An Information Technology (IT) infrastructure includes IT assets, components, systems, applications, and resources within a particular environment (e.g., an organization). Directed graphs can be used to model the IT infrastructure by providing a graphical representation of relationships within the IT infrastructure. Security measures are typically implemented within the directed graphs to protect the underlying IT infrastructure. Security measures can protect the IT infrastructure from unauthorized access, unintended modification, malicious attacks, and so on. Graph authorization is a type of security measure that can be used to authorize access to portions of the IT infrastructure for a user or a group of users.
Conventional graph authorization techniques may be inefficient, difficult to maintain, and too complex. Conventionally, when an administrator tried to restrict a group of users to a portion of the model, elements of queries received from the group were modified to contain limiting rules that restrict the results. The results were restricted to contain only components that the group of users should have access to. In addition, the administrator was usually forced to manually maintain authorization at the Configuration Item level (the CI level: an object or link in the CMDB model), making sure it was always consistent with the required policy for each group of users. This may be a simple task for a small organization with a small number of users. However, as the IT infrastructure grows and more users utilize it, it becomes difficult to maintain customized limiting rules for different groups of users, especially because each new query must be modified to comply with the limiting rules. Manually modifying queries is inefficient and error prone. It is also impractical in practice, because the trivial way to solve the problem is to manually keep authorization information on every CI and make sure all CIs shown to the user pass a security policy filter. This process leaves the database administrator to determine how to define authorization policies for millions of CIs. Since this would be an enormous manual task, some kind of script could be created to run periodically and insert the authorization policy information. Even with a script, the administrator would have to convert the authorization policy into a script somehow and accept the fact that when the database changes, it can be in an inconsistent state with respect to the authorization policy until the next script execution. Even modifying queries automatically may be processing intensive and complex. Furthermore, as the IT infrastructure continues to grow, the limiting rules may also become more complex.
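The conventional per-CI scheme described above, as an added illustration that is not part of the original text: a toy directed CMDB graph, a periodic script that materialises group authorization onto each CI, a query that filters results through that per-CI information, and a check that exposes the inconsistency window between a database change and the next script run. The CI kinds, group names and policy table are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class CI:
    """A configuration item with authorization materialised on the object itself."""
    name: str
    kind: str
    allowed_groups: set = field(default_factory=set)  # written only by the periodic script

class Cmdb:
    def __init__(self):
        self.cis = {}        # name -> CI
        self.links = []      # directed edges (src, dst), also subject to filtering

    def add_ci(self, name, kind):
        self.cis[name] = CI(name, kind)

    def add_link(self, src, dst):
        self.links.append((src, dst))

# Constructed policy: which CI kinds each group may see.
POLICY = {"dba": {"database", "host"}, "netops": {"host", "switch"}}

def apply_policy_script(cmdb):
    """The periodic script: rewrite allowed_groups on every CI from POLICY."""
    for ci in cmdb.cis.values():
        ci.allowed_groups = {g for g, kinds in POLICY.items() if ci.kind in kinds}

def visible(ci, group):
    return group in ci.allowed_groups

def query(cmdb, group, kind=None):
    """CIs returned to group after the security policy filter (sorted names)."""
    return sorted(ci.name for ci in cmdb.cis.values()
                  if visible(ci, group) and (kind is None or ci.kind == kind))

def neighbors(cmdb, group, name):
    """Outgoing links from name whose destination the group is allowed to see."""
    return sorted(dst for src, dst in cmdb.links
                  if src == name and visible(cmdb.cis[dst], group))

def stale_cis(cmdb, group):
    """CIs the policy grants to group but whose per-CI labels do not yet: the consistency gap."""
    return sorted(ci.name for ci in cmdb.cis.values()
                  if ci.kind in POLICY[group] and not visible(ci, group))

def demo():
    cmdb = Cmdb()
    for n, k in [("db01", "database"), ("host01", "host"), ("sw01", "switch")]:
        cmdb.add_ci(n, k)
    cmdb.add_link("db01", "host01")
    cmdb.add_link("host01", "sw01")
    apply_policy_script(cmdb)
    before = query(cmdb, "dba")            # labels consistent with policy
    cmdb.add_ci("db02", "database")        # change between script runs
    gap = stale_cis(cmdb, "dba")           # db02 is unauthorized until the next run
    apply_policy_script(cmdb)
    return before, gap, query(cmdb, "dba"), neighbors(cmdb, "netops", "host01")
```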