Configure Smartsheet roles for Okta groups

APPLIES TO

  • Enterprise

RELATED CAPABILITIES

Who can use this capability?

  • System Admin

Use Okta groups to assign Smartsheet roles to users. You can create brand new Okta groups which map to each Smartsheet role, or you can use existing Okta groups and assign roles based on existing Okta group membership. 
 

Okta's Group Priority concept may require you to use the Force Sync feature in Okta after updating a user's group membership to ensure that the role changes are synced to Smartsheet. If a user is added to or removed from a group with lower priority than their existing groups, the update will not be automatically pushed to the application

Configure Smartsheet roles for Okta groups

APPLIES TO

  • Enterprise

RELATED CAPABILITIES

Who can use this capability?

  • System Admin

Overview

This article discusses information relevant to both the Legacy Collaborator Model and the User Subscription Model. If you're unsure about your model type, learn how to determine the model your plan is on.

  • In Legacy Collaborator Model plans, Smartsheet supports unlicensed users so you can also provision Smartsheet users without any roles. Any new unlicensed user provisioned through Okta doesn't appear in Smartsheet's Admin Center until they sign in for the first time or are added to a Smartsheet group.
  • In User Subscription Model plans, all new users provisioned through Okta are designated as Provisional Members upon creation. The only exception to this rule is the System Admin role, which can be provisioned as a non-Member user. Additionally, upgrading or downgrading existing users is only supported through the Manage True-up page in Admin Center.
Smartsheet rolesMapping valuesVariable names (preferred)
Smartsheet Licensed UserLICENSED_USERsmartsheetLicensedUser
Smartsheet Group AdminGROUP_ADMINsmartsheetGroupAdmin
Smartsheet Resource ViewerRESOURCE_VIEWERsmartsheetResourceViewer
Smartsheet System AdminSYSTEM_ADMINsmartsheetSystemAdmin

Expressions explained

  • isMemberOfGroupName('Smartsheet US Licensed User')
    • This part of the expression checks if the user is a group member named ”Smartsheet US Licensed User.”  This results in the next part of the expression being true or false.
  • ? 'LICENSED_USER' : ''
    • If the previous part is true, which means the user is a member of the “Smartsheet US Licensed User” group, then we want to give the user the “LICENSED_USER” role.
    • If the previous part is false, which means the user is NOT a member of the “Smartsheet US Licensed User” group, then we don't want to give the user the “LICENSED_USER” role (hence the empty quotations).

Assign users to Okta groups

Set up an Okta group for each Smartsheet role and assign users to these role-based groups.

  1. Go to the Okta Directory Groups tab.
  2. Create a group for each role.
  3. Refresh the page if your Okta groups don't appear. 

Update Smartsheet role mappings in Okta

To update the mappings of Okta group memberships to Smartsheet roles:

  1. Go to Profile Editor and select the Smartsheet User profile created for this integration. The Smartsheet User profile will likely have a name that contains the application label you defined when adding the Smartsheet integration. Four Smartsheet role attributes will auto-populate:
    • Smartsheet Licensed User
    • Smartsheet Group Admin
    • Smartsheet Resource Viewer
    • Smartsheet System Admin
  2. At the top of the Attributes pane, select Mappings and then select the Okta User to Smartsheet mappings.
  3. For each Smartsheet role mapping, add an expression as shown below. Make sure that spelling and case are correct.
    • isMemberOfGroupName('Smartsheet US Licensed User') ? 'LICENSED_USER' : ''
    • isMemberOfGroupName('Smartsheet US Resource Viewer') ? 'RESOURCE_VIEWER' : ''
    • isMemberOfGroupName('Smartsheet US Group Admin') ? 'GROUP_ADMIN' : ''
    • isMemberOfGroupName('Smartsheet US System Admin') ? 'SYSTEM_ADMIN' :

      Brandfolder Image
      Okta user to Smartsheet mapping example
  4. At the bottom left of the screen, select Preview to validate your mappings against existing users.
    • For example, John Doe is a member of only the Smartsheet US Licensed User and the Smartsheet US Resource Viewer Okta groups. The preview shows John Doe will only be provisioned the Licensed User and Resource Viewer roles.

      Brandfolder Image
      Preview of the Okta to Smartsheet mapping
  5. If everything looks good, select Exit Preview and then select Save Mappings.
  6. Return to the Okta groups you created for the Smartsheet roles and assign users to the groups for which they need Smartsheet roles.
  7. Provision the Smartsheet US application to the overall set of users who need access to Smartsheet, regardless of roles. Determine whether you want to use an existing group or create a new group.
    • Let’s say you want to give an existing group (IT Admins) access to Smartsheet. Select the group, select the Applications tab, Assign Application, and assign the Smartsheet application to that group.

      If users in this group aren't part of any Smartsheet role groups, they’re provisioned to Smartsheet as unlicensed users.

  8. Leave all the Smartsheet fields blank, save, and return to the Groups tab.
  9. If all users in the IT Admins group are assigned to the correct Okta Smartsheet roles groups, your users will be fully provisioned with the appropriate Smartsheet roles in Smartsheet.
  10. You can view the Okta logs from the left rail. Select Reports > System Log to see if there were any issues with provisioning to Smartsheet.