Former Employee access

KCS

Hi there,

I have an unusual question. A former employee (part of a layoff) went into her Smartsheet account and changed the alternate email address to her new job email address. Because her old email address is currently forwarded to her former supervisor, the notification of the Alternate email added came to us.

We checked the User Management section but her name/old email address isn't listed there and there is no license assigned to her. We couldn't find anywhere she might have access but I couldn't find a list of all people who have accessed our Smartsheets and we have 14 licenses and a variety of teams (non-licensed users) using the program.

So can anyone answer any of these questions?

1. Is there a list that I can download that shows every account that has access to my company's Smartsheets? (As one of the company Admins, I don't necessarily have (or need) access to every Smartsheet in the company.)
2. How do we remove/deactivate the old email address associated with this account?
3. Is it a security issue if we don't remove/deactivate the old email address?
4. I know that it is possible for some people to access some Smartsheets with a link. What setting(s) do we need to change in order to ensure that the only people who have access to our Smartsheets have permission?
5. Did I miss any security problem(s) associated with this issue?

Thank you in advance!

~KC

Genevieve P.

Hi @KCS

1. Yes! As a System Admin, you can generate a Sheet Access Report in the Admin Center for your organization to see all the sheets in your plan and who they are shared to. You can then search for this email address to see if there are any shared items with this user. See the bottom of this Help Article.
2. It sounds like this email may have already been removed as a Member of your account. Depending on how you removed this user, you may have also removed all sheet sharing access to this email address at the time. (See: Delete Users). In this instance, the user can log in to this Smartsheet account, but it would be "empty" and no longer associated with your company at all (a Free Collaborator account).
3. If the email was still set as a Member of your account, then you could re-set the password as an Admin to ensure they don't have access. However since they have been removed, you will not be able to make this adjustment. You can still search to ensure they are not shared to any items (question 1) and I would suggest having your IT team deactivate the associated email from having an Inbox. That said, if the old email isn't shared to any item, then there would be no information for that account to view. Does that make sense?
4. The link you are referencing here is a Published Link, which is different than a direct URL of a sheet. If the user is not shared to a sheet but has access to the direct URL, they will receive an error stating they don't have the correct permissions. Published Links have different levels of security. It sounds like you will want to ensure your Published sheets are set to only allow access to users in your company's account. You can set this as a global setting as well, see Admin Center: Manage Security & Controls
5. If you have any additional concerns, I would suggest reaching out to Smartsheet Support with more details (such as the user's email address) or you can reach out to Smartsheet's Security Team (see here).

As a final note, it's possible that the user was looking to change the email address on their account. In order to do so, they would first need to add a secondary email, then make it Primary, then delete your email. (See Update Email). I would recommend downloading the Sheet Access Report and searching for both emails to ensure nothing has been shared out to either address.

Cheers!

Genevieve

Genevieve P.

Hi @KCS

1. Yes! As a System Admin, you can generate a Sheet Access Report in the Admin Center for your organization to see all the sheets in your plan and who they are shared to. You can then search for this email address to see if there are any shared items with this user. See the bottom of this Help Article.
2. It sounds like this email may have already been removed as a Member of your account. Depending on how you removed this user, you may have also removed all sheet sharing access to this email address at the time. (See: Delete Users). In this instance, the user can log in to this Smartsheet account, but it would be "empty" and no longer associated with your company at all (a Free Collaborator account).
3. If the email was still set as a Member of your account, then you could re-set the password as an Admin to ensure they don't have access. However since they have been removed, you will not be able to make this adjustment. You can still search to ensure they are not shared to any items (question 1) and I would suggest having your IT team deactivate the associated email from having an Inbox. That said, if the old email isn't shared to any item, then there would be no information for that account to view. Does that make sense?
4. The link you are referencing here is a Published Link, which is different than a direct URL of a sheet. If the user is not shared to a sheet but has access to the direct URL, they will receive an error stating they don't have the correct permissions. Published Links have different levels of security. It sounds like you will want to ensure your Published sheets are set to only allow access to users in your company's account. You can set this as a global setting as well, see Admin Center: Manage Security & Controls
5. If you have any additional concerns, I would suggest reaching out to Smartsheet Support with more details (such as the user's email address) or you can reach out to Smartsheet's Security Team (see here).

As a final note, it's possible that the user was looking to change the email address on their account. In order to do so, they would first need to add a secondary email, then make it Primary, then delete your email. (See Update Email). I would recommend downloading the Sheet Access Report and searching for both emails to ensure nothing has been shared out to either address.

Cheers!

Genevieve