Admin Center - Form Security - Permission Inheritance - Downgrading

To answer your last question - yes, that's correct and what I was wondering about.

Restricting it to people with a Smartsheet account still means anyone with a Smartsheet account could view the Form. The could create a free trial or be a part of a different plan and see your sensitive dropdown items.

I would potentially suggest adding those sensitive forms as an embedded Web Content widget in a Dashboard. Then you can either just share the Dashboard directly to specific groups/people, or use the published Dashboard link that restricts it to users in your Domain.

The embedded Form URL will only be accessible to users shared to the sheet or to the Dashboard with Admin permissions.

For your first question, you're correct - there currently isn't a way to see a list of all forms in your organization from the Admin Center. You can download a Sheet Access Report which identifies all the sheets, but not forms.

That said, you could use the Smartsheet API to List Sheets, then loop through the Sheet IDs to Get Sheets, with the parameter of include=publishedFormContainers . This would only get information for all the sheets that your specific account has access to, so if you're not shared to the sheet with the form it won't be included.

If your orgnaization has Event Reporting you could get notified every time a new form was created as well.

I hope that helps!

Genevieve

All comments

Paul Newcome

I believe that anything already created will be unaffected by the change.

@Genevieve P. Would you happen to know for sure?

https://community.smartsheet.com/discussion/comment/399279#Comment_399279

Thanks for your quick response, Paul.

I too believe that they'll hold their current permissions. I dislike making any global changes... even tests of global changes... without having a high level of confidence that it'll work. If Genevieve also believes it, but isn't 100% sure, I think the 3 of us (plus one of my Smartsheet "super-users") being pretty sure will be good enough to do a test of the change. ☺️

Hey @Jonathan Hebert (and thanks for the tag @Paul Newcome!)

I'd like to get you a definitive answer on this... even though I have my "likely" guess. I know you noted this was urgent, but if you're able to wait until tomorrow morning I'll be able to test properly / connect with the proper resources to give you a certainty!

Cheers,

Genevieve

https://community.smartsheet.com/discussion/comment/399312#Comment_399312

Thank you, Genevieve. 🙏 I appreciate it very much. I can wait until tomorrow.

Thanks for waiting!

So here's what I found in my tests:

If the default initially requires access then gets downgraded, any forms that previously required access would now allow anyone to access (default adjusted)
However, if any form had required the logged in user to also be in the safe sharing domain, they'd still require login and for the logged in user to be on the safe sharing domain.

You noted in the first post that you have forms with sensitive dropdowns. Are those forms restricted to any Smartsheet account in general, or your safe sharing domain?

https://community.smartsheet.com/discussion/comment/399584#Comment_399584

Thanks so much for all your work on this, Genevieve.

Unfortunately, I don't know who else is using Forms at the moment, nor do I know if they were restricted to safe sharing domain. Therefore, I can't go and ask everyone to change every one of their Forms' individual permissions to prevent them from being shared with just "anyone." Is there a way to see, or run a report, of all Forms that people are using? I did some searching and can't find anything, so I assume the answer is no.

Therefore, I think we may have to address this concern from a risk management perspective.

A colleague brought up a good point: Our Form Permissions are currently set to "Only people with a Smartsheet login." If a bad actor somehow got the link to one of our sensitive forms, all they'd have to do is create a login with any public email address (BadActor123@gmail.com, Hacker123@yahoo.com, etc.), then voila, they can comb the form for any sensitive data to exploit. If we change the global setting to "Anyone with the link," all we're doing is removing the one small barrier of creating the free email address and creating the Smartsheet login.

Is that correct?

To answer your last question - yes, that's correct and what I was wondering about.

The embedded Form URL will only be accessible to users shared to the sheet or to the Dashboard with Admin permissions.

If your orgnaization has Event Reporting you could get notified every time a new form was created as well.

I hope that helps!

Genevieve

Hi Genevieve.

Thanks for all this wonderful information and guidance. It's really helpful.

I marked your last response as the Answer before I commented. I realize I should have quoted and commented on it before marking it as the answer. Whoops! 😆

The Dashboard URL option is pretty ingenious. However, by the way you described it, and the way the permissions are described in the screenshot, it seems that we would still need people to have an email address and Smartsheet login. We're trying to get this one, non-sensitive Form, out to the general public. It's all the other Forms which may be out there and contain sensitive data. As I think I said previously, I'm pretty sure there are already Forms with sensitive data in the drop downs, so those could potentially be exposed if we downgrade the permission. I think the risk and chance is extremely low, but in today's world, "Risk Management" seems to have tightened up to be "No Risk." A.k.a. "Zero Trust." So, I don't believe the Security folks would approve.

I marked your last post as the answer, as those other ideas are really great. ✅ I just don't think they'll work in time with everything else we have going on internally.

Thanks again, Genevieve!

If it's just one form that needs to bypass your security... what about using Smartsheet's connection with Google Forms to gather the data? That way you can keep your current security settings throughout the entire organization, but still gather content publicly through this one channel.

Here's more information: Smartsheet Sync Add-on for Google Forms

Data submitted through a synced Google Form will create new rows in a Smartsheet sheet. There are limitations to using this connection, and your account may have disabled third-party apps, but it's a thought.