This article describes the security settings you can configure to grant or restrict user access to Customer Relationship Management (CRM) data in Autotask. It also documents the settings of the system security levels in your Autotask instance.
System security levels are not editable, but you can make copies and edit them to create custom security levels. Refer to:
Overview
This section enables you to configure user permissions to access data for organizations and contacts by organization Your Autotask instance may be configured to use one of the following terms instead: Account, Business Unit, Client Company, Customer, Site. type, configure object permissions for all CRM entities, configure feature access and opportunity checklist and other permissions, and the dashboard for individual organizations. You can designate view, add, or edit permissions on a per-object basis.
Settings
Organization & Contact Access
About this setting
The following settings apply to the CRM category's Organization & Contact Access section of the Security Levels page shown in the below image.
This section enables you to configure user permissions to access data for organizations and contacts by organization type, configure object permissions for all CRM entities, configure feature access and opportunity checklist and other permissions, and the dashboard for individual organizations. You can designate view, add, or edit permissions on a per-object basis.
NOTE Regardless of the settings you configure in this part of the application, be aware that LiveReports will always display at least the organization names. Access to other organization data is limited by the security level permissions of the logged-in user that runs or schedules the report.
The following options are available:
- All: This setting is the default for all security levels with access to Admin. It allows access to all organizations of this type and associated contacts.
- My Territories: This option includes all access allowed by Mine. It allows access to organizations of this type that are assigned to a territory with which the user is associated. It also allows access to the contacts of these organizations.
- Mine: This setting is the default for all security levels that do not have access to Admin. It allows access to organization data for only those organizations for which user is the Account Manager or a member of the Account Team. It also allows access to contact data for only contacts associated with these organizations.
- None: Users cannot access any organization data.
NOTE For the Co-managed Help Desk security level, Mine and None are the only available options.
The listed settings are enabled by default for the following system security levels:
Object Permissions
About this setting
The following settings apply to the CRM category's Object Permissions section of the Security Levels page shown in the image below. CRM object permissions apply only to objects associated with organizations that the user has permission to access. Review Organization & Contact Access, above.
Organizations
- View: Organization Type access permissions determine organization view permissions (Security Level).
- Add:
- Yes: Users can add organizations of the type(s) they have permission to access.
- No: Users cannot add any organizations.
- Edit or Delete:
- All: Users can complete the specified action on all organization types that they have permission to View.
- Mine: Users can complete the specified action on organizations that they have permission to view if they are the account manager or a member of the account team. If the security level permissions include My Territories access, the user can also complete the specified action for organizations assigned to territories to which the user is assigned.
- None: Users cannot complete the specified action on any organizations.
The listed settings are enabled by default for the following system security levels:
| Security Level | ||||
|---|---|---|---|---|
|
Organizations |
View | Add | Edit | Delete |
|
Co-managed Help Desk |
Refer to Organization & Contact Access |
None | None | None |
|
Minimal Access |
Refer to Organization & Contact Access | None | None | None |
|
Time & Attendance |
Refer to Organization & Contact Access | None | None | None |
|
Team Member |
Refer to Organization & Contact Access | None | None | None |
|
Contractor |
Refer to Organization & Contact Access | None | None | None |
|
Private CRM |
Refer to Organization & Contact Access | Yes | Mine | None |
|
Sales |
Refer to Organization & Contact Access | Yes | Mine | None |
|
Service Desk User |
Refer to Organization & Contact Access | Yes | Yes | None |
|
Project Manager |
Refer to Organization & Contact Access | Yes | Yes | None |
|
Dashboard User |
Refer to Organization & Contact Access | None | None | None |
|
Manager |
Refer to Organization & Contact Access | Yes | Yes | None |
|
System Administrator, Full Access User |
Refer to Organization & Contact Access | Yes | Yes | Yes |
|
API User |
Refer to Organization & Contact Access | Yes | Yes | Yes |
Contacts
This attribute determines the user's ability to add organization contacts. It does not restrict the user's ability to view or edit contacts that have an association with account types that their Organization & Contact view permissions allow them to see.
