Applies to
- Enterprise
Capabilities
Who can use this capability
- System Admin
Set up and configure Enterprise Plan Manager
Use Enterprise Plan Manager (EPM) to set security and governance policies for all plans across your organization’s validated domains.
Find out if this capability is included in Smartsheet Regions or Smartsheet Gov.
Overview
EPM creates a plan hierarchy with two levels:
- Main plan: This plan sets the policies and adds plans to the family.
- Managed plan: These plans inherit security and governance policies from the main plan.
Contact your Smartsheet Customer Success Manager or Technical Account Manager to designate your main plan for EPM. Once the main plan is set, follow the steps below.
Validate your domains
- Go to Admin Center.
- Select the Menu icon in the upper-left corner and navigate to Domain Management.
- Select Add Domain and follow the instructions on the right panel. You must set up a public DNS record to verify your domains.
Not sure how to do this? Copy the instructions in the wizard to notify your public DNS admin and have them do it for you.
- After you've entered all your information, select Verify.
Once your domains are verified, any plans opened under that domain appear on the Manage Plans screen. Learn more about domain management.
Configure your authentication settings
This process ensures everyone in your organization uses the same sign-on method. Follow the instructions in the wizard; you may need to contact your Identity Provider (IdP) to obtain the information you need.
- It’s best practice to use single sign-on (SSO) for authentication and to deactivate email/password. Before you apply this best practice, confirm your team’s SSO readiness.
- Give your team a heads-up that you’re implementing centralized plan management. Let everyone know they will be added to the EPM family.
- Ask each plan admin to confirm that people in their plan use SSO email addresses as their primary email addresses. The main plan admin must leave email/password on at the main plan level until all managed plan admins have confirmed their SSO readiness.
- If the managed plan admins don’t respond, the main plan admin may need to contact them directly. Individual managed plan admins may have to run a User Merge so that the primary email addresses of any remaining users match their SSO email addresses.
Need more on configuring your authentication settings? Check out Admin Center: Manage authentication options.
Add managed plans to your family
- On the Manage Plans screen, select the plans you want to work with.
- Select add. This will convert any independent plans to managed plans. They’ll automatically inherit the authentication and domain validation settings you created in the main plan.
A message identifies any ineligible plans. Contact the plan owner to find out if they’d like to merge their plan into an existing managed plan or upgrade to an Enterprise plan. Set a timeframe for enforcement (for example, activation of UAP) and communicate that to your team. After that, they'll still be able to use their plan, but they can't add new users.
Set User Auto-Provisioning (UAP) behavior
This section contains information relevant to both the Legacy Collaborator Model and the User Subscription Model. If you're unsure about your model type, see Determine the model your plan is on.
This setting will apply to all users on your validated domains by default. Once you've added specific domains, you can toggle UAP on and off for them.
Non-Enterprise plans must upgrade or merge before you activate UAP. After you activate UAP, non-compliant plans can't add new users. Learn more about User Auto-Provisioning.
- From the Admin Center menu, in Settings, select User Auto-Provisioning.
- From the Auto-Provisioning Behavior dropdown, select one of the following options:
- Off: The user won't be provisioned automatically.
- On: Add as free user: The user will automatically be added as an unlicensed user. This option only applies to the Legacy Collaborator Model.
- On: Add as licensed user: The user will automatically be assigned a license (Legacy Collaborator Model) or Member designation (User Subscription Model).
Once UAP is set up, managed plans can add unlicensed users (Legacy Collaborator Model) from the main plan or invite people who don’t have Smartsheet accounts to join their plans. If you use SAML for authentication, you can also set a user movement policy. Learn how to set a user movement policy.
Inherited permissions
If you have multiple plans and one plan is the main plan under Enterprise Plan Manager, you can set publishing controls for reports, sheets, and dashboards in the main plan. All managed plans will inherit those controls.
You can also set safe sharing controls in the same way. You can change these settings on the managed plan if you're an administrator on the main plan.