Security levels

1. In the Web Portal, click on the Setup tab.
2. Click Security Levels.
3. Click New Security Level on the left of the page.
   

4. If you would like to copy an already existing security level to use it as a template, you can choose it from the Based On drop-down list. To create a new one, select New Security Level.
   

5. Give the security level a Name and a Description.
6. Click Save.

1. On the Security Level Details page, select the options applicable to the new security level.
   Expand each of these sections: Device Visibility, Permissions, Remote Control Tools, Membership.
   See below for further details on each section.

2. Click Apply and Save to finish creating the security level.

This video tutorial demonstrates how to create a security level for technical support engineers allowing them to use only the remote takeover functionality in the Agent Browser and access to the Web Portal.

Security Level Details - Device Visibility

This section controls which devices the security level has access to.
Turn on the options to include specific Sites, Site Device Groups, Device Groups or Site Groups, and Include or Exclude certain sites or groups.

Security Level Details - Permissions

Turn on permissions for each area of the Web Portal (Account, Sites, Components, ComStore, Jobs, Reports, Setup), then check None, View or Manage permission for each section within those areas.

Users will be unable to log in if None permission is selected for all options in their security level's Permissions section.

The Account and Setup tabs will be grayed out if None permission is selected for all options within Account permissions or Setup permissions, respectively.

