User roles and permission boundaries

Kaseya SIEM uses role‑based and scope‑based controls to define who can access the platform, which organizations they can see, and what administrative actions they are allowed to perform.

These controls support separation of duties, least‑privilege access, and safe delegation across multiple organizations.

This article explains how access is structured, where it is configured, and how permission boundaries should be established before configuring organizations and monitoring behavior.

Common questions this article answers include:

• How do user roles and access work in Kaseya SIEM?

• How can I limit which organizations a technician can see?

• What is the difference between Group Access and MSP capability toggles?

• Do user roles affect how alerts are generated, investigated, or responded to in SIEM?

What access controls govern

User roles and permission boundaries in Kaseya SIEM determine:

• Organization visibility: Which organizations a user can see and work within

• Administrative capabilities: Which configuration or management actions a user is allowed to perform

• Delegated responsibilities: How limited administrative tasks can be assigned without granting full access

These controls affect access and authority, not how alerts are generated, investigated, or responded to.

Kaseya SIEM does not use predefined functional roles beyond MSP Admin. Access is determined through a combination of organization visibility and delegated capabilities.

Configuring access controls

Access controls are managed from two primary areas:

• Settings > User Privileges: Controls organization visibility and delegated administrative capabilities

  

• Settings > Users: Creates and manages user accounts, including MSP Admin designation and user-level authentication/provisioning options

To keep access governance clear, use these pages together as follows:

• Use Settings > User Privileges to define who can see which organizations and which capabilities are delegated.

• Use Settings > Users to create users and apply the access model during user setup.

Only users with the MSP Admin role can modify access boundaries and delegated capabilities.

Settings > User Privileges (organization visibility, groups, and capabilities)

Organization visibility (Group Access)

Organization visibility and user privilege boundaries are managed from Settings > User Privileges.

On this page you can:

• Turn Group Access on/off: Controls which organizations a user can see

  

• Create and manage Groups: Determines which organizations are visible to specific users

• Enable or disable capability toggles: Includes options such as Respond Access, Unify Access, and Fortify Access

  

How Group Access works

Group Access controls organization visibility using group membership.

• Groups define collections of organizations.

• Users are assigned to one or more groups.

• Visibility is scoped by group membership, not by individual permissions.

Group Access is an all‑or‑nothing visibility control:

• If Group Access is On, organization visibility is scoped by groups.

• If Group Access is Off, scoped visibility no longer applies.

  

Use Group Access when you need to:

• Limit which customers or environments different technicians can see

• Support specific organizations without exposing the full tenant

• Separate visibility by customer, business unit, or responsibility

Boundary: Group Access controls visibility only. It does not grant permission to perform actions.

Group Access behavior in practice

When Group Access is On:

• Users see only the organizations included in their assigned group or groups.

• Organization‑scoped areas of the platform are limited accordingly.

When Group Access is Off:

• Users revert to the default state where they can see all organizations.

• Existing group definitions may remain listed, but group scoping does not apply until Group Access is turned back on.

Group Access should be treated as an all‑or‑nothing visibility control. If it is disabled, scoped visibility disappears.

Groups: defining which organizations a user can access

Groups define which organizations are visible to specific users. Each group includes:

• A group name

• One or more organizations assigned to the group (including a Select all organizations option)

• One or more users assigned to the group (including Select all users when available)

The group configuration confirms the outcome: the selected group will see all selected organizations.

Creating a group

1. Go to Settings > User Privileges.

   

2. Select + Add New Group.

   

3. In the Add New Group dialog:

   • Enter a Group Name.

   • Under Assign organizations to the group, select one or more organizations, or select Select all organizations.

   • Under Assign users to the group, select one or more users, or Select all users.

4. Select Create New Group.

   

5. A confirmation message will be displayed.

   

After creation, users assigned to the group see only the organizations assigned to that group.

Editing a group

1. Go to Settings > User Privileges.

   

2. Select Edit group (pencil icon) for the group.

   

3. In the Edit Group dialog:

   • Update the Group Name as needed.

   • Update the organizations assigned to the group (including Select all organizations).

   • Update the users assigned to the group.

4. Select Update Group.

   

5. A confirmation message will be displayed.

   

Edits apply immediately to group‑scoped visibility.

