FORM 2
THE PATENTS ACT, 1970
(39 of 1970)
&
THE PATENT RULES, 2003
COMPLETE SPECIFICATION (See Section 10 and Rule 13)
Title of invention:
METHOD AND SYSTEM FOR CONTEXTUAL RELATIONSHIP BASED
ACCESS CONTROL
Applicant
Tata Consultancy Services Limited A company Incorporated in India under the Companies Act, 1956
Having address:
Nirmal Building, 9th floor,
Nariman point, Mumbai 400021,
Maharashtra, India
Preamble to the description
The following specification particularly describes the invention and the manner in which it is to be performed.

TECHNICAL FIELD [001] The disclosure herein generally relates to the field of information security and, more particular, to a method and system for contextual relationship based access control.
BACKGROUND
[002] A resource is an important asset of an organization. Resources associated with an organization include computing devices, sensitive documents, printing and scanning devices, work zone and the like. Unauthorized access of any resource may lead to data loss and similar consequences. Hence an access control mechanism is necessary for effective protection of resources. A unique access control characteristic of enterprises should be based on an association of a resource with an entity and a user’s compliance to certain policies. For example, the user should be allowed to access the resources associated with his/her project only.
[003] Conventional methods utilize role based access control. The role based access control is not suitable for large enterprises since it includes a large number of roles. Here the access is granted until the user is associated with a role which mandates a role for each user. This leads to access to all resources without considering the sensitivity and criticality of the resources. Further, role based access control is unable to restrict access to resource based on its span. To implement such controls additional configurations are needed along with roles. Further, the role based approach is inefficient as it requires superfluous mappings and requires huge administrative effort. Hence it is challenging to provide access to resources based on the sensitivity and criticality of the system with less administrative effort and efficiency.
SUMMARY
[004] Embodiments of the present disclosure present technological
improvements as solutions to one or more of the above-mentioned technical
problems recognized by the inventors in conventional systems. For example, in one
embodiment, a method for contextual relationship based access control is provided.

The method includes a receiving an access request from a user, wherein the access request is a resource access request. Further the method includes obtaining an access path associated with the access request from a policy database, wherein the access path is a relationship path defining a relationship between the user and a resource, wherein the access path includes a number of relationships, a relationship hierarchy and a number of optional relationships. Furthermore, the method includes identifying a relationship type associated with the access path, wherein the relationship type includes one of, an individual relationship and a hierarchical relationship. Furthermore, the method includes obtaining a plurality of relationship paths based on the relationship hierarchy and the number of optional relationships associated with the access path. Furthermore, the method includes identifying an unvisited shortest relationship path from the plurality of relationship paths based on the number of relationships associated with each of the plurality of relationship paths, wherein the unvisited relationship path is marked as visited after traversing. Furthermore, the method includes identifying a matching relationship path corresponding to the unvisited shortest relationship path from the relationship graph based on the plurality of relationships associated with the unvisited shortest relationship path. Finally, the method includes allowing the user to access the resource if the relationship path value is set to one.
[005] In another aspect, a system for contextual relationship based access control is provided. The system includes at least one memory storing programmed instructions, one or more Input /Output (I/O) interfaces, and one or more hardware processors operatively coupled to the at least one memory, wherein the one or more hardware processors are configured by the programmed instructions to receive an access request from a user, wherein the access request is a resource access request. Further, the one or more hardware processors are configured by the programmed instructions to obtain an access path associated with the access request from a policy database, wherein the access path is a relationship path defining a relationship between the user and a resource, wherein the access path comprises a number of relationships, a relationship hierarchy and a number of optional relationships. Furthermore, the one or more hardware processors are configured by the

programmed instructions to identify a relationship type associated with the access path, wherein the relationship type includes one of, an individual relationship and a hierarchical relationship. Furthermore, the one or more hardware processors are configured by the programmed instructions to obtain a plurality of relationship paths based on the relationship hierarchy and the number of optional relationships associated with the access path. Furthermore, the one or more hardware processors are configured by the programmed instructions to identify an unvisited shortest relationship path from the plurality of relationship paths based on the number of relationships associated with each of the plurality of relationship paths, wherein the unvisited relationship path is marked as visited after traversing. Furthermore, the one or more hardware processors are configured by the programmed instructions to identify a matching relationship path corresponding to the unvisited shortest relationship path from the relationship graph based on the plurality of relationships associated with the unvisited shortest relationship path. Finally, the one or more hardware processors are configured by the programmed instructions to allow the user to access the resource if the relationship path value is set to one.
[006] In yet another aspect, a computer program product including a non-transitory computer-readable medium having embodied therein a computer program for contextual relationship based access control is provided. The computer readable program, when executed on a computing device, causes the computing device to receive an access request from a user, wherein the access request is a resource access request. Further, the computer readable program, when executed on a computing device, causes the computing device to obtain an access path associated with the access request from a policy database, wherein the access path is a relationship path defining a relationship between the user and a resource, wherein the access path includes a number of relationships, a relationship hierarchy and a number of optional relationships. Furthermore, the one or more hardware processors are configured by the programmed instructions the computer readable program, when executed on a computing device, causes the computing device to identify a relationship type associated with the access path, wherein the relationship type includes one of, an individual relationship and a hierarchical relationship.

Furthermore, the computer readable program, when executed on a computing device, causes the computing device to obtain a plurality of relationship paths based on the relationship hierarchy and the number of optional relationships associated with the access path. Furthermore, the computer readable program, when executed on a computing device, causes the computing device to identify an unvisited shortest relationship path from the plurality of relationship paths based on the number of relationships associated with each of the plurality of relationship paths, wherein the unvisited relationship path is marked as visited after traversing. Furthermore, the computer readable program, when executed on a computing device, causes the computing device to identify a matching relationship path corresponding to the unvisited shortest relationship path from the relationship graph based on the plurality of relationships associated with the unvisited shortest relationship path. Finally, the one or more hardware processors are configured by the programmed instructions to allow the user to access the resource if the relationship path value is set to one.
[007] It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention, as claimed.
BRIEF DESCRIPTION OF THE DRAWINGS
[008] The accompanying drawings, which are incorporated in and constitute a part of this disclosure, illustrate exemplary embodiments and, together with the description, serve to explain the disclosed principles:
[009] FIG. 1 is a functional block diagram of a system for contextual relationship based access control, according to some embodiments of the present disclosure.
[010] FIG. 2 is an exemplary flow diagram for a method for contextual relationship based access control implemented by the system of FIG. 1, in accordance with some embodiments of the present disclosure.
[011] FIG. 3A and 3B are exemplary flow diagrams for a method to identify a matching relationship path for contextual relationship based access

