Kaspersky Security Center Cloud Console Help

Users and user roles

Users and user roles

This section describes users and user roles, and provides instructions for creating and modifying them, for assigning roles and groups to users, and for associating policy profiles with roles.

In this section

About user accounts

Adding an account of an internal user

About user roles

Configuring access rights to application features. Role-based access control

Assigning a role to a user or a security group

Creating a user role

Editing a user role

Editing the scope of a user role

Deleting a user role

Associating policy profiles with roles

Creating a security group

Editing a security group

Adding user accounts to an internal group

Deleting a security group

Configuring ADFS integration

Configuring integration with Microsoft Entra ID

Assigning a user as a device owner

Assigning a user as a Linux device owner after installation of Network Agent

Page top

About user accounts

Kaspersky Security Center Cloud Console allows you to manage user accounts and groups of accounts. The application supports two types of accounts:

Accounts of organization employees. Administration Server retrieves data of the accounts of those local users when polling the organization's network.
Accounts of internal users of Kaspersky Security Center Cloud Console. You can create accounts of internal users. These accounts are used only within Kaspersky Security Center Cloud Console.

To view tables of user accounts and security groups:

In the main menu, go to Users & roles → Users & groups.
Select the Users or the Groups tab.

The table of users or security groups opens. By default, the opened table is filtered by the Subtype and Has assigned roles columns. The table displays internal users or groups that have assigned roles.

If you want to view the table with only the accounts of local users, set the Subtype filter criteria to Local.

If you switch to a secondary Administration Server version 14.2 or earlier, and then open the list of users or security groups, the opened table will be filtered only by the Subtype column. The filter by the Has assigned roles column will not be applied by default. The filtered table will contain all internal users or security groups with the assigned role and without it.

Page top

Adding an account of an internal user

If you want, you can add internal users of your workspace on the portal. After you add an internal user, you can assign a role to him or her in the Kaspersky Security Center Cloud Console.

Page top

About user roles

A user role (also referred to as a role) is an object containing a set of rights and privileges. A role can be associated with settings of Kaspersky applications installed on a user device. You can assign a role to a set of users or to a set of security groups at any level in the hierarchy of administration groups, Administration Servers, or at the level of specific objects.

If you manage devices through a hierarchy of Administration Servers that includes virtual Administration Servers, note that you can create, modify, or delete user roles only from a physical Administration Server. Then, you can propagate the user roles to secondary Administration Servers, including virtual ones.

You can associate user roles with policy profiles. If a user is assigned a role, this user gets security settings necessary to perform job functions.

A user role can be associated with users of devices in a specific administration group.

User role scope

A user role scope is a combination of users and administration groups. Settings associated with a user role apply only to devices that belong to users who have this role, and only if these devices belong to groups associated with this role, including child groups.

Advantage of using roles

An advantage of using roles is that you do not have to specify security settings for each of the managed devices or for each of the users separately. The number of users and devices in a company may be quite large, but the number of different job functions that require different security settings is considerably smaller.

Differences from using policy profiles

Policy profiles are properties of a policy that is created for each Kaspersky application separately. A role is associated with many policy profiles created for different applications. Therefore, a role is a method of uniting settings for a certain user type in one place.

Page top

Configuring access rights to application features. Role-based access control

Kaspersky Security Center Cloud Console provides facilities for role-based access to the features of Kaspersky Security Center Cloud Console and of managed Kaspersky applications.

You can configure access rights to application features for Kaspersky Security Center Cloud Console users in one of the following ways:

By configuring the rights for each user or group of users individually.
By creating standard user roles with a predefined set of rights and assigning those roles to users depending on their scope of duties.

Application of user roles is intended to simplify and shorten routine procedures of configuring users' access rights to application features. Access rights within a role are configured in accordance with the standard tasks and the users' scope of duties.

User roles can be assigned names that correspond to their respective purposes. You can create an unlimited number of roles in the application.

You can use the predefined user roles with already configured set of rights, or create new roles and configure the required rights yourself.

In this section

Access rights to application features

Predefined user roles

Assigning access rights to specific objects

Assigning access rights to users and security groups

Page top

Access rights to application features

The table below shows the Kaspersky Security Center Cloud Console features with the access rights to manage the associated tasks, reports, settings, and perform the associated user actions.

To perform the user actions listed in the table, a user has to have the right specified next to the action.

