Users and user roles

This section describes users and user roles, and provides instructions for creating and modifying them, for assigning roles and groups to users, and for associating policy profiles with roles.

About user roles

A user role (also referred to as a role) is an object containing a set of rights and privileges. A role can be associated with settings of Kaspersky applications installed on a user device. You can assign a role to a set of users or to a set of security groups at any level in the hierarchy of administration groups.

You can associate user roles with policy profiles. If a user is assigned a role, this user gets security settings necessary to perform job functions.

A user role can be associated with users of devices in a specific administration group.

User role scope

A user role scope is a combination of users and administration groups. Settings associated with a user role apply only to devices that belong to users who have this role, and only if these devices belong to groups associated with this role, including child groups.

Advantage of using roles

An advantage of using roles is that you do not have to specify security settings for each of the managed devices or for each of the users separately. The number of users and devices in a company may be quite large, but the number of different job functions that require different security settings is considerably smaller.

Differences from using policy profiles

Policy profiles are properties of a policy that is created for each Kaspersky application separately. A role is associated with many policy profiles created for different applications. Therefore, a role is a method of uniting settings for a certain user type in one place.

Configuring access rights to application features. Role-based access control

Kaspersky Security Center provides facilities for role-based access to the features of Kaspersky Security Center and managed Kaspersky applications.

You can configure access rights to application features for Kaspersky Security Center users in one of the following ways:

• By configuring the rights for each user or group of users individually.
• By creating standard user roles with a predefined set of rights and assigning those roles to users depending on their scope of duties.

Application of user roles is intended to simplify and shorten routine procedures of configuring users' access rights to application features. Access rights within a role are configured in accordance with the standard tasks and the users' scope of duties.

User roles can be assigned names that correspond to their respective purposes. You can create an unlimited number of roles in the application.

You can use the predefined user roles with already configured set of rights, or create new roles and configure the required rights yourself.

Access rights to application features

The table below shows the Kaspersky Security Center features with the access rights to manage the associated tasks, reports, settings, and perform the associated user actions.

To perform the user actions listed in the table, a user has to have the right specified next to the action.

Read, Modify, and Execute rights are applicable to any task, report, or setting. In addition to these rights, a user has to have the Perform operations on device selections right to manage tasks, reports, or settings on device selections.

All tasks, reports, settings, and installation packages that are missing in the table belong to the General features: Basic functionality functional area.

Access rights to application features

Predefined user roles

User roles assigned to Kaspersky Security Center users provide them with sets of access rights to application features.

You can use the predefined user roles with already configured set of rights, or create new roles and configure the required rights yourself. Some of the predefined user roles available in Kaspersky Security Center can be associated with specific job positions, for example, Auditor, Security Officer, Supervisor (these roles are present in Kaspersky Security Center starting from the version 11). Access rights of these roles are pre-configured in accordance with the standard tasks and scope of duties of the associated positions. The table below shows how roles can be associated with specific job positions.

Examples of roles for specific job positions

The table below shows the access rights assigned to each predefined user role.

Access rights of predefined user roles

Assigning access rights to users and security groups

You can give users and security groups access rights to use different features of Administration Server, for example, Kaspersky Endpoint Security for Linux.

To assign access rights to a user or a security group:

1. In the main menu, click the settings icon () next to the name of the required Administration Server.

   The Administration Server properties window opens.

2. On the Access rights tab, select the check box next to the name of the user or the security group to whom to assign rights, and then click the Access rights button.

   You cannot select multiple users or security groups at the same time. If you select more than one item, the Access rights button will be disabled.

3. Configure the set of rights for the user or group:
   1. Expand the node with features of Administration Server or other Kaspersky application.
   2. Select the Allow or Deny check box next to the feature or the access right that you want.

      Example 1: Select the Allow check box next to the Application integration node to grant all available access rights to the Application integration feature (Read, Write, and Execute) for a user or group.

      Example 2: Expand the Encryption key management node, and then select the Allow check box next to the Write permission to grant the Write access right to the Encryption key management feature for a user or group.

4. After you configure the set of access rights, click OK.

The set of rights for the user or group of users will be configured.

