IT Connect
Your connection to information technology at the UW

ASTRA 2.1 automated deprovisioning

ASTRA 2.1 enables customers with integrated applications to apply a policy for managing their authorizations in ASTRA, and thereby automate access removal for terminated employees. Adoption is underway now for applications with access policies involving current employees and others authorized based on business need.

Overview

What is ASTRA 2.1 automated deprovisioning?

Before ASTRA 2.1, application teams and/or individual authorizers had to do periodic access reviews and manually remove authorizations to comply with access policies for their applications. With ASTRA 2.1, access policies can be applied to authorizations in ASTRA, so that authorizers can only create new authorizations that align with access policies, and current authorizations are automatically removed by ASTRA when employees terminate their employment.

What are the benefits to authorizers?

ASTRA authorizers benefit from the improved efficiency of automated removal of authorizations. For example, ASTRA authorizers don’t have to search for and remove authorizations for terminated employees. Instead, ASTRA 2.1 will remove them automatically for applications that adopt ASTRA 2.1.

What are the benefits to application owners, their teams, and data stewards?

Business application owners, their teams, and related data custodians benefit from more effective information security and compliance with audit requirements, as authorizations in ASTRA will align better with access policies for applications that adopt ASTRA 2.1. Improved efficiency applies as well, for people and teams involved in day-to-day management of authorizations.

Operations

Do ASTRA authorizers still need to review authorizations?

Yes, authorizers should continue to review authorizations for terminated employees, job transfers, and others who no longer need access to applications. As applications adopt ASTRA 2.1 automated deprovisioning, authorizers will find fewer active authorizations for terminated employees. ASTRA will continue to email quarterly status notifications as reminders.

What business terms and data does ASTRA use to define "current employee"?

ASTRA uses Workday business terms and data to differentiate “current employees” from other people: specifically, employees who have “Active” or “Leave” status in Workday are treated as current employees. ASTRA relies on the Operational Data Store (ODS) for this Workday data, and under normal operating conditions will be 24-48 hours behind current data in Workday.

When creating authorizations for new employees, how long does it take ASTRA to know they are a current employee?

Under normal operating conditions, ASTRA will be 24-48 hours behind current data in Workday. If you are creating an authorization for a new employee, they must have “Active” or “Leave” status in Workday, and you need to wait 24-48 hours for ASTRA to be updated from Workday.

When creating an authorization, ASTRA says "This party is not allowed to be authorized for this application." What does this mean?

This error message means the person (or process) you’re trying to authorize isn’t allowed to be authorized based on the access policy defined for the application.

  • If you are authorizing a new employee, you may need to wait 24-48 hours for ASTRA to be updated from Workday. Once their “Active” or “Leave” status in Workday has been updated in ASTRA, you should be able to authorize them. Contact your HR support partner to confirm status in Workday.
  • If you are authorizing someone who isn’t a current employee, you may need to contact the application team for further instructions.

Does ASTRA automated deprovisioning change how authorizers handle shared UW NetIDs, contingent workers, academic affiliates, and others with no status in Workday, as well as processes?

Yes, as applications adopt ASTRA automated deprovisioning and access policies involving current employees, authorizers may need to follow new practices and procedures to create authorizations for people (and processes) who aren’t current employees. To learn more, check the support information for specific applications.

Adoption and implementation

The following applications have adopted or have planned timeframes for adopting ASTRA automated deprovisioning

Application
Abbreviation
Support info
ASTRA 2.1 Status
Date of adoption
Business Domain
Ariba System Administration ARIBA Admin ARIBA Roles and Authorization In Progress 2020-11-30 Finance
eProcurement eProc In Progress 2020-11-30 Finance
eReimbursement eReimbursement In Progress 2020-11-30 Finance
Payment to Individuals P2I In Progress 2020-11-30 Finance
ProCard ProCard In Progress 2020-11-30 Finance
Sourcing Sourcing In Progress 2020-11-30 Finance
eTravel eTravel eTravel access exception requests In Progress 2020-11-30 Finance
Financial Desktop MyFD About Access to MyFD In Progress 2020-11-30 Finance
Enterprise Data Warehouse EDW Request Access to Reports, Analytics, and Data In Progress 2020-12-07 IT

Do all applications have to adopt ASTRA automated deprovisioning?

Application owners and their teams can decide if and when they want to adopt automated deprovisioning.

How do applications transition to use ASTRA 2.1 automated deprovisioning?

ASTRA 2.1 features can be adopted by applications that rely on the ASTRA Web interface and delegators/authorizers for managing their authorizations. These application teams can refer to our ASTRA 2.1 onboarding guide for details. Automated deprovisioning isn’t applicable to applications that integrate authorization data into ASTRA through other methods.

What are the adoption plans for other applications that use ASTRA?

The following table includes status information for applications that rely on ASTRA, based on the last update from each application team. Pending status means no information has been collected.

Application
Abbreviation
Support info
ASTRA 2.1 Status
Last update
Business Domain
System to Administer Grants Electronically SAGE Pending Research, Finance
Cost Share Module eFECS Cost Share Pending Finance
Effort Reporting eFECS Effort Report Pending Finance
EDMS EDMS Pending IT
TeamBudget TeamBudget Pending Finance
Temporary Hourly Employment Monitoring Temporary Employment Pending HR, Finance
Equipment Insurance System EIS Pending Finance
Canvas Canvas Pending Student
Space Inventory Management System SIMS Pending Facilities
MyUW Support Application MyUW Pending Student
WorkStudy WorkStudy Pending Student
Enrollment Confirmation System for Administration ECS Admin Pending Student
Office of Student Financial Aid Web Page OSFA Staff Pending Student
Student Personal Services View for SFS Staff SPS View for SFS Pending Student
Tax Forms Tax Pending HR, Finance
Employee Search Employee Search Pending HR
Security Management Application Tool SMAT Pending IT
HRPayroll Web Service HRPWS Pending HR
Pivot Pivot Pending Student
eTransmittal eTransmittal Pending Finance
Who Can Web Service WhoCanWS Pending IT
Student Groupcode Associations Student Groupcode Pending Student
Data Administration Personnel and Payroll DAPP Pending HR
Electronic Research Administration ERA Pending Research
Grant and Contract Certification Reports GCCR Pending Research, Finance
Financial Web Service FWS Pending Finance
Person Web Service PWS Pending IT
SIS Web Stats SIS Web Stats Pending Student
Supplier Registration Workflow Supplier Registration Pending Finance
New or Modified Tuition Category Workflow Tuition Change Pending Student
Electronic Academic Records System EARS Pending Student
Content Web Service CWS Pending IT
IdCard Service IdCardWS Pending IT
Enterprise and Departmental Data Integration Editor EDDIE Pending IT
U-PASS Membership Manager U-PASS Pending Transportation
Space Web Service SpaceWS Pending Space
Student Web Service SWS Pending Student
VEBA VEBA Pending HR
Suite of Rome applications Rome Pending Finance
Rome Internal applications Rome-Internal Pending Finance
Department Tools for Time Schedule Dept Tools Pending Student
Tax A188 Monitor Tax A188 Monitor Pending HR, Finance
Last reviewed November 18, 2020