Description of the Feature: We are requesting the creation of a new, granular, read-only API OAuth scope (e.g., READ_ORG_USERS_ADMIN or similar) that allows third-party applications to retrieve complete organizational user details, groups, and event logs without requiring full administrative privileges.
Currently, to get comprehensive visibility via the /groups, /users, and /events endpoints, integrations are forced to use the ADMIN_USERS scope.
The Problem / Pain Point: Many enterprise customers (especially in highly regulated industries like finance) operate under strict "least privilege" security policies. These policies prevent them from granting full administrative/write scopes (like ADMIN_USERS) to third-party security, audit, or integration tools.
Because Smartsheet’s current standard read-only scopes do not provide the necessary level of visibility to evaluate user access, permissions, and activity across the entire organization, enterprise customers are forced to choose between:
- Violating their internal security protocols by granting overly broad Admin permissions.
- Severely reducing the functionality of their security posture management tools due to limited visibility.
The Solution:Introduce a dedicated read-only scope that allows API consumers to query /groups, /users, and /events for the entire organization. This would grant the visibility needed to audit access and security without providing the ability to modify users, alter permissions, or change organizational settings.
Business Impact:
- Unblocks Enterprise Integrations: Aligns Smartsheet’s API behavior with standard enterprise InfoSec requirements, unblocking deployments for security vendors (like AppOmni) and mutual enterprise clients.
- Enhances Customer Security: Allows customers to confidently audit their Smartsheet environments using third-party tools while strictly adhering to the principle of least privilege.