Read, Write, and Execute rights are applicable to any task, report, or setting. In addition to these rights, a user has to have the Perform operations on device selections right to manage tasks, reports, or settings on device selections.

The General features: Access objects regardless of their ACLs functional area is intended for audit purposes. When users are granted Read rights in this functional area, they get full Read access to all objects and are able to execute any created tasks on selections of devices connected to the Administration Server via Network Agent with local administrator rights (root for Linux). We recommend granting these rights carefully and to a limited set of users who need them to perform their official duties.

All tasks, reports, settings, and installation packages that are missing in the table belong to the General features: Basic functionality functional area.

Access rights to application features

Functional area	Right	User action: right required to perform the action	Task	Report	Other
General features: Management of administration groups	Write	Add device to an administration group: Write Delete device from an administration group: Write Add an administration group to another administration group: Write Delete an administration group from another administration group: Write	None	None	None
General features: Access objects regardless of their ACLs	Read	Get read access to all objects: Read	None	None	Access is granted regardless of other rights, even if they prohibit read access to specific objects.
General features: Basic functionality	Read Write Execute Perform operations on device selections	Device moving rules (create, modify, or delete) for the virtual Server: Write, Perform operations on device selections Get Mobile (LWNGT) protocol custom certificate: Read Set Mobile (LWNGT) protocol custom certificate: Write Get NLA-defined network list: Read Add, modify, or delete NLA-defined network list: Write View Access Control List of groups: Read View the Kaspersky Event Log: Read	"Download updates to the Administration Server repository" "Deliver reports" "Distribute installation package" "Install application on secondary Administration Servers remotely"	"Report on protection status" "Report on threats" "Report on most heavily infected devices" "Report on status of anti-virus databases" "Report on errors" "Report on network attacks" "Summary report on mail system protection applications installed" "Summary report on perimeter defense applications installed" "Summary report on types of applications installed" "Report on users of infected devices" "Report on security issues" "Report on events" "Report on activity of distribution points" "Report on Secondary Administration Servers" "Report on Device Control events" "Report on vulnerabilities" "Report on prohibited applications" "Report on Web Control" "Report on encryption status of managed devices" "Report on encryption status of mass storage devices" "Report on file encryption errors" "Report on blockage of access to encrypted files" "Report on rights to access encrypted devices" "Report on effective user permissions" "Report on rights"	None
General features: Deleted objects	Read Write	View deleted objects in the Recycle Bin: Read Delete objects from the Recycle Bin: Write	None	None	None
General features: Event processing	Delete events Edit event notification settings Edit event logging settings Write	Change events registration settings: Edit event logging settings Change events notification settings: Edit event notification settings Delete events: Delete events	None	None	Settings: Virus outbreak settings: number of virus detections required to create a virus outbreak event Virus outbreak settings: period of time for evaluation of virus detections The maximum number of events stored in the database Period of time for storing events from the deleted devices
General features: Kaspersky software deployment	Manage Kaspersky patches Read Write Execute Perform operations on device selections	Approve or decline installation of the patch: Manage Kaspersky patches	None	"Report on license key usage by virtual Administration Server" "Report on Kaspersky software versions" "Report on incompatible applications" "Report on versions of Kaspersky software module updates" "Report on protection deployment"	Installation package: "Kaspersky"
General features: License key management	Export key file Write	Export key file: Export key file Modify Administration Server license key settings: Write	None	None	None
General features: Enforced report management	Read Write	Create reports regardless of their ACLs: Write Execute reports regardless of their ACLs: Read	None	None	None
General features: Hierarchy of Administration Servers	Configure hierarchy of Administration Servers	Register, update, or delete secondary Administration Servers: Configure hierarchy of Administration Servers	None	None	None
General features: User permissions	Modify object ACLs	Change Security properties of any object: Modify object ACLs Manage user roles: Modify object ACLs Manage internal users: Modify object ACLs Manage security groups: Modify object ACLs Manage aliases: Modify object ACLs	None	None	None
General features: Virtual Administration Servers	Manage virtual Administration Servers Read Write Execute Perform operations on device selections	Get list of virtual Administration Servers: Read Get information on the virtual Administration Server: Read Create, update, or delete a virtual Administration Server: Manage virtual Administration Servers Move a virtual Administration Server to another group: Manage virtual Administration Servers Set administration virtual Server permissions: Manage virtual Administration Servers	None	"Report on results of installation of third-party software updates"	None
General features: Encryption Key Management	Write	Import the encryption keys: Write	None	None	None
System management: Connectivity	Start RDP sessions Connect to existing RDP sessions Initiate tunneling Save files from devices to the administrator's workstation Read Write Execute Perform operations on device selections	Create desktop sharing session: The right to create desktop sharing session Create RDP session: Connect to existing RDP sessions Create tunnel: Initiate tunneling Save content network list: Save files from devices to the administrator's workstation	None	"Report on device users"	None
System management: Hardware inventory	Read Write Execute Perform operations on device selections	Get or export hardware inventory object: Read Add, set or delete hardware inventory object: Write	None	"Report on hardware registry" "Report on configuration changes" "Report on hardware"	None
System management: Network access control	Read Write	View CISCO settings: Read Change CISCO settings: Write	None	None	None
System management: Operating system deployment	Deploy PXE servers Read Write Execute Perform operations on device selections	Deploy PXE servers: Deploy PXE servers View a list of PXE servers: Read Start or stop the installation process on PXE clients: Execute Manage drivers for WinPE and operating system images: Write	"Create installation package upon reference device OS image"	None	Installation package: "OS Image"
System management: Vulnerability and patch management	Read Write Execute Perform operations on device selections	View third-party patch properties: Read Change third-party patch properties: Write	"Perform Windows Update synchronization" "Install Windows Update updates" "Fix vulnerabilities" "Install required updates and fix vulnerabilities"	"Report on software updates"	None
System management: Remote installation	Read Write Execute Perform operations on device selections	View third-party Vulnerability and patch management based installation package properties: Read Change third-party Vulnerability and patch management based installation package properties: Write	None	None	Installation packages: "Custom application" "VAPM package"
System management: Software inventory	Read Write Execute Perform operations on device selections	None	None	"Report on installed applications" "Report on applications registry history" "Report on status of licensed applications groups" "Report on third-party software license keys"	None

