FORM 2
THE PATENTS ACT, 1970
(39 of 1970)
&
THE PATENT RULES, 2003
COMPLETE SPECIFICATION (See Section 10 and Rule 13)
Title of invention:
METHOD AND SYSTEM FOR PROVIDING ACCESS CONTROL TO
NEAREST ASSOCIATED RESOURCE
Applicant
Tata Consultancy Services Limited
A company Incorporated in India under the Companies Act, 1956
Having address:
Nirmal Building, 9th floor,
Nariman point, Mumbai 400021,
Maharashtra, India
Preamble to the description
The following specification particularly describes the invention and the manner in which it is to be performed.

TECHNICAL FIELD [001] The disclosure herein generally relates to the field of access control and more specifically, to a system and method for providing access to associated resources of an accessible resource in an enterprise.
BACKGROUND
[002] Enterprise access control has some distinct characteristics from other domains. Though, the enterprise access control characteristics have undergone many changes due to the number of ways information can be consumed, provided, used, disseminated in a distributed, and mobile environment. To tackle these access control needs, access control models have also gone through changes. These changes led to complexity and inefficiency in access enforcement.
[003] Usually, resources in the enterprise are associated with different entities such as project, location, account, unit etc. which requires association-based access control. Thus, the user is associated to the resources in some manner. In general, administrator provides access to the resources by creating policies. In enterprises, multiple users and multiple resources are maintained. To provide access to each of the resources, the administrator needs to put a lot of effort in creating the policies and identifying the access privileges for each of the policies.
SUMMARY
[004] Embodiments of the disclosure present technological improvements as solutions to one or more of the above-mentioned technical problems recognized by the inventors in conventional systems. For example, in one embodiment, a method and system for providing access of associated resources in an enterprise is provided.
[005] In one aspect, a processor-implemented method for providing access of associated resources in an enterprise is provided. It would be appreciated that the administrator provides access to the resource and that resource is called accessible resource and the resources that are associated with the accessible resource through same entity or different entity and that resources are called associated resources.

The method includes one or more steps such as receiving a request from a user to get access of plurality of associated resources of an accessible resource, and fetching one or more credentials of the user, a usage history information and nature of plurality of associated resource to be accessed, evaluating the access control policy to determine an association of the accessible resource with the plurality of associated resources, identify a relationship path with at least one nearest accessible resources to provide access to the plurality of associated resources. Herein, the relationship path is in graphical format based on a Resource Description Framework (RDF) and recommending a new access control policy for the plurality of associated resources in accordance with the identified dynamic relationship path. Herein, the new access control policy having a corresponding set of privilege access rights related to the plurality of associated resources.
[006] In another aspect, a system is configured for providing access to the associated resources in an enterprise is provided. The system includes an input/output interface configured to receive request from a user to get access of plurality of associated resources of an accessible resource, fetch one or more credentials of the user, a usage history information and nature of plurality of associated resource to be accessed, and evaluate the access control policy to determine an association of the accessible resource with the plurality of associated resources. It would be appreciated that the administrator provides access to the resource and that resource is called accessible resource and the user does not have access permission on the resource, but it is associated with the accessible resource those resource is called associated resources. Further, the system is configured to identify a relationship path between the accessible resource and the associated resources to provide access to the plurality of associated resources. Herein, the relationship path is in graphical format based on a Resource Description Framework (RDF). The system further recommends a new access control policy for the plurality of associated resources in accordance with the identified dynamic relationship path. Herein, the new access control policy having a corresponding set of privilege access rights related to the plurality of associated resources.
[007] In yet another aspect, one or more non-transitory machine-readable