- Yes: Users can add contacts.
- No: Users cannot add any contacts
The listed settings are enabled by default for the following system security levels:
| Security Level | ||||
|---|---|---|---|---|
|
Contacts |
View | Add | Edit | Delete |
|
Co-managed Help Desk |
Yes | |||
|
Minimal Access |
No | |||
|
Time & Attendance |
No | |||
|
Team Member |
Yes | |||
|
Contractor |
No | |||
|
Private CRM |
Yes | |||
|
Sales |
Yes | |||
|
Service Desk User |
Yes | |||
|
Project Manager |
Yes | |||
|
Dashboard User |
|
Yes |
|
|
|
Manager |
Yes | |||
|
System Administrator, Full Access User |
Yes | |||
|
API User |
Yes |
Opportunities & Quotes
Organization View permissions are determined by Organization Type access permissions (Security Level).
View, Edit, or Delete:
- All: Users can complete the specified action on all opportunities and quotes associated with organizations that they have permission to View.
- Mine: Users can complete the specified action on opportunities and quotes associated with organizations that they have permission to view if they are the account manager. If the security level permissions include My Territories access, the user can also complete the specified action for organizations assigned to territories to which the user is assigned.
- None: Users cannot complete the specified action for opportunities and quotes associated with any organizations.
Add:
- Yes: Users can add opportunities and quotes for organizations of the type(s) they have permission to access.
- No: Users cannot add any opportunities or quotes to any organizations.
The listed settings are enabled by default for the following system security levels:
| Security Level | ||||
|---|---|---|---|---|
|
Opportunities & Quotes |
View | Add | Edit | Delete |
|
Co-managed Help Desk |
None | None | None | None |
|
Minimal Access |
None | None | None | None |
|
Time & Attendance |
None | None | None | None |
|
Team Member |
None | None | None | None |
|
Contractor |
None | None | None | None |
|
Private CRM |
Mine | Yes | Mine | None |
|
Sales |
All | Yes | Mine | None |
|
Service Desk User |
All | Yes | Mine | None |
|
Project Manager |
All | Yes | Mine | None |
|
Dashboard User |
All |
None | None | None |
|
Manager |
All | Yes | All | All |
|
System Administrator, Full Access User |
All | Yes | All | All |
|
API User |
All | Yes | All | All |
Sales Orders
View or Edit:
- All: Users can complete the specified action on all sales orders associated with organization types that they have permission to View.
- Mine: Users can complete the specified action on sales orders associated with the organization types that they have permission to view if they are the account manager for the organization or a member of the account team. If the security level permissions include My Territories access, users can also complete the specified action for organizations assigned to territories to which users are assigned.
- None: Users cannot complete the specified action on sales orders for any organizations.
Add:
- Not applicable. Sales orders are not manually added.
Delete:
- All: Users can complete the specified action on all sales orders associated with organization types that they have permission to View.
- Mine: Users can complete the specified action on sales orders associated with the organization types that they have permission to view if they are the account manager for the organization or a member of the account team. If the security level permissions include My Territories access, users can also complete the specified action for organizations assigned to territories to which users are assigned.
- None: Users cannot complete the specified action on sales orders for any organizations.
The listed settings are enabled by default for the following system security levels:
| Security Level | ||||
|---|---|---|---|---|
|
Sales Orders |
View | Add | Edit | Delete |
|
Co-managed Help Desk |
None | not applicable | None | None |
|
Minimal Access |
None | not applicable | None | None |
|
Time & Attendance |
None | not applicable | None | None |
|
Team Member |
None | not applicable | None | None |
|
Contractor |
None | not applicable | None | None |
|
Private CRM |
Mine | not applicable | Mine | None |
|
Sales |
All | not applicable | Mine | None |
|
Service Desk User |
All | not applicable | All | None |
|
Project Manager |
All | not applicable | All | None |
|
Dashboard User |
All | not applicable | None | None |
|
Manager |
All | not applicable | All | All |
|
System Administrator, Full Access User |
All | not applicable | All | All |
|
API User |
All | not applicable | All | None |
Devices & Subscriptions
View, Edit, or Delete:
- All: Users can complete the specified action for any items associated with an organization type that they have permission to view.
