Use Bring Your Own Key (BYOK) to manage encryption in workspaces.

If you're satisfied that BYOK meets your security needs, follow the steps below to begin. Keep in mind that it can be very complex to provision BYOK and to add new workspaces. The process incorporates both security and legal considerations. You'll need a minimum of two weeks after the BYOK request is approved. It may take longer when there are issues beyond our control, such as supply chain challenges. 

Decide who will be the Encryption Administrator for your tenant. This person manages encryption keys and does not have model or workspace access to workspaces or models. Choose someone who's responsible for IT security but who doesn't use Anaplan models or APIs. You must have at least one Encryption Administrator for your tenant. As a best practice, we recommend that you not add additional roles for your Encryption Administrator. 

Workspace Adminstrators only:

In the workspace to be encrypted, you must add the Encryption Administrator role as a user with no model access.

  1. In Anaplan, open any model in the workspace to be encrypted.
  2. Go to Settings > Users.
  3. Select Add User. The Add User dialog appears.
  4. Enter the new user's Email AddressFirst Name, and Last Name.
  5. To ensure a separation of duties, don't select Workspace Administrator.
  6. From the Role list, select No Access.
  7. Select OK.

Repeat these steps to assign any other Encryption Administrators.

If the chosen Encryption Administrator already exists as a user in a workspace to be encrypted, change their model role to No Access.

For more details, see Users.

Contact your Anaplan support representative with details of the users you want to serve as Encryption Administrators. You must designate the initial Encryption Administrator. 

Encryption Administrators only:

  1. Select in item in the BYOK in the sidebar navigation, for example Workspaces
The Anaplan menu with BYOK and Workspaces selected.

Note: BYOK will not display in the Anaplan Administration sidebar until setup is complete. This includes a person in the role of Encryption Administrator.