Unified Login with KaseyaOne

SECURITY Administrator
NAVIGATION Setup > Integrations > KaseyaOne
About the integration
Datto RMM supports single sign-on with KaseyaOne, making user management and access easier across Kaseya modules. Using Unified Login provides a range of powerful user management tools.
Requirements
- A Datto RMM user account with the Administrator security level.
- Membership to a group in KaseyaOne that has the Datto RMM module assigned to it. For more information on managing KaseyaOne groups, refer to Manage KaseyaOne Groups in the KaseyaOne Help system.
How to...

To enable Log In with KaseyaOne for Datto RMM, do the following:
- Log in to Datto RMM in the usual way.
- Navigate to Setup > Integrations > KaseyaOne.
- In the Unified Login section, click Turn On.
- The KaseyaOne login page opens prompting you to log in. Enter your KaseyaOne credentials and then the verification code. This registers Datto RMM as a single sign-on(SSO) module in your KaseyaOne instance.
NOTE If you are already logged in to KaseyaOne, then you will not be prompted to log in again and your account association will be completed automatically. Wait for the serial redirects to process the load and you will be redirected back to ConnectBooster.
- After you have successfully logged in to KaseyaOne, you will be redirected back to the Datto RMM portal.
With this enabled, existing KaseyaOne users in your account will be able to log in to Datto RMM from KaseyaOne if their email address matches that of an active Datto RMM user. All users in your organization's KaseyaOne account will have the Datto RMM module shortcut added to their KaseyaOne dashboard. Refer to Logging in via KaseyaOne.
NOTE If a user is using KaseyaOne to log in to Datto RMM, and they have multiple user accounts with the same email address, they will be logged in to the username that is first alphabetically. Once they log in, they will be able to change which account they are actively using. Refer to Switch User.
IMPORTANT If you receive an error when enabling Unified Login, or you have more than one KaseyaOne account and the wrong one is linked to Datto RMM, please reach out to Support.
When KaseyaOne Unified Login is enabled, some additional configuration options will become available. Refer to the subsequent sections for details.

To enable Require Log In with KaseyaOne for Datto RMM, do the following:
- Log in to Datto RMM in the usual way and navigate to Setup > Integrations > KaseyaOne.
- Turn on the Require Log In with KaseyaOne toggle.
- Click Confirm on the pop-up notification message that appears reminding you that users will no longer be able to log in to Datto RMM through Datto Partner Portal.
- Under User Exceptions, click the drop-down arrow and select the users who will be exempt from this condition — that is, they will be able to log in using either Log In with KaseyaOne or Datto Partner Portal authentication
IMPORTANT Once this option is enabled, any users that do not have a KaseyaOne account will no longer be able to log in to Datto RMM through the Datto Partner Portal unless you add them to User Exceptions. Refer to Exempt users from being required to log in with KaseyaOne.
The following error message will show if a user not added to User Exceptions attempts to log in:

Once the Require Log In with KaseyaOne feature is enabled, you will be able to add any existing users to the User Exceptions list.
Any users added to User Exceptions will still be able to log in using Datto Partner Portal authentication.
This option is useful if you have users that need to log in to Datto RMM for remote access or reporting, such as customer IT staff, but do not require KaseyaOne accounts.
NOTE All Datto RMM users that are assigned the Administrator security level are automatically added to the User Exceptions list.

To enable Automatic User Provisioning for Datto RMM, do the following:
- Log in to Datto RMM in the usual way and navigate to Setup > Integrations > KaseyaOne.
- Turn on the Enable Automatic User Creation toggle to enable just-in-time provisioning for Datto RMM.
- A pop-up message appears informing you that Automatic User Creation will not be enabled until you select a default security level.
- Under Security Level, click the drop-down arrow and select the default access level to assign to new KaseyaOne users. For security reasons, select a lower level of access as the default.
Enabling the Automatic User Creation feature allows users in KaseyaOne who have never logged in to Datto RMM to have a user account automatically created upon their first time logging in to Datto RMM. Their account will be assigned the security level you select in the default settings, unless the Access Groups setting is enabled, in which case they will be assigned to the security level mapped to their KaseyaOne Group. All new users created through this process will be assigned the Low (2) component level. Refer to Automatically assign access to Datto RMM based on KaseyaOne groups.
Users in KaseyaOne will not have a Datto RMM account created for them until they attempt to log in from KaseyaOne. Refer to Logging in via KaseyaOne.