information storage mediums are provided comprising one or more instructions, which when executed by one or more hardware processors causes a method for providing access of associated resources in an enterprise is provided. It would be appreciated that the administrator provides access to the resource and that resource is called accessible resource and the user does not have access permission on the resource, but it is associated with the accessible resource those resource is called associated resources. The method includes one or more steps such as receiving, via an input/output interface, a request from a user to get access of plurality of associated resources of an accessible resource, and fetching one or more credentials of the user, a usage history information and nature of plurality of associated resource to be accessed, evaluating the access control policy to determine an association of the accessible resource with the plurality of associated resources. Further, the method includes identifying the relationship path between the accessible resource and the associated resource and use that relationship path for providing access to the associated resources. , Herein, the relationship path is in graphical format based on a Resource Description Framework (RDF). Furthermore, the method includes recommending a new access control policy for the plurality of associated resources in accordance with the identified dynamic relationship path. Herein, the new access control policy having a corresponding set of privilege access rights related to the plurality of associated resources.
[008] It is to be understood that the foregoing general descriptions and the following detailed description are exemplary and explanatory only and are not restrictive of the invention, as claimed.
BRIEF DESCRIPTION OF THE DRAWINGS [009] The accompanying drawings, which are incorporated in and
constitute a part of this disclosure, illustrate exemplary embodiments and, together
with the description, serve to explain the disclosed principles:
[010] FIG. 1 illustrates a network diagram of an exemplary system for
providing access of associated resources in an enterprise, according to an
embodiment of the present disclosure.

[011] FIG. 2 is a flow diagram to illustrate a method for providing access of associated resources in an enterprise, in accordance with some embodiments of the present disclosure.
[012] It should be appreciated by those skilled in the art that any block diagrams herein represent conceptual views of illustrative systems and devices embodying the principles of the present subject matter. Similarly, it will be appreciated that any flow charts, flow diagrams, and the like represent various processes, which may be substantially represented in computer readable medium and so executed by a computer or processor, whether or not such computer or processor is explicitly shown.
DETAILED DESCRIPTION OF EMBODIMENTS [013] Exemplary embodiments are described with reference to the accompanying drawings. In the figures, the left-most digit(s) of a reference number identifies the figure in which the reference number first appears. Wherever convenient, the same reference numbers are used throughout the drawings to refer to the same or like parts. While examples and features of disclosed principles are described herein, modifications, adaptations, and other implementations are possible without departing from the scope of the disclosed embodiments.
[014] The embodiments herein provide a method and system for providing access of associated resources in an enterprise. It has been observed that in an enterprise access control has some distinct characteristics from other domains. Herein, the resources are associated with different entities such as project, location, account, unit etc. which requires associated based access control that is user associated to resource in some manner.
[015] In enterprise applications when a relationship-based access control is used for controlling the resource access, every accessible resource has a relationship with the associated resources and based on relationship the access is provided. The multiple resources are associated to the entities directly or indirectly. Administrator or relevant stakeholders configures entities and corresponding resources. Entities are a superset of resources which may or may not require any

access privileges. For example, a project is an entity for which access privileges are not associated. Whereas work zone is an entity where access is required. Entities are classified according to sensitivity of information it handles, critically of projects. When administrator configures entities/resources, relationships are created between them. These are called static relations which my not change as a consequence of user actions. There are dynamic relations which are created between a user and the resource and access privileges to the resources are dependent on the various factors such as classification, threat, impact, and risk. Relationship paths are maintained in the relationship database.
[016] In one instance, administrator manually provides access to the users to the resources by creating a policy. The resources are associated to the entities. In some cases, the user need access to the associated resources. To provide access permission to the nearest resources, the system verifies the resource association with the accessible resource and based on that it provides access permission.
[017] In yet another instance, the privilege access rights are provided to users who got access to the associated resource dynamically. Privileges are grouped according to their sensitivity. For example, view is a very low sensitive privilege, view & edit are medium sensitive privilege, whereas copy, print, download, are high privileged. They are grouped and associated with a resource at the time of access. Based on the user authority, user trust, device, provided privilege access rights in historical access, the privilege access rights are evaluated.
[018] Referring now to the drawings, and more particularly to FIG. 1 through FIG. 2, where similar reference characters denote corresponding features consistently throughout the figures, there are shown preferred embodiments and these embodiments are described in the context of the following exemplary system and/or method.
[019] FIG. 1 illustrates a block diagram of a system (100) for providing access to associated resources of an accessible resource in an enterprise , in accordance with an example embodiment. Although the present disclosure is explained considering that the system (100) is implemented on a server, it may be understood that the system (100) may comprise one or more computing devices

