Anaplan REST API with Cert Access: Connect to different Models

Hello All -

 

I am building a process to connect to Anaplan via REST APIs. I have an integration account and utilizing CA Cert for authentication for API authentication.

 

I have two workspaces, say WorkspaceA (with Model Model-A) and WorkspaceB (with Model-B). I have build a list in WorkspaceA/Model-A. My integration account has "Full Access" in both WorkspaceA  and WorkspaceB.

 

I am trying to Import the list from WorkspaceA/Model-A into WorkspaceB/Model-B but getting the following error:

 

"You do not have access to the source workspace"

 

 

 

  "task" : {
    "taskId" : "7511C105589444B9A675E54ED16F",
    "currentStep" : "Failed.",
    "progress" : 0.0,
    "result" : {
      "details" : [ {
        "localMessageText" : "You do not have access to the source workspace",
        "occurrences" : 0,
        "type" : "importFailedGeneralError",
        "values" : [ "errorMessage", "You do not have access to the source workspace" ]
      } ],
      "failureDumpAvailable" : false,
      "objectId" : "112000000717",
      "successful" : false
    },
    "taskState" : "COMPLETE",
    "creationTime" : 1578331886369
  }

 

 

 

Question: Does Anaplan support connectivity between different workspaces when using CA Cert? 

 

I have referenced the following doc https://help.anaplan.com/anapedia/Content/Import_and_Export/Import_Data_into_Models/Connect_to_a_Model_to_Import_Data.html which does not mention anything specific about CA Certs

 

Thanks in advance

@Fwolf 

 

 

Best Answer

  • @damianshameer2 

    Well, I can't dispute your experience with running integrations using a CA cert within a single workspace.  If you say it works, then it works.  

     

    However, in my experience, the integration account must not be restricted to SSO only (which is what checking the SSO box does).  I use an integration account associated with a CA certificate to run integrations across 3 production workspaces, with model-to-model, data uploads (from a warehouse extract), and data downloads (to be a data import back to the warehouse) on a nightly and intra-day cadence, and have been for years.  The caveat is that I'm using AnaplanConnect and not the REST API, but I can't imagine authentication requirements for the integration account would be different across those two methods.  That would seem cumbersome.  

     

    Please do post to let everyone know what Support says.  I'd be interested to see what they say.  

     

    Thanks!

    Stacey Gibbens 

Answers

  • 1: yes we can do cross workspace imports with a user that connects via certificate

    2: it shouldn't be necessary but is the user a model builder in workspace A ?

  • The user running the query is a workspace admin in both the target and source workspaces and their respective models - but he is still getting this access error. The action is testing the update of changing a user's access from 'x' to 'no access' - the process runs successfully when run manually in the respective models, however, when using the rest API, it is saying he doesn't have access - could it be something in his query?
  • Hi Nathan. Thanks for replying.

     

    Yes, the batch account is a Workspace Admin in both Workspaces. I can connect to the Source and Target Workspace but still cannot trigger cross workspace imports.

     

    below is my setup...heavily redacted version

     

    The both account has  "Full Access" and "Workspace Admin" in Source and Target workspaces. 

     

    Source: 

     

    damianshameer2_0-1578349589665.png

     

    Source User:

     

    image.png

     

    Target

     

    image.png

     

    Target User:

     

     

    ERROR:

     

     

    URL to execute: https://api.anaplan.com/2/0/workspaces/xxxx/models/xxx/imports/112000000025/tasks/0EF8B476761D4FD0B09291832375ECB5 

     

     

     

     

    [executeGetApi] responseCode: 200
    {
      "meta" : {
        "schema" : "https://api.anaplan.com/2/0/models/xx/objects/task"
      },
      "status" : {
        "code" : 200,
        "message" : "Success"
      },
      "task" : {
        "taskId" : "0EF8B476761D4FD0B09291832375ECB5",
        "currentStep" : "Failed.",
        "progress" : 0.0,
        "result" : {
          "details" : [ {
            "localMessageText" : "You do not have access to the source workspace",
            "occurrences" : 0,
            "type" : "importFailedGeneralError",
            "values" : [ "errorMessage", "You do not have access to the source workspace" ]
          } ],
          "failureDumpAvailable" : false,
          "objectId" : "112000000025",
          "successful" : false
        },
        "taskState" : "COMPLETE",
        "creationTime" : 1578349287119
      }
    }

     

     

     

  • the URL you are calling ends with ?xxxxx
    I've not seen this at the end of an API call before. Was it just added when you copied it ? are you calls actually executing with this ?

    https://api.anaplan.com/2/0/workspaces/xxxx/models/xxxx/imports/112000000025/tasks/xxxxxx?_ga=2.153346232.1261344247.1578293402-1432993212.1563844307
  • I removed my workspace id and model id. 