control implemented by the system of FIG. 1, in accordance with some embodiments of the present disclosure.
[012] FIG. 4 is an exemplary Enterprise Relationship (ER) model for the method for contextual relationship based access control implemented by the system of FIG. 1, in accordance with some embodiments of the present disclosure.
[013] FIG. 5A is an exemplary relationship graph for the method for contextual relationship based access control implemented by the system of FIG. 1, in accordance with some embodiments of the present disclosure.
[014] FIG. 5B is an exemplary linear access path associated the method for contextual relationship based access control implemented by the system of FIG. 1, in accordance with some embodiments of the present disclosure.
[015] FIG. 6 illustrates an overall architecture illustrating the method for contextual relationship based access control, in accordance with some embodiments of the present disclosure.
DETAILED DESCRIPTION OF EMBODIMENTS [016] Exemplary embodiments are described with reference to the accompanying drawings. In the figures, the left-most digit(s) of a reference number identifies the figure in which the reference number first appears. Wherever convenient, the same reference numbers are used throughout the drawings to refer to the same or like parts. While examples and features of disclosed principles are described herein, modifications, adaptations, and other implementations are possible without departing from the spirit and scope of the disclosed embodiments. [017] Embodiments herein provide a method and system for contextual relationship based access control. The method and system for contextual relationship based access control provides a controlled access to critical and sensitive resources based on contextual relationship between a user and a plurality of resources. Initially, the system receives an access request and obtains a corresponding access path for the access request. The access path is further evaluated based on a plurality of contextual relationship to permit the user for accessing the plurality of resources. The access path is evaluated using a

relationship graph. The plurality of contextual relationship includes a hierarchical relationship, a temporal relationship and an optional relationship. Here, the relationship graph is searched in both forward and reverse directions simultaneously, which increases the time efficiency of the system.
[018] Referring now to the drawings, and more particularly to FIGS. 1 through 6, where similar reference characters denote corresponding features consistently throughout the figures, there are shown preferred embodiments and these embodiments are described in the context of the following exemplary system and/or method.
[019] FIG. 1 is a functional block diagram of a system 100 for contextual relationship based access control, according to some embodiments of the present disclosure. The system 100 includes or is otherwise in communication with hardware processors 102, at least one memory such as a memory 104, an I/O interface 112. The hardware processors 102, memory 104, and the Input /Output (I/O) interface 112 may be coupled by a system bus such as a system bus 108 or a similar mechanism. In an embodiment, the hardware processors 102 can be one or more hardware processors.
[020] The I/O interface 112 may include a variety of software and hardware interfaces, for example, a web interface, a graphical user interface, and the like. The I/O interface 112 may include a variety of software and hardware interfaces, for example, interfaces for peripheral device(s), such as a keyboard, a mouse, an external memory, a printer and the like. Further, the I/O interface 112 may enable the system 100 to communicate with other devices, such as web servers and external databases.
[021] The I/O interface 112 can facilitate multiple communications within a wide variety of networks and protocol types, including wired networks, for example, local area network (LAN), cable, etc., and wireless networks, such as Wireless LAN (WLAN), cellular, or satellite. For the purpose, the I/O interface 112 may include one or more ports for connecting a number of computing systems with one another or to another server computer. The I/O interface 112 may include one

or more ports for connecting a number of devices to one another or to another server.
[022] The one or more hardware processors 102 may be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, node machines, logic circuitries, and/or any devices that manipulate signals based on operational instructions. Among other capabilities, the one or more hardware processors 102 is configured to fetch and execute computer-readable instructions stored in the memory 104.
[023] The memory 104 may include any computer-readable medium known in the art including, for example, volatile memory, such as Static Random Access Memory (SRAM) and Dynamic Random Access Memory (DRAM), and/or non-volatile memory, such as Read Only Memory (ROM), erasable programmable ROM, flash memories, hard disks, optical disks, and magnetic tapes. In an embodiment, the memory 104 includes a plurality of modules 106 and an access control unit 114. The memory 104 also includes a data repository (or repository) 110 for storing data processed, received, and generated by the plurality of modules 106 and the access control unit 114.
[024] The plurality of modules 106 include programs or coded instructions that supplement applications or functions performed by the system 100 for contextual relationship based access control. The plurality of modules 106, amongst other things, can include routines, programs, objects, components, and data structures, which performs particular tasks or implement particular abstract data types. The plurality of modules 106 may also be used as, signal processor(s), node machine(s), logic circuitries, and/or any other device or component that manipulates signals based on operational instructions. Further, the plurality of modules 106 can be used by hardware, by computer-readable instructions executed by the one or more hardware processors 102, or by a combination thereof. The plurality of modules 106 can include various sub-modules (not shown). The plurality of modules 106 may include computer-readable instructions that supplement applications or functions performed by the system 100 for contextual relationship based access control.

[025] The data repository (or repository) 110 may include a plurality of abstracted piece of code for refinement and data that is processed, received, or generated as a result of the execution of the plurality of modules in the module(s) 106 and the modules associated with access control unit 114. The data repository may include Enterprise Relationship (ER) models and relationship graphs associated with the method for contextual relationship based access control.
[026] Although the data repository 110 is shown internal to the system 100, it will be noted that, in alternate embodiments, the data repository 110 can also be implemented external to the system 100, where the data repository 110 may be stored within a database (not shown in FIG. 1) communicatively coupled to the system 100. The data contained within such external database may be periodically updated. For example, new data may be added into the database (not shown in FIG. 1) and/or existing data may be modified and/or non-useful data may be deleted from the database (not shown in FIG. 1). In one example, the data may be stored in an external system, such as a Lightweight Directory Access Protocol (LDAP) directory and a Relational Database Management System (RDBMS).
[027] FIG. 2 is an exemplary flow diagram for a processor implemented method for contextual relationship based access control implemented by the system of FIG. 1 according to some embodiments of the present disclosure. In an embodiment, the system 100 includes one or more data storage devices or the memory 104 operatively coupled to the one or more hardware processor(s) 102 and is configured to store instructions for execution of steps of the method 200 by the one or more hardware processors 102. The steps of the method 200 of the present disclosure will now be explained with reference to the components or blocks of the system 100 as depicted in FIG. 1 and the steps of flow diagram as depicted in FIG. 2. The method 200 may be described in the general context of computer executable instructions. Generally, computer executable instructions can include routines, programs, objects, components, data structures, procedures, modules, functions, etc., that perform particular functions or implement particular abstract data types. The method 200 may also be practiced in a distributed computing environment where functions are performed by remote processing devices that are linked through