(102), such as a laptop computer, a desktop computer, a notebook, a workstation, a cloud-based computing environment and the like. It will be understood that the system (100) may be accessed through one or more input/output interfaces 104-1, 104-2... 104-N, collectively referred to as I/O interface (104). Examples of the I/O interface (104) may include, but are not limited to, a user interface, a portable computer, a personal digital assistant, a handheld device, a smartphone, a tablet computer, a workstation, and the like. The I/O interface (104) are communicatively coupled to the system (100) through a network (106).
[020] In an embodiment, the network (106) may be a wireless or a wired network, or a combination thereof. In an example, the network (106) can be implemented as a computer network, as one of the different types of networks, such as virtual private network (VPN), intranet, local area network (LAN), wide area network (WAN), the internet, and such. The network (106) may either be a dedicated network or a shared network, which represents an association of the different types of networks that use a variety of protocols, for example, Hypertext Transfer Protocol (HTTP), Transmission Control Protocol/Internet Protocol (TCP/IP), and Wireless Application Protocol (WAP), to communicate with each other. Further, the network (106) may include a variety of network devices, including routers, bridges, servers, computing devices, storage devices. The network devices within the network (106) may interact with the system (100) through communication links.
[021] The system (100) supports various connectivity options such as BLUETOOTH®, USB, ZigBee, and other cellular services. The network environment enables connection of various components of the system (100) using any communication link including Internet, WAN, MAN, and so on. In an exemplary embodiment, the system (100) is implemented to operate as a stand-alone device. In another embodiment, the system (100) may be implemented to work as a loosely coupled device to a smart computing environment. Further, the system (100) comprises at least one memory with a plurality of instructions, one or more databases (112), and one or more hardware processors (108) which are communicatively coupled with the at least one memory to execute a plurality of

modules (114) therein. The components and functionalities of the system (100) are described further in detail.
[022] In the preferred embodiment, the system (100) is configured to receive a request from a user to get access of plurality of associated resources of an accessible resource. It is to be noted that an access control policy is provided by an administrator regarding the accessible resource. The administrator captures all the units’ account details, project details and its resource details and stores in a graphical format such as Resource Description Framework (RDF) format. In the enterprises, relationship hierarchy can be based on role or designation. For each user relationship, authority is assigned, which indicates user may have elevated privileges based on other factors. Each relationship is assigned authority. Based on authority, the access privileges are affected. Authority decreases if resource is assigned to an entity that is higher than the user relationship path with entity. For example, if user is associated with a project as project leader attempts to access a resource associated with entity unit, his authority is reduced.
[023] It would be appreciated that, when a new unit is created in the system (100), the system (100) stores the unit details in the graph format. A unit has multiple accounts and each account maintains multiple projects. Each project maintains multiple resources. Every user has a relationship path with the resources in the unit. The administrator provides access to one of the resources based on relationship path. When user attempts to access the resource that user does not have access any permission. The system (100) checks the resource is associated with any of the nearest accessible resource that user got access through administrator. The system (100) uses the graph, to identify the relationship path between the resource and the accessible resource. The system (100) traverses through the nodes of the graph to identify the relationship path if they are not tagged to same entity or identifies the relationship path when two resource nodes tagged to single entity. The system (100) uses the identified relationship path for providing access to the associated resource.
[024] In one instance, wherein the accessible resource in the enterprise has association with different entities such as project, location, account, unit etc. which requires association based access control and the user is associated to the resource