     

    I have no issue connecting to Anaplan and executing imports/exports/uploads/downloads/processes/action...We have already built a few PROD processes that utilizes these APIs.

     

    The main issue now is cross workspace imports....This is failing as per the json i posted earlier.

  • Are the source and/or target workspaces normally secured with single sign-on? If they use different identity endpoints then this can happen, or if the user is not also marked as an exception user in the source workspace.

  • @damianshameer2 

    I'm just following this conversation - I'm not an integration expert - and had three "shot in the dark" ideas:

    - Not sure if this is necessary or not, but I couldn't tell if your system ID in the target workspace is set as a workspace admin.

    - You are using selective access on that list and wondered if in the target the system ID is set similarly.

    - Lastly, the system ID in the target won't need a pwd (since you're using the cert) but it will need network access to the source of the file you're importing.

     

    Just some ideas. Anxious to see the solution.

  • Ben,

     

    "Are the source and/or target workspaces normally secured with single sign-on?"

     

    As per Firm policy, SSO must be enabled. Exception Users not allowed.

     

    "If they use different identity endpoints then this can happen, or if the user is not also marked as an exception user in the source workspace."

     

    "identity endpoints" What do this mean? Different SSO logins? It was my understanding that Anaplan does not support multiple SAML configuration for the same tenancy.

     

    To recap:

    1. Source and Target workspaces are in the same tenancy. 

    2. The batch account [ batch@mycompany.com  ] is added to both source and target workspaces.

    3. The batch account is a Workspace Admin in source and target workspaces. SSO is enabled for both Source and Target

    • SSO should not be a factor here since this is not a human account and access to Anaplan does not flow thru our IdP

    4. I establish a connection to Anaplan via REST API, utilizing CA Certs for Authentication as per https://anaplanauthentication.docs.apiary.io/#

     

     

     

  • Thanks for replying.

     

    - Not sure if this is necessary or not, but I couldn't tell if your system ID in the target workspace is set as a workspace admin.

     

    Yes, integration account is a workspace admin in both target and source workspaces

     

    - You are using selective access on that list and wondered if in the target the system ID is set similarly.

    There is no selective access on the Source Workspace. 

    image.png

     

    - Lastly, the system ID in the target won't need a pwd (since you're using the cert) but it will need network access to the source of the file you're importing.

     

    Not an issue since i am trying to import from a List and not a source file. 

     

    So basically, I have loaded my data to the the Data Hub, our central data Repo. I have uploaded the file successfully to the Anaplan Server. I have triggered a process to load my file into the required structure in the Data Hub.

     

    Now I need to pull this data into other workspaces hence the cross workspace import 

  • Hi Damian,

     

    My understanding is that when scripting integrations, the integration user must NOT be SSO.  SSO does not use passwords or certificates, but instead a SAML server that is connected up on the back end between your firm and the Anaplan authentication servers which knows the user by their network credentials.  Even if you have a network account that can be logged into that you can then use SSO into Anaplan with (when logged in as that user), that's not going to work for scripted integrations.  

    I understand your statement that it's firm policy to not have exceptions, however, that may need to be revisited with your management if you'd like to have scheduled integrations.    

     

    Good luck,

    Stacey Gibbens

     

     

  • @Stacey_Gibbens I always learn something new when it comes to Anaplan. 

    @damianshameer2 I needed to learn more about SAML and I found this really good article and makes sense why SSO would use it.

  • @JaredDolich  / @Stacey_Gibbens 

     

    Thank you both for replying.

     

    @Stacey_Gibbens your reply seems to indicate that i can only call the APIs when using an exception account (Non SSO enabled, not certificate)  however I have to respectfully disagree with this.

     

    The first process I wrote utilizing the Anaplan REST API connected to 6 separate Work-spaces (all within the same tenancy) via the CA Certs authentication mechanism (Account was SSO enabled and Workspace Admin) to execute several tasks such as Export, Process, Action, downloads etc..All without any issues. This process has been running in PROD daily for 3 months. My team also have several processes in development and testing which uploads, imports, and downloads data w. the same CA cert.

     

    We have previously imported data from model to model via the API but the models where all within the same workspace.

     

    This is the first time we are attempting to execute a cross workspace import via the REST APIs when connected via CA Cert.

     

    So the fundamental question is:

     

    Does Anaplan allow cross workspace imports when using connected via CA Certs?

  • @damianshameer2 ,

    The client I work with now uses a CA certificate and crosses multiple workspaces but they aren't using SSO but it seems to me that if you can get it to work with one workspace it should work with others within the same tenant.

