Hello All -
I am building a process to connect to Anaplan via REST APIs. I have an integration account and am using a CA cert for API authentication.
I have two workspaces, say WorkspaceA (with Model-A) and WorkspaceB (with Model-B). I have built a list in WorkspaceA/Model-A. My integration account has "Full Access" in both WorkspaceA and WorkspaceB.
I am trying to import the list from WorkspaceA/Model-A into WorkspaceB/Model-B but getting the following error:
"You do not have access to the source workspace"
"task" : {
  "taskId" : "7511C105589444B9A675E54ED16F",
  "currentStep" : "Failed.",
  "progress" : 0.0,
  "result" : {
    "details" : [ {
      "localMessageText" : "You do not have access to the source workspace",
      "occurrences" : 0,
      "type" : "importFailedGeneralError",
      "values" : [ "errorMessage", "You do not have access to the source workspace" ]
    } ],
    "failureDumpAvailable" : false,
    "objectId" : "112000000717",
    "successful" : false
  },
  "taskState" : "COMPLETE",
  "creationTime" : 1578331886369
}
Question: Does Anaplan support connectivity between different workspaces when using CA Cert?
I have referenced the following doc https://help.anaplan.com/anapedia/Content/Import_and_Export/Import_Data_into_Models/Connect_to_a_Mod... which does not mention anything specific about CA Certs
Thanks in advance
Well, I can't dispute your experience with running integrations using a CA cert within a single workspace. If you say it works, then it works.
However, in my experience, the integration account must not be restricted to SSO only (which is what checking the SSO box does). I use an integration account associated with a CA certificate to run integrations across 3 production workspaces, with model-to-model, data uploads (from a warehouse extract), and data downloads (to be a data import back to the warehouse) on a nightly and intra-day cadence, and have been for years. The caveat is that I'm using AnaplanConnect and not the REST API, but I can't imagine authentication requirements for the integration account would be different across those two methods. That would seem cumbersome.
Please do post to let everyone know what Support says. I'd be interested to see what they say.
Thanks!
Stacey Gibbens
1: Yes, we can do cross-workspace imports with a user that connects via certificate.
2: It shouldn't be necessary, but is the user a model builder in workspace A?
Hi Nathan. Thanks for replying.
Yes, the batch account is a Workspace Admin in both Workspaces. I can connect to the Source and Target Workspace but still cannot trigger cross workspace imports.
Below is my setup... heavily redacted version.
The batch account has "Full Access" and "Workspace Admin" in Source and Target workspaces.
Source:
Source User:
Target:
Target User:
ERROR:
URL to execute: https://api.anaplan.com/2/0/workspaces/xxxx/models/xxx/imports/112000000025/tasks/0EF8B476761D4FD0B09291832375ECB5
[executeGetApi] responseCode: 200
{
  "meta" : {
    "schema" : "https://api.anaplan.com/2/0/models/xx/objects/task"
  },
  "status" : {
    "code" : 200,
    "message" : "Success"
  },
  "task" : {
    "taskId" : "0EF8B476761D4FD0B09291832375ECB5",
    "currentStep" : "Failed.",
    "progress" : 0.0,
    "result" : {
      "details" : [ {
        "localMessageText" : "You do not have access to the source workspace",
        "occurrences" : 0,
        "type" : "importFailedGeneralError",
        "values" : [ "errorMessage", "You do not have access to the source workspace" ]
      } ],
      "failureDumpAvailable" : false,
      "objectId" : "112000000025",
      "successful" : false
    },
    "taskState" : "COMPLETE",
    "creationTime" : 1578349287119
  }
}
I removed my workspace id and model id.
I have no issue connecting to Anaplan and executing imports/exports/uploads/downloads/processes/action... We have already built a few PROD processes that utilize these APIs.
The main issue now is cross-workspace imports... This is failing as per the JSON I posted earlier.
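Added example, not part of the original posts: the response above carries HTTP 200, status "Success" and taskState COMPLETE while the import itself failed, so a scheduled integration has to read task.result.successful before treating a run as good. The function names below are hypothetical, and the "IN_PROGRESS" state used in testing is a constructed input; the sample body is the one posted in the thread.

```python
import json

# Task-status body as posted in the thread (ids already redacted by the poster).
SAMPLE = """
{ "meta" : { "schema" : "https://api.anaplan.com/2/0/models/xx/objects/task" },
  "status" : { "code" : 200, "message" : "Success" },
  "task" : {
    "taskId" : "0EF8B476761D4FD0B09291832375ECB5",
    "currentStep" : "Failed.",
    "progress" : 0.0,
    "result" : {
      "details" : [ {
        "localMessageText" : "You do not have access to the source workspace",
        "occurrences" : 0,
        "type" : "importFailedGeneralError",
        "values" : [ "errorMessage", "You do not have access to the source workspace" ]
      } ],
      "failureDumpAvailable" : false,
      "objectId" : "112000000025",
      "successful" : false },
    "taskState" : "COMPLETE",
    "creationTime" : 1578349287119 } }
"""


def task_outcome(body):
    """Return (state, details); state is 'pending', 'succeeded' or 'failed'.

    HTTP 200, status.code 200 and taskState COMPLETE only say the poll worked
    and the task stopped running; task.result.successful is the import verdict.
    """
    doc = json.loads(body) if isinstance(body, str) else body
    task = doc.get("task") or {}
    if task.get("taskState") != "COMPLETE":
        return "pending", []          # no verdict yet, keep polling
    result = task.get("result") or {}
    details = [(d.get("type", "unknown"), d.get("localMessageText", ""))
               for d in result.get("details") or []]
    state = "succeeded" if result.get("successful") is True else "failed"
    return state, details


def is_source_access_denied(details):
    """True when the failure is the cross-workspace access error from the thread."""
    return any(kind == "importFailedGeneralError"
               and "access to the source workspace" in text
               for kind, text in details)
```

Alerting on `is_source_access_denied` separately from other failures lets an access or authentication change on the integration account surface as its own event instead of a generic import error.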
Are the source and/or target workspaces normally secured with single sign-on? If they use different identity endpoints then this can happen, or if the user is not also marked as an exception user in the source workspace.
Ben,
"Are the source and/or target workspaces normally secured with single sign-on?"
As per Firm policy, SSO must be enabled. Exception Users not allowed.
"If they use different identity endpoints then this can happen, or if the user is not also marked as an exception user in the source workspace."
"identity endpoints": What does this mean? Different SSO logins? It was my understanding that Anaplan does not support multiple SAML configurations for the same tenancy.
To recap:
1. Source and Target workspaces are in the same tenancy.
2. The batch account [ batch@mycompany.com ] is added to both source and target workspaces.
3. The batch account is a Workspace Admin in source and target workspaces. SSO is enabled for both Source and Target.
4. I establish a connection to Anaplan via REST API, utilizing CA Certs for Authentication as per https://anaplanauthentication.docs.apiary.io/#
Hi Damian,
My understanding is that when scripting integrations, the integration user must NOT be SSO. SSO does not use passwords or certificates, but instead a SAML server that is connected up on the back end between your firm and the Anaplan authentication servers which knows the user by their network credentials. Even if you have a network account that can be logged into that you can then use SSO into Anaplan with (when logged in as that user), that's not going to work for scripted integrations.
I understand your statement that it's firm policy to not have exceptions, however, that may need to be revisited with your management if you'd like to have scheduled integrations.
Good luck,
Stacey Gibbens
@Stacey_Gibbens I always learn something new when it comes to Anaplan.
@damianshameer2 I needed to learn more about SAML and I found this really good article, and it makes sense why SSO would use it.