# Connecting Smartsheet to Amazon Q Business
Smartsheet is an enterprise work management platform that lets users manage projects, programs and processes at scale using sheets, channels, and workspaces. You can connect your Smartsheet instance to Amazon Q Business—using either the AWS Management Console, CLI, or the [https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html) API—and create an Amazon Q Business web experience.
Integrating Smartsheet as a data source in Amazon Q Business enables users to quickly get insights from project sheets. For example, users can ask questions like:
+ "Which project manager is responsible for Project Harpo?", where the answer comes from a Smartsheet row
+ "What are the requirements for the Create APIs task?", where the answer is fetched from a PDF attached to the row for Create APIs
+ "Who is the owner of the Individual Task Management workspace?", where the answer comes from workspace metadata
With the Amazon Q Business Smartsheet connector, you can solve the following kinds of use cases.
+ **Project status updates** – Get quick insights into project health without having to open Smartsheet with questions like:
+ "What's the status of the website redesign project?"
+ "Is the mobile app launch on track for the planned date?"
+ "Which projects are currently behind schedule in the Q3 Roadmap sheet?"
+ **Task management** – Find information about tasks and action items with questions like:
+ "What tasks are assigned to Mary Major?"
+ "Has the marketing plan document been completed?"
+ "What's the due date for the customer research presentation?"
The Amazon Q Business Smartsheet connector understands user access permissions and strictly enforces them at the time of the query. This ensures that users aren't able to see content they don't have access to.
**Note**
We recommend enabling [Cross-region inference for Amazon Q Business](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/cross-region-inference.html) for your Amazon Q Business application connector to get the best customer experience with improved query response accuracy.
**Topics**
+ [Known limitations for the Smartsheet connector](smartsheet-limitations.md)
+ [Prerequisites for connecting Amazon Q Business to Smartsheet](smartsheet-prereqs.md)
+ [Connecting Amazon Q Business to Smartsheet using the console](smartsheet-console.md)
+ [Connecting Amazon Q Business to Smartsheet using APIs](smartsheet-api.md)
+ [How Amazon Q Business connector crawls Smartsheet ACLs](smartsheet-user-management.md)
+ [IAM role for Smartsheet connector](smartsheet-iam-role.md)
**Learn more**
+ For an overview of the Amazon Q web experience creation process using IAM Identity Center, see [Configuring an application using IAM Identity Center](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/create-application.html).
+ For an overview of the Amazon Q web experience creation process using AWS Identity and Access Management, see [Configuring an application using IAM](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/create-application-iam.html).
+ For an overview of connector features, see [Data source connector concepts](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html).
+ For information about connector configuration best practices, see [Connector configuration best practices](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-best-practices.html).
# Known limitations for the Smartsheet connector
The Smartsheet connector has the following known limitations:
+ If you remove users’ access to a Smartsheet data source but not to Amazon Q Business, they will be able to receive responses from the data source when they query Amazon Q Business.
+ The Smartsheet connector will provide responses from the most applicable single sheet. That is, it will search across all sheets and find the sheet with the most relevant answer and provide that instead of aggregating data across multiple sheets. For example, it can't answer questions like: "Show me tasks that are past due across all my sheets."
+ For hierarchical sheets, Amazon Q Business accuracy can drop when queries are directly related to the hierarchical structure.
For example, if a sheet has hierarchical structure about high-level tasks and its subtasks, and a user asks "What's the amount of time needed to finish all tasks?" then Amazon Q Business might add up all times assigned to both high-level tasks and the sub-tasks. This calculation is wrong as the amount of time to finish the high-level task is just a sum up of the sub-tasks.
However, if the user asks a query such as "How many tasks are assigned to Mary Major?", they would get an accurate response.
+ For sheets with similar names—(for example, “Blockchain Integration - Project Plan” and “Blockchain Integration - Impact Tracker”)—if a query mentions just “Blockchain Integration” then you might not get an accurate response. To get accurate responses, we recommend:
+ providing clearer titles/descriptions of the sheets, or
+ providing more detailed questions to reduce ambiguity.