     

    Some suggestions for you:

    • It might be time to reach out to support@anaplan.com and get some data integration SME's to help you out.
    • You can also reach out to your Anaplan business partner - they will definitely get you the help you need.
    • I just noticed that maybe the selective access is turned on for that list. Here's the screenshot you provided. Make sure that's not holding you up. Look at Org L1.

    If you do work with support, I hope you'll post the answer. I'm sure others will encounter the same issue.

     

    Selective Access.png

     

     

     

  • Does Anaplan allow cross workspace imports when using connected via CA Certs?

    They are, but:

    1. The API user must have single sign-on switched off (so are exception users if the workspace is SSO-enabled) in both source and target workspaces

    2. The workspaces must both be associated with the same SSO server (IDP) or no SSO server.

     

    The ability to access SSO workspaces at all through the v2.0 API may be restricted to exception users in the future, but that will require a period of transition.

  • @ben_speight 

     

    1. The API user must have single sign-on switched off (so are exception users if the workspace is SSO-enabled) in both source and target workspaces

     

    attached below is a snaphot of my PROD workspace and integration account...note SSO is enabled..I have a few process running against this workspace to extract data daily without any issue

     

    image.png

     

    2. The workspaces must both be associated with the same SSO server (IDP) or no SSO server.

     

    We have a single IdP config...I did this config for my Org and Anaplan so this is not an issue.

     

    I have raised this to Anaplan Support to lets see what they say

  • @JaredDolich 

     

    Yes, I have raised this to Support...I was told the ticket is sitting with the API team

     

    Selective access is not an issue (we test several variations) 

     

    Thanks,Damian

  • @Stacey_Gibbens 

     

    I will update the thread once Anaplan Support replies.

     

    To be honest, having SSO disabled is a huge risk....Basically it means, as you are aware, a person can log into the workspace outside of the organization's control. I understand not all orgs will have a federated identify provider but making this a mandatory setting to do cross workspace communcation seems to be  step back.

     

     

     

  • Hi @damianshameer2 

     

    1. Are you able using batch@mycompany.com  user to connect normally in Anaplan and successfully launch the import action from the Target model?

    2. I am a beginner in using CA Certificate, but as per my knowledge, the CA Certificate is associated to an e-mail address. Is this e-mail address the same as batch@mycompany.com

  • @damianshameer2 

     

    Did you get a reply from Support on this issue yet?  I'm curious what happened....   🙂

  • Hi,

     

    Yes, We have gotten a response back from Anaplan.

     

    The behavior you have described was correct where SSO must be disabled at the Source Model  in order from cross workspace imports to work. SSO does not have to disabled when all the Models are within the same workspace. We have a data hub in a separate workspace so this limitation is a huge blocker for us at the present moment. 

     

    There are several concerns with SSO being disabled in any workspace for my org so it was can escalated to Anaplan and we are waiting for response and remediation.

     

    I will go back to the replies and accept your response.

     

    Thanks for your help.

     

  • We ran into similar issue while updating a list when running process or imports across model in different workspace... Any resolution on your end?

    We're reaching out to them & copied this thread for reference.

  • I assume you are importing data from a Model in a different Workspace

     

    Source Data:  Workspace A | Model B

     

    You must do the following:

    1. Ensure the integration account has the proper access on Model B to access the data
    2. You must DISABLE SSO (uncheck the SSO box) in Model A  (the source)
      1. Disabling SSO is a big deal w/r/t to security so ensure you integration account ID and Pass or Certs are fully secure

    I recommend you use a dedicated access Account for API access so there are clear segregation of duties (give this account only the access it needs and not FULL ACCESS). As noted above, you will want to ensure the credentials are secure since there is a possibility they can be used to access Access off prem

     

    See the post from @Stacey_Gibbens  in this thread.

     

    Lastly, we had a conversation with Anaplan last week and we were informed they are working to address this config

  • Hi All

     

    Today was the first time I tried to import Model to Model (different workspace) using Anaplan Connect and encountered the error described in this thread.

    The solution was of course to remove the SSO, but I believe this is a temporary work around.

    Any update from Anaplan team on trying to address this issue?

     

    Thanks

    Kudi

  • The next core release will allow imports across workspaces regardless of SSO status using the API when authenticated using a CA certificate.

  • @ben_speight Is that just across workspaces or will that work for all API calls  i.e., SSO can be on or off.

    Also, does this mean I can "push" data to a model?

  • The change in behavior applies specifically to running cross-workspace imports via the 2.0 API authenticating with a CA-signed certificate, and should reflect the access currently applied to other API requests bearing that certificate. Imports remain "pull" ie executed on the target model.