
Introduction

Once the decision is made to use ASTRA for access management the business owners and application developers have an important task to undertake.  They must design an effective "schema" that is loaded into ASTRA.  The schema is stored in XML format and represents the business rules that determine how people can use their application.  A schema is a hierarchical structure and consists of a privilege, roles within that privilege, actions that can be taken on these roles, and any span of control values that further qualify what the users can act upon in the application. 

It's important to consider how the authorization management for this application will be conducted.  Will the authorization responsibilities be rolled out to ASTRA authorizers in the campus departments, kept within a central business unit, or a combination of both?  The number and complexity of the roles must be balanced while keeping the campus authorizers in mind.  The roles should be intuitive and well documented to ensure a smooth roll out to campus.  Too many nuanced roles can prove to be confusing and increase the workload of the application's client support team.

ASTRA Schema Hierarchy

An ASTRA schema for an application has the following privilege/role/action/span of control hierarchy:

NOTE: The ASTRA schema hierarchy is designed such that each application has its own roles, and these roles are not shared between applications at this time.

What else does ASTRA need to know about the application, and what must be spelled out in its schema?

When designing a schema for ASTRA there is some basic information that needs to be specified, including:

  1. Who is the business owner of the application?
  2. Who is the technical contact for the application?
  3. Is two-factor authentication required in order to log into this application?
  4. Will the authorization management be distributed out to departments on campus, or maintained in a central office?
  5. What is the application's URI?
  6. What is the application's Support URI?
  7. What is the application's client support email address?
  8. What is the application's developer team email address?

Information about the Privilege, Roles, Actions and Span of Control in the schema:

Privilege:

  Database Column Name   Data Type       Allow Nulls?   Visible in UI?
  PrivilegeCd            varchar(25)     No             No
  AbbrDesc               varchar(20)     No             Yes
  FullDesc               varchar(50)     Yes            Yes
  HelpText               varchar(5000)   Yes            Yes

Role:

  Database Column Name   Data Type       Allow Nulls?   Visible in UI?
  RoleCd                 varchar(25)     No             No
  AbbrDesc               varchar(20)     No             Yes
  FullDesc               varchar(50)     No             Yes
  HelpText               varchar(5000)   Yes            Yes

Action:

  Database Column Name   Data Type       Allow Nulls?   Visible in UI?
  ActionCd               varchar(25)     No             No
  AbbrDesc               varchar(20)     No             Yes
  FullDesc               varchar(50)     No             Yes
  HelpText               varchar(5000)   Yes            Yes

Span of Control Type:

Many applications require the use of span of control in order to limit their users to the data they need to perform their job duties.  Span of Control types are in most cases institutionally defined and maintained in a central data store.  There are occasions when an application may need to define its own custom span of control type; in that case the application will need to maintain the source of that data.  ASTRA refreshes span of control values from each SOC type's official data source on a nightly basis.

Institutional Span of Control Types available for use in ASTRA include: 
  • Organization Code
  • Budget Number
  • College
  • Curriculum code
  • Facility Number
  • Facility Type
  • Major
  • Payroll Distribution Code
  • Payroll Unit Group
  • SDB Program Code
  • Special Program

Populating Groups with Authorizations

It's possible to create Groups by populating them with the people who have been authorized for any specific role/action/SOC type/ASTRA role combination(s) as desired.  It is not advised to define groups down to the span of control value level (for example, specific budget numbers), as that can lead to too many sparsely populated groups.  The group requirements are also stored in the application schema XML file.

The following values are required in order to define a group for an application:

  1. ASTRA role, i.e. User, Authorizer or Delegator
  2. Privilege
  3. Role (optional)
  4. Action (optional)
  5. Span of Control TYPE (not VALUE; also optional)
  6. Group name, sans group stem.  (The group stem is defined elsewhere; in the production environment it is "u_astra", and the eval group stem is "u_astratst".)

NOTE: There can be multiple combinations of the above criteria in one group.
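As an added example (not ASTRA's own code), the following Python resolves the members of a group from a list of authorizations using the same criteria the group definition above lists: ASTRA role, privilege, optional role, optional action and optional SOC type, with several combinations allowed in one group. The authorization record layout, the sample records, and the underscore join between the group stem and the group name are assumptions for this example; the stems "u_astra" and "u_astratst" are the ones the page gives.

```python
# Added example (not ASTRA's own code): resolve group membership from
# ASTRA-style authorizations. The criteria fields mirror the <ASTRAGroup>
# elements in the XSD (astraRoleCd, privilegeCd, roleCd, actionCd,
# socTypeCd_1..5). Record layout and the "stem_name" join are assumptions.
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

GROUP_STEMS = {"prod": "u_astra", "eval": "u_astratst"}  # stems from the page


@dataclass(frozen=True)
class Authorization:
    """One authorization as ASTRA would hold it (constructed record layout)."""
    netid: str
    astra_role: str   # User, Authorizer or Delegator
    privilege: str
    role: str
    action: str
    soc_type: str     # span of control TYPE
    soc_value: str    # span of control VALUE: deliberately never used for grouping


@dataclass(frozen=True)
class GroupCriteria:
    """One criterion combination; None / empty means 'any' for the optional fields."""
    astra_role: str
    privilege: str
    role: Optional[str] = None
    action: Optional[str] = None
    soc_types: FrozenSet[str] = frozenset()   # the socTypeCd_1..5 slots

    def matches(self, auth: Authorization) -> bool:
        return (auth.astra_role == self.astra_role
                and auth.privilege == self.privilege
                and (self.role is None or auth.role == self.role)
                and (self.action is None or auth.action == self.action)
                and (not self.soc_types or auth.soc_type in self.soc_types))


def full_group_name(name: str, environment: str = "prod") -> str:
    """Prefix the environment's stem; the underscore join is an assumption."""
    return f"{GROUP_STEMS[environment]}_{name}"


def resolve_group(criteria: Iterable[GroupCriteria],
                  auths: Iterable[Authorization]) -> List[str]:
    """Members are everyone matching ANY criterion combination. SOC values are
    ignored, so a person authorized for several budget numbers appears once."""
    criteria = list(criteria)
    return sorted({a.netid for a in auths if any(c.matches(a) for c in criteria)})


# Constructed sample authorizations (not real people, privileges or budgets).
SAMPLE_AUTHS = [
    Authorization("alice", "User", "TESTPRIV", "REVIEWER", "VIEW", "Budget Number", "12-3456"),
    Authorization("alice", "User", "TESTPRIV", "REVIEWER", "VIEW", "Budget Number", "12-9999"),
    Authorization("bob", "User", "TESTPRIV", "APPROVER", "APPROVE", "Organization Code", "2010000000"),
    Authorization("carol", "Authorizer", "TESTPRIV", "REVIEWER", "VIEW", "Budget Number", "12-3456"),
    Authorization("dave", "User", "OTHERPRIV", "REVIEWER", "VIEW", "Budget Number", "12-3456"),
]

# Constructed group criteria (hypothetical privilege/role/action codes).
REVIEWER_USERS = GroupCriteria("User", "TESTPRIV", role="REVIEWER", action="VIEW")
APPROVER_USERS = GroupCriteria("User", "TESTPRIV", role="APPROVER")
TESTPRIV_AUTHORIZERS = GroupCriteria("Authorizer", "TESTPRIV")
BUDGET_SCOPED_USERS = GroupCriteria("User", "TESTPRIV", soc_types=frozenset({"Budget Number"}))

if __name__ == "__main__":
    for name, crit in [("testpriv_reviewers", [REVIEWER_USERS]),
                       ("testpriv_staff", [REVIEWER_USERS, APPROVER_USERS]),
                       ("testpriv_authorizers", [TESTPRIV_AUTHORIZERS])]:
        print(full_group_name(name), resolve_group(crit, SAMPLE_AUTHS))
```

Because `resolve_group` keys only on the SOC type, "alice" lands in the reviewers group once even though she holds two budget numbers; grouping on the value instead would have produced one sparse group per budget, which is exactly what the advice above warns against.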

ASTRA Schema Sample XML

You can see a sample ASTRA Schema file for the application named "TestPriv_v2.xml" here.

ASTRA Schema Sample XSD

<?xml version="1.0" encoding="utf-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" attributeFormDefault="unqualified">

  <xs:complexType name="spanOfControlType">
    <xs:sequence>
      <xs:element name="spanOfControl" type="xs:string" minOccurs="0" maxOccurs="unbounded" />
      <xs:element name="auth" type="xs:string" minOccurs="0" maxOccurs="1" />
    </xs:sequence>
    <!-- spanOfControlTypeType is referenced here but is not defined in this excerpt -->
    <xs:attribute name="type" type="spanOfControlTypeType" use="required"/>
    <xs:attribute name="isRequired" type="xs:boolean" use="required"/>
    <xs:attribute name="inputControl" type="xs:string" use="optional"/>
    <xs:attribute name="isMultiValue" type="xs:boolean" use="optional"/>
    <xs:attribute name="regExRestriction" type="xs:string" use="optional"/>
    <xs:attribute name="doesSupportWildcard" type="xs:boolean" use="optional" />
    <xs:attribute name="clientValidation" type="xs:string" use="optional"/>
    <xs:attribute name="serverValidation" type="xs:string" use="optional"/>
    <xs:attribute name="format" type="xs:string" use="optional"/>
  </xs:complexType>

  <xs:complexType name="authType">
    <xs:attribute name="addInWebApp" type="xs:boolean" use="optional"/>
    <xs:attribute name="canGrant" type="xs:boolean" use="optional"/>
    <xs:attribute name="canDelegate" type="xs:boolean" use="optional"/>
    <xs:attribute name="allowUse" type="xs:boolean" use="optional"/>
    <xs:attribute name="allowAuthorize" type="xs:boolean" use="optional"/>
    <xs:attribute name="allowDelegate" type="xs:boolean" use="optional"/>
    <xs:attribute name="allowSuperDelegate" type="xs:boolean" use="optional"/>
    <xs:attribute name="effBegDate" type="xs:date" use="optional"/>
    <xs:attribute name="effEndDate" type="xs:date" use="optional"/>
    <xs:attribute name="gdsGroupName" type="xs:string" use="optional"/>
    <xs:attribute name="gdsGroupDescription" type="xs:string" use="optional"/>
  </xs:complexType>

  <xs:element name="astra">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="privilege">
          <xs:complexType>
            <xs:sequence>
              <xs:element name="helpText" type="xs:string" minOccurs="0" maxOccurs="1" />
              <xs:element name="role" maxOccurs="unbounded">
                <xs:complexType>
                  <xs:sequence>
                    <xs:element name="helpText" type="xs:string" minOccurs="0" maxOccurs="1" />
                    <xs:element name="action" maxOccurs="unbounded">
                      <xs:complexType>
                        <xs:sequence>
                          <xs:element name="helpText" type="xs:string" minOccurs="0" maxOccurs="1" />
                          <xs:element name="spanOfControl" type="xs:string" minOccurs="0" maxOccurs="unbounded" />
                          <xs:element name="auth" type="authType" minOccurs="0" maxOccurs="1" />
                        </xs:sequence>
                        <xs:attribute name="code" type="xs:string" use="required"/>
                        <xs:attribute name="codeAbbrDesc" type="xs:string" use="required"/>
                        <xs:attribute name="codeDescription" type="xs:string" use="required"/>
                        <xs:attribute name="displayOrder" type="xs:int" use="optional"/>
                      </xs:complexType>
                    </xs:element>
                  </xs:sequence>
                  <xs:attribute name="code" type="xs:string" use="required"/>
                  <xs:attribute name="codeAbbrDesc" type="xs:string" use="required"/>
                  <xs:attribute name="codeDescription" type="xs:string" use="required"/>
                </xs:complexType>
              </xs:element>
              <xs:element name="ASTRAGroups">
                <xs:complexType>
                  <xs:sequence>
                    <xs:element name="ASTRAGroup">
                      <xs:complexType mixed="true">
                        <xs:sequence>
                          <xs:element name="groupName" type="xs:string" />
                          <xs:element name="groupDescription" type="xs:string" />
                          <xs:element name="privilegeCd" type="xs:string" />
                          <xs:element name="roleCd" type="xs:string" />
                          <xs:element name="actionCd" type="xs:string" />
                          <xs:element name="socTypeCd_1" type="xs:string" />
                          <xs:element name="socTypeCd_2" type="xs:string" />
                          <xs:element name="socTypeCd_3" type="xs:string" />
                          <xs:element name="socTypeCd_4" type="xs:string" />
                          <xs:element name="socTypeCd_5" type="xs:string" />
                          <xs:element name="astraRoleCd" type="xs:string" />
                          <xs:element name="runTimeInterval" type="xs:string" />
                        </xs:sequence>
                      </xs:complexType>
                    </xs:element>
                  </xs:sequence>
                </xs:complexType>
              </xs:element>
            </xs:sequence>
            <xs:attribute name="code" type="xs:string" use="required"/>
            <xs:attribute name="codeAbbrDesc" type="xs:string" use="required"/>
            <xs:attribute name="codeDescription" type="xs:string" use="required"/>
            <xs:attribute name="businessContactUWNetid" type="xs:string" use="required"/>
            <xs:attribute name="technicalContactUWNetid" type="xs:string" use="required"/>
            <xs:attribute name="managementStyle" type="xs:string" use="required"/>
            <xs:attribute name="isSecuridRequired" type="xs:boolean" use="required"/>
            <xs:attribute name="supportsOrgCodeWildcard" type="xs:boolean" use="optional"/>
            <xs:attribute name="supportsRecycledBudgetNumbers" type="xs:boolean" use="optional"/>
            <xs:attribute name="referenceURL" type="xs:string" use="optional"/>
            <xs:attribute name="appFamilyCode" type="xs:string" use="optional"/>
            <xs:attribute name="uri" type="xs:string" use="optional"/>
            <xs:attribute name="supportUri" type="xs:string" use="optional"/>
            <xs:attribute name="supportEmailAddress" type="xs:string" use="optional"/>
            <xs:attribute name="devTeamEmail" type="xs:string" use="optional"/>
          </xs:complexType>
        </xs:element>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
</xs:schema>
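As an added example (not ASTRA's own tooling), the following Python linter reads an application schema in the shape the XSD describes and checks it against the column limits in the Privilege, Role and Action tables, the application-level attributes the XSD requires on the privilege element, and the list of institutional span of control types. The mapping of XML attributes to database columns (code to the *Cd column, codeAbbrDesc to AbbrDesc, codeDescription to FullDesc, helpText to HelpText), the use of the SOC type names as spanOfControl text, and the two sample schemas are assumptions made for this example.

```python
# Added example (not ASTRA's own tooling): lint an application schema XML
# against the column limits in the Privilege/Role/Action tables and the
# attributes the XSD marks use="required" on <privilege>.
# Assumed attribute-to-column mapping (not stated on the page):
#   code -> PrivilegeCd/RoleCd/ActionCd varchar(25), codeAbbrDesc -> AbbrDesc
#   varchar(20), codeDescription -> FullDesc varchar(50), <helpText> -> varchar(5000)
import xml.etree.ElementTree as ET

LIMITS = {"code": 25, "codeAbbrDesc": 20, "codeDescription": 50}
HELPTEXT_LIMIT = 5000

# Application-level attributes the XSD requires on <privilege>; they answer the
# business owner / technical contact / management style / two-factor questions.
REQUIRED_PRIVILEGE_ATTRS = ("businessContactUWNetid", "technicalContactUWNetid",
                            "managementStyle", "isSecuridRequired")

# Institutional SOC types listed on the page. Assumption: <spanOfControl> text
# names the type exactly as listed; anything else is a custom type.
INSTITUTIONAL_SOC_TYPES = frozenset({
    "Organization Code", "Budget Number", "College", "Curriculum code",
    "Facility Number", "Facility Type", "Major", "Payroll Distribution Code",
    "Payroll Unit Group", "SDB Program Code", "Special Program",
})


def _check_node(node, kind, problems):
    """Apply the shared column rules to one privilege/role/action element."""
    label = f"{kind} {node.get('code')!r}"
    for attr, limit in LIMITS.items():
        value = node.get(attr)
        if not value:
            problems.append(f"{label}: missing required attribute {attr}")
        elif len(value) > limit:
            problems.append(f"{label}: {attr} exceeds varchar({limit})")
    help_el = node.find("helpText")
    if help_el is not None and help_el.text and len(help_el.text) > HELPTEXT_LIMIT:
        problems.append(f"{label}: helpText exceeds varchar({HELPTEXT_LIMIT})")


def lint_schema(xml_text):
    """Return a list of findings; empty means the schema passed. Custom SOC
    types are reported with a 'warning:' prefix because they are allowed, but
    the application then has to maintain that type's data source."""
    problems = []
    priv = ET.fromstring(xml_text).find("privilege")
    if priv is None:
        return ["no <privilege> element under <astra>"]
    for attr in REQUIRED_PRIVILEGE_ATTRS:
        if priv.get(attr) is None:
            problems.append(f"privilege: missing required attribute {attr}")
    _check_node(priv, "privilege", problems)
    seen_roles = set()
    for role in priv.findall("role"):
        _check_node(role, "role", problems)
        if role.get("code") in seen_roles:
            problems.append(f"duplicate role code {role.get('code')!r}")
        seen_roles.add(role.get("code"))
        seen_actions = set()
        for action in role.findall("action"):
            _check_node(action, "action", problems)
            if action.get("code") in seen_actions:
                problems.append(f"duplicate action code {action.get('code')!r} "
                                f"in role {role.get('code')!r}")
            seen_actions.add(action.get("code"))
            for soc in action.findall("spanOfControl"):
                soc_type = (soc.text or "").strip()
                if soc_type not in INSTITUTIONAL_SOC_TYPES:
                    problems.append(f"warning: action {action.get('code')!r} uses custom "
                                    f"SOC type {soc_type!r}; the application must maintain its data source")
    return problems


# Constructed sample schemas (hypothetical codes, netids and text), trimmed to
# the parts the linter inspects.
SAMPLE_GOOD = """<astra>
  <privilege code="TESTPRIV" codeAbbrDesc="Test Priv" codeDescription="Test privilege for schema review"
             businessContactUWNetid="bizowner" technicalContactUWNetid="devlead"
             managementStyle="distributed" isSecuridRequired="false">
    <helpText>Sample privilege used to exercise the lint rules.</helpText>
    <role code="REVIEWER" codeAbbrDesc="Reviewer" codeDescription="Reviews submitted records">
      <helpText>Read-only access to records for the assigned units.</helpText>
      <action code="VIEW" codeAbbrDesc="View" codeDescription="View records">
        <spanOfControl>Organization Code</spanOfControl>
        <auth canGrant="true" canDelegate="false" allowUse="true" allowAuthorize="true"/>
      </action>
    </role>
  </privilege>
</astra>"""

SAMPLE_BAD = """<astra>
  <privilege code="TESTPRIV" codeAbbrDesc="Test Priv" codeDescription="Test privilege"
             businessContactUWNetid="bizowner" technicalContactUWNetid="devlead"
             managementStyle="central" isSecuridRequired="true">
    <role code="REVIEWER" codeAbbrDesc="Financial Transaction Reviewer Role" codeDescription="Reviews records">
      <action code="VIEW" codeAbbrDesc="View" codeDescription="View records">
        <spanOfControl>Lab Bench Number</spanOfControl>
      </action>
      <action code="VIEW" codeAbbrDesc="View again" codeDescription="Duplicate code"/>
    </role>
  </privilege>
</astra>"""

if __name__ == "__main__":
    print("good:", lint_schema(SAMPLE_GOOD))
    for finding in lint_schema(SAMPLE_BAD):
        print("bad:", finding)
```

Running the linter over the second sample reports the AbbrDesc that would be truncated by the varchar(20) column, the action code reused inside one role, and the custom SOC type that the application would have to keep supplied with data; catching these before the schema is loaded is cheaper than discovering them when campus authorizers start assigning the roles.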