Security levels - Legacy UI
Security and navigation
SECURITY Administrator
NAVIGATION Legacy UI > Setup > Security Levels
New UI instructions
Refer to Security levels.
About security levels
Security levels specify and limit the access users have when logged in to the Datto RMM web interface, the Agent Browser, or a Web Remote session or chat. Users can have more than one security level and change them as needed. Security levels can be added, edited, copied, and deleted in both the legacy UI and the New UI. Users can switch security levels in the legacy UI, the New UI, and the Agent Browser.
IMPORTANT You must have the Administrator security level to be able to add, edit, copy, or delete a security level. For further information, refer to Users - Legacy UI in the legacy UI and Users in the New UI.
Administrator security level
By default, the Administrator security level is assigned to the user who registers a Datto RMM account, and it is the only security level available to assign to new users until other security levels are created. The Administrator security level cannot be modified or edited in any way. Users who have this security level assigned have full and unlimited access to all Datto RMM functionality and can see and connect to all devices in the Datto RMM account.
How to...
Add a security level
- In the Web Portal, click the Setup tab.
- Click Security Levels.
- Click New Security Level on the left-hand side of the page.
- If you would like to copy an already existing security level to use it as a template, you can choose it from the Based On drop-down list. To create a new one, select New Security Level.
- Give the security level a Name and a Description.
- Click Save.
Configure the security level details
- On the Security Level Details page, select the options applicable to the new security level.
Expand each of these sections: Device Visibility, Permissions, Remote Control Tools, and Membership.
See below for further details on each section.
- Click Apply and Save to finish creating the security level.
Security Level Details - Device Visibility
This section controls which devices the security level has access to.
Turn on the options to include specific Sites, Site Device Groups, Device Groups, or Site Groups, and include or exclude certain sites or groups.
IMPORTANT You can create a security level that grants remote takeover access in the New UI to devices within selected Device Groups without giving access to the devices' sites as well. Refer to Device Groups security level.
Security Level Details - Permissions
Turn on permissions for Account, Sites, Components, ComStore, Jobs, Reports, and Setup, and then check None, View, or Manage permission for each area. You can configure the same permission for each area within a section with one click in the top row of the table. When creating a new security level, permissions are set to View for all areas by default.
IMPORTANT Users will be unable to log in if None permission is selected for all areas in their security level's Permissions section.
IMPORTANT The Account and Setup tabs in the legacy UI will not be available if None permission is selected for all areas within Account (legacy UI) or Global (New UI) and Setup, respectively.
Account
| None | View | Manage | |
|---|---|---|---|
| Dashboard | Legacy UI:
The Account > Dashboard menu or tab is not displayed. |
Legacy UI:
The Account > Dashboard menu or tab is displayed. Depending on sites visibility (toggled OFF, for example), the information shown may be limited in scope. |
Legacy UI:
Same as for View permission. |
| New UI:
If the New UI is set as the default interface for a user, ensure that they have at least View permission for Global > Dashboard to prevent an Access denied error message when they log in to their account. |
|||
| Audit | Legacy UI:
The Account > Audit menu or tab is not displayed. |
Legacy UI:
The Account > Audit menu or tab is displayed. Users can view account-level audit information. |
Legacy UI:
Same as for View permission. |
| New UI:
The Global > Patches menu is not displayed. The Global > Software and Global > Hardware menus are not displayed. |
New UI:
The Global > Patches menu is displayed. Refer to Global and site-level patches summary lists. The Global > Software and Global > Hardware menus are displayed. Refer to Software and Hardware. |
New UI:
Same as for View permission. |
|
| Manage | Legacy UI:
The Account > Audit menu or tab is not displayed. |
Legacy UI:
The Account > Manage menu or tab is displayed. Patch Management: Refer to Account-level permissions. Software Management: Refer to Account-level permissions. (Deprecated) iOS App Management: Users can view iOS App Management policies. IMPORTANT The Mobile Device Management (MDM) feature is no longer available. For more information, refer to this Kaseya Community post. (Deprecated) Backup Management: Users can view Datto backup appliance data but they cannot add devices. IMPORTANT The Datto BCDR Integration is no longer available. It has been replaced by the Datto Continuity Integration in the New UI. Refer to Datto Continuity Integration. Therefore, the Datto RMM Backup Management functionality is also no longer available. Security Management: Users can view existing Security Management policies. |
Legacy UI:
The Account > Manage menu or tab is displayed. Patch Management: Refer to Account-level permissions. Software Management: Refer to Account-level permissions. (Deprecated) iOS App Management: Users can view and create iOS App Management policies. IMPORTANT The Mobile Device Management (MDM) feature is no longer available. For more information, refer to this Kaseya Community post. (Deprecated) Backup Management: Users can view and map Datto backup appliance data. IMPORTANT The Datto BCDR Integration is no longer available. It has been replaced by the Datto Continuity Integration in the New UI. Refer to Datto Continuity Integration. Therefore, the Datto RMM Backup Management functionality is also no longer available. Security Management: Users can view and create Security Management policies. |
