Managing security in Autotask
Datto is committed to helping ensure the security of our partners and their customers. This best practices guide provides at-a-glance access control recommendations that will help you keep your Autotask environment secure. Because your company's data is hosted by Datto and accessed by your resources through a browser, the controls you own are authentication and authorization: use the information below to configure Autotask with strong sign-in requirements and least-privilege access rules.
Security best practices
To access Autotask, users must authenticate with their username and password. Additionally, Datto requires all Autotask users to use either single sign-on (SSO) or two-factor authentication (2FA). Refer to Configuring single sign-on using the OpenID Connect standard and Managing two-factor authentication for a resource.
To further harden sign-in security, do one or more of the following:
- Require users to use strong passwords. Refer to Strong password requirements.
- Enable the system setting that locks a user out after the number of unsuccessful login attempts that you specify. Refer to System settings for site setup and Unlocking a resource.
- Configure a list of recipients who receive email notifications when security-related changes are made that could affect what resources can see or do (for example, changes to security levels or user access). Refer to Security event notification recipients.
Access to features and data in Autotask is controlled by the security level assigned to the user. Autotask includes a set of system security levels intended for typical roles in an MSP organization. Refer to System security levels.
If you grant access to your Autotask instance to external IT resources (either customers or contractors), use the Co-managed Help Desk (system) security level and set up a co-managed help desk.
You can assign system security levels to users directly, but we recommend that you make copies and customize the copies so that each role receives only the permissions its workflow requires. Refer to Creating or editing a custom security level. System security levels and any custom levels you create are managed from the Security Levels page. Refer to Managing security levels.
User-defined fields for devices and organizations can be flagged as 'protected.' You can then grant individual users access to view, or to view and edit, these 'protected' fields. Because this per-user grant overrides both system and custom security levels, review the list of users who hold it as part of your regular access reviews. Refer to Viewing protected data.
It is a best practice to set up a separate API user account, and where practical a separate copy of the API User (system) (API-only) or API User (system) Can't Read Costs (API-only) security level, for each integration your developers work with. Doing so lets you tailor the security permissions to the areas each integration actually requires, and lets you rotate or revoke one integration's credentials without affecting the others.
For partner integrations that appear on the Integration Center page, you can add API users right from the page. Refer to Integration Center.
To learn more about configuring API users, refer to Adding or editing an API user.
To ensure that your resources have access to only the reports and data that they need, Datto recommends reviewing our report security best practices. Then, review your company's security level settings for report and data access, along with the publish settings for LiveReports, and make adjustments as needed.
Our best practices guide, which you can find in the Online Help at Report security > Best practices, will help you make informed decisions about appropriate report security configurations for your environment.