# Prerequisites for connecting Amazon Q Business to Smartsheet
Before you begin, make sure that you have completed the following prerequisites.
+ **In Smartsheet, make sure you have:**
+ Access to the Smartsheet Event Reporting API. Use the [Events API Access Request](https://app.smartsheet.com/b/form/5db2cf1b981f445cabaa22d9421cc19d) form to request access for your organization.
+ An Smartsheet system admin user or a licensed user for Smartsheet who can generate an access token. With this access token, your connector will have access to crawl all sheets and workspaces created by or shared with this user.
+ A Smartsheet access token. You need this to connect Smartsheet to Amazon Q Business. For information on how to generate this token in Smartsheet, see [Authentication and Access Tokens](https://smartsheet.redoc.ly/#section/API-Basics/Authentication-and-Access-Tokens) in the *Smartsheet API Reference*.
+ **In your AWS account, make sure you have:**
+ Created a Amazon Q Business application.
+ Created a [Amazon Q Business retriever and added an index](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/select-retriever.html).
+ Created an [IAM role](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/iam-roles.html#iam-roles-ds) for your data source and, if using the Amazon Q API, noted the ARN of the IAM role.
+ Stored your Smartsheet authentication credentials in an AWS Secrets Manager secret and, if using the Amazon Q API, noted the ARN of the secret.
**Note**
If you’re a console user, you can create the IAM role and Secrets Manager secret as part of configuring your Amazon Q application on the console.
For a list of things to consider while configuring your data source, see [ Data source connector configuration best practices](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-best-practices.html).
# Connecting Amazon Q Business to Smartsheet using the console
The following procedure outlines how to connect Amazon Q Business to Smartsheet using the AWS Management Console.
**Note**
Before you begin adding your data source, make sure you've created an Amazon Q Business application, and added an index and retriever to it.
**Connecting Amazon Q to Smartsheet**
1. Sign in to the AWS Management Console and open the Amazon Q Business console.
1. From the left navigation menu, choose **Data sources**.
1. From the **Data sources** page, choose **Add data source**.
1. Then, on the **Add data sources** page, from **Data sources**, add the **Smartsheet** data source to your Amazon Q application.
1. Then, on the **Smartsheet** data source page, enter the following information:
1. **Name and description**, do the following:
+ For **Data source name** – Name your data source for easy tracking.
**Note**
You can include hyphens (-) but not spaces. Maximum of 1,000 alphanumeric characters.
+ **Description – *optional*** – Add an optional description for your data source. This text is viewed only by Amazon Q Business administrators and can be edited later.
1. In **User type** – Choose the user type in your Smartsheet account. You can choose between **System Admin** and **Non-System Admin**. System Admins can ingest sheets, folders, and workspaces into Amazon Q Business. Non-System Admins can ingest only sheets.
1. **Authentication** – Enter the following information for your **AWS Secrets Manager secret**.
1. **Secret name** – A name for your secret.
1. For **Smartsheet API access token** – Enter the value for the access token you created in your Smartsheet account.
1. **IAM role** – Choose an existing IAM role or create an IAM role to access your repository credentials and index content.
**Note**
Creating a new service IAM role is recommended.
For more information, see [IAM role](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/smartsheet-connector.html#smartsheet-iam).
1. In **Sync scope**, enter the following information:
1. In **Select specific sheets, folders, and workspaces**, for **ID type** – Select content to sync using a specific **Sheet ID**, **Folder ID**, and **Workspace ID**.
1. For **Select attachments and conversations**, select from the following options:
+ **All attachments** – Select to include all attachments.
+ **All conversations** – Select to include all conversations.
1. In **Additional configuration – *optional*, select from the following options:**
+ **Sheet and folder regex patterns** – Choose to include or exclude specific sheet and folder names using regex patterns.
+ **Attachment regex patterns** – Choose to include or exclude specific files by name and type using regex patterns.
1. For **Maximum file size** – Specify the file size limit in MBs that Amazon Q will crawl. Amazon Q will crawl only the files within the size limit you define. The default file size is 50MB. The maximum file size should be greater than 0MB and less than or equal to 50MB.
