Security levels
Security and navigation
SECURITY Administrator
NAVIGATION Setup > Security Levels
Security levels allow you to specify and limit the access users have when logged in to the Datto RMM Agent Browser and Web Portal. Users can have more than one security level and can change them as needed without having to log out. Security levels can be added, edited, or deleted only in the Datto RMM Web Portal. Changing security levels is possible in both the Agent Browser and the Web Portal.
IMPORTANT To be able to add, edit or delete a security level in the Web Portal, you must have Administrator access. For further information, refer to Users.
By default, Administrator security level is assigned to the user who registers the Datto RMM account and it is the only security level available to assign to new users until other security levels are created. The Administrator security level cannot be modified or edited in any way. Users who have this security level assigned have full and unlimited access to all Datto RMM functionality, and can see and connect to all devices in the Datto RMM account.
How to...
Add a security level
- In the Web Portal, click on the Setup tab.
- Click Security Levels.
- Click New Security Level on the left of the page.
- If you would like to copy an already existing security level to use it as a template, you can choose it from the Based On drop-down list. To create a new one, select New Security Level.
- Give the security level a Name and a Description.
- Click Save.
Configure the security level details
- On the Security Level Details page, select the options applicable to the new security level.
Expand each of these sections: Device Visibility, Permissions, Remote Control Tools, Membership.
See below for further details on each section.
- Click Apply and Save to finish creating the security level.
Security Level Details - Device Visibility
This section controls which devices the security level has access to.
Turn on the options to include specific Sites, Site Device Groups, Device Groups or Site Groups, and Include or Exclude certain sites or groups.
Security Level Details - Permissions
Turn on permissions for each area of the Web Portal (Account, Sites, Components, ComStore, Jobs, Reports, Setup), then check None, View or Manage permission for each section within those areas.
IMPORTANT Users will be unable to log in if None permission is selected for all options in their security level's Permissions section.
IMPORTANT The Account and Setup tabs will be grayed out if None permission is selected for all options within Account permissions or Setup permissions, respectively.
| ACCOUNT | None | View | Manage |
|---|---|---|---|
| Dashboard | The New UI is inaccessible. | The New UI is accessible. Depending on Sites permissions ("OFF" or otherwise), the information shown may be limited in scope. | Same as for View permission. |
| Audit | The Audit tab is not displayed. | The Audit tab is displayed and users can view account-level audit information. | Same as for View permission. |
| Manage | The Manage tab is not displayed. | The Manage tab is displayed. Patching: refer to Account-level permissions. Software: refer to Account-level permissions. iOS Apps: view iOS App Management policies. Backup: view Datto backup appliance data, but not add devices. Security: view existing Security Management policies. |
The Manage tab is displayed. Patching: refer to Account-level permissions. Software: refer to Account-level permissions. iOS Apps: view and create iOS App Management policies. Backup: view and map Datto backup appliance data Security: view and create Security Management policies |
| Monitor | The Monitor tab is not displayed. | The Monitor tab is displayed. Users can view monitor alerts and job alerts that have been raised across sites the user has access to. Users can run jobs if they have Manage permission for JOBS > Active Jobs as well. Job alerts cannot be resolved. Only users with Administrator security level can see suspended devices. |
Same as for View permission but users can also resolve and disable all alerts. |
| Support | The Support tab is not displayed. | The Support tab is displayed and users can see support tickets raised from the sites they have access to. | Same as for View permission. |
| Policies | The Policies tab is not displayed. New UI only: The Policies menu is not displayed. However, users with at least View permission for SITES > Policies will be able to see the Policies menu and a list of global policies along with a list of site policies but they will not be able to create new global policies or edit, delete, or copy existing ones. |
The Policies tab is displayed. Users can see what policies have been set on the sites they have access to, but not make new ones. Users can see which of their permitted devices are targeted, but not toggle policies. Regarding Patch Management policies, refer to Account-level permissions. Regarding Software Management policies, refer to Account-level permissions. New UI only: The Policies menu is displayed. Users can see the details of global policies if they also have at least View permission for SITES > Policies. (Site and device visibility restrictions are respected.) However, users will not be able to create new global policies or edit, delete, or copy existing ones. |
Same as for View permission but users can also edit individual targets and configure new policies and overrides (for patch management). Regarding Patch Management policies, refer to Account-level permissions. Regarding Software Management policies, refer to Account-level permissions. New UI only: Same as for View permission for the New UI, however, users can now also create, edit, delete, or copy global policies. |
| Filters | Users will neither be able to see nor create their own account-level filters, being limited only to the Default Device Filters provided in various categories. New UI only: Users will not be able to see or create filters at the global level. |
