User Access Management: Part 2 - This is how we do it

At Anaplan, we are using Anaplan internally for many of our business processes; this is how we set up our User Access Management.

Note that the examples here leverage the Bulk API for adding new users to models. If you have enabled the tenant-level option to Manage users in Administration only, then Workspace administrators can't add or remove users from within a model. They also can't add users through an import.

Anaplan User Access overview

Unlike most enterprise software, Anaplan is extremely customizable.

Access happens at 3 levels:

Page builders are provisioned at the tenant level
Model builders or workspace administrators are provisioned at the workspace level
User access is provisioned at the model level

Screen Shot 2021-11-02 at 10.26.11 AM.png

Terminology

Decentralized (“In-Model”)

Centralized

An in-model solution to manage user access exclusively in that model.

Pros:

Ideal for single/limited use case Anaplan deployments
Ideal in situations where an administrator is also a model builder/manager

Cons:

Administrator has visibility into all model data
Must manage users in multiple places for more Anaplan deployments involving 2+ use cases

A stand-alone model to manage users across multiple models within a customer tenant.

Pros:

Ideal for multi-use case Anaplan deployments, or customers who plan to expand use cases
Single place to manage user access across multiple models
Limit administrator access to sensitive data outside of the user access management model

Cons:

More complex to deploy
Risk that spoke model and central model become unsynchronized

Screen Shot 2021-11-02 at 12.54.11 PM.png

*IAM = Identity and Access Management

IAM Data-driven Provisioning Solution

Okta or Similar IAM Configuration

Set-up Applications to align with your Models (Anaplan.FP&A, Anaplan.SPM)
Create groups that align with Model Roles (Full Access, Executives, Analysts)

Anaplan Configuration

Centralized Provisioning Model:

Map Okta Applications to Anaplan Models (create saved view for each model)
Ensure Okta Model Roles align with Model Roles in each Anaplan Model

In Spoke Model(s):

Create staging area for user access settings from the central model
Create import process in model to import user settings into native user settings

Centralized Provisioning App:

Create a page to manage and provision model role access across multiple Models/Workspaces
Create a page for each model to provision Selective Access (if applicable) and run update process ad hoc

HyperConnect (Informatica) or REST API Solution

Schedule processes to run in sequence:

Load IAM Data Into Hub
Load IAM Hub Data into Centralized Provisioning Model
Load Transformed User Access Settings into Respective Spoke Models

Ready for Part 3, click here!

We have 1 more example to share!

Feedback on this content? Let us know in the comments below.

Comments

AnyaS

Excellent (exemplary!) set of documentation on the app. Thank you!

Quick Links

Recent release news

July 2025 platform releases and what’s next
Check out the latest Anaplan feature updates and enhancements in our July 2025 official release notes. The information below offers supplemental information to that post. Planning experience External URL navigation button Page builders can configure navigation action buttons to link to external URLs, including non-Anaplan…
Recording now available! July 30 platform release event
If you missed our July 30, 2025 platform release event, the recording is now available! In this webinar, we highlight the most recent feature releases and how to take advantage of these in your environment. Our expert-led session demonstrated new features and innovations, provided a technical deep-dive and “how-to”,…