1. **Multi-media content configuration – optional** – To enable content extraction from embedded images and visuals in documents, choose **Visual content in documents**.
To extract audio transcriptions and video content, enable processing for the following file types:
1. **Advanced settings**
**Document deletion safeguard** - *optional*–To safeguard your documents from deletion during a sync job, select **On** and enter an integer between 0 - 100. If the percentage of documents to be deleted in your sync job exceeds the percentage you selected, the delete phase will be skipped and no documents from this data source will be deleted from your index. For more information, see [Document deletion safeguard](connector-concepts.md#document-deletion-safeguard).
1. For **Sync mode**, choose how you want to update your index when your data source content changes. When you sync your data source with Amazon Q for the first time, all content is synced by default.
+ **Full sync**—Sync all content regardless of the previous sync status.
+ **New, modified, or deleted content sync**—Sync only new, modified, and deleted documents.
1. In **Sync run schedule**, for **Frequency** – Choose how often Amazon Q will sync with your data source. For more details, see [Sync run schedule](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-sync-run).
**Note**
The Amazon Q Business Smartsheet connector doesn't support hourly syncs. For optimal performance, choose to sync your data during a time window outside of 11am UTC to 11pm UTC.
1. **Tags - *optional*** – Add tags to search and filter your resources or track your AWS costs. See [Tags](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/tagging.html) for more details.
1. **Field mappings** – A list of data source document attributes to map to your index fields. Add the fields from the **Data source details** page after you finish adding your data source. You can choose from two types of fields:
1. **Default** – Automatically created by Amazon Q on your behalf based on common fields in your data source. You can't edit these.
1. **Custom** – Automatically created by Amazon Q on your behalf based on common fields in your data source. You can edit these. You can also create and add new custom fields.
**Note**
Support for adding custom fields varies by connector. You won't see the **Add field** option if your connector doesn't support adding custom fields.
For more information, see [Field mappings](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-field-mappings).
1. In **Data source details**, choose **Sync now** to allow Amazon Q to begin syncing (crawling and ingesting) data from your data source. When the sync job finishes, your data source is ready to use.
**Note**
View CloudWatch logs for your data source sync job by selecting **View CloudWatch logs**. If you encounter a `Resource not found exception` error, wait and try again as logs may not be available immediately.
You can also view a detailed document-level report by selecting **View Report**. This report shows the status of each document during the crawl, sync, and index stages, including any errors. If the report is empty for an in-progress job, check back later as data is emitted to the report as events occur during the sync process.
For more information, see [Troubleshooting data source connectors](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/troubleshooting-data-sources.html#troubleshooting-data-sources-not-indexed).
# Connecting Amazon Q Business to Smartsheet using APIs
You use the [CreateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html) action to connect a data source to your Amazon Q application. You can also use the [UpdateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_UpdateDataSource.html) action to modify an existing data source configuration.
Then, you use the `configuration` parameter to provide a JSON blob that conforms the AWS-defined JSON schema.
For an example of the API request, see [CreateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html) and [UpdateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_UpdateDataSource.html) in the Amazon Q API Reference.