Page top

Predefined user roles

User roles assigned to Kaspersky Security Center Cloud Console users provide them with sets of access rights to application features.

Users created on a virtual Server cannot be assigned a role on the Administration Server.

You can use the predefined user roles with already configured set of rights, or create new roles and configure the required rights yourself. Some of the predefined user roles available in Kaspersky Security Center Cloud Console can be associated with specific job positions, for example, Auditor, Security Officer, Supervisor (these roles are present in Kaspersky Security Center Cloud Console starting from the version 11). Access rights of these roles are pre-configured in accordance with the standard tasks and scope of duties of the associated positions. The table below shows how roles can be associated with specific job positions.

Examples of roles for specific job positions

Role	Comment
Auditor	Permits all operations with all types of reports, all viewing operations, including viewing deleted objects (grants the Read and Write permissions in the Deleted objects area). Does not permit other operations. You can assign this role to a person who performs the audit of your organization.
Supervisor	Permits all viewing operations; does not permit other operations. You can assign this role to a security officer and other managers in charge of the IT security in your organization.
Security Officer	Permits all viewing operations, permits reports management; grants limited permissions in the System management: Connectivity area. You can assign this role to an officer in charge of the IT security in your organization.

The table below shows the access rights assigned to each predefined user role.

Access rights of predefined user roles

Role	Description
Administration Server Administrator	Permits all operations in the following functional areas: General features: Basic functionality Event processing Hierarchy of Administration Servers Virtual Administration Servers System management: Connectivity Hardware inventory Software inventory Grants the Read and Write rights in the General features: Encryption key management functional area.
Administration Server Operator	Grants the Read and Execute rights in all of the following functional areas: General features: Basic functionality Virtual Administration Servers System management: Connectivity Hardware inventory Software inventory
Auditor	Permits all operations in the following functional areas, in General features: Access objects regardless of their ACLs Deleted objects Enforced report management You can assign this role to a person who performs the audit of your organization.
Installation Administrator	Permits all operations in the following functional areas: General features: Basic functionality Kaspersky software deployment License key management System management: Operating system deployment Vulnerability and patch management Remote installation Software inventory Grants Read and Execute rights in the General features: Virtual Administration Servers functional area.
Installation Operator	Grants the Read and Execute rights in all of the following functional areas: General features: Basic functionality Kaspersky software deployment (also grants the Manage Kaspersky patches right in this area) Virtual Administration Servers System management: Operating system deployment Vulnerability and patch management Remote installation Software inventory
Kaspersky Endpoint Security Administrator	Permits all operations in the following functional areas: General features: Basic functionality Kaspersky Endpoint Security area, including all features Grants the Read and Write rights in the General features: Encryption key management functional area.
Kaspersky Endpoint Security Operator	Grants the Read and Execute rights in all of the following functional areas: General features: Basic functionality Kaspersky Endpoint Security area, including all features
Main Administrator	Permits all operations in functional areas, except for the following areas in General features: Access objects regardless of their ACLs Enforced report management Grants the Read and Write rights in the General features: Encryption key management functional area.
