Adding new users to Datto EDR and Datto AV
NAVIGATION > Admin > Users & Tokens
PERMISSIONS Datto EDR subscription with administrator-level platform access or Datto AV subscription with administrator-level platform access
BEFORE YOU BEGIN The type of subscription you have may define the features available to you on this page. For a comprehensive overview of features available to Datto EDR and Datto AV customers, refer to Datto EDR and Datto AV access control.
User roles in Datto EDR and Datto AV define the level of access and permissions each user has within the platform, ensuring that administrators can control who can view data, perform actions, and configure settings across the environment.
When adding a new user, you must assign a role. There are three available roles:
- Admin (Administrator): Authorized to access and configure all areas of the platform.
- Analyst: Has fewer configuration permissions than an Admin but has the same visibility across all agents, locations, and policies.
- External Analyst: Similar to an Analyst but limited to specific assigned organizations. Can view and act only within those organizations.
The table below lists specific actions and, for each role, whether the action is Authorized, Unauthorized, or Not available. Not available means the action does not appear in the platform for that particular role.
IMPORTANT For any External Analyst actions labeled Authorized, that authorization applies only within their assigned scope. External Analysts cannot perform these actions on devices outside their assigned organizations.
Action | Admin | Analyst | External Analyst |
---|---|---|---|
Refresh dashboard | Authorized | Unauthorized | Not available |
Alert responses | Authorized | Authorized | Authorized |
Acknowledge alerts | Authorized | Authorized | Authorized |
Create suppression rules | Authorized | Authorized | Not available |
Publish detection/suppression rules | Authorized | Unauthorized | Not available |
Create any policy | Authorized | Not available | Not available |
View any policy | Authorized | Authorized | Not available |
Edit any policy | Authorized | Unauthorized | Not available |
Create Universal AV exclusions | Authorized | Unauthorized | Not available |
Create Datto AV file submissions | Authorized | Unauthorized | Not available |
Alert export | Authorized | Authorized | Authorized |
Alert comments | Authorized | Authorized | Authorized |
Assign policy | Authorized | Unauthorized | Not available |
Create location | Authorized | Authorized | Not available |
Disable policy | Authorized | Unauthorized | Not available |
Move devices | Authorized | Authorized | Not available |
Uninstall devices | Authorized | Authorized | Not available |
Delete devices | Authorized | Unauthorized | Not available |
Assign/unassign licenses | Authorized | Not available | Not available |
Isolate devices | Authorized | Authorized | Not available |
Edit device group automatic assignment | Authorized | Unauthorized | Not available |
Edit device group details (name/description) | Authorized | Unauthorized | Not available |
Delete/restore quarantined files | Authorized | Unauthorized | Authorized |
Create reports | Authorized | Authorized | Not available |
Create scheduled reports | Authorized | Authorized | Not available |
Export responses/queued responses | Authorized | Authorized | Not available |
Perform search queries | Authorized | Authorized | Not available |
Export search results | Authorized | Authorized | Not available |
Filter search results | Authorized | Authorized | Not available |
Refresh analyze | Authorized | Authorized | Not available |
Acknowledge/unacknowledge system notifications | Authorized | Authorized | Not available |
Submit product feedback | Authorized | Authorized | Authorized |
Access Help system | Authorized | Authorized | Authorized |
Access Help videos | Authorized | Authorized | Authorized |
Access onboarding tasks | Authorized | Authorized | Authorized |
Set personal email notifications | Authorized | Authorized | Not available |
Create API tokens | Authorized | Limited to role | Not available |
Create registration keys | Authorized | Authorized | Not available |
Assign registration keys to location | Authorized | Authorized | Not available |
Delete registration keys from location | Authorized | Authorized | Not available |
Add file flag | Authorized | Unauthorized | Not available |
Change file flag weight | Authorized | Unauthorized | Not available |
Edit file flag color | Authorized | Unauthorized | Not available |
Adding a user
- Within the EDR platform, navigate to Admin > Users & Tokens.
- Click Add User.
- The Add User modal will open.
- Complete the Email field.
- Select the user's Role.
If you select External Analyst:
- Click Save.
The user is listed in the Users table.
If the user has never been added to an EDR instance, they'll receive a welcome email with a temporary password that enables them to log in for the first time. Once they've entered their credentials at the login screen, they must set a new password. This password will be used to access all future instances to which they are added.
If you add an existing user to a new instance, they will not receive a new temporary password. They will receive a notification that they've been added to a new instance along with a link to the login page.