Kaspersky Security Center 14 Windows
14
English

Contents

Configuring access rights to application features. Role-based access control

Kaspersky Security Center provides facilities for role-based access to the features of Kaspersky Security Center and managed Kaspersky applications.

You can configure access rights to application features for Kaspersky Security Center users in one of the following ways:

  • By configuring the rights for each user or group of users individually.
  • By creating standard user roles with a predefined set of rights and assigning those roles to users depending on their scope of duties.

Application of user roles is intended to simplify and shorten routine procedures of configuring users' access rights to application features. Access rights within a role are configured in accordance with the standard tasks and the users' scope of duties.

User roles can be assigned names that correspond to their respective purposes. You can create an unlimited number of roles in the application.

You can use the predefined user roles with already configured set of rights, or create new roles and configure the required rights yourself.

In this section

Access rights to application features

Predefined user roles

Assigning access rights to users and security groups

See also:

Scenario: Configuring network protection
Page top
[Topic 203717]

Access rights to application features

The table below shows the Kaspersky Security Center features with the access rights to manage the associated tasks, reports, settings, and perform the associated user actions.

To perform the user actions listed in the table, a user has to have the right specified next to the action.

Read, Modify, and Execute rights are applicable to any task, report, or setting. In addition to these rights, a user has to have the Perform operations on device selections right to manage tasks, reports, or settings on device selections.

All tasks, reports, settings, and installation packages that are missing in the table belong to the General features: Basic functionality functional area.

Access rights to application features

Functional area

Right

User action: right required to perform the action

Task

Report

Other

General features: Management of administration groups

Modify
  • Add device to an administration group: Modify
  • Delete device from an administration group: Modify
  • Add an administration group to another administration group: Modify
  • Delete an administration group from another administration group: Modify

None

None

None

General features: Access objects regardless of their ACLs

Read

Get read access to all objects: Read

None

None

None

General features: Basic functionality
  • Read
  • Modify
  • Execute
  • Perform operations on device selections
  • Device moving rules (create, modify, or delete) for the virtual Server: Modify, Perform operations on device selections
  • Get Mobile (LWNGT) protocol custom certificate: Read
  • Set Mobile (LWNGT) protocol custom certificate: Write
  • Get NLA-defined network list: Read
  • Add, modify, or delete NLA-defined network list: Modify
  • View Access Control List of groups: Read
  • View the Kaspersky Event Log: Read
  • "Download updates to the Administration Server repository"
  • "Deliver reports"
  • "Distribute installation package"
  • "Install application on secondary Administration Servers remotely"
  • "Report on protection status"
  • "Report on threats"
  • "Report on most heavily infected devices"
  • "Report on status of anti-virus databases"
  • "Report on errors"
  • "Report on network attacks"
  • "Summary report on mail system protection applications installed"
  • "Summary report on perimeter defense applications installed"
  • "Summary report on types of applications installed"
  • "Report on users of infected devices"
  • "Report on incidents"
  • "Report on events"
  • "Report on activity of distribution points"
  • "Report on Secondary Administration Servers"
  • "Report on Device Control events"
  • "Report on vulnerabilities"
  • "Report on prohibited applications"
  • "Report on Web Control"
  • "Report on encryption status of managed devices"
  • "Report on encryption status of mass storage devices"
  • "Report on file encryption errors"
  • "Report on blockage of access to encrypted files"
  • "Report on rights to access encrypted devices"
  • "Report on effective user permissions"
  • "Report on rights"

None

General features: Deleted objects
  • Read
  • Modify
  • View deleted objects in the Recycle Bin: Read
  • Delete objects from the Recycle Bin: Modify

None

None

None

General features: Event processing
  • Delete events
  • Edit event notification settings
  • Edit event logging settings
  • Modify
  • Change events registration settings: Edit event logging settings
  • Change events notification settings: Edit event notification settings
  • Delete events: Delete events

None

None

Settings:

  • Virus outbreak settings: number of virus detections required to create a virus outbreak event
  • Virus outbreak settings: period of time for evaluation of virus detections
  • The maximum number of events stored in the database
  • Period of time for storing events from the deleted devices

