Abstract: Systems and methods for optimizing performance of policy searching and evaluation. Traditional systems and methods provide policy based access control by generating multiple policies based on one or more resources, evaluating each policy and providing access control based on the evaluation. Embodiments of the present disclosure improve system performance by optimizing policy searching and evaluation: creating one or more policies for providing users access to one or more resource modules, generating a first set of codes for authorizing users, generating a second set of codes for performing a comparison, generating policy codes, comparing the set of policy codes with the second set of codes to identify the one or more policies matching user attributes, and determining at least a subset of policies for obtaining a final set of policies relevant to one or more authorization requests relevant to the users.
Claims:
1. A method for optimizing performance of policy searching and evaluation, the method comprising processor implemented steps of:
defining, by one or more hardware processors, a plurality of user attributes and resource attributes for identifying a set of potential users accessing a set of pre-defined resources in a system;
based upon the plurality of user attributes and resource attributes:
creating, by the one or more hardware processors, one or more policies in the system to provide a user access to one or more resource modules for a policy based access control, wherein the one or more resource modules comprises of data and metadata on an information system;
generating, using a user code generating module, a first set of codes for authorizing one or more authenticated users from a plurality of users to the one or more resource modules; and
generating, using a policy code generating module, a second set of codes based upon the first set of codes and one or more resource identifiers for performing a comparison between the second set of codes with a set of policy codes for identifying the one or more policies matching with the plurality of user attributes;
performing, by the one or more hardware processors, the comparison of the set of policy codes with the second set of codes to obtain one or more matching codes for identifying the one or more policies matching one or more user attributes amongst the plurality of user attributes; and
determining, by the one or more hardware processors, at least a subset of policies from the one or more policies matching the one or more user attributes amongst the plurality of user attributes for obtaining a final set of policies from the one or more policies relevant to one or more authorization requests relevant to the users.
2. The processor implemented method of claim 1, wherein the step of generating the set of policy codes comprises performing a mapping of the set of policy codes generated to the one or more policies created for performing the identification of the one or more policies matching the one or more user attributes amongst the plurality of user attributes.
3. The processor implemented method of claim 1, wherein the step of performing the comparison between the second set of codes with the set of policy codes is preceded by generating, using the policy code generating module, the set of policy codes for the one or more policies for optimizing the performance of searching and evaluating the one or more policies created.
4. The processor implemented method of claim 1, wherein the step of obtaining the final set of policies from the one or more policies is preceded by performing a selection of a category of policies from the one or more policies created based upon the mapping and the plurality of resource attributes for optimizing the performance of evaluating the final set of policies from the one or more policies.
5. A system comprising:
a memory storing instructions;
one or more communication interfaces; and
one or more hardware processors coupled to the memory via the one or more communication interfaces, wherein the one or more hardware processors are configured by the instructions to:
define, by one or more hardware processors, a plurality of user attributes and resource attributes for identifying a set of potential users accessing a set of pre-defined resources in a system;
based upon the plurality of user attributes and resource attributes:
create, by the one or more hardware processors, one or more policies in the system to provide a user access to one or more resource modules for a policy based access control, wherein the one or more resource modules comprises of data and metadata on an information system;
generate, using a user code generating module, a first set of codes for authorizing one or more authenticated users from the plurality of users to the one or more resource modules; and
generate, using a policy code generating module, a second set of codes based upon the first set of codes and one or more resource identifiers to perform a comparison between the second set of codes with a set of policy codes for identifying the one or more policies matching with the plurality of user attributes;
perform, by the one or more hardware processors, the comparison of the set of policy codes with the second set of codes to obtain one or more matching codes for identifying the one or more policies matching one or more user attributes amongst the plurality of user attributes; and
determine, by the one or more hardware processors, at least a subset of policies from the one or more policies matching the one or more user attributes amongst the plurality of user attributes for obtaining a final set of policies from the one or more policies relevant to one or more authorization requests relevant to the users.
6. The system of claim 4, wherein the one or more hardware processors are further configured to generate the set of policy codes by mapping the set of policy codes generated to the one or more policies created to perform the identification of the one or more policies matching the one or more user attributes amongst the plurality of user attributes.
7. The system of claim 4, wherein the one or more hardware processors are further configured to perform a selection of a category of policies from the one or more policies created based upon the mapping and the plurality of resource attributes to optimize the performance of evaluating the final set of policies from the one or more policies for obtaining the final set of policies from the one or more policies.
8. The system of claim 4, wherein the one or more hardware processors are further configured to perform the comparison between the second set of codes with the set of policy codes by generating, using the policy code generating module, the set of policy codes for the one or more policies to optimize the performance of searching and evaluating the one or more policies created.
Description:
FORM 2
THE PATENTS ACT, 1970
(39 of 1970)
&
THE PATENT RULES, 2003
COMPLETE SPECIFICATION
(See Section 10 and Rule 13)
Title of invention:
SYSTEMS AND METHODS FOR OPTIMIZING POLICY SEARCHING AND EVALUATION
Applicant:
Tata Consultancy Services Limited
A company Incorporated in India under the Companies Act, 1956
Having address:
Nirmal Building, 9th Floor,
Nariman Point, Mumbai 400021,
Maharashtra, India
The following specification particularly describes the invention and the manner in which it is to be performed.
TECHNICAL FIELD
[0001] The present disclosure generally relates to optimizing performance of policy searching and evaluation. More particularly, the present disclosure relates to systems and methods for optimizing performance of policy searching and evaluation.
BACKGROUND
[0002] The computing world has been experiencing explosive development in technology and its application in both government and corporate sectors. Computer systems in today’s world comprise massively networked and interconnected systems communicating through intranets or the internet. Further, with the growth of digital technologies, Internet of Things (IoT) based applications and cloud networks, where thousands of devices and applications are interconnected and accessed by thousands of people across an organization and by millions of people across the world, security becomes a larger and more prevalent concern. Often an organization may deploy security mechanisms that enable remote access while maintaining a level of authentication and authorization for those resources. Organizations also employ virtual private networks (VPNs) to provide employees with remote access to the system’s resources. Employees are often allowed to obtain access to important resources from a variety of computing devices, including kiosks, mobile devices, and home computers, as well as computing devices provided and maintained by the organization. Also, in an environment such as a shared-resource service bureau environment, where many employees and/or clients have access to a computer system capable of running numerous applications, it is often desirable to be able to restrict access by certain users or classes of users to one or more features of such applications.
[0003] Therefore, one of the most challenging problems in managing large networks results from the complexity of security administration, making authorization an important issue in computer and network systems. In this regard, authorization mechanisms exist in operating systems, applications, or anywhere resource access control is concerned. Authorization may comprise authentication and access control. Authentication may, inter alia, deal with determining who a user is, and access control often deals with the problem “what is the purpose of the user in accessing a resource, and how far may the user access the resource?”. Historically, access control has been based on the identity of a user requesting execution of a capability to perform an operation (e.g., read) on an object (e.g., a file). This was done either directly, as in discretionary access control or mandatory access control, or through predefined attribute types such as roles or groups assigned to that user, as in role based access control. However, with the increase in security challenges, policy based access control has gained a lot of importance.
[0004] In policy based access control, a user grants access to resources by creating a policy, and whenever any user attempts to access a resource, a policy engine evaluates all the policies applicable to the resource and grants or denies access based on the evaluation result. Policies define how users interact with the different systems and applications. Traditional systems and methods provide policy based access control; however, the policy engine also evaluates policies that may not be applicable to the authorization context, and that severely affects the performance of the system.
SUMMARY
[0005] The following presents a simplified summary of some embodiments of the disclosure in order to provide a basic understanding of the embodiments. This summary is not an extensive overview of the embodiments. It is not intended to identify key/critical elements of the embodiments or to delineate the scope of the embodiments. Its sole purpose is to present some embodiments in a simplified form as a prelude to the more detailed description that is presented below.
[0006] Systems and methods of the present disclosure enable optimizing performance of policy searching and evaluation. In an embodiment of the present disclosure, there is provided a method for optimizing performance of policy searching and evaluation, the method comprising: defining, by one or more hardware processors, a plurality of user attributes and resource attributes for identifying a set of potential users accessing a set of pre-defined resources in a system; based upon the plurality of user attributes and resource attributes: (i) creating, by the one or more hardware processors, one or more policies in the system to provide a user access to one or more resource modules for a policy based access control, wherein the one or more resource modules comprise data and metadata on an information system; (ii) generating, using a user code generating module, a first set of codes for authorizing one or more authenticated users from a plurality of users to the one or more resource modules; and (iii) generating, using a policy code generating module, a second set of codes based upon the first set of codes and one or more resource identifiers for performing a comparison between the second set of codes and a set of policy codes for identifying the one or more policies matching the plurality of user attributes; performing, by the one or more hardware processors, the comparison of the set of policy codes with the second set of codes to obtain one or more matching codes for identifying the one or more policies matching one or more user attributes amongst the plurality of user attributes; determining, by the one or more hardware processors, at least a subset of policies from the one or more policies matching the one or more user attributes amongst the plurality of user attributes for obtaining a final set of policies from the one or more policies relevant to one or more authorization requests relevant to the users; generating the set of policy codes by performing a mapping of the set of policy codes generated to the one or more policies created for performing the identification of the one or more policies matching the one or more user attributes amongst the plurality of user attributes; performing the comparison between the second set of codes and the set of policy codes by generating, using the policy code generating module, the set of policy codes for the one or more policies for optimizing the performance of searching and evaluating the one or more policies created; and obtaining the final set of policies from the one or more policies by performing a selection of a category of policies from the one or more policies created based upon the mapping and the plurality of resource attributes for optimizing the performance of evaluating the final set of policies from the one or more policies.
[0007] In an embodiment of the present disclosure, there is provided a system for optimizing performance of policy searching and evaluation, the system comprising one or more processors; one or more data storage devices operatively coupled to the one or more processors and configured to store instructions configured for execution by the one or more processors to: define, by one or more hardware processors, a plurality of user attributes and resource attributes for identifying a set of potential users accessing a set of pre-defined resources in a system; based upon the plurality of user attributes and resource attributes: (i) create, by the one or more hardware processors, one or more policies in the system to provide a user access to one or more resource modules for a policy based access control, wherein the one or more resource modules comprise data and metadata on an information system; (ii) generate, using a user code generating module, a first set of codes for authorizing one or more authenticated users from the plurality of users to the one or more resource modules; (iii) generate, using a policy code generating module, a second set of codes based upon the first set of codes and one or more resource identifiers to perform a comparison between the second set of codes and a set of policy codes for identifying the one or more policies matching the plurality of user attributes; perform, by the one or more hardware processors, the comparison of the set of policy codes with the second set of codes to obtain one or more matching codes for identifying the one or more policies matching one or more user attributes amongst the plurality of user attributes; determine, by the one or more hardware processors, at least a subset of policies from the one or more policies matching the one or more user attributes amongst the plurality of user attributes for obtaining a final set of policies from the one or more policies relevant to one or more authorization requests relevant to the users; generate the set of policy codes by mapping the set of policy codes generated to the one or more policies created to perform the identification of the one or more policies matching the one or more user attributes amongst the plurality of user attributes; perform a selection of a category of policies from the one or more policies created based upon the mapping and the plurality of resource attributes to optimize the performance of evaluating the final set of policies from the one or more policies for obtaining the final set of policies from the one or more policies; and perform the comparison between the second set of codes and the set of policy codes by generating, using the policy code generating module, the set of policy codes for the one or more policies to optimize the performance of searching and evaluating the one or more policies created.
[0008] It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure, as claimed.
BRIEF DESCRIPTION OF THE DRAWINGS
[0009] The embodiments herein will be better understood from the following detailed description with reference to the drawings, in which:
[0010] Fig. 1 illustrates a block diagram of a system for optimizing performance of policy searching and evaluation according to an embodiment of the present disclosure;
[0011] Fig. 2 is an architecture illustrating the components of a system for optimizing performance of policy searching and evaluation according to an embodiment of the present disclosure; and
[0012] Fig. 3 is a flowchart illustrating the steps involved for optimizing performance of policy searching and evaluation according to an embodiment of the present disclosure.
DETAILED DESCRIPTION OF THE EMBODIMENTS
[0013] The embodiments herein and the various features and advantageous details thereof are explained more fully with reference to the non-limiting embodiments that are illustrated in the accompanying drawings and detailed in the following description. The examples used herein are intended merely to facilitate an understanding of ways in which the embodiments herein may be practiced and to further enable those of skill in the art to practice the embodiments herein. Accordingly, the examples should not be construed as limiting the scope of the embodiments herein.
[0014] The embodiments of the present disclosure provide systems and methods for optimizing performance of policy searching and evaluation. Many organizations provide access to their systems and applications in a secure manner. Existing mechanisms for controlling such access typically employ user credentials, such as by requiring external users to provide a recognized username and a corresponding password. With the growth of digital technologies and Internet of Things (IoT) based applications, numerous other devices (such as mobiles) have been given the capacity to access computers remotely, and are being used to access and download sensitive information. These devices are regarded as greatly enhancing user productivity by allowing ready access to data, but their security is often inadequate and may introduce new security threats. These security threats may, inter alia, comprise theft of the devices (for example, a mobile device, leading to loss of sensitive information) and vulnerabilities that may arise during the synchronization of a mobile device with a desktop or comparable computer. Policies define how users interact with the different systems and applications.
[0015] Policy based access control provides for defining attributes that describe session properties, applying a policy management method that is free from application logic, and using an independent access control decision mechanism. As a consequence, policy based access control is more flexible in restricting sessions and makes great progress in supporting multiple policies. However, in policy based access control a user grants access to resources by creating a policy, and whenever any user attempts to access the resource, a policy engine may evaluate all the policies applicable to the resource and grant access based on the evaluation result. Traditional systems and methods provide policy based access control; however, the policy engine also evaluates policies that may not be applicable to the authorization context, and that severely affects the performance of the system. Hence, there is a need for a technology that classifies the policies based on the associated resources and improves system performance by selecting, from amongst the multiple policies created, the fewest policies matching the user attributes for evaluation.
[0016] Referring now to the drawings, and more particularly to FIG. 1 through FIG. 3, where similar reference characters denote corresponding features consistently throughout the figures, there are shown preferred embodiments and these embodiments are described in the context of the following exemplary system and/or method.
[0017] FIG. 1 illustrates an exemplary block diagram of a system 100 for optimizing performance of policy searching and evaluation. In an embodiment, the system 100 includes one or more processors 104, communication interface device(s) or input/output (I/O) interface(s) 106, and one or more data storage devices or memory 102 operatively coupled to the one or more processors 104. The one or more processors 104, which are hardware processors, can be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, state machines, logic circuitries, and/or any devices that manipulate signals based on operational instructions. Among other capabilities, the processor(s) are configured to fetch and execute computer-readable instructions stored in the memory. In an embodiment, the system 100 can be implemented in a variety of computing systems, such as laptop computers, notebooks, hand-held devices, workstations, mainframe computers, servers, a network cloud and the like.
[0018] The I/O interface device(s) 106 can include a variety of software and hardware interfaces, for example, a web interface, a graphical user interface, and the like and can facilitate multiple communications within a wide variety of networks N/W and protocol types, including wired networks, for example, LAN, cable, etc., and wireless networks, such as WLAN, cellular, or satellite. In an embodiment, the I/O interface device(s) can include one or more ports for connecting a number of devices to one another or to another server.
[0019] The memory 102 may include any computer-readable medium known in the art including, for example, volatile memory, such as static random access memory (SRAM) and dynamic random access memory (DRAM), and/or non-volatile memory, such as read only memory (ROM), erasable programmable ROM, flash memories, hard disks, optical disks, and magnetic tapes.
[0020] According to an embodiment of the present disclosure, referring to FIG. 2, the architecture and components of the system for optimizing performance of policy searching and evaluation may now be considered in detail. A client application 201 may comprise one or more software programs that integrate with the processing capabilities of another program and help in creating one or more applications (for example, Windows based applications) and one or more application services (for example, a profile application service) which may be used, inter alia, for authenticating a user and determining one or more roles for an authenticated user. To access any resource in the client application 201, the user needs to authenticate by providing a username and password. A user code generating module 202 generates the user codes for successfully authenticated users. For example, a user whose role is developer, designation is software engineer, location is Hyderabad and account is Bank of America attempts to authenticate with the system; after successful authentication the module generates the user code 1DE2SE3HY4BA, where 1 is the attribute ID and DE is the attribute value of role, 2 is the attribute ID and SE is the attribute value of designation, and 3 is the attribute ID and HY is the attribute value of location. A policy code generating module 203 generates policy codes based upon the user codes generated by the user code generating module 202 for identifying policies matching the user attributes. For example, when the user whose user code is 1DE2SE3HY4BA attempts to access the project document RDF, the policy picker generates the code 1DE2SE3HY4BA15RDF. A database 204 stores policy mapping details, for example policy file attributes like Role: Developer, Designation: AST, Location: CHENNAI. A policy selector module 205 selects the policies mapped or tagged with the policy codes and communicates the list of selected policies to a policy engine 206 for evaluation. The policy engine 206 evaluates the policies provided by the system 101. A policy creation module 207 is used by the one or more hardware processors 104 for creating policies in the system 100.
[0021] FIG. 3, with reference to FIG. 1, illustrates an exemplary flow diagram of a method for optimizing performance of policy searching and evaluation according to an embodiment of the present disclosure. In an embodiment the system 100 comprises one or more data storage devices of the memory 102 operatively coupled to the one or more hardware processors 104 and is configured to store instructions for execution of the steps of the method by the one or more processors 104. The steps of the method of the present disclosure will now be explained with reference to the components of the system 100 as depicted in FIG. 1 and the flow diagram. In the embodiments of the present disclosure, a policy based access control is implemented in the system 100, and the hardware processors 104, when configured by the instructions, perform one or more of the methodologies described herein.
[0022] In an embodiment of the present disclosure, at step 302, the one or more hardware processors 104 define a plurality of user attributes and resource attributes for identifying a set of potential users accessing a set of pre-defined resources in a system. In an embodiment of the present disclosure, the user may comprise of one or more entities that may have an authority to use an application, facility or system 100 and who may further interact with the system 100, typically through an interface to extract one or more functional benefits. For example, if a file XYZ has been created in the system 100, any person or a group of persons having an access to the file XYZ may be the user of the file. The user or a group of users may be defined or created in the system 100 using one or more commands. For example, using create user command, a new user account may be generated for creating a new user as:
CREATE USER keys_admin IDENTIFIED BY MyPassword;
[0023] According to an embodiment of the present disclosure, the plurality of user attributes and resource attributes may then be defined for identifying the set of potential users accessing a set of pre-defined resources in a system. The user attributes comprise one or more properties (for example, a role or a location) of the user entities. The user attributes may be defined by an administrator and comprise several properties, for example name, data type, level of user access and default values. For example, to define the user attributes for a business object, program management may need to be accessed as a user with the administrator role. From the administrator tab, expand roles>default>business objects. Then, from the attributes screen for the business object, select create attribute, enter details such as name, type and default, and select ok.
[0024] The resource attributes comprise any data that the business process may access during runtime and are used to store information about resources. For example, there may be a “resource type” attribute defined, in which each resource’s “resource type” is stored. Thus, to define the resource attributes, for example, in the prototypeXML string of the adapter Java file, an attribute such as the following may be declared:
host (description: ‘Enter the resource host name.’)
[0025] According to an embodiment of the present disclosure, based upon the plurality of user attributes and resource attributes defined, the identification of the set of potential users accessing the set of pre-defined resources in the system 100 may be performed. For example, in an organization, one or more supervisors may be allowed to delegate requests related to leave or claims approvals to a subordinate or an assistant, who approves or rejects the requests on behalf of the one or more supervisors. For example, the plurality of user attributes and resource attributes of the user Bob defined in the system 100 may be project: XYZ, account: ABCD, location: Pune, employee-id: 0888999, designation: Scientist. So, a supervisor X1 may create a policy X1 by selecting a combination of one or more attributes like project: XYZ, account: ABCD, location: Pune and designation: Scientist from amongst the plurality of user attributes and resource attributes. In this way, one or more users tagged or mapped to the combination of attributes (project: XYZ, account: ABCD, location: Pune and designation: Scientist) may be delegated to approve or reject the requests on behalf of the supervisor X1. If two or more users tagged or mapped to the combination of attributes are identified, they may both be selected for delegation to approve or reject the requests on behalf of the supervisor X1. Suppose the supervisor X1 wants to select only one person, for example Bob, to perform one or all of the delegated tasks; he may then select one or more additional attributes such as user name (user name: Bob) to identify Bob as the person performing the delegated tasks.
[0026] According to an embodiment of the present disclosure, at step 304, the one or more hardware processors 104 create one or more policies in the system 100 to provide a user access to one or more resource modules for a policy based access control, wherein the one or more resource modules comprise data and metadata on an information system. A policy may determine the rules for accessing one or more resources of the system 100 (for example, a printer or a SecureID token). The policy may be stored in a directory server (for example, a Netscape directory server) from where a gateway may read it. Although a single security gateway is shown, it is contemplated that multiple gateways may protect (limit) access to one or more protected networks. Each policy may specify: (1) an entity allowed or denied access (such as a user or a user group); (2) a requested resource (for example, a web server); (3) the gateway through which access occurs; (4) the authentication type, and the effective dates and times for the policy, among others. It may be noted that the one or more hardware processors 104 may create the one or more policies in the system 100 using the policy creation module 207.
[0027] The policy's scope may cover a single entity, a set of entities, or all entities. In an embodiment, the one or more policies (for example, a policy A1) may be created by the user (who wants other user(s) to access his one or more resources) through a screen provided by the system 100 to the user in the client application 201, for example a Representational State Transfer (REST) client application, to select one or more user attributes from amongst the plurality of user attributes and a resource identifier (for example, ftp://example.org/resource.txt) for creating the one or more policies. The user selects the resource identifier and the one or more user attributes like role, designation, location, account and time period. Based on the selection of the resource identifier and the one or more user attributes, the system 100 may create a policy file, for example X.policy, with the selected attribute values. The policy file is an American Standard Code for Information Interchange (ASCII) file and may comprise a configuration file used by the Java Runtime Environment (JRE) and Java SE Development Kit (JDK) to determine the granted permissions for each Java program. It contains a list of permission information that specifies the types of system resource accesses that a Java program can use. Based upon the one or more policies created, the user may be granted access to one or more resource modules for a policy based access control. In an embodiment the resource module may be used, inter alia, to query or modify the current settings and limits of the one or more resources (of the system 100) and may comprise the data and metadata (for example, name, street address, city, a password required to access the target of the Uniform Resource Identifier, etc.) on the information system (for example, a database management system). The one or more resource modules may further comprise (but are not limited to) a leave module, a finance module, a payroll module, etc.
[0028] According to an embodiment of the present disclosure, the one or more hardware processors 104 generate, using the user code generating module 202, a first set of codes for authorizing one or more authenticated users from the plurality of users to the one or more resource modules. This is preceded by the user creating the one or more policies in the system 100 selecting one or more attributes (for example, role, designation, project details etc.) pertaining to the other user(s) intending to access the one or more resources. For example, a user whose role is developer, designation is software engineer, location is Hyderabad and account is Bank of America attempts to authenticate with the system 100; after successful authentication, the one or more hardware processors 104 generate, using the user code generating module 202, the first set of codes, also known as the user code(s), as 1DE2SE3HY4BA, where:
1DE -> 1 is the attribute id and DE is the attribute value of Role.
2SE -> 2 is the attribute id and SE is the attribute value of Designation.
3HY -> 3 is the attribute id and HY is the attribute value of Location.
The user creating the one or more policies may be any person who has the authority to create and/or define accesses (for example, access to system resources like a printer) for the other user(s) intending to access the one or more resources, for example, a supervisor, a project manager or an administrator. The other user(s) may be a team member, a coordinator or any other person associated with the user creating the one or more policies and to be authorized (by the user creating the one or more policies) to access the one or more resources.
[0029] When the other user(s) want(s) to access the one or more resources, they first need to log in to the client application 201 using the policy based access control implemented by the system 100. Upon successful authentication with the system 100, the one or more hardware processors 104 may generate, using the user code generating module 202, the first set of codes, known as the user codes, for authorizing the one or more authenticated users to the one or more resource modules. The first set of codes may be generated using the one or more authenticated users' attributes, identifiers (for example, an employee id) and attribute values (for example, a user X having files less than 1). For example, for a user A whose role is developer, designation is software engineer, location is Hyderabad and account is Bank of America, the first set of codes may be generated as the user code 1DE2SE3HY4BA. Based upon the first set of codes (that is, the user codes) generated, the user authorizing the other user(s) interacts with the client application 201 by establishing a communication through one or more means (for example, using an access token or a session identifier). For example, while accessing Google™ APIs, an OAuth 2.0 access token may be generated so that one or more applications of the other user(s) may interact with Google's™ OAuth 2.0 server for obtaining the consent of the other user(s) to perform an application programming interface (API) request on behalf of the other user(s). The client application 201, upon receiving the communication from the system 100 through one or more means (for example, by receiving the access token transmitted by the system 100), displays a home page, thereby authenticating the other user(s) to access the one or more resources (for example, project documents uploaded in.
When the other user(s) attempt(s) to access the one or more resources or modules, for example, project documents, the client application 201 communicates the details of the one or more resources and the access token back to the system 100.
[0030] According to an embodiment of the present disclosure, the one or more hardware processors 104 generate, using the policy code generating module 203, a second set of codes (explained below with an example in the following paragraph) based upon the first set of codes and one or more resource identifiers for performing a comparison between the second set of codes and predefined system generated codes for identifying the one or more policies matching with the plurality of user attributes. Upon receiving the details of the one or more resources and the communication from the client application 201 (for example, via the access token sent by the client application 201, which was transmitted by the system 100 to the client application 201), the one or more hardware processors 104, upon being instructed by the system 100, further generate the second set of codes from the first set of codes and the one or more resource identifiers using the code generating module.
[0031] The code generating module may generate the second set of codes using the one or more user attributes (selected or defined by the user creating the one or more policies), for example, role, location and account, and the one or more resource details like the Uniform Resource Identifier (URI). The detailed flow of how the second set of codes is generated by the code generating module may now be considered along with an example. If the policy file is created with the one or more user attributes like developer, system engineer, Nelson, Hyderabad and the resource identifier LA, the code generating module may generate the second set of codes as 1DE2SE3NE4HYLA. In the second set of codes generated, 1, 2, 3 and 4 are attribute ids and DE, SE, NE, HY and LA are the attribute values of the other user(s) intending to access the one or more resources. Similarly, if the policy file is created with the one or more user attributes like ALL (ROLE), System Engineer, Nelson, Hyderabad and the resource identifier LA, the second set of codes for the policy is 2SE3NE4HYLA, where 2, 3 and 4 are the attribute ids of the user and SE, NE, HY and LA are the attribute values.
[0032] The one or more hardware processors 104 may then perform a comparison of the second set of codes generated with the predefined system generated codes for identifying the one or more policies matching with the plurality of user attributes. For example, if the second set of codes generated by the code generating module based upon the first set of codes and the one or more resource identifiers is 1DE2SE3HY4BA15RDF and the predefined system generated code is 1DE2SE3HY4BA15RDF (a stored policy code tagged with the one or more policies), the one or more hardware processors 104 perform a comparison between the second set of codes and the predefined system generated codes for identifying the one or more policies matching with the plurality of user attributes. Since the second set of codes matches the predefined system generated codes (the code 1DE2SE3HY4BA15RDF matches), the one or more hardware processors 104 may select the one or more policies mapped or tagged to the predefined system generated codes, and may further allow the policy engine 206 to evaluate the one or more policies (explained in step 308 below).
[0033] According to an embodiment of the present disclosure, the one or more hardware processors 104 may perform a further comparison of the attribute ids and the attribute values of the second set of codes with the attribute ids and the attribute values of the predefined system generated codes. If the attribute ids and the attribute values of the second set of codes match those of the predefined system generated codes, the one or more hardware processors 104 may perform a further comparison between the one or more user attributes of the second set of codes and the one or more user attributes of the predefined system generated codes. If the one or more user attributes match, the one or more hardware processors 104 may further allow the policy engine 206 to evaluate the one or more policies (explained in step 308 below). For example, if the second set of codes generated is 1DE2SE3HY4BA15RDF and the predefined system generated code is 1DE2SE4BA15RDF, then 1, 2 and 4 are the attribute ids, DE, SE and BA are the attribute values of role, designation and project name respectively and 15 is the attribute id of the resource RDF. It may be noted that in the predefined system generated code (that is, 1DE2SE4BA15RDF) 3HY is missing (where 3 is the attribute id and HY is the attribute value of a location), that is, the location attribute id is missing. This means that the one or more policies may be applicable to any location. Here, there is a match, that is, the second set of codes matches the predefined system generated code and hence the one or more hardware processors 104 may further allow the policy engine 206 to evaluate the one or more policies. According to an embodiment, if an attribute id is missing in the predefined system generated code, the one or more policies may be applicable to the one or more users having any value of that particular attribute id.
Therefore, even if the location attribute id, that is, 3HY, is missing in the predefined system generated code (1DE2SE4BA15RDF), the one or more policies may be considered applicable to the one or more users having the particular attribute id. Similarly (taking another example), if the second set of codes is 1DE2SE3CH4BA15RDF and the predefined system generated code is 1DE2SE4BA15RDF, it will be a match, since the one or more policies will be applicable to the one or more users in Chennai. Thus, the one or more hardware processors 104 may further allow the policy engine 206 to evaluate the one or more policies.
[0034] However, if the predefined system generated code is 1DE2AS3BF4HY, the comparison between the second set of codes and the predefined system generated codes results in a mismatch and the one or more policies may not be selected.
[0035] According to an embodiment of the present disclosure, the one or more hardware processors 104 generate, using the policy code generating module 203, a set of policy codes for the one or more policies for performing a comparison of the set of policy codes with the second set of codes for identifying the one or more policies matching the one or more user attributes amongst the plurality of user attributes. The set of policy codes may comprise a set of stored codes tagged with the one or more policies. It may be noted that in an embodiment of the present disclosure, generating the set of policy codes for the one or more policies may further comprise performing a mapping of the set of policy codes generated with the one or more policies created, for performing the identification of the one or more policies matching the one or more user attributes amongst the plurality of user attributes. Whenever the one or more policies are created in the system 100, the set of policy codes may be generated by the one or more hardware processors 104 using the policy code generating module 203 by selecting the attribute values and the attribute ids from the policy file. For example, suppose the policy file is created with the attributes Role: Developer, Designation: AST, Location: CHENNAI, ACCOUNT: BFSI, RESOURCE IDENTIFIER: FDC.
The set of policy codes generated by the policy code generating module 203 may be: 1DE2AS3CH4BF15FDC.
The system 100 through the one or more hardware processors 104 tags the one or more policies with the generated set of policy codes 1DE2AS3CH4BF15FDC.
If any other user(s) create(s) a new policy file with the same attributes (Role: Developer, Designation: AST, Location: CHENNAI, ACCOUNT: BFSI, RESOURCE IDENTIFIER: FDC), the policy code generating module 203 generates the same set of policy codes as above, 1DE2AS3CH4BF15FDC, and the system 100, through the one or more hardware processors 104, checks whether the policy code already exists; if it exists, it tags this policy to the already existing policy code.
Upon performing the mapping, the one or more hardware processors 104 may then store the mapping details or the tagging details (for example, the policy file attributes like Role: Developer, Designation: AST, Location: CHENNAI, ACCOUNT: BFSI, RESOURCE IDENTIFIER: FDC and the set of policy codes generated for them) in the database 204. It may be noted that if one or more codes already exist in the system 100, the one or more policies may be mapped or tagged to the one or more existing codes and the one or more existing codes may be identified as the set of policy codes. For example, if the existing code is 1DE2AS3CH4BF15FDC, the one or more policies may be mapped or tagged to the existing code 1DE2AS3CH4BF15FDC.
[0036] According to an embodiment of the present disclosure, at step 306, the one or more hardware processors 104 perform the comparison of the set of policy codes with the second set of codes to obtain the one or more matching codes for identifying the one or more policies matching the one or more user attributes amongst the plurality of user attributes. Based upon the comparison of the set of policy codes with the second set of codes, in case of a match between the set of policy codes and the second set of codes, the one or more hardware processors 104, using the policy selector module 205, further select or pick the one or more policies mapped or tagged to the set of policy codes. In case of a mismatch, none of the one or more policies is selected or picked. For example, if the second set of codes generated is 1DE2SE3HY4BA15RDF and the set of policy codes (the predefined system generated code) is 1DE2SE3HY4BA15RDF, then 1, 2, 3 and 4 are the attribute ids, DE, SE, HY and BA are the attribute values of role, designation, location and project name respectively and 15 is the attribute id of the resource RDF. Here, there is a match and hence the one or more hardware processors 104 may further allow the policy engine 206 to evaluate the one or more policies.
[0037] According to an embodiment of the present disclosure, at step 308, the one or more hardware processors 104 determine at least a subset of policies from the one or more policies matching the one or more user attributes amongst the plurality of user attributes for obtaining a final set of policies from the one or more policies relevant to one or more authorization requests relevant to the users. This is preceded by an evaluation, by the policy engine 206, of the one or more policies selected based upon the comparison of the set of policy codes with the second set of codes in step 306 above. For example, if the one or more hardware processors 104, using the policy selector module 205, communicate the list of the one or more policies (for example, apply-xyz and interpret-xyz) to the policy engine 206, the policy engine 206 evaluates the one or more policies (apply-xyz and interpret-xyz) available in the policy folders as per the list. The traditional systems and methods provide for the policy based access control. However, in the traditional systems and methods the policy engine evaluates policies which may not be applicable to the authorization context, and that severely affects the performance of the system. Thus, the present disclosure improves the performance of the policy evaluation, as the policy engine 206 evaluates the one or more policies selected, and the policy engine 206 may perform the evaluation of the one or more policies based upon one or more resource attributes from amongst the plurality of resource attributes. The one or more hardware processors 104 may perform a comparison of the one or more resource attributes defined and one or more attempting user attributes to obtain a set of matching user attributes for evaluating the one or more policies.
For example, if the existing policy code mapped or tagged with the one or more policies is 1DE2SE3HY4BA and the set of policy codes generated is 1DE2SE3HY4BA15RDF, then the one or more hardware processors 104 may perform a comparison of the attribute ids and the attribute values of the set of policy codes generated with the attribute ids and the attribute values of the existing policy code mapped or tagged with the one or more policies.
[0038] If the comparison matches, the one or more hardware processors 104 may perform a further comparison between the one or more user attributes of the set of codes generated and the one or more user attributes of the existing policy code. If the one or more user attributes match, the one or more hardware processors 104 may further allow the policy engine 206 to evaluate the one or more policies (explained in step 308). In this example, if the second set of codes generated is 1DE2SE3HY4BA15RDF and the existing policy code is 1DE2SE3HY4BA, then 1 and 2 are the attribute ids, DE and SE are the attribute values of role and designation respectively and 15 is the attribute id of the resource. Here, there is a match and hence the one or more hardware processors 104 may further allow the policy engine 206 to evaluate the one or more policies. Thus, if the policy apply-xyz is mapped or tagged to the existing policy code, the one or more hardware processors 104 select, using the policy engine 206, the policy apply-xyz.
[0039] According to an embodiment of the present disclosure, the present disclosure may enhance the system's performance by optimizing the performance of policy searching and evaluation. The traditional systems and methods provide for a single policy or multiple policies tagged to the one or more resources, and whenever any user attempts to access the one or more resources, the system may allow the policy engine to evaluate each and every policy tagged to the one or more resources. However, according to an embodiment of the present disclosure, suppose a set of policies like policy A, policy B, policy C, policy D and policy E are tagged to the one or more resources R. When the user U attempts to access the one or more resources R, the policy selector module 205 may select only some of the one or more policies and not all; for example, the policy selector module 205 may select the policy A and the policy C (as the one or more user attributes of the policy A and the policy C match the attempting user attributes) by performing a comparison of the set of codes. The system 100 (through the one or more hardware processors 104) may then allow the policy engine 206 to evaluate the policy A and the policy C, thereby skipping the policy B, the policy D and the policy E, since their one or more user attributes may not match the attempting user attributes.
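The code generation of paragraphs [0028]-[0031], the wildcard matching of [0032]-[0034], the policy tagging and de-duplication of [0035] and the selection of only policy A and policy C in [0039] are shown together below as an added example; it is not code from the patent or from any implementation of it. It assumes the attribute ids and two-letter values used in the patent's own examples (1 role, 2 designation, 3 location, 4 account, 15 resource), that attribute values are already abbreviated upstream, and that a policy attribute the requester lacks is a mismatch (the text does not cover that case).

```python
"""Attribute codes such as 1DE2SE3HY4BA15RDF: numeric attribute id followed
by an abbreviated value, concatenated.  A policy code that omits an attribute
id applies to every value of that attribute (the 3HY wildcard example)."""
import re
from typing import Dict, List, Optional

# Attribute ids as used in the patent's worked examples (assumption: which
# id denotes which attribute is taken from those examples).  15 = resource.
ROLE, DESIGNATION, LOCATION, ACCOUNT, RESOURCE = 1, 2, 3, 4, 15

_TOKEN = re.compile(r"(\d+)([A-Z]+)")


def encode(attrs: Dict[int, str], resource: Optional[str] = None) -> str:
    """Build a code from {attribute id: abbreviated value} plus an optional
    resource identifier.  Values must be uppercase letters so that ids and
    values can be told apart when the code is parsed again."""
    parts = dict(attrs)
    if resource is not None:
        parts[RESOURCE] = resource
    for attr_id, value in parts.items():
        if attr_id <= 0 or not (value.isalpha() and value.isupper()):
            raise ValueError(f"bad attribute {attr_id!r}={value!r}")
    # Sorted by id so the same attribute set always yields the same code;
    # this is what lets two identically-defined policies share one code.
    return "".join(f"{k}{parts[k]}" for k in sorted(parts))


def decode(code: str) -> Dict[int, str]:
    """Split a code back into {attribute id: value}; reject malformed input
    rather than silently matching on garbage."""
    if not re.fullmatch(r"(?:\d+[A-Z]+)+", code):
        raise ValueError(f"malformed code: {code!r}")
    decoded: Dict[int, str] = {}
    for attr_id, value in _TOKEN.findall(code):
        if int(attr_id) in decoded:
            raise ValueError(f"duplicate attribute id {attr_id} in {code!r}")
        decoded[int(attr_id)] = value
    return decoded


def matches(request_code: str, policy_code: str) -> bool:
    """Compare the requester's second-set code with a stored policy code.
    Every attribute id in the policy code must be present in the request
    code with the same value; an id absent from the policy code is a
    wildcard.  An id the requester lacks is a mismatch (assumption)."""
    request, policy = decode(request_code), decode(policy_code)
    return all(request.get(k) == v for k, v in policy.items())


class PolicyRegistry:
    """Policy code -> policy names, mirroring the tagging step of [0035]."""

    def __init__(self) -> None:
        self.by_code: Dict[str, List[str]] = {}

    def tag(self, policy_name: str, attrs: Dict[int, str],
            resource: Optional[str] = None) -> str:
        """Generate the policy code; if it already exists, tag the new
        policy to the existing code instead of storing a second copy."""
        code = encode(attrs, resource)
        self.by_code.setdefault(code, []).append(policy_name)
        return code

    def select(self, request_code: str) -> List[str]:
        """Policies the policy engine must evaluate for this request; every
        other policy is skipped without evaluation."""
        selected: List[str] = []
        for code, names in self.by_code.items():
            if matches(request_code, code):
                selected.extend(names)
        return selected


if __name__ == "__main__":
    reg = PolicyRegistry()
    reg.tag("policy A", {ROLE: "DE", DESIGNATION: "SE", ACCOUNT: "BA"}, "RDF")
    reg.tag("policy B", {ROLE: "DE", DESIGNATION: "AS", LOCATION: "BF", ACCOUNT: "HY"})
    reg.tag("policy C", {ROLE: "DE", DESIGNATION: "SE", LOCATION: "HY", ACCOUNT: "BA"})
    user = encode({ROLE: "DE", DESIGNATION: "SE", LOCATION: "HY", ACCOUNT: "BA"}, "RDF")
    print(user, "->", reg.select(user))  # policy A and policy C; policy B skipped
```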
[0040] It may be noted that the output of all the steps performed above (that is, steps 302 to 308), for example, the plurality of user attributes and resource attributes, the first and the second set of codes, the set of policy codes and the final set of policies obtained from the one or more policies created etc., gets stored in the memory 102 of the system 100.
[0041] The written description describes the subject matter herein to enable any person skilled in the art to make and use the embodiments. The scope of the subject matter embodiments is defined by the claims and may include other modifications that occur to those skilled in the art. Such other modifications are intended to be within the scope of the claims if they have similar elements that do not differ from the literal language of the claims or if they include equivalent elements with insubstantial differences from the literal language of the claims.
[0042] It is to be understood that the scope of the protection is extended to such a program and in addition to a computer-readable means having a message therein; such computer-readable storage means contain program-code means for implementation of one or more steps of the method, when the program runs on a server or mobile device or any suitable programmable device. The hardware device can be any kind of device which can be programmed including e.g. any kind of computer like a server or a personal computer, or the like, or any combination thereof. The device may also include means which could be e.g. hardware means like e.g. an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or a combination of hardware and software means, e.g. an ASIC and an FPGA, or at least one microprocessor and at least one memory with software modules located therein. Thus, the means can include both hardware means and software means. The method embodiments described herein could be implemented in hardware and software. The device may also include software means. Alternatively, the embodiments may be implemented on different hardware devices, e.g. using a plurality of CPUs.
[0043] The embodiments herein can comprise hardware and software elements. The embodiments that are implemented in software include but are not limited to, firmware, resident software, microcode, etc. The functions performed by various modules described herein may be implemented in other modules or combinations of other modules. For the purposes of this description, a computer-usable or computer readable medium can be any apparatus that can comprise, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
[0044] The illustrated steps are set out to explain the exemplary embodiments shown, and it should be anticipated that ongoing technological development will change the manner in which particular functions are performed. These examples are presented herein for purposes of illustration, and not limitation. Further, the boundaries of the functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternative boundaries can be defined so long as the specified functions and relationships thereof are appropriately performed. Alternatives (including equivalents, extensions, variations, deviations, etc., of those described herein) will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein. Such alternatives fall within the scope and spirit of the disclosed embodiments. Also, the words “comprising,” “having,” “containing,” and “including,” and other similar forms are intended to be equivalent in meaning and be open ended in that an item or items following any one of these words is not meant to be an exhaustive listing of such item or items, or meant to be limited to only the listed item or items. It must also be noted that as used herein and in the appended claims, the singular forms “a,” “an,” and “the” include plural references unless the context clearly dictates otherwise.
[0045] Furthermore, one or more computer-readable storage media may be utilized in implementing embodiments consistent with the present disclosure. A computer-readable storage medium refers to any type of physical memory on which information or data readable by a processor may be stored. Thus, a computer-readable storage medium may store instructions for execution by one or more processors, including instructions for causing the processor(s) to perform steps or stages consistent with the embodiments described herein. The term “computer-readable medium” should be understood to include tangible items and exclude carrier waves and transient signals, i.e., be non-transitory. Examples include random access memory (RAM), read-only memory (ROM), volatile memory, nonvolatile memory, hard drives, CD ROMs, DVDs, BLU-RAYs, flash drives, disks, and any other known physical storage media.
[0046] It is intended that the disclosure and examples be considered as exemplary only, with a true scope and spirit of disclosed embodiments being indicated by the following claims.
| # | Name | Date |
|---|---|---|
| 1 | 201721034001-STATEMENT OF UNDERTAKING (FORM 3) [25-09-2017(online)].pdf | 2017-09-25 |
| 2 | 201721034001-REQUEST FOR EXAMINATION (FORM-18) [25-09-2017(online)].pdf | 2017-09-25 |
| 3 | 201721034001-FORM 18 [25-09-2017(online)].pdf | 2017-09-25 |
| 4 | 201721034001-FORM 1 [25-09-2017(online)].pdf | 2017-09-25 |
| 6 | 201721034001-DRAWINGS [25-09-2017(online)].pdf | 2017-09-25 |
| 7 | 201721034001-COMPLETE SPECIFICATION [25-09-2017(online)].pdf | 2017-09-25 |
| 8 | 201721034001-FORM-26 [31-10-2017(online)].pdf | 2017-10-31 |
| 9 | 201721034001-Proof of Right (MANDATORY) [14-12-2017(online)].pdf | 2017-12-14 |
| 10 | 201721034001-ORIGINAL UNDER RULE 6 (1A)-FORM 1-21-12-2017.pdf | 2017-12-21 |
| 11 | Abstract.jpg | 2018-08-11 |
| 12 | 201721034001- ORIGINAL UR 6( 1A) FORM 26-021117.pdf | 2018-11-12 |
| 13 | 201721034001-OTHERS [24-02-2021(online)].pdf | 2021-02-24 |
| 14 | 201721034001-FER_SER_REPLY [24-02-2021(online)].pdf | 2021-02-24 |
| 15 | 201721034001-COMPLETE SPECIFICATION [24-02-2021(online)].pdf | 2021-02-24 |
| 16 | 201721034001-CLAIMS [24-02-2021(online)].pdf | 2021-02-24 |
| 17 | 201721034001-FER.pdf | 2021-10-18 |
| 18 | 201721034001-US(14)-HearingNotice-(HearingDate-02-02-2024).pdf | 2023-12-26 |
| 19 | 201721034001-FORM-26 [30-01-2024(online)].pdf | 2024-01-30 |
| 20 | 201721034001-FORM-26 [30-01-2024(online)]-1.pdf | 2024-01-30 |
| 21 | 201721034001-Correspondence to notify the Controller [30-01-2024(online)].pdf | 2024-01-30 |
| 22 | 201721034001-Written submissions and relevant documents [16-02-2024(online)].pdf | 2024-02-16 |
| 23 | 201721034001-PatentCertificate19-02-2024.pdf | 2024-02-19 |
| 24 | 201721034001-IntimationOfGrant19-02-2024.pdf | 2024-02-19 |
| 1 | SEARCHE_24-08-2020.pdf | |