Solved: Anaplan REST API with Cert Access: Connect to dif...

damianshameer2 · ‎01-06-2020

Hello All -

I am building a process to connect to Anaplan via REST APIs. I have an integration account and utilizing CA Cert for authentication for API authentication.

I have two workspaces, say WorkspaceA (with Model Model-A) and WorkspaceB (with Model-B). I have build a list in WorkspaceA/Model-A. My integration account has "Full Access" in both WorkspaceA and WorkspaceB.

I am trying to Import the list from WorkspaceA/Model-A into WorkspaceB/Model-B but getting the following error:

"You do not have access to the source workspace"

  "task" : {
    "taskId" : "7511C105589444B9A675E54ED16F",
    "currentStep" : "Failed.",
    "progress" : 0.0,
    "result" : {
      "details" : [ {
        "localMessageText" : "You do not have access to the source workspace",
        "occurrences" : 0,
        "type" : "importFailedGeneralError",
        "values" : [ "errorMessage", "You do not have access to the source workspace" ]
      } ],
      "failureDumpAvailable" : false,
      "objectId" : "112000000717",
      "successful" : false
    },
    "taskState" : "COMPLETE",
    "creationTime" : 1578331886369
  }

Question: Does Anaplan support connectivity between different workspaces when using CA Cert?

I have referenced the following doc https://help.anaplan.com/anapedia/Content/Import_and_Export/Import_Data_into_Models/Connect_to_a_Mod... which does not mention anything specific about CA Certs

Thanks in advance

@Fwolf

Stacey_Gibbens · ‎01-07-2020

@damianshameer2

Well, I can't dispute your experience with running integrations using a CA cert within a single workspace. If you say it works, then it works.

However, in my experience, the integration account must not be restricted to SSO only (which is what checking the SSO box does). I use an integration account associated with a CA certificate to run integrations across 3 production workspaces, with model-to-model, data uploads (from a warehouse extract), and data downloads (to be a data import back to the warehouse) on a nightly and intra-day cadence, and have been for years. The caveat is that I'm using AnaplanConnect and not the REST API, but I can't imagine authentication requirements for the integration account would be different across those two methods. That would seem cumbersome.

Please do post to let everyone know what Support says. I'd be interested to see what they say.

Thanks!

Stacey Gibbens

View solution in original post

nathan_rudman · ‎01-06-2020

1: yes we can do cross workspace imports with a user that connects via certificate

2: it shouldn't be necessary but is the user a model builder in workspace A ?

Nathan Rudman, Anaplan Model Builder

Crystal.l.Stein · ‎01-06-2020

The user running the query is a workspace admin in both the target and source workspaces and their respective models - but he is still getting this access error. The action is testing the update of changing a user's access from 'x' to 'no access' - the process runs successfully when run manually in the respective models, however, when using the rest API, it is saying he doesn't have access - could it be something in his query?

damianshameer2 · ‎01-06-2020

Hi Nathan. Thanks for replying.

Yes, the batch account is a Workspace Admin in both Workspaces. I can connect to the Source and Target Workspace but still cannot trigger cross workspace imports.

below is my setup...heavily redacted version

The both account has "Full Access" and "Workspace Admin" in Source and Target workspaces.

Source:

Source User:

Target

Target User:

ERROR:

URL to execute: https://api.anaplan.com/2/0/workspaces/xxxx/models/xxx/imports/112000000025/tasks/0EF8B476761D4FD0B09291832375ECB5

[executeGetApi] responseCode: 200
{
  "meta" : {
    "schema" : "https://api.anaplan.com/2/0/models/xx/objects/task"
  },
  "status" : {
    "code" : 200,
    "message" : "Success"
  },
  "task" : {
    "taskId" : "0EF8B476761D4FD0B09291832375ECB5",
    "currentStep" : "Failed.",
    "progress" : 0.0,
    "result" : {
      "details" : [ {
        "localMessageText" : "You do not have access to the source workspace",
        "occurrences" : 0,
        "type" : "importFailedGeneralError",
        "values" : [ "errorMessage", "You do not have access to the source workspace" ]
      } ],
      "failureDumpAvailable" : false,
      "objectId" : "112000000025",
      "successful" : false
    },
    "taskState" : "COMPLETE",
    "creationTime" : 1578349287119
  }
}

nathan_rudman · ‎01-07-2020

the URL you are calling ends with ?xxxxx
I've not seen this at the end of an API call before. Was it just added when you copied it ? are you calls actually executing with this ?

https://api.anaplan.com/2/0/workspaces/xxxx/models/xxxx/imports/112000000025/tasks/xxxxxx?_ga=2.1533...

Nathan Rudman, Anaplan Model Builder

damianshameer2 · ‎01-07-2020

I removed my workspace id and model id.

I have no issue connecting to Anaplan and executing imports/exports/uploads/downloads/processes/action...We have already built a few PROD processes that utilizes these APIs.

The main issue now is cross workspace imports....This is failing as per the json i posted earlier.

ben_speight · ‎01-07-2020

Are the source and/or target workspaces normally secured with single sign-on? If they use different identity endpoints then this can happen, or if the user is not also marked as an exception user in the source workspace.

damianshameer2 · ‎01-07-2020

Ben,

"Are the source and/or target workspaces normally secured with single sign-on?"

As per Firm policy, SSO must be enabled. Exception Users not allowed.

"If they use different identity endpoints then this can happen, or if the user is not also marked as an exception user in the source workspace."

"identity endpoints" What do this mean? Different SSO logins? It was my understanding that Anaplan does not support multiple SAML configuration for the same tenancy.

To recap:

1. Source and Target workspaces are in the same tenancy.

2. The batch account [ batch@mycompany.com ] is added to both source and target workspaces.

3. The batch account is a Workspace Admin in source and target workspaces. SSO is enabled for both Source and Target

SSO should not be a factor here since this is not a human account and access to Anaplan does not flow thru our IdP

4. I establish a connection to Anaplan via REST API, utilizing CA Certs for Authentication as per https://anaplanauthentication.docs.apiary.io/#

Stacey_Gibbens · ‎01-07-2020

Hi Damian,

My understanding is that when scripting integrations, the integration user must NOT be SSO. SSO does not use passwords or certificates, but instead a SAML server that is connected up on the back end between your firm and the Anaplan authentication servers which knows the user by their network credentials. Even if you have a network account that can be logged into that you can then use SSO into Anaplan with (when logged in as that user), that's not going to work for scripted integrations.

I understand your statement that it's firm policy to not have exceptions, however, that may need to be revisited with your management if you'd like to have scheduled integrations.

Good luck,

Stacey Gibbens

JaredDolich · ‎01-07-2020

@Stacey_Gibbens I always learn something new when it comes to Anaplan.

@damianshameer2 I needed to learn more about SAML and I found this really good article and makes sense why SSO would use it.

Jared Dolich

Anaplan REST API with Cert Access: Connect to different Models

Anaplan REST API with Cert Access: Connect to different Models