About user roles

Access to Kaspersky Container Security functionality through the graphical interface and the public API is provided to the user in accordance with the user's role. A role is a permission set for managing a solution. When a role is assigned to a user, the user is added to the corresponding role group. Revoking a role removes the user from the corresponding role group.

Kaspersky Container Security provides user roles as well as system roles, which have predefined sets of access permissions to perform common tasks for protecting container environments. By default, the solution offers the following system roles:

The Access administrator role is intended for users that are responsible for deploying and supporting the infrastructure and system software that the solution needs (for example, operating systems, application servers, and databases). These users manage user accounts, roles and access permissions in Kaspersky Container Security.
In the web interface, this role is called kcsadm.
The Information Security Administrator role is intended for users that are responsible for creating and managing user accounts, roles and access permissions of users, changing settings, connecting public image registries, agents and outputs, and configuring assurance policies.
In the web interface, this role is called isadm.
The Information Security Auditor role is intended for users that view resources and the list of solution users, and monitor the results of scans and compliance checks.
In the web interface, this role is called isaud.
The Information Security Officer role is intended for users that view and manage assurance policies, connect public image registries, and view the runtime container analysis results for projects in which these users are directly involved.
In the web interface, this role is called isoff.
The Developer role is intended for users that perform compliance checks and can view the results of scanning images from registries and CI/CD, cluster resources and accepted risks.
In the web interface, this role is called dev.

During the initial installation of Kaspersky Container Security, an admin user account is created and the isadm role is automatically assigned to it.

You can assign system roles to user accounts when creating or viewing these user accounts.

Multiple user roles can be assigned to a user.

If a specific system role is not needed, you can delete it.

However, you cannot delete the last active system role that has permissions to manage other roles.

If the available system roles do not offer the required access permissions, you can create your own unique sets of permissions as custom roles.

When creating custom roles, consider the necessary set of permissions for accessing related functionalities. For example:

To view and configure the settings of the response policies, you need permission to view integrations with notification services. If this permission is not granted, Kaspersky Container Security will display an error when you try to configure a response policy.
Permissions to manage response policies must be granted with permissions to manage notifications, otherwise, you will not be able to select the outputs in the policy settings.
To create a user, you need permission to view and manage roles. If such permission is not granted, only the dashboard is displayed to the created user.
The permission to manage users must be granted together with the permission to manage roles, otherwise you will not be able to assign a role when creating a user.

You can assign user roles to user accounts just like with system roles. In addition, you can also change the settings of user roles and delete user roles.

When assigning the scopes to roles, you must take into account that a security policy can be implemented within a specific scope only if this scope is assigned to one of your roles.

If you integrated the solution with an LDAP server, Kaspersky Container Security also receives and displays the roles and user groups from the Active Directory service.

Page top