Deleting a group

1. Go to Settings > User Privileges.

   

2. Select Delete group (trash can icon) for the group.

   

3. In the Delete Group dialog, use Assign user to group if reassignment is required.

4. Select Delete.

   

Group deletion is permanent and cannot be undone.

Group list navigation tools

The Groups area supports operational use at scale, including:

• A search field to filter group records

• Pagination controls and a rows‑per‑page selector

• A summary count of results

MSP capability toggles: delegating limited platform access

Below the Groups table on Settings > User Privileges, Kaseya SIEM provides capability toggles that delegate limited operational access, including:

• Respond Access: Allows MSP users to manage Respond connections

• Unify Access: Allows MSP users to manage Unify features

• Fortify Access: Allows MSP users to manage Fortify

When Fortify Access is enabled, an additional checkbox is available to limit access to connections only.

These toggles delegate access to specific feature areas without expanding organization visibility. They control whether MSP users can manage functionality related to Respond, Unify, or Fortify within the organizations they can already see. For more information about what each feature includes, see the Using the Respond module, Unify configuration and context association, and Setting up Fortify.

Important boundary

• Group Access controls which organizations users can see.

• Capability toggles control which limited administrative actions users can take.

They work together, but they do not control the same thing.

NOTE  Group Access applies to MSP users. MSP Admin users are not subject to organization visibility restrictions.

Common access patterns (recommended)

Scenario	Use this control	Why
You have multiple organizations and need to limit what different technicians can see	Group Access	Restricts organization visibility so users see only the organizations assigned to their group, rather than the full tenant list
You want users to support specific customers without exposing all organizations	Group Access	Allows access to be scoped by customer or responsibility without creating separate tenants.
You need technicians to manage specific operational areas (for example, connection or feature management)	MSP capability toggles	Delegates specific administrative capabilities without expanding organization visibility or granting full administrative access
You want to temporarily remove scoped organization visibility for all users	Disable Group Access	Restores full organization visibility while preserving existing group definitions for later re‑enablement
You want to delegate tasks without exposing sensitive configuration or full access	Group Access + MSP capability toggles	Separates organization visibility from limited action permissions

IMPORTANT  Disabling Group Access removes organization‑level visibility restrictions for all users. Use this option intentionally and only when full organization visibility is required.

Settings > Users (user creation, group assignment, and user‑level options)

User administration and visibility assignment

User account administration is handled under Settings > Users.

This is where administrators can:

• Invite users and manage user status

• Assign the MSP Admin designation (when applicable)

• Assign Group Access membership during user creation

• Configure user‑level options such as Single Sign‑On and Enable Automatic User Creation

User assignment: applying group visibility during user setup

Group scoping is applied to users through Settings > Users. This page provides:

• A user list including user status and role information

• A Group column to reflect group assignment

• Buttons for Add New User and Export All Users

User invitation and group assignment

1. Go to Settings > Users.

2. Select + Add New User.

   

3. In the Add MSP User dialog:

   • Enter the user’s email address and license scope.

   • Select MSP Admin when applicable.

   • Under User Privileges, use the Group Access drop-down menu to assign group membership.

   • Use Add/Edit Groups to manage groups if needed.

4. Select Send User Invite.

   

The dialog confirms the access outcome: the user will see all organizations associated with the selected group or groups.

User‑level access options

The Users page also includes a Single Sign‑On section with the following options:

• Allow Users to Log in with KaseyaOne (user login method configuration)

• Require Login with KaseyaOne (enforces KaseyaOne as the required login method; available when KaseyaOne login is enabled)

• Enable Automatic User Creation (user provisioning behavior; available when KaseyaOne login is enabled)

These options affect how users are created and authenticated and should be configured according to your organization’s access and provisioning requirements. For more information, see Unified Login with KaseyaOne and Setting up automatic user creation.

Related articles

• Managing organizations: Describes how organizations define security and configuration boundaries that access controls are applied against

• Setting up automatic user creation: Explains how user accounts can be provisioned automatically through authentication without assigning permissions

• Global defaults and organization‑level behavior: Explains how configuration scope, inheritance, and overrides work across Settings and why behavior can differ by organization