Users can see filters created at the account level from all users. New UI only: Users can see filters created at the global level from all users. |
Users can create, edit, and delete their own filters at the account level. New UI only: Users can create, edit, and delete their own filters at the global level. |
| Groups | Users will neither be able to see nor create their own account-level groups. New UI only: Users will not be able to see or create groups at the global level. |
Users can see groups created at the account level from all users. New UI only: Users can see groups created at the global level from all users. |
Users can see and edit groups created at the account level from all users. New UI only: Users can see and edit groups created at the global level from all users. |
| SITES | None | View | Manage |
| Sites | The Sites tab will be displayed, but users will be unable to access the list of sites when clicking on the tab. However, users will be able to view the permitted sites using the down arrow to the right of the Sites tab. It is recommended to hide sites individually, instead of hiding the Sites tab. |
Users will be able to view the list of all sites they have been permitted access to. Users will be unable to delete or edit sites, although they may be permitted group and filter access. New UI only: Users will be able to add a new device to the sites they have access to. Users will be able to create a ticket in Autotask PSA if they also have at least View permission for SITES > Devices and Manage permission for SITES > Support. Refer to Creating a ticket - New UI. |
Same as for View permission but sites can now be deleted and edited. Groups cannot be created (this requires the Groups permission below). Quick jobs can also be run if components are available. New UI only: Users can edit the name, description, type, proxy settings, and security levels for the site. |
| Summary | Users will be unable to view a site's Summary page, however, the rest of the tools/actions (e.g. Audit, Manage, etc.) can be accessed through the context menu  . Refer to Site lists. |
Users are able to view a site's Summary page. Although the Notes section appears, no notes can be logged. Users must have at least View permission for SITES > Manage to be able to see the Patch Status pie chart. |
Same as for View permission but notes can now be saved. |
| Devices | The Devices tab is not displayed and individual device pages cannot be accessed. | The Devices tab can be accessed but the only actions that appear are Refresh and Export to CSV. On individual device pages, users are able to view device information but they cannot edit it. New UI only: Users will be able to add a new device to any site they have access to if they also have at least View permission for SITES > Sites. Users will be able to create a ticket in Autotask PSA if they also have at least View permission for SITES > Sites and Manage permission for SITES > Support. Refer to Creating a ticket - New UI. |
Same as for View permission but, depending on the user's security level permissions, expanded actions to move or edit devices, and perform operations on them are shown on both the Devices tab and individual device pages. On individual device pages, users are able to edit device information if they have Manage permission for SITES > Summary as well. Users are able to delete devices if they also have Manage permission for SITES > Deleted Devices. New UI only: Users will be able to delete a device from any site they have access to if they also have at least View permission for SITES > Sites. |
| Audit | The Audit tab is not displayed at either the site or the device level. | The Audit tab is displayed and users can view site-level and device-level audit information. | Same as for View permission but users can also manage, move, and delete discovered devices, and request device audits. |
| Manage | The Manage tab is not displayed. | The Manage tab is displayed. Patching: refer to Site-level permissions and Device-level permissions. Software: refer to Site- and device-level permissions. iOS Apps: view iOS App Management policies. Backup: view Datto backup appliance data, but not add devices. Security: view existing Security Management policies. |
The Manage tab is displayed. Patching: refer to Site-level permissions and Device-level permissions. Software: refer to Site- and device-level permissions. iOS Apps: view and create iOS App Management policies. Backup: view and map Datto backup appliance data. Security: view and create Security Management policies. |
| Monitor | At the site level, the Monitor tab is not displayed. At the device level, the Monitor tab is displayed but the list of alerts cannot be accessed. |
The Monitor tab is displayed. Users can view monitor alerts that have been raised for the site and devices in question. Users can run jobs if they have Manage permission for JOBS > Active Jobs as well. Device-level monitors cannot be created. |
Same as for View permission but users can also resolve and disable monitor alerts. Device-level monitors can also be created. New UI only: Users will be able to create and end maintenance mode windows. Users will be able to create, enable, disable, and delete monitors in the Monitors card on the Device Summary page if they also have at least View permission for SITES > Sites. |
| Support | The Support tab is not displayed. | The Support tab is displayed and the support tickets can be viewed. | Same as for View permission but the support tickets can also be created and edited. New UI only: Users will be able to create a ticket in Autotask PSA if they also have at least View permission for SITES > Sites and SITES > Devices. Refer to Creating a ticket - New UI. |
| Filters | Site-level filters can neither be created nor viewed. | Users can see filters created at the site level from all users. | Users can create, edit, and delete their own filters at the site level. |
| Groups | Site-level groups can neither be created nor viewed. | Users can use groups that have already been defined, but devices cannot be added and group names cannot be changed. | Same as for View permission but users are now able to edit existing groups and move devices freely in and out. Groups can also be created or deleted. |