| New UI:
The Global > Software Management menu is not displayed. |
New UI:
The Global > Software Management menu is displayed, but users cannot approve software updates unless they have Manage permission for Global > Policies. |
New UI:
Same as for View permission. |
|
| Monitor | Legacy UI:
The Account > Monitor menu or tab is not displayed. |
Legacy UI:
The Account > Monitor menu or tab is displayed. Users can view monitor alerts and job alerts that have been raised across sites they have access to; however, they cannot resolve alerts and they also cannot disable the monitors that raised the alerts. Users can run jobs from an individual alert page if they have Manage permission for Jobs > Active Jobs as well. Only users with the Administrator security level can see suspended devices. |
Legacy UI:
Same as for View permission but users can also resolve monitor and job alerts and disable the monitors that raised the alerts. |
| New UI:
The Global > Alerts menu is not displayed. |
New UI:
The Global > Alerts menu is displayed. Users that also have at least View permission for Sites > Sites and Sites > Devices can view and resolve a list of alerts and individual alerts for the sites they have access to. Users can run jobs from the Single Alert View page if they have Manage permission for Jobs > Active Jobs as well. |
New UI:
Same as for View permission. |
|
| Support | Legacy UI:
The Account > Support menu or tab is not displayed. |
Legacy UI:
The Account > Support menu or tab is displayed. Users can see support tickets raised from the sites they have access to. |
Legacy UI:
Same as for View permission. |
| New UI:
N/A |
New UI:
N/A |
|
|
| Policies | Legacy UI:
The Account > Policies menu or tab is not displayed. |
Legacy UI:
The Account > Policies menu or tab is displayed. Users can see what policies have been set in the sites they have access to but they cannot create new ones. Users can see which of their permitted devices are targeted but they cannot toggle policies. Regarding Patch Management policies, refer to Account-level permissions. Regarding Software Management policies, refer to Account-level permissions. |
Legacy UI:
Same as for View permission but users can also edit individual targets and configure new policies and Patch Management policy overrides. Regarding Patch Management policies, refer to Account-level permissions. Regarding Software Management policies, refer to Account-level permissions. |
| New UI:
The Global > Policies menu and the Policies menu are not displayed, and users cannot see the details of global policies, unless they have at least View permission for Sites > Sites as well as Sites > Policies. (Site and device visibility restrictions are respected.) Users cannot create new global policies or edit, delete, or copy existing ones. In the Policies card on the device summary page, users cannot click the name of a global policy. |
New UI:
The Global > Policies menu and the Policies menu are displayed, but users cannot see the details of global policies unless they have at least View permission for Sites > Sites as well as Sites > Policies. (Site and device visibility restrictions are respected.) Users cannot create new global policies or edit, delete, or copy existing ones. In the Policies card on the device summary page, users can click the name of a global policy if they also have at least View permission for Sites > Policies. Users can view Managed software on the device summary page. Refer to Software. |
New UI:
Same as for View permission, but users can also create, edit, delete, or copy global policies as well as export Monitoring policies. Users can enable or disable policies from the Policies card on the device summary page if they also have at least View permission for Sites > Policies. The Best Practices button is displayed on the Policies page and Sites > Policies page if users have Manage permission for ComStore > ComStore. The Import button is displayed on the Policies page and Sites > Policies page. Users can approve global Managed software updates. Refer to Software Management. |
|
| Filters | Legacy UI:
Users cannot access or create Custom Device Filters, and they cannot access Default Device Filters. |
Legacy UI and New UI:
Users can access Custom Device Filters created by anyone that has shared those filters with the users' assigned security level; however, users cannot create Custom Device Filters. Users can access Default Device Filters. |
Legacy UI:
Same as for View permission but users can also create and delete their own Custom Device Filters and those that have been shared with their assigned security level. Users can edit Custom Device Filters if they also have Manage permission for Sites > Filters. |
| New UI:
Users cannot access or create Custom Device Filters; however, they can access Default Device Filters. |
New UI:
Same as for View permission but users can also create, edit, and delete their own Custom Device Filters and those that have been shared with their assigned security level. |
||
| Groups | Legacy UI and New UI:
Users cannot view or create groups at the account/global level. |
Legacy UI and New UI:
Users can view groups created at the account/global level by any user that has shared the group with their assigned security level. |
Legacy UI and New UI:
Users can view, edit, and delete groups created at the account/global level. |
Sites
| None | View | Manage | |
|---|---|---|---|
