
Introduction

The ASTRA web application can be used to manage authorizations that are then provisioned into groups maintained in the UW Groups service. Examples of how these groups can be used include populating email lists, managing SharePoint access, and restricting access to the Enterprise Data Warehouse (EDW).

Groups Service

The Groups Web Service documentation is a good place to learn more about this UW-IT offering.

Groups can be built from both the ASTRA eval and production environments. Each group name begins with a "group stem", the leading substring of the group name. The stem differs by environment so that groups populated with authorizations from the ASTRA evaluation environment can be distinguished from those populated from the ASTRA production environment.

Group Stem Naming Convention

Environment of ASTRA authorizations | Group Stem  | GWS URL
EVAL                                | u_astratst  | https://iam-ws.u.washington.edu/groups_ws/v2
PROD                                | u_astra     | https://iam-ws.u.washington.edu/groups_ws/v2

Guidelines for Group Membership from ASTRA Authorizations

ASTRA Groups Naming Convention

There is a suggested naming convention for groups that are populated with ASTRA authorizations. The name includes the group stem and pertinent information about the application, role (if applicable), action (if applicable), and ASTRA role. If there is no ASTRA role in the group name, it is safe to assume the group holds "User" authorizations. Here are some examples of groups that have been populated with ASTRA authorizations:

Group Name                          | ASTRA Environment | Explanation of Name
u_astra_findesktop_authorizers_safi | Production        | Authorizers for the Financial Desktop application with the SAFI role.
u_astra_findesktop_safi_inquiry     | Production        | Users (implied by the lack of an ASTRA role in the name) for the Financial Desktop with the SAFI role and Inquiry action.
u_astra_urole_analyst               | Production        | EDW groups all have "urole" in the name. This group is made up of Users of the EDW application with the Analyst role.
u_astratst_eis_reviewer             | Evaluation        | Users of the EIS application with the Reviewer role.
u_astratst_ASTRA_Delegators         | Evaluation        | All ASTRA delegators for every application in the ASTRA evaluation environment.

When Are ASTRA Authorizations Moved Into Groups?

The reconciliation of ASTRA authorizations into Groups is controlled by regularly scheduled tasks, and these groups can be updated as often as necessary. Typically groups that are used in mailing lists are updated once daily, whereas the groups that manage access to the Enterprise Data Warehouse are updated each hour. ASTRA is flexible in how often and when groups can be updated. The job that updates groups daily runs at 2:35 AM, and the job that updates groups hourly runs every hour on the hour. Until the next scheduled run, a change made in ASTRA, including a revoked authorization, is not reflected in the group, so a group that gates access to a resource (rather than an email list) should use the hourly interval or a custom task. If a group needs to be updated at a specific time or interval that does not correspond to a currently scheduled task, a new task can be created to accommodate that need. Please discuss your application's requirements with an ASTRA team member.

Specifying Groups in an Application Schema File

An application's authorization hierarchy is defined in an ASTRA schema XML file. Any groups to be populated with authorizations from ASTRA are defined in that same schema XML file, alongside the application's "privilege", "role", "action" and "span of control" codes and descriptions.

Groups can be defined by                 | Allowed?
ASTRA Role (User, Authorizer, Delegator) | One or more can be included in a group
Privilege                                | One or more can be included in a group
Roles                                    | Zero or more can be included in a group
Actions                                  | Zero or more can be included in a group
Span of Control Type                     | Zero or more can be included in a group
Span of Control Values                   | Not allowed in a group, with some possible exceptions for customized group creation.

The elements of an "AstraGroup" (written as ASTRAGroup in the schema file) are:

  • groupName: The name of the group in Groups is the group stem (u_astra or u_astratst, depending on the ASTRA environment) joined to the groupName value given in the application schema file, as illustrated below. Because a single application schema file serves all ASTRA environments, the stem is not part of the schema; it is stored in a separate ASTRA configuration file. The conventional form of a group name is: stem + "privilege" (application) + "role" (if part of the group) + "action" (if part of the group).
  • groupDescription: A short description of this group; this description appears in the Groups web application.
  • privilegeCd: The privilege code that ASTRA uses to represent the application in the schema.
  • roleCd: Optional. The role code that ASTRA uses to represent a role in the application.
  • actionCd: Optional. The action code used in the schema to represent an action for the role.
  • socTypeCd: Optional. If a span-of-control type is part of the privilege/role/action authorization combination, it is specified here too. Note that you cannot specify particular SOC values to be included in or excluded from the group. Span-of-control values are not stored in the group either, so the span-of-control portion of an authorization is unspecified and unavailable in a group: two people with the same privilege, role and action but different SOC values land in the same group.
  • astraRoleCd: The ASTRA role of the authorizations to be added to the group. It can be "User" (people who are authorized to use the application itself), "Authorizer" (ASTRA authorizers, who can authorize users of this application), or "Delegator" (ASTRA delegators, who create ASTRA authorizers).
  • runTimeInterval: How often this group should be refreshed with ASTRA authorization updates.

Can a Group Be Comprised of Authorizations from Different Applications, or Multiple Roles Within One Application?

There can be any number of "AstraGroup" sets within the "ASTRAGroups" section.  Any group can be made up of one or more applications, one or more ASTRA Roles, any number of roles, and any number of actions.  The way this is done is to create an "AstraGroup" for each combination of ASTRA role, application, role, action and SOC type that is to populate that group.  The key to populating one group with multiple "AstraGroup" entries in the schema file is to use the same "groupName" in each "AstraGroup".

Example of Specifying Groups in an ASTRA Application Schema:

<ASTRAGroups>
      <!-- Both ASTRAGroup entries below use the same groupName, so they populate a
           single group (u_astra_testrole_watcher in production, u_astratst_testrole_watcher
           in eval): User authorizations for TestPriv / Test_Watcher / Watch with either the
           BgtInc or the OrgInc span-of-control type. -->
      <ASTRAGroup>
        <groupName>testrole_watcher</groupName>
        <groupDescription>ASTRA Watcher TestRole</groupDescription>
        <privilegeCd>TestPriv</privilegeCd>
        <roleCd>Test_Watcher</roleCd>
        <actionCd>Watch</actionCd>
        <!-- SOC *type* only; SOC values are never selected on or stored in the group -->
        <socTypeCd_1>BgtInc</socTypeCd_1>
        <socTypeCd_2></socTypeCd_2>
        <socTypeCd_3></socTypeCd_3>
        <socTypeCd_4></socTypeCd_4>
        <socTypeCd_5></socTypeCd_5>
        <astraRoleCd>User</astraRoleCd>
        <runTimeInterval>daily</runTimeInterval>
      </ASTRAGroup>

      <ASTRAGroup>
        <groupName>testrole_watcher</groupName>
        <groupDescription>ASTRA Watcher TestRole</groupDescription>
        <privilegeCd>TestPriv</privilegeCd>
        <roleCd>Test_Watcher</roleCd>
        <actionCd>Watch</actionCd>
        <socTypeCd_1>OrgInc</socTypeCd_1>
        <socTypeCd_2></socTypeCd_2>
        <socTypeCd_3></socTypeCd_3>
        <socTypeCd_4></socTypeCd_4>
        <socTypeCd_5></socTypeCd_5>
        <astraRoleCd>User</astraRoleCd>
        <runTimeInterval>daily</runTimeInterval>
      </ASTRAGroup>
</ASTRAGroups>
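The following is an added example, not code from the ASTRA project: it parses an ASTRAGroups fragment into group definitions (prefixing the stem for the chosen environment, and pooling entries that share a groupName) and then reconciles a set of ASTRA authorizations into group membership the way a scheduled run would, dropping span-of-control values and rejecting a runTimeInterval that has no scheduled task. The stems and the sample schema are taken from this page; the sample authorizations are constructed, and the rule that an omitted roleCd or actionCd matches any value is an assumption about ASTRA's behaviour, not something the page states.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Optional

# Group stem per ASTRA environment (naming-convention table on this page).
GROUP_STEMS = {"EVAL": "u_astratst", "PROD": "u_astra"}
# Intervals that have a scheduled task on this page; anything else needs a new task.
KNOWN_INTERVALS = {"hourly", "daily"}


@dataclass(frozen=True)
class GroupRule:
    """One ASTRAGroup entry. None for role/action means "any" (assumption)."""
    astra_role: str        # User, Authorizer or Delegator
    privilege: str         # application code
    role: Optional[str]
    action: Optional[str]
    soc_types: frozenset   # SOC types only; SOC values never enter a group


@dataclass
class GroupDef:
    name: str              # full Groups name: stem + "_" + groupName
    description: str
    interval: str
    rules: list = field(default_factory=list)


@dataclass(frozen=True)
class Authorization:
    user: str
    astra_role: str
    privilege: str
    role: Optional[str] = None
    action: Optional[str] = None
    soc_type: Optional[str] = None
    soc_value: Optional[str] = None   # ignored: unavailable in the group


def _text(elem, tag):
    child = elem.find(tag)
    return ((child.text or "").strip() or None) if child is not None else None


def parse_astra_groups(xml_text, environment):
    """Return {full_group_name: GroupDef}; entries sharing a groupName pool their
    rules. Parse trusted schema files only (use defusedxml for untrusted XML)."""
    stem = GROUP_STEMS[environment]
    groups = {}
    for entry in ET.fromstring(xml_text).iter("ASTRAGroup"):
        short, privilege, astra_role, interval = (
            _text(entry, t) for t in ("groupName", "privilegeCd", "astraRoleCd", "runTimeInterval"))
        if not (short and privilege and astra_role and interval):
            raise ValueError("groupName, privilegeCd, astraRoleCd and runTimeInterval are required")
        if interval not in KNOWN_INTERVALS:
            raise ValueError(f"{short}: no scheduled task for runTimeInterval {interval!r}")
        soc_types = frozenset(filter(None, (_text(entry, f"socTypeCd_{i}") for i in range(1, 6))))
        full = f"{stem}_{short}"
        group = groups.setdefault(full, GroupDef(full, _text(entry, "groupDescription") or "", interval))
        if group.interval != interval:
            raise ValueError(f"{full}: entries disagree on runTimeInterval")
        group.rules.append(GroupRule(astra_role, privilege, _text(entry, "roleCd"),
                                     _text(entry, "actionCd"), soc_types))
    return groups


def rule_matches(rule, auth):
    """Every code the rule specifies must match; the SOC value is never consulted."""
    return (rule.astra_role == auth.astra_role and rule.privilege == auth.privilege
            and rule.role in (None, auth.role) and rule.action in (None, auth.action)
            and (not rule.soc_types or auth.soc_type in rule.soc_types))


def reconcile(groups, authorizations):
    """Rebuild {full_group_name: set(users)} from scratch, as a scheduled run does,
    so an authorization revoked in ASTRA drops out of the group at the next run."""
    membership = {name: set() for name in groups}
    for auth in authorizations:
        for name, group in groups.items():
            if any(rule_matches(rule, auth) for rule in group.rules):
                membership[name].add(auth.user)
    return membership


# The page's ASTRAGroups fragment, condensed: two entries, one groupName, two SOC types.
SCHEMA_XML = """<ASTRAGroups>
  <ASTRAGroup><groupName>testrole_watcher</groupName>
    <groupDescription>ASTRA Watcher TestRole</groupDescription>
    <privilegeCd>TestPriv</privilegeCd><roleCd>Test_Watcher</roleCd><actionCd>Watch</actionCd>
    <socTypeCd_1>BgtInc</socTypeCd_1><socTypeCd_2></socTypeCd_2>
    <astraRoleCd>User</astraRoleCd><runTimeInterval>daily</runTimeInterval></ASTRAGroup>
  <ASTRAGroup><groupName>testrole_watcher</groupName>
    <groupDescription>ASTRA Watcher TestRole</groupDescription>
    <privilegeCd>TestPriv</privilegeCd><roleCd>Test_Watcher</roleCd><actionCd>Watch</actionCd>
    <socTypeCd_1>OrgInc</socTypeCd_1>
    <astraRoleCd>User</astraRoleCd><runTimeInterval>daily</runTimeInterval></ASTRAGroup>
</ASTRAGroups>"""

# Constructed authorizations; SOC values differ but only the SOC type matters.
SAMPLE_AUTHORIZATIONS = [
    Authorization("alice", "User", "TestPriv", "Test_Watcher", "Watch", "BgtInc", "06-1234"),
    Authorization("bob", "User", "TestPriv", "Test_Watcher", "Watch", "OrgInc", "3050000000"),
    Authorization("carol", "Authorizer", "TestPriv", "Test_Watcher", "Watch", "BgtInc", "06-1234"),
    Authorization("dave", "User", "TestPriv", "Test_Watcher", "Edit", "BgtInc", "06-1234"),
]


def demo(environment="PROD"):
    """Membership the scheduled job would write for the given ASTRA environment."""
    return reconcile(parse_astra_groups(SCHEMA_XML, environment), SAMPLE_AUTHORIZATIONS)
```

Running demo("PROD") yields one group, u_astra_testrole_watcher, containing alice and bob: alice matches the first entry (BgtInc) and bob the second (OrgInc), while carol is excluded because she holds an Authorizer rather than a User authorization and dave because his action is Edit rather than Watch. demo("EVAL") produces the same membership under the u_astratst stem. Because reconcile rebuilds every group from the current authorizations rather than applying deltas, removing an authorization from the input removes the user at the next run, which is the behaviour the scheduling section relies on.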

Using ASTRA Groups

Because ASTRA groups are maintained automatically on a regular schedule (hourly or daily, for example), their membership cannot be edited manually through the Groups Service web application. The only way to change the membership of an ASTRA-generated group is to add or remove the authorization in ASTRA; the change is reflected in the corresponding group at its next scheduled update.

It is recommended that an application using an ASTRA-generated group create its own group and add the ASTRA-generated group as a member. Additional members can then be added to the application's own group without making any changes in ASTRA. This is the preferred way to use an ASTRA-generated group in a Mailman list. Note that members added directly to the application's own group are outside ASTRA's authorization workflow, so review them separately when auditing who has access.
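An added example (not from the page or the Groups service) of the nesting pattern just described: a locally owned group that contains an ASTRA-generated group as a member, with direct edits refused on any group carrying an ASTRA stem, effective membership flattened through nested groups, and a separate listing of the users who reach the wrapper without passing through an ASTRA group. The group names and members are constructed, and the membership data is a plain in-memory model, not a call to the Groups Web Service.

```python
# ASTRA-generated groups are recognised by the stems from this page.
ASTRA_STEMS = ("u_astra_", "u_astratst_")


def is_astra_group(name):
    return name.startswith(ASTRA_STEMS)


def add_member(groups, group, member):
    """Direct edits are only allowed on groups you own; an ASTRA-generated
    group changes only when the authorization changes in ASTRA."""
    if is_astra_group(group):
        raise PermissionError(f"{group} is maintained by ASTRA; change the authorization in ASTRA")
    groups.setdefault(group, set()).add(member)


def effective_members(groups, name, _seen=None):
    """Flatten nested membership into a set of users. A member that is itself a
    key of `groups` is a nested group; a cycle is visited once and then ignored."""
    _seen = set() if _seen is None else _seen
    if name in _seen:
        return set()
    _seen.add(name)
    users = set()
    for member in groups.get(name, ()):
        if member in groups:
            users |= effective_members(groups, member, _seen)
        else:
            users.add(member)
    return users


def members_outside_astra(groups, name):
    """Users reachable from `name` without passing through any ASTRA-generated
    group: access granted outside ASTRA's workflow, worth a separate review."""
    pruned = {g: {m for m in members if not is_astra_group(m)}
              for g, members in groups.items() if not is_astra_group(g)}
    return effective_members(pruned, name)


def demo():
    """Constructed data: an ASTRA group nested in a wrapper that also holds
    a direct member and a contractor group which nests the wrapper back."""
    groups = {
        "u_astra_findesktop_safi_inquiry": {"alice", "bob"},   # written by the ASTRA job
        "u_fin_contractors": {"dave", "u_fin_safi_inquiry_list"},
    }
    wrapper = "u_fin_safi_inquiry_list"
    add_member(groups, wrapper, "u_astra_findesktop_safi_inquiry")  # nest the ASTRA group
    add_member(groups, wrapper, "carol")                            # extra member, no ASTRA change
    add_member(groups, wrapper, "u_fin_contractors")
    return effective_members(groups, wrapper), members_outside_astra(groups, wrapper)
```

demo() returns the wrapper's effective membership, {alice, bob, carol, dave}, alongside the subset that bypasses ASTRA, {carol, dave}; the cycle between u_fin_contractors and the wrapper terminates because each group is expanded once. The second set is the list an owner should be able to justify on its own, since nothing in ASTRA authorized those people.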

Here is more information about synchronizing Groups with Mailman: Synchronize Groups with Mailman Lists