| Policies | The Policies tab is not displayed. New UI only: The Policies menu is not displayed and users cannot create new site policies. However, users with at least View permission for ACCOUNT > Policies will be able to see the Policies menu but they will not be able to see a list of policies. |
The Policies tab is displayed and site-level policies can be viewed. Regarding Patch Management policies, refer to Site-level permissions and Device-level permissions. Regarding Software Management policies, refer to Site- and device-level permissions. New UI only: The Policies menu is displayed. Users can see the details of site policies if they also have at least View permission for ACCOUNT > Policies. However, users will not be able to create new site policies or edit, delete, or copy existing ones. |
Same as for View permission but users can now also create and edit policies. Filters and groups can be applied depending on the user's security settings for filters and groups. Regarding Patch Management policies, refer to Site-level permissions and Device-level permissions. Regarding Software Management policies, refer to Site- and device-level permissions. New UI only: Same as for View permission for the New UI, however, users can now also create, edit, delete, or copy site policies. |
| Settings | The Settings tab is not displayed. | The Settings tab is displayed and the settings for individual sites can be viewed but not changed. | Same as for View permission but the settings for individual sites can be configured. |
| Deleted Devices | The Manage Deletions option is displayed but users will be unable to access the Deleted Devices list when clicking Manage Deletions. | Users are able to access the Deleted Devices list by clicking the Manage Deletions. | Same as for View permission but users can now delete devices from the list if they also have Manage permission for SITES > Devices. |
| COMPONENTS | None | View | Manage |
| Components | The Components tab is displayed but users are not able to view the list of their components or select any components as part of jobs. | The Components tab is displayed and users are able to see and choose components as part of jobs but not export, edit, copy, or delete them. Component scripts can be viewed (and files downloaded) but edits cannot be saved. Components can be marked as favorites. The component level of components cannot be changed on the Component List page. Users can run jobs if they have Manage permission for JOBS > Active Jobs as well. |
Same as for View permission, but users are now able to export, edit, copy, and delete components, as well as change the component level of components on the Component List page. |
| User Tasks | Users are not able to see if a component in the Component Library has been marked as a User Task. | Same as for None permission. | Users are able to see if a component in the Component Library has been marked as a User Task and they can click the Toggle User Task icon to enable or disable a component as a User Task. |
| COMSTORE | None | View | Manage |
| ComStore | The ComStore tab is displayed but the list of components cannot be accessed. | The ComStore can be browsed, but the components on display cannot be added to the Component Library. | Same as for View permission but the components can now be added to the Component Library. |
| JOBS | None | View | Manage |
| Active Jobs | The Jobs tab is not displayed. Jobs and quick jobs cannot be scheduled and run. | The Jobs tab is displayed but the New Job option is not available. Active Jobs and Completed Jobs can be accessed but jobs and quick jobs cannot be scheduled, run, edited, or deleted. New UI only: Users with View access to Active Jobs are able to view jobs, but jobs and quick jobs cannot be scheduled, run, edited, retired, or deleted. |
Same as for View permission but the New Job option is now available, and jobs and quick jobs can be scheduled, run, edited, and deleted. New UI only: Users with Manage access to Active Jobs are able to view jobs. Jobs and quick jobs can also be scheduled, run, edited, retired, and deleted. |
| REPORTS | None | View | Manage |
| Active Reports | The Reports tab is not displayed. Reports and exports cannot be scheduled and run. | The Reports tab is displayed but the New Report option is not available. Active Reports and Completed Reports can be accessed but reports and exports cannot be scheduled, run, edited, or deleted. |
Same as for View permission but the New Report option is now available, and reports and exports can be scheduled, run, edited, and deleted. |
| SETUP | None | View | Manage |
| Billing | Billing is not displayed in the Setup menu. | Billing is displayed in the Setup menu. Users can request subscription increase. | Same as for View permission. |
| My Info | My Info is not displayed in the Setup menu. | My Info is displayed in the Setup menu. Users can configure their language and default security level. These changes do not apply to other users within the account. | Same as for View permission. |
| Messages | Messages is not displayed in the Setup menu. | Messages is displayed in the Setup menu. Users can view previously sent messages to devices they have access to. | Same as for View permission but users can now delete the messages. |
| Account Settings | Account Settings is not displayed in the Setup menu. | Account Settings is displayed in the Setup menu but users cannot configure them. | Account Settings can be fully configured. |
| Integrations | Integrations is not displayed in the Setup menu. | Integrations is displayed in the Setup menu but the integrations cannot be accessed. | The integrations can be viewed and configured. |
Security Level Details - Remote Control Tools
The Remote Control Tools section controls the access to each of the functions available within the Datto RMM Agent. When creating a new security level, all options are enabled by default.
