Setup User Access without Admin Rights
As a model builder with hundreds of users, I need to be able to allow users to setup access for other users without having workspace admin rights. A workspace admin license is very expensive within Anaplan and we limit our workspace admin licenses to model builders. A model builder spending several hours per week managing user access is losing out on valuable development time. It would be nice to have a role that is not a workspace admin, but that can still setup new users and modify access (e.g Role and selective list access) for existing users.
An additional note about this: we have created end user facing boards that can be used to get a user's access setup...however without workspace admin rights there is no way to allow the user to run the process that actually adds a new user to the users list. A role allowing someone to write to the user list would alleviate this problem.
Comments
-
Hi,
Current workaround for users not being able to run the process which populates Users list using module editable by normal users is to use some integration tool (Anaplan Connect, custom connector using Anaplan API or 3rd party integration), which will be launching such process on behalf of some Workspace Admin. If you set it up to run the process with high frequency (even having this process run once every hour, all day, would still be generally quicker than asking some WS Admin or person with the role you described to run such process), this should be enough. One thing you probably still will have to manage is deleting dormant users from workspace.
But I agree, it would be good to divide current WS Admin role into Model Builder (who can build and manage models) and Users Admin (which should be cheaper, and would allow only for access management). This would be more functional, allow for higher security and better segregation of duties.
0 -
Hi,
I feel this will lead to security problems to split user access, we can integrate the user access with 3rd party tools so better not to split it. If we split both model builders and user access i think we then not at all require WSA access itslef which then will be used for just model creation, deletion and changing modes.
0 -
It wouldn't be advisable to provide users the right to setup the access without admin rights. When we speak of governance and audit of access, if the number of people who have the right to setup the roles/access are more it would complicate the process and also create security issues. It would be best if the access is handled by admin with relevant approvals in the process, that way we know who has been added / updated for access recently.
But on a side note, may be Anaplan can come up with a role to help sort this workload where a role with selected users have a right to setup the access and it should be handled through the TENANT ADMIN portal (like how we provide PAGE BUILDER access.) This should help ease the burden. Only if there is a provision for such a role to be monitored by the TENANT ADMIN portal then it would be within the framework of governance and audit principles.
0 -
Second this :
1) provide a new role (user admin ?) Assignment that allow to manage users access rights (no access, full access or custom roles) at model level from the tenant admin console.
2) remove the ability for model builder x ws admin to assign users access to models.
The issue as now if that the users access rights and the model buildings rights are currently held under the same role of "workspace admin".
It would be great to split roles into model builder features on one side and user admin features on the other side.
0 -
I think that the CIM program is helping to alleviate some of this issue, where you don't need to be a Workspace Admin to be the user setup person.
0 -
Alas, that is not the case currently : Model builder and workspace admin are still mixed together regarding users rights management.
CIM allows to create a new user, but you still need to be a model builder to set up access to the requested models for your new user ^^
0
Get Started with Idea Exchange
See our Submission Guidelines and Idea Evaluation Criteria, then start posting your own ideas and showing support for others!