Get started with BYOK

If you're satisfied that BYOK meets your security needs, follow the steps below to begin. Keep in mind that it can be very complex to provision BYOK and to add new workspaces. The process incorporates both security and legal considerations. You'll need a minimum of two weeks after the BYOK request is approved. It may take longer when there are issues beyond our control, such as supply chain challenges. 

Stage 1: Choose an Encryption Administrator

Decide who will be the Encryption Administrator for your tenant. This person manages encryption keys and does not have model or workspace access to workspaces or models. Choose someone who's responsible for IT security but who doesn't use Anaplan models or APIs. You must have at least one Encryption Administrator for your tenant. As a best practice, we recommend that you not add additional roles for your Encryption Administrator. 

Stage 2: Add the Encryption Administrator to the workspace

Workspace Adminstrators only:

In the workspace to be encrypted, you must add the Encryption Administrator role as a user with no model access.

1. In Anaplan, open any model in the workspace to be encrypted.
2. Go to Settings > Users.
3. Select Add User. The Add User dialog appears.
4. Enter the new user's Email Address, First Name, and Last Name.
5. To ensure a separation of duties, don't select Workspace Administrator.
6. From the Role list, select No Access.
7. Select OK.

Repeat these steps to assign any other Encryption Administrators.

If the chosen Encryption Administrator already exists as a user in a workspace to be encrypted, change their model role to No Access.

For more details, see Users.

Stage 3: Request the Encryption Administrator role

Contact your Anaplan support representative with details of the users you want to serve as Encryption Administrators. You must designate the initial Encryption Administrator. 

Stage 4: Access BYOK in Anaplan Administration

Encryption Administrators only:

1. Select BYOK in the sidebar navigation.

Note: BYOK will not display in the Anaplan Administration sidebar until setup is complete. This includes a person in the role of Encryption Administrator.