How to provide access to specific sheets using a Smartsheet API access token?


What's the best approach to share a Smartsheet access token, generated through a service account, in a manner that restricts the recipient's access to all my sheets while ensuring the token has permission to access specific sheets?

Regards,

Klin

Answers

  • jmyzk_cloudsmart_jp ✭✭✭✭✭✭

    Hi @klin

    I would never share my Smartsheet access token. If someone gets your access token, the person can do whatever you can, even delete all sheets!

    Share the sheets, not the token approach.

    So, the safest way is to share the item that you want the person to perform work using API, with just enough permission. For example, if you add some columns to your sheet, you could give the person view-only permission and ask the person to copy the sheet, do the add columns work, and share the new sheet with you with admin privilege so that you can request the ownership.

    Even with this method, the person can access the information in the original sheet. So, to get extra security, create a copy of the sheet with no data and share the sheet, in this case, with higher privilege, even the admin share.

    Create an account and give limited access to that account

    If you can afford to add an account for this purpose, add an account and provide access to the account with minimum contents with minimum access level.

    For example, if you want a service provider to update the dropdown list based on the value in a master sheet, give access to only the sheet that needs to update the dropdown list and the master sheet.

    Even with this approach, giving access to the account with OAuth is safer. (If the account belongs to your company domain, the service provider can create some Smartsheet content that belongs to your organization, such as a dashboard. If this dashboard misled someone, you could be held responsible for giving the third party access to your company domain.)

    OAuth approach

    Generally, when a third party provides API service, you will see the "Allow Access?" panel like this. Read the description carefully. In the case of this image, the third party can update the sheet (delete all rows, for example) and update attachments (delete all attachments, for instance).

    Even if the Allow Access panel says "Read or View sheets," you have to be prepared for the information in all the sheets you can view to be exposed to the world.

    So, when you click "Allow," make sure the third party is a trustworthy organization.

    https://smartsheet.redoc.ly/#section/OAuth-Walkthrough/OAuth-Flow
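The two least-privilege approaches in the answer above ("share the sheet, not the token" and "request only the OAuth scopes you need"), as an added Python example that is not part of the original thread or of Smartsheet's own SDK. It assumes the public Smartsheet API v2 endpoints `GET/POST /sheets/{sheetId}/shares`, the `accessLevel` values `VIEWER` through `OWNER`, the authorize URL `https://app.smartsheet.com/b/authorize`, and scope names such as `READ_SHEETS` and `WRITE_SHEETS` as documented at the link above; the share list at the bottom is constructed sample data, and `client-id-placeholder` is a placeholder, not a real client id.

```python
"""Least-privilege helpers around the Smartsheet API (added example, not from the thread).

Assumptions (taken from the public Smartsheet API v2 docs, not from the original post):
  GET  https://api.smartsheet.com/2.0/sheets/{sheetId}/shares   -> {"data": [{"email":..,"accessLevel":..}, ...]}
  POST https://api.smartsheet.com/2.0/sheets/{sheetId}/shares   <- [{"email":..,"accessLevel":..}]
  OAuth authorize URL https://app.smartsheet.com/b/authorize with a space-separated "scope" parameter.
"""
import json
import secrets
from urllib.parse import urlencode
from urllib.request import Request

API_BASE = "https://api.smartsheet.com/2.0"
AUTHORIZE_URL = "https://app.smartsheet.com/b/authorize"

# Smartsheet sharing access levels, ranked least to most privileged.
ACCESS_RANK = {"VIEWER": 0, "COMMENTER": 1, "EDITOR": 2,
               "EDITOR_SHARE": 3, "ADMIN": 4, "OWNER": 5}


def authorize_url(client_id, scopes, state=None):
    """Build the OAuth "Allow Access?" URL requesting only the scopes named.

    A token minted from READ_SHEETS alone cannot modify anything; it is
    WRITE_SHEETS / ADMIN_SHEETS that let a third party delete rows or attachments.
    Returns (url, state); `state` must be checked on the callback (CSRF protection).
    """
    state = state or secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": client_id,
              "scope": " ".join(sorted(scopes)), "state": state}
    return f"{AUTHORIZE_URL}?{urlencode(params)}", state


def share_request(token, sheet_id, email, access_level="VIEWER"):
    """Return a urllib Request that shares ONE sheet at ONE access level.

    The access token never leaves its owner; only the named sheet is exposed,
    at the lowest level that gets the job done (VIEWER by default).
    """
    if access_level not in ACCESS_RANK:
        raise ValueError(f"unknown access level {access_level!r}")
    body = json.dumps([{"email": email, "accessLevel": access_level}]).encode()
    return Request(f"{API_BASE}/sheets/{sheet_id}/shares", data=body, method="POST",
                   headers={"Authorization": f"Bearer {token}",
                            "Content-Type": "application/json"})


def overprivileged_shares(shares, own_domain, max_external_level="VIEWER"):
    """Audit the "data" list from GET /sheets/{id}/shares.

    Returns (email, accessLevel) for every share to an address outside
    own_domain whose level exceeds max_external_level, e.g. a vendor with ADMIN.
    Unknown levels are treated as maximally privileged so they are never ignored.
    """
    limit = ACCESS_RANK[max_external_level]
    flagged = []
    for share in shares:
        email = share.get("email", "")
        domain = email.rsplit("@", 1)[-1].lower() if "@" in email else ""
        level = share.get("accessLevel")
        if domain != own_domain.lower() and ACCESS_RANK.get(level, 99) > limit:
            flagged.append((email, level))
    return flagged


# Constructed sample share list (not real accounts): one external ADMIN share to catch.
SAMPLE_SHARES = [
    {"email": "alice@example.com", "accessLevel": "OWNER"},
    {"email": "vendor@partner.example", "accessLevel": "ADMIN"},
    {"email": "auditor@partner.example", "accessLevel": "VIEWER"},
]

if __name__ == "__main__":
    url, _ = authorize_url("client-id-placeholder", {"READ_SHEETS"})
    print("consent URL (read-only scope):", url)
    req = share_request("TOKEN-PLACEHOLDER", 4583173393803140, "vendor@partner.example")
    print("share request:", req.get_method(), req.full_url, req.data.decode())
    print("external shares above VIEWER:", overprivileged_shares(SAMPLE_SHARES, "example.com"))
```

The share-audit function is the check worth scheduling: pull each sheet's share list with the owner's token and alert on any external address above the level you intended, which catches exactly the "I gave them ADMIN so they could copy it" case the answer describes.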