in some manner. In the enterprise when a relationship-based access control is used for controlling the resource access, every user has a relationship path with the resource and based on that access is provided. It would be appreciated that in every enterprises multiple resources are associated to the entities directly or indirectly.
[025] In one example, wherein an administrator provides access to one or more software developers to access the Offshore Delivery Centre -1 (ODC-1) by creating an access policy. A project-1 is executing in ODC-1 and Offshore Delivery Centre -2(ODC-2). The one or more developers need access to ODC-2. The system determines an association of ODC-1 and ODC-2 through project-1. Based on association the system provides access dynamically by creating a new policy. The system uses the relationship path ODC-1 to ODC-2 i.e. ODC-1> Project-1 > ODC-2.
[026] In another embodiment, the system (100) fetches one or more credentials of the user, a usage history information and nature of plurality of associated resource to be accessed. Herein, the usage history information is generated as a result of previously accessed the accessible resource.
[027] Further, the system (100) is configured to evaluate the administrator created access control policy based on the fetched one or more credentials of the user, the usage history information and the nature of plurality of associated resource to determine an association of the accessible resource with the plurality of associated resources.
[028] In one example, wherein an administrator of a project A, provides access to a user U to an ODC-1 by creating a policy. When, the user U attempts to access a resource i.e. a Linux Server of an ODC-2, the system (100) checks the relationship path of the user U with the ODC-2 and the resource. If the relationship path exists, the system (100) grants access permission dynamically by creating the access policy based on relationship path i.e. ODC-1> Project-1> ODC-2 > Linux server with minimal access privileges. After granting the access permission with the minimal access privilege, the user U can request for additional privileges. When user U request for additional privileges, the system (100) evaluates the access privilege.

[029] In the preferred embodiment, the system (100) is configured to identify a relationship path of the user to provide access to at least one nearest associated resource of the plurality of associated resources. Herein, the relationship path is in graphical format based on a Resource Description Framework (RDF). Further, the system (100) verifies type of both the resources. If the resource type of both the resource are same, the system (100) builds a relationship path by taking project entity. Whereas the resource type of both the resources are different, the system (100) traverses through the graph and identify the relationship path between the plurality of associated resource and the accessible resource. Further, the system (100) uses the identified relationship path using the accessible resource and the associated resource details. Furthermore, to provide access to the nearest resource, the system (100) verifies the resource association with the accessible resource and based on that, the system creates a dynamic relationship path.
[030] In another example, the user got access to the resource ODC-1 through administrator. The user attempts to access a Linux Server that belong to ODC-1. The system identifies the relationship path between the ODC-1 and the Linux server. The system (100) provides access to the Linux server dynamically using the relationship path.
[031] In the preferred embodiment, wherein the system (100) is configured to recommend a new access control policy for the at least one nearest associated resource in accordance with the identified relationship path and the evaluated usage history information of the administrator created access control policy.
[032] The new access control policy having a corresponding set of privilege access rights related to the plurality of associated resources. It is to be noted that a machine learning supervise learning model is used to identify the privilege access rights to the user who got access permission to the plurality of associated resources. If the system (100) does not receive any usage history information, the privilege access rights are determined based on the provided access rights to the resource using the new access control policy.
[033] In another instance, wherein the administrator revokes access to the plurality of associated resources provided based on the new access control policy,

the access to the associated resources are revoked dynamically when administrator revokes access to the accessible resource. It is to be noted that the privilege rights for the resources are grouped according to their sensitivity.
[034] Referring FIG. 2, to illustrate a processor-implemented method (200) for providing access to associated resources of an accessible resource in an enterprise, in accordance with an example embodiment.
[035] Initially, at the step (202), receiving, via an input/output interface, a request from a user to get access to plurality of associated resources of an accessible resource, wherein an access control policy is provided by the administrator regarding the accessible resource.
[036] At the next step (204), fetching one or more credentials of the user, a usage history information and nature of plurality of associated resource to be accessed. The usage history information is generated as a result of previously accessed the accessible resource.
[037] At the next step (206), evaluating the access control policy to assess association of the accessible resource with the plurality of associated resources.
[038] At the next step (208), inferring a relationship path of the user to provide access to at least one associated resource of the plurality of associated resources. The relationship path is in graphical format based on a Resource Description Framework (RDF). The nature of the accessible resource and the plurality of associated resources are used to identify the relationship path. It is to be noted that SPARQL language is used for identifying the relationship path between accessible resource and the plurality of associated resource.
[039] At the last step (210), recommending a new access control policy for the at least one nearest associated resource in accordance with the inferred dynamic relationship path. The new access control policy having a corresponding set of privilege access rights related to the plurality of associated resources. The set of privileged access rights are determined based on the one or more credentials of the user, and the usage history information. The access to the associated resources is revoked dynamically when the administrator revokes access of the accessible resource.

