Applies to

Smartsheet
  • Enterprise

Configure Smartsheet roles for Okta groups

PLANS

  • Enterprise

Smartsheet supports unlicensed users so you can provision Smartsheet users without any roles as well.  

Any new unlicensed user provisioned through Okta doesn't appear in Smartsheet's Admin Center until they log in for the first time or are added to a Smartsheet group.

Smartsheet Roles

Mapping Values

Variable Names (Preferred)

Smartsheet Licensed User

LICENSED_USER

smartsheetLicensedUser

Smartsheet Group Admin

GROUP_ADMIN

smartsheetGroupAdmin

Smartsheet Resource Viewer

RESOURCE_VIEWER

smartsheetResourceViewer

Smartsheet System Admin

SYSTEM_ADMIN

smartsheetSystemAdmin

Use Okta groups to assign Smartsheet roles to users.  You can create brand new Okta groups which map to each Smartsheet role, or you can use existing Okta groups and assign roles based on existing Okta group membership.

Assign users to Okta groups

Set up an Okta group for each Smartsheet role and assign users to these role-based groups.

  1. Go to the Okta Directory Groups tab.
  2. Create a group for each role. Refresh the page if your Okta groups don't appear. 

Update Smartsheet role mappings in Okta

Update the mappings of Okta group memberships to Smartsheet roles.

  1. Go to Profile Editor and select the Smartsheet User profile created for this integration. The Smartsheet User profile will likely have a name that contains the application label you defined when adding the Smartsheet integration.  Four Smartsheet role attributes will be prepopulated:
    • Smartsheet Licensed User
    • Smartsheet Group Admin
    • Smartsheet Resource ViewerSmartsheet System Admin
  2. At the top of the Attributes pane, select Mappings and then select the Okta User to Smartsheet mappings.
  3. For each Smartsheet role mapping, add an expression, as shown below. Make sure that spelling and case are correct.
  • isMemberOfGroupName('Smartsheet US Licensed User') ? 'LICENSED_USER' : ''
  • isMemberOfGroupName('Smartsheet US Resource Viewer') ? 'RESOURCE_VIEWER' : ''
  • isMemberOfGroupName('Smartsheet US Group Admin') ? 'GROUP_ADMIN' : ''
  • isMemberOfGroupName('Smartsheet US System Admin') ? 'SYSTEM_ADMIN' : ''
Brandfolder Image
Okta user to Smartsheet mapping example

Expressions explained:

  • isMemberOfGroupName('Smartsheet US Licensed User')
    • This part of the expression checks if the user is a member of a group with the name ”Smartsheet US Licensed User”.  This results in true or false for the next part of the expression.
  • ? 'LICENSED_USER' : ''
    • If the previous part is true (the user is a member of the “Smartsheet US Licensed User” group), then we want to give the user the “LICENSED_USER” role.
    • If the previous part is false (the user is NOT a member of the “Smartsheet US Licensed User” group), then we don't want to give the user the “LICENSED_USER” role (hence the empty quotations ‘’).
  1. At the bottom left of the screen, select Preview to validate your mappings against existing users.

    For example, John Doe is a member of only the Smartsheet US Licensed User and the Smartsheet US Resource Viewer Okta groups. The preview shows John Doe will only be provisioned the Licensed User and Resource Viewer roles.
  2. Brandfolder Image
    Preview of the Okta to Smartsheet mapping
  3. If everything looks good, select Exit Preview and then select Save Mappings.
  4. Go back to the Okta groups you created for the Smartsheet roles and assign users to the groups they need Smartsheet roles for.
  5. Provision the Smartsheet US application to the overall set of users that need access to Smartsheet, regardless of roles. Determine if you want to use either an existing group or create a new group.

    Let’s say you want to give an existing group – IT Admins – access to Smartsheet. Select the group, select the Applications tab, Assign Application, and assign the Smartsheet application to that group.

    If there are users in this group that aren't part of any Smartsheet role groups, they are provisioned to Smartsheet as Unlicensed users.
  6. Leave all the Smartsheet fields blank, save, and go back to the Groups tab.
  7. If you have all users in the IT Admins group assigned to the correct Okta Smartsheet roles groups, your users will be fully provisioned in Smartsheet with the appropriate Smartsheet roles. You can view the Okta logs from the left rail. Select Reports > System Log to see if there were any issues with provisioning to Smartsheet.
Was this article helpful?
YesNo