Centralized Identity Management (CIM) - Huge Step Forward

By the end of this month CIM will be rolled out - what does that mean for all of us? I personally feel this is a huge step forward as an additional security measure.

 

  1. Workspace admins will no longer be able to add or remove users from the "Users" section of Models.
  2. Workspace admins will only be able to assign Model roles to users and other model related permissions.
  3. If the Workspace admin needs an ability to add or remove other users, Tenant Admin has to set a new role "USER ADMIN" to that person.
  4. If the User is added to the Workspace the default access given to the user will be "No Access".

Probable pictorial representation (image not reproduced)


Answers

  • Thanks @Misbah I always count on your explanation of the new features. This helps a lot!

  • Hello

     

    Will the option to add users using import actions still continue to be available?

     

    Thanks

    Saurabh

  • @saurabh.raheja 

     

    Yes, but not in the same way as you currently do now.  Instead of importing directly into a model, you will be loading the users into Administration.  I will play with this next week as well as ask this question and get back to you because you are not the only one that this impacts.

     

    Rob

  • @rob_marshall 

     

    Thanks for getting back! Yeah, I guessed it would impact a lot of people and the way we manage entitlements within Anaplan right now. 

     

    I will be looking forward to your response and further developments in this space.

     

    Saurabh

     

    @prakashnishtala 

  • @saurabh.raheja 

     

    I am supposed to play with this Wednesday of next week, so if I don't get back to you by Thursday, please feel free to ping me again (I will try to save this thread, but it might get lost in the shuffle).

     

    Rob

  • @rob_marshall @Misbah 

    Question posed by @BrentOrr is can you assign someone the User Admin role that IS NOT a workspace admin? Meaning, their only job in Anaplan is to add/delete users?

  • @JaredDolich 

     

    That is my understanding, but will confirm next week.  There will be a new role created (User Administration) and you would assign people that role.

     

    Rob

  • I think it's a great addition and it makes more sense to centralize this feature. 

     

    However, it will indeed change our user management processes by import actions.

    @rob_marshall I am also curious to see how that will be handled next Thursday.

     

    Do you happen to know when our current processes to add users to a model/workspace will not work anymore?

     

    Thank you, 

  • @benjamin_audroi 

     

    To be perfectly honest, no, I don't but it will not be at the end of this month.  It is my understanding this will be more of a phased approach, so no ripping of the bandaid.  Again, let me get more details and I will get back to you.

     

    Rob

  • I'll second all of these concerns, as multiple of my clients and former employers will be impacted if the "add user through import" option is taken away. This is a pretty drastic change if so, and I feel that many customers will be blindsided by this.

  • @rob_marshall 

     

    Now this is interesting. I would have imagined all the imports into User section would stay as-is. People running the Import action would need to be User Admins if this is to work. Since it is Anaplan it can be the exact opposite to what I think. Looking forward to seeing some nice stuff next week.

  • @rob_marshall 

    Another question asked by one of Anaplan's major accounts.

     

    Does this new USER ADMIN role have to be part of a Model Builder license – or can be done at the Enterprise user license level?

  • @rob_marshall @Misbah @david.edwards @benjamin_audroi @saurabh.raheja 

    Thanks Rob! Best 5 Kudos I've ever spent. Let me know if you discover anything different. I'd like to update the customers that have been asking.

  • Thanks for the insight @Misbah! As @JaredDolich mentioned your explanations are always something I look forward to.

     

    The feature I am most excited for is the 4. Users that get added automatically have “No Access”, I know there have been methods to do this in the past but there have been some flaws in this approach. 

    Ultimately more security > less security. 

     

  • @rob_marshall do you have an update/some final answers regarding these 3 points?

  • @johan_vangerwen 

     

    Which three points specifically are you asking about?  I thought I had answered them in the above post.

