Security levels
Security and navigation
SECURITY Administrator
NAVIGATION Setup > Security Levels
Security levels allow you to specify and limit the access users have when logged in to the Datto RMM user interface and the Datto RMM Agent Browser. Users can have more than one security level and can change them as needed without having to log out. Security levels can only be added, edited, or deleted in the Datto RMM Web Portal. Changing security levels is possible in both the Agent Browser and the Web Portal.
IMPORTANT To be able to add, edit, or delete a security level in the Web Portal, you must have Administrator access. For further information, refer to Users.
By default, Administrator security level is assigned to the user who registers the Datto RMM account and it is the only security level available to assign to new users until other security levels are created. The Administrator security level cannot be modified or edited in any way. Users who have this security level assigned have full and unlimited access to all Datto RMM functionality and can see and connect to all devices in the Datto RMM account.
How to...
Add a security level
- In the Web Portal, click the Setup tab.
- Click Security Levels.
- Click New Security Level on the left-hand side of the page.
- If you would like to copy an already existing security level to use it as a template, you can choose it from the Based On drop-down list. To create a new one, select New Security Level.
- Give the security level a Name and a Description.
- Click Save.
Configure the security level details
- On the Security Level Details page, select the options applicable to the new security level.
Expand each of these sections: Device Visibility, Permissions, Remote Control Tools, and Membership.
See below for further details on each section.
- Click Apply and Save to finish creating the security level.
Security Level Details - Device Visibility
This section controls which devices the security level has access to.
Turn on the options to include specific Sites, Site Device Groups, Device Groups, or Site Groups, and include or exclude certain sites or groups.
Security Level Details - Permissions
Turn on permissions for Account, Sites, Components, ComStore, Jobs, Reports, and Setup, and then check None, View, or Manage permission for each section within those areas.
IMPORTANT Users will be unable to log in if None permission is selected for all options in their security level's Permissions section.
IMPORTANT The Account and Setup tabs will be grayed out in the Web Portal if None permission is selected for all options within Account permissions or Setup permissions, respectively.
| ACCOUNT | None | View | Manage |
|---|---|---|---|
| Dashboard | The New UI is inaccessible. | The New UI is accessible. Depending on Sites permissions ("OFF" or otherwise), the information shown may be limited in scope. | Same as for View permission. |
| Audit | The Audit tab is not displayed. | The Audit tab is displayed and users can view account-level audit information. | Same as for View permission. |
| Manage | The Manage tab is not displayed. | The Manage tab is displayed. Patching: refer to Account-level permissions. Software: refer to Account-level permissions. iOS Apps: view iOS App Management policies. Backup: view Datto backup appliance data, but not add devices. Security: view existing Security Management policies. |
The Manage tab is displayed. Patching: refer to Account-level permissions. Software: refer to Account-level permissions. iOS Apps: view and create iOS App Management policies. Backup: view and map Datto backup appliance data Security: view and create Security Management policies |
| Monitor | The Monitor tab is not displayed. | The Monitor tab is displayed. Users can view monitor alerts and job alerts that have been raised across sites the user has access to. Users can run jobs if they have Manage permission for JOBS > Active Jobs as well. Job alerts cannot be resolved. Only users with Administrator security level can see suspended devices. |
Same as for View permission but users can also resolve and disable all alerts. |
| Support | The Support tab is not displayed. | The Support tab is displayed and users can see support tickets raised from the sites they have access to. | Same as for View permission. |
| Policies | The Policies tab is not displayed. New UI only: The Policies menu is not displayed. However, users with at least View permission for SITES > Policies will be able to see the Policies menu and a list of global policies along with a list of site policies but they will not be able to create new global policies or edit, delete, or copy existing ones. |
The Policies tab is displayed. Users can see what policies have been set on the sites they have access to, but not make new ones. Users can see which of their permitted devices are targeted, but not toggle policies. Regarding Patch Management policies, refer to Account-level permissions. Regarding Software Management policies, refer to Account-level permissions. New UI only: The Policies menu is displayed. Users can see the details of global policies if they also have at least View permission for SITES > Policies. (Site and device visibility restrictions are respected.) However, users will not be able to create new global policies or edit, delete, or copy existing ones. |