Main Operator	Grants the Read and Execute (where applicable) rights in all of the following functional areas: General features: Basic functionality Deleted objects Operations on Administration Server Kaspersky application deployment Virtual Administration Servers Mobile Device Management: General System management, including all features Kaspersky Endpoint Security area, including all features
Mobile Device Management Administrator	Permits all operations in the following functional areas: General features: Basic functionality Mobile Device Management: General
Mobile Device Management Operator	Grants the Read and Execute rights in the General features: Basic functionality functional area. Grants Read and Send only information commands to mobile devices in the Mobile Device Management: General functional area.
Security Officer	Permits all operations in the following functional areas, in General features: Access objects regardless of their ACLs Enforced report management Grants the Read, Write, Execute, Save files from devices to the administrator's workstation, and Perform operations on device selections rights in the System management: Connectivity functional area. You can assign this role to an officer in charge of the IT security in your organization.
Senior Security Analyst	Grants the Read right in the General features: Basic functionality functional area. Grants the Read, Write, Execute, Save files from devices to the administrator's workstation, and Perform operations on device selections rights in the System management: Connectivity functional area. Grants the access rights to the Kaspersky Endpoint Detection and Response Expert solution.
Self Service Portal User	Permits all operations in the Mobile Device Management: Self Service Portal functional area. This feature is not supported in Kaspersky Security Center 11 and later.
Supervisor	Grants the Read right in the General features: Access objects regardless of their ACLs and General features: Enforced report management functional area. You can assign this role to a security officer and other managers in charge of the IT security in your organization.
Vulnerability and patch management administrator	Permits all operations in the General features: Basic functionality and System management (including all features) functional areas.
Vulnerability and patch management operator	Grants the Read and Execute (where applicable) rights in the General features: Basic functionality and System management (including all features) functional areas.

Page top

Assigning access rights to specific objects

In addition to assigning access rights at the server level, you can configure access to specific objects, for example, to a specific task. The application allows you to specify access rights to the following object types:

Administration groups
Tasks
Reports
Device selections
Event selections

To assign access rights to a specific object:

Depending on the object type, in the main menu, go to the corresponding section:
- Assets (Devices) → Hierarchy of groups
- Assets (Devices) → Tasks
- Monitoring & reporting → Reports
- Assets (Devices) → Device selections
- Monitoring & reporting → Event selections
Open the properties of the object to which you want to configure access rights.
To open the properties window of an administration group or a task, click the object name. Properties of other objects can be opened by using the button on the toolbar.
In the properties window, open the Access rights section.
The user list opens. The listed users and security groups have access rights to the object. By default, if you use a hierarchy of administration groups or Servers, the list and access rights are inherited from the parent administration group or primary Server.
To be able to modify the list, enable the Use custom permissions option.
Configure access rights:
- Use the Add and Delete buttons to modify the list.
- Specify access rights for a user or security group. Do one of the following:
  - If you want to specify access rights manually, select the user or security group, click the Access rights button, and then specify the access rights.
  - If you want to assign a user role to the user or security group, select the user or security group, click the Roles button, and then select the role to assign.
Click the Save button.

The access rights to the object are configured.

Access rights to application features

Predefined user roles

Page top

Assigning access rights to users and security groups

You can give users and security groups access rights to use different features of Administration Server, for example, Kaspersky Endpoint Security for Linux.