To enable Access Groups for Datto RMM, do the following:
- Log in to Datto RMM in the usual way and navigate to Setup > Integrations > KaseyaOne.
- Review the mapping rules in the Access Groups section under Automatic Mappings Found:
- Review the KaseyaOne group-to-Datto RMM security level mappings to make sure they are what you want. For example, each KaseyaOne group should map to a Datto RMM security level that has the same or similar level of user access.
- Click Sync to confirm all groups match to the intended Datto RMM security level.
- If the mappings match as expected, then proceed to the next step.
- Turn on the Enable Access Groups toggle to enable the feature.
The Access Groups setting replaces all users' security levels with security levels matching the KaseyaOne group names the users are assigned to. Existing security level assignments will still apply to a login authenticated via Datto AuthWeb (Datto Partner Portal).
IMPORTANT Access group security levels will replace manually assigned security levels for login via KaseyaOne. Users with no valid security level will not be able to log in to Datto RMM.
NOTE Users manually assigned to the default Administrator security level will always be able to log in via Datto AuthWeb (Datto Partner Portal) in addition to their access group permissions.
The Access Groups table will show the mappings between KaseyaOne groups and Datto RMM security levels. The mapping synchronizes nightly, but a manual sync can be requested using the Sync option.
Because this setting changes the way that Datto RMM security levels are assigned, it is recommended you go through the following best practice setup steps first:
- Start by creating user groups in KaseyaOne (or connect your third-party IdP to synchronize those user groups to KaseyaOne). Use a naming convention that defines the roles of your employees, make sure the groups have Datto RMM assigned, and add the appropriate users to each group.
- Create new security levels in Datto RMM with matching names, or rename existing security levels to match the KaseyaOne group names (this is not case sensitive).
- Click Sync in the Access Groups section to confirm all groups match to the intended Datto RMM security level. If the mappings match as expected, proceed to turn on the Enable Access Group toggle.
- Use the Access Groups setting alongside Require Log In with KaseyaOne for standard employees to ensure they receive security levels based on their KaseyaOne groups. If they log in via Datto AuthWeb, they will still receive the manually assigned security levels.
- Add external users to the Require Log In with KaseyaOne exception list to ensure they keep manually assigned security levels.
NOTE Security level mapping will be recalculated and updated at the time of login. If changes leave a KaseyaOne access group without a matching security level, users assigned to that KaseyaOne group will receive the following error message when attempting to log in to Datto RMM:

To enable Automatic User Deprovisioning for Datto RMM, do the following:
-
Log in to Datto RMM in the usual way and navigate to Setup > Integrations > KaseyaOne.
-
Turn on the Enable Automatic User Deprovisioning toggle to allow just-in-time user deprovisioning for Datto RMM.
If the Automatic User Deprovisioning toggle is turned on, when a user is deactivated or deleted in KaseyaOne, their corresponding Datto RMM user will be deactivated.
IMPORTANT Even if a user is not required to log in via KaseyaOne and this feature is enabled, their Datto RMM user account will be deleted or deactivated when their KaseyaOne user account is deleted or deactivated.

To turn off KaseyaOne Unified Login, navigate to Setup > Integrations > KaseyaOne, and click Turn Off.
This action will break the link between KaseyaOne and Datto RMM for allusers in your Datto RMM account.
Turning off the integration will unregister Datto RMM from KaseyaOne, and the module shortcut on the KaseyaOne dashboard will disappear.