| Sites | Legacy UI:
The Sites tab is displayed, but users cannot access the list of sites when clicking the tab. NOTE It is recommended to exclude sites individually instead of limiting access to the Sites tab. |
Legacy UI:
Users can view the list of all sites they have access to. Users cannot create, edit, or delete sites, although they may have group and filter access. |
Legacy UI:
Same as for View permission but users can also create, edit, or delete sites. Groups cannot be created (this requires the Groups permission below). Quick jobs can also be run if components are available. |
| New UI:
The Sites menu is displayed but users cannot access the list of sites. |
New UI:
Users can view the list of all sites they have access to, but they cannot create, edit, or delete sites although they may have group and filter access. Users can add a new device to the sites they have access to. Users can access Network Discovery. Refer to Network Discovery. |
New UI: Same as for View permission but users can also delete sites. Users can create sites and access site settings if they also have Manage permission for Sites > Settings. |
|
| Summary | Legacy UI:
Users cannot view a site's Summary page; however, the rest of the tools/actions (for example, Audit, Manage, etc.) can be accessed. Refer to Site lists - Legacy UI. |
Legacy UI:
Users can view a site's Summary page. Although the Notes section appears, no notes can be logged. Users can only see the Patch Status pie chart if they also have at least View permission for Sites > Manage. |
Legacy UI:
Same as for View permission but users can also save notes. |
| Devices | Legacy UI:
A site's Devices menu or tab is not displayed, and individual device pages cannot be accessed. |
Legacy UI:
A site's Devices menu or tab can be accessed, but the only actions that appear are Export to CSV and Refresh. On individual device pages, users can view device information but they cannot edit it. |
Legacy UI:
Same as for View permission but, depending on the user's security level permissions for other areas, expanded actions to move or edit devices and perform operations on them are shown on both the Devices tab and individual device pages. On individual device pages, users can edit device information if they have Manage permission for Sites > Summary as well. Users can also delete devices if they have Manage permission for Sites > Deleted Devices as well. Users can change a device's device type if they also have Manage permission to Sites > Audit. Users can enable Privacy Mode for devices. |
| New UI:
The Devices menu is not displayed. Users with at least View permission for Sites > Sites can see the Devices menu and they can add a new device to any site they have access to; however, they cannot access any device. |
New UI:
The Devices menu is displayed, but users can only view devices if they also have at least View permission for Sites > Sites. Users can see device information but they cannot edit it or delete a device. Users can perform the Copy Device Information to Clipboard action. The users' ability to perform other device actions depends on their security level permissions for other areas of the web interface. Refer to the Security and navigation section in Device summary and Devices. Users can also approve software updates. Refer to Software. Users can also view and search for device-related activity in the Activity Log. Refer to Activity Log. |
New UI:
Same as for View permission but users can also edit device information and perform actions on a device if they also have at least View permission for Sites > Sites. Users can delete a device from any site they have access to if they also have at least View permission for Sites > Sites and Manage permission for Sites > Deleted Devices. Users can change a device's device type if they also have Manage permission to Sites > Audit. The users' ability to perform device actions may depend on their security level permissions for other areas of the web interface. Refer to the Security and navigation section in Device summary and Devices. |
|
| Audit | Legacy UI:
The Audit menu or tab is not displayed at either the site or the device level. |
Legacy UI:
The Audit tab is displayed at the site and device level. Users can view audit information. |
Legacy UI:
Same as for View permission but users can also manage, move, and delete discovered devices, and request device audits. Users can change a device's device type if they also have Manage permission to Sites > Devices. |
| New UI:
The Request Audit action button is not displayed on the device summary page and displayed but unavailable on device list pages. The Sites > Patches menu is not displayed. The Sites > Software and Sites > Hardware menus are not displayed. |
New UI:
The Request Audit action button is not displayed on the device summary page and displayed but unavailable on device list pages. The Sites > Patches menu is displayed if users have at least View permission for Sites > Sites. Refer to Global and site-level patches summary lists. The Sites > Software and Sites > Hardware menus are displayed if users have at least View permission for Sites > Sites. Refer to Software and Hardware. |
New UI:
Users can see the Request Audit action button on the device summary page and it is available on device list pages as well if they also have at least View permission for Sites > Sites and Sites > Devices. Users can request full and delta audits. The Sites > Patches menu is displayed if users have at least View permission for Sites > Sites. Refer to Global and site-level patches summary lists. The Sites > Software and Sites > Hardware menus are displayed if users have at least View permission for Sites > Sites. Refer to Software and Hardware. Users can change a device's device type if they also have Manage permission to Sites > Devices. |
