User Access Management: Part 2 - This is how we do it

edited December 2022 in Best Practices

At Anaplan, we are using Anaplan internally for many of our business processes; this is how we set up our User Access Management.

Anaplan User Access overview

Unlike most enterprise software, Anaplan is extremely customizable.

Access happens at 3 levels:

  1. Page builders are provisioned at the tenant level
  2. Model builders or workspace administrators are provisioned at the workspace level
  3. User access is provisioned at the model level

Screen Shot 2021-11-02 at 10.26.11 AM.png


Decentralized (“In-Model”)


An in-model solution to manage user access exclusively in that model.


  • Ideal for single/limited use case Anaplan deployments 
  • Ideal in situations where an administrator is also a model builder/manager  


  • Administrator has visibility into all model data
  • Must manage users in multiple places for more Anaplan deployments involving 2+ use cases 

A stand-alone model to manage users across multiple models within a customer tenant.


  • Ideal for multi-use case Anaplan deployments, or customers who plan to expand use cases
  • Single place to manage user access across multiple models 
  • Limit administrator access to sensitive data outside of the user access management model 


  • More complex to deploy
  • Risk that spoke model and central model become unsynchronized 


Screen Shot 2021-11-02 at 12.54.11 PM.png

*IAM = Identity and Access Management

IAM Data-driven Provisioning Solution

Okta or Similar IAM Configuration

  • Set-up Applications to align with your Models (Anaplan.FP&A, Anaplan.SPM)
  • Create groups that align with Model Roles (Full Access, Executives, Analysts)

Anaplan Configuration

Centralized Provisioning Model:

  • Map Okta Applications to Anaplan Models (create saved view for each model)
  • Ensure Okta Model Roles align with Model Roles in each Anaplan Model



In Spoke Model(s):

  • Create staging area for user access settings from the central model
  • Create import process in model to import user settings into native user settings



Centralized Provisioning App:

  • Create a page to manage and provision model role access across multiple Models/Workspaces
  • Create a page for each model to provision Selective Access (if applicable) and run update process ad hoc



HyperConnect (Informatica)

Schedule processes to run in sequence:

  1. Load IAM Data Into Hub
  2. Load IAM Hub Data into Centralized Provisioning Model
  3. Load Transformed User Access Settings into Respective Spoke Models

Ready for Part 3?

We have 1 more example to share!


Got feedback on this content? Let us know in the comments below.

Contributing authors: Paul Rosal, Becca Robertson, and Corey Jacoby.


  • Excellent (exemplary!) set of documentation on the app. Thank you!