User Access Management: Part 2 - This is how we do it
At Anaplan, we use Anaplan internally for many of our business processes; this is how we set up our own User Access Management.
Anaplan User Access overview
Unlike most enterprise software, Anaplan is extremely customizable.
Access is provisioned at three levels:
- Page builders are provisioned at the tenant level
- Model builders or workspace administrators are provisioned at the workspace level
- User access is provisioned at the model level
Terminology
Decentralized (“In-Model”): An in-model solution to manage user access exclusively in that model.
Pros:
Cons:
Centralized: A stand-alone model to manage users across multiple models within a customer tenant.
Pros:
Cons:
*IAM = Identity and Access Management
IAM Data-driven Provisioning Solution
Okta or Similar IAM Configuration
- Set up Applications to align with your Models (Anaplan.FP&A, Anaplan.SPM)
- Create groups that align with Model Roles (Full Access, Executives, Analysts)
Anaplan Configuration
Centralized Provisioning Model:
- Map Okta Applications to Anaplan Models (create a saved view for each model)
- Ensure Okta Model Roles align with Model Roles in each Anaplan Model
In Spoke Model(s):
- Create a staging area for the user access settings received from the central model
- Create an import process in the model to load the staged user settings into the native user settings
Centralized Provisioning App:
- Create a page to manage and provision model role access across multiple Models/Workspaces
- Create a page for each model to provision Selective Access (if applicable) and run update process ad hoc
HyperConnect (Informatica)
Schedule processes to run in sequence:
- Load IAM Data Into Hub
- Load IAM Hub Data into Centralized Provisioning Model
- Load Transformed User Access Settings into Respective Spoke Models
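The step between the IAM hub and the spoke staging areas is a transform that should also validate the alignment of applications and roles described above. The following is an added example, not Anaplan's own code: it runs on a constructed IAM export, uses hypothetical names (APP_TO_MODEL, MODEL_ROLES, build_staging, removals), assumes one role per user per model, and calls no Okta, Informatica or Anaplan API.

```python
# Added example: constructed data and hypothetical names throughout.
from collections import defaultdict

# Okta application -> Anaplan model, as maintained in the central model.
APP_TO_MODEL = {"Anaplan.FP&A": "FP&A", "Anaplan.SPM": "SPM"}
# Roles that actually exist in each spoke model (constructed).
MODEL_ROLES = {"FP&A": {"Full Access", "Executives", "Analysts"},
               "SPM": {"Full Access", "Analysts"}}
# Constructed IAM export rows: (user, application, group).
IAM_ROWS = [
    ("ana@example.com", "Anaplan.FP&A", "Analysts"),
    ("ana@example.com", "Anaplan.SPM", "Full Access"),
    ("raj@example.com", "Anaplan.SPM", "Executives"),    # role missing in SPM
    ("lee@example.com", "Anaplan.HR", "Analysts"),       # unmapped application
    ("kim@example.com", "Anaplan.FP&A", "Analysts"),
    ("kim@example.com", "Anaplan.FP&A", "Full Access"),  # second role, same model
]
# Constructed access currently held in the spokes: model -> {user: role}.
CURRENT = {"FP&A": {"ana@example.com": "Analysts", "old@example.com": "Executives"},
           "SPM": {}}


def build_staging(rows, app_to_model, model_roles):
    """Return (staging, rejects); staging is model -> {user: role}."""
    staging, rejects = defaultdict(dict), []
    for user, app, group in rows:
        model = app_to_model.get(app)
        if model is None:
            rejects.append((user, app, group, "unmapped application"))
        elif group not in model_roles.get(model, set()):
            rejects.append((user, app, group, "role not in model"))
        elif staging[model].get(user, group) != group:
            # Assumption: one role per user per model. Keep the first, report the rest.
            rejects.append((user, app, group, "conflicting role"))
        else:
            staging[model][user] = group
    return dict(staging), rejects


def removals(staging, current):
    """Users who still hold access in a spoke that the IAM data no longer grants."""
    return {m: sorted(set(users) - set(staging.get(m, {})))
            for m, users in current.items()}


STAGING, REJECTS = build_staging(IAM_ROWS, APP_TO_MODEL, MODEL_ROLES)
```

Rejected rows and the removal list are the two outputs worth reviewing before the spoke import runs: the first shows drift between IAM groups and model roles, the second shows access that should be revoked.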
Ready for Part 3?
We have 1 more example to share!
Contributing authors: Paul Rosal, Becca Robertson, and **** Jacoby.