Community perspective: Central User Access Management

Arnab_KPN

What is Central User Access Management?

"Central User Access Management" is an Anaplan model through which we can maintain user access management for all the models within an enterprise. This is not readily available in Anaplan AppHub, but it is easy to create and maintain. This article will explain how to do it.

Why we need it:

• Better user access control
• Better visibility in terms of user details
• Single source of truth for user details
• Easy to maintain
• Can further be extended for license management
• Model owners can manage the users in their models without the Workspace Administrator role

What needs to be built:

1. One new Anaplan model needs to be created (suggested name: "Central User Access Management") with the following functionalities:
   • Capture user details, such as user name and email address
   • Create model role
   • Map user to the required model role
   • Map user to the required selective access (if selective access is required in the spoke model)
   • Export views for each model for the users and their details, model role and selective access (if required)
2.  Anaplan components need to be created for each spoke model with the following functionalities:
   • Get the user configuration (such as user details, user model role, user selective access) from the Central User Access Management model
   • Import those details into Anaplan user access section
3. Scheduling components (Anaplan CloudWorks or other external scheduling tool integration components) need to be created if a sync is needed between the Central User Access Management model and the spoke models in an interval manner. On demand syncing can also be done by exposing the URL on an Anaplan page to run the corresponding REST API to get data from the Central User Access Management model into spoke models and implement the user configuration.

 High-level process flow:

How to build the "Central User Access Management Model" (Central UAM):

1. Key dimensions:

Master user: This list should contain all the users who need access to Anaplan models.

Model: This list should contain all the model names for which user access management will be maintained by the Central UAM.       

Model Role: This list should contain all the model roles. Model List should be the parent of this list.

Model Role User: This list should contain the users who need access for a model role. The Model Role list should be parent of this list.

Selective Access List 1 to N: The list for which selective access need to be configured need to be created in this model so that selective access can be configured and can be imported into the spoke model.

2. Key modules:

Module to capture master user details (dimension: Master User): In this module the user details need to be captured. Using the ‘Create Form’ functionality, we can add users into the Master User list and then we can capture user details into this module. We can also delete the users from this list by using ‘Delete from List Using Selection’.Module to capture model role details (dimension: Model Role): In this module model role details need to be captured. Using the ‘Create Form’ functionality we can add model roles into Model Role list and then we can capture model role details into this module. We can also delete the model roles from this list by using ‘Delete from List Using Selection’.Module to capture model role user details (dimension: Model Role User): In this module users added to the model roles need to be captured. We can create items in Model Role User list using the ‘Create Form’ functionality and then in this module against that item we can select User (to whom we can give the corresponding model role) from the Master User List in a line item and immediately we can get all the details about that user from Master User Details module.From this module only we will create export views for each spoke model for the corresponding user details and the required model role.Module to capture mapping between model role user details and the list for which selective access need to be defined (dimension: Model Role User and S01 Selective Access List): In this module we will capture the mapping between model role user details and the items from the selective access list (to which they should have selective access).From this module we will create export views for the spoke models for the mapping between Model Role User and the Selective Access list items.

How to get the user access configuration from the Central User Access Management Model into the spoke model:

1. Key dimensions:

Master user: In this list we will load the users from the export view (which we have created in the Central User Access Management model for the corresponding spoke model) who require access to this spoke model.

Model role: In this list we will define the roles available for this spoke model. We have to ensure that the name of these roles should be exactly same as the roles defined for this model as well as the model role names defined in the Central User Access Management model. We need add an additional role named as "No Access" so that we can also remove user access to the model.

Lists with selective access: These are the lists which need selective access. We need to make sure that these lists in the spoke models are always in sync with the selective access lists in the Central User Access Management model.

2. Key modules:

User details (dimension – Master User): In this module we will capture the user details and their roles and we will import the data from the Central User Access Management model.

We have to create a view in this module to export data into Anaplan user list to set up user access (user details and role) for this spoke model.

User selective access for List1 (dimension – Master User/List With Selective Access): In this module we will capture the mapping between user and the corresponding items from the selective access list. We will import this data from the selective access view which we created in the Central User Access Management model.

We have to create write/read view in this module to export data into Anaplan user list to set up selective access for the selective access list.

3. Key actions:

• Action to load Master User list from the Central User Access Management model
• Action to load User Details module from the Central User Access Management model
• Action to load selective access details from the Central User Access Management model
• Action to load user details from User Details module view into Anaplan User Access list
• Actions to load selective access details from the User Selective Access List1 module views into the Anaplan User Access list.
• Action to clean the Master User list for the users who  no longer need access to this model

 

Do you have feedback on this content? Let us know in the comments below! 

DanielDunleavy

@Arnab_KPN  How were you able to import WSA and SSO into Users section? Anaplan doesn't allow an import action into the WSA and SSO fields in the Users section.

Arnab_KPN

@DanielDunleavy 

 

Yes, you are correct. We can't import WSA and I think which won't be that much problematic to maintain as you won't be having many people with WSA access. But you can import SSO into Users section as shown below. Please let me know if you have any further question on this.

 

 

DanielDunleavy

Great, thank you for the clarification!! @Arnab_KPN