To assign access rights to a user or a security group:

In the main menu, click the settings icon () next to the name of the required Administration Server.
The Administration Server properties window opens.
On the Access rights tab, select the check box next to the name of the user or the security group to whom to assign rights, and then click the Access rights button.
You cannot select multiple users or security groups at the same time. If you select more than one item, the Access rights button will be disabled.
Configure the set of rights for the user or group:
1. Expand the node with features of Administration Server or other Kaspersky application.
2. Select the Allow or Deny check box next to the feature or the access right that you want.
  Example 1: Select the Allow check box next to the Application integration node to grant all available access rights to the Application integration feature (Read, Write, and Execute) for a user or group.
  
  Example 2: Expand the Encryption key management node, and then select the Allow check box next to the Write permission to grant the Write access right to the Encryption key management feature for a user or group.
After you configure the set of access rights, click OK.

The set of rights for the user or group of users will be configured.

The permissions of the Administration Server (or the administration group) are divided into the following areas:

General features:
- Management of administration groups
- Access objects regardless of their ACLs
- Basic functionality
- Deleted objects
- Encryption Key Management
- Event processing
- Operations on Administration Server (only in the property window of Administration Server)
- Device tags
- Kaspersky application deployment
- License key management
- Application integration
- Enforced report management
- Hierarchy of Administration Servers
- User permissions
- Virtual Administration Servers
Mobile Device Management:
- General
- Self Service Portal
System Management:
- Connectivity
- Execute scripts remotely
- Hardware inventory
- Network Access Control
- Operating system deployment
- Vulnerability and patch management
- Remote installation
- Software inventory

If neither Allow nor Deny is selected for an access right, then the access right is considered undefined: it is denied until it is explicitly denied or allowed for the user.

The rights of a user are the sum of the following:

User's own rights
Rights of all the roles assigned to this user
Rights of all the security group to which the user belongs
Rights of all the roles assigned to the security groups to which the user belongs

If at least one of these sets of rights has Deny for a permission, then the user is denied this permission, even if other sets allow it or leave it undefined.

You can also add users and security groups to the scope of a user role to use different features of Administration Server. Settings associated with a user role will only apply only to devices that belong to users who have this role, and only if these devices belong to groups associated with this role, including child groups.

Page top

Assigning a role to a user or a security group

To assign a role to a user or a security group:

In the main menu, go to Users & roles → Users & groups, and then select the Users or the Groups tab.
Select the name of the user or the security group to whom to assign a role.
You can select multiple names.
On the menu line, click the Assign role button.
The Role assignment wizard starts.
Follow the instructions of the wizard: select the role that you want to assign to the selected users or security groups, and then select the scope of role.
A user role scope is a combination of users and administration groups. Settings associated with a user role apply only to devices that belong to users who have this role, and only if these devices belong to groups associated with this role, including child groups.

The role with a set of rights for working with Administration Server is assigned to the user (or users, or the security group). In the list of users or security groups, a check box appears in the Has assigned roles column.

Page top

Creating a user role

To create a user role:

In the main menu, go to Users & roles → Roles.
Click Add.
In the New role name window that opens, enter the name of the new role.
Click OK to apply the changes.
In the role properties window that opens, change the settings of the role:
- On the General tab, edit the role name.
  You cannot edit the name of a predefined role.
- On the Settings tab, edit the role scope and policies and profiles associated with the role.
- On the Access rights tab, edit the rights for access to Kaspersky applications.
Click Save to save the changes.

The new role appears in the list of user roles.

Page top

Editing a user role

To edit a user role:

In the main menu, go to Users & roles → Roles.
Click the name of the role that you want to edit.
In the role properties window that opens, change the settings of the role:
- On the General tab, edit the role name.
  You cannot edit the name of a predefined role.
- On the Settings tab, edit the role scope and policies and profiles associated with the role.
- On the Access rights tab, edit the rights for access to Kaspersky applications.
Click Save to save the changes.

The updated role appears in the list of user roles.

Page top

Editing the scope of a user role

To add users, user groups, and administration groups to the scope of a user role, you can use either of the following methods:

Method 1:

In the main menu, go to Users & roles → Users & groups, and then select the Users or the Groups tab.
Select check boxes next to the users or user groups that you want to add to the user role scope.
Click the Assign role button.
The Role assignment wizard starts. Proceed through the wizard by using the Next button.
On the Select role step, select the user role that you want to assign.
On the Define scope step, select the administration group that you want to add to the user role scope.
Click the Assign role button to close the window.

The selected users or user groups and the selected administration group are added to the scope of the user role.

