User Access Management: Part 2 - This is how we do it

AnaplanOEG
edited September 5 in Best Practices

At Anaplan, we are using Anaplan internally for many of our business processes; this is how we set up our User Access Management.

Note that the examples here leverage the Bulk API for adding new users to models. If you have enabled the tenant-level option to Manage users in Administration only, then you will need to leverage the SCIM API for adding users to models instead of the Bulk API.

Anaplan User Access overview

Unlike most enterprise software, Anaplan is extremely customizable.

Access happens at 3 levels:

  1. Page builders are provisioned at the tenant level
  2. Model builders or workspace administrators are provisioned at the workspace level
  3. User access is provisioned at the model level

Terminology

Decentralized (“In-Model”)

An in-model solution to manage user access exclusively in that model.

Pros:

  • Ideal for single/limited use case Anaplan deployments
  • Ideal in situations where an administrator is also a model builder/manager

Cons:

  • Administrator has visibility into all model data
  • Must manage users in multiple places for Anaplan deployments involving 2+ use cases

Centralized

A stand-alone model to manage users across multiple models within a customer tenant.

Pros: 

  • Ideal for multi-use case Anaplan deployments, or customers who plan to expand use cases
  • Single place to manage user access across multiple models 
  • Limit administrator access to sensitive data outside of the user access management model 

Cons:  

  • More complex to deploy
  • Risk that spoke model and central model become unsynchronized 

 

*IAM = Identity and Access Management

IAM Data-driven Provisioning Solution

Okta or Similar IAM Configuration

  • Set up Applications to align with your Models (Anaplan.FP&A, Anaplan.SPM)
  • Create groups that align with Model Roles (Full Access, Executives, Analysts)

Anaplan Configuration

Centralized Provisioning Model:

  • Map Okta Applications to Anaplan Models (create saved view for each model)
  • Ensure Okta Model Roles align with Model Roles in each Anaplan Model

 

In Spoke Model(s):

  • Create staging area for user access settings from the central model
  • Create import process in model to import user settings into native user settings

 

Centralized Provisioning App:

  • Create a page to manage and provision model role access across multiple Models/Workspaces
  • Create a page for each model to provision Selective Access (if applicable) and run update process ad hoc

 

HyperConnect (Informatica)

Schedule processes to run in sequence:

  1. Load IAM Data Into Hub
  2. Load IAM Hub Data into Centralized Provisioning Model
  3. Load Transformed User Access Settings into Respective Spoke Models
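
The three scheduled loads above turn IAM application and group membership into per-model role assignments, and the spoke models must then stay in line with the central model. The following is an added example, not Anaplan's own code: it validates constructed IAM rows against the application-to-model and role mappings and reports drift between central and spoke state. The model names, row layout, and function names are assumptions.

```python
# Added illustration: all names and rows below are constructed, not Anaplan or Okta APIs.
from collections import defaultdict

# Central model mapping: IAM application -> spoke model (hypothetical model names).
APP_TO_MODEL = {"Anaplan.FP&A": "FP&A Model", "Anaplan.SPM": "SPM Model"}
# Roles that exist in each spoke model; IAM group names must match these exactly.
MODEL_ROLES = {
    "FP&A Model": {"Full Access", "Executives", "Analysts"},
    "SPM Model": {"Full Access", "Analysts"},
}

def build_desired(iam_rows):
    """Turn (email, application, group) rows into {model: {email: role}} plus rejects."""
    desired, rejects = defaultdict(dict), []
    for email, app, group in iam_rows:
        model = APP_TO_MODEL.get(app)
        email = email.strip().lower()
        if model is None:
            rejects.append((email, app, group, "application not mapped to a model"))
        elif group not in MODEL_ROLES[model]:
            rejects.append((email, app, group, "group has no matching model role"))
        elif desired[model].get(email, group) != group:
            rejects.append((email, app, group, "conflicting roles for one user"))
        else:
            desired[model][email] = group
    return dict(desired), rejects

def drift(desired, spoke_actual):
    """Compare central desired state with what a spoke model currently holds."""
    report = {}
    for model in set(desired) | set(spoke_actual):
        want, have = desired.get(model, {}), spoke_actual.get(model, {})
        report[model] = {
            "add": sorted(set(want) - set(have)),
            "remove": sorted(set(have) - set(want)),  # access the IAM no longer grants
            "change": sorted(u for u in set(want) & set(have) if want[u] != have[u]),
        }
    return report

# Constructed sample data.
IAM_ROWS = [
    ("ana@example.com", "Anaplan.FP&A", "Analysts"),
    ("Bo@example.com", "Anaplan.FP&A", "Executives"),
    ("bo@example.com", "Anaplan.SPM", "Executives"),   # role missing in SPM model
    ("cy@example.com", "Anaplan.HR", "Analysts"),      # unmapped application
]
SPOKE_ACTUAL = {"FP&A Model": {"ana@example.com": "Full Access", "old@example.com": "Analysts"}}

if __name__ == "__main__":
    desired, rejects = build_desired(IAM_ROWS)
    print(rejects)
    print(drift(desired, SPOKE_ACTUAL))
```

Rejected rows are worth reviewing before each load, since an IAM group with no matching model role would otherwise leave a user silently unprovisioned.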

Ready for Part 3?

We have 1 more example to share!

 

Got feedback on this content? Let us know in the comments below.

Contributing authors: Paul Rosal, Becca Robertson, and Corey Jacoby.

Comments

  • Excellent (exemplary!) set of documentation on the app. Thank you!