Abstract: A method and system for policy creation and evaluation in policy based access control. In this framework, a policy is created to control access to a resource. The system marks, with a code, the policies that are evaluated more often in a given time interval by the policy engine. The policy includes users’ attributes, resource identifiers and an access type, and is stored on the policy server under a designated folder. The process automatically tags a policy to the resource based on the resource attribute information in the policy. When a user attempts to access the resource, the system receives the user details and resource details. Further, the system identifies applicable policies based on the tagging information stored in the database, and it evaluates the policies that are marked and available on the resource before evaluating the policies that are associated with multiple resources. [To be published with fig. 1]
FORM 2
THE PATENTS ACT, 1970 (39 of 1970) & THE PATENTS RULES, 2003
COMPLETE SPECIFICATION
(See section 10, rule 13)
1. Title of the invention: METHOD AND SYSTEM FOR POLICY BASED ACCESS CONTROL
2. Applicant(s)
| NAME | NATIONALITY | ADDRESS |
|---|---|---|
| TATA CONSULTANCY SERVICES LIMITED | Indian | Nirmal Building, 9th Floor, Nariman Point, Mumbai, Maharashtra 400021, India |
3. Preamble to the description
COMPLETE SPECIFICATION
The following specification particularly describes the invention and the manner in which it is to be performed.
TECHNICAL FIELD
[0001] The embodiments herein generally relate to a method for policy based access control technology and, more particularly, to improving efficiency in policy creation, searching and evaluation in access control technology.
BACKGROUND
[0002] In the field of information security, access control is a process that controls access to resources in accordance with authorization rules. The user creates a policy in the system to control access to a resource. The policy may comprise users’ attributes, resource attributes and an access type such as open, edit, etc. The system may store all authorization policies on a policy server. To arrive at an authorization decision, the policy engine of the system evaluates all applicable policies for a resource. A typical large enterprise or data marketplace may have thousands of access control policies created to secure its resources. If policy evaluation is not efficient, the system cannot scale and performance may degrade.
[0003] When a user attempts to access a resource, the policy enforcement point (PEP) component intercepts the request and forwards it to the policy decision point (PDP), which evaluates the applicable policies with the help of the policy information point (PIP). The policy evaluation process involves a policy search to find the applicable policies for the resource in the authorization request. Further, the policy evaluation compares the user, resource and access attributes with the attributes in the authorization policy or with attributes obtained from the PIP. The search may take a long time as the number of policies grows. In some scenarios, some policies are never evaluated because they are inapplicable to any authorization request, owing to changes in user and resource attributes or to duplicate policies. In this scenario, the time taken to search for applicable policies increases as the number of policies grows because of these obsolete policies. In another scenario, picking policies in the right order is desirable to improve efficiency.
SUMMARY
[0004] The following presents a simplified summary of some embodiments of the disclosure in order to provide a basic understanding of the embodiments. This summary is not an extensive overview of the embodiments. It is not intended to identify key/critical elements of the embodiments or to delineate the scope of the embodiments. Its sole purpose is to present some embodiments in a simplified form as a prelude to the more detailed description that is presented below.
[0005] In view of the foregoing, an embodiment herein provides a method for policy based access control technology.
[0006] In one aspect, a method for policy based access control is provided. The method comprises creating one or more access control policies to authorize access on a resource, the policy comprising one or more user attributes, one or more resource identifier attributes and an access type. Further, the process evaluates the one or more access control policies on a policy server using a policy engine. The evaluation results in a number of evaluation counts for each access control policy within a given time interval. Each access control policy is marked based on its number of evaluation counts by the policy engine, wherein the marking order of the access control policies is updated if the evaluation count of the access control policies changes in a given time interval. The process then tags the access control policies with at least one resource based on the resource attribute information in each of the access control policies. It would be appreciated that the policy file is generally associated with the resource automatically if the policy file contains resource information; this happens when the policy is created. However, in some cases the policy file does not have resource information, and such policy files are associated with the resource when the user manually associates the policy with the resource. Further, whenever the user attempts to access the resource, the process receives the user and resource details and provides the policies that are available in the folder named with the resource attributes.
[0007] In another aspect, a system for policy based access control is provided. The system is configured to create one or more access control policies to authorize access on a resource, wherein the policy comprises one or more user attributes, one or more resource identifier attributes and an access type. It evaluates the one or more access control policies on a policy server using a policy engine, and the evaluation results in a number of evaluation counts for each access control policy within a given time interval. Further, the system marks each access control policy based on its number of evaluation counts by the policy engine. The marking order of the access control policies is updated if the evaluation count of the access control policies changes in a given time interval, and the system tags the access control policies with at least one resource based on the resource attribute information in each of the access control policies. It would be appreciated that the policy file is generally associated with the resource automatically if the policy file contains resource information; this happens when the policy is created. However, in some cases the policy file does not have resource information, and such policy files are associated with the resource when the user manually associates the policy with the resource. Further, whenever the user attempts to access the resource, the system receives the user and resource details and provides the policies that are available in the folder named with the resource attribute.
[0008] It should be appreciated by those skilled in the art that any block diagram herein represents conceptual views of illustrative systems embodying the principles of the present subject matter. Similarly, it will be appreciated that any flow charts, flow diagrams, state transition diagrams, pseudo code, and the like represent various processes which may be substantially represented in a computer readable medium and so executed by a computing device or processor, whether or not such computing device or processor is explicitly shown.
BRIEF DESCRIPTION OF THE DRAWINGS
[0009] The embodiments herein will be better understood from the following detailed description with reference to the drawings, in which:
[0010] Figure 1 illustrates a system for policy based access control according to an embodiment of the present disclosure;
[0011] Figure 2 illustrates a schematic for marking order of one or more policies based on evaluation count according to an embodiment of the present disclosure;
[0012] Figure 3 illustrates a method for policy based access control according to an embodiment of the present disclosure; and
[0013] Figure 4 illustrates a method for updating the marking order of one or more policies according to an embodiment of the present disclosure.
DETAILED DESCRIPTION OF EMBODIMENTS
[0014] The embodiments herein and the various features and advantageous details thereof are explained more fully with reference to the non-limiting embodiments that are illustrated in the accompanying drawings and detailed in the following description. The examples used herein are intended merely to facilitate an understanding of ways in which the embodiments herein may be practiced and to further enable those of skill in the art to practice the embodiments herein. Accordingly, the examples should not be construed as limiting the scope of the embodiments herein.
[0015] Referring to fig. 1, a system 100 for policy based access control is shown. The system comprises a memory 102, a processor 104 communicatively coupled with the memory, a policy engine 106, a policy marking module 108, a policy server 110, a policy database 112, and a client application 114.
[0016] In the preferred embodiment, the user creates one or more access control policies in the system 100 to authorize access on a resource. The policy comprises one or more user attributes, one or more resource identifiers and an access type. The system evaluates the one or more access control policies using the policy engine 106 and marks each policy based on its evaluation count using the policy marking module 108. Further, the system tags the one or more access control policies with at least one resource based on resource attribute information.
[0017] In the preferred embodiment, the policy engine 106 performs the policy search, the policy evaluation and the decision formation. The policy engine 106 searches for applicable policies based on the attributes of a resource. The policy engine 106 fetches the attributes of a resource based on the resource identifier in the authorization request. Further, the policy engine 106 evaluates the policies in the order of preference given by the policy marking. After evaluation, the policy engine returns a deny/allow result. The policy marking module counts only those evaluations of a policy whose result is allow.
[0018] In the preferred embodiment, the policy marking module 108 of the system marks the policies with a code. The policy marking module 108 marks the policies based on their evaluation count in a given time interval. Further, the policy marking module 108 helps the policy engine to select the right policy easily.
[0019] Referring to fig. 2, the policy marking module 108 marks one or more policies as policy 1, policy 2, policy 3 and so on, wherein the marking is in order of the evaluation count in a given time interval. The policy engine selects a policy from the one or more policies in that order, such that policy 1 has a lower evaluation count than policy 2, policy 2 has a lower evaluation count than policy 3, and so on.
[0020] In the preferred embodiment, the user stores policy association information in a policy database 112. The system identifies an applicable access control policy from the one or more access control policies based on the tagging information available in the policy database 112.
[0021] In the preferred embodiment, the policy server 110 facilitates the communication between the client application 114, the policy engine 106, the policy database 112 and the folders of the policies.
[0022] In the preferred embodiment, the client application 114 provides the user details and resource details to the system so that the relevant policy can be identified from the policy server. The system 100 receives the user and resource details and, based on the tagging information, identifies the applicable policies.
[0023] Referring to fig. 3, a method 300 for policy based access control is shown. The process creates and marks the one or more policies to authorize access on a resource.
[0024] At step 302, the process creates one or more access control policies. The policy includes one or more user attributes, one or more resource identifier attributes and an access type. The policy is stored on the policy server under a designated folder created for the application.
[0025] At step 304, the process evaluates the one or more access control policies on the policy server using a policy engine. The evaluation results in a number of evaluation counts for each access control policy within a given time interval.
[0026] At step 306, the process marks each access control policy based on its number of evaluation counts using the policy marking module. The marking order of the access control policies is updated if the evaluation count of the access control policies changes in a given time interval.
[0027] At step 308, the system tags the policy to the resource automatically if the policy file contains resource details; this tag is created when the policy is created in the system. However, in some cases the policy file does not contain resource information, and then the user needs to associate the policy with the resource, whereupon the backend tags the policy to the resource by storing the association information in the database.
[0028] Finally, at step 310, the process identifies an applicable access control policy from the one or more access control policies based on the tagging information stored in the database. The policy engine evaluates the identified access control policies, wherein the evaluation follows the marking order of the identified applicable policies.
[0029] Referring to fig. 4, the process analyzes one or more tagged policy results held in the cache for the user's authorization request, wherein the analysis determines whether to skip or to continue with the evaluation. The policy evaluation is skipped if the policy result for the authorization request is found in the cache. The system stores a policy evaluation result in the cache if the time taken to evaluate the policy exceeds the value specified in the configuration file. The policy result is deleted from the cache if the policy file is updated.
[0030] In one embodiment, the system archives the associated policies that are not evaluated in a given period of time. The policy server 110 continuously monitors the evaluation count of the policies. If the evaluation count is zero or has not changed for a pre-defined period of time, it archives the policy and informs the owner of the policy. The policy owner may act on the notification, check the archived policies and either modify the policy and make it active again, or delete the policy if it is no longer applicable.
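The cache behaviour of fig. 4 and the archiving of [0030], as an added Python example that is not code from the patent or from the applicant. The configuration keys, the version number that stands in for "policy file updated", the injected clock, the sample records and the evaluation stub are assumptions; the archiving rule implemented is "allow count unchanged for the configured period", which also covers a policy whose count is still zero.

```python
# Added example (not code from the patent or its applicant): result caching
# with a slowness threshold and invalidation on policy update, plus archiving
# of policies whose allow count has not changed for a configured period.
from dataclasses import dataclass
from typing import Callable

# Constructed configuration standing in for the configuration file of fig. 4.
CONFIG = {"cache_if_slower_than_s": 0.05, "archive_after_s": 30 * 86400}


@dataclass
class PolicyRecord:
    policy_id: str
    owner: str
    version: int = 1                # bumped whenever the policy file is updated
    allow_count: int = 0
    count_changed_at: float = 0.0   # when the count last changed (creation time initially)
    archived: bool = False


class ResultCache:
    """Cache of (policy, version, user attributes, resource, access) -> decision."""

    def __init__(self):
        self._entries: dict = {}

    @staticmethod
    def key(record: PolicyRecord, user: dict, resource_id: str, access_type: str) -> tuple:
        return (record.policy_id, record.version, frozenset(user.items()), resource_id, access_type)

    def lookup(self, key: tuple):
        return self._entries.get(key)

    def store(self, key: tuple, decision: str) -> None:
        self._entries[key] = decision

    def invalidate_policy(self, policy_id: str) -> int:
        """Drop every cached result of one policy (fig. 4: policy file updated)."""
        stale = [k for k in self._entries if k[0] == policy_id]
        for k in stale:
            del self._entries[k]
        return len(stale)

    def __len__(self) -> int:
        return len(self._entries)


class FakeClock:
    """Deterministic clock for the example: each reading advances by a fixed step."""

    def __init__(self, start: float = 0.0, step_s: float = 0.0):
        self.now, self.step = start, step_s

    def __call__(self) -> float:
        self.now += self.step
        return self.now


def evaluate_with_cache(record, user, resource_id, access_type, evaluate, cache, clock):
    """Return (decision, skipped). A cache hit skips evaluation; a fresh result is
    cached only if evaluating took longer than CONFIG['cache_if_slower_than_s']."""
    key = ResultCache.key(record, user, resource_id, access_type)
    hit = cache.lookup(key)
    if hit is not None:
        return hit, True
    started = clock()
    decision = evaluate(user, resource_id, access_type)
    elapsed = clock() - started
    if decision == "allow":                 # only allow results are counted
        record.allow_count += 1
        record.count_changed_at = started
    if elapsed > CONFIG["cache_if_slower_than_s"]:
        cache.store(key, decision)
    return decision, False


def update_policy(record: PolicyRecord, cache: ResultCache) -> int:
    """Policy file updated: bump the version and purge its cached results."""
    record.version += 1
    return cache.invalidate_policy(record.policy_id)


def archive_stale_policies(records, now: float, notify: Callable[[str, str], None]) -> list:
    """Archive policies whose allow count has not changed for CONFIG['archive_after_s']
    and notify each owner; returns the archived policy ids."""
    archived = []
    for r in records:
        if not r.archived and now - r.count_changed_at >= CONFIG["archive_after_s"]:
            r.archived = True
            notify(r.owner, r.policy_id)
            archived.append(r.policy_id)
    return archived


def slow_allow(user, resource_id, access_type) -> str:
    """Constructed stand-in for a policy evaluation; the clock supplies its duration."""
    return "allow" if user.get("role") == "analyst" and access_type == "open" else "deny"


def run_demo() -> dict:
    cache = ResultCache()
    rec = PolicyRecord("p-doc1-open", owner="alice", count_changed_at=0.0)
    clock = FakeClock(start=100.0, step_s=0.1)       # each evaluation appears to take 0.1 s
    user = {"role": "analyst"}
    first = evaluate_with_cache(rec, user, "doc-1", "open", slow_allow, cache, clock)
    second = evaluate_with_cache(rec, user, "doc-1", "open", slow_allow, cache, clock)
    purged = update_policy(rec, cache)               # policy file edited: cache entry dropped
    third = evaluate_with_cache(rec, user, "doc-1", "open", slow_allow, cache, clock)
    notices = []
    archived = archive_stale_policies(
        [rec, PolicyRecord("p-old", "bob", count_changed_at=0.0)],
        now=100.0 + CONFIG["archive_after_s"], notify=lambda o, p: notices.append((o, p)))
    return {"first": first, "second": second, "purged": purged, "third": third,
            "archived": archived, "notices": notices, "cached": len(cache)}


if __name__ == "__main__":
    print(run_demo())
```

Keying the cache on the policy version is what makes "delete the result when the policy file is updated" cheap: an edit only bumps the version, and any entry under the old version can no longer be hit even before the purge runs.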
[0031] The written description describes the subject matter herein to enable any person skilled in the art to make and use the embodiments. The scope of the subject matter embodiments is defined by the claims and may include other modifications that occur to those skilled in the art. Such other modifications are intended to be within the scope of the claims if they have similar elements that do not differ from the literal language of the claims or if they include equivalent elements with insubstantial differences from the literal language of the claims.
[0032] A system and method for policy creation and evaluation in policy based access control. In this framework, a policy is created to control access to a resource. In the process of evaluating policies, the system marks, with a code, the policies that are evaluated more often in a given time interval by the policy engine. The policy includes users’ attributes, resource identifiers and an access type, and is stored on the policy server under a designated folder. The process automatically tags a policy to the resource based on the resource attribute information in the policy. When a user attempts to access the resource, the system receives the user details and resource details. Further, the system identifies applicable policies based on the tagging information stored in the database, and it evaluates the policies that are marked and available on the resource before evaluating the policies that are associated with multiple resources.
[0033] The embodiments of the present disclosure address the problem of inefficiency in policy creation, searching and evaluation. In current systems, the policy engine needs to search for the applicable policies and then evaluate each and every policy to find those that apply; in some cases it evaluates policies that are not related to the resource, and because of that, system performance degrades as the number of policy files in the system grows. To grant a user access to the resource, it has to evaluate multiple policies to check whether the user is allowed access.
[0034] It is, however, to be understood that the scope of the protection extends to such a program and, in addition, to a computer-readable means having a message therein; such computer-readable storage means contain program-code means for implementation of one or more steps of the method, when the program runs on a server or mobile device or any suitable programmable device. The hardware device can be any kind of device which can be programmed, including e.g. any kind of computer such as a server or a personal computer, or the like, or any combination thereof. The device may also include means which could be e.g. hardware means like an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or a combination of hardware and software means, e.g. an ASIC and an FPGA, or at least one microprocessor and at least one memory with software modules located therein. Thus, the means can include both hardware means and software means. The method embodiments described herein could be implemented in hardware and software. The device may also include software means. Alternatively, the embodiments may be implemented on different hardware devices, e.g. using a plurality of CPUs.
[0035] The embodiments herein can comprise hardware and software elements. The embodiments that are implemented in software include but are not limited to, firmware, resident software, microcode, etc. The functions performed by various modules described herein may be implemented in other modules or combinations of other modules. For the purposes of this description, a computer-usable or computer readable medium can be any apparatus that can comprise, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
[0036] The medium can be an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system (or apparatus or device) or a propagation medium. Examples of a computer-readable medium include a semiconductor or solid state memory, magnetic tape, a removable computer diskette, a random access memory (RAM), a read-only memory (ROM), a rigid magnetic disk and an optical disk. Current examples of optical disks include compact disk-read only memory (CD-ROM), compact disk-read/write (CD-R/W) and DVD.
[0037] A data processing system suitable for storing and/or executing program code will include at least one processor coupled directly or indirectly to memory elements through a system bus. The memory elements can include local memory employed during actual execution of the program code, bulk storage, and cache memories which provide temporary storage of at least some program code in order to reduce the number of times code must be retrieved from bulk storage during execution.
[0038] Input/output (I/O) devices (including but not limited to keyboards, displays, pointing devices, etc.) can be coupled to the system either directly or through intervening I/O controllers. Network adapters may also be coupled to the system to enable the data processing system to become coupled to other data processing systems or remote printers or storage devices through intervening private or public networks. Modems, cable modem and Ethernet cards are just a few of the currently available types of network adapters.
[0039] A representative hardware environment for practicing the embodiments may include a hardware configuration of an information handling/computer system in accordance with the embodiments herein. The system herein comprises at least one processor or central processing unit (CPU). The CPUs are interconnected via a system bus to various devices such as a random access memory (RAM), read-only memory (ROM), and an input/output (I/O) adapter. The I/O adapter can connect to peripheral devices, such as disk units and tape drives, or other program storage devices that are readable by the system. The system can read the inventive instructions on the program storage devices and follow these instructions to execute the methodology of the embodiments herein.
[0040] The system further includes a user interface adapter that connects a keyboard, mouse, speaker, microphone, and/or other user interface devices such as a touch screen device (not shown) to the bus to gather user input. Additionally, a communication adapter connects the bus to a data processing network, and a display adapter connects the bus to a display device which may be embodied as an output device such as a monitor, printer, or transmitter, for example.
[0041] The preceding description has been presented with reference to various embodiments. Persons having ordinary skill in the art and technology to which this application pertains will appreciate that alterations and changes in the described structures and methods of operation can be practiced without meaningfully departing from the principle, spirit and scope.
I/We Claim:
1. A method for policy based access control, wherein the method comprising steps of:
creating one or more access control policies to authorize access on a resource, wherein the policy comprising one or more user attributes, one or more resource identifier attributes and access type;
evaluating the one or more access control policies on a policy server using a policy engine, wherein the evaluation results in a number of evaluation counts of each access control policy within a given time interval;
marking each access control policy based on the number of evaluation counts of the policy engine, wherein the marking order of the access control policy is updated if the number of evaluation count of the access control policies changes in a given time interval; and
tagging the access control policies with at least one resource based on the resource attribute information in each of the access control policies.
2. The method claimed in claim 1, further comprising:
identifying an applicable access control policy from the one or more access control policies based on tagging information stored in the database; and
evaluating the identified access control policies on the policy server using a policy engine, wherein the evaluation is based on marking order of the identified applicable policies.
3. The method claimed in claim 1, further comprising:
analyzing one or more tagged policy results in cache for the authorization request of the user, wherein the analysis provides either to skip or to continue with the evaluation; and
skipping the policy evaluation, if the policy result for an authorization request is found in the cache.
4. The method claimed in claim 1, wherein the access control arrangement receives resource and user details from the client application.
5. The method claimed in claim 1, wherein the access control arrangement identifies at least one associated access control policy for the resource by verifying the marking of the tagged policies.
6. The method claimed in claim 1, wherein each access control policy is associated with at least one resource.
7. The method claimed in claim 1, wherein the marking is a process to mark a code to each access control policy based on resource.
8. The method claimed in claim 1, wherein the policy engine evaluates the one or more policies comprising steps of:
assessing one or more access control policies based on the tagging information from the database;
evaluating each access control policy based on marking order of policies; and
updating the marking order based on the change in evaluation count of the associated access control policy.
9. A system for policy based access control, wherein the system comprising:
a memory having one or more computer readable instructions;
at least one processor communicatively coupled with the memory, wherein the at least one processor executing one or more steps of:
creating one or more access control policies to authorize access on a resource, wherein the policy comprising one or more user attributes, one or more resource identifier attributes and access type;
evaluating the one or more access control policies on a policy server using a policy engine, wherein the evaluation results in number of evaluation counts of each access control policy within a given time interval;
marking each access control policy based on the number of evaluation counts of the policy engine of the framework, wherein the marking order of the access control policy is updated if the output of evaluation count of the access control policies changes in a given time interval, and
tagging the access control policies with at least one resource based on the resource attribute information in each of the access control policies.
10. The system claimed in claim 9, wherein the system is configured to execute one or more steps of:
identifying an applicable access control policy from the one or more access control policies based on tagging information stored in the database; and
evaluating the identified access control policies on the policy server using a policy engine, wherein the evaluation is based on marking order of the identified applicable policies.
11. The system claimed in claim 9, wherein the system is configured to execute one or more steps of:
analyzing one or more tagged policy results in cache for the authorization request of the user, wherein the analysis provides either to skip or to continue with the evaluation; and
skipping the policy evaluation, if the policy result for an authorization request is found in the cache.
| # | Name | Date |
|---|---|---|
| 1 | Form 5 [01-03-2017(online)].pdf | 2017-03-01 |
| 2 | Form 3 [01-03-2017(online)].pdf | 2017-03-01 |
| 3 | Form 18 [01-03-2017(online)].pdf_304.pdf | 2017-03-01 |
| 4 | Form 18 [01-03-2017(online)].pdf | 2017-03-01 |
| 5 | Drawing [01-03-2017(online)].pdf | 2017-03-01 |
| 6 | Description(Complete) [01-03-2017(online)].pdf_303.pdf | 2017-03-01 |
| 7 | Description(Complete) [01-03-2017(online)].pdf | 2017-03-01 |
| 8 | Other Patent Document [16-05-2017(online)].pdf | 2017-05-16 |
| 9 | Form 26 [16-05-2017(online)].pdf | 2017-05-16 |
| 10 | 201721007329-ORIGINAL UNDER RULE 6 (1A)-18-05-2017.pdf | 2017-05-18 |
| 11 | 201721007329-ORIGINAL UNDER RULE 6 (1A)-18-05-2017....pdf | 2017-05-18 |
| 12 | Abstract1.jpg | 2018-08-11 |
| 13 | SEARCHE_26-06-2020.pdf | |
| 14 | 201721007329-FER.pdf | 2020-06-29 |
| 15 | 201721007329-CLAIMS [24-12-2020(online)].pdf | 2020-12-24 |
| 16 | 201721007329-FER_SER_REPLY [24-12-2020(online)].pdf | 2020-12-24 |
| 17 | 201721007329-PatentCertificate18-01-2024.pdf | 2024-01-18 |
| 18 | 201721007329-IntimationOfGrant18-01-2024.pdf | 2024-01-18 |