
ASTRA

Description

What is ASTRA?

ASTRA stands for "Access to Systems, Tools, Resources and Applications". ASTRA is an integrated, distributed, auditable authorization management service available for use with UW administrative software applications. The service consists of both a Web interface that allows convenient management of authorizations and a set of APIs that applications use to look up authorization information.

Why UW Needs Integrated Authorization

Multiple systems, multiple controls

Over the last few years many new administrative computer systems have been implemented at the University of Washington. As these systems were introduced, procedures and mechanisms to control access to them were also developed. The end result is that there are multiple authorization schemes in use. This is undesirable from several perspectives. For example, a manager or administrator wishing to give a newly hired staff member access to HEPPS, OPUS, and the Laboratory Safety System must follow three quite different and separate procedures.

The solution?

This proliferation of authorization mechanisms can only be countered through the development of a central, infrastructural approach to authorization. ASTRA represents that approach: the goal of ASTRA is to provide a single point of entry for authorization on the Web. This will take some years to achieve, as many of the older systems can be adapted to use ASTRA only with great expense and difficulty. The good news is that systems in development, future systems, and many of those recently developed and now in production, can and will use ASTRA to control access.

ASTRA Concepts and Rules

Consuming Application

A Consuming Application is an application at the University of Washington, typically an administrative application.

Authorization attributes

ASTRA is an attribute authority. By this, we mean that ASTRA is a repository of attributes that are defined by other applications. ASTRA stores attributes that are meaningful to Consuming Applications even if they are not meaningful to ASTRA. ASTRA does not determine what a given attribute means; this is the role of the Consuming Application team. Since the goal of ASTRA is to support system authorization needs for years to come, it was necessary to design a flexible and comprehensive scheme that could adapt to many different kinds of needs and deal with many kinds of details. The scheme as currently developed consists of a set of attributes that are attached to an individual identity, usually a person:

  • Privilege (typically, the application)
  • Role (typically, a type of user)
  • Action (typically, an action that the user can perform)
  • Span-of-control (a restriction upon that action)
  • Qualifier (a further restriction on a span-of-control)

These attributes are related hierarchically, each level being "owned" by the level above it. They are also related in a "one to many" fashion: one item at a given level may own many items at the level below it.

Types of people recognized by ASTRA

Super-Delegator

Super-Delegators create Delegators. Currently, Super-Delegators cannot use the ASTRA web interface to create Delegators. The ASTRA support team must create their Delegators by proxy.

Super-Delegators (also referred to as Authorizing Agents) have been identified for each School, College, Branch Campus and Business Unit.

Delegator

A Delegator is someone who uses ASTRA to give someone else access to ASTRA. Delegators create Authorizers. There are fewer Delegators than either Authorizers or Users. They are often campus administrators.

Authorizer

An Authorizer is someone who uses ASTRA to give someone else access to a campus application. Authorizers create Users. There are more Authorizers than Delegators, but fewer than Users. Authorizers are typically people who perform some type of administrative role with regard to particular applications.

User

A User is someone who uses a campus application such as SAGE, E-Procurement, or OWLS.

Who is using ASTRA today?

Since ASTRA was released into production in January 2003, there has been a steady increase in the number of applications using ASTRA and the number of people being given access through ASTRA.

[Chart] Number of Users, Authorizers, and Delegators in ASTRA Consuming Applications, by Month

[Chart] Number of Users, Authorizers, and Delegators in ASTRA, by Consuming Application


How does ASTRA work (behind the scenes)?

What does ASTRA do when you try to access a system?

When the individual so authorized attempts to use that system:

  • They present it with their UW NetID
  • The system responds by checking the ASTRA database
  • If the UW NetID is found in ASTRA in conjunction with the name of that system, then the authorization information is transferred from ASTRA to the Consuming Application
  • The person is allowed access to the system
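The attribute hierarchy described under "Authorization attributes" and the lookup described in the steps above, modelled in a small added Python example. This is illustrative code written for this page, not ASTRA's own software or API; the application, role, action, NetID and span names are constructed placeholders, and the idea that a consuming application should reject a record whose action is not owned by its role is an assumption drawn from the "each level is owned by the level above" rule.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Authorization:
    """One attribute chain attached to an identity (a UW NetID)."""
    netid: str
    privilege: str                   # typically the consuming application
    role: str                        # typically a type of user
    action: str                      # an action that user can perform
    span_of_control: str             # restriction upon that action
    qualifier: Optional[str] = None  # further restriction on the span

# Hierarchy defined by the consuming application: privilege -> roles -> actions;
# each level is owned by the one above it, one owner to many children.
# Application, role and action names below are constructed placeholders.
SCHEMA = {
    "LabSafetySystem": {
        "Inspector": {"view_report", "file_report"},
        "Viewer": {"view_report"},
    },
}

# Constructed sample store; ASTRA holds these records without interpreting them.
STORE = [
    Authorization("jdoe", "LabSafetySystem", "Inspector", "file_report", "Chemistry", "Building-A"),
    Authorization("jdoe", "LabSafetySystem", "Viewer", "view_report", "Chemistry"),
    Authorization("asmith", "LabSafetySystem", "Viewer", "view_report", "Physics"),
    # Malformed chain: the Viewer role does not own file_report.
    Authorization("bbad", "LabSafetySystem", "Viewer", "file_report", "Physics"),
]

def valid_chain(auth: Authorization) -> bool:
    """Reject a record whose action is not owned by its role under that privilege."""
    return auth.action in SCHEMA.get(auth.privilege, {}).get(auth.role, set())

def lookup(netid: str, privilege: str) -> list:
    """Records a consuming application receives for a NetID: only its own privilege,
    only well-formed chains. An empty list means no access."""
    return [a for a in STORE
            if a.netid == netid and a.privilege == privilege and valid_chain(a)]

def is_authorized(netid: str, privilege: str, action: str, span: str,
                  qualifier: Optional[str] = None) -> bool:
    """Consuming-application decision: allowed only inside the span of control
    and, when the record carries a qualifier, only for that qualifier."""
    for a in lookup(netid, privilege):
        if (a.action == action and a.span_of_control == span
                and (a.qualifier is None or a.qualifier == qualifier)):
            return True
    return False
```

Note that the decision is made on the consuming application's side: ASTRA only returns the records attached to the NetID for that application's privilege.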