## JSON schema
The following is the Smartsheet JSON schema:
```
{
"$schema": "http://json-schema.org/draft-04/schema#",
"type": "object",
"properties": {
"connectionConfiguration": {
"type": "object",
"properties": {
"repositoryEndpointMetadata": {
"type": "object",
"properties": {
"authType": {
"type": "string",
"enum": [
"APIToken"
]
}
},
"required": [
"authType"
]
}
},
"required": [
"repositoryEndpointMetadata"
]
},
"repositoryConfigurations": {
"type": "object",
"properties": {
"sheet": {
"type": "object",
"properties": {
"fieldMappings": {
"type": "array",
"items": [
{
"type": "object",
"properties": {
"indexFieldName": {
"type": "string"
},
"indexFieldType": {
"type": "string",
"enum": [
"STRING",
"DATE",
"STRING_LIST",
"LONG"
]
},
"dataSourceFieldName": {
"type": "string"
},
"dateFieldFormat": {
"type": "string",
"pattern": "yyyy-MM-dd'T'HH:mm:ss'Z'"
}
},
"required": [
"indexFieldName",
"indexFieldType",
"dataSourceFieldName"
]
}
]
}
},
"required": [
"fieldMappings"
]
},
"sheetAttachment": {
"type": "object",
"properties": {
"fieldMappings": {
"type": "array",
"items": [
{
"type": "object",
"properties": {
"indexFieldName": {
"type": "string"
},
"indexFieldType": {
"type": "string",
"enum": [
"STRING",
"DATE",
"STRING_LIST",
"LONG"
]
},
"dataSourceFieldName": {
"type": "string"
},
"dateFieldFormat": {
"type": "string",
"pattern": "yyyy-MM-dd'T'HH:mm:ss'Z'"
}
},
"required": [
"indexFieldName",
"indexFieldType",
"dataSourceFieldName"
]
}
]
}
},
"required": [
"fieldMappings"
]
},
"sheetConversation": {
"type": "object",
"properties": {
"fieldMappings": {
"type": "array",
"items": [
{
"type": "object",
"properties": {
"indexFieldName": {
"type": "string"
},
"indexFieldType": {
"type": "string",
"enum": [
"STRING",
"DATE",
"STRING_LIST",
"LONG"
]
},
"dataSourceFieldName": {
"type": "string"
},
"dateFieldFormat": {
"type": "string",
"pattern": "yyyy-MM-dd'T'HH:mm:ss'Z'"
}
},
"required": [
"indexFieldName",
"indexFieldType",
"dataSourceFieldName"
]
}
]
}
},
"required": [
"fieldMappings"
]
},
"sheetConversationAttachment": {
"type": "object",
"properties": {
"fieldMappings": {
"type": "array",
"items": [
{
"type": "object",
"properties": {
"indexFieldName": {
"type": "string"
},
"indexFieldType": {
"type": "string",
"enum": [
"STRING",
"DATE",
"STRING_LIST",
"LONG"
]
},
"dataSourceFieldName": {
"type": "string"
},
"dateFieldFormat": {
"type": "string",
"pattern": "yyyy-MM-dd'T'HH:mm:ss'Z'"
}
},
"required": [
"indexFieldName",
"indexFieldType",
"dataSourceFieldName"
]
}
]
}
},
"required": [
"fieldMappings"
]
},
"rowAttachment": {
"type": "object",
"properties": {
"fieldMappings": {
"type": "array",
"items": [
{
"type": "object",
"properties": {
"indexFieldName": {
"type": "string"
},
"indexFieldType": {
"type": "string",
"enum": [
"STRING",
"DATE",
"STRING_LIST",
"LONG"
]
},
"dataSourceFieldName": {
"type": "string"
},
"dateFieldFormat": {
"type": "string",
"pattern": "yyyy-MM-dd'T'HH:mm:ss'Z'"
}
},
"required": [
"indexFieldName",
"indexFieldType",
"dataSourceFieldName"
]
}
]
}
},
"required": [
"fieldMappings"
]
},
"rowConversation": {
"type": "object",
"properties": {
"fieldMappings": {
"type": "array",
"items": [
{
"type": "object",
"properties": {
"indexFieldName": {
"type": "string"
},
"indexFieldType": {
"type": "string",