|
| Manage | Legacy UI:
The Manage menu or tab is not displayed at the site level. The Manage menu or tab is displayed at the device level but it cannot be accessed. |
Legacy UI:
The Manage menu or tab is displayed and can be accessed at the site and device level. Patch Management: Refer to Site-level permissions and Device-level permissions. Software Management: Refer to Site- and device-level permissions. (Deprecated) iOS App Management: Users can view iOS App Management policies. IMPORTANT The Mobile Device Management (MDM) feature is no longer available. For more information, refer to this Kaseya Community post. (Deprecated) Backup Management: Users can view Datto backup appliance data but they cannot add devices. IMPORTANT The Datto BCDR Integration is no longer available. It has been replaced by the Datto Continuity Integration in the New UI. Refer to Datto Continuity Integration. Therefore, the Datto RMM Backup Management functionality is also no longer available. Security Management: Users can view existing Security Management policies. |
Legacy UI:
The Manage menu or tab is displayed and can be accessed at the site and device level. Patch Management: Refer to Site-level permissions and Device-level permissions. Software Management: Refer to Site- and device-level permissions. (Deprecated) iOS App Management: Users can view and create iOS App Management policies. IMPORTANT The Mobile Device Management (MDM) feature is no longer available. For more information, refer to this Kaseya Community post. (Deprecated) Backup Management: Users can view and map Datto backup appliance data. IMPORTANT The Datto BCDR Integration is no longer available. It has been replaced by the Datto Continuity Integration in the New UI. Refer to Datto Continuity Integration. Therefore, the Datto RMM Backup Management functionality is also no longer available. Security Management: Users can view and create Security Management policies. |
|
New UI:
|
New UI:
|
New UI:
|
|
| Monitor | Legacy UI:
The Monitor menu or tab is not displayed at the site level. The Monitor menu or tab is displayed at the device level, but the list of alerts cannot be accessed. |
Legacy UI:
The Monitor menu or tab is displayed and can be accessed at the site and device levels. Users can view monitor alerts, but they cannot resolve them. Users can run jobs from an individual alert page if they have Manage permission for Jobs > Active Jobs, as well. Users cannot create device-level monitors. |
Legacy UI:
Same as for View permission, but users can also resolve and disable monitor alerts. Users can also create device-level monitors. |
| New UI:
The Alerts menu is not displayed at the site level. At the device level, users can view a list of alerts and monitors if they also have at least View permission for Sites > Sites and Sites > Devices. However, they cannot resolve alerts, create or edit monitors, or perform actions on monitors. Users can run jobs from the Single Alert View page if they have Manage permission for Jobs > Active Jobs, as well. |
New UI:
The Alerts menu is displayed at the site level, and users can view and resolve a list of alerts and individual alerts. At the device level, same as for None permission, but users can resolve alerts. |
New UI:
Same as for View permission, but users can also create, edit, enable, disable, and delete monitors from the Monitors card on the device summary page as long as they also have Manage permission for Sites > Policies. Users can create and edit webhooks. Users can create and end maintenance mode windows. |
|
| Support | Legacy UI:
The Support menu or tab is not displayed at the site level. The Support menu or tab is displayed at the device level but it cannot be accessed. |
Legacy UI:
The Support menu or tab is displayed at the site and device level. Users can view support tickets. |
Legacy UI:
Same as for View permission but users can also create and edit support tickets. |
|
New UI:
|
New UI:
|
|
|
| Filters | Legacy UI and New UI:
Users cannot access or create Site Device Filters. |
Legacy UI and New UI:
Users can access Site Device Filters created by anyone that has shared those filters with the users' assigned security level; however, users cannot create Site Device Filters. |
Legacy UI and New UI:
Same as for View permission but users can also create, edit, and delete their own Site Device Filters and those that have been shared with their assigned security level. |
| Groups | Legacy UI and New UI:
Users cannot view or create site-level groups. |
Legacy UI and New UI:
Users can use site-level groups that have already been defined, but they cannot add devices to the group and change group names. |
Legacy UI and New UI:
Users can view, edit, or delete groups created at the site level. |
| Policies | Legacy UI:
The Policies menu or tab is not displayed at either the site or the device level. |
Legacy UI:
The Policies menu or tab is displayed at the site and device level. Users can view site-level policies. Regarding Patch Management policies, refer to Site-level permissions and Device-level permissions. Regarding Software Management policies, refer to Site- and device-level permissions. |
Legacy UI:
Same as for View permission but users can also create and edit policies. Filters and groups can be applied depending on the user's security level permissions for filters and groups. Regarding Patch Management policies, refer to Site-level permissions and Device-level permissions. Regarding Software Management policies, refer to Site- and device-level permissions. |
| New UI:
Policies at the site level are not displayed. On the device summary page, the Policies card is not displayed. Users cannot create new site policies. |
