Governance policies for external collaborators

What's an external collaborator?

A user who's invited to collaborate on a sheet or workspace, but who isn't a member of the organization or domain that owns the sheet or workspace.

These policies ensure your external collaborators use a secure method to login —and one that passively validates that they're still employed by the organization you intend to collaborate with.

When an external collaborator who hasn't logged in with SSO/MFA tries to access an asset that requires SSO/MFA, the user sees a prompt instructing them that they must log in via SSO to access the asset.

While Require Corporate Account is set up on a plan-level,  Require MFA can be applied either account wide or on specific workspaces. System Admins can enable Workspace Admins to decide if they want to apply the additional security layer to specific workspaces they own.

The policies govern sheets, reports, and dashboards —all items that can be associated with a workspace.

Require Corporate Account

Require Corporate Account is a plan-level policy that guarantees access to Smartsheet is restricted to users with corporate-authenticated credentials (SSO), thereby reducing the risk of potential unauthorized access.

Supported methods

• Azure work account
• Google work account
• SAML SSO

Require MFA

This policy requires external collaborators to authenticate via Multi-Factor Authentication (MFA), enhancing security for them with an additional layer of verification. This ensures that, even if a password is compromised, unauthorized access can be thwarted by the MFA functionality.

• To activate this policy, you must first enable the Require Corporate Account policy.

• If an external collaborator's Identity Provider (IdP) doesn't support MFA or fails to communicate the MFA completion status with Smartsheet, our proprietary email-based MFA serves as a backup.

   

Supported methods

• SAML (Okta, Azure, AD FS)
• Microsoft work account

• Email one-time password

   

Email-based MFA

This is a one-time, time-limited password mechanism (OTP) provided via email. It's designed to address scenarios where standard MFA through the collaborator's IdP isn't possible.

If the system can't determine that the external collaborator has completed MFA on an asset where the policy applies, an email is sent to their account as soon as they click on the asset.

If the user enters the verification code incorrectly three consecutive times, they must wait 30 minutes to try again.

About the mobile app

• Currently, the mobile app automatically restricts external collaborators' access to assets when System Admins enforce one or both of the policies on the asset.
• External collaborators who meet the SSO policy get access to secured assets through the mobile app.

System Admins

To activate the Require Corporate Account policy:

1. Go to the Admin Center.
2. Select the menu icon and navigate to Settings > Secure External Access.

3. Slide the Require corporate accounts toggle to turn on the policy.

   If the internal sign-in option doesn't have SSO enabled, the Require Corporate Account policy will be automatically disabled.

To activate the Require MFA policy:

1. Go to the Admin Center.
2. Select the menu icon and navigate to Settings > Secure External Access.
3. Slide the Require MFA toggle to turn on the policy.
   • To allow Workspace Admins to apply the policy on specific workspaces, select the Workspace opt-in button.
   • To enforce the policy on all plan assets, select Enforce on all plan assets.

Brandfolder Image

Workspace Admins

• Workspace Admins can't set up the plan-level Require Corporate Account policy. The configuration is required by a System Admin.
• If a System Admin enables Workspace opt-in, Workspace Admins can enforce the Require MFA policy on specific workspaces.

To activate MFA for workspace access:

1. Go to the workspace and select Share in the top right corner. 
2. Select Set up from the top of the sharing window. 
3. Slide the Require MFA toggle to turn on the feature. Settings apply to all items in the workspace, not to individual items.

Brandfolder Image

Exempt list

The Exempt list (also known as the Trusted Domain list) allows System Admins to specify domains and individual email addresses that are exempt from the policies.

Enabling an exempt list initiates the creation of a sheet with specific columns. All System Admins have access to this sheet.

To create an Exempt list:

1. Go to the Admin Center.
2. Select the menu icon and navigate to Settings > Secure External Access. 
3. Under Advanced Settings, select Create sheet on either of the following:
   • Exempt domains
   • Exempt email addresses
4. To add new domains or email addresses to the Exempt list, enter them in the Domains/Emails allowed to share column and use the checkbox columns to indicate if the entity is exempt from the policies.

Exempt list sheet

System Admins can only add, edit, and delete rows on the sheet. The sheet contains the following columns:

• Domains/Emails allowed to share: Lists the domains/email addresses that are allowed to share content with.
• Exempt from Corporate Account Requirement: A checkbox that, when marked, exempts the domain/email address from requiring corporate account credentials to access shared content.
• Exempt from MFA Requirement: A checkbox that, when marked, exempts the domain/email address from the requirement to use MFA for accessing shared content.
• Modified By: Indicates the last user who made changes to the row.
• Modified On: Shows the date and time when the last modification was made to the row.
• Created By: Identifies the user who originally created the entry in the sheet.
• Created: Displays the date and time when the entry was created.
• Notes: An open field for any additional information or comments behind the domain/email address status.

Brandfolder Image

API calls

External collaborators using public API calls to access shared Smartsheet assets that are protected by Require Corporate Account or Require MFA policies can only gain access to those assets via Smartsheet API if their domain or email address is on the Exempt list, or if it's a validated domain of the plan.

If your external collaborators encounter issues accessing their shared assets, they should reach out to the System Admin of the plan to which those assets belong.

Other things to know

• These policies apply to users who aren't part of any validated domain in the plan that enabled the policy, or any domain/email address mentioned in the Exempt list for these policies.
• Issued OTPs have a lifespan of ten minutes. Post-expiration, users must generate a new one.
• If a System Admin turns off the Require Corporate Account policy while the Require MFA policy is on, an alert message will display advising them that disabling the Require Corporate Account policy automatically disables the Require MFA policy.
• Existing System Admins are responsible for granting access to the Exempt list sheet to new or future System Admins.
• Updates (new exemption entries) to the Exempt list may take up to three minutes to apply.