System Admins on Enterprise plans have access to configure Security Controls to manage the way their users are working in Smartsheet. System Admins can:
- Set up an Approved Domain Sharing List to prevent sheets from being shared or sent to unauthorized email addresses
- Limit Group Membership Options to only include users on the account
- Choose which Authentication Options are allowed for users
- Enable User Auto Provisioning to automatically add new users to the account if they sign up for Smartsheet using an email address owned by the organization
To manage these settings, click Account > Account Admin, and then click Security Controls on the left panel of the Account Administration form.
Set Up an Approved Domain Sharing List
This feature enables System Admins of Enterprise plans to restrict sharing by domain or by specific email addresses, by setting up a white list. For example, the System Admin can ensure that sheets are shared only to people with a company email address.
NOTES:
- Users will also be prevented from sending emails from Smartsheet to restricted domains and email addresses.
- Subdomains will need to be whitelisted individually, as they aren't included when you whitelist a domain. For instance, whitelisting "company.com" will not whitelist "portal.company.com" as well. (You'll need to whitelist both domains.)
- From the upper-left corner of the Smartsheet window, click Account > Account Admin > Security Controls.
- In the Approved Domain Sharing section, click Edit.
The Approved Domain Sharing List form appears:
- Select the Enable sharing in Smartsheet only to the domains and email addresses listed below checkbox.
- In the Approved domains box, type in each email domain (for example: companydomain.com) that users will be allowed to share to. Each domain must appear on a separate line.
If there are any specific email address that users should be able to share to that fall outside of the allowed domains, enter them in the Approved email addresses box.
You can also provide a URL to a form for members of your organization's plan to make a request for System Admins to include additional domains or email addresses in the white list. Your link will be presented in a Smartsheet window whenever users in your plan attempt to share or email an item from Smartsheet to someone whose email address falls outside of the whitelist.
Your link can be:- A URL for an existing system your organization uses (such as an IT ticketing site)
- A Smartsheet form (check out our article on Forms for more information)
- Click OK.
Once you enable the Approved Domain & Address Sharing feature, people in your account must use email addresses with approved domains when they do the following:
- Share sheets and workspaces
- Send rows
- Use form links
- Manually or automatically send any alerts or requests (alerts, reminders, update requests, approval requests)
Smartsheet items that were shared before domain restrictions were enabled will remain shared to anyone outside of the approved domains. You can generate a Sheet Access Report to see what items have been shared with whom, details on this are available here.
To change the list:
- Click the Edit button on the Security Controls form.
- Add, edit, remove domains/addresses from the list, and click OK.
To disable the feature, click the Edit button, uncheck the Enabled checkbox, and click OK.
Change Group Options
System Admins on Enterprise plans can restrict the type of users who can be added to a group by Group Admins. You can limit this to only users on the account or allow all users and external contacts in groups.
- Click Account (in the upper-left corner) > Account Admin > Security Controls.
- Click on the Edit button in the Group Membership Options section.
The Group Management Options form appears: - Select whether to have group membership Limited to Account Users Only. When this option is selected, only users shown in the User Management screen can be added to groups by Group Admins.
To learn more about creating and managing groups, check out our Managing Groups article.
Manage Authentication Options
All Smartsheet users are able to log in using their email address and Smartsheet password, or they can single-sign on to our application from Google or Microsoft Office 365 for work or school. System Admins have the ability to disable any of these log in options if desired. Learn more about this in our article on Managing Authentication Options.
We also provide SAML (Security Assertion Markup Language) integration for our Enterprise customers to enable a single sign-on experience with Smartsheet from their local network. Smartsheet currently supports SAML 2 for SSO, and the following SAML 2 compliant identity providers: OneLogin, ADFS 2.0, Shibboleth, PingIdentity, and Okta.
To set up SSO with SAML2, please review detailed instructions in our article on Managing Authentication Options. The instructions will require assistance from a technical professional who is familiar with SAML and has access to the Identity Provider that will be configured for use with Smartsheet.com. It will walk you through both configuring your Identity Provider for SAML with Smartsheet, and configuring Smartsheet which requires System Admin access to the account.
Enable User Auto Provisioning
User Auto Provisioning automates the process of adding users to an Enterprise account in Smartsheet. Rather than manually inviting users through the User Management screen, enable this feature to automatically add users to your account if they sign up for Smartsheet with an email address owned by your organization. You can choose to automatically add users to the account as licensed or non-licensed, depending on the access you'd like to provide.
Review our help article on User Auto Provisioning for detailed instructions. Completing the process will require you to add record(s) to your Domain Name System (DNS), so you may need to loop in an internal technical resource for assistance.