The permissions of the Administration Server (or the administration group) are divided into the following areas:

• General features:
  • Management of administration groups
  • Access objects regardless of their ACLs
  • Basic functionality
  • Deleted objects
  • Event processing
  • Operations on Administration Server (only in the property window of Administration Server)
  • Kaspersky software deployment
  • License key management
  • Application integration
  • Enforced report management
  • Hierarchy of Administration Servers
  • User permissions
  • Virtual Administration Servers
• Mobile Device Management:
  • General
  • Self Service Portal
• System Management:
  • Connectivity
  • Hardware inventory
  • Network Access Control
  • Operating system deployment
  • Vulnerability and Patch Management
  • Remote installation
  • Software inventory

If neither Allow nor Deny is selected for an access right, then the access right is considered undefined: it is denied until it is explicitly denied or allowed for the user.

The rights of a user are the sum of the following:

• User's own rights
• Rights of all the roles assigned to this user
• Rights of all the security group to which the user belongs
• Rights of all the roles assigned to the security groups to which the user belongs

If at least one of these sets of rights has Deny for a permission, then the user is denied this permission, even if other sets allow it or leave it undefined.

You can also add users and security groups to the scope of a user role to use different features of Administration Server. Settings associated with a user role will only apply only to devices that belong to users who have this role, and only if these devices belong to groups associated with this role, including child groups.

Adding an account of an internal user

To add a new internal user account to Kaspersky Security Center:

1. In the main menu, go to USERS & ROLES → USERS.
2. Click Add.
3. In the New entity window that opens, specify the settings of the new user account:
   • Keep the default option User.
   • Name.
   • Password for the user connection to Kaspersky Security Center.

     The password must comply with the following rules:

     • The password must be 8 to 16 characters long.
     • The password must contain characters from at least three of the groups listed below:
       • Uppercase letters (A-Z)
       • Lowercase letters (a-z)
       • Numbers (0-9)
       • Special characters (@ # $ % ^ & * - _ ! + = [ ] { } | : ' , . ? / \ ` ~ " ( ) ;)
     • The password must not contain any whitespaces, Unicode characters, or the combination of "." and "@", when "." is placed before "@".

     To see the characters that you entered, click and hold the Show button.

     The number of attempts for entering the password is limited. By default, the maximum number of allowed password entry attempts is 10. You can change the allowed number of attempts to enter a password, as described in "Changing the number of allowed password entry attempts".

     If the user enters an invalid password the specified number of times, the user account is blocked for one hour. You can unblock the user account only by changing the password.

   • Full name
   • Description
   • Email address
   • Phone
4. Click OK to save the changes.

The new user account appears in the list of users and security groups.

Creating a security group

To create a security group:

1. In the main menu, go to USERS & ROLES → USERS.
2. Click Add.
3. In the New entity window opens, select Group.
4. Specify the following settings for the new security group:
   • Group name
   • Description
5. Click OK to save the changes.

The new security group appears in the list of users and security groups.

Editing an account of an internal user

To edit an internal user account in Kaspersky Security Center:

1. In the main menu, go to USERS & ROLES → USERS.
2. Click the name of the user account that you want to edit.
3. In the user settings window that opens, on the General tab, change the settings of the user account:
   • Description
   • Full name
   • Email address
   • Main phone
   • Set new password for the user connection to Kaspersky Security Center.

     The password must comply with the following rules:

     • The password must be 8 to 256 characters long.
     • The password must contain characters from at least three of the groups listed below:
       • Uppercase letters (A-Z)
       • Lowercase letters (a-z)
       • Numbers (0-9)
       • Special characters (@ # $ % ^ & * - _ ! + = [ ] { } | : ' , . ? / \ ` ~ " ( ) ;)
     • The password must not contain any whitespaces, Unicode characters, or the combination of "." and "@", when "." is placed before "@".

     To see the entered password, click and hold the Show button.

     The number of attempts for entering the password is limited. By default, the maximum number of allowed password entry attempts is 10. You can change the allowed number of attempts; however, for security reasons, we do not recommend that you decrease this number. If the user enters an invalid password the specified number of times, the user account is blocked for one hour. You can unblock the user account only by changing the password.