[040] The written description describes the subject matter herein to enable any person skilled in the art to make and use the embodiments. The scope of the subject matter embodiments is defined by the claims and may include other modifications that occur to those skilled in the art. Such other modifications are intended to be within the scope of the claims if they have similar elements that do not differ from the literal language of the claims or if they include equivalent elements with insubstantial differences from the literal language of the claims.
[041] The embodiments of present disclosure herein address unresolved problem of administrator provides access to the resources. In Enterprise applications, multiple users and multiple resource are maintained. The administrator needs to put a lot of effort in creating the access policies and for identifying access privileges for each of the policy. The embodiments herein provide a method and system for providing access control to a nearest associated resource of an accessible resource. Administrator provides an access control policy regarding the accessible resource. The system fetches user credentials, usage history information and nature of associated resources to be accessed to evaluate association of associated resource with the accessible resource. Further, the system infers a relationship path of the user for providing access to nearest associated resource. The system recommends a new access control policy in accordance with the inferred relationship path for providing access control.
[042] It is to be understood that the scope of the protection is extended to such a program and in addition to a computer-readable means having a message therein; such computer-readable storage means contain program-code means for implementation of one or more steps of the method, when the program runs on a server or mobile device or any suitable programmable device. The hardware device can be any kind of device which can be programmed including e.g., any kind of computer like a server or a personal computer, or the like, or any combination thereof. The device may also include means which could be e.g., hardware means like e.g., an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or a combination of hardware and software means, e.g., an ASIC and an FPGA, or at least one microprocessor and at least one memory with software

modules located therein. Thus, the means can include both hardware means, and software means. The method embodiments described herein could be implemented in hardware and software. The device may also include software means. Alternatively, the embodiments may be implemented on different hardware devices, e.g., using a plurality of CPUs.
[043] The embodiments herein can comprise hardware and software elements. The embodiments that are implemented in software include but are not limited to, firmware, resident software, microcode, etc. The functions performed by various modules described herein may be implemented in other modules or combinations of other modules. For the purposes of this description, a computer-usable or computer readable medium can be any apparatus that can comprise, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
[044] The illustrated steps are set out to explain the exemplary embodiments shown, and it should be anticipated that ongoing technological development will change the manner in which particular functions are performed. These examples are presented herein for purposes of illustration, and not limitation. Further, the boundaries of the functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternative boundaries can be defined so long as the specified functions and relationships thereof are appropriately performed. Alternatives (including equivalents, extensions, variations, deviations, etc., of those described herein) will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein. Such alternatives fall within the scope of the disclosed embodiments. Also, the words “comprising,” “having,” “containing,” and “including,” and other similar forms are intended to be equivalent in meaning and be open ended in that an item or items following any one of these words is not meant to be an exhaustive listing of such item or items, or meant to be limited to only the listed item or items. It must also be noted that as used herein and in the appended claims, the singular forms “a,” “an,” and “the” include plural references unless the context clearly dictates otherwise.
[045] Furthermore, one or more computer-readable storage media may be

utilized in implementing embodiments consistent with the present disclosure. A computer-readable storage medium refers to any type of physical memory on which information or data readable by a processor may be stored. Thus, a computer-readable storage medium may store instructions for execution by one or more processors, including instructions for causing the processor(s) to perform steps or stages consistent with the embodiments described herein. The term “computer-readable medium” should be understood to include tangible items and exclude carrier waves and transient signals, i.e., be non-transitory. Examples include random access memory (RAM), read-only memory (ROM), volatile memory, nonvolatile memory, hard drives, CD ROMs, DVDs, flash drives, disks, and any other known physical storage media.
[046] It is intended that the disclosure and examples be considered as exemplary only, with a true scope of disclosed embodiments being indicated by the following claims.