Method 2:

In the main menu, go to Users & roles → Roles.
Click the name of the role for which you want to define the scope.
In the role properties window that opens, select the Settings tab.
In the Role scope section, click Add.
The Role assignment wizard starts. Proceed through the wizard by using the Next button.
On the Define scope step, select the administration group that you want to add to the user role scope.
On the Select users step, select users and user groups that you want to add to the user role scope.
Click the Assign role button to close the window.
Close the role properties window.

The selected users or user groups and the selected administration group are added to the scope of the user role.

Method 3:

In the main menu, click the settings icon () next to the name of the required Administration Server.
The Administration Server properties window opens.
On the Access rights tab, select the check box next to the name of the user or the security group that you want to add to the user role scope, and then click the Roles button.
You cannot select multiple users or security groups at the same time. If you select more than one item, the Roles button will be disabled.
In the Roles window, select the user role that you want to assign, and then click OK and save changes.
The selected users or security groups are added to the scope of the user role.

Page top

Deleting a user role

To delete a user role:

In the main menu, go to Users & roles → Roles.
Select the check box next to the name of the role that you want to delete.
Click Delete.
In the window that opens, click OK.

The user role is deleted.

Page top

Associating policy profiles with roles

You can associate user roles with policy profiles. In this case, the activation rule for this policy profile is based on the role: the policy profile becomes active for a user that has the specified role.

For example, the policy bars any GPS navigation software on all devices in an administration group. GPS navigation software is necessary only on a single device in the Users administration group—the device owned by a courier. In this case, you can assign a "Courier" role to its owner, and then create a policy profile allowing GPS navigation software to run only on the devices whose owners are assigned the "Courier" role. All the other policy settings are preserved. Only the user with the role "Courier" will be allowed to run GPS navigation software. Later, if another worker is assigned the "Courier" role, the new worker also can run navigation software on your organization's device. Running GPS navigation software will still be prohibited on other devices in the same administration group.

To associate a role with a policy profile:

In the main menu, go to Users & roles → Roles.
Click the name of the role that you want to associate with a policy profile.
The role properties window opens with the General tab selected.
Select the Settings tab, and scroll down to the Policies & profiles section.
Click Edit.
To associate the role with:
- An existing policy profile—Click the chevron icon () next to the required policy name, and then select the check box next to the profile with which you want to associate the role.
- A new policy profile:
  1. Select the check box next to the policy for which you want to create a profile.
  2. Click New policy profile.
  3. Specify a name for the new profile and configure the profile settings.
  4. Click the Save button.
  5. Select the check box next to the new profile.
Click Assign to role.

The profile is associated with the role and appears in the role properties. The profile applies automatically to any device whose owner is assigned the role.

Page top

Creating a security group

To create a security group:

In the main menu, go to Users & roles → Users & groups, and then select the Groups tab.
Click New group.
In the New group window, specify the following settings for the new security group:
- Name
- Description
Click OK to save the changes.

A new security group is added to the security group list.

Page top

Editing a security group

To edit a security group:

In the main menu, go to Users & roles → Users & groups, and then select the Groups tab.
Click the name of the security group that you want to edit.
In the group settings window that opens, change the settings of the security group:
- On the General tab, you can change the Name and Description settings. These settings are available only for internal security groups.
- On the Users tab, you can add users to the security group. This setting is available only for internal users and internal security groups.
- On the Roles tab, you can assign a role to the security group.
Click Save to save the changes.

The changes are applied to the security group.

Page top

Adding user accounts to an internal group

You can add only accounts of internal users to an internal group.

To add user accounts to an internal group:

In the main menu, go to Users & roles → Users & groups, and then select the Users tab.
Select check boxes next to user accounts that you want to add to a group.
Click the Assign group button.
In the Assign group window that opens, select the group to which you want to add user accounts.
Click the Assign button.

The user accounts are added to the group. You can also add internal users to a group by using the group settings.

Page top

Deleting a security group

You can delete only internal security groups.

To delete a user group:

In the main menu, go to Users & roles → Users & groups, and then select the Groups tab.
Select the check box next to the user group that you want to delete.
Click Delete, and then confirm the deletion in the opened window.

The user group is deleted.

Page top

Configuring ADFS integration

Expand all | Collapse all

To allow the users registered in Active Directory (AD) in your organization to sign in to Kaspersky Security Center Cloud Console, you must configure integration with Active Directory Federation Services (ADFS).

