Abstract: The disclosure relates generally to methods and systems for creating access control and management for resources. Most of the conventional techniques use access policies to provide access to the users for the resources. The access policy needs to be created for each resource access and hence the policies count continues to increase as the number of resources increases. The present disclosure provides a policy template for creating the access control and management for the resources. The policy template is automatically generated for each resource based on the availability of the user details of users and the access privilege details associated with the resources. If both the details are not available, then the present disclosure identifies the users and the associated user details based on the matching resources and the policy template is generated based on the identified information. [To be published with FIG. 3]
FORM 2
THE PATENTS ACT, 1970
(39 of 1970)
&
THE PATENT RULES, 2003
COMPLETE SPECIFICATION (See Section 10 and Rule 13)
Title of invention:
METHODS AND SYSTEMS FOR ACCESS CONTROL MANAGEMENT USING A POLICY TEMPLATE
Applicant
Tata Consultancy Services Limited, a company incorporated in India under the Companies Act, 1956
Having address:
Nirmal Building, 9th floor,
Nariman Point, Mumbai 400021,
Maharashtra, India
Preamble to the description:
The following specification particularly describes the invention and the manner in which it is to be performed.
TECHNICAL FIELD [001] The disclosure herein generally relates to the field of access control and management, and more specifically to methods and systems for creating access control and management for resources.
BACKGROUND
[002] Any organization handles multiple projects and applications, and each application maintains many resources and users. Hence, access control and management of resources for users is a key aspect of information security and forms an integral part of the organization. Most of the conventional techniques use access policies to provide access to the users for the resources. The access policy is created using a resource name together with other names, such as a filename. Further, an application maintains many resources of the same type, and the administrator creates an access policy for each of them. An access policy needs to be created for each resource access of each user, and thus each resource has at least 3 to 4 access policies. Hence, the policy count continues to increase as the number of resources increases.
[003] Thus, managing the policies (policy management) becomes difficult as the number of policies grows, and application performance degrades when users access the resources. Further, duplicate access policies may exist as the number of actual access policies increases, so considerable effort must be spent searching for and managing the applicable access policies. The administrator needs to know the details of the users and their privileges before providing access to the resources. Some conventional techniques use access policy templates. However, the above technical problems remain, due to the lack of a suitable implementation.
SUMMARY [004] Embodiments of the present disclosure present technological improvements as solutions to one or more of the above-mentioned technical problems recognized by the inventors in conventional systems.
[005] In an aspect, a processor-implemented method for access control management for one or more resources is provided. The method includes the steps of: receiving resource details of each of the one or more resources; checking an availability of (i) user details of each of one or more users, and (ii) access privilege details associated with each of the one or more resources for each of the one or more users; generating a policy template for each of the one or more resources, based on the availability of (i) the user details of each of the one or more users, and (ii) the access privilege details associated with each of the one or more resources; creating the access control for each of the one or more users, to each of the one or more resources, using the policy template corresponding to each of the one or more resources; receiving an access control request for one of the one or more resources, from one of the one or more users; fetching the resource details of the corresponding resource and the user details of the corresponding user; evaluating the policy template for the corresponding resource, based on the resource details of the corresponding resource and the user details of the corresponding user, to determine the access permission for the corresponding resource to the corresponding user; determining either (i) standard access privilege details, or (ii) custom access privilege details, for the corresponding resource if the access permission for the corresponding resource is granted, wherein the standard access privilege details are determined based on the user details of the corresponding user and the resource details of the corresponding resource, using a trained machine learning (ML) model; and managing the access control for the corresponding resource, to the corresponding user, based on either (i) the determined standard access privilege details or (ii) the determined custom access privilege details.
[006] In another aspect, a system for access control management for one or more resources is provided. The system includes: a memory storing instructions; one or more Input/Output (I/O) interfaces; and one or more hardware processors coupled to the memory via the one or more I/O interfaces, wherein the one or more hardware processors are configured by the instructions to: receive resource details of each of the one or more resources; check an availability of (i) user details of each of the one or more users, and (ii) access privilege details associated with each of the one or more resources for each of the one or more users; generate a policy template for each of the one or more resources, based on the availability of (i) the user details of each of the one or more users, and (ii) the access privilege details associated with each of the one or more resources; create access control for each of the one or more users, to each of the one or more resources, using the policy template corresponding to each of the one or more resources; receive an access control request for one of the one or more resources, from one of the one or more users; fetch the resource details of the corresponding resource and the user details of the corresponding user; evaluate the policy template for the corresponding resource, based on the resource details of the corresponding resource and the user details of the corresponding user, to determine the access permission for the corresponding resource to the corresponding user; determine either (i) standard access privilege details, or (ii) custom access privilege details, for the corresponding resource if the access permission for the corresponding resource is granted, wherein the standard access privilege details are determined based on the user details of the corresponding user and the resource details of the corresponding resource, using a trained machine learning (ML) model; and manage the access control for the corresponding resource, to the corresponding user, based on either (i) the determined standard access privilege details or (ii) the determined custom access privilege details.
[007] In yet another aspect, there is provided a computer program product comprising a non-transitory computer readable medium having a computer readable program embodied therein, wherein the computer readable program, when executed on a computing device, causes the computing device to: receive resource details of each of one or more resources; check an availability of (i) user details of each of one or more users, and (ii) access privilege details associated with each of the one or more resources for each of the one or more users; generate a policy template for each of the one or more resources, based on the availability of (i) the user details of each of the one or more users, and (ii) the access privilege details associated with each of the one or more resources; create access control for each of the one or more users, to each of the one or more resources, using the policy template corresponding to each of the one or more resources; receive an access control request for one of the one or more resources, from one of the one or more users; fetch the resource details of the corresponding resource and the user details of the corresponding user; evaluate the policy template for the corresponding resource, based on the resource details of the corresponding resource and the user details of the corresponding user, to determine the access permission for the corresponding resource to the corresponding user; determine either (i) standard access privilege details, or (ii) custom access privilege details, for the corresponding resource if the access permission for the corresponding resource is granted, wherein the standard access privilege details are determined based on the user details of the corresponding user and the resource details of the corresponding resource, using a trained machine learning (ML) model; and manage the access control for the corresponding resource, to the corresponding user, based on either (i) the determined standard access privilege details or (ii) the determined custom access privilege details.
[008] In an embodiment, the user details of each of the one or more users comprise a user identity and one or more user roles; the resource details of each of the one or more resources comprise a resource identity, a resource type, and a resource association; and the access privilege details associated with each of the one or more resources comprise one or more access privileges.
[009] In an embodiment, generating the policy template for each of the one or more resources, when (i) the user details of each of the one or more users, and (ii) the access privilege details associated with each of the one or more resources are not available, comprises: identifying one or more matching resources for each of the one or more resources, using the corresponding resource details; extracting the user details of each of one or more available users, if available, for each of the one or more matching resources; identifying one or more associated resources for each of the one or more resources, using the corresponding resource details; extracting the user details of each of one or more available users, if available, for each of the one or more associated resources; and generating the policy template for each of the one or more resources, using (i) the resource details and (ii) the user details extracted from the one or more matching resources and the one or more associated resources.
[010] In an embodiment, the policy template for each of the one or more resources, when the user details of each of the one or more users are available, is generated using (i) the user details, and (ii) the resource details.
[011] In an embodiment, generating the policy template for each of the one or more resources, when (i) the user details of each of the one or more users, and (ii) the access privilege details associated with each of the one or more resources are available, comprises: extracting a privilege code for each of the one or more resources, if available, using the access privilege details associated with each of the one or more resources; generating the privilege code for each of the one or more resources, if not available, using the access privilege details associated with each of the one or more resources, and a code generation function; and generating the policy template for each of the one or more resources, using (i) the user details, (ii) the resource details, and (iii) the privilege code.
[012] In an embodiment, the trained ML model is obtained by: receiving a training dataset comprising (i) training resource details of each of a plurality of training resources, (ii) training user details of each of a plurality of training users associated with each of the plurality of training resources, and (iii) training access privilege details associated with each of the plurality of training resources; and training a supervised ML model with the training dataset, to obtain the trained ML model.
[013] It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention, as claimed.
BRIEF DESCRIPTION OF THE DRAWINGS [014] The accompanying drawings, which are incorporated in and constitute a part of this disclosure, illustrate exemplary embodiments and, together with the description, serve to explain the disclosed principles:
[015] FIG. 1 is an exemplary block diagram of a system for access control management for resources, in accordance with some embodiments of the present disclosure.
[016] FIGS. 2A and 2B illustrate exemplary flow diagrams of a processor-implemented method for access control management for resources, in accordance with some embodiments of the present disclosure.
[017] FIG. 3 illustrates an exemplary flow diagram for generating a policy template for each of one or more resources, when (i) the user details of each of one or more users, and (ii) the access privilege details associated with each of the one or more resources are not available, in accordance with some embodiments of the present disclosure.
[018] FIG. 4 illustrates an exemplary flow diagram for generating the policy template for each of one or more resources, when (i) the user details of each of one or more users, and (ii) the access privilege details associated with each of the one or more resources are available, in accordance with some embodiments of the present disclosure.
DETAILED DESCRIPTION OF EMBODIMENTS [019] Exemplary embodiments are described with reference to the accompanying drawings. In the figures, the left-most digit(s) of a reference number identifies the figure in which the reference number first appears. Wherever convenient, the same reference numbers are used throughout the drawings to refer to the same or like parts. While examples and features of disclosed principles are described herein, modifications, adaptations, and other implementations are possible without departing from the scope of the disclosed embodiments.
[020] The present disclosure solves the technical problems in the art for access control and management for resources using a policy template. The policy template according to the present disclosure is automatically generated for each resource based on the availability of (i) the user details of users, and (ii) the access privilege details associated with the resources. If both (i) the user details of users, and (ii) the access privilege details associated with the resources are not available, then the present disclosure identifies the users and the associated user details based on the matching resources, and the policy template is generated based on the identified information. Thus, the access control management for the resources is achieved using the policy templates.
[021] Referring now to the drawings, and more particularly to FIG. 1 through FIG. 4, where similar reference characters denote corresponding features consistently throughout the figures, there are shown preferred embodiments and these embodiments are described in the context of the following exemplary systems and/or methods.
[022] FIG. 1 is an exemplary block diagram of a system 100 for access control management for resources, in accordance with some embodiments of the present disclosure. In an embodiment, the system 100 includes or is otherwise in communication with one or more hardware processors 104, communication interface device(s) or input/output (I/O) interface(s) 106, and one or more data storage devices or memory 102 operatively coupled to the one or more hardware processors 104. The one or more hardware processors 104, the memory 102, and the I/O interface(s) 106 may be coupled to a system bus 108 or a similar mechanism.
[023] The I/O interface(s) 106 may include a variety of software and hardware interfaces, for example, a web interface, a graphical user interface, and the like. The I/O interface(s) 106 may include a variety of software and hardware interfaces, for example, interfaces for peripheral device(s), such as a keyboard, a mouse, an external memory, a plurality of sensor devices, a printer and the like. Further, the I/O interface(s) 106 may enable the system 100 to communicate with other devices, such as web servers and external databases.
[024] The I/O interface(s) 106 can facilitate multiple communications within a wide variety of networks and protocol types, including wired networks, for example, local area network (LAN), cable, etc., and wireless networks, such as Wireless LAN (WLAN), cellular, or satellite. For the purpose, the I/O interface(s) 106 may include one or more ports for connecting a number of computing systems with one another or to another server computer. Further, the I/O interface(s) 106 may include one or more ports for connecting a number of devices to one another or to another server.
[025] The one or more hardware processors 104 may be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, state machines, logic circuitries, and/or any devices that manipulate signals based on operational instructions. Among other capabilities, the one or more hardware processors 104 are configured to fetch and execute computer-readable instructions stored in the memory 102. In the context of the present disclosure, the expressions ‘processors’ and ‘hardware processors’ may be used interchangeably. In an embodiment, the system 100 can be implemented in a variety of computing systems, such as laptop computers, portable computers, notebooks, hand-held devices, workstations, mainframe computers, servers, a network cloud and the like.
[026] The memory 102 may include any computer-readable medium known in the art including, for example, volatile memory, such as static random access memory (SRAM) and dynamic random access memory (DRAM), and/or non-volatile memory, such as read only memory (ROM), erasable programmable ROM, flash memories, hard disks, optical disks, and magnetic tapes. In an embodiment, the memory 102 includes a plurality of modules 102a and a repository 102b for storing data processed, received, and generated by one or more of the plurality of modules 102a. The plurality of modules 102a may include routines, programs, objects, components, data structures, and so on, which perform particular tasks or implement particular abstract data types.
[027] The plurality of modules 102a may include programs or computer-readable instructions or coded instructions that supplement applications or functions performed by the system 100. The plurality of modules 102a may also be used as signal processor(s), state machine(s), logic circuitries, and/or any other device or component that manipulates signals based on operational instructions. Further, the plurality of modules 102a can be used by hardware, by computer-readable instructions executed by the one or more hardware processors 104, or by a combination thereof. In an embodiment, the plurality of modules 102a can include various sub-modules (not shown in FIG. 1). Further, the memory 102 may include information pertaining to input(s)/output(s) of each step performed by the processor(s) 104 of the system 100 and methods of the present disclosure.
[028] The repository 102b may include a database or a data engine. Further, the repository 102b, amongst other things, may serve as a database or include a plurality of databases for storing the data that is processed, received, or generated as a result of the execution of the plurality of modules 102a. Although the repository 102b is shown internal to the system 100, it will be noted that, in alternate embodiments, the repository 102b can also be implemented external to the system 100, where the repository 102b may be stored within an external database (not shown in FIG. 1) communicatively coupled to the system 100. The data contained within such an external database may be periodically updated. For example, data may be added into the external database and/or existing data may be modified and/or non-useful data may be deleted from the external database. In one example, the data may be stored in an external system, such as a Lightweight Directory Access Protocol (LDAP) directory or a Relational Database Management System (RDBMS). In another embodiment, the data stored in the repository 102b may be distributed between the system 100 and the external database.
[029] Referring to FIGS. 2A and 2B, components and functionalities of the system 100 are described in accordance with an example embodiment of the present disclosure. For example, FIGS. 2A and 2B illustrate exemplary flow diagrams of a processor-implemented method 200 for access control management for resources, in accordance with some embodiments of the present disclosure. Although steps of the method 200, including process steps, method steps, techniques or the like, may be described in a sequential order, such processes, methods and techniques may be configured to work in alternate orders. In other words, any sequence or order of steps that may be described does not necessarily indicate a requirement that the steps be performed in that order. The steps of processes described herein may be performed in any practical order. Further, some steps may be performed simultaneously, or some steps may be performed alone or independently.
[030] At step 202 of the method 200, the one or more hardware processors 104 of the system 100 are configured to receive resource details of each resource of one or more resources for which the access control and management is required. In an embodiment, the one or more resources are either software resources, such as modules, programs, routines, documents and so on, or hardware resources, such as memory, processors, and so on, or a combination thereof. Further, in an embodiment, the one or more resources are associated with a project or multiple projects, are present in a specific location or building, are scattered across multiple locations (such as cloud resources), or a combination thereof.
[031] The resource details of each resource include a resource identity, a resource type, and a resource association. The resource identity is a unique identity for identifying a particular resource. In an embodiment, the resource identity is a resource name or a resource identification number (ID), or a combination thereof, with which the resource is uniquely identified among the other resources. The resource type defines the type of the resource, such as software resource, hardware resource, and so on. In an embodiment, the resource type includes a document, a server, an offshore data center (ODC), memory, version control, and so on. The resource association defines how the resource is associated with a certain project, a team, a location, an office, and so on. In an embodiment, the resource details of each resource are stored in the repository 102b of the system 100.
[032] At step 204 of the method 200, the one or more hardware processors 104 of the system 100 are configured to check an availability of (i) user details and (ii) access privilege details. The user details are for each user of one or more users who may need access to each of the one or more resources received at step 202 of the method 200. The user details of each user include a user identity and one or more user roles. The user identity is a unique identity for identifying a particular user. In an embodiment, the user identity is a name of the user or a user identification number (ID), or a combination thereof, with which the user is uniquely identified among the other users. Each user may be tagged to one or more user roles, wherein each user role defines the type of the user, based on the user's work role, with respect to a particular resource. For example, the user roles for a project include a project manager role, project developer role, administrator role, team member role, and so on.
[033] The access privilege details are associated with each resource of the one or more resources received at step 202 of the method 200, for each user of the one or more users. The access privilege details include one or more access privileges. In an embodiment, the access privilege details include opening the resource, editing the resource, viewing the resource, copying the resource and so on, or a combination thereof. In an embodiment, the user details of each user and the access privilege details associated with each resource, if available, are stored in the repository 102b of the system 100.
[034] At step 206 of the method 200, the one or more hardware processors 104 of the system 100 are configured to generate a policy template for each resource of the one or more resources, based on the availability of (i) the user details and (ii) the access privilege details, checked at step 204 of the method 200. The policy template for each resource is generated automatically based on the availability or non-availability of (i) the user details and (ii) the access privilege details.
[035] The policy template maintains the resource details and user details. A single policy template can be used to provide access to multiple resources. The administrator can create access by selecting only the resource or resources and the users. In some cases, the administrator can select privileges (custom privileges) for some resource access. The policy template reduces the system effort in managing the access to the resources. A system maintained by the administrator holds a smaller number of access policy templates, and thus the application performance is not affected even as the number of users and resources increases. Further, the policy template improves the application performance while evaluating the access. The policy template reduces the effort in searching for the applicable policies for the resource.
[036] Also, the policy template reduces the administrator effort in identifying the accessible users (roles) or access privileges for the resource. The administrator need not worry about the users or privileges for the resource while providing access. Further, the single policy template can be used to provide access to multiple resources (specifically, matching resources), as the single policy template can be reused to provide access to all the matching resources associated with multiple applications, projects or accounts.
[037] In accordance with the present disclosure, the policy template for each resource of the one or more resources is generated under each of the following cases: (i) when neither the user details nor the access privilege details are available, (ii) when only the user details are available, and (iii) when both the user details and the access privilege details are available.
[038] FIG. 3 illustrates an exemplary flow diagram for generating the policy template for each of one or more resources, when (i) the user details of each of one or more users, and (ii) the access privilege details associated with each of the one or more resources are not available, in accordance with some embodiments of the present disclosure. As shown in FIG. 3, at step 206a1, one or more matching resources for each resource of the one or more resources are identified, using the corresponding resource details.
[039] In an embodiment, the one or more matching resources are resources other than the one or more resources whose resource details are received at step 202 of the method 200. In other words, the one or more matching resources are resources that are either closely matching or similar to the resource received at step 202 of the method 200, but are associated with a different project, or with the same project at a different location, and so on. The one or more matching resources for each resource received at step 202 of the method 200 are identified using the associated resource details. More specifically, the resources whose resource type is the same as or similar to the resource type of the resource are the matching resources for that resource received at step 202 of the method 200.
[040] For example, if the resource type of the resource received at step 202 of the method 200 is a word document, then one or more other word documents associated with a different project, or with the same project at a different location, and so on, are the matching resources for that resource received at step 202 of the method 200.
[041] At step 206a2, the user details of each available user of the one or more available users, for each matching resource of the one or more matching resources identified at step 206a1, are extracted, if one or more users (the one or more available users) are available for that matching resource. The user details of each available user are the same as the user details described at step 204 of the method 200. More specifically, one or more least accessible users and one or more maximum accessible users are identified for the corresponding matching resource.
[042] At step 206a3, one or more associated resources for each matching resource of the one or more matching resources identified at step 206a1 are identified using the corresponding resource details. The resources whose resource details are the same as or similar to the resource details of each of the one or more matching resources are the one or more associated resources for each matching resource of the one or more matching resources. If no associated resources are available, then the other resources, apart from the matching resources and the associated resources, are checked to identify the users associated with such resources. If any users are identified for such resources, then the maximum accessible users and the minimum accessible users among the identified users are mapped to the corresponding resource.
[043] At step 206a4, the user details of each available user of the one or more available users, for each associated resource of the one or more associated resources identified at step 206a3, are extracted, if one or more users (the one or more associated users) are available for that associated resource. The user details of each available user are the same as the user details described at step 204 of the method 200.
[044] At step 206a5, the policy template for each resource is generated, using (i) the resource details of the corresponding resource, and (ii) the user details of each of the one or more matching resources extracted at step 206a2 and the user details of each of the one or more associated resources extracted at step 206a4. More specifically, the policy template for each resource comprises (i) the user roles of the one or more matching resources and the one or more associated resources, and (ii) the resource identity. Generically, the policy template for each resource in this scenario comprises: {user roles of users, resource identity}.
[045] FIG. 4 illustrates an exemplary flow diagram for generating the policy template for each of one or more resources, when (i) the user details of each of one or more users, and (ii) the access privilege details associated with each of the one or more resources are available, in accordance with some embodiments of the present disclosure. As shown in FIG. 4, at step 206b1, a privilege code for each of the one or more resources is extracted, if available, using the access privilege details associated with each of the one or more resources for each user. The privilege code is a set of privileges for a specific resource for a specific user. For example, open and copy are a set of privileges, and form a privilege code for the particular resource for a particular user. In an embodiment, the privilege code for each resource, if available, is stored in the repository 102b of the system 100.
[046] At step 206b2, the privilege code for each resource, if not already available, is generated using a code generation function based on the access privilege details associated with the corresponding resource. In an embodiment, the code generation function is a random number or expression generation function that randomly generates a unique code each time as the privilege code.
[047] At step 206b3, the policy template for each resource is generated using (i) the user details, (ii) the resource details, and (iii) the privilege code, either extracted at step 206b1 or generated at step 206b2. More specifically, the policy template for each resource comprises (i) the user roles of the users of the resource, (ii) the resource identity, and (iii) the privilege code. Generically, the policy template for each resource in this scenario comprises: {user roles of users, resource identity, privilege code}.
[048] The policy template for each resource, when only the user details of each user of the one or more users are available, is generated using (i) the user details, and (ii) the resource details. More specifically, the policy template for each resource comprises (i) the user roles of the one or more users, and (ii) the resource identity. Generically, the policy template for each resource in this scenario comprises: {user roles of users, resource identity}.
[049] As described, each resource has only one policy template irrespective of the number of users who need access control for that resource. In an embodiment, the policy template for each resource, along with the user details of each user and the access privilege details, is stored in the repository 102b of the system 100.
[050] At step 208 of the method 200, the one or more hardware processors 104 of the system 100 are configured to create the access control for each of one or more users, to each of one or more resources, using the policy template corresponding to each of the one or more resources. The access control for the users who need access to a resource is created based on the corresponding template. However, the created access control of a user for each resource is validated at the time of the actual access control request.
[051] At step 210 of the method 200, the one or more hardware processors 104 of the system 100 are configured to receive an access control request for one of the one or more resources, from one of the one or more users. Once the access control is created for each user of the one or more users for each resource based on the corresponding policy template, that access control is validated, and permissions are granted upon validation, when the access control request is received from the user for the resource or resources.
[052] At step 212 of the method 200, the one or more hardware processors 104 of the system 100 are configured to fetch the resource details of the corresponding resource and the user details of the corresponding user. In an embodiment, the resource details of the corresponding resource and the user details of the corresponding user, are fetched or extracted from the repository 102b of the system 100.
[053] At step 214 of the method 200, the one or more hardware processors 104 of the system 100 are configured to evaluate the policy template for the corresponding resource, based on the resource details of the corresponding resource and the user details of the corresponding user extracted at step 212 of the method 200. The evaluation is a validation process required to determine the access permission for the corresponding resource to the corresponding user, based on the access control created for the corresponding user (at step 208 of the method 200). This evaluation results in the access permission being either granted or not granted.
[054] At step 216 of the method 200, the one or more hardware processors 104 of the system 100 are configured to determine either (i) standard access privilege details, or (ii) custom access privilege details, for the corresponding resource if the access permission for the corresponding resource is granted at step 214 of the method 200. If the access permission for the corresponding resource is not granted at step 214 of the method 200, then access to the corresponding resource is denied to the corresponding user, with a notification or warning message.
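As an added example (not the patent's own code), the following Python sketches the three template shapes of steps 206a1 to 206a5, 206b1 to 206b3 and paragraph [048], and the request evaluation of steps 210 to 216. The rules used for matching and associated resources, the per-user privilege code, the shape of the repository and the sample data are assumptions, and the fallback of paragraph [042] for the case with no associated resources is not modelled.

```python
from dataclasses import dataclass, field
import secrets

@dataclass(frozen=True)
class Resource:
    resource_id: str      # resource identity
    resource_type: str    # resource type
    association: str      # resource association, e.g. the owning project

@dataclass(frozen=True)
class User:
    user_id: str
    roles: frozenset      # user roles

@dataclass
class Repository:
    """Stand-in for repository 102b (assumed shape)."""
    resources: dict                                      # resource_id -> Resource
    users_of: dict = field(default_factory=dict)         # resource_id -> [User]; key absent if unknown
    privileges_of: dict = field(default_factory=dict)    # (resource_id, user_id) -> set of privileges
    privilege_codes: dict = field(default_factory=dict)  # (resource_id, user_id) -> stored privilege code

def matching_resources(repo, res):
    """Step 206a1, assumed rule: same type and same association as res, excluding res itself."""
    return [r for r in repo.resources.values() if r != res
            and r.resource_type == res.resource_type and r.association == res.association]

def associated_resources(repo, res, matches):
    """Step 206a3, assumed rule: same type as a matching resource, not res and not already matched."""
    return [r for r in repo.resources.values() if r != res and r not in matches
            and any(r.resource_type == m.resource_type for m in matches)]

def roles_of(repo, resources):
    """Steps 206a2/206a4: user roles of the users known for the given resources."""
    return set().union(*(u.roles for r in resources for u in repo.users_of.get(r.resource_id, [])))

def generate_policy_template(repo, res, code_gen=lambda: secrets.token_hex(4)):
    """Step 206: pick the template shape from the availability of user and privilege details."""
    users = repo.users_of.get(res.resource_id)
    privs = [key for key in repo.privileges_of if key[0] == res.resource_id]
    if users is None and not privs:
        # Neither available (206a): borrow roles from matching, then associated, resources.
        matches = matching_resources(repo, res)
        pool = roles_of(repo, matches) | roles_of(repo, associated_resources(repo, res, matches))
        return {"user_roles": pool, "resource_id": res.resource_id}
    roles = set().union(*(u.roles for u in (users or [])))
    if not privs:  # only user details available: {user roles, resource identity}
        return {"user_roles": roles, "resource_id": res.resource_id}
    codes = {}
    for key in privs:
        if key not in repo.privilege_codes:        # 206b2: generate a random code once and persist it
            repo.privilege_codes[key] = code_gen()
        codes[key[1]] = repo.privilege_codes[key]  # 206b1: reuse the stored code (kept per user, assumed)
    return {"user_roles": roles, "resource_id": res.resource_id, "privilege_code": codes}

# Constructed defaults standing in for administrator-defined standard access privileges (step 216).
STANDARD_PRIVILEGES = {("document", "analyst"): {"open"}, ("document", "admin"): {"open", "copy", "delete"}}

def evaluate_request(repo, templates, user, resource_id):
    """Steps 210-216: a role match against the resource's template grants access; otherwise deny."""
    template = templates.get(resource_id)
    res = repo.resources[resource_id]
    if template is None or not (user.roles & template["user_roles"]):
        return {"granted": False, "message": f"access to {resource_id} denied for {user.user_id}"}
    if user.user_id in template.get("privilege_code", {}):  # custom access privilege details exist
        return {"granted": True, "kind": "custom",
                "privileges": set(repo.privileges_of[(resource_id, user.user_id)])}
    privileges = set().union(*(STANDARD_PRIVILEGES.get((res.resource_type, role), set())
                               for role in user.roles))
    return {"granted": True, "kind": "standard", "privileges": privileges}

def build_sample_repo():
    """Constructed sample: three documents across two projects, with partial knowledge of users."""
    docs = [Resource("doc-1", "document", "proj-A"), Resource("doc-2", "document", "proj-A"),
            Resource("doc-3", "document", "proj-B")]
    alice, bob = User("alice", frozenset({"analyst"})), User("bob", frozenset({"admin"}))
    repo = Repository(resources={d.resource_id: d for d in docs})
    repo.users_of["doc-2"] = [alice]                         # doc-1 has no known users or privileges
    repo.users_of["doc-3"] = [bob]
    repo.privileges_of[("doc-3", "bob")] = {"open", "copy"}  # privileges known only for doc-3
    return repo, {"alice": alice, "bob": bob}
```

With the sample repository, doc-1 gets its roles from doc-2 (matching) and doc-3 (associated), doc-2 gets a template from its own users, and doc-3 gets a template carrying a privilege code.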
[055] The standard access privilege details are the generic access privileges explained at step 204 of the method 200. The standard access privilege details are defaults and may be defined by the administrator for each resource based on the resource type and the user role. The custom access privilege details, however, are very specific in nature and specific to each resource and user role. In an embodiment, the custom access privilege details may be defined by the administrator for each resource.
[056] Furthermore, the standard access privilege details may be defined by the administrator for each resource by determining them based on the user details of the corresponding user and the resource details of the corresponding resource. A trained machine learning (ML) model is used to determine the standard access privilege details based on the user details of the corresponding user and the resource details of the corresponding resource.
[057] In an embodiment, the trained ML model is obtained by training a supervised machine learning model with a suitable training dataset. In an embodiment, the supervised machine learning model is one of: a random forest model, a support vector machine, and the like. The training dataset includes (i) training resource details of each of a plurality of training resources, (ii) training user details of each of a plurality of training users associated with each of the plurality of training resources, and (iii) training access privilege details associated with each of the plurality of training resources.
[058] The training resource details of each training resource are the same as the details explained at step 202 of the method 200. The training user details of each training user associated with each training resource are the same as the details explained at step 204 of the method 200. Similarly, the training access privilege details associated with each training resource are the same as the details explained at step 204 of the method 200.
[059] The supervised machine learning model is then trained with the training dataset to obtain the trained ML model. While training, the training resource details of each of the plurality of training resources and the training user details of each of the plurality of training users are used as the input variables, and the training access privilege details associated with each of the plurality of training resources are used as the output variable. The relation between the input variables and the output variable is built while training the supervised machine learning model. The trained ML model is obtained once all the samples present in the training dataset have been processed. Further, the obtained trained ML model may be validated with some samples present in the training dataset before its actual application.
[060] At step 218 of the method 200, the one or more hardware processors 104 of the system 100 are configured to manage the access control created at step 208 of the method 200, for the corresponding resource, to the corresponding user. The access control is managed based on either (i) the determined standard access privilege details or (ii) the determined custom access privilege details obtained at step 216 of the method 200.
[061] The methods and systems of the present disclosure provide the policy template for each resource, which is generated automatically based on the availability or non-availability of (i) the user details and (ii) the access privilege details. A single policy template can be used to provide access to multiple resources, as the single policy template can be reused to provide access to all the resources associated with multiple applications, projects or accounts. The administrator can create the access by selecting only the resource or resources and the users. In accordance with the embodiments of the present disclosure, the policy template reduces the system effort in managing access to the resources. The system administrator maintains a smaller number of access policy templates, and thus the application performance is not affected even as the users and the resources increase.
[062] The embodiments of the present disclosure herein address the unresolved problem of creating the access control and management for the resources, using the policy template. The policy template is automatically generated for each resource based on the availability of (i) the user details of users, and (ii) the access privilege details associated with the resources. If both (i) the user details of users and (ii) the access privilege details associated with the resources are not available, then the present disclosure identifies the users and the associated user details based on the matching resources, and the policy template is generated based on the identified information.
[063] The written description describes the subject matter herein to enable any person skilled in the art to make and use the embodiments. The scope of the subject matter embodiments is defined by the claims and may include other modifications that occur to those skilled in the art. Such other modifications are intended to be within the scope of the claims if they have similar elements that do not differ from the literal language of the claims or if they include equivalent elements with insubstantial differences from the literal language of the claims.
[064] It is to be understood that the scope of the protection is extended to such a program and in addition to a computer-readable means having a message therein; such computer-readable storage means contain program-code means for implementation of one or more steps of the method, when the program runs on a server or mobile device or any suitable programmable device. The hardware device can be any kind of device which can be programmed including e.g., any kind of computer like a server or a personal computer, or the like, or any combination thereof. The device may also include means which could be e.g., hardware means like e.g., an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or a combination of hardware and software means, e.g., an ASIC and an FPGA, or at least one microprocessor and at least one memory with software processing components located therein. Thus, the means can include both hardware means and software means. The method embodiments described herein could be implemented in hardware and software. The device may also include software means. Alternatively, the embodiments may be implemented on different hardware devices, e.g., using a plurality of CPUs.
[065] The embodiments herein can comprise hardware and software elements. The embodiments that are implemented in software include but are not limited to, firmware, resident software, microcode, etc. The functions performed by various components described herein may be implemented in other components or combinations of other components. For the purposes of this description, a computer-usable or computer readable medium can be any apparatus that can comprise, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
[066] The illustrated steps are set out to explain the exemplary embodiments shown, and it should be anticipated that ongoing technological development will change the manner in which particular functions are performed. These examples are presented herein for purposes of illustration, and not limitation. Further, the boundaries of the functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternative boundaries can be defined so long as the specified functions and relationships thereof are appropriately performed. Alternatives (including equivalents, extensions, variations, deviations, etc., of those described herein) will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein. Such alternatives fall within the scope of the disclosed embodiments. Also, the words “comprising,” “having,” “containing,” and “including,” and other similar forms are intended to be equivalent in meaning and be open ended in that an item or items following any one of these words is not meant to be an exhaustive listing of such item or items, or meant to be limited to only the listed item or items. It must also be noted that as used herein and in the appended claims, the singular forms “a,” “an,” and “the” include plural references unless the context clearly dictates otherwise.
[067] Furthermore, one or more computer-readable storage media may be utilized in implementing embodiments consistent with the present disclosure. A computer-readable storage medium refers to any type of physical memory on which information or data readable by a processor may be stored. Thus, a computer-readable storage medium may store instructions for execution by one or more processors, including instructions for causing the processor(s) to perform steps or stages consistent with the embodiments described herein. The term “computer-readable medium” should be understood to include tangible items and exclude carrier waves and transient signals, i.e., be non-transitory. Examples include random access memory (RAM), read-only memory (ROM), volatile memory, nonvolatile memory, hard drives, CD ROMs, DVDs, flash drives, disks, and any other known physical storage media.
[068] It is intended that the disclosure and examples be considered as exemplary only, with a true scope of disclosed embodiments being indicated by the following claims.
We Claim:
1. A processor-implemented method (200) for access control management for one or more resources, comprising the steps of:
receiving, via one or more hardware processors, resource details of each of the one or more resources (202);
checking, via the one or more hardware processors, an availability of (i) user details of each of one or more users, and (ii) access privilege details associated with each of the one or more resources for each of the one or more users (204);
generating, via the one or more hardware processors, a policy template for each of the one or more resources, based on the availability of (i) the user details of each of the one or more users, and (ii) the access privilege details associated with each of the one or more resources (206); and
creating, via the one or more hardware processors, the access control for each of the one or more users, to each of the one or more resources, using the policy template corresponding to each of the one or more resources (208).
2. The method of claim 1, further comprising:
receiving, via the one or more hardware processors, an access control request for one of the one or more resources, from one of the one or more users (210);
fetching, via the one or more hardware processors, the resource details of the corresponding resource and the user details of the corresponding user (212);
evaluating, via the one or more hardware processors, the policy template for the corresponding resource, based on the resource details of the corresponding resource and the user details of the corresponding user, to determine the access permission for the corresponding resource to the corresponding user (214);
determining, via the one or more hardware processors, either (i) standard access privilege details, or (ii) custom access privilege details, for the corresponding resource if the access permission for the corresponding resource is granted, wherein the standard access privilege details are determined based on the user details of the corresponding user and the resource details of the corresponding resource, using a trained machine learning (ML) model (216); and
managing, via the one or more hardware processors, the access control for the corresponding resource, to the corresponding user, based on either (i) the determined standard access privilege details or (ii) the determined custom access privilege details (218).
3. The method of claim 1, wherein:
(i) the user details of each of the one or more users comprises a user identity and one or more user roles;
(ii) the resource details of each of the one or more resources comprises a resource identity, a resource type, and a resource association; and
(iii) the access privilege details associated with each of the one or more resources, comprises one or more access privileges.
4. The method of claim 1, wherein generating the policy template for each of the one or more resources, when non-availability of (i) the user details of each of the one or more users, and (ii) the access privilege details associated with each of the one or more resources, comprising:
identifying one or more matching resources for each of the one or more resources, using the corresponding resource details (206a1);
extracting the user details of each of one or more available users, if available, for each of the one or more matching resources (206a2);
identifying one or more associated resources for each of the one or more resources, using the corresponding resource details (206a3);
extracting the user details of each of one or more available users, if available, for each of the one or more associated resources (206a4); and
generating the policy template for each of one or more resources, using (i) the resource details and (ii) the user details extracted from the one or more matching resources and the one or more associated resources (206a5).
5. The method of claim 1, wherein the policy template for each of the one or more resources, when the availability of the user details of each of the one or more users, is generated using (i) the user details, and (ii) the resource details.
6. The method of claim 1, wherein generating the policy template for each of the one or more resources, when the availability of (i) the user details of each of the one or more users, and (ii) the access privilege details associated with each of the one or more resources, comprising:
extracting a privilege code for each of the one or more resources, if available, using the access privilege details associated with each of the one or more resources (206b1);
generating the privilege code for each of the one or more resources, if not available, using the access privilege details associated with each of the one or more resources, and a code generation function (206b2); and
generating the policy template for each of the one or more resources, using (i) the user details, (ii) the resource details, and (iii) the privilege code (206b3).
7. The method of claim 2, wherein the trained ML model is obtained by:
receiving a training dataset comprising (i) training resource details of each of a plurality of training resources, (ii) training user details of each of a plurality of training users associated with each of the plurality of training resources, and (iii) training access privilege details associated with each of the plurality of training resources; and
training a supervised ML model with the training dataset, to obtain the trained ML model.
8. A system (100) for access control management for one or more resources, comprising:
a memory (102) storing instructions;
one or more input/output (I/O) interfaces (106); and
one or more hardware processors (104) coupled to the memory (102) via the one or more I/O interfaces (106), wherein the one or more hardware processors (104) are configured by the instructions to:
receive resource details of each of the one or more resources;
check an availability of (i) user details of each of one or more users, and (ii) access privilege details associated with each of the one or more resources for each of the one or more users;
generate a policy template for each of the one or more resources, based on the availability of (i) the user details of each of the one or more users, and (ii) the access privilege details associated with each of the one or more resources; and
create access control for each of the one or more users, to each of the one or more resources, using the policy template corresponding to each of the one or more resources.
9. The system of claim 8, wherein the one or more hardware processors (104) are further configured to:
receive an access control request for one of the one or more resources, from one of the one or more users;
fetch the resource details of the corresponding resource and the user details of the corresponding user;
evaluate the policy template for the corresponding resource, based on the resource details of the corresponding resource and the user details of the corresponding user, to determine the access permission for the corresponding resource to the corresponding user;
determine either (i) standard access privilege details, or (ii) custom access privilege details, for the corresponding resource if the access permission for the corresponding resource is granted, wherein the standard access privilege details are determined based on the user details of the corresponding user and the resource details of the corresponding resource, using a trained machine learning (ML) model; and
manage the access control for the corresponding resource, to the corresponding user, based on either (i) the determined standard access privilege details or (ii) the determined custom access privilege details.
10. The system of claim 8, wherein:
(i) the user details of each of the one or more users comprises a user identity and one or more user roles;
(ii) the resource details of each of the one or more resources comprises a resource identity, a resource type, and a resource association; and
(iii) the access privilege details associated with each of the one or more resources, comprises one or more access privileges.
11. The system of claim 8, wherein the one or more hardware processors (104) are configured to generate the policy template for each of the one or more resources, when non-availability of (i) the user details of each of the one or more users, and (ii) the access privilege details associated with each of the one or more resources, by:
identifying one or more matching resources for each of the one or more resources, using the corresponding resource details;
extracting the user details of each of one or more available users, if available, for each of the one or more matching resources;
identifying one or more associated resources for each of the one or more resources, using the corresponding resource details;
extracting the user details of each of one or more available users, if available, for each of the one or more associated resources; and
generating the policy template for each of the one or more resources, using (i) the resource details and (ii) the user details extracted from the one or more matching resources and the one or more associated resources.
12. The system of claim 8, wherein the one or more hardware processors (104) are configured to generate the policy template for each of the one or more resources, when the availability of the user details of each of the one or more users, by using (i) the user details, and (ii) the resource details.
13. The system of claim 8, wherein the one or more hardware processors (104) are configured to generate the policy template for each of the one or more resources, when the availability of (i) the user details of each of the one or more users, and (ii) the access privilege details associated with each of the one or more resources, by:
extracting a privilege code for each of the one or more resources, if available, using the access privilege details associated with each of the one or more resources;
generating the privilege code for each of the one or more resources, if not available, using the access privilege details associated with each of the one or more resources, and a code generation function; and
generating the policy template for each of the one or more resources, using (i) the user details, (ii) the resource details, and (iii) the privilege code.
14. The system of claim 9, wherein the one or more hardware processors (104) are configured to obtain the trained ML model by:
receiving a training dataset comprising (i) training resource details of each of a plurality of training resources, (ii) training user details of each of a plurality of training users associated with each of the plurality of training resources, and (iii) training access privilege details associated with each of the plurality of training resources; and
training a supervised ML model with the training dataset, to obtain the trained ML model.
| # | Name | Date |
|---|---|---|
| 1 | 202221061238-STATEMENT OF UNDERTAKING (FORM 3) [27-10-2022(online)].pdf | 2022-10-27 |
| 2 | 202221061238-REQUEST FOR EXAMINATION (FORM-18) [27-10-2022(online)].pdf | 2022-10-27 |
| 3 | 202221061238-FORM 18 [27-10-2022(online)].pdf | 2022-10-27 |
| 4 | 202221061238-FORM 1 [27-10-2022(online)].pdf | 2022-10-27 |
| 5 | 202221061238-FIGURE OF ABSTRACT [27-10-2022(online)].pdf | 2022-10-27 |
| 6 | 202221061238-DRAWINGS [27-10-2022(online)].pdf | 2022-10-27 |
| 7 | 202221061238-DECLARATION OF INVENTORSHIP (FORM 5) [27-10-2022(online)].pdf | 2022-10-27 |
| 8 | 202221061238-COMPLETE SPECIFICATION [27-10-2022(online)].pdf | 2022-10-27 |
| 9 | 202221061238-FORM-26 [29-11-2022(online)].pdf | 2022-11-29 |
| 10 | Abstract1.jpg | 2022-12-21 |
| 11 | 202221061238-Proof of Right [28-12-2022(online)].pdf | 2022-12-28 |