US 12,147,559 B1
Secure geolocation-based data access control in a distributed computing environment
Umesh Bangalore Rangappa, Bengaluru (IN); Krishnaraj Sooji, Bengaluru (IN); and Prabhu Karthik Ganesan, Bengaluru (IN)
Assigned to FMR LLC, Boston, MA (US)
Filed by FMR LLC, Boston, MA (US)
Filed on Dec. 29, 2023, as Appl. No. 18/399,972.
Int. Cl. G06F 21/62 (2013.01); H04L 9/40 (2022.01)
CPC G06F 21/6227 (2013.01) [H04L 63/08 (2013.01); H04L 63/107 (2013.01)] 26 Claims
OG exemplary drawing
 
1. A system for secure geolocation-based data access control in a distributed computing environment, the system comprising a server computing device having a memory for storing computer-executable instructions and a processor that executes the computer-executable instructions to:
capture a data access request from a remote computing device via a first communication channel, the data access request including a data query, a requestor geolocation, and a requestor identity corresponding to a user of the remote computing device;
determine whether the requestor geolocation corresponds to a non-restricted zone or a restricted zone;
determine whether the requestor identity has permission to receive a full view or a masked view of data responsive to the data query;
compare the requestor geolocation to a baseline geolocation associated with the requestor identity, including determining whether the requestor identity is associated with a plurality of recent prior data access requests from geolocations other than the baseline geolocation;
retrieve data responsive to the data query;
generate a response to the data access request, the response including:
a full view of the retrieved data when (i) the requestor geolocation corresponds to a non-restricted zone or the requestor geolocation matches the baseline geolocation, and (ii) the requestor identity has permission to receive the full view, or
a masked view of the retrieved data when (i) the requestor geolocation corresponds to a restricted zone and the requestor geolocation does not match the baseline geolocation or (ii) the requestor identity has permission to receive the masked view; and
when the generated response comprises a masked view of the retrieved data:
determine that the user of the remote computing device has requested a full view of the responsive data by evaluating a key-value pair stored in the data access request; and
decline the full view request when the requestor identity is associated with a plurality of recent prior data access requests from geolocations other than the baseline geolocation, or
authenticate the remote computing device using the requestor identity via a second communication channel and update the generated response to comprise the full view of the retrieved data upon successful authentication of the remote computing device when the requestor identity is not associated with a plurality of recent prior data access requests from geolocations other than the baseline geolocation; and
transmit the generated response to the remote computing device.
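The decision logic of claim 1, written out as an added Python example (not code from the patent or its assignee). The data store, the masking rule, the identity and zone tables, the "plurality" threshold of three prior foreign requests, and the second-channel authenticator stub are all constructed assumptions for illustration; the branch order follows the claim elements literally.

```python
"""Geolocation-based access decision modelled on claim 1.
All names, thresholds and sample records below are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

# Constructed sample data store, keyed by the data query string.
DATA_STORE: Dict[str, List[dict]] = {
    "accounts:alice": [
        {"account": "1234567890", "balance": 2500.00, "ssn": "123-45-6789"},
    ],
}

# Fields that the masked view redacts (assumed).
SENSITIVE_FIELDS: Set[str] = {"account", "ssn"}


@dataclass
class DataAccessRequest:
    query: str
    geolocation: str                # requestor geolocation, here a country code
    identity: str                   # requestor identity
    wants_full_view: bool = False   # the key-value pair the claim evaluates


@dataclass
class AccessPolicy:
    restricted_zones: Set[str]
    baseline_geolocation: Dict[str, str]     # identity -> baseline geolocation
    full_view_permitted: Dict[str, bool]     # identity -> full (True) or masked (False)
    recent_foreign_requests: Dict[str, int]  # identity -> recent requests from non-baseline geos
    foreign_request_limit: int = 3           # assumed threshold for "a plurality"


def mask_record(record: dict) -> dict:
    """Masked view: keep only the last four characters of sensitive string fields."""
    out = {}
    for key, value in record.items():
        if key in SENSITIVE_FIELDS and isinstance(value, str):
            out[key] = "*" * max(len(value) - 4, 0) + value[-4:]
        else:
            out[key] = value
    return out


def evaluate(req: DataAccessRequest, policy: AccessPolicy,
             second_channel_auth: Callable[[str], bool]) -> dict:
    """Return the response the server would transmit: view type, reason and data."""
    rows = DATA_STORE.get(req.query, [])
    in_restricted_zone = req.geolocation in policy.restricted_zones
    matches_baseline = req.geolocation == policy.baseline_geolocation.get(req.identity)
    has_full_permission = policy.full_view_permitted.get(req.identity, False)
    many_foreign = (policy.recent_foreign_requests.get(req.identity, 0)
                    >= policy.foreign_request_limit)

    # Full view: (location is non-restricted or matches baseline) and permission allows it.
    if (not in_restricted_zone or matches_baseline) and has_full_permission:
        return {"view": "full", "reason": "location and permission allow full view",
                "data": rows}

    # Otherwise the generated response is a masked view.
    reason = ("restricted zone away from baseline geolocation"
              if in_restricted_zone and not matches_baseline
              else "identity permitted masked view only")
    response = {"view": "masked", "reason": reason,
                "data": [mask_record(r) for r in rows]}
    if not req.wants_full_view:
        return response

    # User asked for the full view: decline on repeated foreign access, else step up.
    if many_foreign:
        response["reason"] = "full view declined: repeated requests from non-baseline geolocations"
        return response
    if second_channel_auth(req.identity):
        return {"view": "full",
                "reason": "full view granted after second-channel authentication",
                "data": rows}
    response["reason"] = "second-channel authentication failed"
    return response


# Constructed policy tables for the demonstration.
POLICY = AccessPolicy(
    restricted_zones={"XX"},
    baseline_geolocation={"alice": "US", "bob": "US"},
    full_view_permitted={"alice": True, "bob": False},
    recent_foreign_requests={"alice": 5, "bob": 0},
)


def demo() -> List[dict]:
    """Three requests exercising the full, declined and step-up branches."""
    always_ok = lambda identity: True  # stub second channel; a real one would push a challenge
    return [
        evaluate(DataAccessRequest("accounts:alice", "US", "alice"), POLICY, always_ok),
        evaluate(DataAccessRequest("accounts:alice", "XX", "alice", True), POLICY, always_ok),
        evaluate(DataAccessRequest("accounts:alice", "US", "bob", True), POLICY, always_ok),
    ]


if __name__ == "__main__":
    for result in demo():
        print(result["view"], "-", result["reason"], "-", result["data"])
```

Note that, read literally, the step-up branch of the claim converts a masked view into a full view after second-channel authentication whenever the identity has few recent foreign requests, including the case where masking was applied because the identity only holds masked-view permission; the third demo request shows exactly that path. A deployment would normally also gate that branch on the identity's full-view permission, and the `reason` field is kept on every response so that declined and stepped-up decisions can be logged for review.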