New UI:
Policies at the site level and the Policies menu are displayed. On the device summary page, the Policies card is displayed. Users can view details of site policies with Global > Policies permission set to None, but they cannot click on global policies. Users can click on and view details of global policies as well if they also have at least View permission for Global > Policies. Users cannot create new site policies or edit, delete, or copy existing ones. Users can enable or disable policies from the Policies card on the device summary page if they also have Manage permission for Global > Policies. Users can view Managed software on the device summary page. Refer to Software. |
New UI:
Same as for View permission, but users can also create, edit, delete, or copy site policies as well as export Monitoring policies. Users can also create, edit, enable, disable, and delete monitors from the Monitors card on the device summary page as long as they also have Manage permission for Sites > Monitor. Users can enable or disable policies from the Policies card on the device summary page. The Best Practices button is displayed on the Policies page and Sites > Policies page if users have Manage permission for ComStore > ComStore. The Import button is displayed on the Policies page and Sites > Policies page. Users can approve site-level Managed software updates. Refer to Software Management. |
|
| Settings | Legacy UI:
A site's Settings menu or tab is not displayed. |
Legacy UI:
A site's Settings menu or tab is displayed. Users can view the settings of individual sites but they cannot configure them. |
Legacy UI:
Same as for View permission but users can configure the settings of individual sites. |
| New UI:
Users cannot view site settings. The Setup > Credentials menu is displayed; however, users cannot view or create site-level credentials. |
New UI:
Users can view site settings if they also have Manage permission for Sites > Sites; however, they cannot edit or delete these settings. On the Setup > Credentials page, users can view site-level credentials for the sites they have access to if they also have at least View permission for Sites > Sites; however, they cannot create, edit, or delete site-level credentials. |
New UI:
NOTE Non-administrator users will only be able to add security levels they are members of to sites they create. On the Setup > Credentials page, users can view, create, edit, and delete site-level credentials for the sites they have access to if they also have Manage permission for Sites > Sites. |
|
| Deleted Devices | Legacy UI and New UI:
Users cannot delete devices or access the Deleted Devices page in the New UI even if they have Manage permission for Sites > Devices. NOTE The Sites > Manage Deletions option in the legacy UI is only displayed for users with the Administrator security level. |
Legacy UI and New UI:
Users cannot delete devices even if they have Manage permission for Sites > Devices. Users can view the Deleted Devices page in the New UI if they have at least View permission for Sites > Sites. |
Legacy UI and New UI:
Users can delete devices if they have Manage permission for Sites > Devices as well. Users can view the Deleted Devices page in the New UI if they have at least View permission for Sites > Sites. NOTE The Sites > Manage Deletions option in the legacy UI is only displayed for users with the Administrator security level. |
Components
| None | View | Manage | |
|---|---|---|---|
| Components | Legacy UI:
The Components tab is displayed, but users cannot view the list of their components or select any components as part of jobs. |
Legacy UI:
The Components tab is displayed. Users can see and choose components as part of jobs but they cannot export, edit, copy, or delete them. Users can view component scripts (and download files), but they cannot edit the scripts. Users can mark components as favorites. Users cannot change the component level of components on the Component List page. Users can run jobs if they have Manage permission for Jobs > Active Jobs as well. |
Legacy UI:
Same as for View permission but users can also export, edit, copy, and delete components. Users can also change the component level of components on the Component List page. |
| New UI:
The Component Library is not displayed, and the list of components cannot be accessed. |
New UI:
The Component Library is displayed. Users can view components in the list, view individual component details including component scripts, search for components, and view component groups. Users can create jobs with selected components if they also have Manage permission for Jobs > Active Jobs. |
New UI:
Same as for View permission but users can also create, edit, update, copy, import, export, and delete components, add components to and remove components from groups, create new component groups, set components as User Tasks, and control the visibility of components in the Agent Browser. The Update needed category is displayed on the Component Library page. |
|
| User Tasks | Legacy UI:
Users cannot see if a component in the Component Library has been marked as a User Task. |
Legacy UI:
Same as for None permission. |
Legacy UI:
Users can see if a component in the Component Library has been marked as a User Task, and they can click the Toggle User Task icon to enable or disable a component as a User Task. |
| New UI:
Users can see if a component in the Component Library has been set as a User Task. |
New UI:
Same as for None permission. |
New UI:
Same as for None and View permission but users can also set or unset components as a User Task if they also have Manage permission for Components > Components. |
ComStore