Same as for View permission but users can also edit individual targets and configure new policies and overrides (for patch management). Regarding Patch Management policies, refer to Account-level permissions. Regarding Software Management policies, refer to Account-level permissions. New UI only: Same as for View permission for the New UI, however, users can now also create, edit, delete, or copy global policies. The Best Practices button is displayed on the Policies page if users have Manage permission for COMSTORE > ComStore as well. |
| Filters | Users will neither be able to see nor create their own account-level filters, being limited only to the Default Device Filters provided in various categories. New UI only: Users will not be able to see or create filters at the global level. |
Users can see filters created at the account level from all users. New UI only: Users can see filters created at the global level from all users. |
Users can create, edit, and delete their own filters at the account level. New UI only: Users can create, edit, and delete their own filters at the global level. |
| Groups |
Global-level groups can neither be created nor viewed. |
Users can view groups created globally from all users. |
Users can view and edit groups created globally from all users. |
| SITES | None | View | Manage |
| Sites | The Sites tab will be displayed, but users will be unable to access the list of sites when clicking on the tab. However, users will be able to view the permitted sites using the down arrow to the right of the Sites tab. It is recommended to hide sites individually, instead of hiding the Sites tab. |
Users will be able to view the list of all sites they have been permitted access to. Users will be unable to delete or edit sites, although they may be permitted group and filter access. New UI only: Users will be able to add a new device to the sites they have access to. Users will be able to create a ticket in Autotask PSA if they also have at least View permission for SITES > Devices and Manage permission for SITES > Support. Refer to Creating a ticket - New UI. |
Same as for View permission but sites can now be deleted and edited. Groups cannot be created (this requires the Groups permission below). Quick jobs can also be run if components are available. New UI only: Users can edit the name, description, type, proxy settings, and security levels for the site. |
| Summary | Users will be unable to view a site's Summary page, however, the rest of the tools/actions (e.g. Audit, Manage, etc.) can be accessed through the context menu  . Refer to Site lists. |
Users are able to view a site's Summary page. Although the Notes section appears, no notes can be logged. Users must have at least View permission for SITES > Manage to be able to see the Patch Status pie chart. |
Same as for View permission but notes can now be saved. |
| Devices | The Devices tab is not displayed and individual device pages cannot be accessed. | The Devices tab can be accessed but the only actions that appear are Refresh and Export to CSV. On individual device pages, users are able to view device information but they cannot edit it. New UI only: Users will be able to add a new device to any site they have access to if they also have at least View permission for SITES > Sites. Users will be able to create a ticket in Autotask PSA if they also have at least View permission for SITES > Sites and Manage permission for SITES > Support. Refer to Creating a ticket - New UI. |
Same as for View permission but, depending on the user's security level permissions, expanded actions to move or edit devices, and perform operations on them are shown on both the Devices tab and individual device pages. On individual device pages, users are able to edit device information if they have Manage permission for SITES > Summary as well. Users are able to delete devices if they also have Manage permission for SITES > Deleted Devices. New UI only: Users will be able to delete a device from any site they have access to if they also have at least View permission for SITES > Sites. |
| Audit | The Audit tab is not displayed at either the site or the device level. New UI only: The Request Audit action button is not displayed on the Device Summary page. |
The Audit tab is displayed and users can view site-level and device-level audit information. New UI only: Same as for None permission. |
Same as for View permission but users can also manage, move, and delete discovered devices, and request device audits. New UI only: Users will be able to see the Request Audit action button on the Device Summary page if they also have at least View permission for SITES > Sites and SITES > Devices. Users can request a full audit of the device. |
| Manage | The Manage tab is not displayed. | The Manage tab is displayed. Patching: refer to Site-level permissions and Device-level permissions. Software: refer to Site- and device-level permissions. iOS Apps: view iOS App Management policies. Backup: view Datto backup appliance data, but not add devices. Security: view existing Security Management policies. |
The Manage tab is displayed. Patching: refer to Site-level permissions and Device-level permissions. Software: refer to Site- and device-level permissions. iOS Apps: view and create iOS App Management policies. Backup: view and map Datto backup appliance data. Security: view and create Security Management policies. |
