Centralized Identity Management (CIM) - Huge Step Forward

Thanks @Misbah I always count on your explanation of the new features. This helps a lot!

saurabh.raheja

Hello

Will the option to add users using import actions still continue to be available?

Thanks

Saurabh

@saurabh.raheja

Yes, but not in the same way as you currently do now. Instead of importing directly into a model, you will be loading the users into Administration. I will play with this next week as well as ask this question and get back to you because you are not the only one that this impacts.

Rob

saurabh.raheja

Thanks for getting back! Yeah, I guessed it would impact a lot of people and the way we manage entitlements within Anaplan right now.

I will be looking forward to your response and further developments in this space.

Saurabh

@prakashnishtala

@saurabh.raheja

I am supposed to play with this Wednesday of next week, so if I don't get back to you by Thursday, please feel free to ping me again (I will try to save this thread, but it might get lost in the shuffle).

Rob

@rob_marshall @Misbah

Question posed by @BrentOrr is can you assign someone the User Admin role that IS NOT a workspace admin? Meaning, there only job in Anaplan is to add/delete users?

@JaredDolich

That is my understanding, but will confirm next week. There will be a new role created (User Administration) and you would assign people that role.

Rob

benjamin_audroi

I think it's a great addition and it makes more sense to centralize this feature.

However, it will indeed change our user management processes by import actions.

@rob_marshall I am also curious to see how that will be handled next thursday.

Do you happen to know when our current processes to add users to a model/workspace will not work anymore ?

Thank you,

@benjamin_audroi

To be perfectly honest, no, I don't but it will not be at the end of this month. It is my understanding this will be more of a phased approach, so no ripping of the bandaid. Again, let me get more details and I will get back to you.

Rob

david.edwards_*50531

I'll second all of these concerns, as multiple of my clients and former employers will be impacted if the "add user through import" option is taken away. This is a pretty drastic change if so, and I feel that many customers will be blindsided by this.

Misbah

Now this is interesting. I would have Imagined all the imports into User section would stay as - is. People running the Import action would need to be User Admins if this is to work. Since it is Anaplan it can be exact opposite to what I think. Looking forward to seeing some nice stuff next week.

Another question asked by one of Anaplan's major accounts.

Does this new USER ADMIN role have to be part of a Model Builder license – or can be done at the Enterprise user license level?

All,

So my bug bash for tomorrow got pushed out a week, but this is what I have found out so far without playing with it:

@saurabh.raheja @benjamin_audroi @david.edwards @Misbah All of you asked about the bulk imports of users. At this time, it is going to stay as is and there will be an API that will update Administration with the new users. I believe, again I believe, this will be removed in the future, but presently, it will stay as is.
@BrentOrr @JaredDolich It is my understanding that a user will not have to be a WSA to add users, just have the User Administration role assigned to them. Now, if you are doing a bulk import to users like the folks in the first bullet, then yes, they would have to be WSA. Again, I am hoping to test this next week.
@JaredDolich - Does the new User Admin role have to be part of the Model Builder license. From what I have found out, the answer would be no. In order to for the User Admin role to be assigned to a user, that user would have to be either a Model Builder or a Connected Planning user (basic, professional, enterprise edition users). Now, don't hold me to that as I am not a sales person, but this is what I have been told. When CIM does come out, it would be best to circle back to your assigned BP to get an official answer.

I think I hit the majority of questions, if not all, but if I missed a question, please let me know.

Rob

@rob_marshall @Misbah @david.edwards @benjamin_audroi @saurabh.raheja

Thanks Rob! Best 5 Kudos I've ever spent. Let me know if you discover anything different. I'd like to update the customers that have been asking.

DaanishSoomar

Thanks for the insight @Misbah! As @JaredDolich mentioned your explanations are always something I look forward to.

The feature I am most excited for is the 4. Users that get added automatically have “No Access”, I know there have been methods to do this in the past but there have been some flaws in this approach.

Ultimately more security > less security.

johan_vangerwen

@rob_marshall do you have an update/some final answers regarding these 3 points?

@johan_vangerwen

Which three points specifically are you asking about? I thought I had answered them in the above post.

Rob

johan_vangerwen

@rob_marshall Hi Rob, I mean (forget the last topic, your are not a sales person 😉 😞

@saurabh.raheja @benjamin_audroi @david.edwards @Misbah All of you asked about the bulk imports of users. At this time, it is going to stay as is and there will be an API that will update Administration with the new users. I believe, again I believe, this will be removed in the future, but presently, it will stay as is.
@BrentOrr @JaredDolich It is my understanding that a user will not have to be a WSA to add users, just have the User Administration role assigned to them. Now, if you are doing a bulk import to users like the folks in the first bullet, then yes, they would have to be WSA. Again, I am hoping to test this next week.
@JaredDolich - Does the new User Admin role have to be part of the Model Builder license. From what I have found out, the answer would be no. In order to for the User Admin role to be assigned to a user, that user would have to be either a Model Builder or a Connected Planning user (basic, professional, enterprise edition users). Now, don't hold me to that as I am not a sales person, but this is what I have been told. When CIM does come out, it would be best to circle back to your assigned BP to get an official answer.

alexpavel

@rob_marshall about the import actions which add a user. My hope is that the only change that CIM will bring is: if the import action will add a user, the user who launches the import user action is mandatory to be setup with "User Admin" role.

There will be needed synchronization with CIM, but if this will be already implemented with Phase 2, I hope this will not be disabled in the future.

Why disable something that is already in place and make more difficult the adding of a user by obligating the current integrations to launch a specific REST API to add a user?

I agree that, if the user who launches the import users action does not have the "User Admin" role, to be returned the error and the user should not be added.

Adding a user through an import user's action is just the first step. More important with these import actions is the update of the security in that particular model.

Other considerations:

CIM is definitely a big step forward in the segregation of roles between Model Builders (workspace admin) and Security administrators. This segregation is valid only for adding the users to a workspace. This will give control to Security admins on the active users on workspaces and licenses used.

My impression is that this segregation should go further and be applied also in every model: to have the possibility of different users (Security admins) who are able to setup User roles, selective access, etc... from the Model Builders. What do you think?

Alex

https://community.anaplan.com/t5/Releases/CIM-Phase-2-rollout-update/ba-p/105108

For more information on CIM, check out this link:

Rob

Misbah

Yes, read it yesterday as soon as the notification hit my inbox. Didn't understand the delaying part at all. Why the delay - Any theory behind it?

@Misbah

You know I can't answer that in an open forum. 🙂

DaanishSoomar

Hmm @Misbah and @rob_marshall - this is an interesting development.

I believe keeping WSA's role the same while adding User Admin almost makes both roles and their responsibilities a bit redundant.

Are you able to help clarify the segregation of responsibilities that CIM will aim to create? Is there value behind making somone only a User Admin instead of Workspace Admin?