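As a business operations manager on the Anaplan on Anaplan (AOA) team, an internal team focused on bringing Connected Planning to life within Anaplan, I help to oversee our internal Anaplan model ecosystem and assist in the solutioning and development of Anaplan models across all of our functional business groups.
As Anaplan's largest customer, we have many requirements to address, and one of them is user access and security. Anaplan's user roles functionality usually gets the job done when we need to grant users access to specific models. Sometimes we have to go a step further and use Anaplan's selective access feature. Roles and selective access are powerful tools, and they meet our needs almost all of the time. However, as we expand our own use of Anaplan, we have started to run into cases where access to a list has to be provisioned based on multiple criteria rather than a single condition.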
A real-life user provisioning challenge we’ve encountered is in our headcount planning model. As this model provides real-time reporting on our employees, there are inherent sensitivities and considerations around who can see information for specific employees—taking into consideration visibility to things like compensation and personally identifiable information (PII). We have multiple use cases built out within the model, including recruiting capacity and analysis, attrition reporting, hiring reporting, etc., and the access to specific employee data depends on the end user of the model.
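In this example model, we include the full employee roster. If an HR business partner accesses the model, we want them to see only the employees tagged to the functional area they support (e.g., Finance, Sales). Additionally, if a business manager goes into the model, they should only be able to view information for the managers and employees in their management chain.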
But wait! If the HR business partner is in Europe, they shouldn’t be able to see PII fields for their employees. Do you see how this could get complicated quickly? Additionally, some dashboards that contain non-sensitive employee information are perfectly fine to open up broadly to all users, while others contain sensitive data we need to provision.
So, how do we handle this? We can’t provision access by roles because all of the aforementioned users need access to the same modules/dashboards as it relates to the employees they manage. Additionally, no single user should be able to see all data for all employees. Selective access could be considered as a solution, but given the levels of complexity and multiple logical drivers—as well as the requirement to not hide reporting of non-sensitive data for employees—that option also has limitations.
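Enter Dynamic Cell Access (DCA). Because DCA lets us base read/write access on formula logic, it allows us to layer multiple pieces of logic when deciding whether a user should be able to read or write to a specific item in a list. It's dynamic (who would have guessed from the name?), which means it adjusts live as data within the model changes. Additionally, it offers us the flexibility to apply the provisioning logic to the exact modules we want to, rather than blanket provision users across the model.
Below is a high-level example of how to leverage the power of DCA:
The incredible power of the process above is not only the complete control over user provisioning, but also that, as new roster data is loaded into Anaplan, DCA automatically adjusts itself to account for the changes. So if someone changes cost centers or an employee's manager changes, the formulas we set up above will reference the new employee metadata and automatically adjust the DCA drivers, providing a more sustainable approach to user provisioning.
Another unintended benefit we discovered with this methodology is that Anaplan treats cells that are blanked out by the DCA driver as blank. So if you want a dashboard that automatically filters employees for the end user based on the logic above, filter out blanks on your dashboard. You will then have a dynamic filter based on the user who is viewing the model... pretty neat!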
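The layered rules described in this post (HR partner by functional area, manager by management chain, no PII for HR partners in Europe, non-sensitive data open to all) can be modelled as one boolean read driver per user, employee and field. The following is an added sketch in Python, not Anaplan formula syntax and not the AOA team's model; the roster, field names, roles and function names are all constructed for illustration.

```python
from dataclasses import dataclass

PII_FIELDS = {"home_address"}                # constructed sensitivity tags
SENSITIVE_FIELDS = {"salary"} | PII_FIELDS   # any other field is non-sensitive

@dataclass
class Employee:
    function: str
    manager: str = ""    # "" means top of the chain

@dataclass
class User:
    name: str
    role: str            # "hr_partner" or "manager"
    region: str = ""
    supports: str = ""   # functional area an HR partner supports

def sample_roster():
    """Constructed roster; editing it stands in for a new roster data load."""
    return {"ana": Employee("Finance"), "ben": Employee("Finance", "ana"),
            "cy": Employee("Finance", "ben"), "dee": Employee("Sales")}

def in_chain(roster, emp, manager):
    """True if `manager` sits anywhere above `emp` in the management chain."""
    seen, cur = set(), roster[emp].manager
    while cur and cur not in seen:           # `seen` guards against cyclic data
        if cur == manager:
            return True
        seen.add(cur)
        cur = roster[cur].manager if cur in roster else ""
    return False

def can_read(roster, user, emp, field):
    """Boolean read driver for one user x employee x field cell."""
    if field not in SENSITIVE_FIELDS:
        return True                          # non-sensitive data stays open to all
    if user.role == "hr_partner":
        if roster[emp].function != user.supports:
            return False
        return not (user.region == "Europe" and field in PII_FIELDS)
    if user.role == "manager":               # assumption: own row is not included
        return in_chain(roster, emp, user.name)
    return False                             # default deny for unknown roles

def visible_rows(roster, user, field):
    """Rows left after filtering out cells the driver leaves blank."""
    return [e for e in roster if can_read(roster, user, e, field)]

if __name__ == "__main__":
    r = sample_roster()
    print(visible_rows(r, User("ben", "manager"), "salary"))
    r["cy"].manager = "dee"                  # manager change in the source data
    print(visible_rows(r, User("ben", "manager"), "salary"))
```

Because the driver is recomputed from the roster each time, a manager change alters the visible rows without any change to the provisioning rules themselves.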