| Monitor | At the site level, the Monitor tab is not displayed. At the device level, the Monitor tab is displayed but the list of alerts cannot be accessed. |
The Monitor tab is displayed. Users can view monitor alerts that have been raised for the site and devices in question. Users can run jobs if they have Manage permission for JOBS > Active Jobs as well. Device-level monitors cannot be created. |
Same as for View permission but users can also resolve and disable monitor alerts. Device-level monitors can also be created. New UI only: Users will be able to create and end maintenance mode windows. Users will be able to create, enable, disable, and delete monitors in the Monitors card on the Device Summary page if they also have at least View permission for SITES > Sites. |
| Support | The Support tab is not displayed. | The Support tab is displayed and the support tickets can be viewed. | Same as for View permission but the support tickets can also be created and edited. New UI only: Users will be able to create a ticket in Autotask PSA if they also have at least View permission for SITES > Sites and SITES > Devices. Refer to Creating a ticket - New UI. |
| Filters | Site-level filters can neither be created nor viewed. | Users can see filters created at the site level from all users. | Users can create, edit, and delete their own filters at the site level. |
| Groups | Site-level groups can neither be created nor viewed. | Users can use groups that have already been defined, but devices cannot be added and group names cannot be changed. | Users can view, edit, or delete groups created at the site level. |
| Policies | The Policies tab is not displayed. New UI only: The Policies menu is not displayed and users cannot create new site policies. However, users with at least View permission for ACCOUNT > Policies will be able to see the Policies menu but they will not be able to see a list of policies. |
The Policies tab is displayed and site-level policies can be viewed. Regarding Patch Management policies, refer to Site-level permissions and Device-level permissions. Regarding Software Management policies, refer to Site- and device-level permissions. New UI only: The Policies menu is displayed. Users can see the details of site policies if they also have at least View permission for ACCOUNT > Policies. However, users will not be able to create new site policies or edit, delete, or copy existing ones. |
Same as for View permission but users can now also create and edit policies. Filters and groups can be applied depending on the user's security settings for filters and groups. Regarding Patch Management policies, refer to Site-level permissions and Device-level permissions. Regarding Software Management policies, refer to Site- and device-level permissions. New UI only: Same as for View permission for the New UI, however, users can now also create, edit, delete, or copy site policies. The Best Practices button is displayed on the Policies page if users have Manage permission for COMSTORE > ComStore as well. |
| Settings | The Settings tab is not displayed. New UI only: The Setup > Credentials menu is displayed; however users cannot view or create site-level credentials. |
The Settings tab is displayed and the settings for individual sites can be viewed but not changed. New UI only: On the Setup > Credentials page, users can view site-level credentials for the sites they have access to if they also have at least View permission for SITES > Sites. However, they cannot create, edit, or delete site-level credentials. |
Same as for View permission but the settings for individual sites can be configured. New UI only: On the Setup > Credentials page, users can view, create, edit, and delete site-level credentials for the sites they have access to if they also have Manage permission for SITES > Sites. |
| Deleted Devices | The Manage Deletions option is displayed but users will be unable to access the Deleted Devices list when clicking Manage Deletions. | Users are able to access the Deleted Devices list by clicking the Manage Deletions. | Same as for View permission but users can now delete devices from the list if they also have Manage permission for SITES > Devices. |
| COMPONENTS | None | View | Manage |
| Components | The Components tab is displayed but users are not able to view the list of their components or select any components as part of jobs. New UI only: The Component Library is not displayed and the list of components cannot be accessed. |
The Components tab is displayed and users are able to see and choose components as part of jobs but not export, edit, copy, or delete them. Component scripts can be viewed (and files downloaded) but edits cannot be saved. Components can be marked as favorites. The component level of components cannot be changed on the Component List page. Users can run jobs if they have Manage permission for JOBS > Active Jobs as well. New UI only: The Component Library is displayed and users are able to view components in the list, view individual component details including component scripts, search for components, and view component groups. Users can create jobs with selected components if they also have Manage permission for JOBS > Active Jobs. |
Same as for View permission, but users are now able to export, edit, copy, and delete components, as well as change the component level of components on the Component List page. New UI only: Same as for View permission, but users are now able to create, edit, and delete components, add components to and remove components from groups, create new component groups, set components as user tasks, and update components. |
