We have the same problem, my company makes sure that at any point of time, PROD data cannot be accessed from DEV and TEST. All DEV /TEST data [in Anaplan] are anonymized. We are working with French lawyers, so my company handle their data as highly secured / confidential. This was the rationale behind building separate workspaces: a DEV /TEST user cannot access PROD, and vice-versa. This is also why we use 2 distinct Azure Tenants, with 2 separate IDP settings. No account is created in Azure, all accounts in Azure result from a synchronisation (AD Connect) with our active directory on premise. Users have separate accounts for TEST & DEV on one hand, and PROD accounts on the other hand. Some users have only Test/Dev accounts, others only PROD accounts, and some have both type of accounts; in the case of a person having access to both TEST/DEV and PROD, he/she has 2 separate accounts in Azure (see diagram below). The Anaplan partner users currently connect exclusively to the DEV/TEST workspaces, authenticating through the ADN Azure DEV Tenant. They do not have access to PROD; their access may be considered at a later stage (through the PROD Azure Tenant). The fact to activate 2 sso connections prevents the import and synchonization of models. We have to detach the workspaces of the sso connection (stop the production) to workaround and after reattach the sso connection. This is cumbersome and time-consuming.
... View more