Part 1 can be found here.
At Anaplan, we are using Anaplan internally for many of our business processes; this is how we set up our User Access Management.
Note that the examples here leverage the Bulk API for adding new users to models. If you have enabled the tenant-level option to Manage users in Administration only, then Workspace administrators can't add or remove users from within a model. They also can't add users through an import.
Anaplan User Access overview
Unlike most enterprise software, Anaplan is extremely customizable.
Access happens at 3 levels:
- Page builders are provisioned at the tenant level
- Model builders or workspace administrators are provisioned at the workspace level
- User access is provisioned at the model level
Terminology
| | Decentralized (“In-Model”) | Centralized |
|---|---|---|
| Description | An in-model solution to manage user access exclusively in that model. | A stand-alone model to manage users across multiple models within a customer tenant. |
| Pros | Ideal for single/limited use case Anaplan deployments; ideal in situations where an administrator is also a model builder/manager | Ideal for multi-use case Anaplan deployments, or customers who plan to expand use cases; single place to manage user access across multiple models; limit administrator access to sensitive data outside of the user access management model |
| Cons | Administrator has visibility into all model data; must manage users in multiple places for more Anaplan deployments involving 2+ use cases | More complex to deploy; risk that spoke model and central model become unsynchronized |
*IAM = Identity and Access Management
IAM Data-driven Provisioning Solution
Okta or Similar IAM Configuration
- Set up Applications to align with your Models (Anaplan.FP&A, Anaplan.SPM)
- Create groups that align with Model Roles (Full Access, Executives, Analysts)
Anaplan Configuration
Centralized Provisioning Model:
- Map Okta Applications to Anaplan Models (create saved view for each model)
- Ensure Okta Model Roles align with Model Roles in each Anaplan Model
In Spoke Model(s):
- Create staging area for user access settings from the central model
- Create import process in model to import user settings into native user settings
Centralized Provisioning App:
- Create a page to manage and provision model role access across multiple Models/Workspaces
- Create a page for each model to provision Selective Access (if applicable) and run update process ad hoc
HyperConnect (Informatica) or REST API Solution
Schedule processes to run in sequence:
- Load IAM Data Into Hub
- Load IAM Hub Data into Centralized Provisioning Model
- Load Transformed User Access Settings into Respective Spoke Models
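The transform step between the IAM hub and the spoke models, sketched as an added example (not Anaplan's own code or API). It maps IAM applications and groups to models and model roles, rejects assignments it cannot resolve, and reports drift against a spoke model's current users. The CSV layout, model names, and function names are assumptions, and the data is constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: IAM export of (user, application, group) assignments.
IAM_EXPORT = """email,application,group
ana@example.com,Anaplan.FP&A,Full Access
ben@example.com,Anaplan.FP&A,Analysts
ben@example.com,Anaplan.SPM,Executives
cy@example.com,Anaplan.SPM,Analysts
cy@example.com,Anaplan.SPM,Executives
dee@example.com,Anaplan.HR,Analysts
"""

# Hypothetical mapping held in the central model: IAM application -> spoke model.
APP_TO_MODEL = {"Anaplan.FP&A": "FP&A Model", "Anaplan.SPM": "SPM Model"}
# Role names from the page's examples; each must exist in every spoke model.
MODEL_ROLES = {"Full Access", "Executives", "Analysts"}


def build_staging(iam_csv):
    """Return ({model: {email: role}}, rejects) from an IAM assignment export."""
    seen, rejects = defaultdict(set), []
    for row in csv.DictReader(io.StringIO(iam_csv)):
        email = row["email"].strip().lower()
        app, group = row["application"], row["group"]
        if app not in APP_TO_MODEL or group not in MODEL_ROLES:
            rejects.append((email, app, "unmapped application or role"))
        else:
            seen[(APP_TO_MODEL[app], email)].add(group)
    staging = defaultdict(dict)
    for (model, email), roles in seen.items():
        # Assumes one model role per user per model: never pick a winner silently.
        if len(roles) == 1:
            staging[model][email] = next(iter(roles))
        else:
            rejects.append((email, model, "conflicting roles"))
    return dict(staging), rejects


def drift(staged, spoke_users):
    """Compare staged access for one model with that spoke model's current users."""
    return {
        "add": sorted(set(staged) - set(spoke_users)),
        "remove": sorted(set(spoke_users) - set(staged)),
        "change": sorted(e for e in staged if e in spoke_users and staged[e] != spoke_users[e]),
    }
```

Reviewing the rejects and the `remove`/`change` lists before each scheduled load is one way to catch the central and spoke models becoming unsynchronized.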
Ready for Part 3, click here!
We have 1 more example to share!