"enum": [
"STRING",
"DATE",
"STRING_LIST",
"LONG"
]
},
"dataSourceFieldName": {
"type": "string"
},
"dateFieldFormat": {
"type": "string",
"pattern": "yyyy-MM-dd'T'HH:mm:ss'Z'"
}
},
"required": [
"indexFieldName",
"indexFieldType",
"dataSourceFieldName"
]
}
]
}
},
"required": [
"fieldMappings"
]
},
"rowConversationAttachment": {
"type": "object",
"properties": {
"fieldMappings": {
"type": "array",
"items": [
{
"type": "object",
"properties": {
"indexFieldName": {
"type": "string"
},
"indexFieldType": {
"type": "string",
"enum": [
"STRING",
"DATE",
"STRING_LIST",
"LONG"
]
},
"dataSourceFieldName": {
"type": "string"
},
"dateFieldFormat": {
"type": "string",
"pattern": "yyyy-MM-dd'T'HH:mm:ss'Z'"
}
},
"required": [
"indexFieldName",
"indexFieldType",
"dataSourceFieldName"
]
}
]
}
},
"required": [
"fieldMappings"
]
}
}
},
"additionalProperties": {
"type": "object",
"properties": {
"workspaceIds": {
"type": "array",
"items": {
"type": "string"
},
"maxItems": 20
},
"sheetIds": {
"type": "array",
"items": {
"type": "string"
},
"maxItems": 20
},
"folderIds": {
"type": "array",
"items": {
"type": "string"
},
"maxItems": 20
},
"fieldForUserId": {
"type": "string"
},
"userType": {
"type": "string"
},
"isCrawlAcl": {
"type": "boolean"
},
"isCrawlSheets": {
"type": "boolean"
},
"isCrawlSheetAttachments": {
"type": "boolean"
},
"isCrawlSheetConversations": {
"type": "boolean"
},
"isCrawlSheetConversationAttachments": {
"type": "boolean"
},
"isCrawlRows": {
"type": "boolean"
},
"isCrawlRowAttachments": {
"type": "boolean"
},
"isCrawlRowConversations": {
"type": "boolean"
},
"isCrawlRowConversationAttachments": {
"type": "boolean"
},
"isCrawlRowProofs": {
"type": "boolean"
},
"isMetadataAppended": {
"type": "boolean"
},
"isConversationAppended": {
"type": "boolean"
},
"inclusionAttachmentTypePatterns": {
"type": "array",
"items": {
"type": "string"
}
},
"exclusionAttachmentTypePatterns": {
"type": "array",
"items": {
"type": "string"
}
},
"inclusionAttachmentNamePatterns": {
"type": "array",
"items": {
"type": "string"
}
},
"exclusionAttachmentNamePatterns": {
"type": "array",
"items": {
"type": "string"
}
},
"inclusionFolderNamePatterns": {
"type": "array",
"items": {
"type": "string"
}
},
"exclusionFolderNamePatterns": {
"type": "array",
"items": {
"type": "string"
}
},
"inclusionSheetNamePatterns": {
"type": "array",
"items": {
"type": "string"
}
},
"exclusionSheetNamePatterns": {
"type": "array",
"items": {
"type": "string"
}
},
"enableDeletionProtection": {
"type": "boolean",
"default": false
},
"deletionProtectionThreshold": {
"type": "string",
"default": "15"
}
},
"not": {
"properties": {
"workspaceIds": { "maxItems": 0 },
"sheetIds": { "maxItems": 0 },
"folderIds": { "maxItems": 0 }
}
}
},
"enableIdentityCrawler": {
"type": "boolean"
},
"syncMode": {
"type": "string",
"enum": [
"FULL_CRAWL",
"FORCED_FULL_CRAWL",
"CHANGE_LOG"
]
},
"secretArn": {
"type": "string",
"minLength": 20,
"maxLength": 2048
},
"type": {
"type": "string",
"pattern": "SMARTSHEET"
},
"version": {
"type": "string",
"anyOf": [
{
"pattern": "1.0.0"
}
]
}
},
"required": [
"connectionConfiguration",
"repositoryConfigurations",
"syncMode",
"additionalProperties",
"secretArn",
"type"
]
}
```
The following table provides information about important JSON keys to configure.
