Applies to

Smartsheet
  • Enterprise

Capabilities

Who can use this capability

You must be a licensed System Admin to enable the Safe Sharing policy on your Smartsheet plan.

 

Configure security controls for an Enterprise Plan

As System Admin, you can configure security controls to manage how users work in Smartsheet.

PLANS

  • Smartsheet
  • Enterprise

Permissions

You must be a licensed System Admin to enable the Safe Sharing policy on your Smartsheet plan.

 

About the Safe Sharing policy

The Safe Sharing policy allows you to create an approved list of users and domains that assets can be shared with. You can use it for sheets, forms, reports, workflows, WorkApps, and dashboards. For example, you can block users' ability to share, email, or execute workflows tied to users who aren't in the Safe Sharing list.

You can also restrict unauthorized users from:

  • Sharing sheets and workspaces
  • Sending rows
  • Using the Send Link to Form option within the form link
  • Enabling assignment of a license
  • Adding users to groups

What to expect

After you activate the Safe Sharing policy in the Admin Center, two sheets become available to you:

  • One for the domain list
  • One for the user list (email addresses allowed)

These sheets are standard Smartsheet sheets that you can edit and share with other users. However, it's advisable to share them only with someone you trust to manage your Safe Sharing list. They contain eight auto-generated columns that are locked by default; it's recommended not to change them to avoid compromising existing permissions or workflows, and also to prevent issues with future enhancements to the feature:

  • Domains/Emails allowed to share
  • Exempt from Corporate Account Requirement
  • Exempt from MFA Requirement
  • Modified By
  • Modified On
  • Created By
  • Created
  • Notes

Additionally, a new Admin Settings workspace is automatically generated for you to store both sheets. Note that the data you enter in these sheets synchronizes with the Exempt list, which you use to manage external sharing. Learn more details about the Exempt list and the auto-generated columns.

 

Known limitations

  • Future System Admins added to Smartsheet don't automatically get access to the Safe Sharing list. An existing System Admin must share the Safe Sharing sheets (or workspace) with them.
  • After you modify the Safe Sharing policy, it may take up to three minutes for it to apply.
  • Both sheets only support up to 20,000 rows. You may notice slight delays during the policy enforcement if you're working with more than 20,000 entries. 
  • You can't use an API to enable or disable Safe Sharing, but you can use our API to automate changes to it.
  • Changes to the Safe Sharing sheets don't automatically trigger a notification, but you're encouraged to add a workflow to trigger a notification on changes to the sheets.

 

Other things to know

  • Users can't send emails from Smartsheet to restricted domains and email addresses.
  • You need to add subdomains to the allowlist individually. For instance, adding company.com to the allowlist doesn't add portal.company.com to the allowlist. You need to add both domains.
  • When enabled, Safe Sharing capabilities restrict who can receive notification emails.
  • You can audit your Safe Sharing list through the Sheet Access Report; you can also use the sheet activity log to check who made changes to the sheets.
  • Upon activation, all System Admins on the plan receive Admin permissions on the Safe Sharing list (both sheets). They also receive a notification when the policy is enabled or disabled.
     

Set up an approved domain-sharing list

Set up an allowlist to ensure that others can share assets only to people with a company email address. You can also restrict sharing by domain or by specific email addresses.

Ensure that you've added and validated at least one domain before you turn on Safe Sharing; otherwise, users won't be able to share with anyone else, including people in your own organization.


To set up the policy: 

  1. Go to the Admin Center and select the menu icon.
  2. Navigate to Governance Controls.
  3. Select Configure on the Safe Sharing Policy tile. 
  4. Slide the toggle to turn on the policy.

    Brandfolder Image
    Turn on the Safe Sharing policy

Enable requests for additional domains

When you activate Safe Sharing, you have the option to share a link to a form. This form allows members of your organization's plan to request System Admins to add extra domains or email addresses to the allowlist. You can use the Input URL here field for this purpose.

Your link will be presented in a Smartsheet window whenever users in your plan attempt to share or email an item from Smartsheet to someone whose email address falls outside the allowlist.

Your link can be:

  • A URL for an existing system your organization uses (such as an IT ticketing site)
  • A Smartsheet form

    Any Smartsheet items that you shared before enabling domain restrictions remain shared to anyone outside of the approved domains. You can generate a Sheet Access Report to see what items have been shared.

