
Method And System To Manage Access Based On Validation Of Compliance Rules

Abstract: In enterprise applications, an administrator manages access to resources for a user. Existing approaches always check whether the user is compliant before granting access to the resources, which requires searching a complex dataset and is time consuming. This disclosure relates to a method to manage access based on validation of compliance rules. One or more parameters are received as an input to generate one or more access policies. The one or more parameters include a relationship path associated with a user, a relationship path associated with one or more resources, information associated with the one or more resources, and one or more compliance rules. A compliance status associated with the one or more access policies is determined based on a relationship path code and a compliance rule code for the compliance rules. Access to the one or more resources for one or more valid users is managed based on the compliance status determined. [To be published with FIG. 2]


Patent Information

Application #
Filing Date
17 May 2022
Publication Number
47/2023
Publication Type
INA
Invention Field
COMMUNICATION
Status
Email
Parent Application

Applicants

Tata Consultancy Services Limited
Nirmal Building, 9th floor, Nariman point, Mumbai 400021, Maharashtra, India

Inventors

1. GOPU, Srinivasa Reddy
Tata Consultancy Services Limited, Deccan Park, Plot No 1, Survey No. 64/2, Software Units Layout, Serilingampally Mandal, Madhapur, Hyderabad 500081, Telangana, India
2. PRAKASH, Vakkalagadda Satya Sai
Tata Consultancy Services Limited, Deccan Park, Plot No 1, Survey No. 64/2, Software Units Layout, Serilingampally Mandal, Madhapur, Hyderabad 500081, Telangana, India
3. REDDY, Rajidi Satish Chandra
Tata Consultancy Services Limited, Deccan Park, Plot No 1, Survey No. 64/2, Software Units Layout, Serilingampally Mandal, Madhapur, Hyderabad 500081, Telangana, India

Specification

Description: FORM 2

THE PATENTS ACT, 1970
(39 of 1970)
&
THE PATENT RULES, 2003

COMPLETE SPECIFICATION
(See Section 10 and Rule 13)

Title of invention:

METHOD AND SYSTEM TO MANAGE ACCESS BASED ON VALIDATION OF COMPLIANCE RULES

Applicant

Tata Consultancy Services Limited
A company Incorporated in India under the Companies Act, 1956
Having address:
Nirmal Building, 9th floor,
Nariman point, Mumbai 400021,
Maharashtra, India

Preamble to the description:
The following specification particularly describes the invention and the manner in which it is to be performed.
TECHNICAL FIELD
[001] The disclosure herein generally relates to access control systems, and, more particularly, to a method and system to manage access based on validation of compliance rules.

BACKGROUND
[002] In enterprise applications, an administrator manages access to resources for a user. The resources are labelled with compliance rules, which may carry a validity for a specific time interval or have no validity. The administrator checks whether the user is compliant with the compliance rules associated with the resources. Existing approaches check whether the user is compliant before granting access to any resource, which requires searching a complex dataset and is a time-consuming process. In current approaches, these checks are performed using queries and require manual effort to identify applicable users and to manage their access. Further, application performance is affected, and maintenance cost is very high. Accordingly, the existing approaches are unsuccessful in identifying compliant users and managing the corresponding access to the resources.

SUMMARY
[003] Embodiments of the present disclosure present technological improvements as solutions to one or more of the above-mentioned technical problems recognized by the inventors in conventional systems. For example, in one aspect, a processor implemented method of managing the access of one or more resources based on the validation of the one or more compliance rules is provided. The processor implemented method includes at least one of: receiving, via one or more hardware processors, one or more parameters as an input; generating, via the one or more hardware processors, one or more access policies based on the one or more parameters; determining, via the one or more hardware processors, a compliance status associated with the one or more access policies based on one or more types of one or more compliance rules; and managing, via the one or more hardware processors, one or more valid users to access one or more resources based on the compliance status determined by the one or more access policies. The one or more parameters include: (i) a relationship path associated with a user, (ii) a relationship path associated with the one or more resources, (iii) an information associated with the one or more resources, and (iv) the one or more compliance rules. The one or more types of the one or more compliance rules include: (a) the one or more compliance rules with a validity period, or (b) the one or more compliance rules without the validity period.
[004] In an embodiment, when the one or more compliance rules have the validity period, the step of determining the compliance status further includes (a) generating, via the one or more hardware processors, a relationship path code for the relationship path associated with the user and the relationship path associated with the one or more resources; and (b) generating, via the one or more hardware processors, a compliance rule code for the one or more compliance rules. In an embodiment, the relationship path code is generated based on two characters for a role associated with the user, and two characters for the one or more resources. In an embodiment, the compliance rule code is generated based on two characters from each of the one or more compliance rules. In an embodiment, when the one or more compliance rules are without the validity period, the step of determining the compliance status further includes generating, via the one or more hardware processors, a relationship path code for the relationship path associated with the user and the relationship path associated with the one or more resources. In an embodiment, the compliance status associated with the user is monitored by running a batch program at a periodic time interval to update an access policy evaluation result. In an embodiment, access for the user is revoked if the user is non-compliant with a compliance rule. In an embodiment, information associated with a non-compliant user is added at a forbidden path of the access policy evaluation result. In an embodiment, access for the user is restored if the user becomes compliant with the previously non-compliant rule, and the access policy evaluation result is updated.
[005] In another aspect, there is provided a system to manage the access of one or more resources based on the validation of the one or more compliance rules. The system includes a memory storing instructions; one or more communication interfaces; and one or more hardware processors coupled to the memory via the one or more communication interfaces, wherein the one or more hardware processors are configured by the instructions to: receive, one or more parameters as an input; generate, one or more access policies based on the one or more parameters; determine, a compliance status associated with the one or more access policies based on one or more types of one or more compliance rules; and manage, one or more valid users to access one or more resources based on the compliance status determined by the one or more access policies. The one or more parameters include: (i) a relationship path associated with a user, (ii) a relationship path associated with the one or more resources, (iii) an information associated with the one or more resources, and (iv) the one or more compliance rules. The one or more types of the one or more compliance rules include: (a) the one or more compliance rules with a validity period, or (b) the one or more compliance rules without the validity period.
[006] In an embodiment, when the one or more compliance rules have the validity period, the one or more hardware processors are further configured by the instructions to determine the compliance status by: (a) generating a relationship path code for the relationship path associated with the user and the relationship path associated with the one or more resources; and (b) generating a compliance rule code for the one or more compliance rules. In an embodiment, the relationship path code is generated based on two characters for a role associated with the user, and two characters for the one or more resources. In an embodiment, the compliance rule code is generated based on two characters from each of the one or more compliance rules. In an embodiment, when the one or more compliance rules are without the validity period, the one or more hardware processors are further configured by the instructions to determine the compliance status by generating a relationship path code for the relationship path associated with the user and the relationship path associated with the one or more resources. In an embodiment, the compliance status associated with the user is monitored by running a batch program at a periodic time interval to update an access policy evaluation result. In an embodiment, access for the user is revoked if the user is non-compliant with one or more compliance rules. In an embodiment, information associated with a non-compliant user is added at a forbidden path of the access policy evaluation result. In an embodiment, access for the user is restored if the user becomes compliant with a previously non-compliant rule, and the access policy evaluation result is updated.
[007] In yet another aspect, there are provided one or more non-transitory machine readable information storage mediums comprising one or more instructions which when executed by one or more hardware processors causes at least one of: receiving, one or more parameters as an input; generating, one or more access policies based on the one or more parameters; determining, a compliance status associated with the one or more access policies based on one or more types of one or more compliance rules; and managing, one or more valid users to access one or more resources based on the compliance status determined by the one or more access policies. The one or more parameters include: (i) a relationship path associated with a user, (ii) a relationship path associated with the one or more resources, (iii) an information associated with the one or more resources, and (iv) the one or more compliance rules. The one or more types of the one or more compliance rules include: (a) the one or more compliance rules with a validity period, or (b) the one or more compliance rules without the validity period.
[008] In an embodiment, when the one or more compliance rules have the validity period, the step of determining the compliance status further includes (a) generating a relationship path code for the relationship path associated with the user and the relationship path associated with the one or more resources; and (b) generating a compliance rule code for the one or more compliance rules. In an embodiment, the relationship path code is generated based on two characters for a role associated with the user, and two characters for the one or more resources. In an embodiment, the compliance rule code is generated based on two characters from each of the one or more compliance rules. In an embodiment, when the one or more compliance rules are without the validity period, the step of determining the compliance status further includes generating a relationship path code for the relationship path associated with the user and the relationship path associated with the one or more resources. In an embodiment, the compliance status associated with the user is monitored by running a batch program at a periodic time interval to update an access policy evaluation result. In an embodiment, access for the user is revoked if the user is non-compliant with a compliance rule. In an embodiment, information associated with a non-compliant user is added at a forbidden path of the access policy evaluation result. In an embodiment, access for the user is restored if the user becomes compliant with the previously non-compliant rule, and the access policy evaluation result is updated.
[009] It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention, as claimed.

BRIEF DESCRIPTION OF THE DRAWINGS
[010] The accompanying drawings, which are incorporated in and constitute a part of this disclosure, illustrate exemplary embodiments and, together with the description, serve to explain the disclosed principles:
[011] FIG. 1 illustrates a block diagram of a system to manage access of one or more resources based on validation of one or more compliance rules, according to some embodiments of the present disclosure.
[012] FIG. 2 illustrates a functional block diagram of the system of FIG. 1, according to some embodiments of the present disclosure.
[013] FIG. 3 is an exemplary flow diagram illustrating a method of managing the access of one or more resources based on the validation of the one or more compliance rules, according to some embodiments of the present disclosure.

DETAILED DESCRIPTION OF EMBODIMENTS
[014] Exemplary embodiments are described with reference to the accompanying drawings. In the figures, the left-most digit(s) of a reference number identifies the figure in which the reference number first appears. Wherever convenient, the same reference numbers are used throughout the drawings to refer to the same or like parts. While examples and features of disclosed principles are described herein, modifications, adaptations, and other implementations are possible without departing from the scope of the disclosed embodiments.
[015] There is a need for an approach to manage the access of one or more resources for a user. Embodiments of the present disclosure provide a method and system to manage access of one or more resources for a user based on validation of one or more compliance rules. The embodiments of the present disclosure provide a relationship-based access control by validation of one or more compliance rules to manage the access of the one or more resources for the user. The embodiments of the present disclosure provide the access to each resource based on one or more access policies. The one or more resources are associated with the one or more compliance rules. The one or more compliance rules may have a validity period or may be without a validity period. The user can access each resource if the user is compliant with the associated compliance rule. When the user is non-compliant, the system identifies one or more access-impacted resources by identifying one or more applicable access policies which utilize the one or more compliance rules. Access to a specific resource is revoked, upon identifying the specific resource, by updating a stored access policy evaluation result. The system utilizes the stored access policy evaluation result to provide the access to the one or more resources. The embodiments of the present disclosure send a notification to the user ‘n’ days in advance to inform the user that access revocation to the one or more resources is to be performed.
[016] Referring now to the drawings, and more particularly to FIGS. 1 through 3, where similar reference characters denote corresponding features consistently throughout the figures, there are shown preferred embodiments and these embodiments are described in the context of the following exemplary system and/or method.
[017] FIG. 1 illustrates a block diagram of a system 100 to manage access of one or more resources based on validation of one or more compliance rules, according to some embodiments of the present disclosure. In an embodiment, the system 100 includes one or more processor(s) 102, communication interface device(s) or input/output (I/O) interface(s) 106, and one or more data storage devices or memory 104 operatively coupled to the one or more processors 102. The memory 104 includes a database. In an embodiment, the database further includes a policy folder and a policy database. The one or more processor(s) 102, the memory 104, and the I/O interface(s) 106 may be coupled by a system bus such as a system bus 108 or a similar mechanism. The system 100 is further connected via the I/O interface(s) 106. The one or more processor(s) 102 that are hardware processors can be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, state machines, logic circuitries, and/or any devices that manipulate signals based on operational instructions. Among other capabilities, the one or more processor(s) 102 are configured to fetch and execute computer-readable instructions stored in the memory 104. In an embodiment, the system 100 can be implemented in a variety of computing systems, such as laptop computers, notebooks, hand-held devices, workstations, mainframe computers, servers, a network cloud, and the like.
[018] The I/O interface device(s) 106 can include a variety of software and hardware interfaces, for example, a web interface, a graphical user interface, and the like. The I/O interface device(s) 106 may include a variety of software and hardware interfaces, for example, interfaces for peripheral device(s), such as a keyboard, a mouse, an external memory, a camera device, and a printer. Further, the I/O interface device(s) 106 may enable the system 100 to communicate with other devices, such as web servers and external databases. The I/O interface device(s) 106 can facilitate multiple communications within a wide variety of networks and protocol types, including wired networks, for example, local area network (LAN), cable, etc., and wireless networks, such as Wireless LAN (WLAN), cellular, or satellite. In an embodiment, the I/O interface device(s) 106 can include one or more ports for connecting a number of devices to one another or to another server.
[019] The memory 104 may include any computer-readable medium known in the art including, for example, volatile memory, such as static random-access memory (SRAM) and dynamic random-access memory (DRAM), and/or non-volatile memory, such as read only memory (ROM), erasable programmable ROM, flash memories, hard disks, optical disks, and magnetic tapes. In an embodiment, the memory 104 includes module(s) 110 and a repository 112 for storing data processed, received, and generated by the module(s) 110. The module(s) 110 may include routines, programs, objects, components, data structures, and so on, which perform particular tasks or implement particular abstract data types.
[020] Further, the database stores information pertaining to inputs fed to the system 100 and/or outputs generated by the system (e.g., data/output generated at each stage of the data processing) 100, specific to the methodology described herein. More specifically, the database stores information being processed at each step of the proposed methodology.
[021] Additionally, the module(s) 110 may include programs or coded instructions that supplement applications and functions of the system 100. The repository 112, amongst other things, includes a system database 114 and other data 116. The other data 116 may include data generated as a result of the execution of one or more modules in the module(s) 110. Further, the database stores information pertaining to inputs fed to the system 100 and/or outputs generated by the system (e.g., at each stage), specific to the methodology described herein. Herein, the memory, for example the memory 104, and the computer program code configured to, with the hardware processor, for example the processor 102, cause the system 100 to perform the various functions described hereunder.
[022] FIG. 2 illustrates a functional block diagram of the system 100 of FIG. 1, according to some embodiments of the present disclosure. The system 200 may be an example of the system 100 (FIG. 1). In an example embodiment, the system 200 may be embodied in, or is in direct communication with, the system, for example the system 100 (FIG. 1). The system 200 is configured to provide a relationship-based access control in an enterprise application. The system 200 includes a user, an admin, a web service application programming interface (API) 202, a policy creation unit 204, resources 206A-N, a code generator 208, and a policy engine 210. The system 200 is configured to receive one or more parameters as an input. In an embodiment, the one or more resources 206A-N correspond to an offshore development center (ODC), documents, a printer, and a server. The policy creation unit 204 is configured to generate the one or more access policies based on the one or more parameters. In an embodiment, the one or more access policies correspond to one or more rules for accessing the one or more resources 206A-N. For example, the one or more access policies may include the one or more compliance rules associated with the one or more resources 206A-N. The one or more parameters correspond to (i) a relationship path associated with the user, (ii) a relationship path associated with the one or more resources 206A-N, (iii) information associated with the one or more resources 206A-N, and (iv) one or more compliance rules. The one or more resources 206A-N are associated with the one or more compliance rules. The system 100 is configured to identify one or more types of the one or more compliance rules.
In an embodiment, the one or more types of the one or more compliance rules correspond to (a) the one or more compliance rules with a validity period (e.g., “Course A” to be completed by the user every one-year time interval, specified with an expiration date and time), or (b) the one or more compliance rules without the validity period (e.g., without any expiration date and time).
[023] The code generator 208 is configured to determine a compliance status associated with the one or more access policies based on (i) a relationship path code, (ii) a compliance rule code, or (iii) a combination thereof. In an embodiment, the relationship path code with the corresponding relationship details is stored in one cache, and the compliance rule code with the corresponding compliance rule details in another cache, for reuse. The code generator 208 is configured to generate (i) the relationship path code for the relationship path associated with the user and the relationship path associated with the one or more resources 206A-N, and (ii) a compliance rule code for the one or more compliance rules, if the one or more compliance rules include the validity period. The relationship path code corresponds to two characters for a role associated with the user, and two characters for the one or more resources 206A-N. The access policy may be created with a file name in a format such as relPathCode_compRuleCode1CompRuleCode2.xml.
[024] For example, every user includes a relationship path with the one or more resources 206A-N i.e.,
(a) TeamMember; ExecutedIn (Team Member to ODC relationship path);
(b) ProjectLeader; ExecutedIn (Project Leader to ODC relationship path);
(c) ProjectLeader; ExecutedIn; BelongsTo (TeamMember to Printer); and
(d) UnitHead; MappedTo; MappedTo; BelongsTo (UnitHead to Documents).
[025] The system 200 maintains a list of words and, using that list, reads the relationship paths and generates one or more meaningful codes for each relationship path, e.g., TeamMember; ExecutedIn; BelongsTo (relationship path between TeamMember and Documents). For example, the list of words corresponds to Team, Member, Executed, In, Software, Engineer, Developer, Project, Leader, Delivery, Owner, etc. The system 200 reads the relationship path and uses the words for generating the codes. In the relationship path, the first and last relationships are considered, e.g., TeamMember and BelongsTo. The list of words is used to generate the code from the relationship path, e.g., TeamMember->TM and BelongsTo->BT: the system divides TeamMember into Team and Member and generates the code TM, and divides BelongsTo into Belongs and To and generates the code BT. The compliance rule code corresponds to two characters for each of the one or more compliance rules. For example, a resource may be associated with multiple compliance rules, of which two compliance rules have a validity period. The system 200 maintains the list of words and generates the code for the compliance rules that have the validity period.
[026] The code generator 208 is configured to generate only a relationship path code for the relationship path associated with the user and the relationship path associated with the one or more resources 206A-N, if the one or more compliance rules are without the validity period. In an embodiment, two characters from a user role and two characters from the resource are considered to generate the relationship path code. If the compliance rules associated with the resource do not have any validity, then the relationship path code alone is used to create an access policy with a file name in a format such as relPathCode.xml.
[027] Access to the one or more resources 206A-N for at least one valid user is managed based on the compliance status determined by the one or more access policies. The admin provides the access to each of the one or more resources 206A-N for the user based on the one or more access policies. The system 100 identifies a user who has valid compliance rules based on the created access policies and stores the user’s compliance rules and resource details in a cache. A notification is communicated ‘n’ days before revoking the access of the user. For example, the notification is communicated via email, but it is not limited to email and may be a “push” or “pop-up” in an application dashboard while the one or more resources 206A-N are accessed by the user. The compliance rule details associated with validity are communicated, i.e., a validity end date, access-impacted resource details, etc. The compliance status associated with the user is monitored by running a batch program at a periodic time interval to generate an access policy evaluation result. The batch program runs as per the time interval mentioned in a configuration file. Access for the user is revoked if the user is non-compliant with the compliance rule. Information associated with at least one non-compliant user is added at a forbidden path (e.g., a configuration name) of the access policy evaluation result. For example, consider a user who attempts to access a resource while being non-compliant with one of the compliance rules associated with that resource. The system 100 monitors the relationship path of the user with the resource and identifies an applicable policy and the corresponding result. The access policy evaluation result is checked, and access is denied to the user if the forbidden path of the access policy evaluation result includes the details of that specific user.
[028] Access for the user is restored if the user’s compliance status changes from non-compliant to compliant, by deleting the user details mentioned in the forbidden path, whereby the access policy evaluation result is updated. In an embodiment, when the user accesses the resource 206A for the first time, an associated access policy is evaluated and the result is stored in the access policy evaluation result in the database 104. The policy engine 210 is configured to store the policy evaluation result in a cache. The system 100 utilizes the stored access policy evaluation result when the user accesses the resource 206A subsequently through an offline mode.
[029] FIG. 3 is an exemplary flow diagram illustrating a method 300 of managing the access of one or more resources based on the validation of the one or more compliance rules, according to some embodiments of the present disclosure. In an embodiment, the system 100 comprises one or more data storage devices or the memory 104 operatively coupled to the one or more hardware processors 102 and is configured to store instructions for execution of steps of the method by the one or more processors 102. The flow diagram depicted is better understood by way of following explanation/description. The steps of the method of the present disclosure will now be explained with reference to the components of the system as depicted in FIGS. 1 and 2.
[030] At step 302, the one or more parameters are received as an input. The one or more parameters correspond to (i) the relationship path associated with the user, (ii) the relationship path associated with the one or more resources 206A-N, (iii) information associated with the one or more resources 206A-N, and (iv) the one or more compliance rules. At step 304, the one or more access policies are generated based on the one or more parameters. At step 306, the compliance status associated with the one or more access policies is determined based on the one or more types of the one or more compliance rules. The one or more types of the one or more compliance rules correspond to: (a) the one or more compliance rules with a validity period, or (b) the one or more compliance rules without the validity period. When the one or more compliance rules have the validity period, the step of determining the compliance status further includes (a) at step 306A, generating the relationship path code for the relationship path associated with the user and the relationship path associated with the one or more resources 206A-N; and (b) at step 306B, generating the compliance rule code for the one or more compliance rules. In an embodiment, the relationship path code is generated based on two characters for a role associated with the user, and two characters for the one or more resources 206A-N. In an embodiment, the compliance rule code is generated based on two characters from each of the one or more compliance rules. At step 310, when the one or more compliance rules are without the validity period, the step of determining the compliance status further includes generating the relationship path code for the relationship path associated with the user and the relationship path associated with the one or more resources 206A-N.
In an embodiment, the compliance status associated with the user is monitored by running a batch program at a periodic time interval to update the access policy evaluation result. In an embodiment, access for the user is revoked if the user is non-compliant with the one or more compliance rules. In an embodiment, information associated with the non-compliant user is added at the forbidden path of the access policy evaluation result. In an embodiment, access for the user is restored if the user becomes compliant with the previously non-compliant rule, and the access policy evaluation result is updated. At step 308, access to the one or more resources 206A-N for the one or more valid users is managed based on the compliance status determined by the one or more access policies.
[031] In an exemplary embodiment, consider an application in which a “Developer” is provided with access to the offshore development center (ODC) “ODC1”. ODC1 is associated with the compliance rules of a background check (BGC) and an “I Security Quiz”, and a “Project Leader” is provided access to a server “Server1” associated with the background check (BGC). The system 100 creates the access policy with the name “DLD1_SQ.xml” by validating the input parameters; the relationship path is “Developer; ExecutedIn”. The system 100 creates the access policy with the name “PLSR.xml”; the relationship path is “ProjectLeader; ExecutedIn; MappedTo; MappedTo; BelongsTo”. Whenever the created policy, i.e., DLD1_SQ.xml, is evaluated for the first time, the system identifies the users: (a) it reads the policy and identifies the applicable users based on the relationship path and the user’s validity compliance rules, e.g., it identifies User A and User B as “developers”; and (b) it stores the users and the user’s validity compliance rule, along with the validity end date of the user’s compliance status, in the cache, e.g., User A, compliance details, compliance validity date, and User B, compliance details, compliance validity date. The system 100 runs a batch program at every time interval to check the user compliance status. The system 100 revokes the user’s access when the user becomes non-compliant, e.g., User A becomes non-compliant, and stores the user details in the forbidden path of the policy evaluation result. It restores the access when the user’s compliance status changes from non-compliant to compliant, e.g., it updates the details of User A in the policy evaluation result. When a user accesses the resource, the system 100 identifies the applicable policies based on the file names.
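The code generation of paragraphs [023] to [026] and the batch revoke/restore cycle of paragraphs [027], [028] and [031], as an added example that is not the applicant's code. It reproduces the policy names DLD1_SQ.xml and PLSR.xml from the page; the word list is the page's, while the fixed two-character codes for single-word names (Developer, ODC1, Server1, I Security Quiz) are assumed, since the page gives no derivation rule for them, and all users and dates are constructed.

```python
import re
from dataclasses import dataclass, field
from datetime import date, timedelta

# Word list the code generator splits relationship names on (page paragraph [025]).
WORD_LIST = {"Team", "Member", "Executed", "In", "Software", "Engineer", "Developer",
             "Project", "Leader", "Delivery", "Owner", "Belongs", "To", "Mapped"}
# Assumed: codes for names that do not split into two list words; values chosen
# to reproduce the page's example policy names (DLD1_SQ.xml, PLSR.xml).
FIXED_CODES = {"Developer": "DL", "ODC1": "D1", "Server1": "SR", "I Security Quiz": "SQ"}


def two_char_code(name: str) -> str:
    """Two-character code: first letters of the first and last word-list words
    (TeamMember -> TM, BelongsTo -> BT), or a fixed code for unsplittable names."""
    if name in FIXED_CODES:
        return FIXED_CODES[name]
    words = [w for w in re.findall(r"[A-Z][a-z0-9]*", name) if w in WORD_LIST]
    if len(words) < 2:
        raise ValueError(f"no two-character code derivable for {name!r}")
    return (words[0][0] + words[-1][0]).upper()


@dataclass(frozen=True)
class ComplianceRule:
    name: str
    has_validity: bool  # True: must be renewed by an expiry date (e.g. a yearly course)


@dataclass
class User:
    user_id: str
    role: str
    # rule name -> validity end date, or None for a rule without validity period
    compliance: dict = field(default_factory=dict)


def relationship_path_code(role: str, resource: str) -> str:
    return two_char_code(role) + two_char_code(resource)


def compliance_rule_code(rules) -> str:
    # Only rules with a validity period contribute two characters (paragraph [025]).
    return "".join(two_char_code(r.name) for r in rules if r.has_validity)


def policy_file_name(role: str, resource: str, rules) -> str:
    rel, comp = relationship_path_code(role, resource), compliance_rule_code(rules)
    return f"{rel}_{comp}.xml" if comp else f"{rel}.xml"


@dataclass
class PolicyEvaluationResult:
    policy_file: str
    applicable_users: set = field(default_factory=set)
    forbidden: set = field(default_factory=set)  # the "forbidden path"


def is_compliant(user: User, rules, today: date) -> bool:
    for rule in rules:
        if rule.name not in user.compliance:
            return False
        until = user.compliance[rule.name]
        if rule.has_validity and (until is None or until < today):
            return False
    return True


def run_batch(result: PolicyEvaluationResult, rules, users, today: date) -> None:
    """Periodic batch: non-compliant users go to the forbidden path, compliant ones
    are removed from it (revoke / restore)."""
    for u in users:
        if u.user_id not in result.applicable_users:
            continue
        if is_compliant(u, rules, today):
            result.forbidden.discard(u.user_id)
        else:
            result.forbidden.add(u.user_id)


def evaluate_policy(role, resource, rules, users, today) -> PolicyEvaluationResult:
    """First-time evaluation: select applicable users by relationship (role)."""
    result = PolicyEvaluationResult(policy_file_name(role, resource, rules))
    result.applicable_users = {u.user_id for u in users if u.role == role}
    run_batch(result, rules, users, today)
    return result


def access_allowed(result: PolicyEvaluationResult, user_id: str) -> bool:
    return user_id in result.applicable_users and user_id not in result.forbidden


def users_to_notify(result, rules, users, today: date, n_days: int) -> dict:
    """Users whose validity-period compliance expires within the next n days."""
    due = {}
    for u in users:
        if u.user_id not in result.applicable_users:
            continue
        for r in rules:
            until = u.compliance.get(r.name)
            if r.has_validity and until and today <= until <= today + timedelta(days=n_days):
                due.setdefault(u.user_id, []).append((r.name, until))
    return due


# Constructed scenario following paragraph [031].
BGC = ComplianceRule("BGC", has_validity=False)
SQ = ComplianceRule("I Security Quiz", has_validity=True)
ODC1_RULES = [BGC, SQ]


def demo() -> tuple:
    user_a = User("A", "Developer", {"BGC": None, "I Security Quiz": date(2024, 1, 10)})
    user_b = User("B", "Developer", {"BGC": None, "I Security Quiz": date(2024, 12, 1)})
    users = [user_a, user_b]
    result = evaluate_policy("Developer", "ODC1", ODC1_RULES, users, date(2024, 1, 1))
    before = access_allowed(result, "A")                  # A still compliant
    run_batch(result, ODC1_RULES, users, date(2024, 2, 1))  # A's quiz has expired
    after_expiry = access_allowed(result, "A")
    user_a.compliance["I Security Quiz"] = date(2025, 2, 1)  # A renews the quiz
    run_batch(result, ODC1_RULES, users, date(2024, 2, 2))
    restored = access_allowed(result, "A")
    return result.policy_file, before, after_expiry, restored
```

`users_to_notify` implements the ‘n’ days advance warning of paragraph [027] on the same cached data; for User A at 2024-01-01 with n = 10 it reports the quiz expiring on 2024-01-10.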
[032] The written description describes the subject matter herein to enable any person skilled in the art to make and use the embodiments. The scope of the subject matter embodiments is defined by the claims and may include other modifications that occur to those skilled in the art. Such other modifications are intended to be within the scope of the claims if they have similar elements that do not differ from the literal language of the claims or if they include equivalent elements with insubstantial differences from the literal language of the claims.
[033] The embodiment of the present disclosure herein addresses the unresolved problem of managing access for the user to the one or more resources. The embodiment of the present disclosure provides a relationship-based validation of compliance rules to manage access to the one or more resources for the user. The embodiment of the present disclosure can identify one or more applicable users with their corresponding compliance status, based on the validity period, at every specific time interval. The embodiment of the present disclosure identifies the applicable policies for a resource that need to be evaluated when the user accesses the resource. The embodiment of the present disclosure identifies the users whose access is impacted by the compliance rules. The embodiment of the present disclosure revokes and restores the access of the users based on the validity status of the compliance rules. Subsequently, the users are alerted by a notification. The embodiment of the present disclosure reduces complexity when any new change comes in functionality, thereby reducing maintenance cost and time. The embodiment of the present disclosure automatically updates any changes, i.e., functionalities adaptable for new features.
[034] It is to be understood that the scope of the protection is extended to such a program and in addition to a computer-readable means having a message therein; such computer-readable storage means contain program-code means for implementation of one or more steps of the method, when the program runs on a server or mobile device or any suitable programmable device. The hardware device can be any kind of device which can be programmed including e.g., any kind of computer like a server or a personal computer, or the like, or any combination thereof. The device may also include means which could be e.g., hardware means like e.g., an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or a combination of hardware and software means, e.g., an ASIC and an FPGA, or at least one microprocessor and at least one memory with software processing components located therein. Thus, the means can include both hardware means and software means. The method embodiments described herein could be implemented in hardware and software. The device may also include software means. Alternatively, the embodiments may be implemented on different hardware devices, e.g., using a plurality of CPUs.
[035] The embodiments herein can comprise hardware and software elements. The embodiments that are implemented in software include but are not limited to, firmware, resident software, microcode, etc. The functions performed by various components described herein may be implemented in other components or combinations of other components. For the purposes of this description, a computer-usable or computer readable medium can be any apparatus that can comprise, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
[036] The illustrated steps are set out to explain the exemplary embodiments shown, and it should be anticipated that ongoing technological development will change the manner in which particular functions are performed. These examples are presented herein for purposes of illustration, and not limitation. Further, the boundaries of the functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternative boundaries can be defined so long as the specified functions and relationships thereof are appropriately performed. Alternatives (including equivalents, extensions, variations, deviations, etc., of those described herein) will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein. Such alternatives fall within the scope of the disclosed embodiments. Also, the words “comprising,” “having,” “containing,” and “including,” and other similar forms are intended to be equivalent in meaning and be open ended in that an item or items following any one of these words is not meant to be an exhaustive listing of such item or items, or meant to be limited to only the listed item or items. It must also be noted that as used herein and in the appended claims, the singular forms “a,” “an,” and “the” include plural references unless the context clearly dictates otherwise.
[037] Furthermore, one or more computer-readable storage media may be utilized in implementing embodiments consistent with the present disclosure. A computer-readable storage medium refers to any type of physical memory on which information or data readable by a processor may be stored. Thus, a computer-readable storage medium may store instructions for execution by one or more processors, including instructions for causing the processor(s) to perform steps or stages consistent with the embodiments described herein. The term “computer-readable medium” should be understood to include tangible items and exclude carrier waves and transient signals, i.e., be non-transitory. Examples include random access memory (RAM), read-only memory (ROM), volatile memory, nonvolatile memory, hard drives, CD ROMs, DVDs, flash drives, disks, and any other known physical storage media.
[038] It is intended that the disclosure and examples be considered as exemplary only, with a true scope of disclosed embodiments being indicated by the following claims.

We Claim:
1. A processor implemented method (300), comprising:
receiving, via one or more hardware processors, a plurality of parameters as an input, wherein the plurality of parameters comprises: (i) a relationship path associated with a user, (ii) a relationship path associated with a plurality of resources (206A-N), (iii) an information associated with the plurality of resources (206A-N), and (iv) a plurality of compliance rules (302);
generating, via the one or more hardware processors, a plurality of access policies based on the plurality of parameters (304);
determining, via the one or more hardware processors, a compliance status associated with the plurality of access policies based on at least one type of the plurality of compliance rules, and wherein the at least one type of the plurality of compliance rules comprises: (a) the plurality of compliance rules with a validity period, or (b) the plurality of compliance rules without the validity period (306); and
managing, via the one or more hardware processors, at least one valid user to access the plurality of resources (206A-N) based on the compliance status determined by the plurality of access policies (308).

2. The processor implemented method (300) as claimed in claim 1, wherein the step of determining the compliance status of the plurality of compliance rules with the validity period, further comprising:
a. generating, via the one or more hardware processors, a relationship path code for the relationship path associated with the user and the relationship path associated with the plurality of resources (206A-N), and wherein the relationship path code is generated based on two characters for a role associated with the user, and two characters for the plurality of resources (206A-N) (306A); and
b. generating, via the one or more hardware processors, a compliance rule code for the plurality of compliance rules, and wherein the compliance rule code is generated based on two characters from each of the plurality of compliance rules (306B).

3. The processor implemented method (300) as claimed in claim 1, wherein the step of determining the compliance status of the plurality of compliance rules without the validity period, further comprising, generating, via the one or more hardware processors, the relationship path code for the relationship path associated with the user and the relationship path associated with the plurality of resources (206A-N) (310).

4. The processor implemented method (300) as claimed in claim 1, wherein the compliance status associated with the user is monitored by running a batch program at a periodic time interval to update an access policy evaluation result.

5. The processor implemented method (300) as claimed in claim 1, wherein an access to the user is revoked if the user is non-compliant to at least one compliance rule, wherein information associated with at least one non-compliant user is added at a forbidden path of the access policy evaluation result, and wherein the access to the user is restored if the user is compliant to the at least one non-compliant rule and the access policy evaluation result is updated.

6. A system (100), comprising:
a memory (104) storing instructions;
one or more communication interfaces (106); and
one or more hardware processors (102) coupled to the memory (104) via the one or more communication interfaces (106), wherein the one or more hardware processors (102) are configured by the instructions to:
receive, a plurality of parameters as an input, wherein the plurality of parameters comprises: (i) a relationship path associated with a user, (ii) a relationship path associated with a plurality of resources (206A-N), (iii) an information associated with the plurality of resources (206A-N), and (iv) a plurality of compliance rules;
generate, a plurality of access policies based on the plurality of parameters;
determine, a compliance status associated with the plurality of access policies based on at least one type of the plurality of compliance rules, and wherein the at least one type of the plurality of compliance rules comprises: (a) the plurality of compliance rules with a validity period, or (b) the plurality of compliance rules without the validity period; and
manage, at least one valid user to access the plurality of resources (206A-N) based on the compliance status determined by the plurality of access policies.

7. The system (100) as claimed in claim 6, wherein the one or more hardware processors (102) are further configured by the instructions to determine the compliance status of the plurality of compliance rules with the validity period, comprises:
a. generate, a relationship path code for the relationship path associated with the user and the relationship path associated with the plurality of resources (206A-N), and wherein the relationship path code is generated based on two characters for a role associated with the user, and two characters for the plurality of resources (206A-N); and
b. generate, a compliance rule code for the plurality of compliance rules, and wherein the compliance rule code is generated based on two characters from each of the plurality of compliance rules.

8. The system (100) as claimed in claim 6, wherein the one or more hardware processors (102) are further configured by the instructions to determine the compliance status of the plurality of compliance rules without the validity period, comprises, generate, the relationship path code for the relationship path associated with the user and the relationship path associated with the plurality of resources (206A-N).

9. The system (100) as claimed in claim 6, wherein the compliance status associated with the user is monitored by running a batch program at a periodic time interval to update an access policy evaluation result.

10. The system (100) as claimed in claim 6, wherein an access to the user is revoked if the user is non-compliant to at least one compliance rule, wherein information associated with at least one non-compliant user is added at a forbidden path of the access policy evaluation result, and wherein the access to the user is restored if the user is compliant to at least one non-compliant rule and the access policy evaluation result is updated.

Dated this 17th day of May 2022

Tata Consultancy Services Limited
By their Agent & Attorney

(Adheesh Nargolkar)
of Khaitan & Co
Reg No IN-PA-1086

Documents

Application Documents

# Name Date
1 202221028385-STATEMENT OF UNDERTAKING (FORM 3) [17-05-2022(online)].pdf 2022-05-17
2 202221028385-REQUEST FOR EXAMINATION (FORM-18) [17-05-2022(online)].pdf 2022-05-17
3 202221028385-FORM 18 [17-05-2022(online)].pdf 2022-05-17
4 202221028385-FORM 1 [17-05-2022(online)].pdf 2022-05-17
5 202221028385-FIGURE OF ABSTRACT [17-05-2022(online)].jpg 2022-05-17
6 202221028385-DRAWINGS [17-05-2022(online)].pdf 2022-05-17
7 202221028385-DECLARATION OF INVENTORSHIP (FORM 5) [17-05-2022(online)].pdf 2022-05-17
8 202221028385-COMPLETE SPECIFICATION [17-05-2022(online)].pdf 2022-05-17
9 202221028385-FORM-26 [23-06-2022(online)].pdf 2022-06-23
10 Abstract1.jpg 2022-08-24
11 202221028385-Proof of Right [24-08-2022(online)].pdf 2022-08-24
12 202221028385-FER.pdf 2024-12-06
13 202221028385-OTHERS [13-05-2025(online)].pdf 2025-05-13
14 202221028385-FER_SER_REPLY [13-05-2025(online)].pdf 2025-05-13
15 202221028385-DRAWING [13-05-2025(online)].pdf 2025-05-13
16 202221028385-CLAIMS [13-05-2025(online)].pdf 2025-05-13
17 202221028385-ABSTRACT [13-05-2025(online)].pdf 2025-05-13

Search Strategy

1 searchE_05-12-2024.pdf