Set a user movement policy for EPM

Automatically route users to the right managed plan based on their SAML attributes.

Plans:

Enterprise

Permissions:

System Admin

Find out if this capability is included in Smartsheet Regions or Smartsheet Gov.

If your main plan uses plan-level SAML for authentication, you can define a user movement policy (UMP) to automatically assign users to the most appropriate managed plan. For example, any user with a SAML attribute of department = finance moves to the Finance managed plan on their next sign-in.

The user movement policy only supports plan-level SAML. It’s incompatible with domain-level SAML. If you configure a UMP, switching to domain-level SAML afterward isn’t possible.

How the user movement policy works

The policy evaluates every user sign-in.
If a user's SAML attributes match a managed plan rule, they move to that plan. They keep access to items from their previous plan.
If no rule matches, and the user gets removed from their current plan, they return to the main plan on their next sign-in.
The policy applies to non-Members only (unlicensed users in the legacy model). Members (licensed users in the legacy model) don’t move automatically.

Set up a user movement policy

In Admin Center, navigate to Menu > Enterprise Plan Management.
The Enterprise plan manager page displays.
Select Manage Enterprise plan family.
Select Configure user movement policy.

Brandfolder Image
Use the template to define rules for each managed plan. Each rule specifies a SAML attribute and the value that triggers the move.
Save your policy.

If this is your first time configuring a UMP, a pre-filled template with a section for each managed plan appears. Set up SAML attribute claims in your identity provider before or after configuring the policy. Both must be in place for movement to occur.

Supported SAML attributes

Add attributes

Variable	Schema name	Name formats supported
Title	http://schemas.smartsheet.com/ws/2021/01/identity/claims/title	urn:oasis:names:tc:SAML:2.0:attrname-format:uri urn:oasis:names:tc:SAML:2.0:attrname-format:basic
Department	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/department	urn:oasis:names:tc:SAML:2.0:attrname-format:uri urn:oasis:names:tc:SAML:2.0:attrname-format:basic
Cost center	http://schemas.smartsheet.com/ws/2021/01/identity/claims/costcenter	urn:oasis:names:tc:SAML:2.0:attrname-format:uri urn:oasis:names:tc:SAML:2.0:attrname-format:basic
Primary phone number	http://schemas.smartsheet.com/ws/2021/01/identity/claims/primaryphone	urn:oasis:names:tc:SAML:2.0:attrname-format:uri urn:oasis:names:tc:SAML:2.0:attrname-format:basic
Mobile phone	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone	urn:oasis:names:tc:SAML:2.0:attrname-format:uri urn:oasis:names:tc:SAML:2.0:attrname-format:basic
Manager	http://schemas.smartsheet.com/ws/2021/01/identity/claims/manager	urn:oasis:names:tc:SAML:2.0:attrname-format:uri urn:oasis:names:tc:SAML:2.0:attrname-format:basic
Company	http://schemas.smartsheet.com/ws/2021/01/identity/claims/company	urn:oasis:names:tc:SAML:2.0:attrname-format:uri urn:oasis:names:tc:SAML:2.0:attrname-format:basic
Country	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country	urn:oasis:names:tc:SAML:2.0:attrname-format:uri urn:oasis:names:tc:SAML:2.0:attrname-format:basic
Job role	http://schemas.microsoft.com/ws/2008/06/identity/claims/jobrole	urn:oasis:names:tc:SAML:2.0:attrname-format:uri urn:oasis:names:tc:SAML:2.0:attrname-format:basic
Given name	givenname	urn:oasis:names:tc:SAML:2.0:attrname-format:uri urn:oasis:names:tc:SAML:2.0:attrname-format:basic
Surname	surname	urn:oasis:names:tc:SAML:2.0:attrname-format:uri urn:oasis:names:tc:SAML:2.0:attrname-format:basic

Use custom attributes

Variable	Schema name	Name formats supported
customField1	http://schemas.smartsheet.com/ws/2021/01/identity/claims/customfield1	urn:oasis:names:tc:SAML:2.0:attrname-format:uri urn:oasis:names:tc:SAML:2.0:attrname-format:basic
customField2	http://schemas.smartsheet.com/ws/2021/01/identity/claims/customfield2	urn:oasis:names:tc:SAML:2.0:attrname-format:uri urn:oasis:names:tc:SAML:2.0:attrname-format:basic
customField3	http://schemas.smartsheet.com/ws/2021/01/identity/claims/customfield3	urn:oasis:names:tc:SAML:2.0:attrname-format:uri urn:oasis:names:tc:SAML:2.0:attrname-format:basic
customField4	http://schemas.smartsheet.com/ws/2021/01/identity/claims/customfield4	urn:oasis:names:tc:SAML:2.0:attrname-format:uri urn:oasis:names:tc:SAML:2.0:attrname-format:basic
customField5	http://schemas.smartsheet.com/ws/2021/01/identity/claims/customfield5	urn:oasis:names:tc:SAML:2.0:attrname-format:uri urn:oasis:names:tc:SAML:2.0:attrname-format:basic
customField6	http://schemas.smartsheet.com/ws/2021/01/identity/claims/customfield6	urn:oasis:names:tc:SAML:2.0:attrname-format:uri urn:oasis:names:tc:SAML:2.0:attrname-format:basic
customField7	http://schemas.smartsheet.com/ws/2021/01/identity/claims/customfield7	urn:oasis:names:tc:SAML:2.0:attrname-format:uri urn:oasis:names:tc:SAML:2.0:attrname-format:basic
customField8	http://schemas.smartsheet.com/ws/2021/01/identity/claims/customfield8	urn:oasis:names:tc:SAML:2.0:attrname-format:uri urn:oasis:names:tc:SAML:2.0:attrname-format:basic
customField9	http://schemas.smartsheet.com/ws/2021/01/identity/claims/customfield9	urn:oasis:names:tc:SAML:2.0:attrname-format:uri urn:oasis:names:tc:SAML:2.0:attrname-format:basic
customField10	http://schemas.smartsheet.com/ws/2021/01/identity/claims/customfield10	urn:oasis:names:tc:SAML:2.0:attrname-format:uri urn:oasis:names:tc:SAML:2.0:attrname-format:basic

You can map custom attributes to any of the ten custom field slots. Users with no matching rule are placed in the main plan.

USM Content