Smartsheet Admin and Security
How comfortable are you with your organisation’s Smartsheet security settings? When did you last check them? And are you ready if a key person moves role?
Smartsheet’s out-of-the-box admin settings are fine when you’re just getting started and your environment contains few assets. However, as you start collaborating and bringing more users into the platform, it’s important to continuously review them to ensure you always remain in control.
For Business plans and above, Smartsheet offers authentication options such as MFA and SSO, along with a safe sharing policy that can be enforced. There is also a range of controls around asset publishing, API token expiry and who can access forms. For Enterprise plans, data retention and egress policies are also available.
Prodactive can advise on the most appropriate settings to configure for your organisation, but why not first take our diagnostic to get a quick assessment of how things are looking?
Smartsheet Admin & Security Diagnostic
Five questions. Three minutes. A clear read on whether your Smartsheet environment is configured the way you think it is – and where the gaps are most likely to be.
Has anyone in your organisation ever done a deliberate review of what's actually in your Smartsheet environment?
Single select — this is the question most organisations find hardest to answer honestly.
Terminology
Sheet access report — an Admin Centre report showing every sheet in your organisation and who has access to it, available to System Admins. The starting point for any access review.
Published content — sheets, reports, and dashboards made publicly accessible via a URL, viewable without a Smartsheet login.
Orphaned assets — sheets, automations, and workflows owned by users who have since left the organisation. These don't disappear when someone is offboarded — they remain in the environment, often breaking silently or retaining access they shouldn't.
Which of these best describes how your organisation controls access to Smartsheet?
Single select — choose the option that most honestly reflects your current setup.
Terminology
SSO (Single Sign-On) — lets users log in to Smartsheet through your organisation's identity provider (e.g. Microsoft Entra, Okta, Google Workspace) rather than a separate Smartsheet password.
Domain registration — claiming ownership of your company email domain within Smartsheet, which prevents users creating personal free accounts with your company address and unlocks advanced provisioning controls.
Domain strict mode — restricts access so only users with your verified company domain can be provisioned into the environment.
Session controls — admin-level settings governing how long a Smartsheet session stays active before requiring re-authentication.
Think about how users join and leave your Smartsheet environment — and what happens to their work when they go.
Single select — be honest. This is where most environments have their biggest hidden risk.
Terminology
System Admin — the highest permission level in Smartsheet, with full access to the Admin Centre including billing, security controls, and all user management.
Group Admin — can manage user groups but has more limited Admin Centre access.
Orphaned assets — sheets, automations, and workflows that remain in the environment after their owner leaves, often breaking silently or continuing to run without anyone aware they exist.
Asset transfer — the process of reassigning ownership of a departing user's sheets and solutions to another licensed user before their account is removed.
Which of the following apply to your Smartsheet environment today?
Select all that apply — or select the last option if none have been formally reviewed.
Terminology
Publishing — Smartsheet allows sheets, reports, and dashboards to be published as publicly accessible URLs, viewable by anyone without a Smartsheet login. This can be enabled per item by any licensed user unless restricted at admin level.
API access tokens — credentials allowing external applications or scripts to interact with Smartsheet data programmatically. Unreviewed tokens can represent persistent access risk if the associated user has left or the integration is no longer in use.
External collaborators — users outside your organisation who can be shared onto sheets as viewers or editors without holding a paid licence.
Safe sharing — an Admin Centre setting that restricts which domains licensed users can share content with.
Which of these sounds most like how your Smartsheet environment is actually owned and managed?
Single select — this is the question that separates organisations that are configured from organisations that are governed.
Terminology
Admin Centre — the central control panel in Smartsheet (Business and Enterprise plans) where System Admins manage users, authentication, security settings, and sharing policies.
Baseline configuration — a documented record of your Admin Centre settings that serves as the reference point for reviews and audits.
Review cadence — a regular, scheduled process for checking that your configuration remains correct, intentional, and up to date as your organisation and Smartsheet's feature set evolve.
Wherever this diagnostic placed you, the gap is rarely about effort – it’s about attention. If anything here gave you pause, the next step is a 30-minute conversation with Phil Robbins, our Head of Delivery. No pitch, just a structured look at your environment and what good would mean for it.
Or try out our Admin and Security Health Check – it will provide a full list of governance recommendations, both immediate and ongoing, to ensure your Smartsheet environment remains in good health as you scale.
Try our Smartsheet System Admin quizzes to see how well you know the various features and responsibilities of a System Admin: