Unified Login with KaseyaOne

SECURITY  Administrator

NAVIGATION  Setup > Integrations > KaseyaOne

In Datto RMM, navigate to Setup > Integrations > KaseyaOne, and click Turn On. If you are not already logged in to KaseyaOne, you will be prompted to log in. This will register Datto RMM as a single sign-on (SSO) module in your KaseyaOne instance.

With this enabled, existing KaseyaOne users in your account will be able to log in to Datto RMM from KaseyaOne if their email address matches that of an active Datto RMM user. All users in your organization's KaseyaOne account will have the Datto RMM module shortcut added to their KaseyaOne dashboard. Refer to Logging in via KaseyaOne.

NOTE  If a user is using KaseyaOne to log in to Datto RMM, and they have multiple user accounts with the same email address, they will be logged in to the username that is first alphabetically. Once they log in, they will be able to change which account they are actively using. Refer to Switch User.

IMPORTANT  If you receive an error when enabling Unified Login, or you have more than one KaseyaOne account and the wrong one is linked to Datto RMM, please reach out to Support.

When KaseyaOne Unified Login is enabled, some additional configuration options will become available. Refer to the subsequent sections for details.

You can require users to use KaseyaOne Unified Login to log in to Datto RMM by turning on the Require Log In with KaseyaOne toggle. This allows you to more easily manage your internal Datto RMM users from the KaseyaOne portal.

Upon enabling this feature, you will see a pop-up notification reminding you that, by default, users will no longer be able to log in to Datto RMM via the Datto Partner Portal. Click Confirm to execute the action or Cancel to close out of the dialog box.

IMPORTANT  Once this option is enabled, any users that do not have a KaseyaOne account will no longer be able to log in to Datto RMM through the Datto Partner Portal unless you add them to User Exceptions. Refer to Exempt users from being required to log in with KaseyaOne.
The following error message will show if a user not added to User Exceptions attempts to log in:
 

Once the Require Log In with KaseyaOne feature is enabled, you will be able to add any existing users to the User Exceptions list.

Any users added to User Exceptions will still be able to log in using Datto Partner Portal authentication.

This option is useful if you have users that need to log in to Datto RMM for remote access or reporting, such as customer IT staff, but do not require KaseyaOne accounts.

NOTE  All Datto RMM users that are assigned the Administrator security level are automatically added to the User Exceptions list.

Enabling the Automatic User Creation feature allows users in KaseyaOne who have never logged in to Datto RMM to have a user account automatically created upon their first time logging in to Datto RMM. Their account will be assigned the security level you select in the default settings, unless the Access Groups setting is enabled, in which case they will be assigned to the security level mapped to their KaseyaOne Group. All new users created through this process will be assigned the Low (2) component level. Refer to Automatically assign access to Datto RMM based on KaseyaOne groups.

NOTE  While you are allowed to set Administrator as the default security level for automatic user creation, this is not recommended.

Users in KaseyaOne will not have a Datto RMM account created for them until they attempt to log in from KaseyaOne. Refer to Logging in via KaseyaOne.

NOTE  A warning will inform you that automatic user creation will not be enabled until you select a default security level.

The Access Groups setting replaces all users' security levels with security levels matching the KaseyaOne group names the users are assigned to. Existing security level assignments will still apply to a login authenticated via Datto AuthWeb (Datto Partner Portal).

IMPORTANT  Access group security levels will replace manually assigned security levels for login via KaseyaOne. Users with no valid security level will not be able to log in to Datto RMM.

NOTE  Users manually assigned to the default Administrator security level will always be able to log in via Datto AuthWeb (Datto Partner Portal) in addition to their access group permissions.

The Access Groups table will show the mappings between KaseyaOne groups and Datto RMM security levels. The mapping synchronizes nightly, but a manual sync can be requested using the Sync option.

Because this setting changes the way that Datto RMM security levels are assigned, it is recommended you go through the following best practice setup steps first: 

1. Start by creating user groups in KaseyaOne (or connect your third-party IdP to synchronize those user groups to KaseyaOne). Use a naming convention that defines the roles of your employees, make sure the groups have Datto RMM assigned, and add the appropriate users to each group.
2. Create new security levels in Datto RMM with matching names, or rename existing security levels to match the KaseyaOne group names (this is not case sensitive).
3. Click Sync in the Access Groups section to confirm all groups match to the intended Datto RMM security level. If the mappings match as expected, proceed to turn on the Enable Access Group toggle.
4. Use the Access Groups setting alongside Require Log In with KaseyaOne for standard employees to ensure they receive security levels based on their KaseyaOne groups. If they log in via Datto AuthWeb, they will still receive the manually assigned security levels.
5. Add external users to the Require Log In with KaseyaOne exception list to ensure they keep manually assigned security levels.

NOTE  Security level mapping will be recalculated and updated at the time of login. If changes leave a KaseyaOne access group without a matching security level, users assigned to that KaseyaOne group will receive the following error message when attempting to log in to Datto RMM:

If the Automatic User Deprovisioning toggle is turned on, when a user is deactivated or deleted in KaseyaOne, their corresponding Datto RMM user will be deactivated.

IMPORTANT   If this setting is enabled, even if a user is not required to log in via KaseyaOne, their Datto RMM user account will be deactivated when their KaseyaOne user account is deleted or deactivated.

To turn off KaseyaOne Unified Login, navigate to Setup > Integrations > KaseyaOne, and click Turn Off.

This action will break the link between KaseyaOne and Datto RMM for allusers in your Datto RMM account.

Turning off the integration will unregister Datto RMM from KaseyaOne, and the module shortcut on the KaseyaOne dashboard will disappear.