@Stacey_Gibbens your reply seems to indicate that i can only call the APIs when using an exception account (Non SSO enabled, not certificate) however I have to respectfully disagree with this.
The first process I wrote utilizing the Anaplan REST API connected to 6 separate Work-spaces (all within the same tenancy) via the CA Certs authentication mechanism (Account was SSO enabled and Workspace Admin) to execute several tasks such as Export, Process, Action, downloads etc..All without any issues. This process has been running in PROD daily for 3 months. My team also have several processes in development and testing which uploads, imports, and downloads data w. the same CA cert.
We have previously imported data from model to model via the API but the models where all within the same workspace.
This is the first time we are attempting to execute a cross workspace import via the REST APIs when connected via CA Cert.
So the fundamental question is:
Does Anaplan allow cross workspace imports when using connected via CA Certs?
The client I work with now uses a CA certificate and crosses multiple workspaces but they aren't using SSO but it seems to me that if you can get it to work with one workspace it should work with others within the same tenant.
Some suggestions for you:
It might be time to reach out to firstname.lastname@example.org and get some data integration SME's to help you out.
You can also reach out to your Anaplan business partner - they will definitely get you the help you need.
I just noticed that maybe the selective access is turned on for that list. Here's the screenshot you provided. Make sure that's not holding you up. Look at Org L1.
If you do work with support, I hope you'll post the answer. I'm sure others will encounter the same issue.
Well, I can't dispute your experience with running integrations using a CA cert within a single workspace. If you say it works, then it works.
However, in my experience, the integration account must not be restricted to SSO only (which is what checking the SSO box does). I use an integration account associated with a CA certificate to run integrations across 3 production workspaces, with model-to-model, data uploads (from a warehouse extract), and data downloads (to be a data import back to the warehouse) on a nightly and intra-day cadence, and have been for years. The caveat is that I'm using AnaplanConnect and not the REST API, but I can't imagine authentication requirements for the integration account would be different across those two methods. That would seem cumbersome.
Please do post to let everyone know what Support says. I'd be interested to see what they say.
I will update the thread once Anaplan Support replies.
To be honest, having SSO disabled is a huge risk....Basically it means, as you are aware, a person can log into the workspace outside of the organization's control. I understand not all orgs will have a federated identify provider but making this a mandatory setting to do cross workspace communcation seems to be step back.
Re: Anaplan REST API with Cert Access: Connect to different Models
Yes, We have gotten a response back from Anaplan.
The behavior you have described was correct where SSO must be disabled at the Source Model in order from cross workspace imports to work. SSO does not have to disabled when all the Models are within the same workspace. We have a data hub in a separate workspace so this limitation is a huge blocker for us at the present moment.
There are several concerns with SSO being disabled in any workspace for my org so it was can escalated to Anaplan and we are waiting for response and remediation.
I will go back to the replies and accept your response.