ACCOUNT	None	View	Manage
Dashboard	The Dashboard is not displayed.	The Dashboard is displayed. Depending on Sites permissions ("OFF" or otherwise), the information shown may be limited in scope.	Same as for View permission.
Audit	The Audit tab is not displayed.	The Audit tab is displayed and users can view Account-level audit information.	Same as for View permission.
Manage	The Manage tab is not displayed.	The Manage tab is displayed. Patching: refer to Account-level permissions. Software: refer to Account-level permissions. iOS Apps: view iOS App Management policies. Backup: view Datto backup appliance data, but not add devices. Security: view existing Security Management policies.	The Manage tab is displayed. Patching: refer to Account-level permissions. Software: refer to Account-level permissions. iOS Apps: view and create iOS App Management policies. Backup: view and map Datto backup appliance data Security: view and create Security Management policies
Monitor	The Monitor tab is not displayed.	The Monitor tab is displayed. Users can view monitor alerts and job alerts that have been raised across sites the user has access to. Users can run jobs if they have Manage permission for JOBS > Active Jobs as well. Job alerts cannot be resolved. Only users with Administrator security level can see suspended devices.	Same as for View permission but users can also resolve and mute all alerts.
Support	The Support tab is not displayed.	The Support tab is displayed and users can see support tickets raised from the sites they have access to.	Same as for View permission.
Policies	The Policies tab is not displayed.	The Policies tab is displayed. Users can see what policies have been set on the sites they have access to, but not make new ones. Users can see which of their permitted devices are targeted, but not toggle policies. Regarding Patch Management policies, refer to Account-level permissions. Regarding Software Management policies, refer to Account-level permissions.	Same as for View permission but users can also edit individual targets and configure new policies and overrides (for patch management). Regarding Patch Management policies, refer to Account-level permissions. Regarding Software Management policies, refer to Account-level permissions.
Filters	Users will neither be able to see nor create their own Account-level filters, being limited only to the Default Device Filters provided in various categories.	Users can see filters created at the Account level from all users.	Users can create and edit their own filters at the Account level.
Groups	Users will neither be able to see nor create their own Account-level groups.	Users can see groups created at the Account level from all users.	Users can see and edit groups created at the Account level from all users.
SITES	None	View	Manage
Sites	The Sites tab will be displayed but users will be unable to access the permitted sites when clicking on the tab. However, users will be able to view the permitted sites using the down arrow to the right of the Sites tab. It is recommended to hide sites individually, instead of hiding the Sites tab.	Users will be able to view the list of sites they have been permitted access to. Users will be unable to delete or edit sites, although they may be permitted group and filter access.	Same as for View permission but sites can now be deleted and edited. Groups cannot be created (this requires the Groups permission below). Quick jobs can also be run if components are available.
Summary	Users will be unable to view a site's Summary page, however, the rest of the tools/actions (e.g. Audit, Manage, etc.) can be accessed through the context menu . Refer to Site lists.	Users are able to view a site's Summary page. Although the Notes section appears, no notes can be logged. Users must have at least View permission for SITES > Manage to be able to see the Patch Status pie chart.	Same as for View permission but notes can now be saved.
Devices	The Devices tab is not displayed and individual device pages cannot be accessed.	The Devices tab can be accessed but the only actions that appear are Refresh and Export to CSV. On individual device pages, users are able to view device information but they cannot edit it.	Same as for View permission but, depending on the user's security level permissions, expanded actions to move or edit devices, and perform operations on them are shown on both the Devices tab and individual device pages. On individual device pages, users are able to edit device information if they have Manage permission for SITES > Summary as well.
Audit	The Audit tab is not displayed at either the Site or the Device level.	The Audit tab is displayed and users can view Site- and Device-level audit information.	Same as for View permission but users can also manage, move, and delete discovered devices, and request device audits.
Manage	The Manage tab is not displayed.	The Manage tab is displayed. Patching: refer to Site-level permissions and Device-level permissions. Software: refer to Site- and Device-level permissions. iOS Apps: view iOS App Management policies. Backup: view Datto backup appliance data, but not add devices. Security: view existing Security Management policies.	The Manage tab is displayed. Patching: refer to Site-level permissions and Device-level permissions. Software: refer to Site- and Device-level permissions. iOS Apps: view and create iOS App Management policies. Backup: view and map Datto backup appliance data. Security: view and create Security Management policies.
Monitor	At the Site level, the Monitor tab is not displayed. At the Device level, the Monitor tab is displayed but the list of alerts cannot be accessed.	The Monitor tab is displayed. Users can view monitor alerts that have been raised for the site and devices in question. Users can run jobs if they have Manage permission for JOBS > Active Jobs as well. Device-level monitors cannot be created.	Same as for View permission but users can also resolve and mute monitor alerts. Device-level monitors can also be created.
Support	The Support tab is not displayed.	The Support tab is displayed and the support tickets can be viewed.	Same as for View permission but the support tickets can also be edited.
Filters	Site-level filters can neither be created nor accessed.	Users can see filters created at the Site level from all users.	Users can create and edit their own filters at the Site level.
Groups	Site-level groups can neither be created nor accessed.	Users can use groups that have already been defined, but devices cannot be added newly and group names cannot be changed.	Same as for View permission but users are now able to edit existing groups and move devices freely in and out. Groups can be created or deleted at will.
Policies	The Policies tab is not displayed.	The Policies tab is displayed and Site-level policies can be viewed. Regarding Patch Management policies, refer to Site-level permissions and Device-level permissions. Regarding Software Management policies, refer to Site- and Device-level permissions.	Same as for View permission but users can now also create policies. Filters and groups can be applied depending on the user's security settings for filters and groups. Regarding Patch Management policies, refer to Site-level permissions and Device-level permissions. Regarding Software Management policies, refer to Site- and Device-level permissions.
Settings	The Settings tab is not displayed.	The Settings tab is displayed and the settings for individual sites can be viewed but not changed.	Same as for View permission but the settings for individual sites can be configured.
Deleted Devices	The Manage Deletions option is displayed but users will be unable to access the list of Deleted Devices when clicking on Manage Deletions.	Users are able to access the list of Deleted Devices by clicking on the Manage Deletions option.	Same as for View permission but users can now delete devices from the list.
COMPONENTS	None	View	Manage
Components	The Components tab is displayed but users are not able to view the list of their components or select any components as part of jobs.	The Component tab is displayed and users are able to see and choose components as part of jobs but not export, edit, copy, or delete them. Component scripts can be viewed (and files downloaded) but edits cannot be saved. Components can be marked as favorites. The component level of components cannot be changed on the Component List page. Users can run jobs if they have Manage permission for JOBS > Active Jobs as well.	Same as for View permission, but users are now able to export, edit, copy, and delete components, as well as change the component level of components on the Component List page.
User Tasks	Users are not able to see if a component in the Component Library has been marked as a User Task.	Same as for None permission.	Users are able to see if a component in the Component Library has been marked as a User Task and they can click the Toggle User Task icon to enable or disable a component as a User Task.
COMSTORE	None	View	Manage
ComStore	The ComStore tab is displayed but the list of components cannot be accessed.	The ComStore can be browsed, but the components on display cannot be added to the Component Library.	Same as for View permission but the components can now be added to the Component Library.
JOBS	None	View	Manage
Active Jobs	The Jobs tab is not displayed. Jobs and quick jobs cannot be scheduled and run.	The Jobs tab is displayed but the New Job option is not available. Active Jobs and Completed Jobs can be accessed but jobs and quick jobs cannot be scheduled, run, edited, or deleted.	Same as for View permission but the New Job option is now available, and jobs and quick jobs can be scheduled, run, edited, and deleted.
REPORTS	None	View	Manage
Active Reports	The Reports tab is not displayed. Reports and exports cannot be scheduled and run.	The Reports tab is displayed but the New Report option is not available. Active Reports and Completed Reports can be accessed but reports and exports cannot be scheduled, run, edited, or deleted.	Same as for View permission but the New Report option is now available, and reports and exports can be scheduled, run, edited, and deleted.
SETUP	None	View	Manage
Billing	Billing is not displayed in the Setup menu.	Billing is displayed in the Setup menu. Users can request subscription increase.	Same as for View permission.
My Info	My Info is not displayed in the Setup menu.	My Info is displayed in the Setup menu. Users can configure their language, default security level and 2FA settings, and change their password. These changes do not apply to other users within the account.	Same as for View permission.
Messages	Messages is not displayed in the Setup menu.	Messages is displayed in the Setup menu. Users can view previously sent messages to devices they have access to.	Same as for View permission but users can now delete the messages.
Account Settings	Account Settings is not displayed in the Setup menu.	Account Settings is displayed in the Setup menu but users cannot configure them.	Account Settings can be fully configured.
Integrations	Integrations is not displayed in the Setup menu.	Integrations is displayed in the Setup menu but the integrations cannot be accessed.	The integrations can be viewed and configured.