Turning off any of the options in this section will inactivate that tool in the Agent Browser for the user who has been assigned that security level. Changes to the Agent Browser tools options will only come into effect once the Agent Monitor application on the endpoint device has been exited and restarted.
Detailed information about how to access the tools can be found in the Agent Browser tools topic. To learn more about each tool and which device types they are available for, click the referenced sections in the table below.
| Field | Description |
|---|---|
| Toggle all options | Enabled by default for new accounts. Toggle to turn OFF/ON all options listed below. |
| Screenshot | Refer to Screenshot. |
| Services | Refer to Windows Services. |
| Screen Share | Allows you to use Splashtop and VNC in the Agent Browser. Refer to Splashtop and VNC. |
| RDP | Refer to RDP. |
| Command Shell | Refer to Command Shell. |
| Restart/Shutdown | Refer to Restart and Shut Down. |
| Thumbnail Screen | Refer to Thumbnail Screen. |
| Chat | Refer to Chat. |
| Drive Information | Refer to Drive Information. |
| SSH/Telnet | Refer to Connect (Telnet/SSH). |
| PowerShell | Refer to PowerShell. |
| LAN Deploy | Refer to Agent Deployment. |
| Task Manager | Refer to Task Manager. |
| File Manager | Refer to File Management. |
| Registry Editor | Refer to Registry Editor. |
| Quick Jobs | Refer to Quick Jobs. |
| Event Viewer | Refer to Event Viewer. |
| Notes | Refer to Notes. |
| Wake-On-Lan | Refer to Wake Up. |
| HTTP | Refer to Connect (HTTP). |
| Custom Connection | Refer to Connect (Custom Tunnel). |
| Web Remote | Refer to Web Remote. |
Security Level Details - Membership
You can specify which users you would like to assign this security level to. Select your users and move them to the Include or Exclude column accordingly.
Use the Search field above either the Include or Exclude column to search for users. As you type, the search results are narrowed to match your search string.
Test a security level
When you set up a new security level, we recommend that you assign it to yourself first to see if it restricts or allows everything you want it to. Testing a security level is important to ensure that users with that security level are able to access the tools or information they require to perform their daily tasks. It is also equally important to ensure that they don't have access to anything they shouldn't. To learn how you can switch between security levels to test them, refer to Change your security level.
IMPORTANT If you give access to the system to third-party users, such as your customers, ensure that the security level restrictions meet your internal data security requirements.
Edit a security level
- In the Web Portal, click the Setup tab.
- Click Security Levels.
- Click the name of the security level you wish to edit.
- Edit the Security Level details.
- Click Apply and Save.
Delete a security level
- In the Web Portal, click the Setup tab.
- Click Security Levels.
- Hover over the name of the security level you wish to delete.
- Click Delete this security level.
- Confirm security level deletion. If the security level you are deleting is linked to any existing jobs or policy targets, it will need to be replaced with another of the available security levels.
NOTE While you can replace the security level used in existing jobs or policy targets, be aware that it is possible to delete the only security level associated with a user.
- Click Delete.
Change your security level
Users who have more than one security level assigned can change it on the fly in both the Datto RMM Agent and the Web Portal.
Agent
- On the local device where Datto RMM is installed, right-click on the Datto RMM Agent icon in the system tray and click Open.
- Log in with your credentials and click on the first menu option in the top left corner.
- Hover over Security Level and select the required security level from the list.
- You will be logged out of the Agent automatically.
- Log back in to be able to use the selected security level.
Web Portal
- In the top right corner, click on your current security level to see a list of available security levels.
- Select the required security level.
- The page will automatically refresh and the selected security level will be applied.