a communication network. The order in which the method 200 is described is not intended to be construed as a limitation, and any number of the described method blocks can be combined in any order to implement the method 200, or an alternative method. Furthermore, the method 200 can be implemented in any suitable hardware, software, firmware, or combination thereof.
[028] At step 202 of the method 200, the one or more hardware processors 102 receive an access request from a user, wherein the access request is a resource access request, wherein the resource comprises one of, a computing device, a document, a work zone and the like. The user can be a developer, a unit head, a product delivery owner and the like.
[029] At step 204 of the method 200, the one or more hardware processors 102 obtain an access path associated with the access request from a policy database, wherein the access path is a relationship path defining a relationship between the user and a resource. The access path includes a number of relationships, a relationship hierarchy and a number of optional relationships. For example, considering the access path r;n;r1@2;r2, ‘n’ indicates number of relations in a hierarchy. “@o” indicates number of optional relations. In the above example, “@2” indicates that there are 2 optional relationships, means the relationship r1 is optional but can occur maximum 2 times.
[030] At step 206 of the method 200, the one or more hardware processors 102 identify a relationship type associated with the access path. The relationship type includes one of, an individual relationship and a hierarchical relationship. The type of relationship is represented along with the access path while creating the policy. For example, “UnitHead:3” in a relationship path indicates that this is a hierarchical relationship with 3 levels forward in the hierarchy. In another example, “TeamMemberOf:-3” indicates that the hierarchical relationship is with 3 backward levels.
[031] At step 208 of the method 200, the one or more hardware processors 102 obtain a plurality of relationship paths based on the relationship hierarchy and the number of optional relationships associated with the access path. For example, the plurality of relationship paths associated with the access path r:3;r1@2;r2 are

(i) r;r2 where r1 is optional (ii) r;r1;r2 with one r1 relationship (iii) r;r1;r1;r2 with two r1 relationships 4) r’;r2, where r’ is part of relationship hierarchy (iv) r’;r1;r2 with one r1 relationship (v) r’;r1;r1;r2 with two r1 relationships (vi) r”;r2 where r” is part of relationship hierarchy (vii) r”;r1;r2 with one r1 relationship and (viii) r”;r1;r1;r2 with two r1 relationships. In the example access path r:3;r1@2;r2, it is indicated that 3 levels of hierarchy exists.
[032] At step 210 of the method 200, the one or more hardware processors 102 identify a shortest relationship path from a plurality of unvisited relationship paths based on the number of relationships associated with each of the plurality of relationship paths. For example, the shortest path among the plurality of relationship paths from the above example is “r1;r2”.
[033] At step 212 of the method 200, the one or more hardware processors 102 identify the matching relationship path corresponding to the unvisited shortest relationship path from the relationship graph based on the plurality of relationships associated with the unvisited shortest relationship path. The method includes obtaining a first forward relationship corresponding to a first node of the unvisited shortest relationship path. The first forward relationship is marked as visited after traversing. Further, a first set of immediate nodes associated with a start node of the relationship graph is obtained based on a plurality of active forward edges corresponding to the first forward relationship. The plurality of active forward edges includes a plurality of incoming and outgoing edges associated with the start node. Furthermore, a first backward relationship corresponding to a last node of the unvisited shortest relationship path is obtained. The first backward relationship is marked as visited after traversing. Simultaneously, a second set of immediate nodes associated with an end node of the relationship graph is also obtained based on a plurality of active backward edges corresponding to the first backward relationship. The plurality of active backward edges includes a plurality of incoming edges and outgoing edges associated with the end node. Furthermore, a forward matching node is selected from the first set of immediate nodes of the relationship graph based on a comparison between the first set of immediate nodes and a neighbour node associated with the first node of the unvisited shortest relationship path.

Simultaneously, a backward matching node is selected from the second set of immediate nodes of the relationship graph based on a comparison between the second set of immediate nodes and a neighbour node associated with the last node of the unvisited shortest relationship path. A relationship path value is set as one, if the forward matching node and the backward matching node are equal, and each of the plurality of relationships of the unvisited shortest relationship path are visited. The relationship path value is set to zero otherwise. Furthermore, the first set of immediate nodes and the second set of immediate nodes are updated by obtaining a next set of immediate nodes corresponding to the forward matching node and the backward matching node respectively until a number of unvisited relationships between the first node and the last node is one. The updating is performed when the relationship path value is set to zero. The relationship path value as one, if a relationship exist between the forward matching node and the backward matching node when the number of unvisited relationships between the first node and the last node is one. The relationship path value is set to zero otherwise. Finally, the first node and the last node associated with the unvisited shortest path are updated by swapping first node and the last node with the corresponding neighbour node if the relationship path value is zero.
[034] At step 214 of the method 200, the one or more hardware processors 102 allow the user to access the resource when the relationship path value is set to one.
[035] FIG. 3A and 3B are exemplary flow diagrams for a method 300 to identify a matching relationship path for contextual relationship based access control 200 implemented by the system of FIG. 1, in accordance with some embodiments of the present disclosure.
[036] Now referring to FIG. 3A and 3B, at step 302 of the method 300, the one or more hardware processors 102 obtain the first forward relationship corresponding to the first node of the unvisited shortest relationship path. The first forward relationship is marked as visited after traversing.
[037] At step 304 of the method 300, the one or more hardware processors 102 obtain the first set of immediate nodes associated with the start node of the

relationship graph based on the plurality of active forward edges corresponding to the first forward relationship. The plurality of active forward edges includes the plurality of incoming and outgoing edges associated with the start node.
[038] At step 306 of the method 300, the one or more hardware processors 102 obtain the first backward relationship corresponding to the last node of the unvisited shortest relationship path. The first backward relationship is marked as visited after traversing.
[039] At step 308 of the method 300, the one or more hardware processors 102 simultaneously obtain the second set of immediate nodes associated with the end node of the relationship graph based on the plurality of active backward edges corresponding to the first backward relationship. The plurality of active backward edges includes the plurality of incoming edges and outgoing edges associated with the end node.
[040] At step 310 of the method 300, the one or more hardware processors 102 select the forward matching node from the first set of immediate nodes of the relationship graph based on the comparison between the first set of immediate nodes and the neighbour node associated with the first node of the unvisited shortest relationship path.
[041] At step 312 of the method 300, the one or more hardware processors 102 simultaneously select the backward matching node from the second set of immediate nodes of the relationship graph based on the comparison between the second set of immediate nodes and the neighbour node associated with the last node of the unvisited shortest relationship path.
[042] At step 314 of the method 300, the one or more hardware processors 102 set the relationship path value as one, if the forward matching node and the backward matching node are equal, and each of the plurality of relationships of the unvisited shortest relationship path are visited. The relationship path value is set to zero otherwise.
[043] At step 316 of the method 300, the one or more hardware processors 102 update the first set of immediate nodes and the second set of immediate nodes by obtaining the next set of immediate nodes corresponding to the forward