General features: Operations on Administration Server
  • Read
  • Modify
  • Execute
  • Modify object ACLs
  • Perform operations on device selections
  • Specify ports of Administration Server for the network agent connection: Modify
  • Specify ports of Activation Proxy launched on the Administration Server: Modify
  • Specify ports of Activation Proxy for Mobile launched on the Administration Server: Modify
  • Specify ports of the Web Server for distribution of standalone packages: Modify
  • Specify ports of the Web Server for distribution of MDM profiles: Modify
  • Specify SSL ports of the Administration Server for connection via Kaspersky Security Center Web Console: Modify
  • Specify ports of the Administration Server for mobile connection: Modify
  • Specify the maximum number of events stored in the Administration Server database: Modify
  • Specify the maximum number of events that can be sent by the Administration Server: Modify
  • Specify time period during which events can be sent by the Administration Server: Modify
  • "Backup of Administration Server data"
  • "Databases maintenance"

None

None

General features: Kaspersky software deployment
  • Manage Kaspersky patches
  • Read
  • Modify
  • Execute
  • Perform operations on device selections

Approve or decline installation of the patch: Manage Kaspersky patches

None
  • "Report on license key usage by virtual Administration Server"
  • "Report on Kaspersky software versions"
  • "Report on incompatible applications"
  • "Report on versions of Kaspersky software module updates"
  • "Report on protection deployment"

Installation package: "Kaspersky"

General features: Key management
  • Export key file
  • Modify
  • Export key file: Export key file
  • Modify Administration Server license key settings: Modify

None

None

None

General features: Enforced report management
  • Read
  • Modify
  • Create reports regardless of their ACLs: Write
  • Execute reports regardless of their ACLs: Read

None

None

None

General features: Hierarchy of Administration Servers

Configure hierarchy of Administration Servers

Register, update, or delete secondary Administration Servers: Configure hierarchy of Administration Servers

None

None

None

General features: User permissions

Modify object ACLs
  • Change Security properties of any object: Modify object ACLs
  • Manage user roles: Modify object ACLs
  • Manage internal users: Modify object ACLs
  • Manage security groups: Modify object ACLs
  • Manage aliases: Modify object ACLs

None

None

None

General features: Virtual Administration Servers
  • Manage virtual Administration Servers
  • Read
  • Modify
  • Execute
  • Perform operations on device selections
  • Get list of virtual Administration Servers: Read
  • Get information on the virtual Administration Server: Read
  • Create, update, or delete a virtual Administration Server: Manage virtual Administration Servers
  • Move a virtual Administration Server to another group: Manage virtual Administration Servers
  • Set administration virtual Server permissions: Manage virtual Administration Servers

None

"Report on results of installation of third-party software updates"

None

Mobile device management: General

  • Connect new devices
  • Send only information commands to mobile devices
  • Send commands to mobile devices
  • Manage certificates
  • Read
  • Modify
  • Get Key Management Service restore data: Read
  • Delete user certificates: Manage certificates
  • Get user certificate public part: Read
  • Check if Public Key Infrastructure is enabled: Read
  • Check Public Key Infrastructure account: Read
  • Get Public Key Infrastructure templates: Read
  • Get Public Key Infrastructure templates by Extended Key Usage certificate: Read
  • Check if Public Key Infrastructure certificate is revoked: Read
  • Update user certificate issuance settings: Manage certificates
  • Get user certificate issuance settings: Read
  • Get packages by application name and version: Read
  • Set or cancel user certificate: Manage certificates
  • Renew user certificate: Manage certificates
  • Set user certificate tag: Manage certificates
  • Run generation of MDM installation package; cancel generation of MDM installation package: Connect new devices

None

None

None

System management: Connectivity
  • Start RDP sessions
  • Connect to existing RDP sessions
  • Initiate tunneling
  • Save files from devices to the administrator's workstation
  • Read
  • Modify
  • Execute
  • Perform operations on device selections
  • Create desktop sharing session: The right to create desktop sharing session
  • Create RDP session: Connect to existing RDP sessions
  • Create tunnel: Initiate tunneling
  • Save content network list: Save files from devices to the administrator's workstation

None

"Report on device users"

None

System management: Hardware inventory
  • Read
  • Modify
  • Execute
  • Perform operations on device selections
  • Get or export hardware inventory object: Read
  • Add, set or delete hardware inventory object: Write

None
  • "Report on hardware registry"
  • "Report on configuration changes"
  • "Report on hardware"

None

System management: Network access control
  • Read
  • Modify
  • View CISCO settings: Read
  • Change CISCO settings: Write

