Set up and configure Enterprise Plan Manager

Use Enterprise Plan Manager (EPM) to establish security and governance policies for all plans across your organization’s validated domains. 

Who can use this?

Plans:

  • Enterprise

Permissions:

  • System Admin

Find out if this capability is included in Smartsheet Regions or Smartsheet Gov.

EPM creates a plan hierarchy with two levels:

  • Main plan: This plan sets the policies and adds plans to the family.
  • Managed plan: These plans inherit security and governance policies from the main plan. 

Contact your Smartsheet Customer Success Manager or Technical Account Manager to designate your main plan for EPM. Once you set the main plan, follow the steps below. 


Validate your domains

  1. Go to Admin Center.
  2. Select the Menu icon in the upper-left corner and navigate to Domain Management.
  3. Select Add Domain and follow the instructions on the right panel. To verify your domains, you must set up a public DNS record.

    If you're unsure how to do this, copy the instructions in the wizard to notify your public DNS admin and ask them to do it for you. 

  4. After you've entered all your information, select Verify.

Once you verify your domains, any plans opened under that domain appear on the Manage Plans screen. Learn more about domain management.


Configure your authentication settings

This process ensures everyone in your organization uses the same sign-on method. Follow the instructions in the wizard; you might need to contact your Identity Provider (IdP) to obtain the information you need. 

  • It's recommended that you use single sign-on (SSO) for authentication and deactivate email/password. Before you apply this best practice, confirm your team’s SSO readiness.
  • Give your team a heads-up that you're implementing centralized plan management and inform everyone that they're being added to the EPM family.
  • Ask each plan Admin to confirm whether people in their plan use SSO email addresses as their primary email addresses. The main plan Admin must leave the email/password on at the main plan level until all managed plan admins have confirmed their SSO readiness.
  • If the managed plan admins don't respond, the main plan admin may need to contact them directly. Individual managed plan admins might have to run a User Merge to update primary email addresses so they match the SSO email addresses of any remaining users.

Need more on configuring your authentication settings? Check out Admin Center: Manage authentication options
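
The readiness check described above, as an added example (not Smartsheet code, and it calls no Smartsheet API): it compares each plan's primary email addresses with the addresses your IdP asserts and lists the plans that still block deactivating email/password. The user list, IdP list, record layout, and status names are constructed assumptions.

```python
# Added example: SSO readiness audit before deactivating email/password.
# All data is constructed; the (plan, primary, alternates) layout is an assumption.

VALIDATED_DOMAINS = {"example.com"}  # constructed validated domain

# Constructed list of email addresses the IdP asserts at sign-on.
IDP_EMAILS = {"ana@example.com", "raj@example.com", "li@example.com"}

# Constructed per-plan user export: (plan, primary email, alternate emails).
PLAN_USERS = [
    ("Marketing", "ana@example.com", []),
    ("Marketing", "raj.k@example.com", ["raj@example.com"]),
    ("Finance", "li@contractor.example.net", []),
    ("Finance", "Li@Example.com", []),
]


def domain(email):
    """Return the lower-cased domain part of an email address."""
    return email.rsplit("@", 1)[-1].strip().lower()


def audit(users, idp_emails, domains):
    """Group each plan's users by SSO readiness status."""
    idp = {e.strip().lower() for e in idp_emails}
    report = {}
    for plan, primary, alternates in users:
        p = primary.strip().lower()
        if p in idp:
            status = "ready"  # primary email matches the SSO email
        elif any(a.strip().lower() in idp for a in alternates):
            status = "needs_user_merge"  # SSO email exists but is not primary
        elif domain(p) not in domains:
            status = "outside_validated_domains"
        else:
            status = "no_sso_identity"  # on a validated domain, unknown to the IdP
        report.setdefault(plan, {}).setdefault(status, []).append(primary)
    return report


def plans_blocking_cutover(report):
    """Plans with at least one user who would be locked out by SSO-only sign-on."""
    return sorted(plan for plan, s in report.items() if set(s) - {"ready"})


if __name__ == "__main__":
    result = audit(PLAN_USERS, IDP_EMAILS, VALIDATED_DOMAINS)
    print(result)
    print("Keep email/password on until resolved:", plans_blocking_cutover(result))
```
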


Add managed plans to your family

  1. On the Manage Plans screen, select the plans you want to work with.
  2. Select add. This converts any independent plans to managed plans. They automatically inherit the authentication and domain validation settings you created in the main plan. 

A message identifies any ineligible plans. Contact the plan owner to find out if they'd like to merge their plan into an existing managed plan or upgrade to an Enterprise plan.

Set a timeframe for enforcement (for example, activation of UAP) and communicate that to your team. After that, they can still use their plan, but they can't add new users.


Set User Auto-Provisioning (UAP) behavior

This setting applies to all users on your validated domains by default. Once you've added specific domains, you can toggle UAP on and off for them. 

Non-Enterprise plans must upgrade or merge before you activate UAP. After you activate UAP, non-compliant plans can't add new users. Learn more about User Auto-Provisioning.

  1. From the Admin Center menu, navigate to Settings and select User Auto-Provisioning.
  2. From the Auto-Provisioning Behavior dropdown, select one of the following options: 
    • Off: The user doesn't receive automatic provisioning.
    • On: Add as free user: The user gets automatically added as an unlicensed user.
    • On: Add as licensed user: The user automatically receives a license.

Once you set up UAP, managed plans can add unlicensed users from the main plan or invite people who don't have Smartsheet accounts to join their plans. If you use SAML for authentication, you can also set a user movement policy. Learn how to set a user movement policy


Inherited permissions

If you have multiple plans and one plan is the main plan under Enterprise Plan Manager, you can set publishing controls for reports, sheets, and dashboards in the main plan. All managed plans inherit those controls.

You can also set safe sharing controls in the same way. You can change these settings on the managed plan if you're an administrator on the main plan.