| User Tasks | Users are not able to see if a component in the Component Library has been marked as a User Task. New UI only: Users can see if a component in the Component Library has been set as a User Task. |
Same as for None permission. |
Users are able to see if a component in the Component Library has been marked as a User Task and they can click the Toggle User Task icon to enable or disable a component as a User Task. New UI only: Same as for None and View permission, but users are now able to set or unset components as a User Task. |
| COMSTORE | None | View | Manage |
| ComStore | The ComStore tab is displayed but the list of components cannot be accessed. New UI only: The ComStore page is not displayed, the list of components cannot be accessed, and components from the ComStore cannot be added to jobs. |
The ComStore can be browsed, but the components on display cannot be added to the Component Library. New UI only: The ComStore page is displayed but the list of components cannot be accessed. Components from the ComStore cannot be added to jobs. |
Same as for View permission but the components can now be added to the Component Library. New UI only: The ComStore page is displayed and components can be browsed, searched for, and added to the Component Library. Users creating jobs can add components from the ComStore. The Best Practices button is displayed on the Policies page and users can add and configure ComStore policies if they have Manage permission for ACCOUNT > Policies (for global policies) and SITES > Policies (for site policies) as well. |
| JOBS | None | View | Manage |
| Active Jobs | The Jobs tab is not displayed. Jobs and quick jobs cannot be scheduled and run. | The Jobs tab is displayed but the New Job option is not available. Active Jobs and Completed Jobs can be accessed but jobs and quick jobs cannot be scheduled, run, edited, or deleted. New UI only: Users with View access to Active Jobs are able to view jobs, but jobs and quick jobs cannot be scheduled, run, edited, retired, or deleted. |
Same as for View permission but the New Job option is now available, and jobs and quick jobs can be scheduled, run, edited, and deleted. New UI only: Users with Manage access to Active Jobs are able to view jobs. Jobs and quick jobs can also be scheduled, run, edited, retired, and deleted. Users creating jobs can add Components from the ComStore if they also have Manage access to ComStore. |
| REPORTS | None | View | Manage |
| Active Reports | The Reports tab is not displayed. Reports and exports cannot be scheduled and run. | The Reports tab is displayed but the New Report option is not available. Active Reports and Completed Reports can be accessed but reports and exports cannot be scheduled, run, edited, or deleted. |
Same as for View permission but the New Report option is now available, and reports and exports can be scheduled, run, edited, and deleted. |
| SETUP | None | View | Manage |
| Billing | Billing is not displayed in the Setup menu. A banner is displayed if the license limit has been exceeded. New UI only: The Licenses page is not displayed in the Setup menu. |
Billing is displayed in the Setup menu. Users can request subscription increase. A banner is displayed if the license limit has been exceeded. New UI only: The Licenses page is displayed in the Setup menu. Users can view their license count and usage but they cannot add licenses or enable Ransomware Detection. A banner is not displayed if the license limit has been exceeded. |
Same as for View permission. New UI only: The Licenses page is displayed in the Setup menu. Users can view their license count and usage and they can also add licenses and enable Ransomware Detection. A banner is displayed if the license limit has been exceeded. |
| My Info | My Info is not displayed in the Setup menu. | My Info is displayed in the Setup menu. Users can configure their language and default security level. These changes do not apply to other users within the account. | Same as for View permission. |
| Messages | Messages is not displayed in the Setup menu. | Messages is displayed in the Setup menu. Users can view previously sent messages to devices they have access to. | Same as for View permission but users can now delete the messages. |
| Account Settings | Account Settings is not displayed in the Setup menu. New UI only: The Setup > Credentials menu is displayed; however users cannot view or create global credentials. |
Account Settings is displayed in the Setup menu but users cannot configure them. New UI only: Users can view global credentials on the Setup > Credentials page; however, they cannot create, edit, or delete global credentials. |
Account Settings can be fully configured. New UI only: Users can view, create, edit, and delete global credentials on the Setup > Credentials page. |
| Integrations | Integrations is not displayed in the Setup menu. | Integrations is displayed in the Setup menu but the integrations cannot be accessed. | The integrations can be viewed and configured. |
Security Level Details - Remote Control Tools
The Remote Control Tools section controls the access to each of the functions available within the Datto RMM Agent. When creating a new security level, all options are enabled by default.
