Applies to

Smartsheet
  • Enterprise

Capabilities

Who can use this capability

You must be an Admin on the main plan to use Enterprise Plan Manager.

Set up and configure Enterprise Plan Manager

PLANS

  • Smartsheet
  • Enterprise

Permissions

You must be an Admin on the main plan to use Enterprise Plan Manager.

Use Enterprise Plan Manager (EPM) to set security and governance policies for all plans across your organization’s validated domains. 

EPM creates a plan hierarchy with two levels:

  • Main plan: This plan sets the policies and adds plans to the family.
  • Managed plan: These plans inherit security and governance policies from the main plan. 

Contact your Smartsheet Customer Success Manager or Technical Account Manager to designate your main plan for EPM.

Once the main plan is set, follow the steps below. 

Validate your domains

  1. Select Add Domain and follow the instructions on the right panel. You’ll need to set up a public DNS record to verify your domains. Not sure how to do this? You can copy the instructions in the wizard to notify your public DNS admin and have them do it for you. 
  2. After you’ve entered all your information, select Verify

Learn more about domain validation

Once your domains are verified, any plans opened under that domain appear on the Manage Plans screen.  

Configure your authentication settings

This process ensures everyone in your organization uses the same sign-on method. Follow the instructions in the wizard; you may need to contact your Identity Provider to obtain the information you need. 

It’s best practice to use single-sign on (SSO) for authentication and to disable email/password. Before you apply this best practice, confirm your team’s SSO readiness. Give your team a heads up that you’re implementing centralized plan management. Let everyone know they will be added to the EPM family. Ask each plan admin to confirm people in their plan use SSO email addresses as their primary email addresses. The main plan admin must leave email/password on at the main plan level until all managed plan admins have confirmed their SSO readiness.

If the managed plan admins don’t respond, the main plan admin may need to contact them to discuss that individual managed plan admins MAY have to run a User Merge to update primary email addresses to match SSO email addresses of any remaining users.

  • In Admin Center, select Configure authentication settings and follow the instructions on your screen. 

Need more on configuring your authentication settings? Read Manage authentication options for an Enterprise plan

Add managed plans to your family

 

  • On the Manage Plans screen, select the plans you want to work with and then click add. This will convert any independent plans to managed plans. They’ll automatically inherit the authentication and domain validation settings you created in the main plan. 

A message identifies any Ineligible plans. Contact the owner of the plan to find out if they’d like to merge their plan into an existing managed plan or upgrade to an Enterprise plan. Set a timeframe for enforcement (for example, activation of UAP) and communicate that to your team. After that, they will still be able to use their plan but they will not be able to add new users.

Set User Auto Provisioning (UAP)  behavior. 

By default, this setting will apply to all users on your validated domains. You can toggle UAP on and off for specific domains once you’ve added them. 

Non-Enterprise plans must upgrade or merge before you activate UAP. After you activate UAP, non-compliant plans will not be able to add new users.

Learn more about user auto-provisioning.

From the Admin Center menu, in Organization View, select Domains and UAP.

  1. From the UAP dropdown select one of the options: 
    Off: The user will not be provisioned automatically.
    On: Add as free user: The user will automatically be added as an unlicensed user.
    On: Add as licensed user: The user will automatically be assigned a license.

Learn more about user types. 

Once UAP is set up, managed plans can add unlicensed users from the main plan or invite people who don’t have Smartsheet accounts to join their plans.  If you use SAML for authentication, you can also set a User Movement Policy. Learn more

Inherited permissions

If you have multiple plans and one plan is the main plan under Enterprise Plan Manager, you can set publishing controls for reports, sheets, and dashboards in the main plan. All managed plans will inherit those controls.

You can also set safe sharing controls in the same way.

You can change these settings on the managed plan if you are an administrator on the main plan.

 

Was this article helpful?
YesNo