Can we assign access to Actions in Production the same as we assign roles to production?

jspascual
edited June 2023 in Modeling

Hi,

Not sure if this has been submitted before but I quickly searched and could not find any.

Problem: Can we assign access to Actions in Production model?

Sometimes, we need to create new actions and we need to assign access to those actions in development model, so when sync to production, the roles can access those actions.

However, you can forget one or two actions, and it's just feels like somewhat unnecessary to go back into the development model, tick that action for access under the roles, then sync to production. If the model is heavy in export actions such as the model that I've been working on, it would become problematic if you forgot to tick them in the roles accesses.

Proposed solution: Can it be also allowed to be ticked in production just like how the role is also allowed to be assigned in production? We follow strict deployment processes to adhere to our IT standard and processes, and a simple change like that will have to follow our ALM processes, test scripts, etc. This will be very helpful if we can have it done also in production.

Thanks!

Answers

  • Hi,

    From your explanation, the problem is not with Anaplan settings, but rather your test scripts (or following them). They are in deployment processes so that functionalities are tested - and one of the tests should be if an end user with given role can use the new export. Or maybe your deployment process should be a little more forgiving, and allow for quick release of small changes like that (it can be easily audited using "compare revision tags" what changes are pushed).

    Having this as production setting will only introduce issues with access between environments, with testing (someone will tick the access in the dev/test environment, but forget in production) and deployment to multiple production environments.

  • Thanks for the reply @M.Kierepka .

    I understand the suggestion, and the thorough testing that developers should do prior to deploying to production. However, it will also be very helpful if the accesses for these actions can be assigned also in production just like how the role is assigned in production. The development of the actions happen in the development environment, giving roles accesses to these actions should not require anymore deployment as this gets assigned in a separate area in the model anyway and is done by someone who has full access or WSA.

    I also understand the risk of ticking/unticking the access in dev but not in production and vice versa but this becomes moot when not ticked in dev and deployed to production but should be ultimately ticked in production. When this happens, there's a need to wait for another scheduled deployment, or at least after hours to deploy this very minor change. Whereas, if we could tick this in production, then all will be good. Also if a role does not have access to an action and ask for it, then another deployment is required. It is much easier to get an approval from their manager and just tick that access rather than getting the approval, prepare for development, prepare for a preprod, create a rev tag, wait for after hours, then sync to prod.

  • Hello,

    Assigning access to actions directly in the production model is not a recommended practice due to the risk of unintentional changes. It is best to maintain strict control over access permissions through development models and follow the established deployment processes to ensure proper testing and adherence to IT standards.

    Best regard,
    RouradT8