matching node and the backward matching node respectively until the number of unvisited relationships between the first node and the last node is one. The updating is performed when the relationship path value is set to zero.
[044] At step 318 of the method 300, the one or more hardware processors 102 set the relationship path value as one, if the relationship exist between the forward matching node and the backward matching node when the number of unvisited relationships between the first node and the last node is one. The relationship path value is set to zero otherwise.
[045] At step 320 of the method 300, the one or more hardware processors 102 update the first node and the last node associated with the unvisited shortest path by swapping first node and the last node with the corresponding neighbour node if the relationship path value is zero.
[046] The access control unit 114, when executed by one or more processors of the system 100 receive the access request from the user, wherein the access request is the resource access request, wherein the resource comprises one of, the computing device, the document, the work zone and the like. The user can be the developer, the unit head, the product delivery owner and the like as illustrated in FIG. 4.
[047] FIG. 4 is an exemplary Enterprise Relationship (ER) model for the method for contextual relationship based access control implemented by the system of FIG. 1, in accordance with some embodiments of the present disclosure. Now referring to FIG. 4, the node 412 covers a plurality of users including the unit head, the delivery owner and the team member. The unit head is associated with a unit 416, the delivery owner is associated with an account 418 and the team members are associated with a project 420. In an embodiment, all users are tagged to the work zone 422, the delivery center 424 and a location 426. In an embodiment, all users should be compliant to some mandatory provisions 414, for example, Back Ground Check (BGC), Non Disclosure Agreement (NDA) and information security quiz. The plurality of resources including the web portal 428, the documents 430, the computing devices 432, the printer 434, meeting room 436 and the server 438. The web portal 428 belongs to the unit 416, the documents 430 belongs to the account

418, the computing devices 432 belongs to the project 420, the printers 434 belongs to the work zone 422, the meeting room 436 belongs to the delivery center 424and the server 438 belongs to the location 426.
[048] Furthermore, the access control unit 114, when executed by one or more processors 102 of the system 100, obtain the access path associated with the access request from the policy database, wherein the access path is the relationship path defining the relationship between the user and the resource. The access path includes the number of relationships, the relationship hierarchy and the number of optional relationships. For example, r:n;r1@2;r2 with 2 as optional relationship and the number of relationships as n.
[049] Furthermore, the access control unit 114, when executed by one or more processors of the system 100, identifies the relationship type associated with the access path. The relationship type includes the individual relationship and the hierarchical relationship.
[050] Furthermore, the access control unit 114, when executed by one or more processors of the system 100, obtains the plurality of relationship paths based on the relationship hierarchy and the number of optional relationships associated with the access path. The number of optional relationship associated with a relationship path is computed by counting a number of edges between the user node and the resource node associated with the relationship path.
[051] For example, the plurality of relationship paths associated with the access path r:3;r1@2;r2 are: (i) r;r2 where r1 is optional (ii) r;r1;r2 with one r1 relationship (iii) r;r1;r1;r2 with two r1 relationships 4) r’;r2, where r’ is part of relationship hierarchy (iv) r’;r1;r2 with one r1 relationship (v) r’;r1;r1;r2 with two r1 relationships (vi) r”;r2 where r” is part of relationship hierarchy (vii) r”;r1;r2 with one r1 relationship and (viii) r”;r1;r1;r2 with two r1 relationships.
[052] Furthermore, the access control unit 114, when executed by one or more processors of the system 100, identifies the unvisited shortest relationship path from the plurality of unvisited relationship paths based on the number of relationships associated with each of the plurality of relationship paths.

[053] Furthermore, the access control unit 114, when executed by one or more processors of the system 100, identify the matching relationship path corresponding to the unvisited shortest relationship path from the relationship graph based on the plurality of relationships associated with the unvisited shortest relationship path. The method includes obtaining the first forward relationship corresponding to the first node of the unvisited shortest relationship path. The first forward relationship is marked as visited after traversing. Further, the first set of immediate nodes associated with the start node of the relationship graph is obtained based on the plurality of active forward edges corresponding to the first forward relationship. The plurality of active forward edges includes the plurality of incoming and outgoing edges associated with the start node. Furthermore, the first backward relationship corresponding to the last node of the unvisited shortest relationship path is obtained. The first backward relationship is marked as visited after traversing. Simultaneously, the second set of immediate nodes associated with an end node of the relationship graph is also obtained based on the plurality of active backward edges corresponding to the first backward relationship. The plurality of active backward edges includes the plurality of incoming edges and outgoing edges associated with the end node. Furthermore, the forward matching node is selected from the first set of immediate nodes of the relationship graph based on the comparison between the first set of immediate nodes and the neighbour node associated with the first node of the unvisited shortest relationship path. Simultaneously, the backward matching node is selected from the second set of immediate nodes of the relationship graph based on the comparison between the second set of immediate nodes and a neighbour node associated with the last node of the unvisited shortest relationship path. The relationship path value is set as one, if the forward matching node and the backward matching node are equal, and each of the plurality of relationships of the unvisited shortest relationship path are visited. The relationship path value is set to zero otherwise. Furthermore, the first set of immediate nodes and the second set of immediate nodes are updated by obtaining the next set of immediate nodes corresponding to the forward matching node and

the backward matching node respectively until a number of unvisited relationships between the first node and the last node is one.
[054] In an embodiment, if the number of unvisited relationships between the current first node and the current last node is one, then the method checks whether any relationship exist between the current forward matching node and the current backward matching node. The relationship path value is set as one, when a relationship is available between the current forward matching node and the current backward matching node. The relationship path value is set to zero when the relationship is unavailable between the current forward matching node and the current backward matching node. Further, the current first node and the current last node associated with the unvisited shortest path are updated by swapping the current first node and the current last node with the corresponding neighbour node when the relationship path value is zero.
[055] FIG. 5A is an exemplary relationship graph for the method for contextual relationship based access control implemented by the system of FIG. 1, in accordance with some embodiments of the present disclosure. The relationship graph includes a plurality of nodes and a plurality of edges between each of the plurality of nodes. Each node represents one of, a user, a plurality of entities and each of a plurality of resources. Each edge represents a corresponding associated between two nodes from the plurality of nodes connected by the edge.
[056] In an embodiment, the relationship graph illustrated in the FIG. 5A includes the plurality of nodes N0, N1, N2, N3, N4, N5, N6 and N’. The node N0 is associated with the node N1 using a relationship r1. The temporal data of this relationship is a Start Date (SD) and an End Date (ED). Here the SD is is a past date which is less than a current date and the ED is unspecified which indicates that the relationship is active. The node N1 is associated with the node N2 with the relationship r2 with the SD, a past date which is less than the current date and the ED unspecified which indicates that the relationship is active. Similarly, the node N3 is associated with the node N3 with an active relationship r3 and the node n3 is associated with the node N4 with an active relationship r4. Here, the SD is the past date and the ED is a future date which indicates that the relationship is active.