     

    Rob

  • @rob_marshall Hi Rob, I mean (forget the last topic, you are not a sales person 😉):

    • @saurabh.raheja @benjamin_audroi @david.edwards @Misbah All of you asked about the bulk imports of users.  At this time, it is going to stay as is and there will be an API that will update Administration with the new users.  I believe, again I believe, this will be removed in the future, but presently, it will stay as is.
    • @BrentOrr @JaredDolich It is my understanding that a user will not have to be a WSA to add users, just have the User Administration role assigned to them. Now, if you are doing a bulk import to users like the folks in the first bullet, then yes, they would have to be WSA. Again, I am hoping to test this next week.
    • @JaredDolich - Does the new User Admin role have to be part of the Model Builder license? From what I have found out, the answer would be no. In order for the User Admin role to be assigned to a user, that user would have to be either a Model Builder or a Connected Planning user (basic, professional, enterprise edition users). Now, don't hold me to that as I am not a sales person, but this is what I have been told. When CIM does come out, it would be best to circle back to your assigned BP to get an official answer.
  • @rob_marshall  about the import actions which add a user. My hope is that the only change that CIM will bring is: if the import action will add a user, the user who launches the import user action is mandatory to be setup with "User Admin" role. 

     

    There will be needed synchronization with CIM, but if this will be already implemented with Phase 2, I hope this will not be disabled in the future.

    Why disable something that is already in place and make more difficult the adding of a user by obligating the current integrations to launch a specific REST API to add a user? 

    I agree that, if the user who launches the import users action does not have the "User Admin" role, to be returned the error and the user should not be added. 

    Adding a user through an import user's action is just the first step. More important with these import actions is the update of the security in that particular model. 

     

    Other considerations:

    CIM is definitely a big step forward in the segregation of roles between Model Builders (workspace admin) and Security administrators. This segregation is valid only for adding the users to a workspace. This will give control to Security admins on the active users on workspaces and licenses used. 

     

    My impression is that this segregation should go further and be applied also in every model: to have the possibility of different users (Security admins) who are able to setup User roles, selective access, etc... from the Model Builders.  What do you think?

     

    Alex

  • @rob_marshall 

     

    Yes, read it yesterday as soon as the notification hit my inbox. Didn't understand the delaying part at all. Why the delay - Any theory behind it?

  • @Misbah 

     

    You know I can't answer that in an open forum. 🙂

     

     

  • Hmm @Misbah and @rob_marshall - this is an interesting development. 

     

    I believe keeping WSA's role the same while adding User Admin almost makes both roles and their responsibilities a bit redundant. 

     

    Are you able to help clarify the segregation of responsibilities that CIM will aim to create? Is there value behind making someone only a User Admin instead of Workspace Admin?

  • @DaanishSoomar 

     

    I believe you are overthinking it a bit, but yes they will overlap a bit.  The first thought was to remove the ability to import users the way we currently do (using an action to either pull certain members from a different model or be able to upload a file).  There are many customers who are currently doing it this way and ripping the bandaid and removing this feature would have had a negative effect on them.  So, we will now have two ways of adding users, the old way as well as via CIM.  And if you do it the old way, there will be an API that updates CIM ensuring CIM is current.

     

    Remember, the User Admin role only allows the user the ability to provision/remove a user from a workspace while a WSA has the ability to define the role of that user. In the future, not all WSAs will have the ability to provision users.

     

    Rob

  • Got it thanks for the clarification @rob_marshall.

  • Hello,

    Thank you for all your feedback.
    I have a question about the Anaplan roadmap for user management.
    Will it be possible in the short term to create in batch, via import, directly in the administration console?

    Thank you in advance for your clarification.

  • @jean-francois_l 

     

    There was no communication on whether the bulk import feature will be available on the Administration console or not. However, as far as I know, import-based user management will not be impacted by CIM.

     

    Misbah

  • @Misbah 

     

    Thank you for this quick feedback.

     

    Jean-François

  • Sorry, late to the game but here are my issues with this feature.

    We have power users that we would like to give the ability to not only add or delete users but, in essence, run the process/actions that update all the selective access in bulk. Making a person a "User Admin" only allows them to add or remove users through Tenant Admin. They still have to be a Work Space Admin in order to change selective access or write to the user list. However, we don't want that person to be a WSA but just be able to run the process to update from a dashboard. Hopefully, there will be other phases that will allow something like this?...or not? We just haven't found any use for a person to just have access to only add or delete a user.