Applies to
- Enterprise
Capabilities
Who can use this capability
- Group Admin
- System Admin
Admin Center: Manage IdP role-based groups
Once IdP-managed access is turned on for your Smartsheet plan, Group Admins and System Admins can create and manage IdP role-based groups in Admin Center. This allows them to control user access and permissions within Smartsheet based on existing role-based groups in your Identity Provider (IdP) system.
Overview
- System Admins of Enterprise plans where the domain is activated and validated can view, create, edit, and delete IdP role-based groups for validated and activated domains in their plans.
- System Admins of validating plans are only allowed to view what IdP groups are available. They can’t create, edit, or remove IdP role-based groups.
- In Enterprise Plan Manager (EPM) families, only System Admins of the EPM main plan can create, edit, or delete IdP-managed groups.
- System Admins can also allow Group Admins in their plan or EPM main plan to create IdP roles or IdP groups via the Group Management screen. However, this is only possible for the domain the Group Admin belongs to.
IdP role-based groups created for a validated and activated domain are available to all Enterprise plans that validated the same domain.
Create an IdP role-based group
- In Admin Center, select the Menu icon in the upper-left corner.
- Navigate to Settings > IdP Managed Access.
- Select Add roles. The IdP Managed Access sheet will open in a new tab within Smartsheet.
You can also access the IdP Managed Access page via the Security card on the Admin Center home page.
About the IdP-managed access sheet
Turning on the IdP Managed Access feature automatically generates the IdP-managed access sheet and shares it to all existing System Admins in the plan.
Using the linked Smartsheet sheet, System Admins and Group Admins (if allowed) can add roles that correspond to roles in the customer’s IdP and are associated with activated domains. Note that only activated domains in the plan will be listed for selecting and creating IdP role-based groups.
Edit IdP role-based groups
In the IdP Managed Access page in Admin Center, select Edit roles.
Allow Group Admins to create IdP role-based groups
In the IdP Managed Access page in Admin Center, turn on the toggle to allow Group Admins to create IdP role-based groups from the Group Management page.
Allow requests for additional IdP role-based groups
System Admins who haven't allowed Group Admins to create IdP role-based groups can instead share a link to a Smartsheet form or another resource. This enables Group Admins with activated domains to request the creation of additional IdP role-based groups.
Create IdP role-based groups in Group Management
Group Admins and System Admins of activating plans or the EPM main plan can create IdP role-based groups within the Group Management page in Admin Center if permitted by a System Admin of their plan. However, Group Admins can only create IdP role-based groups for the domain they belong to.
- In Admin Center, select the Menu icon in the upper-left corner.
- Navigate to Group Management and select Create IdP role-based group. A panel will appear on the right side of the screen.
- Choose a name for the IdP role-based group and enter it in the text box. Then, follow the instructions in the panel to complete the process.
Request the creation of IdP groups
Group Admins from validated domains or EPM children plans can’t add new IdP role-based groups. However, if the System Admin of the activating plan or EPM main plan has provided a submission link, they can request their creation via Group Management.
In the Group Management page, select Create IdP role-based group > Start your request.
Will IdP role-based groups recognize role changes as soon as they happen?
IdP role changes don’t take effect immediately. For example, if a user's role changes while their Smartsheet session is active, the role change will only apply after that user logs out of both Smartsheet and their IdP system and then logs back in.
Can I create roles that are different from the ones in my IdP?
No. You won’t be able to create roles that aren’t already present in your Identity Provider (IdP) system.
Is this sheet created automatically by the feature? If so, is it automatically shared with all System Admins in the plan?
Yes. Once IdP-managed access is activated, the IdP-managed access sheet is automatically shared to all existing System Admins in the plan. If needed, System Admins can then share it to other System Admins like any other sheet.
Can I rename the sheet? If so, does this break the functionality?
Yes. Renaming the sheet doesn’t disrupt or break its functionality.
Can I change the sheet's location? If so, does this break the functionality?
Yes, changing the sheet's location can break its functionality. When the sheet is created, it goes into a workspace shared to Admins. Therefore, it’s advisable to avoid modifying the sheet's location.
Can I delete the sheet?
Yes, but doing this will break the functionality.
If the IdP-managed access sheet is deleted and removed from deleted items, is there a way to recover it?
Yes. Turning the feature off and then back on recreates the sheet with data from the plan's currently activated domains.
What happens to existing group roles if the sheet is modified or deleted?
It won’t impact the sharing experience, but System Admins will no longer be able to manage or modify IdP groups.
Can I revert any accidental changes to the sheet?
Yes. System Admins can turn the feature off and then back on again, which will recreate the sheet.
Are there any specific permissions required to modify or delete this sheet?
Yes, the user must hold Editor or above permissions on the sheet.