| Configuration | Description | Type | Required |
| --- | --- | --- | --- |
| `connectionConfiguration` | Configuration details for connecting to the data source. | `object` | Yes |
| `connectionConfiguration.repositoryEndpointMetadata` | Metadata for the repository endpoint. | `object` | Yes |
| `connectionConfiguration.repositoryEndpointMetadata.authType` | The authentication type. | `string` The only allowed value is: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/smartsheet-api.html) | Yes |
| `repositoryConfigurations` | Configuration information for the content of the data source. For example, configuring specific types of content and field mappings. | `object` | Yes |
| `repositoryConfigurations.sheet` | Configuration for Smartsheet sheets. | `object` | No |
| `repositoryConfigurations.sheet.fieldMappings` | Field mappings for Smartsheet sheets. | `array` of `object` | Yes (if sheet is present) |
| `repositoryConfigurations.sheetAttachment` | Configuration for Smartsheet sheet attachments. | `object` | No |
| `repositoryConfigurations.sheetConversation` | Configuration for Smartsheet sheet conversations. | `object` | No |
| `repositoryConfigurations.sheetConversationAttachment` | Configuration for Smartsheet sheet conversation attachments. | `object` | No |
| `repositoryConfigurations.row` | Configuration for Smartsheet rows. | `object` | No |
| `repositoryConfigurations.rowAttachment` | Configuration for row attachments. | `object` | No |
| `repositoryConfigurations.rowConversation` | Configuration for Smartsheet row conversations. | `object` | No |
| `repositoryConfigurations.rowConversationAttachment` | Configuration for Smartsheet row conversation attachments. | `object` | No |
| `repositoryConfigurations.proofAttachment` | Configuration for Smartsheet proof attachments. | `object` | No |
| `repositoryConfigurations.proofConversation` | Configuration for Smartsheet proof conversations. | `object` | No |
| `repositoryConfigurations.proofConversationAttachment` | Configuration for Smartsheet proof conversation attachments. | `object` | No |
| `additionalProperties` | Additional configuration options for your content in your data source. | `object` | Yes |
| `additionalProperties.workspaceIds` | List of Smartsheet workspace IDs to crawl. | `array` of `string` | No |
| `additionalProperties.sheetIds` | List of Smartsheet sheet IDs to crawl. | `array` of `string` | No |
| `additionalProperties.folderIds` | List of Smartsheet folder IDs to crawl. | `array` of `string` | No |
| `additionalProperties.fieldForUserId` | Field for user ID. | `string` | No |
| `additionalProperties.userType` | User type. | `string` | Yes |
| `additionalProperties.isCrawlAcl` | Whether to crawl ACL. | `boolean` | No |
| `additionalProperties.isCrawlSheets` | Whether to crawl Smartsheet sheets. | `boolean` | No |
| `additionalProperties.isCrawlSheetAttachments` | Whether to crawl Smartsheet sheet attachments. | `boolean` | No |
| `additionalProperties.isCrawlSheetConversations` | Whether to crawl Smartsheet sheet conversations. | `boolean` | No |
| `additionalProperties.isCrawlSheetConversationAttachments` | Whether to crawl Smartsheet sheet conversation attachments. | `boolean` | No |
| `additionalProperties.isCrawlRows` | Whether to crawl Smartsheet rows. | `boolean` | No |
| `additionalProperties.isCrawlRowAttachments` | Whether to crawl Smartsheet row attachments. | `boolean` | No |
| `additionalProperties.isCrawlRowConversations` | Whether to crawl Smartsheet row conversations. | `boolean` | No |
| `additionalProperties.isCrawlRowConversationAttachments` | Whether to crawl Smartsheet row conversation attachments. | `boolean` | No |
| `additionalProperties.isCrawlRowProofs` | Whether to crawl Smartsheet row proofs. | `boolean` | No |
| `additionalProperties.isMetadataAppended` | Whether to append Smartsheet metadata. | `boolean` | No |
| `additionalProperties.isConversationAppended` | Whether to append Smartsheet conversations. | `boolean` | No |
| `additionalProperties.inclusionAttachmentTypePatterns` | Patterns for including Smartsheet attachment types. | `array` of `string` | No |
| `additionalProperties.exclusionAttachmentTypePatterns` | Patterns for excluding Smartsheet attachment types. | `array` of `string` | No |
| `additionalProperties.inclusionAttachmentNamePatterns` | Patterns for including Smartsheet attachment names. | `array` of `string` | No |
| `additionalProperties.exclusionAttachmentNamePatterns` | Patterns for excluding Smartsheet attachment names. | `array` of `string` | No |
| `additionalProperties.inclusionFolderNamePatterns` | Patterns for including Smartsheet folder names. | `array` of `string` | No |
| `additionalProperties.exclusionFolderNamePatterns` | Patterns for excluding Smartsheet folder names. | `array` of `string` | No |
