Rozmith
ROZMITH · MANAGED IT & SECURITY

Connection Setup Wizard

Configure your dashboard data sources


Connect once. Refresh forever.

Fill in the credentials below for each platform you want the dashboard to pull from. Nothing is sent anywhere — values stay in your browser. Click Download .env when done. Your entries persist locally so you can come back and edit them.

  1. Fill in each connector below
  2. Download .env
  3. Run python api_integrations.py
  4. Live data flows into the dashboard

Security & storage

Credentials are stored in your browser's localStorage for convenience. For shared workstations or production, prefer a vault (Azure Key Vault, 1Password CLI, doppler.com) and load the env file from there at runtime. The generated .env file is never transmitted — it's built locally and downloaded directly to your machine.
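A pre-flight check for the downloaded file, added here as an example and not part of the Rozmith tooling: a browser download typically lands with default permissions, so this flags a .env that other local users can read and any connector value left empty, without ever printing a value. POSIX permissions are assumed, and the function names are hypothetical.

```python
import os
import stat


def audit_env_file(path: str) -> list:
    """Return findings for a downloaded .env file (an empty list means clean)."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # Any group or world bit means another local account can reach the secrets.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o} exposes the secrets to other users; use 0600")
    with open(path, encoding="utf-8") as fh:
        for lineno, line in enumerate(fh, 1):
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key, sep, value = line.partition("=")
            if not sep:
                findings.append(f"line {lineno}: not KEY=VALUE")
            elif not value.strip().strip("'\""):
                # Report the key name only, never the value.
                findings.append(f"line {lineno}: {key.strip()} is empty")
    return findings


def lock_down(path: str) -> None:
    """Restrict the file to its owner (read/write only)."""
    os.chmod(path, 0o600)
```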

Rozmith Staff Roster

Employees who can sign in to the staff console · drives utilization and profitability

What this is

  1. Add every Rozmith employee who will sign in to staff.rozmith.com.
  2. Their email must match the address they use to sign in via Microsoft Entra ID.
  3. Role determines what they can do — admins see everything, AMs manage clients, engineers work on assigned clients, SOC analysts handle security events.
  4. Bill rate is what you bill the customer for their time. Cost rate is what they cost Rozmith (salary + benefits / billable hours). Both feed the profitability dashboard.
  5. Skills are used to filter for project assignment — comma-separated tags like M365, Sentinel, Fortinet.
Saved to your browser · also exported in the .env download for backend ingestion

Microsoft 365, Azure & Defender XDR

One Azure AD app registration covers Graph + Defender

How to get these credentials

  1. Go to entra.microsoft.com → Identity → Applications → App registrations → New registration.
  2. Name it Rozmith Client Dashboard. Single-tenant. No redirect URI needed.
  3. Copy the Application (client) ID and Directory (tenant) ID from the Overview page.
  4. Go to Certificates & secrets → New client secret. Copy the Value (you only see it once).
  5. Go to API permissions, add the application permissions listed below, click Grant admin consent.
Required application permissions (admin consent):
Microsoft Graph: Reports.Read.All, SecurityEvents.Read.All, Policy.Read.All, Directory.Read.All, AuditLog.Read.All
Defender API: Machine.Read.All, Alert.Read.All, Incident.Read.All
Directory (tenant) ID from Entra app overview.
Application (client) ID from Entra app overview.
From Certificates & secrets. Only visible once at creation time.
python api_integrations.py --only m365

Microsoft Intune

Device compliance, MDM/MAM, app deployment, config profiles

How to get these credentials

  1. You can re-use the same Azure AD app registration as Microsoft 365 — just add Intune permissions to it.
  2. In entra.microsoft.com → your app → API permissions → Add a permission → Microsoft Graph → Application permissions.
  3. Add the permissions listed below, then click Grant admin consent.
  4. If you prefer a separate app for Intune (recommended for blast-radius isolation), create a new App Registration following the same steps from the M365 section above.
Required Microsoft Graph application permissions (admin consent):
DeviceManagementManagedDevices.Read.All, DeviceManagementConfiguration.Read.All, DeviceManagementApps.Read.All, DeviceManagementServiceConfig.Read.All, DeviceManagementRBAC.Read.All
Tip: leave blank to reuse the Microsoft 365 tenant.
python api_integrations.py --only intune
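A least-privilege check for the app registrations described in the Microsoft 365 and Intune sections, added here as an example and not part of the Rozmith tooling: an app-only Graph access token lists its granted application permissions in the `roles` claim, so comparing that claim with the lists above shows what a leaked client secret would expose. The token is constructed sample data and the function names are hypothetical.

```python
import base64
import json

# Graph application permissions copied from the two lists in this wizard.
M365_GRAPH = {"Reports.Read.All", "SecurityEvents.Read.All", "Policy.Read.All",
              "Directory.Read.All", "AuditLog.Read.All"}
INTUNE_GRAPH = {"DeviceManagementManagedDevices.Read.All",
                "DeviceManagementConfiguration.Read.All",
                "DeviceManagementApps.Read.All",
                "DeviceManagementServiceConfig.Read.All",
                "DeviceManagementRBAC.Read.All"}


def token_roles(jwt: str) -> set:
    """Return the 'roles' claim (application permissions) of an app-only token.

    Inspection only: the signature is not verified, so this must never be
    used to make an authorization decision.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return set(json.loads(base64.urlsafe_b64decode(payload)).get("roles", []))


def audit(roles: set, expected: set) -> dict:
    """Compare the permissions a token carries with the ones the wizard lists."""
    extra = roles - expected
    return {
        "missing": sorted(expected - roles),
        "extra": sorted(extra),
        # Extras with no plain 'Read' segment (e.g. ReadWrite) get reviewed first.
        "not_read_only": sorted(r for r in extra if "Read" not in r.split(".")),
    }


def sample_token(roles: list) -> str:
    """Build a constructed, unsigned token so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"roles": roles}), "sig"])


if __name__ == "__main__":
    # One shared app that also picked up a write permission (constructed case).
    token = sample_token(sorted(M365_GRAPH | INTUNE_GRAPH)
                         + ["DeviceManagementManagedDevices.ReadWrite.All"])
    print(audit(token_roles(token), M365_GRAPH | INTUNE_GRAPH))
```

With a separate Intune app, auditing the Microsoft 365 app's token against `M365_GRAPH` alone should report every `DeviceManagement*` role as extra.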

Fortinet — FortiGate & FortiAnalyzer

FortiGate REST API for live device state, FortiAnalyzer for 30-day rollups

How to get these credentials

  1. In FortiGate: System → Administrators → Create new → REST API Admin.
  2. Username: rozmith-dashboard. Profile: read_only. Trusted hosts: your management subnet (e.g. 10.10.0.0/24).
  3. Save — FortiGate displays the API key once. Copy it.
  4. Multiple FortiGates: repeat for each and comma-separate the hostnames below.
  5. For 30-day rollups, FortiAnalyzer is preferred. Create a read-only API user under System Settings → Admin.
Comma-separated. No protocol — HTTPS assumed.
python api_integrations.py --only fortinet
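A validator for the two Fortinet settings above, added here as an example and not part of the Rozmith tooling: it turns the comma-separated host field into https:// base URLs, rejecting entries that would send the API key over another scheme or to an unintended target, and checks that the machine running the script sits inside the Trusted hosts subnet. The optional `:port` suffix, the example.net hostname and the function names are assumptions.

```python
import ipaddress
import re

# One DNS label or IPv4 octet group; IPv6 literals are out of scope here.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})*$")


def fortigate_base_urls(field: str) -> list:
    """Turn the comma-separated host field into https:// base URLs.

    Rejects anything that could redirect the API key or send it in clear text:
    an explicit scheme, embedded credentials, a path, or a malformed port.
    """
    urls = []
    for item in field.split(","):
        entry = item.strip()
        if not entry:
            continue  # tolerate a trailing comma
        if "://" in entry:
            raise ValueError(f"{entry!r}: no protocol allowed, HTTPS is assumed")
        host, sep, port = entry.partition(":")
        if not HOST_RE.match(host) or len(host) > 253:
            raise ValueError(f"{entry!r}: not a bare hostname or IPv4 address")
        if sep and not (port.isdigit() and 0 < int(port) < 65536):
            raise ValueError(f"{entry!r}: bad port")
        urls.append(f"https://{entry}")
    return urls


def collector_is_trusted(collector_ip: str, trusted_hosts: str) -> bool:
    """True if the host running the script falls inside the REST API admin's
    Trusted hosts subnet, i.e. FortiGate will accept its API key."""
    return ipaddress.ip_address(collector_ip) in ipaddress.ip_network(trusted_hosts)
```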

ConnectWise Manage (PSA)

Tickets, time entries, agreements, configurations

How to get these credentials

  1. Sign in to your ConnectWise Manage instance as an admin.
  2. Go to System → Members → API Members tab → + to create a new API member. Role: API-Reporting (read-only) or your equivalent role.
  3. Open the new API member → API Keys tab → + to generate a key pair. Copy the Public Key and Private Key immediately (private only shows once).
  4. Find your Company ID on the login page (3rd field, e.g. rozmith) and your Site URL (e.g. https://na.myconnectwise.net).
  5. ConnectWise uses HTTP Basic auth with companyId+publicKey:privateKey — the script handles this for you.
Required ConnectWise security role permissions (Inquire-level):
Service Tickets, Time Entries, Agreements, Configurations, Companies, Members, Reports
Region-specific. Common values: na, eu, aus.
From your CW Manage login page.
If this CW instance serves many clients, restrict to one.
python api_integrations.py --only connectwise
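The Basic auth format from step 5, as an added example that is not the code in api_integrations.py: it builds the header from companyId+publicKey:privateKey, refuses a non-HTTPS Site URL, and produces a log-safe copy of the headers, since Basic auth is only base64 and reverses trivially. Function names are hypothetical.

```python
import base64
from urllib.parse import urlsplit


def connectwise_auth_header(company_id: str, public_key: str, private_key: str) -> dict:
    """Build the Basic auth header: base64("companyId+publicKey:privateKey")."""
    for name, value in (("company_id", company_id), ("public_key", public_key)):
        # Basic auth splits on the FIRST colon, so the user part must not contain one.
        if not value or ":" in value:
            raise ValueError(f"{name} is empty or contains ':'")
    if not private_key:
        raise ValueError("private_key is empty")
    userpass = f"{company_id}+{public_key}:{private_key}"
    token = base64.b64encode(userpass.encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def require_https(site_url: str) -> str:
    """Refuse to send the header anywhere but an https:// Site URL."""
    parts = urlsplit(site_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("Site URL must be https://host")
    return site_url.rstrip("/")


def redact(headers: dict) -> dict:
    """Copy of the headers that is safe to log (Basic auth is reversible)."""
    return {k: ("Basic <redacted>" if k.lower() == "authorization" else v)
            for k, v in headers.items()}
```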

PSA — Help Desk system

HaloPSA / ConnectWise / Autotask — pulls tickets, SLA, CSAT

How to get these credentials

  1. In your PSA admin portal, create a service account or API integration with read-only ticket access.
  2. Generate an OAuth client ID + secret (HaloPSA: Configuration → API → Applications; ConnectWise: System → Members → API Members).
  3. Note your PSA's API base URL (e.g. https://your-instance.halopsa.com).
  4. Client filter limits which client's tickets are pulled — useful when one PSA serves many clients.
If your PSA serves multiple clients, restrict to one. Leave blank for all.
python api_integrations.py --only helpdesk

RMM — Patching & vulnerability data

NinjaOne / Datto RMM / N-able / Atera / Kaseya

How to get these credentials

  1. NinjaOne / Datto / N-able / Atera / Kaseya: create a read-only API client with Client Credentials grant. Scope monitoring. Org ID lives in the client's org URL.
  2. Tanium (Converged Endpoint): in Tanium console go to Administration → Permissions → API Tokens. Create a token with read-only role over the client's content set. The "Base URL" is your Tanium platform host (e.g. https://yourcompany.cloud.tanium.com). Put the token in the Client secret field; leave Client ID empty.
  3. Tenable.io: go to Settings → My Account → API Keys → Generate. You get an Access Key and Secret Key. Put Access Key in Client ID and Secret Key in Client secret. Base URL = https://cloud.tenable.com.
  4. Tenable.sc / Nessus Manager: create an API access key under Users → your user → Edit → API Keys. Same field mapping as Tenable.io.
  5. Qualys / Rapid7: create a read-only service account; use Basic auth (username:password) — paste username in Client ID, password in Client secret.
The client's organization id in your RMM tenant.
python api_integrations.py --only patching

Client branding

Cosmetic — what shows up on the dashboard and PPTX cover