from one node to another.
[049] Thus, it can be understood that all nodes are connected through codes, and it represents the user tree graph. Nodes are class objects that contain information about access status, resource details, and the unique code (also referred to as ‘code’). The code is used to efficiently identify the subsequent nodes.
[050] Use-Case Scenario 1 for device access at formal work location:
[051] As depicted in FIG. 3, the system 100 creates a sample user tree graph with the unique codes for each identified resource for the user associated with a specific UID. For each of the office branches (plurality of formal work locations), the system 100 generates a unique branch code (branch ID).
[052] For each formal work location, such as each branch office, the system 100 generates and maintains a unique code for each resource based on the associated resource ID, the associated hierarchical level and the resource present at the previous access level. The event server of the system 100 identifies all the resources that belong to the branch office using the unique codes. The system 100 generates the user tree graph by connecting only the nodes associated with the resources identified for each UID. Thus, all the resources at the same hierarchical level of a user-accessible branch office that are not included in the user tree are disabled for the UID. For example, the grey-filled resources in FIG. 3 depict resources that are not allocated, and the user is denied access to them. As depicted in the example of FIG. 3, the user tree graph is generated with the gate entry as the base or reference node. The office gate code is L1B11 (L1 is the resource level and B11 is the branch ID). Note that the assumption herein is that L1 is the highest hierarchical level, descending gradually to L2, L3 and so on. Thereafter, the event server of the system 100 identifies the next-level resources at the same hierarchical level that are allotted to the user in the system. In FIG. 3, ODC1 and server room 1, present at the same hierarchical level (L2), are pre-allocated to the UID in the system and so are part of the user tree graph. However, the conference room and its subsequent-level resources at the next immediate levels, such as the video conference system (VS01), are not assigned to the UID.
[053] Code generation for ODC1: The code L2D01B11 is generated for ODC1 (L2 is the 2nd level, D01 is the ODC code, and B11 is the code of the branch it belongs to).
[054] Code generation for server rooms: The code L2SR01B11 is generated for the server room (L2 is the 2nd level, SR01 is the server room code, and B11 is the branch code).
[055] Next, it fetches all the third-level resources that belong to ODC1, the server room, etc. It fetches all the desktops, physical servers, etc. that belong to ODC1 and generates a unique code for each of the resources. The code L3DT01D01B11 is generated for desktop 1 (L3 is a level 3 resource; DT01 belongs to ODC D01; and B11 is the branch code), and L3DT02D01B11 is generated for desktop 2. It then fetches all the server systems that belong to the server room: L3SS01SR01B11 is generated for server system 1 and L3SS02SR01B11 for server system 2.
[056] User enters office (formal work location) scenario: When the user enters the office main gate L1B11 (the event is captured when, say, the user swipes his/her ID card), the system 100 starts creating the user tree graph by searching the allocated resources at each level (connected nodes on the user tree graph) that are identified for the UID, i.e., the L2 and L3 levels in the example of FIG. 3. The immediate next level starts with L2. Thus, after finding the resources at L2, which are ODC1, whose code is L2D01B11, and the server room, whose code is L2SR01B11, it updates their access status to "Enabled" and the user is allowed access to both resources at level L2. If the user, as depicted in FIG. 3, chooses to enter ODC1, the system 100 updates the ODC1 status to "Accessed". This status change event for ODC1 is identified, and the server room status is automatically set to "Disabled", as per the predefined criterion that the same user cannot be physically present at ODC1 and the server room at the same time (even though they are at the same level). When the user attempts to access Desktop1 at level L3, the system, through the resource finder, verifies the access status of ODC1, whose code is L2D01B11, and of the office main gate (L1B11). If the access status of both previous levels is "Accessed" and the user provides the correct user allocation details such as a password or authentication code, the system 100 verifies that Desktop1 belongs to or is allocated to the user, and the user is allowed access to Desktop 1. Further, if Desktop 2 is in the vicinity of Desktop 1 and both can be accessed simultaneously by the physical presence of a single person, then the predefined criterion can state "Desktop1 and Desktop 2 simultaneous access allowed". Only under such conditional enablement is the status of Desktop 2 retained as "Enabled" while the user is accessing Desktop 1; without the predefined criterion, the Desktop 2 status is set to "Disabled".
[057] Use Case Scenario 2 for tailgate access at formal work location: When the user attempts to access the server by entering ODC2 (area 2) from ODC1 (area 1) through tailgate access, the resource identifier receives the access event details for the server (a resource located in ODC2) through the event server. The system 100 checks the access path by identifying the top-level resources using the server code, and checks whether the access status of all the higher-level resources is recorded as "accessed". The system 100 also checks the access status between the desktop and the server, since it receives the login from the desktop.
[058] The access sequence is recorded as Desktop->ODC1->ODC2->Server. First, the system 100 fetches the higher-level resources above the server based on the server code, i.e., the ODC2 resource details. Then, using the desktop code, the system 100 retrieves the top-level resources of the desktop, i.e., the ODC1 resource details. The system 100 then compares the levels of ODC1 and ODC2. The access path can be built if the level is the same (for example, ODC1 and ODC2 are both level 2 resources). The access status of ODC2 is failed because the user entered ODC2 through tailgate access; this is one example of a predefined criterion for simultaneous access allowed/disallowed for same-level resources. Thus, the system 100 subsequently denies access to the server and sends an email to the user.
[059] Use Case Scenario 3 for password sharing (remote work location): In this scenario, the user is working from home and requests a friend (a team colleague) present at the office to update the jar on the server by sharing the user's credentials. The colleague attempts to access the server using the user's credentials. The resource identifier receives the details from the event server and identifies the higher-level resources associated with the user using the server code. The access status for the top-level resources is failed. The system 100 also checks the login device status and identifies that the user's current location is a remote work location. The system 100 raises a security event by sending an email to the administrator.
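As an added illustration that is not part of the specification, the following Python model walks through the unique-code scheme and the status transitions of use-case scenarios 1 to 3 (gate entry, tailgating into ODC2, and credential sharing from a remote location). The codes are taken from FIG. 3 with a constructed ODC2 (D02) added for the tailgate case; the class, method names and the single-character level assumption are this example's own.

```python
import re

# Codes follow the page's scheme L<level><resource ID><ancestor IDs...><branch ID>,
# e.g. L3DT01D01B11: level 3, desktop DT01, inside ODC D01, at branch B11.
CODE_RE = re.compile(r"^L(\d+)([A-Z]+\d{2})(.*)$")

def level_of(code):
    return int(CODE_RE.match(code).group(1))

def parent_code(code):
    """Code of the resource one level up, derived from the code alone (None at L1)."""
    level, _rid, rest = CODE_RE.match(code).groups()
    return None if level == "1" else f"L{int(level) - 1}{rest}"

class UserTree:
    """User tree graph for one UID: only resources allotted to that UID become nodes,
    each carrying a status field Disabled -> Enabled -> Accessed."""
    def __init__(self, uid, allotted, allowed_together=()):
        self.uid, self.events = uid, []  # events: what the page mails to the administrator
        self.status = {code: "Disabled" for code in allotted}
        self.allowed_together = {frozenset(p) for p in allowed_together}

    def children(self, code):
        return [c for c in self.status if parent_code(c) == code]

    def mark_accessed(self, code):
        """Entry event: node Accessed, immediate next level Enabled, same-level siblings
        Disabled unless a predefined criterion allows both, deeper levels reset to Disabled."""
        self.status[code] = "Accessed"
        for child in self.children(code):
            self.status[child] = "Enabled"
        parent = parent_code(code)
        for sib in (self.children(parent) if parent else []):
            if sib != code and frozenset((sib, code)) not in self.allowed_together:
                self.status[sib] = "Disabled"
        for c in self.status:
            if level_of(c) > level_of(code) + 1:
                self.status[c] = "Disabled"

    def request(self, code, credential_ok, location="office"):
        """Resource finder check: formal work location, every higher-level node on the
        access path Accessed, the node itself Enabled, and matching credentials."""
        if location != "office":
            self.events.append(f"{self.uid}: credentials used at {code} while remote")
            return "denied"
        anc = parent_code(code)
        while anc:
            if self.status.get(anc) != "Accessed":
                self.events.append(f"{self.uid}: access path broken at {anc} for {code}")
                return "denied"
            anc = parent_code(anc)
        if self.status.get(code) != "Enabled" or not credential_ok:
            return "denied"
        self.mark_accessed(code)
        return "granted"

# Constructed sample modelled on FIG. 3 (branch B11), with an ODC2 (D02) added for the
# tailgate case: gate, ODC1, server room 1, ODC2, two desktops, two server systems.
ALLOTTED = ["L1B11", "L2D01B11", "L2SR01B11", "L2D02B11", "L3DT01D01B11",
            "L3DT02D01B11", "L3SS01SR01B11", "L3SS03D02B11"]

def demo():
    t = UserTree("U001", ALLOTTED, allowed_together=[("L3DT01D01B11", "L3DT02D01B11")])
    t.mark_accessed("L1B11")     # gate swipe: the three L2 rooms become Enabled
    t.mark_accessed("L2D01B11")  # enters ODC1: server room 1 and ODC2 Disabled, desktops Enabled
    r1 = t.request("L3DT01D01B11", True)            # granted; desktop 2 stays Enabled
    r2 = t.request("L3SS03D02B11", True)            # tailgated into ODC2: path broken, denied
    r3 = t.request("L3SS01SR01B11", True, "remote") # shared password from home: denied
    return r1, r2, r3, t.status["L3DT02D01B11"], t.status["L2SR01B11"], t.events
```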
[060] Thus, the method and system disclosed herein creates the user tree graph utilizing user-applicable resources when it gets an access event. Further, the system can grant or disable access to the user's resources based on the user tree graph and according to the user's environment, can activate multifactor authentication. The system also defends resources against unauthorized users. Further, the system activates resource access without the need for administrator intervention. Thus, the system safeguards enterprise resources in the hybrid work model.
[061] Thus, the method disclosed, using the unique codes and the associated status field of each resource, can i) track the user and ii) manage access control, after confirming the legitimacy of the user. This disclosed approach to access control management is computationally less intensive and time efficient, and equally robust against fake users, compared to computationally intensive key-based mechanisms that rely on user profiles and keys.
[062] The written description describes the subject matter herein to enable any person skilled in the art to make and use the embodiments. The scope of the subject matter embodiments is defined by the claims and may include other modifications that occur to those skilled in the art. Such other modifications are intended to be within the scope of the claims if they have similar elements that do not differ from the literal language of the claims or if they include equivalent elements with insubstantial differences from the literal language of the claims.
[063] It is to be understood that the scope of the protection is extended to such a program and in addition to a computer-readable means having a message therein; such computer-readable storage means contain program-code means for implementation of one or more steps of the method, when the program runs on a server or mobile device or any suitable programmable device. The hardware device can be any kind of device which can be programmed including e.g., any kind of computer like a server or a personal computer, or the like, or any combination thereof. The device may also include means which could be e.g., hardware means like e.g., an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or a combination of hardware and software means, e.g. an ASIC and an FPGA, or at least one microprocessor and at least one memory with software processing components located therein. Thus, the means can include both hardware means, and software means. The method embodiments described herein could be implemented in hardware and software. The device may also include software means. Alternatively, the embodiments may be implemented on different hardware devices, e.g., using a plurality of CPUs.
[064] The embodiments herein can comprise hardware and software elements. The embodiments that are implemented in software include but are not limited to, firmware, resident software, microcode, etc. The functions performed by various components described herein may be implemented in other components or combinations of other components. For the purposes of this description, a computer-usable or computer readable medium can be any apparatus that can comprise, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
[065] The illustrated steps are set out to explain the exemplary embodiments shown, and it should be anticipated that ongoing technological development will change the manner in which particular functions are performed. These examples are presented herein for purposes of illustration, and not limitation.
Further, the boundaries of the functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternative boundaries can be defined so long as the specified functions and relationships thereof are appropriately performed. Alternatives (including equivalents, extensions, variations, deviations, etc., of those described herein) will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein. Such alternatives fall within the scope of the disclosed embodiments. Also, the words “comprising,” “having,” “containing,” and “including,” and other similar forms are intended to be equivalent in meaning and be open ended in that an item or items following any one of these words is not meant to be an exhaustive listing of such item or items or meant to be limited to only the listed item or items. It must also be noted that as used herein and in the appended claims, the singular forms “a,” “an,” and “the” include plural references unless the context clearly dictates otherwise.
[066] Furthermore, one or more computer-readable storage media may be utilized in implementing embodiments consistent with the present disclosure. A computer-readable storage medium refers to any type of physical memory on which information or data readable by a processor may be stored. Thus, a computer-readable storage medium may store instructions for execution by one or more processors, including instructions for causing the processor(s) to perform steps or stages consistent with the embodiments described herein. The term “computer-readable medium” should be understood to include tangible items and exclude carrier waves and transient signals, i.e., be non-transitory. Examples include random access memory (RAM), read-only memory (ROM), volatile memory, nonvolatile memory, hard drives, CD ROMs, DVDs, flash drives, disks, and any other known physical storage media.
[067] It is intended that the disclosure and examples be considered as exemplary only, with a true scope of disclosed embodiments being indicated by the following claims.
We Claim:
1. A method (200) for access control of resources in multi-location working environment, the method comprising:
detecting (202), by one or more hardware processors, a current work location of a user from one of a formal work location of an enterprise and a remote work location based on a user Identifier (UID) captured during at least one of i) a device login event by the user from the remote work location, and ii) a gate entry record generated for the user at an entry of the formal work location;
identifying (204), by the one or more hardware processors, a set of resources allotted to the UID from among a plurality of resources provided by the enterprise at the formal work location if the detected current location is the formal work location, wherein a resource among the plurality of resources is identified with a unique code that establishes a hierarchical relationship among the plurality of resources, wherein the unique code represents a hierarchical access level of the resource from among plurality of access levels identified at the formal work location, a resource ID, partial unique codes of one or more resource IDs present at one or more hierarchical levels lying above the resource, a branch ID of the formal work location present at the first hierarchical level, and wherein a status field associated with each of the plurality of resources is set to ‘disabled’;
creating (206), by the one or more hardware processors, an access path for the user, on a successful gate entry record generated for the user by dynamically generating a user tree graph for the UID using the identified set of nodes with a node associated with gate entry as a starting node and the status field set to accessed, wherein position of each of the set of nodes is based on the hierarchical level identified for a node using the unique code; and
tracking (202), by one or more hardware processors, movement of the user based on the unique code of a current node identified with the status as ‘accessed’, wherein position of the node in the user tree graph enables locating a current location of the user at a current hierarchical level,
wherein the status is set to ‘enabled’ for only the one or more resources identified at an immediate next level using the hierarchical relationship provided by the unique code,
wherein status of the one or more resources is reset to ‘disabled’ when the user moves away by more than one level from the current hierarchical level, and
wherein the user is enabled access to only a predefined number of resources among the set of resources at same hierarchical access level if the user presence and proximity among the resources currently accessed by user is agreeable in accordance with predefined criterion.
2. The method as claimed in claim 1, wherein the formal location is opted by the user from among a plurality of formal work locations offered by the enterprise, and the identified set of resources varies in accordance with the opted formal location.
3. The method as claimed in claim 1, wherein a security event indicating unauthorized access or unauthenticated user is triggered to an administrator when an attempt is detected to access the resources other than the resources that are more than one level away from the immediate next level of the user.
4. The method as claimed in claim 1, comprising limited access of the user to the resources associated with enterprise applications when the user is detected to be working from remote work location.
5. A system (100) for access control of resources in multi-location working environment, the system (100) comprising:
a memory (102) storing instructions;
one or more Input/Output (I/O) interfaces (106); and
one or more hardware processors (104) coupled to the memory (102) via the one or more I/O interfaces (106), wherein the one or more hardware processors (104) are configured by the instructions to:
detect a current work location of a user from one of a formal work location of an enterprise and a remote work location based on a user Identifier (UID) captured during at least one of i) a device login event by the user from the remote work location, and ii) a gate entry record generated for the user at an entry of the formal work location;
identify a set of resources allotted to the UID from among a plurality of resources provided by the enterprise at the formal work location if the detected current location is the formal work location, wherein a resource among the plurality of resources is identified with a unique code that establishes a hierarchical relationship among the plurality of resources, wherein the unique code represents a hierarchical access level of the resource from among plurality of access levels identified at the formal work location, a resource ID, partial unique codes of one or more resource IDs present at one or more hierarchical levels lying above the resource, a branch ID of the formal work location present at the first hierarchical level, and wherein a status field associated with each of the plurality of resources is set to ‘disabled’;
create an access path for the user, on a successful gate entry record generated for the user by dynamically generating a user tree graph for the UID using the identified set of nodes, with a node associated with gate entry as a starting node and the status field set to accessed, wherein position of each of the set of nodes is based on the hierarchical level identified for a node using the unique code; and
track movement of the user based on the unique code of a current node identified with the status as ‘accessed,’ wherein position of the node in the user tree graph enables locating a current location of the user at a current hierarchical level,
wherein the status of only the one or more resources identified at an immediate next level using the hierarchical relationship provided by the unique code is set to ‘enabled’,
wherein status of the one or more resources is reset to ‘disabled’ when the user moves away by more than one level from the current hierarchical level, and
wherein the user is enabled access to only a predefined number of resources among the set of resources at same hierarchical access level if the user presence and proximity among the resources currently accessed by user is agreeable in accordance with predefined criterion.
6. The system as claimed in claim 5, wherein the formal location is opted by the user from among a plurality of formal work locations offered by the enterprise, and the identified set of resources varies in accordance with the opted formal location.
7. The system as claimed in claim 6, wherein a security event indicating unauthorized access or unauthenticated user is triggered to an administrator when an attempt is detected to access the resources other than the resources that are more than one level away from the immediate next level of the user.
8. The system as claimed in claim 6, comprising limited access of the user to the resources associated with enterprise applications when the user is detected to be working from remote work location.
| # | Name | Date |
|---|---|---|
| 1 | 202321022633-STATEMENT OF UNDERTAKING (FORM 3) [28-03-2023(online)].pdf | 2023-03-28 |
| 2 | 202321022633-REQUEST FOR EXAMINATION (FORM-18) [28-03-2023(online)].pdf | 2023-03-28 |
| 3 | 202321022633-FORM 18 [28-03-2023(online)].pdf | 2023-03-28 |
| 4 | 202321022633-FORM 1 [28-03-2023(online)].pdf | 2023-03-28 |
| 5 | 202321022633-FIGURE OF ABSTRACT [28-03-2023(online)].pdf | 2023-03-28 |
| 6 | 202321022633-DRAWINGS [28-03-2023(online)].pdf | 2023-03-28 |
| 7 | 202321022633-DECLARATION OF INVENTORSHIP (FORM 5) [28-03-2023(online)].pdf | 2023-03-28 |
| 8 | 202321022633-COMPLETE SPECIFICATION [28-03-2023(online)].pdf | 2023-03-28 |
| 9 | 202321022633-FORM-26 [27-04-2023(online)].pdf | 2023-04-27 |
| 10 | 202321022633-Proof of Right [08-06-2023(online)].pdf | 2023-06-08 |
| 11 | Abstract.1.jpg | 2023-12-28 |