Search

Administration: Access Control

As a Tenant Administrator for your organization, you can use the Access Control section of the Anaplan Administration app to view:

A Policy is a container for the privileges associated with a Role. An Assignment causes an individual user to have a Role. It's possible to assign a user to more than one role, however if you want to enforce separation of duties, assign a separate group of users to each role.

Assignments

To see which roles users have, click Access Control > Assignments.

As a Tenant Admin user, you can:

  • make a Standard user become a View Admin or Tenant Admin user
  • make a View Admin user become a Standard or Tenant Admin user
  • make a Tenant Admin user become a View Admin or Standard user
  • assign a user to the Tenant Auditor role
  • assign a user to the Tenant Security Admin role
  • assign a user to the Process Owner role
  • assign a user to the Page Builder role
  • view users assigned to the Workspace Admin role for the current tenant
  • get a list of Workspace Admin users for the current tenant
  • build your organization's Business Map
  • access the Business Map.
Note: If you are the only user in your tenant that has this role, you cannot remove it.

As a user with the View Administrator role, you can:

  • view users assigned the Workspace Admin role for the current tenant.
  • get a list of users with the Workspace Admin role for the current tenant.
  • access the Business Map.

To assign or remove roles:

  1. Click Access Control > Assignments.
  2. Select the user to whom you want to assign or remove a role.
  3. Select the checkboxes of the roles you want to assign and clear the checkboxes of the roles you want to remove.
  4. Click Save.
Note: You cannot assign the Workspace Administrator role in the Anaplan Administration app. The Workspace Administrator role is assigned at the workspace level.

Resource Types

Each role enables permissions for tenant configuration. Depending on the role, certain Create Read Update Delete (CRUD) permissions are enabled in these areas:

  • Applications
  • History
  • Metadata
  • Models
  • Pages
  • Policies
  • Role Membership
  • Roles
  • Task
  • Users
  • Widgets
  • Work
  • Workflow Cycle
  • Workflow Process
  • Workspaces

Access Control Roles

Role

Policy

Description

View Admin

View Admin

View administrators can view the configuration of a tenant, but cannot update anything.

Tenant Admin

Tenant Admin

Tenant administrators manage the configurations and settings at the tenant level. Tenant administrators:

  • Cannot access other tenants
  • Cannot access tenant data
  • Can access metadata

Tenant administrators have the Read permissions that the View administrator has. In addition, they can:

  • Assign process owners, tenant auditors, and other tenant admins
  • Create Role Membership for other tenant roles
  • Update Model Categories
  • Update Users
Note: If you are the only user in your tenant that has this role, you cannot remove it.
Tenant Security Admin Tenant Security Admin

Tenant security administrators manage the tenant’s security settings. They can:

  • access the Self-service feature in the Administration Console.
  • create a new identity provider (IdP) connection.
  • modify an existing IdP connection.
  • disable an existing IdP connection.

Encryption Admin

Encryption Admin Policy

Encryption administrators manage the BYOK encryption keys for their organization and handle the encryption of their workspaces. Encryption administrators can only see the workspaces and keys for the tenant to which they belong.

Encryption administrators can:

  • Create, Read and Update encryption keys.
  • Assign the Encryption Admin role.
  • Remove the Encryption Admin role.
Note: You cannot unassign yourself from this role. To be unassigned from the encryption administrator role, have another encryption admin unassign you.
Page Builder Page Builder

Page Builder can:

Process Owner Process Owner

In a future release, process owners can create, edit, update and delete Workflow processes for their tenant. Workflow processes consist of several tasks that the process owner assigns to users such as viewing and modifying information on dashboards and approving or rejecting those changes. In addition, process owners can start cycles of their workflow processes and can complete their own workflow tasks.

Notes: Administrators who have the Process Owner role can run tasks in any workflow process.
Your organization must be licensed for the Workflow feature to make use of the Process Owner role. If you don't have Workflow enabled, you can view and assign the Process Owner role, but process owners have no authorizations until Workflow is enabled.

Tenant Auditor

Tenant Auditor

Tenant Auditors can view audit information for their tenant. See Security - Audit.

Note: Your organization must be licensed for the Audit feature to make use of the tenant auditor role. If you don't have Audit enabled, you can view and assign the tenant auditor role, but tenant auditors have no authorizations until Audit is enabled.

Click Access Control > Roles to view each role, the policy to which it is associated, and the number of users assigned to that role.

Click each role to view the CRUD permissions that it grants.

Policies

To view the policies for a role, go to Access Control > Policies and then click the specific policy.

For example, when you click Policies > TENANT_ADMIN, you see the same table as when you click Roles > TENANT_ADMIN. In future releases, the relationship between Policies and Roles might be more complex and powerful.