   • If necessary, switch the toggle button to Disabled to prohibit the user from connecting to the application. You can disable an account, for example, after an employee leaves the company.
4. On the Authentication security tab, you can specify the security settings for this account.
5. On the Groups tab, you can add the user to security groups.
6. On the Devices tab, you can assign devices to the user.
7. On the Roles tab, you can assign roles to the user.
8. Click Save to save the changes.

The updated user account appears in the list of users and security groups.

Editing a security group

You can edit only internal groups.

To edit a security group:

1. In the main menu, go to USERS & ROLES → USERS.
2. Click the name of the security group that you want to edit.
3. In the group settings window that opens, change the settings of the security group:
   • Name
   • Description
4. Click Save to save the changes.

The updated security group appears in the list of users and security groups.

Adding user accounts to an internal group

You can add only accounts of internal users to an internal group.

To add user accounts to an internal group:

1. In the main menu, go to USERS & ROLES → USERS.
2. Select check boxes next to user accounts that you want to add to a group.
3. Click the Assign group button.
4. In the Assign group window that opens, select the group to which you want to add user accounts.
5. Click the Assign button.

The user accounts are added to the group.

Assigning a user as a device owner

For information about assigning a user as a mobile device owner, see Kaspersky Security for Mobile Help.

To assign a user as a device owner:

1. In the main menu, go to USERS & ROLES → USERS.
2. Click the name of the user account that you want to assign as a device owner.
3. In the user settings window that opens, select the Devices tab.
4. Click Add.
5. From the device list, select the device that you want to assign to the user.
6. Click OK.

The selected device is added to the list of devices assigned to the user.

You can perform the same operation at DEVICES → MANAGED DEVICES, by clicking the name of the device that you want to assign, and then clicking the Manage device owner link.

Deleting a user or a security group

You can delete only internal users or internal security groups.

To delete a user or a security group:

1. In the main menu, go to USERS & ROLES → USERS.
2. Select the check box next to the user or the security group that you want to delete.
3. Click Delete.
4. In the window that opens, click OK.

The user or the security group is deleted.

Creating a user role

To create a user role:

1. In the main menu, go to USERS & ROLES → Roles.
2. Click Add.
3. In the New role name window that opens, enter the name of the new role.
4. Click OK to apply the changes.
5. In the role properties window that opens, change the settings of the role:
   • On the General tab, edit the role name.

     You cannot edit the name of a predefined role.

   • On the Settings tab, edit the role scope and policies and profiles associated with the role.
   • On the Access rights tab, edit the rights for access to Kaspersky applications.
6. Click Save to save the changes.

The new role appears in the list of user roles.

Editing a user role

To edit a user role:

1. In the main menu, go to USERS & ROLES → Roles.
2. Click the name of the role that you want to edit.
3. In the role properties window that opens, change the settings of the role:
   • On the General tab, edit the role name.

     You cannot edit the name of a predefined role.

   • On the Settings tab, edit the role scope and policies and profiles associated with the role.
   • On the Access rights tab, edit the rights for access to Kaspersky applications.
4. Click Save to save the changes.

The updated role appears in the list of user roles.

Editing the scope of a user role

A user role scope is a combination of users and administration groups. Settings associated with a user role apply only to devices that belong to users who have this role, and only if these devices belong to groups associated with this role, including child groups.

To add users, security groups, and administration groups to the scope of a user role, you can use either of the following methods:

Method 1:

1. In the main menu, go to USERS & ROLES → USERS.
2. Select check boxes next to the users and security groups that you want to add to the user role scope.
3. Click the Assign role button.

   The Role Assignment Wizard starts. Proceed through the Wizard by using the Next button.

4. On the Select role step, select the user role that you want to assign.
5. On the Define scope step, select the administration group that you want to add to the user role scope.
6. Click the Assign role button to close the Wizard.

The selected users or security groups and the selected administration group are added to the scope of the user role.

Method 2:

1. In the main menu, go to USERS & ROLES → Roles.
2. Click the name of the role for which you want to define the scope.
3. In the role properties window that opens, select the Settings tab.
4. In the Role scope section, click Add.

   The Role Assignment Wizard starts. Proceed through the Wizard by using the Next button.

