PSA: Deleted Models are no longer inaccessible to Workspace Admins

Anaplan introduced a new feature that allows for models that have been deleted to be restored by any workspace admin. This is wonderful for customers and partners to self serve when a model is deleted accidentally or needs to be restored and the hassle of going through Anaplan support/your BP makes it challenging or not worth the effort.

Historically speaking, there is/was a paper trail that existed when a model is restored and therefore if there is an exposure of sensitive data that it could be pursued appropriately based off of the actions, intentions, and results of what occurs, as well, generally decisions not being made in a vacuum, generally requiring sign off, or inclusion of other parties. In addition, deletion made the information inaccessible without those steps being taken.

The new feature allows for any workspace admin to un-delete the model, un-archive it, then perform any normal model activit(ies) including rolling back to a previous revision tag, and possibly gaining access to the data that was deleted from the workspace to allow them to be granted access to the Workspace as a Workspace Admin.

While this a somewhat niche situation, this feature has made 2 of our workspaces a no go zone for all but 2 of our CoE members.

I hope no one else is impacted by this find, but I wouldn't be posting about it otherwise.

Accepted answers

All comments

Tiffany.Rice

Thanks @obriegr for raising these considerations. Completely understand the need to exercise caution when dealing with private/confidential data.

Does the time parameter help to mitigate some of these concerns? Workspace administrators can only restore a model within 14 days of deletion. https://help.anaplan.com/restore-a-deleted-model-f2323188-177a-47c8-bafd-ea88b6c4be89 I view this capability as a means to self-serve in the instances where you inadvertently deleted a model or a there was a sudden change of heart (oh wait, we really did need that!?!?). Beyond the 2 week window, the restoration process would be the same as in past, working with Anaplan support teams.

One other point to ponder, while the restore/un-archive is available to all admins only those with a access assigned to the model will be able to view it once it is moved to "Standard" mode. I did a quick test of this with one of my teammates, we set his role to "No Access" and while he was able to restore/un-archive, he had no access to the model itself.

Key caveat to mention - when creating new users in a sensitive workspace I avoid selection Workspace Admin in the creation dialogue as that will grant access to all models in the workspace including those that are archived. Instead I create the user in the targeted model and then assign WSA via the users panel.

obriegr

I don't disagree, pointing out that it generates a possible security risk that was not clearly communicated. I generally try and keep up with the newsletters (now discontinued; eg. I don't get an email anymore when there is new features released).

Thus articulated as a PSA. That being said, if a bad actor has WSA access, they can easily add in another email (their personal) to the workspace, say they are testing things, and consume the data without leaving any trace of their behavior, during those 2 weeks.

I would consider it a vulnerability and needs to be communicated at least once when deletion of a model occurs per WSA, communicating similar information to what you have shared with regards to timelines, etc.

In addition, that 14 day window still limits access of other WSA that previously you could allow, so a button that says, yes I am certain I would like to remove access to this model and do not plan on restoring access without Anaplan's assistance.

Quick Links

Can you help?

Unanswered questions

Create a Filter to show all the elements of that level based on selection in hierarchy
Hello Community members, Requirement Details: I have 5 levels of composite hierarchy list (A1, A2, A3, A4, A5). I have published a module in UX, Now the requirement is If user select a list member from A4 level in the context selector or Custom Filter I have to display all the list members under that A4 level. How can I…
import monthly data with months in columns
is there a way to import data with months in columns (usual excel table view)? I have to transform the data so there are rows to cover each period in the upload data form, but I am wondering if there is a better way to just import the data as is with the months in the columns. please let me know what you think. thank you,
Cloudworks Big Query Integration Fail
Hello, I am receiving an 'Anaplan Upload Failed' Status Description when testing my integration with a Big Query dataset. The integration imports data from BQ to our Anaplan model. No other details given in the error log. I suspect that Cloudworks is not even picking up the file but am not sure what we did wrong on the set…