Admin Center - Form Security - Permission Inheritance - Downgrading

Jonathan Hebert
Jonathan Hebert ✭✭✭
edited 10/10/23 in Smartsheet Basics

Hi everyone.

This question requires a somewhat urgent answer. Any help would be appreciated.

Will current sheets retain their higher security permissions, if I downgrade the global settings to less secure for future Sheets/Forms?

My concern is that if I reduce the global settings, all previously created Forms will now inherit the newer, less secure global security setting.

More specifically: In the "Smartsheet Admin Center (US)" I want to change "Form Permissions" from "Only people with a Smartsheet login" to "Anyone with the form link." I want all previously created Forms to retain their "Only people with a Smartsheet login" and require all newly created Forms to be secured through manual governance. We would instruct Form creators to manually secure their Forms **if they have any sensitive information in the Forms.** We have some Forms intended for internal users that have dropdown lists of sensitive information in them. We deal with other sensitive personal information of our customers and want to prevent any future Form dropdown lists (or even some of the plain text questions) to be revealed.

P.S. I did a bit of searching in the Help & Learning Center, as well as Google, but can't seem to find the answer I'm looking for. Maybe I'm not using the correct words in the correct sequence, or maybe the answer isn't out there yet.

TIA!

Best Answer

  • Genevieve P.
    Genevieve P. Employee
    Answer ✓

    Hey @Jonathan Hebert

    To answer your last question - yes, that's correct and what I was wondering about.

    Restricting it to people with a Smartsheet account still means anyone with a Smartsheet account could view the Form. The could create a free trial or be a part of a different plan and see your sensitive dropdown items.

    I would potentially suggest adding those sensitive forms as an embedded Web Content widget in a Dashboard. Then you can either just share the Dashboard directly to specific groups/people, or use the published Dashboard link that restricts it to users in your Domain.

    The embedded Form URL will only be accessible to users shared to the sheet or to the Dashboard with Admin permissions.


    For your first question, you're correct - there currently isn't a way to see a list of all forms in your organization from the Admin Center. You can download a Sheet Access Report which identifies all the sheets, but not forms.

    That said, you could use the Smartsheet API to List Sheets, then loop through the Sheet IDs to Get Sheets, with the parameter of include=publishedFormContainers . This would only get information for all the sheets that your specific account has access to, so if you're not shared to the sheet with the form it won't be included.

    If your orgnaization has Event Reporting you could get notified every time a new form was created as well.

    I hope that helps!

    Genevieve

    Need more help? 👀 | Help and Learning Center

    こんにちは (Konnichiwa), Hallo, Hola, Bonjour, Olá, Ciao! 👋 | Global Discussions

Answers

  • Paul Newcome
    Paul Newcome ✭✭✭✭✭✭

    I believe that anything already created will be unaffected by the change.


    @Genevieve P. Would you happen to know for sure?


  • Thanks for your quick response, Paul.

    I too believe that they'll hold their current permissions. I dislike making any global changes... even tests of global changes... without having a high level of confidence that it'll work. If Genevieve also believes it, but isn't 100% sure, I think the 3 of us (plus one of my Smartsheet "super-users") being pretty sure will be good enough to do a test of the change. ☺️

  • Hey @Jonathan Hebert (and thanks for the tag @Paul Newcome!)

    I'd like to get you a definitive answer on this... even though I have my "likely" guess. I know you noted this was urgent, but if you're able to wait until tomorrow morning I'll be able to test properly / connect with the proper resources to give you a certainty!

    Cheers,

    Genevieve

    Need more help? 👀 | Help and Learning Center

    こんにちは (Konnichiwa), Hallo, Hola, Bonjour, Olá, Ciao! 👋 | Global Discussions

  • Thank you, Genevieve. 🙏 I appreciate it very much. I can wait until tomorrow.

  • Hey @Jonathan Hebert

    Thanks for waiting!

    So here's what I found in my tests:

    • If the default initially requires access then gets downgraded, any forms that previously required access would now allow anyone to access (default adjusted)
    • However, if any form had required the logged in user to also be in the safe sharing domain, they'd still require login and for the logged in user to be on the safe sharing domain.


    You noted in the first post that you have forms with sensitive dropdowns. Are those forms restricted to any Smartsheet account in general, or your safe sharing domain?