5. On the Define scope step, select the administration group that you want to add to the user role scope.
6. On the Select users step, select users and security groups that you want to add to the user role scope.
7. Click the Assign role button to close the Wizard.
8. Close the role properties window.

The selected users or security groups and the selected administration group are added to the scope of the user role.

Method 3:

1. In the main menu, click the settings icon () next to the name of the required Administration Server.

   The Administration Server properties window opens.

2. On the Access rights tab, select the check box next to the name of the user or the security group that you want to add to the user role scope, and then click the Roles button.

   You cannot select multiple users or security groups at the same time. If you select more than one item, the Roles button will be disabled.

3. In the Roles window, select the user role that you want to assign, and then click OK and save changes.

   The selected users or security groups are added to the scope of the user role.

Deleting a user role

To delete a user role:

1. In the main menu, go to USERS & ROLES → Roles.
2. Select the check box next to the name of the role that you want to delete.
3. Click Delete.
4. In the window that opens, click OK.

The user role is deleted.

Associating policy profiles with roles

You can associate user roles with policy profiles. In this case, the activation rule for this policy profile is based on the role: the policy profile becomes active for a user that has the specified role.

For example, the policy bars any GPS navigation software on all devices in an administration group. GPS navigation software is necessary only on a single device in the Users administration group—the device owned by a courier. In this case, you can assign a "Courier" role to its owner, and then create a policy profile allowing GPS navigation software to run only on the devices whose owners are assigned the "Courier" role. All the other policy settings are preserved. Only the user with the role "Courier" will be allowed to run GPS navigation software. Later, if another worker is assigned the "Courier" role, the new worker also can run navigation software on your organization's device. Running GPS navigation software will still be prohibited on other devices in the same administration group.

To associate a role with a policy profile:

1. In the main menu, go to USERS & ROLES → Roles.
2. Click the name of the role that you want to associate with a policy profile.

   The role properties window opens with the General tab selected.

3. Select the Settings tab, and scroll down to the Policies & Profiles section.
4. Click Edit.
5. To associate the role with:
   • An existing policy profile—Click the chevron icon () next to the required policy name, and then select the check box next to the profile with which you want to associate the role.
   • A new policy profile:
     1. Select the check box next to the policy for which you want to create a profile.
     2. Click New policy profile.
     3. Specify a name for the new profile and configure the profile settings.
     4. Click the Save button.
     5. Select the check box next to the new profile.
6. Click Assign to role.

The profile is associated with the role and appears in the role properties. The profile applies automatically to any device whose owner is assigned the role.

Propagating user roles to secondary Administration Servers

By default, the lists of user roles of the primary and secondary Administration Servers are independent. You can configure the application to automatically propagate the user roles created on the primary Administration Server to all of the secondary Administration Servers. The user roles can also be propagated from a secondary Administration Server to its own secondary Administration Servers.

To propagate user roles from the primary Administration Server to the secondary Administration Servers:

1. In the main menu, click the settings icon () next to the name of the required Administration Server.

   The Administration Server properties window opens with the General tab selected.

2. Go to the Hierarchy of Administration Servers section.
3. Enable the Relay list of roles to secondary Administration Servers option, and then click the Save button.

The application copies the user roles of the primary Administration Server to the secondary Administration Servers.

When the Relay list of roles to secondary Administration Servers option is enabled and the user roles are propagated, they cannot be edited or deleted on the secondary Administration Servers. When you create a new role or edit an existing one on the primary Administration Server, the changes are automatically copied to the secondary Administration Servers. When you delete a user role on the primary Administration Server, this role remains on the secondary Administration Servers afterward, but it can be edited or deleted.

The roles that are propagated to the secondary Administration Server from the primary Server are displayed with green check marks (). You cannot edit these roles on the secondary Administration Server.

If you create a role on the primary Administration Server, and there is a role with the same name on its secondary Administration Server, the new role is copied to the secondary Administration Server with the index added to its name, for example, ~~1, ~~2 (the index can be random).

If you disable the Relay list of roles to secondary Administration Servers option, all the user roles remain on the secondary Administration Servers, but they become independent from those on the primary Administration Server. After becoming independent, the user roles on the secondary Administration Servers can be edited or deleted.