| None | View | Manage | |
|---|---|---|---|
| ComStore | Legacy UI:
The ComStore tab is displayed, but the list of components cannot be accessed. |
Legacy UI:
The ComStore tab is displayed. Users can browse the ComStore and search for components, but they cannot add the components on display to the Component Library. |
Legacy UI:
Same as for View permission but users can also add components to the Component Library. |
| New UI:
The Automation > ComStore menu is not displayed, and the list of components in the ComStore cannot be accessed. Users cannot add components from the ComStore to jobs. |
New UI:
The Automation > ComStore menu is displayed. Users can browse the ComStore and search for components, but they cannot add the components on display to the Component Library. Users cannot add components from the ComStore to jobs. |
New UI:
Same as for View permission but users can also add components from the ComStore to the Component Library and to jobs. The Best Practices button is displayed on the Policies page, and users can add and configure ComStore policies if they also have Manage permission for Global > Policies (for global policies) and Sites > Policies (for site policies). |
Jobs
| None | View | Manage | |
|---|---|---|---|
| Active Jobs | Legacy UI:
The Jobs tab is displayed, but jobs and quick jobs cannot be accessed, scheduled, or run. |
Legacy UI:
The Jobs tab is displayed, but the New Job option is not available. Users can access Active Jobs and Completed Jobs, but they cannot schedule, run, edit, retire, or delete jobs and quick jobs. |
Legacy UI:
Same as for View permission but the New Job option is also available. Users can schedule, run, edit, retire, and delete jobs and quick jobs. When viewing the results of a job, users can select one or more devices and schedule a job, run a quick job, rerun a job, add the devices to a group, export StdOut (standard output) and StdErr (standard error) messages, and resend the run job message. |
| New UI:
The Automation > Jobs menu is not displayed, and jobs and quick jobs cannot be accessed, scheduled, or run. |
New UI:
The Automation > Jobs menu is displayed. Users can view jobs, but they cannot schedule, run, edit, copy, retire, or delete jobs and quick jobs. |
New UI:
Same as for View permission but users can also schedule, run, edit, copy, retire, and delete jobs and quick jobs. When viewing the results of a job, users can select one or more devices and schedule a job, run a quick job, rerun a job, add or remove the devices to or from a group, create a new Device Group, and export StdOut (standard output) and StdErr (standard error) messages. Users can add components from the ComStore to jobs if they also have Manage permission for ComStore > Comstore. On the device summary page and in device lists (where applicable), users can perform the Quick Job, Create a Job, Patch Now, Schedule Reboot, Isolate, and Revert Isolation actions if they also have at least View permission for Sites > Sites and Sites > Devices. |
Reports
| None | View | Manage | |
|---|---|---|---|
| Active Reports | Legacy UI:
The Reports tab is displayed, but reports and exports cannot be accessed, scheduled, or run. |
Legacy UI:
The Reports tab is displayed, but the New Report option is not available. Users can access Active Reports and Completed Reports, but they cannot schedule, run, edit, or delete reports and exports. |
Legacy UI:
Same as for View permission but the New Report option is also available. Users can schedule, run, edit, and delete reports and exports. |
| New UI:
The Analytics > Reports menu is not displayed. The Quick Report action button cannot be accessed on the device summary page and on device list pages. |
New UI:
The Analytics > Reports menu is displayed. The Quick Report action button cannot be accessed on the device summary page and on device list pages. On the Reports page, users cannot create new reports. Users can access Active Reports and Completed Reports; however, they cannot edit or delete existing reports. |
New UI:
Same as for View permission but users can also create, edit, and delete reports. The Quick Report action button can also be accessed on the device summary page and on device list pages. |
Setup
| None | View | Manage | |
|---|---|---|---|
| Billing | Legacy UI:
Billing is not displayed in the Setup tab. A banner is displayed if the license limit has been exceeded. |
Legacy UI:
Billing is not displayed in the Setup tab unless the Datto RMM account is expired or suspended. A banner is displayed if the license limit has been exceeded. |
Legacy UI:
Same as for View permission but users can request subscription increase. |
| New UI:
The Setup > Licenses menu is not displayed. A banner is not displayed if the license limit has been exceeded. |
New UI:
The Setup > Licenses menu is displayed. Users can view their Managed device, Ransomware Detection, Datto Endpoint Detection and Response (EDR), and OnDemand license count and usage, but they cannot add licenses. Users can click Protect Devices in the Datto EDR license card if they also have Manage permission for Global > Policies and/or Sites > Policies. A banner is not displayed if the Managed device or Ransomware Detection license limit has been exceeded. |
New UI:
Same as for View permission but users can also add Managed device and Ransomware Detection licenses. A banner is displayed if the Managed device or Ransomware Detection license limit has been exceeded. |
|
| My Info | Legacy UI:
The Setup > My Info menu is displayed but it cannot be accessed. |
Legacy UI:
The Setup > My Info menu can be accessed. In the My Info section, users can configure the language of the web interface and their default security level. These changes do not apply to other users within the account. In the Security Settings section, users with a Datto Partner Portal account can click Datto Portal User Settings to open the User Settings page in Datto Partner Portal. |
