Administration: Access Control

As a Tenant Administrator for your organization, you can use the Access Control section of the Anaplan Administration console to view:

A Policy is a container for the privileges associated with a Role. An Assignment causes an individual user to have a Role. It's possible to assign a user to more than one role, however if you want to enforce separation of duties, assign a separate group of users to each role.


As a tenant administrator, you can use the Assignments tab in the Administration console to:

  • view a list of all users in your tenant and their assigned roles in that tenant
  • sort the view by first name, last name, role, or email address
  • assign a new role (except for the Workspace Admin and Encryption Admin roles)
  • export a list of users who are assigned roles in the tenant

As an encryption administrator, you can use the Assignments tab to:

  • assign a new Encryption Admin role.

If you're a view administrator, you can view users who are assigned roles in your tenant.

  • To display which roles users have, navigate to Access Control > Assignments.

Assign or remove roles

To assign or remove roles:

  1. In the Administration console, navigate to Access Control > Assignments.
  2. Select the user to whom you want to assign to, or remove from, a role.
  3. Select the checkboxes of the roles you want to assign and clear the checkboxes of the roles you want to remove.
  4. Click Save.
  • You can assign the workspace administrator role at the workspace level, rather than through the Administration console.
  • Only an encryption administrator can assign the Encryption Admin role. To assign your initial Encryption Admin role, see Get Started with BYOK.

Export a list of assigned roles

You can export a CSV file containing a list of all assignment information in your tenant.

To export your assignments:

  1. In the Administration console, navigate to Access Control > Assignments.
  2. Click Export.
  3. Save the CSV file to your device.

The exported file contains an entry for each user with a role assignment in the tenant. Each entry contains the user’s:

  • user ID
  • first name
  • last name
  • email address
  • assigned role.
    If the user is assigned to multiple roles, the roles display in a comma-delimited list.

Note that the export file does not list standard users (users who have not been assigned a role in Anaplan).

Resource Types

Each role enables permissions for tenant configuration. Depending on the role, certain Create Read Update Delete (CRUD) permissions are enabled in these areas:

  • Applications
  • History
  • Metadata
  • Models
  • Pages
  • Policies
  • Role Membership
  • Roles
  • Task
  • Users
  • Widgets
  • Work
  • Workflow Cycle
  • Workflow Process
  • Workspaces

Access Control Roles




View Admin

View Admin

View administrators can view the configuration of a tenant, but cannot update anything.

Tenant Admin

Tenant Admin

Tenant administrators manage the configurations and settings at the tenant level. Tenant administrators:

  • Cannot access other tenants
  • Cannot access tenant data
  • Can access metadata

Tenant administrators have the Read permissions that the View administrator has. In addition, they can:

  • Assign process owners, tenant auditors, and other tenant admins
  • Create Role Membership for other tenant roles
  • Update Model Categories
  • Update Users
Note: If you are the only user in your tenant that has this role, you cannot remove it.
Tenant Security Admin Tenant Security Admin

Tenant security administrators manage the tenant’s security settings. They can:

  • access the Self Service SAML feature in the Administration Console (via the SSO tab).
  • create a new identity provider (IdP) connection.
  • modify an existing IdP connection.
  • disable an existing IdP connection.

Encryption Admin

Encryption Admin Policy

Encryption administrators manage the BYOK encryption keys for their organization and handle the encryption of their workspaces. Encryption administrators can only see the workspaces and keys for the tenant to which they belong.

Encryption administrators can:

  • create, read and update encryption keys.
  • assign the encryption admin role.
  • remove the encryption admin role.
Note: You cannot unassign yourself from this role. To be unassigned from the encryption administrator role, have another encryption admin unassign you.
Integration Admin Integration Admin

The Integration Admin role enables you to access the Integration Framework feature to:

  • create, edit, and delete a connection
  • create, edit, and delete an integration
Page Builder Page Builder

A Page Builder can:

Process Owner Process Owner

In a future release, process owners can create, edit, update and delete Workflow processes for their tenant. Workflow processes consist of several tasks that the process owner assigns to users such as viewing and modifying information on dashboards and approving or rejecting those changes. In addition, process owners can start cycles of their workflow processes and can complete their own workflow tasks.

Notes: Administrators who have the Process Owner role can run tasks in any workflow process.
Your organization must be licensed for the Workflow feature to make use of the Process Owner role. If you don't have Workflow enabled, you can view and assign the Process Owner role, but process owners have no authorizations until Workflow is enabled.

Tenant Auditor

Tenant Auditor

Tenant Auditors can view audit information for their tenant. See Security - Audit.

Note: Your organization must be licensed for the Audit feature to make use of the tenant auditor role. If you don't have Audit enabled, you can view and assign the tenant auditor role, but tenant auditors have no authorizations until Audit is enabled.

Click Access Control > Roles to view each role, the policy to which it is associated, and the number of users assigned to that role.

Click each role to view the CRUD permissions that it grants.


To view the policies for a role, go to Access Control > Policies and then click the specific policy.

For example, when you click Policies > TENANT_ADMIN, you see the same table as when you click Roles > TENANT_ADMIN. In future releases, the relationship between Policies and Roles might be more complex and powerful.