- None: Users cannot perform the specified action for any organization.
Add:
- Yes: Users can add devices Your Autotask instance may be configured to use one of the following terms instead:
Asset, Configuration Item, Installed Asset, Installed Product. and subscriptions for organizations of the type(s) they have permission to access.
- No: Users cannot add any devices or subscriptions.
The listed settings are enabled by default for the following system security levels:
| Security Level | ||||
|---|---|---|---|---|
|
Devices & Subscriptions |
View | Add | Edit | Delete |
|
Co-managed Help Desk |
All | Yes | All | None |
|
Minimal Access |
None | not applicable | None | None |
|
Time & Attendance |
None | not applicable | None | None |
|
Team Member |
None | not applicable | None | None |
|
Contractor |
None | not applicable | None | None |
|
Private CRM |
All | Yes | All | None |
|
Sales |
All | Yes | All | None |
|
Service Desk User |
All | Yes | All | None |
|
Project Manager |
All | Yes | All | None |
|
Dashboard User |
All |
None | None | None |
|
Manager |
All | Yes | All | All |
|
System Administrator, Full Access User |
All | Yes | All | All |
|
API User |
All | Yes | All | All |
|
Device Notes |
View | Add | Edit | Delete |
|
Co-managed Help Desk |
Mine | None | ||
|
Minimal Access |
None | None | ||
|
Time & Attendance |
None | None | ||
|
Team Member |
None | None | ||
|
Contractor |
None | None | ||
|
Private CRM |
Mine | None | ||
|
Sales |
Mine | Mine | ||
|
Service Desk User |
Mine | Mine | ||
|
Project Manager |
Mine | Mine | ||
|
Dashboard User |
|
|
None | None |
|
Manager |
All | All | ||
|
System Administrator, Full Access User |
All | All | ||
|
API User |
All | All |
Notes
View:
- If users cannot view any organization type, the permission is None.
- If the permission is Yes, users can view notes for any organizations of a type that they can view. It is not possible to edit this field.
Add:
- Yes: Users can add a CRM note to any object for any organization that users can view.
- No: Users cannot add any CRM notes.
Edit or Delete:
- All: Users can complete the specified action on all notes associated with organizations that they can access.
- Mine: Users can complete the specified action on notes assigned to them.
- None: Users cannot complete the specified action on any notes.
To-dos
View:
- If users cannot view any organization type, permission is None.
- If permission is Yes, users can view to-dos for any organization that they can view. It is not possible to edit this field.
Add:
- Yes: Users can add a to-do for any organization that users can view.
- No: Users cannot add any to-dos.
Edit or Delete:
- All: Users can complete the specified action on all to-dos associated with organizations that they can access.
- Mine: Users can complete the specified action on to-dos assigned to them.
- None: Users cannot complete the specified action on any to-dos.
The listed settings are enabled by default for the following system security levels:
| Security Level | ||||
|---|---|---|---|---|
|
Notes, To-Dos |
View | Add | Edit | Delete |
|
Co-managed Help Desk |
Yes | Yes | Mine | None |
|
Minimal Access |
No | No | None | None |
|
Time & Attendance |
No | None | None | None |
|
Team Member |
Yes | Yes | Mine | None |
|
Contractor |
No | No | None | None |
|
Private CRM |
Yes | Yes | Mine | None |
|
Sales |
Yes | Yes | Mine | Mine |
|
Service Desk User |
Yes | Yes | Mine | Mine |
|
Project Manager |
Yes | Yes | Mine | Mine |
|
Dashboard User |
Yes |
None | None | None |
|
Manager |
Yes | Yes | All | All |
|
System Administrator, Full Access User |
Yes | Yes | All | All |
|
API User |
Yes | Yes | All | All |
Attachments
CRM attachment security applies to attachments on organizations, opportunities, sales orders, and devices. Users must have permission to access the parent item to access the associated attachments.
View:
- All: Users can view all attachments added to organizations, opportunities, sales orders, and devices that they can access.
- None: Users cannot view any CRM attachments.
Add:
- Yes: Users can add attachments to organizations, opportunities, sales orders, and devices that they can access.
- No: Users cannot add CRM attachments.
Edit:
- All: Users can edit any attachment added to organizations, opportunities, sales orders, and devices that they can access.
- Mine: Users can only edit organization, opportunity, sales order, and device attachments that they added.
- None: Users cannot edit any CRM attachments.
Delete:
- All: Users can delete any attachment added to organizations, opportunities, sales orders, and devices that they can access.
- Mine: Users can only delete organization, opportunity, sales order, and device attachments that they added.
- None: Users cannot delete any CRM attachments.
The listed settings are enabled by default for the following system security levels:
| Security Level | ||||
|---|---|---|---|---|
|
Attachments |
View | Add | Edit | Delete |
|
Co-managed Help Desk |
None | Yes | None | None |
|
Minimal Access |
None | No | None | None |
|
Time & Attendance |
None | No | None | None |
|
Team Member |
None | Yes | None | None |
|
Contractor |
None | No | None | None |
|
Private CRM |
All | Yes | None | None |
|
Sales |
All | Yes | None | Mine |
|
Service Desk User |
All | Yes | None | Mine |
|
Project Manager |
All | Yes | None | None |
|
Dashboard User |
All |
None |
None | None |
|
Manager |
All | Yes | None | All |
|
System Administrator, Full Access User |
All | Yes | None | All |
|
API User |
All | Yes | None | All |
Feature Access
The following settings apply to the CRM category's Feature Access section of the Security Levels page shown below.
Contact
Group Manager
About this setting
This option enables you to configure user access to Contact Groups features and management pages. Users with these settings cleared have no access to Contact Group management. To learn more, refer to The Contact Group Manager.
The listed settings are enabled by default for the following system security levels:
| Security Level | Permission |
|---|---|
|
Co-managed Help Desk |
|
|
Minimal Access |
|
|
Time & Attendance |
|
|
Team Member |
|
|
Contractor |
|
|
Private CRM |
|
|
Sales |
|
|
Service Desk User |
|
|
Project Manager |
|
|
Dashboard User |
|
|
Manager |
|
|
System Administrator, Full Access User |
|
|
API User |
|
Can
access Export features in CRM section (requires CRM standard reports
permission)
About this setting
Selecting this option will provide users with this security level AND Reports permission access to the CRM category and the Exports section on the 
> Reports > Report Categories > CRM tab. Refer to Report security settings to learn more.
The listed settings are enabled by default for the following system security levels:
| Security Level | Permission |
|---|---|
|
Co-managed Help Desk |
|
|
Minimal Access |
|
|
Time & Attendance |
|
|
Team Member |
|
|
Contractor |
|
|
Private CRM |
|
|
Sales |
|
|
Service Desk User |
|
|
Project Manager |
|
|
Dashboard User |
|
|
Manager |
|
|
System Administrator, Full Access User |
|
|
API User |
|
Device
Discovery Wizard
About this setting
This setting grants users access to the Device Discovery Wizard. Without this permission, users have no access to the feature. For more information, review our Launching the Device Discovery Wizard article.
