1. Administration and security
  2. Bring your own key (BYOK)
  3. Get Started with BYOK

If you're satisfied that BYOK meets your security needs, follow these steps to get started.

1) Choose an Encryption Administrator

Start by deciding who will serve as Encryption Administrator for your tenant. An Encryption Administrator manages encryption keys but has no access to workspaces or models. Choose someone who's responsible for IT security but doesn't use Anaplan as part of their role, including programmatically through the API. You must have at least one Encryption Administrator for your tenant.

2) Add the Encryption Administrator User to the Workspace


In the workspace to be encrypted, you must add the Encryption Administrator as a user without any access to models.

  1. In Anaplan, open any model in the workspace to be encrypted.
  2. Go to Settings > Users.
  3. Click Add User. The Add User dialog appears.
  4. Enter the new user's Email Address, First Name, and Last Name.
  5. To ensure a separation of duties, do not select Workspace Admin.
  6. From the Role list, select No Access.
  7. Click OK.

Repeat these steps for any other Encryption Administrators you want to designate.

If the chosen Encryption Administrator already exists as a user in a workspace to be encrypted, change their Model Role to "No Access".

For more details, see Users.

3) Request the Encryption Administrator Role

Contact your Anaplan support representative with details of the users you want to serve as Encryption Administrators. You must designate the initial Encryption Admin. Any other users you submit will appear in Access Control, but the initial Encryption Admin will need to assign them that role.

4) Access BYOK in Anaplan Administration


To Access BYOK in Anaplan Administration:

  1. Log in using your regular login details.
  2. To access BYOK:
    1. Paste this URL into the browser address bar: https://administration.anaplan.com/administration

    2. Click BYOK in the Anaplan Administration sidebar to expand BYOK menu, to show Workspaces and Keys:

    3. Click Workspaces or Keys depending on the option you want.
Note: If BYOK is not shown in the Anaplan Administration sidebar, the Encryption Administrator role might not have been assigned to your user.

You can return to the non-BYOK features by removing byok/workspaces from the end of the URL.

The Event Start and Event End columns show when a workspace encryption event started and when it completed. An encryption event starts when you assign an encryption key. When an encryption event ends, the workspace to which it relates is encrypted.


We may update our documentation occasionally, but will only do so in a way that does not negatively affect the features and functionality of the Anaplan service.