Legacy UI:
Same as for View permission but with the exception of Username and Email Address, all fields in the My Info section are editable. |
| New UI:
The Setup > My Settings menu is displayed but only the fields in the Preferences section are visible and editable. Users with a Datto Partner Portal account can click the View in Partner Portal button to open the User Settings page in Datto Partner Portal. |
New UI:
Same as for None permission but both the Preferences section and the Details section are visible. However, only the fields in the Preferences section are editable. |
New UI:
Same as for View permission but with the exception of Username and Email address, all fields in the Details section are also editable. |
|
| Messages | Legacy UI:
Messages is not displayed in the Setup tab. The Send a message to the selected devices action bar icon is not displayed on device list pages, the device summary page, and the Device Audit page. |
Legacy UI:
Same as for None permission. |
Legacy UI:
Messages is displayed in the Setup tab. Users can view and delete previously sent messages to devices they have access to if they also have at least View permission for Sites > Devices. The Send a message to the selected devices action bar icon is displayed on device list pages, the device summary page, and the Device Audit page. |
| New UI:
The Send Message action button is not displayed on the device summary page and displayed but unavailable on device list pages. |
New UI:
Same as for None permission. |
New UI:
Users can see the Send Message action button on the device summary page and it is available on device list pages as well if they also have at least View permission for Sites > Sites and Sites > Devices. |
|
| Account Settings / Global Settings |
Legacy UI:
Account Settings is not displayed in the Setup tab. |
Legacy UI:
Account Settings is displayed in the Setup tab and can be accessed, but users cannot configure the settings. |
Legacy UI:
Account Settings can be accessed, and users can configure all settings. |
| New UI:
The Setup > Global Settings menu is not displayed. The Setup > Credentials menu is displayed, but users cannot view or create global credentials. |
New UI:
The Setup > Global Settings menu is displayed. Users can view global settings, but they cannot configure the settings. The Setup > Credentials menu is displayed, and users can view global credentials, but they cannot create, edit, or delete global credentials. |
New UI:
Same as for View permission but users can also configure all settings on the Global Settings page and view, create, edit, and delete global credentials on the Credentials page. |
|
| Integrations | Legacy UI:
Integrations is not displayed in the Setup tab. |
Legacy UI:
Integrations is displayed in the Setup tab, but the integrations cannot be accessed. |
Legacy UI:
Same as for View permission but users can access and configure the integrations. |
| New UI:
The Setup > Integrations menu is not displayed. |
New UI:
Same as for None permission. |
New UI:
The Setup > Integrations menu is displayed. Users can access and configure the integrations. |
SaaS Protection
The Datto SaaS Protection Integration is available only in the New UI. Turn on this toggle in either UI to enable visibility of all Datto SaaS Protection data for the security level you are configuring.
A user with Manage permission for Setup > Integrations must enable the integration for the account from the Integrations page in the New UI. For instructions, refer to Datto SaaS Protection Integration.
NOTE Unlike the other options in the Permissions section, the Datto SaaS Protection permissions are not tiered. If this toggle is off, the permissions are equivalent to None (no visibility of Datto SaaS Protection data in Datto RMM). If this toggle is on, the permissions are equivalent to Manage (full visibility of Datto SaaS Protection data in Datto RMM).
Microsoft 365
The Microsoft 365 Integration is available only in the New UI. Security level permissions for the integration can be configured from either UI.
A user with Manage permission for both Setup > Integrations and Microsoft 365 > Microsoft 365 must enable the integration for the account from the Integrations page in the New UI. For instructions, refer to Enable the Microsoft 365 Integration.
| None | View | Manage | |
|---|---|---|---|
| Microsoft 365 | New UI:
The Microsoft 365 menu is not displayed. |
New UI:
The Microsoft 365 menu and data are displayed, but Microsoft 365 actions on the All Users page and user details pages are not available. |
New UI:
The Microsoft 365 menu and data are displayed, and Microsoft 365 actions on the All Users page and user details pages are available. |
Device Approvals
Enabling this setting allows assigned users to approve or deny devices that are new, or have had their encryption key changed. For more information on device approvals, refer to New device approval - Legacy UI.
Security Level Details - Remote Control Tools
This section controls access to remote tools available in the web interface and the Agent Browser, or in Web Remote sessions and chats. When creating a new security level, all tools listed in the table below are enabled by default. The table specifies which tools are available in the web interface and the Agent Browser, and via Web Remote. Disabling any of the tools will inactivate that tool for the user who is a member of the security level.
NOTE Changes made in this section will only come into effect once the Agent Monitor application on the remote device has been exited and restarted.
