Register
Ask the Community

Centralized Identity Management (CIM) - Huge Step Forward

Misbah
<b>Moderator</b>
Moderator
‎03-05-2021 02:30 AM
‎03-05-2021 02:30 AM

Centralized Identity Management (CIM) - Huge Step Forward

By the end of this month CIM will be rolled out - What does that mean for all of us?  I personally feel this is a huge step forward as an  additional security measure.

 

  1. Workspace admins will no longer be able to add or remove users from the "Users" section of Models.
  2. Workspace admins will only be able to assign Model roles to users and other model related permissions.
  3. If the Workspace admin needs an ability to add or remove other users, Tenant Admin has to set a new role "USER ADMIN" to that person.
  4. If the User is added to the Workspace the default access given to the user will be "No Access".

Probable Pictorial representation

Misbah_0-1614932813430.png

 

Labels:
Reply
29 REPLIES 29
david.edwards
Certified Master Anaplanner
Certified Master Anaplanner
‎03-05-2021 08:02 AM
‎03-05-2021 08:02 AM

I'll second all of these concerns, as multiple of my clients and former employers will be impacted if the "add user through import" option is taken away. This is a pretty drastic change if so, and I feel that many customers will be blindsided by this.

Reply
JaredDolich
<b>Moderator</b>
Moderator
‎03-06-2021 12:00 PM
‎03-06-2021 12:00 PM

@rob_marshall 

Another question asked by one of Anaplan's major accounts.

 

Does this new USER ADMIN role have to be part of a Model Builder license – or can be done at the Enterprise user license level?


Jared Dolich
0 Kudos
Reply
Misbah
<b>Moderator</b>
Moderator
‎03-05-2021 08:08 AM
‎03-05-2021 08:08 AM

@rob_marshall 

 

Now this is interesting. I would have Imagined all the imports into User section would stay as - is. People running the Import action would need to be User Admins if this is to work.  Since it is Anaplan it can be exact opposite to what I think. Looking forward to seeing some nice stuff next week.

Reply
rob_marshall
<b>Moderator</b>
Moderator
‎03-09-2021 05:48 PM
‎03-09-2021 05:48 PM

All,

 

So my bug bash for tomorrow got pushed out a week, but this is what I have found out so far without playing with it:

  • @saurabh.raheja @benjamin_audroi @david.edwards @Misbah All of you asked about the bulk imports of users.  At this time, it is going to stay as is and there will be an API that will update Administration with the new users.  I believe, again I believe, this will be removed in the future, but presently, it will stay as is.
  • @BrentOrr@JaredDolich It is my understanding that a user will not have to be a WSA to add users, just have the User Administration role assigned to them.  Now, if you are doing a bulk import to users like the folks in the first bullet, then yes, they would have to be WSA.  Again, I am hoping to test this next week.
  • @JaredDolich - Does the new User Admin role have to be part of the Model Builder license.  From what I have found out, the answer would be no.  In order to for the User Admin role to be assigned to a user, that user would have to be either a Model Builder or a Connected Planning user (basic, professional, enterprise edition users).  Now, don't hold me to that as I am not a sales person, but this is what I have been told.  When CIM does come out, it would be best to circle back to your assigned BP to get an official answer.

 

I think I hit the majority of questions, if not all, but if I missed a question, please let me know.

 

Rob

Reply
JaredDolich
<b>Moderator</b>
Moderator
‎03-09-2021 05:57 PM
‎03-09-2021 05:57 PM

@rob_marshall @Misbah @david.edwards @benjamin_audroi @saurabh.raheja 

Thanks Rob! Best 5 Kudos I've ever spent. Let me know if you discover anything different. I'd like to update the customers that have been asking.


Jared Dolich
Reply
johan_vangerwen
Frequent Contributor
Frequent Contributor
‎03-23-2021 06:44 AM
‎03-23-2021 06:44 AM

@rob_marshall do you have an update/some final answers regarding these 3 points?

0 Kudos
Reply
rob_marshall
<b>Moderator</b>
Moderator
‎03-23-2021 07:25 AM
‎03-23-2021 07:25 AM

@johan_vangerwen 

 

Which three points specifically are you asking about?  I thought I had answered them in the above post.

 

Rob

0 Kudos
Reply
johan_vangerwen
Frequent Contributor
Frequent Contributor
‎03-23-2021 07:41 AM
‎03-23-2021 07:41 AM

@rob_marshall Hi Rob, I mean (forget the last topic, your are not a sales person 😉 😞

  • @saurabh.raheja @benjamin_audroi @david.edwards @Misbah All of you asked about the bulk imports of users.  At this time, it is going to stay as is and there will be an API that will update Administration with the new users.  I believe, again I believe, this will be removed in the future, but presently, it will stay as is.
  • @BrentOrr@JaredDolich It is my understanding that a user will not have to be a WSA to add users, just have the User Administration role assigned to them.  Now, if you are doing a bulk import to users like the folks in the first bullet, then yes, they would have to be WSA.  Again, I am hoping to test this next week.
  • @JaredDolich - Does the new User Admin role have to be part of the Model Builder license.  From what I have found out, the answer would be no.  In order to for the User Admin role to be assigned to a user, that user would have to be either a Model Builder or a Connected Planning user (basic, professional, enterprise edition users).  Now, don't hold me to that as I am not a sales person, but this is what I have been told.  When CIM does come out, it would be best to circle back to your assigned BP to get an official answer.
0 Kudos
Reply
alexpavel
Certified Master Anaplanner Certified Master Anaplanner
Certified Master Anaplanner
‎03-25-2021 04:40 AM
‎03-25-2021 04:40 AM

@rob_marshall  about the import actions which add a user. My hope is that the only change that CIM will bring is: if the import action will add a user, the user who launches the import user action is mandatory to be setup with "User Admin" role. 

 

There will be needed synchronization with CIM, but if this will be already implemented with Phase 2, I hope this will not be disabled in the future.

Why disable something that is already in place and make more difficult the adding of a user by obligating the current integrations to launch a specific REST API to add a user? 

I agree that, if the user who launches the import users action does not have the "User Admin" role, to be returned the error and the user should not be added. 

Adding a user through an import user's action is just the first step. More important with these import actions is the update of the security in that particular model. 

 

Other considerations:

CIM is definitely a big step forward in the segregation of roles between Model Builders (workspace admin) and Security administrators. This segregation is valid only for adding the users to a workspace. This will give control to Security admins on the active users on workspaces and licenses used. 

 

My impression is that this segregation should go further and be applied also in every model: to have the possibility of different users (Security admins) who are able to setup User roles, selective access, etc... from the Model Builders.  What do you think?

 

Alex

Reply
DaanishSoomar
Certified Master Anaplanner Certified Master Anaplanner
Certified Master Anaplanner
‎03-09-2021 07:46 PM
‎03-09-2021 07:46 PM

Thanks for the insight @Misbah! As @JaredDolich mentioned your explanations are always something I look forward to.

 

The feature I am most excited for is the 4. Users that get added automatically have “No Access”, I know there have been methods to do this in the past but there have been some flaws in this approach. 

Ultimately more security > less security. 

 

Reply