| `additionalProperties.inclusionSheetNamePatterns` | Patterns for including Smartsheet sheet names. | `array` of `string` | No |
| `additionalProperties.exclusionSheetNamePatterns` | Patterns for excluding Smartsheet sheet names. | `array` of `string` | No |
| `additionalProperties.enableDeletionProtection` | Whether to enable deletion protection. To learn more, see [Document deletion safeguard](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#document-deletion-safeguard). | `boolean` | No |
| `additionalProperties.deletionProtectionThreshold` | Threshold for deletion protection. To learn more, see [Document deletion safeguard](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#document-deletion-safeguard) | `string` | No |
| `enableIdentityCrawler` | Whether to enable the identity crawler. Identity crawler is activated by default. Crawling identity information on users and groups with access to certain documents is useful for user context filtering. Search results are filtered based on the user or their group access to documents. Amazon Q Business crawls identity information from your data source by default to ensure responses are generated only from documents end users have access to. For more information, see [Identity crawler](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-identity-crawler). | `boolean` | No |
| `syncMode` | Specify whether Amazon Q should update your index by syncing all documents or only new, modified, and deleted documents. | `string` The allowed values are: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/smartsheet-api.html) | Yes |
| `secretArn` | The ARN of the secret containing the Smartsheet credentials required to connect Amazon Q Business to Smartsheet. | `string` The minimum length is 20 and the maximum length is 2,048 characters. | Yes |
| `type` | The type of the data source. | `string` The only allowed value is: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/smartsheet-api.html) | Yes |
| `version` | The version of the template that's currently supported. | `string` Must match the pattern "1.0.0". | No |
# How Amazon Q Business connector crawls Smartsheet ACLs
Connectors support crawling ACL and identity information where applicable based on the data source. If you index documents without ACLs, all documents are considered public. Indexing documents with ACLs ensures data security.
Amazon Q Business supports crawling ACLs for document security by default.
Smartsheet organizes its data into several entities, including Workspaces, Sheets, Rows, Columns, Attachments, and Comments. Workspaces serve as hierarchical containers that hold folders and individual sheets. Connectors support crawling ACL and identity information where applicable based on the data source. When you connect a Smartsheet data source to Amazon Q Business, Amazon Q Business crawls ACL information attached to a document (user and group information) from your Smartsheet instance. The Smartsheet connector does not allow disabling ACLs, so you must always inforce permissions. ACL information can be used to filter chat responses based your end users' document access level.
**Roles/Permissions**: Users and groups can be assigned various roles including Admin, Editor, and Viewer. Permissions can be managed at different levels, including Workspaces, Sheets, and individual Rows. Smartsheet enforces an Allow Mode for ACLs, meaning permissions are granted explicitly without an explicit deny option. Sheets and Workspaces can be shared via links with different permission levels (View or Edit), but public link sharing is not supported. In addition, Smartsheet allows setting sheets as either searchable or non-searchable, and the connector ensures that this setting is honored when ingesting Smartsheet data. The minimum permission required to read a sheet or workspace is "Viewer". Proper mapping between Smartsheet ACLs and Amazon Q ACL definitions is essential to ensure security and permission consistency.
**Identity Crawling**: Smartsheet supports both local and federated users/groups, but the connector does not support federated. Usernames in Smartsheet are case-insensitive and allow special characters. This system ensures that two users can have the same name but must have unique email addresses. In addition, group names must be unique, because Smartsheet does not allow duplicate group names with mixed case. This prevents identity collisions, ensuring that permissions and access remain properly assigned. If an identity is deleted and later recreated, it does not automatically inherit previous permissions. Smartsheet does not have a suspended user concept, if a user is removed from the user library, they still appear in shared lists for sheets where they previously had access.