    Need more help? 👀 | Help and Learning Center

    こんにちは (Konnichiwa), Hallo, Hola, Bonjour, Olá, Ciao! 👋 | Global Discussions

  • Thanks so much for all your work on this, Genevieve.

    Unfortunately, I don't know who else is using Forms at the moment, nor do I know if they were restricted to safe sharing domain. Therefore, I can't go and ask everyone to change every one of their Forms' individual permissions to prevent them from being shared with just "anyone." Is there a way to see, or run a report, of all Forms that people are using? I did some searching and can't find anything, so I assume the answer is no.

    Therefore, I think we may have to address this concern from a risk management perspective.

    A colleague brought up a good point: Our Form Permissions are currently set to "Only people with a Smartsheet login." If a bad actor somehow got the link to one of our sensitive forms, all they'd have to do is create a login with any public email address (BadActor123@gmail.com, Hacker123@yahoo.com, etc.), then voila, they can comb the form for any sensitive data to exploit. If we change the global setting to "Anyone with the link," all we're doing is removing the one small barrier of creating the free email address and creating the Smartsheet login.

    Is that correct?

  • Genevieve P.
    Genevieve P. Employee
    Answer ✓

    Hey @Jonathan Hebert

    To answer your last question - yes, that's correct and what I was wondering about.

    Restricting it to people with a Smartsheet account still means anyone with a Smartsheet account could view the Form. The could create a free trial or be a part of a different plan and see your sensitive dropdown items.

    I would potentially suggest adding those sensitive forms as an embedded Web Content widget in a Dashboard. Then you can either just share the Dashboard directly to specific groups/people, or use the published Dashboard link that restricts it to users in your Domain.

    The embedded Form URL will only be accessible to users shared to the sheet or to the Dashboard with Admin permissions.


    For your first question, you're correct - there currently isn't a way to see a list of all forms in your organization from the Admin Center. You can download a Sheet Access Report which identifies all the sheets, but not forms.

    That said, you could use the Smartsheet API to List Sheets, then loop through the Sheet IDs to Get Sheets, with the parameter of include=publishedFormContainers . This would only get information for all the sheets that your specific account has access to, so if you're not shared to the sheet with the form it won't be included.

    If your orgnaization has Event Reporting you could get notified every time a new form was created as well.

    I hope that helps!

    Genevieve

    Need more help? 👀 | Help and Learning Center

    こんにちは (Konnichiwa), Hallo, Hola, Bonjour, Olá, Ciao! 👋 | Global Discussions

  • Hi Genevieve.

    Thanks for all this wonderful information and guidance. It's really helpful.

    I marked your last response as the Answer before I commented. I realize I should have quoted and commented on it before marking it as the answer. Whoops! 😆

    The Dashboard URL option is pretty ingenious. However, by the way you described it, and the way the permissions are described in the screenshot, it seems that we would still need people to have an email address and Smartsheet login. We're trying to get this one, non-sensitive Form, out to the general public. It's all the other Forms which may be out there and contain sensitive data. As I think I said previously, I'm pretty sure there are already Forms with sensitive data in the drop downs, so those could potentially be exposed if we downgrade the permission. I think the risk and chance is extremely low, but in today's world, "Risk Management" seems to have tightened up to be "No Risk." A.k.a. "Zero Trust." So, I don't believe the Security folks would approve.

    I marked your last post as the answer, as those other ideas are really great. ✅ I just don't think they'll work in time with everything else we have going on internally.

    Thanks again, Genevieve!

  • Hey @Jonathan Hebert

    If it's just one form that needs to bypass your security... what about using Smartsheet's connection with Google Forms to gather the data? That way you can keep your current security settings throughout the entire organization, but still gather content publicly through this one channel.

    Here's more information: Smartsheet Sync Add-on for Google Forms

    Data submitted through a synced Google Form will create new rows in a Smartsheet sheet. There are limitations to using this connection, and your account may have disabled third-party apps, but it's a thought.

    Need more help? 👀 | Help and Learning Center

    こんにちは (Konnichiwa), Hallo, Hola, Bonjour, Olá, Ciao! 👋 | Global Discussions

  • Hello again Genevieve.

    Thanks for this additional suggestion. Unfortunately, we don't use Google for anything, so this won't work. I'm aware of a similar connector to the cloud hosting we use, but the connector was not allowed by the security team. I don't have any further information about that, only that we can't use it for some reason.

    Thanks again for the additional effort. Much appreciated!