None

None

None

System management: Operating system deployment
  • Deploy PXE servers
  • Read
  • Modify
  • Execute
  • Perform operations on device selections
  • Deploy PXE servers: Deploy PXE servers
  • View a list of PXE servers: Read
  • Start or stop the installation process on PXE clients: Execute
  • Manage drivers for WinPE and operating system images: Modify

"Create installation package upon reference device OS image"

None

Installation package: "OS Image"

System management: Vulnerability and patch management

 

 
  • Read
  • Modify
  • Execute
  • Perform operations on device selections
  • View third-party patch properties: Read
  • Change third-party patch properties: Modify
  • "Perform Windows Update synchronization"
  • "Install Windows Update updates"
  • "Fix vulnerabilities"
  • "Install required updates and fix vulnerabilities"

"Report on software updates"

None

System management: Remote installation
  • Read
  • Modify
  • Execute
  • Perform operations on device selections
  • View third-party Vulnerability and Patch Management based installation package properties: Read
  • Change third-party Vulnerability and Patch Management based installation package properties: Modify

None

None

Installation packages:

  • "Custom application"
  • "VAPM package"

System management: Software inventory
  • Read
  • Modify
  • Execute
  • Perform operations on device selections

None

None
  • "Report on installed applications"
  • "Report on applications registry history"
  • "Report on status of licensed applications groups"
  • "Report on third-party software license keys"

None

See also:

Scenario: Configuring network protection
Page top
[Topic 203748]

Predefined user roles

User roles assigned to Kaspersky Security Center users provide them with sets of access rights to application features.

You can use the predefined user roles with already configured set of rights, or create new roles and configure the required rights yourself. Some of the predefined user roles available in Kaspersky Security Center can be associated with specific job positions, for example, Auditor, Security Officer, Supervisor (these roles are present in Kaspersky Security Center starting from the version 11). Access rights of these roles are pre-configured in accordance with the standard tasks and scope of duties of the associated positions. The table below shows how roles can be associated with specific job positions.

Examples of roles for specific job positions

Role

Comment

Auditor

Permits all operations with all types of reports, all viewing operations, including viewing deleted objects (grants the Read and Write permissions in the Deleted objects area). Does not permit other operations. You can assign this role to a person who performs the audit of your organization.

Supervisor

Permits all viewing operations; does not permit other operations. You can assign this role to a security officer and other managers in charge of the IT security in your organization.

Security Officer

Permits all viewing operations, permits reports management; grants limited permissions in the System management: Connectivity area. You can assign this role to an officer in charge of the IT security in your organization.

The table below shows the access rights assigned to each predefined user role.

Access rights of predefined user roles

Role

Description

Administration Server Administrator

Permits all operations in the following functional areas:

  • General features:
    • Basic functionality
    • Event processing
    • Hierarchy of Administration Servers
    • Virtual Administration Servers
  • System management:
    • Connectivity
    • Hardware inventory
    • Software inventory

Administration Server Operator

Grants the Read and Execute rights in all of the following functional areas:

  • General features:
    • Basic functionality
    • Virtual Administration Servers
  • System management:
    • Connectivity
    • Hardware inventory
    • Software inventory

Auditor

Permits all operations in the functional areas, in General features:

  • Access objects regardless of their ACLs
  • Deleted objects
  • Enforced report management

You can assign this role to a person who performs the audit of your organization.

Installation Administrator

Permits all operations in the following functional areas:

  • General features:
    • Basic functionality
    • Kaspersky software deployment
    • License key management
  • System management:
    • Operating system deployment
    • Vulnerability and patch management
    • Remote installation
    • Software inventory

Grants the Read and Execute rights in the General features: Virtual Administration Servers functional area.

Installation Operator

Grants the Read and Execute rights in all of the following functional areas:

  • General features:
    • Basic functionality
    • Kaspersky software deployment (also grants the Manage Kaspersky patches right in this area)
    • Virtual Administration Servers
  • System management:
    • Operating system deployment
    • Vulnerability and patch management
    • Remote installation
    • Software inventory

Kaspersky Endpoint Security Administrator

Permits all operations in the following functional areas:

  • General features: Basic functionality
  • Kaspersky Endpoint Security area, including all features

Kaspersky Endpoint Security Operator

Grants the Read and Execute rights in all of the following functional areas:

  • General features: Basic functionality
  • Kaspersky Endpoint Security area, including all features