Further, the node N0 is associated with the node N5 with an active relationship r1. The node N5 is associated with the node N6 with an active relationship r2. The node N6 is associated with the node N’ with an active relationship r2. The node N2 is associated with the node N’ with a passive relationship r2. The relationship r2 between the node N2 and the node N’ is inactive since the SD is and the ED are past dates which are less than the current date. For example, when referring to FIG. 5B, when SD is a future date and the ED is an unspecified date, then the relationship is currently inactive and will be activated on the future date. If SD is a past date and the ED is an unspecified date, then the relationship is active. If SD is a past date and the ED is a future date, then the relationship is active. If SD is a past date and the ED is also a past date, then the relationship is inactive. If SD is an unspecified date and the ED is a past date or future date, then the relationship is an invalid relationship.
[057] FIG. 5B is an exemplary linear access path associated the method for contextual relationship based access control implemented by the system of FIG. 1, in accordance with some embodiments of the present disclosure.
[058] Referring to FIG. 5B, a linear access path for the unvisited shortest relationship path r1;r2;r3;r4 between the node N0 and N4 is represented as N0-r1-N1;N1-r2-N2;N2-r3-N3;N3-r4-N4.
[059] The method of identifying the matching relationship path corresponding to the unvisited relationship path illustrated in FIG. 5B (N1-r1-N2;N1-r2-N2;N2-r3-N3;N3-r4-N4) from the relationship graph illustrated in in FIG. 5A is explained as follows: The search process starts from the node N0. Initially, the first forward relationship associated with the unvisited shortest relationship path is obtained. Here, the first relationship is r1. The first set of immediate nodes associated with the start node N0 of the relationship graph is obtained based on the plurality of active forward edges corresponding to the first forward relationship. Here, the first set of immediate nodes are N1 and N5. Similarly, the first backward relationship is obtained with is r4. The second set of immediate node is N3. The forward matching node is obtained by comparing the first set of immediate nodes with the neighbour node of the first forward

relationship which is N1. Similarly, the backward matching node is N3. The forward matching node and the backward matching node are compared and the relationship value is set to one if both are equal and each of the plurality of relationships in the linear access path are visited. The relationship path value is zero if there is no match between the forward matching node and the backward matching node. In this example, there is no match between the forward matching node and the backward matching node. Hence the start node and the end node of the relationship graph are updated with the forward matching node and the backward matching node respectively. Further, the first forward relationship r2 and the first backward relationship r3 are obtained. The first set of immediate nodes (N2) and the second set of immediate nodes (N2) are obtained. The forward matching node and the backward matching node are N2 and N2 respectively. Since the forward matching node and the backward matching node are equal and each of the plurality of relationships in the linear access path are visited, the relationship value is set to one. The user is allowed to access the resource since the relationship exist between the user and the resource.
[060] In another example, considering the relationship path r1;r5;r2 between the nodes N0 and N’. The first forward relationship is r1 and the first set of immediate node is N5. The first backward relationship is r2 and the second set of immediate node is N6. Here, the forward matching node and the backward matching node are N5 and N6 respectively. Since the forward matching node and the backward matching node are not equal, the start node and the end node are updated with the forward matching node N5 and the backward matching node n6. Similarly, the first node and the last node of the access path are updated with the next neighbor nodes which are N5 and N6 respectively. Since only one relationship exist between the first node and the last node, the method 200 checks for any relationship between the forward matching node and the backward matching node. Here, the relationship r5 exist between the nodes N5 and N6. Hence the relationship path value is set to one and the user is allowed to access the requested resource.
[061] In another example, considering the relationship path r1;r2;r2 between the nodes N0 and N’, the initial node is N0 and the end node is N’. The

first set of immediate node is {N1,N5}. The second set of immediate node is NULL since there is no active relationship between the node N’ and the node N2. Hence the relationship path r1;r2;r2 is invalid and the user is denied from accessing the resource.
[062] The method of constructing the relationship graph includes (i) receiving a plurality of relationship data comprising a plurality of resources and a plurality of entities, wherein the relationship data is stored in the database (ii) creating a node for each of the plurality of entities and each of the plurality of resources to obtain the plurality of nodes (iii) creating a logical relationship between each of the plurality of entities and each of the plurality of resources in a triple form comprising subject, predicate and object and (iv) connecting each of the plurality of nodes using an edge based on the logical relationship data, wherein the logical relationship data comprising the hierarchical data, the optional relationship data and the temporal data among each of the plurality of nodes.
[063] For example, the relationship graph of a project is constructed based on the association of the project with the plurality of other entities. Here, the association is obtained by linking an originating and terminating nodes of a relationship with an originating node and terminating node of another relationship.
[064] In an embodiment, the relationship graph is represented in the system a Resource Description Framework (RDF). Generally, the system uses RDF standard for serializing relationships. In RDF, each edge is represented as a statement in a triple form, for example, Subject, Predicate and Object.
[065] In an embodiment, searching a relation path between two nodes n, n’ is complex, if there exist a plurality of relationships. In a typical large enterprise, there can be the plurality of relationships. Each relationship in a relationship path must be active in order to be considered as a valid relationship path. Hence, relationship search is an important aspect for an efficient system. An algorithm for checking existence of a relationship path is explained below.
[066] In an embodiment, the relationship path search starts from a first node-first relation and last node-last relation simultaneously as opposed to sequential relation search. This increases efficiency because unmatched

relationship paths will be detected early as two relation searches are performed at a time. Further, the present disclosure provides different logic for even and odd number of relationships in the relationship path.
[067] For even number of relationships, same methodology explained in previous paragraphs is followed until all relationships are processed. As a final step, it is checked whether same node exists in the two set of nodes, if a Relationship Path (RP) is found. Let us consider an example in the figure, relationship path r1;r2;r3;r4. First it gets two sets of nodes for first and last relationships r1 and r4 respectively, then, for each element from the two sets, it checks for relations r2 and r3. Finally, in these two sets, if same node exists, implies, one node is there that connects r2 and r3 which completes the relationship path r1;r2;r3;r4.
[068] A pseudocode for performing the relationship search is give below:
Input: Start node corresponding to the user or resource, End node corresponding to the user or resource. Returns True, if relationship path is found otherwise returns False.
Pseudocode 1:
1) [Rs] <- getrelations [RP] //Get relations from a relationship path ex:r1;r2.r3.r4; Rs is a set of relations
2) c <- Rs.count //c is number of relations in a relationship path RP
3) //Count of relationships in a relationship path
4) If c == 0 then exit
5) If c == 1 then
6) Return Checkrelationshipexists(Start node, End node, Rs[0],Current Date)
7) End if;
8) Nea.add = StartNode;Nsa.add=EndNode; //Nea, Nsa are sets of nodes
9) For i=0;i++;i < c Loop Loop through all relationships
Nea-cnt = Nea.count;
For j=0;j++; Nea-cnt Loop