Detailed information about how to access the tools can be found in the following topics:
- Device lists - Legacy UI (legacy UI)
- Action buttons (New UI)
- Agent Browser tools
- Web Remote
To learn more about each tool and which device types they are available for, click the referenced sections in the table below.
| Field | Description | Web Interface | Agent Browser | Web Remote |
|---|---|---|---|---|
| Toggle all options | Enabled by default for new accounts. Toggle to turn OFF/ON all options listed below. |
|
||
| Screenshot | Refer to Screenshot. |
|
|
|
| Services | Refer to Windows Services. |
|
|
|
| Screen Share | Refer to VNC. |
|
|
|
| RDP | Allows you to use RDP and Splashtop. Refer to RDP and Splashtop Remote Screen Share Integration. IMPORTANT The RDP tool must be enabled for the Agent Browser device action button to be available in the New UI. Refer to Action buttons. |
|
|
|
| Command Shell | Refer to Command Shell. |
|
|
|
| Restart/Shutdown | Refer to Restart and Shut Down. |
|
|
|
| Thumbnail Screen | Refer to Thumbnail Screen. |
|
|
|
| Chat | For the Agent Browser, refer to Chat. For Web Remote, refer to Initiate a Web Remote chat. |
|
|
|
| Drive Information | Refer to Drive Information. |
|
|
|
| SSH/Telnet | Refer to Connect (Telnet/SSH). |
|
|
|
| PowerShell | For the Agent Browser, refer to PowerShell. For Web Remote, refer to Initiate a Web Remote PowerShell session. |
|
|
|
| LAN Deploy | Refer to Agent Deployment. |
|
|
|
| Task Manager | Refer to Task Manager. |
|
|
|
| File Manager | For the Datto RMM Agent, refer to File Management. For Web Remote, refer to File Transfer. This option must be enabled for users, including users with support access enabled, to download a device's Agent logs. Refer to Download Agent Logs. IMPORTANT The File Manager tool requires SYSTEM permissions to any file or folder you wish to take actions against. Refer to How do I enable SYSTEM access to files or folders?. |
|
|
|
| Registry Editor | Refer to Registry Editor. |
|
|
|
| Quick Jobs | Refer to Quick Jobs. |
|
|
|
| Event Viewer | Refer to Event Viewer. |
|
|
|
| Notes | Refer to Notes. |
|
|
|
| Wake-on-Lan | Refer to Wake Up. |
|
|
|
| HTTP | Refer to Connect (HTTP). |
|
|
|
| Custom Connection | Refer to Connect (Custom Tunnel). |
|
|
|
| Web Remote | Refer to Web Remote. |
|
|
Security Level Details - Membership
You can specify to which users you would like to assign this security level. Select your users and move them to the Include or Exclude column accordingly.
Use the Search field above either the Include or Exclude column to search for users. As you type, the search results are narrowed to match your search string.
If you want to exclude one or more users from an existing security level that is the users' default security level, a dialog box will be displayed where you can confirm the security level replacement. From the drop-down menu, select a new default security level for all affected users and click Change.
Alternatively, click Edit in the dialog box to replace the default security level for each user individually. Click the radio button next to the security level you want to set as the new default security level and then click Next to configure each affected user account.
Test a security level
When you create a new security level, we recommend that you assign it to yourself first to see if it restricts or allows everything you want it to. Testing a security level is important to ensure that users with that security level are able to access the tools or information they require to perform their daily tasks. It is also equally important to ensure that they don't have access to anything they shouldn't. To learn how you can change security levels to test them, refer to Switch security levels.
IMPORTANT If you give third-party users (such as your customers) access to the account, ensure that the security level restrictions meet your internal data security requirements.
Edit a security level
- In the Web Portal, click the Setup tab.
- Click Security Levels.
- Click the name of the security level you wish to edit.
- Edit the security level details. Refer to Configure the security level details.
- Click Apply and Save.
Delete a security level
- In the Web Portal, click the Setup tab.
- Click Security Levels.
- Hover over the name of the security level you wish to delete and click Delete this security level.
- From the drop-down menu in the Confirm Security Level Deletion dialog box, select a new security level to replace the one you are about to delete.
- To proceed, click Delete. This will delete the security level and, additionally, the following actions will be performed:
- Any existing jobs or policy targets currently linked to the security level you are deleting will be assigned to the replacement security level.
- Any users that are currently a member of the security level you are deleting will be added as members to the replacement security level.
If you do not wish to proceed, click Cancel. To learn how to configure the security levels of the linked users individually, refer to Edit a security level or Edit a user.
Switch security levels
If a user has more than one security level assigned, they can change their security level in the web interface or in the Agent Browser.
Legacy UI
- In the upper-right corner of the Web Portal, click your current security level to see a list of available security levels.
- Select the required security level.
- The page will automatically refresh and the selected security level will be applied.
Switching your security level will only apply to your current session. Your default security level will be used the next time you log in to your account.
New UI
Refer to Current Security Level in My Settings.
Agent Browser
- On the local device where Datto RMM is installed, right-click the Datto RMM Agent icon in the system tray and click Open.
- Log in with your credentials.
- Click the first menu option in the upper-left corner of the Agent Browser.
- Hover over Security Level and select the required security level from the list.
- You will be logged out of the Agent automatically.
- Log back in to be able to use the selected security level.
