Centralized Identity Management (CIM) - Huge Step Forward

david.edwards
New Contributor

Re: Centralized Identity Management (CIM) - Huge Step Forward

I'll second all of these concerns, as multiple of my clients and former employers will be impacted if the "add user through import" option is taken away. This is a pretty drastic change if so, and I feel that many customers will be blindsided by this.

JaredDolich
Moderator

Re: Centralized Identity Management (CIM) - Huge Step Forward

@rob_marshall 

Another question asked by one of Anaplan's major accounts.

 

Does this new USER ADMIN role have to be part of a Model Builder license – or can be done at the Enterprise user license level?


Jared Dolich
Misbah
Moderator

Re: Centralized Identity Management (CIM) - Huge Step Forward

@rob_marshall 

 

Now this is interesting. I would have Imagined all the imports into User section would stay as - is. People running the Import action would need to be User Admins if this is to work.  Since it is Anaplan it can be exact opposite to what I think. Looking forward to seeing some nice stuff next week.

rob_marshall
Moderator

Re: Centralized Identity Management (CIM) - Huge Step Forward

All,

 

So my bug bash for tomorrow got pushed out a week, but this is what I have found out so far without playing with it:

  • @saurabh.raheja @benjamin_audroi @david.edwards @Misbah All of you asked about the bulk imports of users.  At this time, it is going to stay as is and there will be an API that will update Administration with the new users.  I believe, again I believe, this will be removed in the future, but presently, it will stay as is.
  • @BrentOrr@JaredDolich It is my understanding that a user will not have to be a WSA to add users, just have the User Administration role assigned to them.  Now, if you are doing a bulk import to users like the folks in the first bullet, then yes, they would have to be WSA.  Again, I am hoping to test this next week.
  • @JaredDolich - Does the new User Admin role have to be part of the Model Builder license.  From what I have found out, the answer would be no.  In order to for the User Admin role to be assigned to a user, that user would have to be either a Model Builder or a Connected Planning user (basic, professional, enterprise edition users).  Now, don't hold me to that as I am not a sales person, but this is what I have been told.  When CIM does come out, it would be best to circle back to your assigned BP to get an official answer.

 

I think I hit the majority of questions, if not all, but if I missed a question, please let me know.

 

Rob

JaredDolich
Moderator

Re: Centralized Identity Management (CIM) - Huge Step Forward

@rob_marshall @Misbah @david.edwards @benjamin_audroi @saurabh.raheja 

Thanks Rob! Best 5 Kudos I've ever spent. Let me know if you discover anything different. I'd like to update the customers that have been asking.


Jared Dolich
johan_vangerwen
Frequent Contributor

Re: Centralized Identity Management (CIM) - Huge Step Forward

@rob_marshall do you have an update/some final answers regarding these 3 points?

rob_marshall
Moderator

Re: Centralized Identity Management (CIM) - Huge Step Forward

@johan_vangerwen 

 

Which three points specifically are you asking about?  I thought I had answered them in the above post.

 

Rob

johan_vangerwen
Frequent Contributor

Re: Centralized Identity Management (CIM) - Huge Step Forward

@rob_marshall Hi Rob, I mean (forget the last topic, your are not a sales person 😉 😞

  • @saurabh.raheja @benjamin_audroi @david.edwards @Misbah All of you asked about the bulk imports of users.  At this time, it is going to stay as is and there will be an API that will update Administration with the new users.  I believe, again I believe, this will be removed in the future, but presently, it will stay as is.
  • @BrentOrr@JaredDolich It is my understanding that a user will not have to be a WSA to add users, just have the User Administration role assigned to them.  Now, if you are doing a bulk import to users like the folks in the first bullet, then yes, they would have to be WSA.  Again, I am hoping to test this next week.
  • @JaredDolich - Does the new User Admin role have to be part of the Model Builder license.  From what I have found out, the answer would be no.  In order to for the User Admin role to be assigned to a user, that user would have to be either a Model Builder or a Connected Planning user (basic, professional, enterprise edition users).  Now, don't hold me to that as I am not a sales person, but this is what I have been told.  When CIM does come out, it would be best to circle back to your assigned BP to get an official answer.
alexpavel
Certified Master Anaplanner

Re: Centralized Identity Management (CIM) - Huge Step Forward

@rob_marshall  about the import actions which add a user. My hope is that the only change that CIM will bring is: if the import action will add a user, the user who launches the import user action is mandatory to be setup with "User Admin" role. 

 

There will be needed synchronization with CIM, but if this will be already implemented with Phase 2, I hope this will not be disabled in the future.

Why disable something that is already in place and make more difficult the adding of a user by obligating the current integrations to launch a specific REST API to add a user? 

I agree that, if the user who launches the import users action does not have the "User Admin" role, to be returned the error and the user should not be added. 

Adding a user through an import user's action is just the first step. More important with these import actions is the update of the security in that particular model. 

 

Other considerations:

CIM is definitely a big step forward in the segregation of roles between Model Builders (workspace admin) and Security administrators. This segregation is valid only for adding the users to a workspace. This will give control to Security admins on the active users on workspaces and licenses used. 

 

My impression is that this segregation should go further and be applied also in every model: to have the possibility of different users (Security admins) who are able to setup User roles, selective access, etc... from the Model Builders.  What do you think?

 

Alex

dsoomar002
Certified Master Anaplanner

Re: Centralized Identity Management (CIM) - Huge Step Forward

Thanks for the insight @Misbah! As @JaredDolich mentioned your explanations are always something I look forward to.

 

The feature I am most excited for is the 4. Users that get added automatically have “No Access”, I know there have been methods to do this in the past but there have been some flaws in this approach. 

Ultimately more security > less security.