Nea =Ø;
Ne = Ø;
[Ne] =getnodesforrelationship( Nea[j],
Rs[i], current date)
If [Ne] != Ø && Ne.count > 0 then [Nea] =+
[Ne] End Loop; Nsa-cnt = Nsa.count; For k=0;k++;Nsa-cnt Loop
Nsa = Ø;
Ns = Ø;
[Ns] = getnodesforrelationship( Nsa[k],
Rs[(c -1) - i], current date)
If [Ns] != Ø && Ns.count > 0 then [Nsa] =+
[Ns] End Loop;
10) If (Nea == Ø || Nsa == Ø) then return false;
11) If (i + 1 == (c -1) – i) then //even number of relationships
12) If samenodeExists([Nea], [Nsa]) then
13) return true
14) Elseif (i + 2 == (c -1) – i) //odd number of relationships
For j=0;j++; Nea-cnt Loop
For k=0;k++;Nsa-cnt Loop If
Checkrelationshipexists(Nea[j],Nsa[ k], Rs[i+1], Current Date) == True then
Return true; End if; ii. End Loop;

End Loop;
15) End Loop
16) Return False;
[069] The above mentioned algorithm initially checks whether a node exists for the first relationship, and last relationship in the relationship path RP. If there is only one relationship in the RP then it checks relationship exists between start node and end node. Otherwise, it checks all relationships in a loop. This algorithm follows different paths for even or odd number of relationships.
[070] In an example for odd number of relationships, when the relationship path is r1;r5;r2 as shown in the FIG. 5, the plurality of immediate nodes associated with relationship r1, and r2 with start node n0 and end node n’ are obtained. The result is the node N5 for r1, the node N6 for r2. As a next step, the pseudocode 2 checks for r5 exists between the nodes N5 and N6 using Checkrelationshipexists algorithm explained below. The said pseudocode returns True if the relationship exists, otherwise False. Pseudocode 2:
Checkrelationshipexists (StartNode, EndNode, RelationshipLabel, CurrentDate)
return True or False
1) [E] <-FindEdges(Startnode, EndNode)
2) If E == Ø return false
3) For i=0;i++;E.count Loop
4) If E[i].label = RelationshipLabel then
5) SD = E[i].StartDate;
6) ED = E[i].EndDate;
7) If ((SD == Ø && ED == Ø) || (CurrentDate > SD && CurrentDate < ED)) then 8) Return true;

9) End IF
10) return false
11) End Leoop

[071] The Checkrelationshipexists algorithm checks whether or not an active relationship exists between two nodes. For example, in the figure, for the edge N0 X r1 X N1, it returns true because active relationship exists, where as in case of the edge N2 X r2 X N’, it returns false because of inactive relationship.
[072] In an embodiment, the pseudocode 3 for the method getnodesforrelationship is explained below: Pseudocode 3:
getnodesforrelationship (Node, RelationshipLabel, CurrenDate) returns set of Nodes
1) [E] [N] <-getallimmediatedgeswithNodes(Node, RelationshipLabel, CurrenDate
2) Nodes = Ø

12) For i=0;i++;E.count Loop
13) If Checkrelationshipexists(Node, N[i], RelationshipLabel ,CurrentDate) == True then 14) Nodes.add = N[i];

15) End If;
16) End Loop;
17) Return Nodes;
[073] The getnodesforrelationship algorithm obtains a plurality of nodes on the other side of an edge for an active relationship. For example, for the node N0 and relationship r1, it returns node N1 in the edge N0 X r1 X N1 where as for the node N2 and relationship r2, it will not return any node even though relationship exists because the relation r2 is inactive.
[074] In an embodiment, pseudocode 4 for samenodeExists method is explained below: Pseudocode 4:
samenodeExists (SNodeset, ENodeset) Returns True, if same node exists in nodesets, otherwise False.
For i=0;i++;SNodeset.count Loop
For j=0;J++;ENodeset.count Loop

If SNodeset[i] = ENodeset[j] then Return true; End If; End Loop; End Loop; Return False
[075] Finally, the access control unit 114, when executed by one or more processors of the system 100 allow the user to access the resource when the relationship path value is set to one.
[076] FIG. 6 illustrates an overall architecture illustrating the method for contextual relationship based access control, in accordance with some embodiments of the present disclosure. Now referring to FIG. 6, the architecture includes a user management unit, an ER management unit and a policy management unit. The user management unit, the ER management unit and the policy management unit are present inside the access control unit 114.
[077] In an embodiment, the user management unit includes a user module 602, an access enforcement module 604, a relationship evaluator module 606, an authorization validation module 608, a resource 610 and a relationship trigger module 612. The relationship trigger module 612 is executed when a change is detected in the relationship context. For example, when a compliance is end dated upon expiry the relationship trigger module is executed to evaluate access policies applicable to the compliance and informs the decision to the resource owner. The access enforcement module 604 intercepts access requests, constructs access requests with required inputs, transforms access request to a form understandable to the authorization validation module 608. The relationship evaluator module 606 evaluates the existence of a relationship between the user and the resource. The authorization validation module 608 searches applicable policies for the access request, determines the access decision with the inputs from policy engine, determines access decision based on the net result of access policy and informs the access decision to access enforcement module.

