API Access Tokens for non-licensed Users


Comments

  • Genevieve P.
    Genevieve P. Employee Admin

    Side note - does "Company B" have a multi-user Smartsheet plan with licenses? If so, then I would suggest that the other company is the one that generates the Token, using their licensed account.

    Then all you need to do is share the sheets (in Smartsheet directly) with whoever needs access to those sheets. This then allows them to edit/update the content as you want them to, either directly in Smartsheet or using the API (up to them). This way you can keep your own security and directly share the only assets that require access with the permission level set as needed.

    Cheers,

    Genevieve

  • MHalvey
    MHalvey ✭✭✭✭✭
    edited 07/13/23

    @Paul Newcome @Genevieve P. You two are phenomenal!!!! Thank you both for clarifying and answering my questions. I know I keep saying this, but the more knowledge I have on this the better, in my opinion. This should be my final question. I hope!

    If Company A didn't want to use a license just to share the 2 sheets and then generate the Raw API token, could Company B create a separate Smartsheet account (not connected to Company A's account) and be a licensed user under that new account to generate their own API token? Then, if Company A shared their 2 sheets, as Editor - Cannot Share permissions, with Company B using that account user's email address, would Company B's Raw API token work the same as in the original case idea? Please let me know if this didn't make sense and I'll try to clarify further.

    Thank you again,

    -Michael

    Michael Halvey

    "Strive for Progress, not Perfection."

  • MHalvey
    MHalvey ✭✭✭✭✭

    @Genevieve P. - I didn't see we were on a Page 2 already! I missed this second post. This is EXACTLY what I just typed to you. That direction will be my goal for this. Thank you so much for your time and discussion. You two are amazing!

    -Michael

    Michael Halvey

    "Strive for Progress, not Perfection."

  • Paul Newcome
    Paul Newcome ✭✭✭✭✭✭

    @Genevieve P. Would this mean that Company B must always be shared to those sheets then? I imagine that it may not work in instances where Company B was handing everything over to Company A to run/manage after the build was complete?

  • Genevieve P.
    Genevieve P. Employee Admin

    @MHalvey I'm glad I could help!

    @Paul Newcome Yes, you are correct. This is for if those other people will always be connected in to those sheets making updates in the future. If there's a point where you'll be removing Sharing access, then anything they built with the API would receive an error because they are no longer shared to the sheet.

  • MHalvey
    MHalvey ✭✭✭✭✭

    @Genevieve P. - There was one additional question asked late Friday by my team members. Say Company B generated their own API token and Company A just shared the 2 assets with the Company B user.

    Then if Company B had other companies it wanted to bridge with their software into Smartsheet (C and D Companies) besides Company A. Could Company B use that same licensed user account / API token to bridge between Company B and C, D companies? And would there be any security risk to Company A?

    Example:

    Company A shared 2 sheets with Company B licensed user.

    Company C shared 2 sheets with Company B, same licensed user.

    Company D shared 2 sheets with Company B, same licensed user.

    All are through the one Raw API token generated from Company B's account or would that account from Company B make multiple Raw API tokens in the one account?

    Note: Company B is only using that account for API token and not creating or shared with anything else from Company B's side.


    Thank you,

    Michael

    Michael Halvey

    "Strive for Progress, not Perfection."

  • Genevieve P.
    Genevieve P. Employee Admin

    Hi @MHalvey

    If Company B's licensed user has access to all sheets (Company A, C, D) only 1 Access Token would be needed. The best way to think about Access Tokens really is to think of them as another way to "log in" to Smartsheet.

    Whatever that user is shared to in Smartsheet, the API can access as that user with that token.

    For your scenario, think of it this way:

    • Company A, user A = Michael
    • Company B, user B = Genevieve
    • Company C, user C = Paul

    Sharing Scenario:

    Michael, you and I are collaborating on something, so you share 2 sheets with me as an Editor. I can now see those sheets and update content in the cells of those sheets.

    Paul and I are collaborating on a totally different project. He shares his 2 sheets with me as an Editor as well, but NOT with you, since you don't know each other.

    I can now see and update 4 sheets, both yours and Paul's, as a shared collaborator. I do this by signing in to Smartsheet with my Email and Password, then viewing the sheets.

    • You cannot see Paul's sheets (he did not share you to them).
    • Paul cannot see your sheets (you did not share him to them).
    • I am an Editor on all 4 sheets, so I can update and view all 4 sheets.


    Using the API:

    Today, instead of using my Email and Password to log in to make changes, I decide to use the API. I generate an Access Token to "log in" to Smartsheet. Through the API, I can use the PUT - Update Row request to make changes to rows in any sheet I have Editor access to: your sheets, Paul's sheets, and my own sheets because I'm at least an Editor.

    I do not need to log in more than once to see the different sheets: it's the same login (the same access Token) since the same email/account was shared to all items.


    Removing Access:

    You decide you no longer want me to see or update any of your data. In this instance, all you need to do is remove me from being shared to the sheet. If I can no longer see them in Smartsheet when I log in with my Password + Email, I am unable to update them via the API either.


    Security concerns:

    The security risk here is what Company B can do with your shared information. Ignore the API for a second and simply think about sharing your data. If you share me to a sheet, I can copy/paste that information and send that to Paul, or use "Save as New" and then share that new sheet (that I now own, with your copied data) to Paul. I can also send out rows as emails or download the sheet as an excel file. This is because I am directly shared to that sheet. However Paul himself cannot view any content in the sheet because he's not shared.

    It all comes down to sharing permissions: anything a shared user can do in Smartsheet directly they can do in the API.


    I would recommend reviewing the Sharing documentation if you want to test different scenarios.

    Cheers!

    Genevieve
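    The "token is just another log in" model above is easy to audit in practice: list the sheets the token's user is shared to and you have the token's full reach. The following is an added example written for this thread, not code from Smartsheet or from anyone in the discussion; it runs offline on a constructed sample of the list-sheets response, and the live call, the `include=ownerInfo` parameter and the 404/errorCode 1006 shape for an un-shared sheet are assumptions based on the public Smartsheet REST reference.

```python
import json
from urllib.request import Request, urlopen

API_BASE = "https://api.smartsheet.com/2.0"
# Sharing levels that allow PUT Update Rows (Editor or above).
ROW_UPDATE_LEVELS = {"EDITOR", "EDITOR_SHARE", "ADMIN", "OWNER"}

# Constructed sample of GET /sheets?include=ownerInfo for the token's user
# (ids, names and owners are made up; field names follow the Smartsheet REST docs).
SAMPLE_LIST_SHEETS = json.dumps({"pageNumber": 1, "totalCount": 4, "data": [
    {"id": 1001, "name": "A - Requests", "accessLevel": "EDITOR", "owner": "michael@companya.example"},
    {"id": 1002, "name": "A - Tracker", "accessLevel": "EDITOR", "owner": "michael@companya.example"},
    {"id": 3001, "name": "C - Intake", "accessLevel": "VIEWER", "owner": "paul@companyc.example"},
    {"id": 2001, "name": "B - Scratch", "accessLevel": "OWNER", "owner": "api-bot@companyb.example"},
]})

def token_reach(list_sheets_json):
    """Everything one token can touch: each sheet the token's user is shared to,
    its access level, and whether row updates via the API would be allowed."""
    return [{"id": s["id"], "name": s["name"], "owner": s.get("owner", "?"),
             "access": s["accessLevel"],
             "can_update_rows": s["accessLevel"] in ROW_UPDATE_LEVELS}
            for s in json.loads(list_sheets_json)["data"]]

def sheets_by_owner(reach):
    """Group by owning account: a generic Company B token that spans clients
    A, C and D shows up here as several owner addresses under one token."""
    grouped = {}
    for item in reach:
        grouped.setdefault(item["owner"], []).append(item["name"])
    return grouped

def unshared_error(status, body_json):
    """True when a call failed because the token's user is no longer shared to
    the sheet (assumed: Smartsheet answers 404 with errorCode 1006, 'Not Found')."""
    return status == 404 and json.loads(body_json).get("errorCode") == 1006

def fetch_list_sheets(token):
    """Live call (not run here): the token goes in the Bearer header, which is
    the 'log in' the thread describes. Pagination is omitted."""
    req = Request(f"{API_BASE}/sheets?include=ownerInfo",
                  headers={"Authorization": f"Bearer {token}"})
    with urlopen(req) as resp:
        return resp.read().decode()

if __name__ == "__main__":
    for row in token_reach(SAMPLE_LIST_SHEETS):
        print(row)
    print(sheets_by_owner(token_reach(SAMPLE_LIST_SHEETS)))
```

Running this against a real token with `fetch_list_sheets` gives Company A a concrete answer to "what can Company B's token reach", and a sheet that disappears from the list is exactly the one whose API calls will start failing once sharing is removed.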

  • Debbie Sawyer
    Debbie Sawyer ✭✭✭✭✭✭

    Yes, good thread!

    I work for a company that provides API Smartsheet Consultancy for clients. (So I would be Company B to your Company A example).

    I can verify that if you would like our code to do something to your sheets, then the API Access Token you give us needs to be from a Licensed User that has Admin level access to the sheets involved in the API. It doesn't need to be from the owner of the sheets, just from someone at Admin level.

    We always recommend that the client (Company A) reserve a license for all API work (a generic account if you will) and use that. Quite often though we receive API tokens from "User A" (an actual person!) who has access; but then when User A leaves the company or changes role, it can cause complexities for the App to continue functioning. So if you do have enough licenses for a generic user to be used for all API code integrations, then that would be the best solution.

    I hope you don't mind me popping this in too!

    Kind regards

    Debbie Sawyer

    Chief Smartsheet Solutions Officer from Smarter Business Processes

  • Genevieve P.
    Genevieve P. Employee Admin

    Thanks, @Debbie Sawyer!

    Great insight, and good point about what happens if someone leaves a company.

  • Paul Newcome
    Paul Newcome ✭✭✭✭✭✭

    @Debbie Sawyer That's the same thing I do with regular solution builds and how we have generally handled API builds as well. Company A creates an "Admin" type of generic account and that is the account that builds everything. On rare occasion we get a client that is not able to do that because of security issues with having "shared" log in info, but that isn't often.


    My misunderstanding (which was very clearly corrected by Genevieve) was that API access gave access to everything as opposed to the actual access which is more similar to a "log in".

  • Debbie Sawyer
    Debbie Sawyer ✭✭✭✭✭✭

    @Paul Newcome

    Yes, we do have to discuss these things with the clients, as if they choose a generic account as the "Owner" of the workspace and all sheets within the build, then change their logins to SSO, that too can cause complexities!

    So pros and cons to each configuration! :D Such fun! Keeps us on our toes!

  • MHalvey
    MHalvey ✭✭✭✭✭

    @Genevieve P. @Paul Newcome @Debbie Sawyer - Thank you all for your responses and information. I believe "fingers crossed" that answers all my questions. That final walkthrough @Genevieve P. was wonderful, thank you for taking the time to write that out.

    All - I hope you have a wonderful start to your week. 😁

    -Michael

    Michael Halvey

    "Strive for Progress, not Perfection."