We Claim:
1. A processor-implemented method (200) comprising:
receiving (202), via an input/output interface (104), a request from a user to get access to a plurality of associated resources of an accessible resource, wherein the accessible resource has an access control policy provided by an administrator;
fetching (204), via a one or more hardware processors (108), a usage history information and a nature of the plurality of associated resources to determine an association of the accessible resource with the plurality of associated resources, wherein the usage history information is generated as a result of a previously accessed accessible resource;
evaluating (206), via the one or more hardware processors (108), the access control policy to assess the association of the accessible resource with the plurality of associated resources;
inferring (208), via the one or more hardware processors (108), a relationship path of the user with each of the plurality of associated resources to determine at least one nearest associated resource of plurality of associated resources based on the relationship with the accessible resource, wherein the relationship path is stored in a graphical format; and
recommending (210), via the one or more hardware processors (108), a new access control policy for the at least one nearest associated resource in accordance with the inferred relationship path, wherein the new access control policy having a corresponding set of privilege access rights provided to the plurality of associated resources.
2. The processor-implemented method (200) of claim 1, wherein the nature of
the accessible resource and the plurality of associated resources are used to
identify the relationship path.

3. The processor-implemented method (200) of claim 1, wherein the set of privilege access rights are determined based on the usage history information.
4. The processor-implemented method (200) of claim 1, wherein the access to the plurality of associated resources are revoked dynamically when the administrator revokes access of the accessible resource.
5. A system (100) comprising:
an input/output interface (104) to receive a request from a user to get access to a plurality of associated resources of an accessible resource, wherein the accessible resource has an access control policy provided by an administrator; one or more hardware processors (108);
a memory in communication with the one or more hardware processors (108), wherein the one or more hardware processors (108)are configured to execute programmed instructions stored in the memory, to:
fetch a usage history information and a nature of the
plurality of associated resources to determine an association
of the accessible resource with the plurality of associated
resources, wherein the usage history information is
generated as a result of a previously accessed accessible
resource;
evaluate the access control policy to assess the association
of the accessible resource with the plurality of associated
resources;
infer a relationship path of the user with each of the plurality
of associated resources to determine at least one nearest
associated resource of plurality of associated resources
based on the relationship with the accessible resource,

wherein the relationship path is stored in a graphical format;
and
recommend a new access control policy for the at least one
nearest associated resource in accordance with the inferred
relationship path, wherein the new access control policy
having a corresponding set of privilege access rights
provided to the plurality of associated resources.
6. The system (100) of claim 5, wherein the nature of the accessible resource and the plurality of associated resources are used to identify the relationship path.
7. The system (100) of claim 5, wherein the set of privilege access rights are determined based on the usage history information.
8. The system (100) of claim 5, wherein the access to the plurality of associated resources are revoked dynamically when the administrator revokes access of the accessible resource.
9. A non-transitory computer readable medium storing one or more instructions which when executed by one or more processors on a system, cause the one or more processors to perform method comprising:
receiving (202), via an input/output interface (104), a request from a user to get access to a plurality of associated resources of an accessible resource, wherein the accessible resource has an access control policy provided by an administrator;
fetching (204), via a one or more hardware processors (108), a usage history information and a nature of the plurality of associated resources to determine an association of the accessible resource with the plurality of associated resources, wherein the usage history

information is generated as a result of a previously accessed
accessible resource;
evaluating (206), via the one or more hardware processors (108),
the access control policy to assess the association of the accessible
resource with the plurality of associated resources;
inferring (208), via the one or more hardware processors (108), a
relationship path of the user with each of the plurality of associated
resources to determine at least one nearest associated resource of
plurality of associated resources based on the relationship with the
accessible resource, wherein the relationship path is stored in a
graphical format; and
recommending (210), via the one or more hardware processors
(108), a new access control policy for the at least one nearest
associated resource in accordance with the inferred relationship
path, wherein the new access control policy having a corresponding
set of privilege access rights provided to the plurality of associated
resources.