Please add admin ability to force password resets

Jesse Van Atta

Forcing the reset of a user's password is critical to the security and efficiency of any user management system. Every other web service I can think of that uses an admin/multi-user structure has such a feature. Here are some examples where a forced password reset would be not only useful but dramatically affect the effectiveness of responding to a security issue:

1. A user has decided to act maliciously and is causing damage to company data hosted in Smartsheet. One of the best ways to mitigate further damage would be to reset the user's password and forcefully log them out of active sessions. Neither of these things are possible as far as I am aware.
2. A user has forgotten their Smartsheet password and doesn't have access to their email account, or their associated email account is already compromised in addition to their Smartsheet account.

Deletion of the user in either of these instances is not really a practical or correct response. It's like using a sledgehammer to drive a thumbtack. Please add this feature as it is needed to begin establishing a baseline confidence in your platform's security. more security requests incoming.......I sincerely hope these types of features are not locked behind enterprise or higher licensing, just like the ONLY available MFA options......cough......absurd.......cough.........

Bassam Khalil

Hi @Jesse Van Atta

Hope you are fine, am agree with you but Unfortunately, this feature is not currently available. You can submit Smartsheet Product Enhancement Requests using this form.

Genevieve P.

Hi @Jesse Van Atta

System Admins on both Business and Enterprise accounts are able to change the email address associated with members of their plans, and can send a password re-set email to these accounts.

This means that for scenario 1, you could change the email for that account and reset the password as the Admin, locking the other user out of Smartsheet and all their previous sheets without deleting the entire account.

For scenario 2, once this user has a new email address you can change the account to be associated with this other, un-compromised email instead, and send the password re-set email to the new address. This way nothing changes in the account other than how to access it. (See: Admin Center: Add, Edit, and Delete Individual Users with User Management.)

I hope this helps!

Genevieve

Kimberly Loveless

@Genevieve P. to my understanding though sending the password resent link doesn't lock the account until the link is clicked... at least this is what I was told when I was looking into ways to temporarily disable an account for someone going on leave.

@Bassam Khalil I and my director have also put in multiple enhancement requests for a way to at least give system admins the option to enable the feature to force a password reset.

I am also having a hard time finding information about an MFA for Smartsheet, especially without using an SSO.

Genevieve P.

Hi @Kimberly Loveless

You're correct, which is why you would need the additional step of changing what email address is associated with that account, so you could click the email on their behalf.