Kaspersky Security Center Cloud Console supports ADFS 3 (Windows Server 2016) or a later version. ADFS must be published and available on the internet. As the service communication certificate ADFS uses publicly trusted certificate.

To change ADFS integration settings, you must have the access right to change user permissions.

Before you proceed, make sure that you completed Active Directory polling.

To configure ADFS integration:

In the main menu, click the settings icon () next to the name of the Administration Server.
The Administration Server properties window opens.
On the General tab, select the ADFS integration settings section.
Copy the callback URL.
You will need this URL to configure the integration in ADFS Management Console.
In ADFS Management Console, add a new application group, and then add a new application by selecting the Server application template (the names of the Microsoft interface elements are provided in English.).
ADFS Management Console generates client ID for the new application. You will need the client ID to configure the integration in Kaspersky Security Center Cloud Console.
As a redirect URI, specify the callback URL that you copied in the Administration Server properties window.
Generate a client secret. You will need the client secret to configure the integration in Kaspersky Security Center Cloud Console.
Save the properties of the added application.
Add a new application to the created application group. This time select the Web API template.
On the Identifiers tab, to the Relying party identifiers list, add the client ID of the server application that you added before.
On the Client Permissions tab, in the Permitted scopes list, select the allatclaims and openid scopes.
On the Issuance Transform Rules tab, add a new rule by selecting the Send LDAP Attributes as Claims template:
1. Name the rule. For example, you can name it 'Group SID'.
2. Select Active Directory as an attribute store, and then map Token-Groups as SIDs as a LDAP attribute to 'Group SID' as an outgoing claim type.
On the Issuance Transform Rules tab, add a new rule by selecting the Send Claims Using a Custom Rule template:
1. Name the rule. For example, you can name it 'ActiveDirectoryUserSID'.
2. In the Custom rule field, type:
  c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"), query = ";objectSID;{0}", param = c.Value);
In Kaspersky Security Center Cloud Console, open again the ADFS integration settings section.
Switch the toggle button to the ADFS integration Enabled position.
Click the Settings link, and then specify the file that contains the certificate or several certificates for the federation server.
Click the ADFS integration settings link, and then specify the following settings:
- Issuer URL
  The URL address of the federation server working in your organization.
  
  In particular, Kaspersky Security Center Cloud Console adds '/.well-known/openid-configuration' to the issuer URL address and tries to open the resulting URL address (issuer_URL/.well-known/openid-configuration) to discover the issuer configuration automatically.
- Client ID
  Client ID that the federation server generates to identify Kaspersky Security Center Cloud Console. You can find the Client ID in ADFS Management Console in the properties window of the server application that corresponds to Kaspersky Security Center Cloud Console.
- Client secret
  You generate a client secret in ADFS Management Console when you specify the properties of the server application that corresponds to Kaspersky Security Center Cloud Console.
- Domain to authenticate users from
  The members of the domain that you select will be able to sign in to Kaspersky Security Center Cloud Console with their domain account credentials. The domain names appear in the list after you complete the network polling.
- Field name for user SID in ID token
  Name of the field that refers to the user SID in the ID token. The field name is required to identify the user in Kaspersky Security Center Cloud Console. By default, this field in the ID token is called 'primarysid'.
- Field name for array of SIDs of user's groups in ID token
  Name of the field that refers to the array of SIDs of Active Directory security groups in which the user is included. By default, this field in the ID token is called 'groupsid'.
Click the Save button.

The integration with ADFS is complete. To sign in to Kaspersky Security Center Cloud Console with an AD account credentials, use the link provided in the ADFS integration settings section (Login link to Kaspersky Security Center Cloud Console with ADFS).

When you sign in to Kaspersky Security Center Cloud Console through ADFS for the first time, the console might respond with a delay.

Page top

Configuring integration with Microsoft Entra ID

You have to configure integration with Microsoft Entra ID to allow the users in your organization to sign in to Kaspersky Security Center Cloud Console with their Microsoft Entra ID account credentials.

Integration with Microsoft Entra ID is available for the primary Administration Server only. You cannot configure the integration for secondary or virtual Administration Servers.

