With Identity Provider (IdP) managed access, you can effectively control user access and permissions within Smartsheet using role-based groups defined in your IdP. This not only improves security but also simplifies access management, seamlessly integrating with your current IdP system.
Overview
Integrating role-based access management with an IdP allows for automatic updates to permissions when roles change within your company. This eliminates the need for the manual and time-consuming process of updating access to Smartsheet items when an employee moves to a different team.
For example, if an employee transitions from a finance role to a marketing role, your organization doesn't need to manually remove their access to finance-related items and grant access to marketing ones. Manual updates often leave security gaps: any delay in removing access to the sensitive information of a previous role increases the risk of unauthorized access.
With IdP-managed access, user roles are automatically synchronized between IdP roles defined in your identity provider (such as Okta or Microsoft Entra ID) and IdP role-based groups in Smartsheet, ensuring a direct correspondence between roles in both systems.
Prerequisites
- Domain-level SAML setup: Security Assertion Markup Language (SAML) is necessary to assign access and permissions using domain-based IdP role-based groups. System Admins must ensure domain-level SAML SSO is set up to enable IdP-managed access. This is because when a user logs in to Smartsheet with SAML, the user's IdP role is passed from the IdP to Smartsheet in real time as part of the SAML login.
- Specific IdP configuration: Depending on which IdP system you use, follow the instructions below to make sure that user roles in your IdP sync correctly with Smartsheet:
  - Okta-specific instructions
  - Entra ID-specific instructions (formerly known as Azure AD)
  - Other IdPs
Keep these things in mind
- Enterprise plans: System Admins of plans where a domain has been validated can activate or deactivate IdP-managed access for their plans via Admin Center, allowing them to manage user access through their IdP role-based groups.
- EPM families: Only System Admins of the Enterprise Plan Manager (EPM) main plan can activate or deactivate this feature. System Admins of child plans in EPM families inherit settings from the main plan and have read-only access. They can't create, edit, or remove IdP role-based groups in their plan.
Activate IdP-managed access
- In Admin Center, select the Menu icon in the upper-left corner.
- Navigate to Settings > IdP Managed Access.
- Turn on the IdP Managed Access toggle.
When you activate the IdP Managed Access feature, it automatically generates the IdP-managed access sheet and shares it with all current System Admins in the plan. If needed, System Admins may share it with other System Admins as they would any other sheet.
You can also get to the IdP Managed Access page from the Security card on the Admin Center home page.
Deactivate IdP-managed access
- Turn off the IdP Managed Access toggle on the IdP Managed Access page.
Who can create IdP groups?
- System Admins of plans where the domain is activated.
- Group Admins of activated domains, if allowed by the System Admin.
- Group Admins from validated domains can request the creation of IdP groups.
Will my users be able to share to Smartsheet groups and IdP groups?
Yes. In the sharing modal, the domain name is listed at the end of the group name so users can recognize that it's an IdP group.
What changes occur when I enable the feature for the first time in a plan where the domain is activated?
- A new sheet is created for IdP role and IdP group mappings.
- IdP group memberships are automatically created and updated when users log in.
- You can share Smartsheet items with IdP groups. Also, users will gain access based on their IdP role.
How does disabling the feature affect a plan where the domain is activated?
- The sheet is deleted, but all role mappings are retained in the database at the domain level for future use.
- Syncing of role and group memberships stops.
- Users can no longer share Smartsheet items with IdP groups, and group memberships are removed.
- Existing group memberships are deleted. Users will lose access to shared items through IdP groups.
What happens after I re-enable the feature in a plan with an activated domain?
- The sheet is re-created using the previous role mappings stored in the database.
- Synchronization of roles and group memberships resumes, updating users' group memberships.
- Item sharing with IdP groups becomes available again, restoring access for users with the appropriate roles.
How does domain deactivation impact IdP Managed Access when enabled?
- The sheet remains, but syncing stops for the deactivated domain.
- Existing role mappings and group memberships are retained, but no new updates are made.
- Users in deactivated domains will lose access to Smartsheet items shared through IdP groups.
What occurs when a domain is activated with an IdP role already defined in the sheet?
- If role mappings already exist, they’re synced to the sheet when the domain is activated.
- The system ensures that the correct data is available in the new or existing sheet, restoring user access.
How does enabling, disabling, or re-enabling the feature work in a plan where a domain is validated?
- There is no direct impact on the sheet, as the activated plan manages it.
- Group memberships are updated based on user logins but are removed when the feature is deactivated.
- Item sharing and group membership work as expected, similar to activated plans, but are managed through the main activated plan.
What is the effect of domain invalidation in a validated domain plan?
- Group memberships for users in the invalidated domain are removed.
- Users in these domains lose access to items shared with IdP groups.
Are there any particular cases I need to be aware of when dealing with domain deactivation or reactivation?
- When a domain is deactivated, the corresponding rows in the sheet are deleted, but role mappings are retained.
- If the last domain of a plan is deactivated, the sheet is deleted, and the feature is deactivated for the plan.
- If a domain is reactivated, any existing role mappings are re-synced to the sheet, and users will regain access.
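The synchronization described in the Overview and the enable/disable/re-enable behaviour described in the questions above can be summarized as a small state model. The following Python is an added illustration written for this article, not Smartsheet's implementation or API: the plan, domain, role and group names are constructed, the role-to-group mapping stands in for the generated sheet, and `on_login` stands in for the reconciliation that happens when a user's IdP role arrives with a SAML login. It walks through the finance-to-marketing role change from the Overview, then shows that disabling the feature removes memberships while retaining the mappings, and that re-enabling restores access only once the user logs in again.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set


@dataclass
class IdpManagedAccess:
    """Hypothetical model of one plan's IdP-managed access state (not Smartsheet code)."""
    domain: str
    # IdP role -> IdP group. Retained at the domain level even while the feature is off.
    role_mappings: Dict[str, str]
    enabled: bool = False
    # The generated mapping sheet; exists only while the feature is enabled.
    sheet: Optional[Dict[str, str]] = None
    # IdP group -> current members. Rebuilt from SAML logins, cleared on deactivation.
    memberships: Dict[str, Set[str]] = field(default_factory=dict)

    def enable(self) -> Dict[str, str]:
        """Activate the feature: the sheet is (re-)created from the stored mappings."""
        self.enabled = True
        self.sheet = dict(self.role_mappings)
        return self.sheet

    def disable(self) -> None:
        """Deactivate: the sheet is deleted and memberships removed; mappings are kept."""
        self.enabled = False
        self.sheet = None
        self.memberships.clear()

    def on_login(self, user: str, saml_roles: Iterable[str]) -> Set[str]:
        """Reconcile one user's group memberships from the roles sent with the SAML login.

        The user is added to every group mapped from a current role and removed from
        every mapped group whose role they no longer hold, so a role change revokes the
        old access at the same moment it grants the new access.
        """
        if not self.enabled or self.sheet is None:
            return set()
        desired = {self.sheet[r] for r in saml_roles if r in self.sheet}
        for group in set(self.sheet.values()):
            members = self.memberships.setdefault(group, set())
            if group in desired:
                members.add(user)
            else:
                members.discard(user)
        return desired

    def can_access(self, user: str, shared_with: Iterable[str]) -> bool:
        """True if the item, shared with the given IdP groups, is reachable by the user."""
        return self.enabled and any(user in self.memberships.get(g, set()) for g in shared_with)


def role_change_walkthrough() -> dict:
    """Constructed scenario: finance -> marketing role change, then disable and re-enable."""
    plan = IdpManagedAccess(
        domain="example.com",
        role_mappings={"finance": "Finance (example.com)", "marketing": "Marketing (example.com)"},
    )
    plan.enable()
    finance_items = ["Finance (example.com)"]      # items shared with the finance IdP group
    marketing_items = ["Marketing (example.com)"]  # items shared with the marketing IdP group
    user = "pat@example.com"                       # constructed user

    plan.on_login(user, ["finance"])
    after_finance = (plan.can_access(user, finance_items), plan.can_access(user, marketing_items))

    plan.on_login(user, ["marketing"])  # role changed in the IdP; next login reconciles
    after_marketing = (plan.can_access(user, finance_items), plan.can_access(user, marketing_items))

    plan.disable()
    after_disable = (
        plan.can_access(user, marketing_items),  # access through IdP groups is gone
        plan.sheet is None,                      # sheet deleted
        plan.role_mappings == {"finance": "Finance (example.com)", "marketing": "Marketing (example.com)"},
    )

    plan.enable()
    before_relogin = plan.can_access(user, marketing_items)  # memberships rebuild on login
    plan.on_login(user, ["marketing"])
    after_relogin = plan.can_access(user, marketing_items)

    return {
        "after_finance_login": after_finance,
        "after_marketing_login": after_marketing,
        "after_disable": after_disable,
        "after_reenable_before_login": before_relogin,
        "after_reenable_and_login": after_relogin,
    }


if __name__ == "__main__":
    for step, result in role_change_walkthrough().items():
        print(f"{step}: {result}")
```

The model makes one point the prose states only indirectly: because membership is recomputed from the roles presented at login rather than edited by hand, the window in which a user keeps access to a previous role's items closes at their next SAML login, and the same reconciliation is what re-populates groups after the feature is re-enabled.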