The listed settings are enabled by default for the following system security levels:
| Security Level | Permission |
|---|---|
|
Co-managed Help Desk |
|
|
Minimal Access |
|
|
Time & Attendance |
|
|
Team Member |
|
|
Contractor |
|
|
Private CRM |
|
|
Sales |
|
|
Service Desk User |
|
|
Project Manager |
|
|
Dashboard User |
|
|
Manager |
|
|
System Administrator, Full Access User |
|
|
API User |
|
Can
Manage Quote Templates and Quote Email Messages Outside of Admin
About this setting
This setting empowers users to access and manage quote templates and quote email message templates. This setting does not affect users' ability to change templates assigned to quotes. That permission is controlled by users' Edit permission for the CRM objects Opportunities and Quotes.
The listed settings are enabled by default for the following system security levels:
| Security Level | Permission |
|---|---|
|
Co-managed Help Desk |
|
|
Minimal Access |
|
|
Time & Attendance |
|
|
Team Member |
|
|
Contractor |
|
|
Private CRM |
|
|
Sales |
|
|
Service Desk User |
|
|
Project Manager |
|
|
Dashboard User |
|
|
Manager |
|
|
System Administrator, Full Access User |
|
|
API User |
|
Can
Request RMA
About this setting
Select this option to allow users with this security level to initiate an RMA request from the Device page and Device tables.
The listed settings are enabled by default for the following system security levels:
| Security Level | Permission |
|---|---|
|
Co-managed Help Desk |
|
|
Minimal Access |
|
|
Time & Attendance |
|
|
Team Member |
|
|
Contractor |
|
|
Private CRM |
|
|
Sales |
|
|
Service Desk User |
|
|
Project Manager |
|
|
Dashboard User |
|
|
Manager |
|
|
System Administrator, Full Access User |
|
|
API User |
|
Opportunity Checklist Permissions
About this setting
These permissions empower you to define the level of checklist management permissions to which your user groups have access. The following options are available.
NOTE Users without CRM Admin permission can access the Checklist Library from > Admin > Application-wide (Shared) Features.
Can add/edit Library Checklists
Users with this permission have access to the Checklist Library. They can do the following:
- Save checklists to the library from an opportunity or form template
- Create or edit opportunity checklists in the Checklist Library
Users with this permission have access to the Checklist Library. They can do the following:
- Delete opportunity checklists from the Checklist Library
Can add/edit items
Users with this permission can add and edit checklists for opportunities to which they have Edit permissions. They can:
- Add items to an opportunity checklist
- Edit items in the checklist
- Reorder and copy items within the checklist
Can delete/uncomplete items
Users with this permission can:
- Uncomplete checklist items completed by anyone
- Delete items from the checklist on an opportunity
The listed settings are enabled by default for the following system security levels:
| Opportunity Checklist Permissions | Can add/edit Library Checklists | Can delete Library Checklists | Can add/edit items | Can delete/uncomplete items |
|---|---|---|---|---|
|
Co-managed Help Desk |
|
|||
|
Minimal Access |
||||
|
Time & Attendance |
||||
|
Team Member |
|
|
||
|
Contractor |
||||
|
Private CRM |
|
|
||
|
Sales |
|
|
||
|
Service Desk User |
|
|
|
|
|
Project Manager |
|
|||
|
Dashboard User |
|
|
|
|
|
Manager |
|
|
|
|
|
System Administrator, Full Access User |
|
|
|
|
|
API User |
|
|
|
|
Other Permissions
Can
modify Account Manager (reassign Organizations)
About this setting
The users for whom you enable this setting can change an organization's Account Manager, which reassigns the organization to a new owner.
The listed settings are enabled by default for the following system security levels:
| Security Level | Permission |
|---|---|
|
Co-managed Help Desk |
|
|
Minimal Access |
|
|
Time & Attendance |
|
|
Team Member |
|
|
Contractor |
|
|
Private CRM |
|
|
Sales |
|
|
Service Desk User |
|
|
Project Manager |
|
|
Dashboard User |
|
|
Manager |
|
|
System Administrator, Full Access User |
|
|
API User |
|
Can
modify Opportunity Owner (reassign Opportunities)
About this setting
Users who have this feature enabled will be able to change the Opportunity Owner on the Edit Opportunity page, which reassigns the opportunity to a new owner.
