Legacy Plan Changes Allowing External Users Able to Create Assets

Hi - can someone help me understand or get caught up on the changes to user capabilities under the legacy plan? I've opened up a support ticket about this.

I took over as the System Admin last year. In trying to clean up our user list, I discovered an external user on our User Type report but NOT on the User Management list in the Admin Center. Attempts to REVOKE access have failed because Smartsheet says they own assets that need to be transferred. This was odd.

I always thought external users NOT under our plan could NOT create or own assets that are under OUR plan. But Smartsheet support is tell me recent changes now allow external users with a license on another company's plan and is shared an asset with Admin permissions, they can create and own assets under our plan.

Attempts to request ownership of the assets have had no response because the request obviously goes to the owner (the external user). We haven't gotten a response to those requests from the asset owner (the external user) and we are waiting to find out if that person even works for that company anymore.

Can someone confirm this current change in the legacy plan is true and how this isn't a security risk?

Because until we can revoke access, this person can technically still log into his account tied to our plan and access these assets and there is NOTHING we can do about it.

Find more posts tagged with

licensed users

Owner Transfer

sheet owners

external users

Accepted answers

Paul Newcome

I am not 100% certain. I know that in the past I have been able to use my work account to build out assets in a client's workspace and was able to maintain my access until I transferred ownership to them.

I think it is unfortunately a risk that is customer (meaning SS customer) managed, and the only recourse now if you are unable to transfer ownership is to rebuild the assets, relink anything, then follow the previously outlined steps to move their assets elsewhere.

Have you tried removing their permissions from the workspace in general? I feel like then their assets would appear in their "sheets" folder, and they shouldn't have access to the rest of the workspace (potentially but not yet tested).

Genevieve P.

Hey @Trang Turtletraxx

You've touched on one of the core concepts and benefits to the new User Subscription Model!

You're absolutely correct: in the Legacy Collaborator model, a Licensed user on any plan could be shared to any workspace as Admin (regardless of plan) and create/own items within that Workspace. Emails could only have 1 license and be associated with 1 company/account, but that licensed granted "Ownership" and creation abilities regardless of where the Workspace was created/stored. This is not new or a change, but it is a difference between Legacy Collaborator and USM:

The old way of collaborating in Smartsheet did leave System Admins without management abilities over those external accounts.
In USM, System Admins have full control over who can create and own items within their plan/account (Members)!

What has changed in recent years is Asset Ownership being tied now to the Plan, instead of individuals (this aligns with what you would like!). If the Workspace is owned by someone in your plan, even on the Legacy Collaborator Model you can gain ownership of those items, since they were "created" under your plan.

Here's what the FAQ says in this Help Article:

https://help.smartsheet.com/articles/2483118-asset-ownership-overview#toc-plan-asset-admins

Previously, when a user's license was removed, all items they held Owner permissions on were deactivated. Now, Smartsheet transfers Owner permissions of these items to the plan itself rather than deactivating them. This ensures your processes remain functional, regardless of changes to a user's permissions, license, or Member status.

You should be able to simply remove that external collaborator from being shared to the Workspace and the items will stay in the Workspace, now owned by the current Workspace Owner instead.

Cheers,
Genevieve

All comments

Paul Newcome

Are the assets owned by this external user integral to a solution?

While not absolutely ideal, one option to maintain security until you are able to completely remove the external user would be to create a new workspace and share them to it with admin permissions. You would then move all of their assets to this new workspace and remove them from sharing permissions on all of your assets/workspaces.

This would limit their access to that one workspace with all of their assets but not allow them to see any of your internal assets.

Trang Turtletraxx

@Paul Newcome I don't know how those assets are tied to the workspace overall. I do know that workspace has multiple folders and subfolders and this particular user owns assets in various folders/subfolders. It's not clear just by viewing the workspace why he has access or owns all the assets.

Do you know if what Smartsheet support said is accurate? External users can create/own assets under our plan if they have a license under any plan? How are we supposed to manage those users if they never appear in our User Management list?

I always thought under the legacy plan only licensed users can create and own assets and since external users can not own a license under our plan they shouldn't be able to create or own assets. If this new process was implemented recently I was not aware of that and our company would have cut ties from Smartsheet. There is a significant security risk allows external users constant access to our assets without being able to remove or revoke them from our plan.

Paul Newcome

Trang Turtletraxx

Yes one of the Admins tried taking ownership and it continues to say the request will be sent to the Owner.

I have created solutions so to speak in other company plans, but the assets were already or are established by the PM with a license and I built and customized off those. I have never been able to create net new assets.

How can it be customer managed if there is no way to manage them? They don't appear on the User Management report, we can't revoke access because they own assets and we can't transfer ownership of their assets - yet they pretty much have free reign in our environment. We want to collaborate with this company so can't restrict the entire domain. Our policy doesn't allow for individual email addresses to be on the Safe Sharing sheets as exceptions. Either the domain is approved or not but even if we did we are stuck.

Genevieve P.

Hey @Trang Turtletraxx

You've touched on one of the core concepts and benefits to the new User Subscription Model!

The old way of collaborating in Smartsheet did leave System Admins without management abilities over those external accounts.
In USM, System Admins have full control over who can create and own items within their plan/account (Members)!

Here's what the FAQ says in this Help Article:

https://help.smartsheet.com/articles/2483118-asset-ownership-overview#toc-plan-asset-admins

Previously, when a user's license was removed, all items they held Owner permissions on were deactivated. Now, Smartsheet transfers Owner permissions of these items to the plan itself rather than deactivating them. This ensures your processes remain functional, regardless of changes to a user's permissions, license, or Member status.

You should be able to simply remove that external collaborator from being shared to the Workspace and the items will stay in the Workspace, now owned by the current Workspace Owner instead.

Cheers,
Genevieve

Trang Turtletraxx

@Genevieve P. Thank you for the detailed response. I had NO idea this was possible. I had always read licenses were plan specific and because of the fact external users could not hold licenses under our plan they couldn't then create/own assets. I'm shocked this hasn't been rectified until USM as this is a significant risk and issue not being able to manage these external users from accessing created assets.

Sign in to join the conversation!

Quick Links

Component react.discussion.discussions had an error.

ref must be one of: categoryID, siteSectionID, category, category/categoryID, category/name, category/description, category/url, category/allowedDiscussionTypes, locale, siteSection, siteSection/basePath, siteSection/contentLocale, siteSection/sectionGroup, siteSection/sectionID, siteSection/name, siteSection/description, siteSection/apps, siteSection/attributes, layoutViewType, discussionID, commentID, page, sort, discussion, discussion/name, tags, breadcrumbs, discussionApiParams, serverDraftID, serverDraft.