ASTRA 2.1 automated deprovisioning

Last updated: February 8, 2023

ASTRA 2.1 enables customers with integrated applications to apply a policy for managing their authorizations in ASTRA, and thereby automate access removal for terminated employees. Adoption is underway now for applications with access policies involving current employees and others authorized based on business need.

Overview

Before ASTRA 2.1, application teams and/or individual authorizers had to do periodic access reviews and manually remove authorizations to comply with access policies for their applications. With ASTRA 2.1, access policies can be applied to authorizations in ASTRA, so that authorizers can only create new authorizations that align with access policies, and current authorizations are automatically removed by ASTRA when employees terminate their employment.

ASTRA authorizers benefit from the improved efficiency of automated removal of authorizations. For example, ASTRA authorizers don’t have to search for and remove authorizations for terminated employees. Instead, ASTRA 2.1 will remove them automatically for applications that adopt ASTRA 2.1.

Business application owners, their teams, and related data custodians benefit from more effective information security and compliance with audit requirements, as authorizations in ASTRA will align better with access policies for applications that adopt ASTRA 2.1. Improved efficiency applies as well, for people and teams involved in day-to-day management of authorizations.

Operations

Yes, authorizers should continue to review authorizations for terminated employees, job transfers, and others who no longer need access to applications. As applications adopt ASTRA 2.1 automated deprovisioning, authorizers will find fewer active authorizations for terminated employees. ASTRA will continue to email quarterly status notifications as reminders.

ASTRA uses Workday business terms and data to differentiate “current employees” from other people: specifically, employees who have “Active” or “Leave” status in Workday are treated as current employees. ASTRA relies on the Operational Data Store (ODS) for this Workday data, and under normal operating conditions will be 24-48 hours behind current data in Workday.

Under normal operating conditions, ASTRA will be 24-48 hours behind current data in Workday. If you are creating an authorization for a new employee, they must have “Active” or “Leave” status in Workday, and you need to wait 24-48 hours for ASTRA to be updated from Workday.

This error message means the person (or process) you’re trying to authorize isn’t allowed to be authorized based on the access policy defined for the application.

  • If you are authorizing a new employee, you may need to wait 24-48 hours for ASTRA to be updated from Workday. Once their “Active” or “Leave” status in Workday has been updated in ASTRA, you should be able to authorize them. Contact your HR support partner to confirm status in Workday.
  • If you are authorizing someone who isn’t a current employee, you may need to contact the application team for further instructions.

Yes, as applications adopt ASTRA automated deprovisioning and access policies involving current employees, authorizers may need to follow new practices and procedures to create authorizations for people (and processes) who aren’t current employees. To learn more, check the support information for specific applications.

Adoption and implementation

The following applications have adopted or have planned timeframes for adopting ASTRA automated deprovisioning

Application
Abbreviation
Support info
ASTRA 2.1 Status
Date of adoption
Business Domain
Ariba System Administration ARIBA Admin ARIBA Roles and Authorization Active 2020-11-30 Finance
eProcurement eProc Active 2020-11-30 Finance
eReimbursement eReimbursement Active 2020-11-30 Finance
Payment to Individuals P2I Active 2020-11-30 Finance
ProCard ProCard Active 2020-11-30 Finance
Sourcing Sourcing Active 2020-11-30 Finance
eTravel eTravel eTravel access exception requests Active 2020-11-30 Finance
Financial Desktop MyFD About Access to MyFD Active 2020-11-30 Finance
Enterprise Data Warehouse EDW Request Access to Reports, Analytics, and Data Active 2020-12-07 IT

Application owners and their teams can decide if and when they want to adopt automated deprovisioning.

ASTRA 2.1 features can be adopted by applications that rely on the ASTRA Web interface and delegators/authorizers for managing their authorizations. These application teams can refer to our ASTRA 2.1 onboarding guide for details. Automated deprovisioning isn’t applicable to applications that integrate authorization data into ASTRA through other methods.

The following table includes status information for applications that rely on ASTRA, based on the last update from each application team. Pending status means no information has been collected.

Application
Abbreviation
Support info
ASTRA 2.1 Status
Last update
Business Domain
System to Administer Grants Electronically SAGE Pending Research, Finance
Cost Share Module eFECS Cost Share Pending Finance
Effort Reporting eFECS Effort Report Pending Finance
EDMS EDMS Pending IT
TeamBudget TeamBudget Pending Finance
Equipment Insurance System EIS Pending Finance
Canvas Canvas Pending Student
Space Inventory Management System SIMS Pending Facilities
MyUW Support Application MyUW Pending Student
WorkStudy WorkStudy Pending Student
Enrollment Confirmation System for Administration ECS Admin Pending Student
Office of Student Financial Aid Web Page OSFA Staff Pending Student
Student Personal Services View for SFS Staff SPS View for SFS Pending Student
Tax Forms Tax Pending HR, Finance
Employee Search Employee Search Pending HR
Security Management Application Tool SMAT Pending IT
HRPayroll Web Service HRPWS Pending HR
Pivot Pivot Pending Student
eTransmittal eTransmittal Pending Finance
Who Can Web Service WhoCanWS Pending IT
Student Groupcode Associations Student Groupcode Pending Student
Data Administration Personnel and Payroll DAPP Pending HR
Electronic Research Administration ERA Pending Research
Grant and Contract Certification Reports GCCR Pending Research, Finance
Financial Web Service FWS Pending Finance
Person Web Service PWS Pending IT
SIS Web Stats SIS Web Stats Pending Student
Supplier Registration Workflow Supplier Registration Pending Finance
New or Modified Tuition Category Workflow Tuition Change Pending Student
Electronic Academic Records System EARS Pending Student
Content Web Service CWS Pending IT
IdCard Service IdCardWS Pending IT
Enterprise and Departmental Data Integration Editor EDDIE Pending IT
U-PASS Membership Manager U-PASS Pending Transportation
Space Web Service SpaceWS Pending Space
Student Web Service SWS Pending Student
VEBA VEBA Pending HR
Department Tools for Time Schedule Dept Tools Pending Student
Tax A188 Monitor Tax A188 Monitor Pending HR, Finance