The listed settings are enabled by default for the following system security levels:
| Security Level | Permission |
|---|---|
|
Co-managed Help Desk |
|
|
Minimal Access |
|
|
Time & Attendance |
|
|
Team Member |
|
|
Contractor |
|
|
Private CRM |
|
|
Sales |
|
|
Service Desk User |
|
|
Project Manager |
|
|
Dashboard User |
|
|
Manager |
|
|
System Administrator, Full Access User |
|
|
API User |
|
Can
access Device Mapping
About this setting
This setting determines if a user can see the Device Mapping section (and its content) in > CRM, as well as the Go to Device Mapping button on the Device widget drill-in table. It also controls page-level security on the Device Mapping page.
This check box is enabled by default for all security levels that have access to CRM and for whom the Datto RMM Integration or the Advanced Datto Integration is active.
The listed settings are enabled by default for the following system security levels:
| Security Level | Permission |
|---|---|
|
Co-managed Help Desk |
|
|
Minimal Access |
|
|
Time & Attendance |
|
|
Team Member |
|
|
Contractor |
|
|
Private CRM |
|
|
Sales |
|
|
Service Desk User |
|
|
Project Manager |
|
|
Dashboard User |
|
|
Manager |
|
|
System Administrator, Full Access User |
|
|
API User |
|
Display
ALL organizations in organization picklists and data selectors
About this setting
Enable this feature to allow users to see all organizations in organization picklists and data selectors. Doing so will allow users to search for and create organization-related items for organizations that they do not have permission to view.
IMPORTANT Do not check this setting if you are creating or editing a restricted security level. Users with this setting selected will be able to see the names, addresses, and phone numbers of all organizations in your Autotask instance.
The listed settings are enabled by default for the following system security levels:
| Security Level | Permission |
|---|---|
|
Co-managed Help Desk |
|
|
Minimal Access |
|
|
Time & Attendance |
|
|
Team Member |
|
|
Contractor |
|
|
Private CRM |
|
|
Sales |
|
|
Service Desk User |
|
|
Project Manager |
|
|
Dashboard User |
|
|
Manager |
|
|
System Administrator, Full Access User |
|
|
API User |
|
Can
erase (redact) Contacts
About this setting
Resources with this security level will see the Erase (Redact) section on the Edit Contact page, and they will be able to redact contacts that they can edit. For more on this feature, refer to Erasing (redacting) contacts and resources.
The listed settings are enabled by default for the following system security levels:
| Security Level | Permission |
|---|---|
|
Co-managed Help Desk |
|
|
Minimal Access |
|
|
Time & Attendance |
|
|
Team Member |
|
|
Contractor |
|
|
Private CRM |
|
|
Sales |
|
|
Service Desk User |
|
|
Project Manager |
|
|
Dashboard User |
|
|
Manager |
|
|
System Administrator, Full Access User |
|
|
API User |
Dashboard Display
About this setting
Use this setting to define which data should be available to display on the CRM dashboard tabs. The options are: None, Mine (data for the assigned resource), My Territories (all resources in the assigned resource's territory), and All.
The listed settings are enabled by default for the following system security levels:
| Security Level | Permission |
|---|---|
|
Co-managed Help Desk |
Mine |
|
Minimal Access |
Mine |
|
Time & Attendance |
Mine |
|
Team Member |
Mine |
|
Contractor |
Mine |
|
Private CRM |
Mine |
|
Sales |
My Territories |
|
Service Desk User |
Mine |
|
Project Manager |
Mine |
|
Dashboard User |
All |
|
Manager |
Mine |
|
System Administrator, Full Access User |
All |
|
API User |
All |
Additional Resources
- Contract security settings
- CRM security settings
- Inventory security settings
- Project security settings
- Service Desk security settings
- Knowledge Base and Documents security settings
- Timesheet security settings
- Report security settings
- Admin security settings
- Other security settings
- Web Services API security settings
