Changes to asset Admin permissions and new Plan Asset Admin role, now generally available!


Answers

  • Stu Benoff ✭✭✭✭

    I don't see how the design for Plan Administrator is going to be useful in an Enterprise environment. If I understand correctly, as a System Admin, anyone that I grant the Plan Admin role to will be able to grant themselves access to anyone else's objects. So if I give someone in hospitality the Plan Admin role, they will have the ability to grant themselves access to sheets that belong to someone in HR? I think I understand that there will be an auditing feature, which I haven't seen yet, but this will be after-the-fact, and if it's like other Smartsheet so-called auditing functions it will fall short of the mark. Auditing functions, IMO, belong with the object owner/creator and not land on the System Admin. I believe that the Plan Admin role needs to be much more granular - like, everyone in a department, or a group, or some identifiable cohort and not just enterprise-wide. We will not be able to utilize this role as designed.

  • QuanT (Employee)

    @Stu Benoff The Plan Asset Admin will be able to grant themselves access if they request access to the asset, and approve it. However, the request will go to the owner/admin of the asset and will only get to the Plan Asset Admin if the owner is deactivated and no admins are assigned to the asset. Each access approval is logged in Event Logging.

    We are thinking of enabling the audit in other parts of the system and appreciate the feedback.

  • Stu Benoff ✭✭✭✭

    Isn't the point of this change that there won't be owners anymore? The plan is the owner. So when this change goes in and John Doe owns an object, doesn't he become the creator? Then, who is the admin? Isn't there only an Admin if one was assigned by the owner? Maybe Smartsheet should notify all current owners that they own objects that don't have at least one admin assigned and "strongly recommend" that they assign one before they lose their owner role?

    The point really is, in a large organization, we cannot assign a Plan Admin that can grant themselves access to an object that is not even in their "reporting line." Maybe if we had a Plan Admin for the finance group and one for x and one for Y where they could only grant access to objects under their purview and not corporate-wide - then maybe. But no way could we allow enterprise-wide self-granting access.

    Event Reporting - IMO, Smartsheet needs to provide this tool to all plans and not make us develop anything to track and manage the application.

    Happy to discuss this in further detail.

  • Julie Becker ✭✭✭✭✭
    edited 02/20/24

    I agree with @Stu Benoff on not allowing "Enterprise-Wide - Self Granting Access" as well. Since I had read that in the initial beginning of this topic, I had to go in to all our sheets and either remove or reassign the admin rights in order to prevent the wrong admins getting assigned. There are too many sheets for us to quickly address when this is rolled out, which is why I had to start making early adjustments to our current sheets (which I DON'T have time to be doing). Basically I am being forced to fix/address/change our current assets to prevent this new feature being applied to our assets the wrong way (at least until we / I have had a chance to test it once rolled out).

    I really wish the Smartsheet Team (@QuanT & @Lekshmi Unnithan) would provide a more detailed and explained process for each feature that will be released in order for us to provide our concerns/feedback.

    Julie Becker ☠️

    Construction Project Engineer / Coordinator & Software Program Oversight Mgr. 😉

    Successful People Are Not Gifted; They Just Work Hard, Then Succeed On Purpose‼️

  • ker9 ✭✭✭✭✭✭

    Just wondering what happens if we don't assign anyone to the role of Plan Asset Admin. Will the world end? Will it be required?

    We already have a process in place to manage terminations and assets, but I can see where this might also be helpful.

  • Stu Benoff ✭✭✭✭
    edited 02/20/24

    @ker9 Without a Plan Admin, requests for access will go to the System Admin(s). Currently, I am one of them and right now I tell people I can't grant access requests because, well, I can't. System Admins don't have this capability.

    After this change, System Admins will have this "power" so when people mess up and the creator leaves and didn't assign anyone as an Admin, then the System Admin can fix it. Great (sarcasm).

    I would prefer Smartsheet allow fully licensed users the ability to run a sheet access report for their objects so that they can see what they have created and the permission levels and then assist those owners with making sure that they have Admins assigned because the people shared to the sheet have better knowledge as to who should have access and who shouldn't versus the System Admin.

    I don't know where we stand size-wise to you all but we have >11,000 sheets. I can't automagically look through them, or the enterprise-wide sheet access report, to determine which sheets or workspaces don't have Admins. I truly feel that Smartsheet should help us with this analysis and not just turn on a feature without providing the backend support.

    Again, no way can we use Plan Admin as designed. I can't give someone the power to give themselves access to any other objects across the enterprise. Who cares if it's audited after-the-fact when someone finds out everyone else's salary? I'll be fired in a heartbeat. This design works fine for small plans where everyone knows everyone else but not for an enterprise or other type of large widespread plan.

  • ker9 ✭✭✭✭✭✭

    @QuanT

    We currently transfer ownership prior to deactivating - how will that change? Will we be able to do something similar to ensure that there is at least one Admin level person attached that is appropriate for the asset?

    I am still a bit confused about whether there will be an Owner or if the owner will become an Admin. The help article mentions Owner or Admin under Plan Asset Admin heading.

    Another concern is deleted assets going to the folder of the person that deleted. On two separate occasions I had different people decide to delete anything they didn't want to see in their view without realizing that they deleted everything for everyone shared. Currently, owners can retrieve those; in the future I don't know how a situation like that will be handled.

    Thank you.

  • ker9 ✭✭✭✭✭✭

    @Stu Benoff

    We have 50,000 sheets, 1700 workspaces, 5000 reports, 76 dynamic views, and I don't know how many WorkApps, pivots, calendars. 2700 users (both licensed and not), 14 system admins. (We need to clean house, some of this stuff is old.)

    We worked out a process for terminations long ago. No one leaves without their assets going somewhere. The problem is with assets we can't see, like WorkApps. Prior to deactivating, we transfer ownership. I don't know how this will work going forward.

    I have two separate accounts specifically for administration of SS (in addition to my own account) and am the default if we can't find someone else to take over (rarely happens). I'll be a Plan Asset Admin; it remains to be seen how many of us there will be.

    In multiple workspaces totaling ~8000 sheets we have over 500 people at the admin level. Sharing requests going to everyone are going to be ignored or worse.

  • Stu Benoff ✭✭✭✭

    Nice - an even better example.

    We have a process to transfer ownership when people leave as well, only, with the changes, users won't own the sheets - the plan will - so there will be no need or a reason to transfer. Ownership won't be the issue. Access will be. When the owner leaves, only users with Admin or Editor - can share rights will be able to control access to those sheets. If none of them exist, then the Plan Admin can grant access. If there's no Plan Admin, then the System Admin gets to control access permissions.

    Right, WorkApps, Pivots, Dynamic Views, etc. Wonder how they will work. What about published items? Who owns them?

    In an organization as large as yours do you think you'll be able to assign Plan Admins that can, theoretically, grant access to any object to any user? Is that acceptable from an audit and compliance perspective?

    Maybe someday we could talk through how you handle My Smartsheet Contacts. Another best and worst feature.

    Thanks.
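
Added example (not part of the thread and not Smartsheet code): the escalation order described in the replies above (asset owner/admins, then Plan Asset Admin, then System Admin) applied to a sharing export, to list the assets left with no active owner or admin, which is the analysis asked for earlier in the thread. The CSV columns, permission labels and addresses are constructed assumptions, not a real Smartsheet report format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; column names and values are assumptions.
SAMPLE_EXPORT = """asset_id,asset_name,user,permission,user_status
101,HR Salaries,alice@example.com,OWNER,deactivated
101,HR Salaries,bob@example.com,EDITOR,active
102,Menu Planner,carol@example.com,OWNER,active
103,Budget FY24,dave@example.com,OWNER,deactivated
103,Budget FY24,erin@example.com,ADMIN,active
104,Old Tracker,frank@example.com,ADMIN,deactivated
"""

# Assumption: only active owners/admins on the asset receive access requests.
APPROVER_LEVELS = {"OWNER", "ADMIN"}

def load_assets(text):
    """Group export rows by asset and keep only active asset-level approvers."""
    assets = defaultdict(lambda: {"name": "", "approvers": []})
    for row in csv.DictReader(io.StringIO(text)):
        asset = assets[row["asset_id"]]
        asset["name"] = row["asset_name"]
        if row["permission"] in APPROVER_LEVELS and row["user_status"] == "active":
            asset["approvers"].append(row["user"])
    return dict(assets)

def route_request(asset, plan_asset_admins, system_admins):
    """Return (tier, recipients) following the fallback order described in the thread."""
    if asset["approvers"]:
        return "asset", sorted(asset["approvers"])
    if plan_asset_admins:
        return "plan_asset_admin", sorted(plan_asset_admins)
    return "system_admin", sorted(system_admins)

def audit(text, plan_asset_admins, system_admins):
    """List assets whose access requests would escalate past the asset itself."""
    findings = []
    for asset_id, asset in sorted(load_assets(text).items()):
        tier, recipients = route_request(asset, plan_asset_admins, system_admins)
        if tier != "asset":
            findings.append((asset_id, asset["name"], tier, recipients))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT, [], ["sysadmin@example.com"]):
        print(finding)
```

Each finding is an asset that needs an admin assigned by someone who knows its audience before the fallback tiers become the only approvers.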

  • QuanT (Employee)

    @ker9 The Plan Asset Admin role is optional.

    @Stu Benoff Appreciate the examples, hoping we can discuss further.

    @Julie Becker Also appreciate all the feedback. Let me try to find time for us to discuss further as well.

  • ker9 ✭✭✭✭✭✭
    edited 02/21/24

    @QuanT

    We currently transfer ownership prior to deactivating - how will that change?

    Will we be able to do something similar to ensure that there is at least one Admin level person attached that is appropriate for the asset?

    I can't own and manage 50,000 sheets as Plan Admin - I need to be able to assign an Admin during deactivation if there isn't an admin on the asset. We have a process in place and I know who to assign it to.

  • Debbie Sawyer ✭✭✭✭✭✭

    @QuanT

    I still have some clients that are worried about this change. Are you able to facilitate a live Q&A webinar where clients that are concerned can ask their questions?

    Or maybe set up a Smartsheet Form and share the link, so that clients can ask their questions direct and have a proper answer to their concerns?

    The ones I put on this thread haven't really been answered.

    Thank you!

  • Gina Smith ✭✭✭✭

    Can someone please give us the future roadmap of this new process? The enhancement we have been asking for over a couple of years is the need for a Super Admin role where Super Admins can see every asset created under our enterprise organization. Our parent company is putting tremendous pressure on us to move to a software that offers us full transparency of all assets created under our organizational name. I know the current Plan Asset Admin document states that Plan Asset Admins will have visibility to "all assets" but we have been told repeatedly this is not the case, it is still only assets that have been shared with us.

    My team has been tasked with creating a Data Index of all data collections under the company name. We cannot complete this task if we cannot see (and access) all assets created. If the asset was created on company time and the result of a company task, the asset legally belongs to the company, not the individual staff member who created it.

    We have also been told it is not possible to grant Super Admins access to all assets because of HIPAA/FERPA violations. Ultimately, it is the responsibility of our organization to ensure compliancy with HIPAA/FERPA and our organization cannot ensure compliance if we cannot see the asset being created.

    We just had an instance of employees reaching out, who had the link to a form, but no one could locate the owner of the sheet. It took 5 people and a total of 2 hours and the help of Smartsheet support to find the sheet the form belonged to so we could get ownership transferred to the necessary individual. That was 2 hours of 5 people's time wasted because our organization does not have access to the assets created under the organization's name.

    Thanks!

  • S-Jacob ✭✭✭

    I was a lot more excited about this feature before I realized it only applies to assets owned by a deactivated account. I was looking forward to not having to have several back-and-forth e-mails with someone to confirm what the sheet name is or who owns a sheet before I can begin to address their question with the sheet. Yesterday it was five e-mails and two Sheet Access Reports to confirm that the person asking the question only had “editor cannot share” authority to a sheet and sent the link to someone and that’s why the recipient could not see the sheet. If system admins could activate a role to see all enterprise assets, I could have confirmed that at step one.

  • MHalvey ✭✭✭✭✭
    edited 02/27/24

    I'm looking to understand this change from the help article, "Asset ownership updates | Smartsheet Learning Center". If anyone has seen answers for my below questions, please feel free to quote them to me.

    My questions are:

    1 - It says "on the asset" so does that mean asset level Admin only sharing and not Workspace level Admin sharing will receive the access request emails?

    2 - Is it for Licensed and non-licensed users? Since a non-licensed user can be made an Admin on an asset or Workspace level, will they receive the access request alerts?

    3 - If you have User Groups shared as Admins, and that group has 30 people in it, they ALL will receive an access request to the asset? If one approves it, what happens to the 29 other requests? Will it show in the activity report who shared the asset?

    4 - My organization is under 100 people but for these larger companies, I can't imagine how you will navigate improper approvals of sharing permissions or access now that the alert goes to ALL Admins and not just the asset Owner. I can't tell you how many people in my company don't read approval requests or alerts and just hit approve or next buttons. Sure, it's company training but this change will cause so many more improper sharing mistakes. Does anyone have any suggestions for this case? Can we change the default Sharing Permissions from Editor - Can Share to Viewer in the Admin Center?

    5 - Can this be switched off? Maybe allow the Plan Asset Admin control over it all? There needs to be a single user managing the access of an asset, not a group of 30+ or more.


    Thank you for your time,

    Michael

    Michael Halvey

    "Strive for Progress, not Perfection."