Unintended Admin Privileges When Provisioning Projects in Control Center

LeoNatanian

Hello All!

We are encountering an unexpected behavior when provisioning projects through the Control Center in Smartsheet. Upon setting up a new project with the intended permission level of "Editor - can share" for the Project Manager (Mario), we've noticed that Control Center is unintentionally granting Admin privileges on individual assets within the project.

This behavior violates our principle of least privilege, which is concerning. In the example provided (referencing an image attached), Mario should only have Editor access to the asset in question, but they currently has Admin-level permissions, which is not intended.

My hypothesis is that this may stem from a hidden requirement within the Control Center blueprint—specifically, it might be related to WorkApp functionality where the owner of the WorkApp needs Admin privileges to add Dashboards or other functionalities. This seems to override our defined permission settings.

We are seeking guidance or insights from the Smartsheet community on how to prevent this unintended behavior. Is there a known workaround or setting within Control Center that can ensure that asset-level permissions align with the workspace-level permissions? Any advice would be greatly appreciated!

Thank you in advance for your expertise.

kowal

hi @LeoNatanian,

when you create the blueprint the last page before you go to "save" button is always showing the permission to who is admin etc. are you sure it' not configured there who shall be the admin of the provisioned projects?

LeoNatanian

@kowal
Thank you for your helpful feedback! It’s a great reminder to double-check the permissions in the Blueprint. As shown in the attached screenshot, only program leads and a specific admin group should have Admin access to assets. No other users or groups should be granted elevated permissions beyond these settings.

kowal

@LeoNatanian and you also checked that Mario is not admin already on the templates or is already having permission on the workplace where the projects are provisioned?

LeoNatanian

@kowal

Correct, I've also confirmed that Mario isn't an admin on the toolkit templates. The only common thread we've identified so far between users who experience elevated privileges and those who don’t is whether they hold a paid Smartsheet license. In contrast, users without a paid license receive the intended "Editor - can share" permissions.

When a Project Manager has a paid Smartsheet license, we observe:

1. The PM correctly owns their respective Project WorkApps.
2. They're granted Admin access to all assets within the project workspaces—something not anticipated.
3. This higher-level permission allows them to modify underlying assets, which on occasion has inadvertently broken our portfolio reporting logic. We've encountered this issue a few times so far.

kowal

@LeoNatanian I am out of ideas why Mario is added to your workspaces automatically without reason?

maybe someone created a Bridge workflow for that?