Main Administrator

Permits all operations in functional areas, except for the following areas, in General features:

  • Access objects regardless of their ACLs
  • Enforced report management

Main Operator

Grants the Read and Execute (where applicable) rights in all of the following functional areas:

  • General features:
    • Basic functionality
    • Deleted objects
    • Operations on Administration Server
    • Kaspersky software deployment
    • Virtual Administration Servers
  • Mobile Device Management: General
  • System management, including all features
  • Kaspersky Endpoint Security area, including all features

Mobile Device Management Administrator

Permits all operations in the following functional areas:

  • General features: Basic functionality
  • Mobile Device Management: General

Mobile Device Management Operator

Grants the Read and Execute rights in the General features: Basic functionality functional area.

Grants Read and Send only information commands to mobile devices in the Mobile Device Management: General functional area.

Security Officer

Permits all operations in the following functional areas, in General features:

  • Access objects regardless of their ACLs
  • Enforced report management

Grants the Read, Modify, Execute, Save files from devices to the administrator's workstation, and Perform operations on device selections rights in the System management: Connectivity functional area.

You can assign this role to an officer in charge of the IT security in your organization.

Self Service Portal User

Permits all operations in the Mobile Device Management: Self Service Portal functional area. This feature is not supported in Kaspersky Security Center 11 and later version.

Supervisor

Grants the Read right in the General features: Access objects regardless of their ACLs and General features: Enforced report management functional areas.

You can assign this role to a security officer and other managers in charge of the IT security in your organization.

Vulnerability and Patch Management Administrator

Permits all operations in the General features: Basic functionality and System management (including all features) functional areas.

Vulnerability and Patch Management Operator

Grants the Read and Execute (where applicable) rights in the General features: Basic functionality and System management (including all features) functional areas.

See also:

Scenario: Configuring network protection
Page top
[Topic 203750]

Assigning access rights to users and security groups

You can give users and security groups access rights to use different features of Administration Server, for example, Kaspersky Endpoint Security for Linux.

To assign access rights to a user or a security group:

  1. In the main menu, click the settings icon () next to the name of the required Administration Server.

    The Administration Server properties window opens.

  2. On the Access rights tab, select the check box next to the name of the user or the security group to whom to assign rights, and then click the Access rights button.

    You cannot select multiple users or security groups at the same time. If you select more than one item, the Access rights button will be disabled.

  3. Configure the set of rights for the user or group:
    1. Expand the node with features of Administration Server or other Kaspersky application.
    2. Select the Allow or Deny check box next to the feature or the access right that you want.

      Example 1: Select the Allow check box next to the Application integration node to grant all available access rights to the Application integration feature (Read, Write, and Execute) for a user or group.

      Example 2: Expand the Encryption key management node, and then select the Allow check box next to the Write permission to grant the Write access right to the Encryption key management feature for a user or group.

  4. After you configure the set of access rights, click OK.

The set of rights for the user or group of users will be configured.

The permissions of the Administration Server (or the administration group) are divided into the following areas:

  • General features:
    • Management of administration groups
    • Access objects regardless of their ACLs
    • Basic functionality
    • Deleted objects
    • Event processing
    • Operations on Administration Server (only in the property window of Administration Server)
    • Kaspersky software deployment
    • License key management
    • Application integration
    • Enforced report management
    • Hierarchy of Administration Servers
    • User permissions
    • Virtual Administration Servers
  • Mobile Device Management:
    • General
    • Self Service Portal
  • System Management:
    • Connectivity
    • Hardware inventory
    • Network Access Control
    • Operating system deployment
    • Vulnerability and Patch Management
    • Remote installation
    • Software inventory

If neither Allow nor Deny is selected for an access right, then the access right is considered undefined: it is denied until it is explicitly denied or allowed for the user.

The rights of a user are the sum of the following:

  • User's own rights
  • Rights of all the roles assigned to this user
  • Rights of all the security group to which the user belongs
  • Rights of all the roles assigned to the security groups to which the user belongs

If at least one of these sets of rights has Deny for a permission, then the user is denied this permission, even if other sets allow it or leave it undefined.

You can also add users and security groups to the scope of a user role to use different features of Administration Server. Settings associated with a user role will only apply only to devices that belong to users who have this role, and only if these devices belong to groups associated with this role, including child groups.

Page top
[Topic 256412]