About Hello SysAdmins emails (notification of changes to asset ownership management, user reactivation, sharing authority management methods, etc.)

The Smartsheet system administrator will probably receive an email similar to the image below. I have organized the contents of this email and will report it here.

Key points

  • The reactivation process for deactivated users will change, introducing a seven-day limit on reactivation to strengthen security.
  • Transition to a plan-level asset ownership model. Ownership moves from the individual to the plan level for improved system administration and user experience.
  • For Enterprise plans, security enhancements: migrating the login policy to the domain level and implementing a new safe share list.

There are four points in content, which are as follows.

1. Changes to user reactivation process after deactivation

2. Change in asset ownership (move to plan-level asset ownership model)

3. Replace Delete User label with Remove User

4. Change "Sheet (Owned)" column to "Sheet (Created)" in User Report

Changes to user reactivation process after deactivation

To prevent inadvertent reactivation of deactivated users, Smartsheet plans to limit the ability to reactivate users (via the Admin Center or API) after seven consecutive days of deactivation. This means that the system administrator will not be able to reactivate these users after the 8th day.

What is user deactivation?

For example, if a user leaves the company, is seconded, or an external collaborator leaves the project, you have the following options. (For the differences, please refer to the help article. Deletion requires manual migration of assets and groups owned by the user.)

  • Delete share
  • Make user inactive
  • Delete user

Once deactivated, a user can no longer sign in to their company's Smartsheet account, but items they created are still available. Deactivation returns that user's license, and you can continue to access that user's assets and profile and reassign ownership of content and groups as needed.

What does the 7-day reactivation period mean?

Reactivation can cause various security problems because, for example, a user who has left the company will be able to access Smartsheet content again. On the other hand, if you accidentally deactivate a user, you also need a way to recover by reactivating them. However, I think this means that this is only possible for one week.

Without this feature, if your organization uses a Business plan or an Enterprise plan that allows login with an email address and password, a SysAdmin may accidentally reactivate an account months or even years later. If that happens, users who are completely unrelated to your organization will be able to log in and access Smartsheet sheets and other assets. So this is a very beneficial change from a security perspective.

Change in asset ownership (move to plan-level asset ownership model)

Currently, Smartsheet core assets (sheets, reports, forms, dashboards, etc.) are built and owned by an individual within the plan. However, the current ownership model can create friction when key stakeholders or asset owners leave the Smartsheet plan or organization. To address this, we will improve the experience for system administrators and their end users by moving ownership of assets such as sheets from the individual to the plan level.

What will change with the move to a plan-based asset ownership model?

Currently, when a user is deleted, system administrators have a 30-day grace period to transfer the deleted user's assets to another user. Otherwise you risk permanently deleting sheets etc. This occurs because Smartsheet assets are currently tied to individual users rather than plans.

To prevent loss of valuable assets and associated data, we are moving the ownership model for core Smartsheet assets (sheets, reports, dashboards, etc.) from individual users to plans. To facilitate this transition, we will introduce a new plan asset manager role and redefine the privileges of asset managers.

The new Plan Asset Administrator role will have owner-level permissions on all assets in the plan. With this change, access requests such as when an asset owner is absent or has left the organization will be sent to the plan asset administrator.

plan asset manager

The plan asset manager is assigned by the system administrator from among licensed users. Plan asset administrators receive access request notifications if an asset does not have an owner or administrator defined.

If no owners or managers are added to the asset, or if no plan asset administrator is assigned, the plan's system administrator receives an access request notification. In other words, if the plan asset administrator is not set, the system administrator will have that role.

The plan asset administrator will have several owner-level permissions on all assets within the plan, such as renaming assets, deleting assets, and assigning permissions. However, unless asset administrator privileges are also granted for a specific asset such as a sheet, the other asset administrator/user privileges, such as sorting columns, locking/unlocking rows, creating forms, and adding dependencies, are not granted as owner-level permissions.

However, if, for example, the system administrator is not set as a plan asset administrator, the system administrator has the authority to grant viewing, editing, and other permissions on a specific sheet or other asset. This also makes it possible for them to access sheets containing personnel data or other information that it is inappropriate for them to see. On this point, the help article (English only) explains that such changes are recorded and auditable, and that, if further restriction is necessary, the assets can be separated into a separate plan.

I'm concerned that system administrators can now assign permissions to anything. What should I do with sensitive data that shouldn't be accessible to system administrators?
Assets are managed by your company and, by default, system administrators cannot open and view them. When a system administrator assigns permissions to an asset, the event is logged and auditable.
To prevent existing system administrators from accessing certain assets, teams with special confidentiality needs may consider using a separate plan that they manage themselves and not giving access to other users.

Replace Delete User label with Remove User

We plan to replace the term "Delete User" with "Remove User" in the User Management screen of the Admin Center. This adjustment makes it clear that the user is not removed from the Smartsheet platform, but simply removed from the organization.

Change "Sheet (Owned)" column to "Sheet (Created)" in User Report

With the plan-level asset ownership adjustments, individuals are no longer designated as owners of core assets in Smartsheet, such as sheets. Therefore, in user reports created via the Admin Center, the "Sheets (Owned)" column will be changed to "Sheets (Created)" to accurately represent the number of sheets created by the user.

Email to SysAdmins for Enterprise Plan

In addition to the above, the following two points have been communicated to Enterprise Plan system administrators.

3. Move login policy to domain level

4. New Safe Sharing

Migrate login policy to domain level

The first phase of this change, aimed at increasing the security of user authentication, will allow system administrators to define the SAML configuration at the domain level. SAML policies established at the domain level apply to all users within that domain, regardless of their specific plan.

This feature is Enterprise only. Policies configured by your system administrator will apply to all Smartsheet users in the domain, regardless of plan type. That is, a uniform process is guaranteed for all employees belonging to that domain, regardless of their department or the specific Smartsheet plan they use. As a result, domain-level configuration also eliminates the need for individual settings at the plan level, contributing to improved security and management efficiency. (For more information, see the help article. English only.)

New safe share list (Sheet-based)

The existing secure sharing interface will be enhanced. In the updated system, system administrators need a valid license to enable or modify the secure share list. Also, enabling this policy creates two sheets, one for domain management and one for email, and each sheet is limited to 20,000 rows. (Translation of email content)

safe share list

For added security, Enterprise plans allow you to restrict sharing by domain or specific email addresses. For example, you can share a sheet only to people with company email addresses. Therefore, even if a user with sharing privileges tries to share a sheet, for example, with a user outside the company or his/her own personal email address, if the user is not on the safe list, the sharing will not be possible, improving security.
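The allow-list decision described above, sketched as an added example (not Smartsheet's code and not from the original email). The function names and sample data are hypothetical, and the matching rules are assumptions: addresses compare case-insensitively, and a domain entry matches only that exact domain, never a subdomain or a look-alike containing it.

```python
# Added illustration: models the safe share list described above.
# All names and the sample data are hypothetical / constructed.
MAX_ROWS = 20_000  # per-sheet row limit quoted in the email


def load_list(rows):
    """Normalise one sheet's rows (domains or emails) into a lookup set."""
    entries = {r.strip().lower() for r in rows if r and r.strip()}
    if len(entries) > MAX_ROWS:
        raise ValueError(f"{len(entries)} entries exceeds the {MAX_ROWS}-row limit")
    return entries


def is_share_allowed(recipient, domains, emails):
    """True if the address is on the email list or its domain is listed.

    Assumption: domains match exactly (no subdomain or substring matching).
    """
    addr = recipient.strip().lower()
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return False  # not a usable address: fail closed
    return addr in emails or domain in domains


def blocked_recipients(recipients, domains, emails):
    """Return the recipients for whom a share request would be refused."""
    return [r for r in recipients if not is_share_allowed(r, domains, emails)]


# Constructed sample data
DOMAINS = load_list(["Example.com ", "partner.example"])
EMAILS = load_list(["auditor@consulting.example"])
REQUEST = [
    "alice@example.com",
    "Auditor@Consulting.example",
    "alice@gmail.example",           # personal address, not listed
    "bob@example.com.evil.example",  # look-alike domain
    "carol@sub.example.com",         # subdomain, not listed under exact match
]

if __name__ == "__main__":
    for r in blocked_recipients(REQUEST, DOMAINS, EMAILS):
        print("blocked:", r)
```

Whether Smartsheet itself treats subdomains as covered by a parent-domain entry is not stated in the email, so check that behaviour before relying on a domain entry alone.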

Specifying domains and email addresses using sheets

Currently, these domains and email addresses are edited and managed in the Admin Center. The translation above suggests that it will become possible to edit and manage them in sheets instead. This is likely to be an attractive feature for organizations that share content with many external users. I will report again once I know the details.
