Welcome to the Smartsheet Forum Archives


The posts in this forum are no longer monitored for accuracy and their content may no longer be current. If there's a discussion here that interests you and you'd like to find (or create) a more current version, please Visit the Current Forums.

I need to restrict access to a web form to only a specific group, can I do that?

I am using Smartsheet as a project list and a web form as a work request system. I need to restrict access to the web form so only spefic people can file a request. is that possible?

Comments

  • Atus Bartal
    Atus Bartal ✭✭✭✭✭✭

    You can invite a specific group of people to fill the form by emailing the link of the form to them. You can set if they are required to sign in to Smartsheet for that or not. As far as I know, it is not possible to restrict the access to a form to a group, so anyone with the link will have the same rights.

    Atus

  • J. Craig Williams
    J. Craig Williams ✭✭✭✭✭✭

    To clarify what Atus said, under the WebForm Form Options, you can set the WebForm to allow anyone (that is anyone with the link) or to Smartsheet users. 

    I assume that means Smartsheet users in your account, but never thought to ask before.

    But you can't further sub-divide the users in your account.

     

    Craig

  • The "Smartsheet users" option will allow any Smartsheet user to fill out the form.

     

    You could embed the web form behind a password protected page on your web site and share that site with select users. 

  • J. Craig Williams
    J. Craig Williams ✭✭✭✭✭✭

    Excellent idea Greg!

     

     

  • Pardon the old post bump.  This only gives the appearance of securing the form.  Which can be more dangerous than users knowing it isn't secure and treating data as such.  If a user observers the source or network request via a developer console they can then find the link to the form (or someone happens to guess a 2^128 base64(md5 hash)) and share it with whomever.  Then submit without restriction, skew data used for BI, submit false data for phishing, submit attachments (if enabled on the form) with malware/viruses/trojans that user assume are from trusted sources because of your password site, etc.  

    Keeping the url server side, stripping the form components of the url and displaying everything else to the user, resubmitting to your server hosting your login page to process the form, and then passing it up to smartsheet (handling errors).  Doing this via server side code is better, but is still just security through obscurity as the actual form and submission have no security on them still and if someone does find the web url (say smart sheet ads a new line of code that has the url in it your code doesn't remove) they can submit as if it wasn't secured at all. 



    Allowing creators of the webform to specify smartsheet users/groups that have access would be the best/simplest way to secure web forms.  It also mimics functionality that already exists for viewing/editing in smartsheet and is probably functionality at the routing level and not per page functionality. This requires a code change by smartsheet however.

     

  • I'm a new user and trying to determine if this software is suitable for my needs. Has this ever been addressed? I don't see any way to secure the form to an access control list/group etc., that is disturbing to me. If you have the link and you are logged in you could use the form. This is as long as you don't forget to limit access to logged in users, otherwise, anyone with a link could use the form. That seems like a glaring security hole, if that is still true. This alone would preclude me from doing any serious work with forms. 

  • Is there an update to this request?  I need to restrict which smart sheet users can login, and cannot currently accomplish this.   I have an open support ticket, but any help would be appreciated.

This discussion has been closed.