PSA: Deleted Models are no longer inaccessible to Workspace Admins


Anaplan introduced a new feature that allows for models that have been deleted to be restored by any workspace admin. This is wonderful for customers and partners to self serve when a model is deleted accidentally or needs to be restored and the hassle of going through Anaplan support/your BP makes it challenging or not worth the effort.

Historically speaking, there is/was a paper trail that existed when a model is restored and therefore if there is an exposure of sensitive data that it could be pursued appropriately based off of the actions, intentions, and results of what occurs, as well, generally decisions not being made in a vacuum, generally requiring sign off, or inclusion of other parties. In addition, deletion made the information inaccessible without those steps being taken.

The new feature allows for any workspace admin to un-delete the model, un-archive it, then perform any normal model activit(ies) including rolling back to a previous revision tag, and possibly gaining access to the data that was deleted from the workspace to allow them to be granted access to the Workspace as a Workspace Admin.

While this a somewhat niche situation, this feature has made 2 of our workspaces a no go zone for all but 2 of our CoE members.

I hope no one else is impacted by this find, but I wouldn't be posting about it otherwise.


  • Tiffany.Rice
    edited May 13

    Thanks @obriegr for raising these considerations. Completely understand the need to exercise caution when dealing with private/confidential data.

    Does the time parameter help to mitigate some of these concerns? Workspace administrators can only restore a model within 14 days of deletion. I view this capability as a means to self-serve in the instances where you inadvertently deleted a model or a there was a sudden change of heart (oh wait, we really did need that!?!?). Beyond the 2 week window, the restoration process would be the same as in past, working with Anaplan support teams.

    One other point to ponder, while the restore/un-archive is available to all admins only those with a access assigned to the model will be able to view it once it is moved to "Standard" mode. I did a quick test of this with one of my teammates, we set his role to "No Access" and while he was able to restore/un-archive, he had no access to the model itself.

    Key caveat to mention - when creating new users in a sensitive workspace I avoid selection Workspace Admin in the creation dialogue as that will grant access to all models in the workspace including those that are archived. Instead I create the user in the targeted model and then assign WSA via the users panel.

  • obriegr

    I don't disagree, pointing out that it generates a possible security risk that was not clearly communicated. I generally try and keep up with the newsletters (now discontinued; eg. I don't get an email anymore when there is new features released).

    Thus articulated as a PSA. That being said, if a bad actor has WSA access, they can easily add in another email (their personal) to the workspace, say they are testing things, and consume the data without leaving any trace of their behavior, during those 2 weeks.

    I would consider it a vulnerability and needs to be communicated at least once when deletion of a model occurs per WSA, communicating similar information to what you have shared with regards to timelines, etc.

    In addition, that 14 day window still limits access of other WSA that previously you could allow, so a button that says, yes I am certain I would like to remove access to this model and do not plan on restoring access without Anaplan's assistance.