[078] In an embodiment, the ER management module includes a relationship mapping manager 614, a relationship hierarchy manager 616 to manage a plurality of hierarchies, a resource management module 618, a relationship database 620, the relationship graph 622, a user management module 624 and an entity management module 626. The relationship mapping manager 614 handles relationship creation, modification, authority, hierarchy and storage. The Resource Management module 618 contains all the resources that need to be protected. The Relationship Database 620 stores the plurality of relationships. The user management module 624 is involved in user creation and associating the user to an entity. The entity management module 626 handles entity creation and entity mappings. In an embodiment, the policy management unit includes a policy engine 628, a policy evaluator 630, a relationship evaluator 632, a policy database 634, a policy updation module 636. The policy engine 628 reads access policies, evaluates the access policies with the help of the policy evaluator and relationship evaluator and passes the result to the authorization decision module. The policy evaluator 630 evaluates access policies with the help of the relationship evaluator. The policy database 634 stores the policies. The policy updation module 636 acts as the user interface for administrator to create/update access policies.
[079] In an embodiment, the relationship evaluator 632 checks whether any active relationship exist between the user and a resource. The relationship evaluator 632 starts with the start node (User or Process or Account) and destination node (Resource) and continue to check for relationships until it finds a common node. If relationship path contains hierarchical and optional relationships, it splits, appends and forms new relationship paths and evaluates all relationship paths until it finds relationship path between the user and resource.
[080] The written description describes the subject matter herein to enable any person skilled in the art to make and use the embodiments. The scope of the subject matter embodiments is defined by the claims and may include other modifications that occur to those skilled in the art. Such other modifications are intended to be within the scope of the claims if they have similar elements that do

not differ from the literal language of the claims or if they include equivalent elements with insubstantial differences from the literal language of the claims.
[081] The embodiments of present disclosure herein address unresolved problem of contextual relationship based access control based on temporal, hierarchical and optional relationships. Here, the search process is performed in both forward and backward direction simultaneously which reduces execution time and thereby increasing the system efficiency. Further, the system handles odd number of relationships and even number of relationships in an efficient manner.
[082] It is to be understood that the scope of the protection is extended to such a program and in addition to a computer-readable means having a message therein such computer-readable storage means contain program-code means for implementation of one or more steps of the method, when the program runs on a server or mobile device or any suitable programmable device. The hardware device can be any kind of device which can be programmed including e.g. any kind of computer like a server or a personal computer, or the like, or any combination thereof. The device may also include means which could be e.g. hardware means like e.g. an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or a combination of hardware and software means, e.g. an ASIC and an FPGA, or at least one microprocessor and at least one memory with software modules located therein. Thus, the means can include both hardware means and software means. The method embodiments described herein could be implemented in hardware and software. The device may also include software means. Alternatively, the embodiments may be implemented on different hardware devices, e.g. using a plurality of CPUs, GPUs and edge computing devices.
[083] The embodiments herein can comprise hardware and software elements. The embodiments that are implemented in software include but are not limited to, firmware, resident software, microcode, etc. The functions performed by various modules described herein may be implemented in other modules or combinations of other modules. For the purposes of this description, a computer-usable or computer readable medium can be any apparatus that can comprise, store, communicate, propagate, or transport the program for use by or in connection with

the instruction execution system, apparatus, or device. The illustrated steps are set out to explain the exemplary embodiments shown, and it should be anticipated that ongoing technological development will change the manner in which particular functions are performed. These examples are presented herein for purposes of illustration, and not limitation. Further, the boundaries of the functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternative boundaries can be defined so long as the specified functions and relationships thereof are appropriately performed. Alternatives (including equivalents, extensions, variations, deviations, etc., of those described herein) will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein. Such alternatives fall within the scope and spirit of the disclosed embodiments. Also, the words “comprising,” “having,” “containing,” and “including,” and other similar forms are intended to be equivalent in meaning and be open ended in that an item or items following any one of these words is not meant to be an exhaustive listing of such item or items, or meant to be limited to only the listed item or items. It must also be noted that as used herein and in the appended claims, the singular forms “a,” “an,” and “the” include plural references unless the context clearly dictates otherwise. Furthermore, one or more computer-readable storage media may be utilized in implementing embodiments consistent with the present disclosure. A computer-readable storage medium refers to any type of physical memory on which information or data readable by a processor may be stored. Thus, a computer-readable storage medium may store instructions for execution by one or more processors, including instructions for causing the processor(s) to perform steps or stages consistent with the embodiments described herein. The term “computer-readable medium” should be understood to include tangible items and exclude carrier waves and transient signals, i.e. non-transitory. Examples include random access memory (RAM), read-only memory (ROM), volatile memory, nonvolatile memory, hard drives, CD ROMs, DVDs, flash drives, disks, and any other known physical storage media.

[084] It is intended that the disclosure and examples be considered as exemplary only, with a true scope of disclosed embodiments being indicated by the following claims.
[085]

WE CLAIM:
1. A processor implemented method (200), the method comprising:
receiving an access request from a user, wherein the access request is a resource access request (202);
obtaining an access path associated with the access request from a policy database, wherein the access path is a relationship path defining a relationship between the user and a resource, wherein the access path comprises a number of relationships, a relationship hierarchy and a number of optional relationships (204);
identifying a relationship type associated with the access path, wherein the relationship type comprises one of, an individual relationship and a hierarchical relationship (206);
obtaining a plurality of relationship paths based on the relationship hierarchy and the number of optional relationships associated with the access path (208);
identifying an unvisited shortest relationship path from the plurality of relationship paths based on the number of relationships associated with each of the plurality of relationship paths (210), wherein the unvisited relationship path is marked as visited after traversing;
identifying a matching relationship path corresponding to the unvisited shortest relationship path from a relationship graph based on a plurality of relationships associated with the unvisited shortest relationship path (212); and
allowing the user to access the resource if the relationship path value is set to one (214).
2. The method as claimed in claim 1, wherein the relationship graph comprises
a plurality of nodes and a plurality of edges, wherein each node represents one of, a user, a plurality of entities and each of a plurality of resources, wherein each edge represents a corresponding association between two nodes from the plurality of nodes.

