1: yes we can do cross workspace imports with a user that connects via certificate

2: it shouldn't be necessary but is the user a model builder in workspace A ?

Hi Nathan. Thanks for replying.

Yes, the batch account is a Workspace Admin in both Workspaces. I can connect to the Source and Target Workspace but still cannot trigger cross workspace imports.

below is my setup...heavily redacted version

The both account has  "Full Access" and "Workspace Admin" in Source and Target workspaces. 

Source: 

Source User:

Target

Target User:

ERROR:

URL to execute: https://api.anaplan.com/2/0/workspaces/xxxx/models/xxx/imports/112000000025/tasks/0EF8B476761D4FD0B09291832375ECB5 

[executeGetApi] responseCode: 200
{
  "meta" : {
    "schema" : "https://api.anaplan.com/2/0/models/xx/objects/task"
  },
  "status" : {
    "code" : 200,
    "message" : "Success"
  },
  "task" : {
    "taskId" : "0EF8B476761D4FD0B09291832375ECB5",
    "currentStep" : "Failed.",
    "progress" : 0.0,
    "result" : {
      "details" : [ {
        "localMessageText" : "You do not have access to the source workspace",
        "occurrences" : 0,
        "type" : "importFailedGeneralError",
        "values" : [ "errorMessage", "You do not have access to the source workspace" ]
      } ],
      "failureDumpAvailable" : false,
      "objectId" : "112000000025",
      "successful" : false
    },
    "taskState" : "COMPLETE",
    "creationTime" : 1578349287119
  }
}

I removed my workspace id and model id. 

I have no issue connecting to Anaplan and executing imports/exports/uploads/downloads/processes/action...We have already built a few PROD processes that utilizes these APIs.

The main issue now is cross workspace imports....This is failing as per the json i posted earlier.

Are the source and/or target workspaces normally secured with single sign-on? If they use different identity endpoints then this can happen, or if the user is not also marked as an exception user in the source workspace.

Ben,

"Are the source and/or target workspaces normally secured with single sign-on?"

As per Firm policy, SSO must be enabled. Exception Users not allowed.

"If they use different identity endpoints then this can happen, or if the user is not also marked as an exception user in the source workspace."

"identity endpoints" What do this mean? Different SSO logins? It was my understanding that Anaplan does not support multiple SAML configuration for the same tenancy.

To recap:

1. Source and Target workspaces are in the same tenancy. 

2. The batch account [ batch@mycompany.com  ] is added to both source and target workspaces.

3. The batch account is a Workspace Admin in source and target workspaces. SSO is enabled for both Source and Target

• SSO should not be a factor here since this is not a human account and access to Anaplan does not flow thru our IdP

4. I establish a connection to Anaplan via REST API, utilizing CA Certs for Authentication as per https://anaplanauthentication.docs.apiary.io/#

Hi Damian,

My understanding is that when scripting integrations, the integration user must NOT be SSO.  SSO does not use passwords or certificates, but instead a SAML server that is connected up on the back end between your firm and the Anaplan authentication servers which knows the user by their network credentials.  Even if you have a network account that can be logged into that you can then use SSO into Anaplan with (when logged in as that user), that's not going to work for scripted integrations.  

I understand your statement that it's firm policy to not have exceptions, however, that may need to be revisited with your management if you'd like to have scheduled integrations.    

Good luck,

Stacey Gibbens

@Stacey_Gibbens I always learn something new when it comes to Anaplan. 

@damianshameer2 I needed to learn more about SAML and I found this really good article and makes sense why SSO would use it.