Security Level Details - Remote Control Tools

The Remote Control Tools section controls the access to each of the functions available within the Datto RMM Agent. When creating a new security level, all options are enabled by default.

Turning off any of the options in this section will inactivate that tool in the Agent Browser for the user who has been assigned that security level. Changes to the Agent Browser tools options will only come into effect once the Agent Monitor application on the endpoint device has been exited and restarted.

Detailed information about how to access the tools can be found in the Agent Browser tools topic. To learn more about each tool and which device types they are available for, click the referenced sections in the table below.

Tool/Field	Description
Toggle all options	Enabled by default for new accounts. Toggle to turn OFF/ON all options listed below.
Screenshot	Refer to Screenshot.
Services	Refer to Windows Services.
Screen Share	Allows you to use Splashtop and VNC in the Agent Browser. Refer to Splashtop and VNC.
RDP	Refer to RDP.
Command Shell	Refer to Command Shell.
Restart/Shutdown	Refer to Restart and Shut Down.
Thumbnail Screen	Refer to Thumbnail Screen.
Chat	Refer to Chat.
Drive Information	Refer to Drive Information.
SSH/Telnet	Refer to Connect (Telnet/SSH).
PowerShell	Refer to PowerShell.
LAN Deploy	Refer to Agent Deployment.
Task Manager	Refer to Task Manager.
File Manager	Refer to File Management.
Registry Editor	Refer to Registry Editor.
Quick Jobs	Refer to Quick Jobs.
Event Viewer	Refer to Event Viewer.
Notes	Refer to Notes.
Wake-On-Lan	Refer to Wake Up.
HTTP	Refer to Connect (HTTP).
Custom Connection	Refer to Connect (Custom Tunnel).

Security Level Details - Membership

You can specify which users you would like to assign this security level to. Select your users and move them to the Include or Exclude column accordingly.
Use the Search field above either the Include or Exclude column to search for users. As you type, the search results are narrowed to match your search string.

When you set up a new security level, we recommend that you assign it to yourself first to see if it restricts or allows everything you want it to. Testing a security level is important to ensure that users with that security level are able to access the tools or information they require to perform their daily tasks, and it's equally important to ensure that they don't see anything that they shouldn't. To learn how you can switch between security levels to test them, refer to Change your security level.

If you give access to the system to third party users, such as your customers, make sure that the security level restrictions meet your internal data security requirements.

1. In the Web Portal, click on the Setup tab.
2. Click Security Levels.
3. Click on the name of the security level you wish to edit.
4. Edit the Security Level Details.
5. Click Apply and Save.

1. In the Web Portal, click on the Setup tab.
2. Click Security Levels.
3. Hover over the name of the security level you wish to delete.
4. Click Delete this security level.
   

5. Confirm security level deletion. If the security level you are deleting is linked to any existing jobs or policy targets, it will need to be replaced with another of the available security levels.
   

While you can replace the security level used in existing jobs or policy targets, be aware that it is possible to delete the only security level associated with a user.

6. Click Delete.

Users who have more than one security level assigned can change it on the fly in both the Datto RMM Agent and the Web Portal.

Agent

1. On the local device where Datto RMM is installed, right-click on the Datto RMM Agent icon in the system tray and click Open.
2. Log in with your username and password.
3. Click on the first menu option in the top left corner.
4. Hover over Security Level and select the required security level from the list.
   

5. You will be logged out of the Agent automatically.
6. Log back in to be able to use the selected security level.

Web Portal

1. In the top right corner, click on your current security level to see a list of available security levels.
   

2. Select the required security level.
3. The page will automatically refresh and the selected security level will be applied.