3. The method as claimed in claim 1, wherein the active edges are obtained by checking a temporal data associated with each edge between the user node and the resource node.
4. The method as claimed in claim 1, wherein the method of identifying the matching relationship path corresponding to the unvisited shortest relationship path from the relationship graph based on the plurality of relationships associated with the unvisited shortest relationship path comprising:
obtaining a first forward relationship corresponding to a first node of the unvisited shortest relationship path, wherein the first forward relationship is marked as visited after traversing;
obtaining a first set of immediate nodes associated with a start node of the relationship graph based on a plurality of active forward edges corresponding to the first forward relationship, wherein the plurality of active forward edges comprises a plurality of incoming and outgoing edges associated with the start node;
obtaining a first backward relationship corresponding to a last node of the unvisited shortest relationship path, wherein the first backward relationship is marked as visited after traversing;
simultaneously obtaining a second set of immediate nodes associated with an end node of the relationship graph based on a plurality of active backward edges corresponding to the first backward relationship, wherein the plurality of active backward edges comprises a plurality of incoming edges and outgoing edges associated with the end node;
selecting a forward matching node from the first set of immediate nodes of the relationship graph based on a comparison between the first set of immediate nodes and a neighbour node associated with the first node of the unvisited shortest relationship path;
simultaneously selecting a backward matching node from the second set of immediate nodes of the relationship graph based on a comparison

between the second set of immediate nodes and a neighbour node associated with the last node of the unvisited shortest relationship path;
setting a relationship path value as one, if the forward matching node and the backward matching node are equal, and each of the plurality of relationships of the unvisited shortest relationship path are visited, wherein the relationship path value is set to zero otherwise;
updating the first set of immediate nodes and the second set of immediate nodes by obtaining a next set of immediate nodes corresponding to the forward matching node and the backward matching node respectively until a number of unvisited relationships between the first node and the last node is one, wherein the updating is performed when the relationship path value is set to zero;
setting the relationship path value as one, if a relationship exist between the forward matching node and the backward matching node when the number of unvisited relationships between the first node and the last node is one, wherein the relationship path value is set to zero otherwise; and updating the first node and the last node associated with the unvisited shortest path by swapping first node and the last node with the corresponding neighbour node if the relationship path value is zero.
5. The method as claimed in claim 1, wherein each edge of the relationship graph is marked as visited after traversing the corresponding edge.
6. The method as claimed in claim 1, wherein the method further comprises constructing the relationship graph by:
receiving a plurality of relationship data comprising a plurality of resources and a plurality of entities, wherein the relationship data is stored in a database;
creating a node for each of the plurality of entities and each of the plurality of resources to obtain the plurality of nodes;

creating a logical relationship between each of the plurality of entities and each of the plurality of resources in a triple form comprising subject, predicate and object; and
connecting each of the plurality of nodes using an edge based on the logical relationship data, wherein the logical relationship data comprising the hierarchical data, the optional relationship data and the temporal data among each of the plurality of nodes.
7. The method as claimed in claim 1, wherein the plurality of optional relationship associated with a relationship path is computed by counting a number of edges between the user node and the resource node associated with the relationship path.
8. A system (100) comprising:
at least one memory (104) storing programmed instructions; one or more Input /Output (I/O) interfaces (112); and one or more hardware processors (102) operatively coupled to the at least one memory (104), wherein the one or more hardware processors (102) are configured by the programmed instructions to:
receive an access request from a user, wherein the access request is a resource access request;
obtain an access path associated with the access request from a policy database, wherein the access path is a relationship path defining a relationship between the user and a resource, wherein the access path comprises a number of relationships, a relationship hierarchy and a number of optional relationships;
identify a relationship type associated with the access path, wherein the relationship type comprises one of, an individual relationship and a hierarchical relationship;
obtain a plurality of relationship paths based on the relationship hierarchy and the number of optional relationships associated with the access path;

identify an unvisited shortest relationship path from the plurality of relationship paths based on the number of relationships associated with each of the plurality of relationship paths, wherein the unvisited relationship path is marked as visited after traversing;
identify a matching relationship path corresponding to the unvisited shortest relationship path from a relationship graph based on a plurality of relationships associated with the unvisited shortest relationship path; and
allow the user to access the resource if the relationship path value is set to one.
9. The system of claim 8, wherein the relationship graph comprises a plurality of nodes and a plurality of edges, wherein each node represents one of, a user, a plurality of entities and each of a plurality of resources, wherein each edge represents a corresponding association between two nodes from the plurality of nodes.
10. The system of claim 8, wherein the active edges are obtained by checking a temporal data associated with each edge between the user node and the resource node.
11. The system of claim 8, wherein the method of identifying the matching relationship path corresponding to the unvisited shortest relationship path from the relationship graph based on the plurality of relationships associated with the unvisited shortest relationship path comprising:
obtaining a first forward relationship corresponding to a first node of the unvisited shortest relationship path, wherein the first forward relationship is marked as visited after traversing;
obtaining a first set of immediate nodes associated with a start node of the relationship graph based on a plurality of active forward edges corresponding to the first forward relationship, wherein the plurality of

active forward edges comprises a plurality of incoming and outgoing edges associated with the start node;
obtaining a first backward relationship corresponding to a last node of the unvisited shortest relationship path, wherein the first backward relationship is marked as visited after traversing;
simultaneously obtaining a second set of immediate nodes associated with an end node of the relationship graph based on a plurality of active backward edges corresponding to the first backward relationship, wherein the plurality of active backward edges comprises a plurality of incoming edges and outgoing edges associated with the end node;
selecting a forward matching node from the first set of immediate nodes of the relationship graph based on a comparison between the first set of immediate nodes and a neighbour node associated with the first node of the unvisited shortest relationship path;
simultaneously selecting a backward matching node from the second set of immediate nodes of the relationship graph based on a comparison between the second set of immediate nodes and a neighbour node associated with the last node of the unvisited shortest relationship path;
setting a relationship path value as one, if the forward matching node and the backward matching node are equal, and each of the plurality of relationships of the unvisited shortest relationship path are visited, wherein the relationship path value is set to zero otherwise;
updating the first set of immediate nodes and the second set of immediate nodes by obtaining a next set of immediate nodes corresponding to the forward matching node and the backward matching node respectively until a number of unvisited relationships between the first node and the last node is one, wherein the updating is performed when the relationship path value is set to zero;
setting the relationship path value as one, if a relationship exist between the forward matching node and the backward matching node when

the number of unvisited relationships between the first node and the last node is one, wherein the relationship path value is set to zero otherwise; and updating the first node and the last node associated with the unvisited shortest path by swapping first node and the last node with the corresponding neighbour node if the relationship path value is zero.
12. The system of claim 8, wherein each edge of the relationship graph is marked as visited after traversing the corresponding edge.
13. The system of claim 8, wherein the method further comprises constructing the relationship graph by:
receiving a plurality of relationship data comprising a plurality of resources and a plurality of entities, wherein the relationship data is stored in a database;
creating a node for each of the plurality of entities and each of the plurality of resources to obtain the plurality of nodes;
creating a logical relationship between each of the plurality of entities and each of the plurality of resources in a triple form comprising subject, predicate and object; and
connecting each of the plurality of nodes using an edge based on the logical relationship data, wherein the logical relationship data comprising the hierarchical data, the optional relationship data and the temporal data among each of the plurality of nodes.
14. The system of claim 8, wherein the plurality of optional relationship associated with a relationship path is computed by counting a number of edges between the user node and the resource node associated with the relationship path.