Turning off any of the options in this section will inactivate that tool in the Agent Browser for the user who has been assigned that security level.
NOTE Changes to the Agent Browser tools options will only come into effect once the Agent Monitor application on the endpoint device has been exited and restarted.
Detailed information about how to access the tools can be found in the Agent Browser tools topic. To learn more about each tool and which device types they are available for, click the referenced sections in the table below.
| Field | Description |
|---|---|
| Toggle all options | Enabled by default for new accounts. Toggle to turn OFF/ON all options listed below. |
| Screenshot | Refer to Screenshot. |
| Services | Refer to Windows Services. |
| Screen Share | Allows you to use Splashtop and VNC in the Agent Browser. Refer to Splashtop and VNC. |
| RDP | Refer to RDP. |
| Command Shell | Refer to Command Shell. |
| Restart/Shutdown | Refer to Restart and Shut Down. |
| Thumbnail Screen | Refer to Thumbnail Screen. |
| Chat | Refer to Chat. |
| Drive Information | Refer to Drive Information. |
| SSH/Telnet | Refer to Connect (Telnet/SSH). |
| PowerShell | Refer to PowerShell. |
| LAN Deploy | Refer to Agent Deployment. |
| Task Manager | Refer to Task Manager. |
| File Manager | Refer to File Management. |
| Registry Editor | Refer to Registry Editor. |
| Quick Jobs | Refer to Quick Jobs. |
| Event Viewer | Refer to Event Viewer. |
| Notes | Refer to Notes. |
| Wake-On-Lan | Refer to Wake Up. |
| HTTP | Refer to Connect (HTTP). |
| Custom Connection | Refer to Connect (Custom Tunnel). |
| Web Remote | Refer to Web Remote. |
Security Level Details - Membership
You can specify to which users you would like to assign this security level. Select your users and move them to the Include or Exclude column accordingly.
Use the Search field above either the Include or Exclude column to search for users. As you type, the search results are narrowed to match your search string.
If you want to exclude one or more users from an existing security level that is the users' default security level, a dialog box will be displayed where you can confirm the security level replacement. From the drop-down menu, select a new default security level for all affected users and click Change.
Alternatively, click Edit in the dialog box to replace the default security level for each user individually. Click the radio button next to the security level you want to set as the new default security level and then click Next to configure each affected user account.
Test a security level
When you set up a new security level, we recommend that you assign it to yourself first to see if it restricts or allows everything you want it to. Testing a security level is important to ensure that users with that security level are able to access the tools or information they require to perform their daily tasks. It is also equally important to ensure that they don't have access to anything they shouldn't. To learn how you can switch between security levels to test them, refer to Switch security levels.
IMPORTANT If you give access to the system to third-party users, such as your customers, ensure that the security level restrictions meet your internal data security requirements.
Edit a security level
- In the Web Portal, click the Setup tab.
- Click Security Levels.
- Click the name of the security level you wish to edit.
- Edit the security level details. Refer to Configure the security level details.
- Click Apply and Save.
Delete a security level
- In the Web Portal, click the Setup tab.
- Click Security Levels.
- Hover over the name of the security level you wish to delete and click Delete this security level.
- From the drop-down menu in the Confirm Security Level Deletion dialog box, select a new security level to replace the one you are about to delete.
- To proceed, click Delete. This will delete the security level and additionally, the following actions will be performed:
- Any existing jobs or policy targets currently linked to the security level you are deleting will be assigned to the replacement security level.
- Any users that are currently a member of the security level you are deleting will be added as members to the replacement security level.
If you do not wish to proceed, click Cancel. To learn how to configure the security levels of the linked users individually, refer to Edit a security level or Edit a user.
Switch security levels
Users who have more than one security level assigned can change it on the fly in both the Datto RMM Agent and the Web Portal (current UI).
Agent
- On the local device where Datto RMM is installed, right-click the Datto RMM Agent icon in the system tray and click Open.
- Log in with your credentials and click the first menu option in the top left corner.
- Hover over Security Level and select the required security level from the list.
- You will be logged out of the Agent automatically.
- Log back in to be able to use the selected security level.
Web Portal (current UI)
- In the top right corner, click your current security level to see a list of available security levels.
- Select the required security level.
- The page will automatically refresh and the selected security level will be applied.
