Centralized Identity Management (CIM) - Huge Step Forward

Misbah
Moderator

By the end of this month CIM will be rolled out - What does that mean for all of us? I personally feel this is a huge step forward as an additional security measure.

 

  1. Workspace admins will no longer be able to add or remove users from the "Users" section of Models.
  2. Workspace admins will only be able to assign Model roles to users and other model-related permissions.
  3. If the Workspace admin needs the ability to add or remove other users, the Tenant Admin has to set a new role "USER ADMIN" for that person.
  4. If the User is added to the Workspace the default access given to the user will be "No Access".

[Image: probable pictorial representation]

 

rob_marshall
Moderator

For more information on CIM, check out this link:

 

https://community.anaplan.com/t5/Releases/CIM-Phase-2-rollout-update/ba-p/105108

 

Rob

Misbah
Moderator

@rob_marshall 

 

Yes, read it yesterday as soon as the notification hit my inbox. Didn't understand the delaying part at all. Why the delay - Any theory behind it?

rob_marshall
Moderator

@Misbah 

 

You know I can't answer that in an open forum. 🙂

 

 

DaanishSoomar
Certified Master Anaplanner

Hmm @Misbah and @rob_marshall - this is an interesting development. 

 

I believe keeping WSA's role the same while adding User Admin almost makes both roles and their responsibilities a bit redundant.

Are you able to help clarify the segregation of responsibilities that CIM will aim to create? Is there value behind making someone only a User Admin instead of Workspace Admin?

rob_marshall
Moderator

@DaanishSoomar 

 

I believe you are overthinking it a bit, but yes, they will overlap a bit. The first thought was to remove the ability to import users the way we currently do (using an action to either pull certain members from a different model or be able to upload a file). There are many customers who are currently doing it this way, and ripping off the bandaid and removing this feature would have had a negative effect on them. So, we will now have two ways of adding users: the old way as well as via CIM. And if you do it the old way, there will be an API that updates CIM, ensuring CIM is current.

Remember, the User Admin role only allows the user the ability to provision/remove a user from a workspace, while a WSA has the ability to define the role of that user. In the future, not all WSAs will have the ability to provision users.

 

Rob

DaanishSoomar
Certified Master Anaplanner

Got it, thanks for the clarification @rob_marshall.

jean-francois_l
Occasional Contributor

Hello,

Thank you for all your feedback.
I have a question about the Anaplan roadmap for user management.
Will it be possible in the short term to create in batch, via import, directly in the administration console?

Thank you in advance for your clarification.

Misbah
Moderator

@jean-francois_l 

 

There was no communication on whether the bulk import feature will be available in the Administration console or not. However, as far as I know, import-based user management will not be impacted by CIM.

 

Misbah

jean-francois_l
Occasional Contributor

@Misbah 

 

Thank you for this quick feedback.

 

Jean-François

jwu
Certified Master Anaplanner

Sorry, late to the game but here are my issues with this feature.

We have power users that we would like to give the ability to not only add or delete users but, in essence, run the process/actions that update all the selective access in bulk. Making a person a "User Admin" only allows them to add or remove users through tenant admin. They still have to be a Workspace Admin in order to change selective access or write to the user list. However, we don't want that person to be a WSA but just be able to run the process to update from a dashboard. Hopefully, there will be other phases that will allow something like this?...or not? We just haven't found any use for a person to just have access to only add or delete a user.