Brandfolder Image
Request new email or domain to be added

Modify your allowlist

To edit the sheets:

  1. Go to the Admin Center and select the menu icon.
  2. Navigate to Governance Controls.
  3. Select Manage on the Safe Sharing Policy tile.
  4. Select Edit Sheet on the list you'd like to edit:
    • Domains allowed
    • Email addresses allowed
  5. Add, edit, remove domains or addresses from the list.

    If you've accidentally deleted your Safe Sharing list, you have 30 days to retrieve it from the recycle bin.

 

To deactivate Safe Sharing:

  1. Go to the Admin Center and select the menu icon.
  2. Navigate to Governance Controls.
  3. Select Manage on the Safe Sharing Policy tile.
  4. Slide the toggle to turn off the policy.

Note that disabling the Safe Sharing policy across your plan allows your users to share Smartsheet items with anyone outside of your organization.

Brandfolder Image
Turn off the Safe Sharing policy

Safe Sharing list and premium applications

Other premium applications may indirectly integrate with the Safe Sharing list or aren't necessary.

Premium ApplicationIntegration with Safe Sharing List
BrandfolderDepending on Admin settings, users can share assets privately or publicly as a link. There's no integration with the Safe Sharing list.
BridgeBridge supports the Safe Sharing list through modules in Bridge workflows.
CalendarCalendar supports the Safe Sharing list.
Control CenterThere's no integration with the Safe Sharing list.
DataMeshDataMesh inherits access permissions and the Safe Sharing list from the signed-in user. These are both adhered to when creating and transferring Data Mesh configurations.
Data ShuttleThere's no sharing model for Data Shuttle.
Data TablesYou can only share to other people within a company, and you don't need the Safe Sharing list.
Dynamic ViewThere's no integration with the Safe Sharing list.
PivotPivot only uses sheets which support the Safe Sharing list.
Resource ManagerYou can only share Resource Management reports to other licensed Resource Management users through a link. There's no integration with the Safe Sharing list.

Manage authentication options

All Smartsheet customers can log in using their email address and password, or they can choose from a number of single-sign-on options. System Admins can disable any of these login options as desired.

To modify how people sign in to Smartsheet:

  1. On the left Navigation Bar, select Account
  2. In the Account menu, select Admin Center
  3. Under Settings > Authentication, select the method you want to use.

Enable User Auto-Provisioning

User Auto Provisioning (UAP) automates adding users to an Enterprise account in Smartsheet. Rather than manually inviting users through the User Management screen, enable this capability to automatically add users to your account if they sign up for Smartsheet with an email address owned by your organization. You can choose to automatically add users to the account as licensed or non-licensed, depending on the access you'd like to provide.

Completing the process requires you to add records to your public Domain Name System (DNS), so you may need to loop in an internal technical resource for assistance. 


Apply security settings to forms

By default, all forms are anonymous and available to anyone with a link to the form. You can limit form access to people with a Smartsheet login or people on your Smartsheet account via the Safe Sharing List. 

When you select these settings in the Admin Center, they apply as the minimum permissions for all forms on your account, and you can't change them in the form builder.

 

If I turn this feature off and then back on, will it reference the original sheet, or will a new sheet be created?

It'll reference the original sheet.

How do I automate updating the Safe Sharing list?

The Safe Sharing list is a standard sheet, so you can use the sheet API to add and remove rows to the list. However, you can't use an API to activate or deactivate the feature.

Can I add workflows to the sheet?

Yes.

Can I add more columns to the Safe Sharing list?

We recommend you don't modify the columns in the sheet, including adding or removing columns, as doing this may break future enhancements. Never remove any auto-generated columns.

Can I bulk import a list for Safe Sharing?

Yes. You can add your list of trusted domains and emails in bulk by copying and pasting the list into the sheets.

Is the API support through our current API or is it separate?

Through our current sheet API.

What happens to my existing Safe Sharing list after I enable the policy?

Your existing Safe Sharing list will be automatically added to both sheets. Note that starting in February 2024, you have a six-month window to transition to the new Safe Sharing policy. After this period, we'll automatically migrate you to sheets.
 

Was this article helpful?
YesNo