Applies to

Smartsheet
  • Enterprise

For more information about plan types and included capabilities, see the Smartsheet Plans page.

Capabilities

Who can use this capability

  • System Admin

Find out if this capability is included in Smartsheet Regions or Smartsheet Gov.

Set up and configure Enterprise Plan Manager

PLANS

  • Smartsheet
  • Enterprise

For more information about plan types and included capabilities, see the Smartsheet Plans page.

Permissions

  • System Admin

Find out if this capability is included in Smartsheet Regions or Smartsheet Gov.

Use Enterprise Plan Manager (EPM) to set security and governance policies for all plans across your organization’s validated domains. 

EPM creates a plan hierarchy with two levels:

  • Main plan: This plan sets the policies and adds plans to the family.
  • Managed plan: These plans inherit security and governance policies from the main plan. 

Contact your Smartsheet Customer Success Manager or Technical Account Manager to designate your main plan for EPM.

Once the main plan is set, follow the steps below. 

Validate your domains

  1. Select Add Domain and follow the instructions on the right panel. You must set up a public DNS record to verify your domains. Not sure how to do this? You can copy the instructions in the wizard to notify your public DNS admin and have them do it for you. 
  2. After you’ve entered all your information, select Verify

Learn more about domain validation

Once your domains are verified, any plans opened under that domain appear on the Manage Plans screen.  

Configure your authentication settings

This process ensures everyone in your organization uses the same sign-on method. Follow the instructions in the wizard; you may need to contact your Identity Provider to obtain the information you need. 

It’s best practice to use single-sign on (SSO) for authentication and to disable email/password. Before you apply this best practice, confirm your team’s SSO readiness. Give your team a heads up that you’re implementing centralized plan management. Let everyone know they will be added to the EPM family. Ask each plan admin to confirm people in their plan use SSO email addresses as their primary email addresses. The main plan Admin must leave email/password on at the main plan level until all managed plan admins have confirmed their SSO readiness.

If the managed plan admins don’t respond, the main plan admin may need to contact them to discuss that individual managed plan admins MAY have to run a User Merge to update primary email addresses to match SSO email addresses of any remaining users.

  • In Admin Center, select Configure authentication settings and follow the instructions on your screen. 

Need more on configuring your authentication settings? Read Manage authentication options for an Enterprise plan

Add managed plans to your family

 

  • On the Manage Plans screen, select the plans you want to work with and then select add. This will convert any independent plans to managed plans. They’ll automatically inherit the authentication and domain validation settings you created in the main plan. 

A message identifies any Ineligible plans. Contact the owner of the plan to find out if they’d like to merge their plan into an existing managed plan or upgrade to an Enterprise plan. Set a timeframe for enforcement (for example, activation of UAP) and communicate that to your team. After that, they will still be able to use their plan but they can't add new users.

Set User Auto-Provisioning (UAP) behavior. 

This section contains information relevant to both the Legacy Collaborator Model and the User Subscription Model. Not sure which model your plan uses? Check if there’s a Manage true-up page in Admin Center. If there is, your plan uses the User Subscription Model. See the User Subscription Model overview article for more information.

This setting will apply to all users on your validated domains by default. Once you've added specific domains, you can toggle UAP on and off for them. 

Non-Enterprise plans must upgrade or merge before you activate UAP. After you activate UAP, non-compliant plans can't add new users.

Learn more about user auto-provisioning.

  1. From the Admin Center menu, in Settings, select Auto-Provisioning.
  2. From the Auto-Provisioning Behavior dropdown select one of the following options: 
  • Off: The user won't be provisioned automatically.

  • On: Add as free user: The user will automatically be added as an unlicensed user.

    This option only applies to the Legacy Collaborator Model

  • On: Add as licensed user: The user will automatically be assigned a license (Legacy Collaborator Model) or Member designation (User Subscription Model).

Learn more about user types. 

Once UAP is set up, managed plans can add unlicensed users (Legacy Collaborator Model) from the main plan or invite people who don’t have Smartsheet accounts to join their plans.  If you use SAML for authentication, you can also set a user movement policy. Learn how to set a user movement policy

Inherited permissions

If you have multiple plans and one plan is the main plan under Enterprise Plan Manager, you can set publishing controls for reports, sheets, and dashboards in the main plan. All managed plans will inherit those controls.

You can also set safe sharing controls in the same way.

You can change these settings on the managed plan if you are an administrator on the main plan.

 

Was this article helpful?
YesNo