**Permission Inheritance**: Permissions in Smartsheet follow an inheritance model, where Workspaces act as the top-most entity. If no explicit ACL is set at the sheet or folder level, permissions are inherited from the parent Workspace. Inherited permissions typically operate as an intersection of parent permissions, unless explicitly modified. However, sheets can have their own ACLs that override inherited permissions. Document-level permissions can include options such as "View Sheet" or "Edit Sheet".
**Change Management**: Change Log Mode in Amazon Q Business enables incremental updates by capturing modifications made to content in Smartsheet. It indexes only newly added, updated, or deleted items since the last crawl, onstead of re-indexing all documents. Any changes to user or group access permissions are also recorded, ensuring accurate and up-to-date indexing.
**Failure handling**: The connector follows a fail-close approach, meaning if there are permission-related issues or API failures, affected documents are skipped from ingestion rather than being made publicly accessible. This prevents unauthorized access while maintaining data integrity.
For more information, see:
+ [Authorization](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-authorization)
+ [Identity crawler](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-identity-crawler)
+ [Understanding User Store](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-principal-store.html)
# IAM role for Smartsheet connector
If you use the AWS CLI or an AWS SDK, you must create an AWS Identity and Access Management (IAM) policy before you create an Amazon Q resource. When you call the operation, you provide the Amazon Resource Name (ARN) role with the policy attached.
If you use the AWS Management Console, you can create a new IAM role in the Amazon Q console or use an existing IAM role.
To connect your data source connector to Amazon Q, you must give Amazon Q an IAM role that has the following permissions:
+ Permission to access the `BatchPutDocument` and `BatchDeleteDocument` operations to ingest documents.
+ Permission to access the [User Store](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-principal-store.html) API operations to ingest user and group access control information from documents.
+ Permission to access your AWS Secrets Manager secret to authenticate your data source connector instance.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowsAmazonQToGetS3Objects",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::bucket/*"
],
"Effect": "Allow",
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "111122223333"
}
}
},
{
"Sid": "AllowsAmazonQToGetSecret",
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:us-west-2:111122223333:secret:QBusiness-Smartsheet-Example-Secret"
]
},
{
"Sid": "AllowsAmazonQToDecryptSecret",
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:us-west-2:111122223333:key/wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.*.amazonaws.com"
]
}
}
},
{
"Sid": "AllowsAmazonQToIngestDocuments",
"Effect": "Allow",
"Action": [
"qbusiness:BatchPutDocument",
"qbusiness:BatchDeleteDocument"
],
"Resource": "arn:aws:qbusiness:us-west-2:111122223333:application/312ba974-4afc-8b7a-3180-6aec1db0d57c/index/e2a71750-c4fd0-b34a-bf23-ddcce192d11d"
},
{
"Sid": "AllowsAmazonQToIngestPrincipalMapping",
"Effect": "Allow",
"Action": [
"qbusiness:PutGroup",
"qbusiness:CreateUser",
"qbusiness:DeleteGroup",
"qbusiness:UpdateUser",
"qbusiness:ListGroups"
],
"Resource": [
"arn:aws:qbusiness:us-west-2:111122223333:application/312ba974-4afc-8b7a-3180-6aec1db0d57c",
"arn:aws:qbusiness:us-west-2:111122223333:application/312ba974-4afc-8b7a-3180-6aec1db0d57c/index/e2a71750-c4fd0-b34a-bf23-ddcce192d11d",
"arn:aws:qbusiness:us-west-2:111122223333:application/312ba974-4afc-8b7a-3180-6aec1db0d57c/index/e2a71750-bf23-4fd0-b34a-192d11dddcce/data-source/*"
]
}
]
}
```
------
**To allow Amazon Q to assume a role, you must also use the following trust policy:**
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowsAmazonQServicePrincipal",
"Effect": "Allow",
"Principal": {
"Service": "qbusiness.amazonaws.com"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "111122223333"
},
"ArnEquals": {
"aws:SourceArn": "arn:aws:qbusiness:us-east-1:111122223333:application/application-id"
}
}
}
]
}
```
------
For more information on Amazon Q data source connector IAM roles, see [IAM roles for Amazon Q data source connectors](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/iam-roles.html#iam-roles-ds).