To configure integration with Microsoft Entra ID:

In the main menu, click the settings icon () next to the name of the Administration Server.
The Administration Server properties window opens.
On the General tab, select the Microsoft Entra ID section.
Turn on the Microsoft Entra ID integration toggle button.
Copy the links from the following fields:
- Callback URL
- Front-channel logout URL
  You will need these URLs to register Kaspersky Security Center Cloud Console in the Microsoft Entra ID tenant.
- Login URL
  You will need this URL to allow users to sign in to the Kaspersky Security Center Cloud Console workspace with their Microsoft Entra ID credentials after the integration with Microsoft Entra ID is complete.
Sign in to the Microsoft Entra admin center, and then select the tenant of your organization.
You must have the Global administrator or the Application administrator role in the tenant.
In the main menu, go to Identity → Applications → App registrations, and then click the New registration button.
In the window that opens, do the following:
- Specify a name for the Kaspersky Security Center Cloud Console application.
- In the Supported account types section, select the Accounts in this organizational directory only (<tenant_name> only - Single tenant) option.
- In the Redirect URI section, select Web from the drop-down list, and then enter the callback URL that you copied from Kaspersky Security Center Cloud Console at step 4.
Click the Register button.
The Kaspersky Security Center Cloud Console application is registered in Microsoft Entra ID, and the application overview page opens.
If necessary, add Kaspersky Security Center Cloud Console to the list of applications.
The users will be able to open Kaspersky Security Center Cloud Console by clicking its name in the list of applications in My Apps and Office 365 Launcher, without using the login URL.
Copy the Application (client) ID and the Directory (tenant) ID, and save them in any convenient way.
You will need these IDs when filling in the mandatory fields in Kaspersky Security Center Cloud Console at step 14.
In the menu of the Kaspersky Security Center Cloud Console application, go to the Authentication section, and then enter the URLs that you copied from Kaspersky Security Center Cloud Console at step 4:
- In the Web section, click the Add URI button, and then enter the login URL.
- In the Front-channel logout URL section, enter the front-channel logout URL.
In the menu of the Kaspersky Security Center Cloud Console application, go to the Certificates & secrets section, and then do the following:
1. Go to the Client secrets tab, and then click the New client secret button.
2. In the window that opens, specify any description for the client secret, and then select the period after which the secret expires.
We recommend that you copy the date after which the secret expires, in any convenient way, to rotate the secrets in a timely manner.
1. Click the Add button.
  The created secret is displayed on the Client secrets tab.
2. Copy the information from the Value column.
  We strongly recommend that you copy the information immediately after creating the client secret.
In the menu of the Kaspersky Security Center Cloud Console application, go to the Token configuration section, and then do the following:
- Add the onprem_sid optional claim:
  1. Click the Add optional claim button.
  2. In the window that opens, select the ID token type, and then in the Claim column, select the check box next to the onprem_sid.
  3. Click the Add button.
  The onprem_sid optional claim is displayed on the Optional claims page.
- Add the preferred_username optional claim:
  1. Click the Add optional claim button.
  2. In the window that opens, select the Access token type, and then in the Claim column, select the check box next to the preferred_username.
  3. Click the Add button.
  The preferred_username optional claim is displayed on the Optional claims page.
In the menu of the Kaspersky Security Center Cloud Console application, go to the API permissions section, and then add the permissions:
- User.Read.All
- User.Export.All
- GroupMember.Read.All
- Directory.Read.All
To add a permission, do the following:
1. Click the Add a permission button, and then select the Microsoft APIs tab.
2. Select Microsoft Graph → Application permissions, and then select the permission you want to add.
3. Click the Add permission button.
  The four permissions are added and displayed on the Configured permissions page.
4. Click the Grant admin consent for <tenant_name> button, and then in the window that opens, click Yes to confirm the granting of consent for the permissions you added.
Go back to Kaspersky Security Center Cloud Console, and on the General tab, fill in the following mandatory fields:
- Tenant ID. The Directory (tenant) ID that you copy at step 10.
- Client ID. The Application (client) ID that you copy at step 10.
- Client secret. The value that you copy at step 12.
Click the Check connection button to check if the settings are correct, and then after the Connected status is displayed, click the Save button.

The integration settings are saved, and the integration with Microsoft Entra ID is configured.

After you configure the integration with Microsoft Entra ID, you have to do the following:

In the Kaspersky Security Center Cloud Console main menu, go to Users & roles → Users & groups to make sure that the users and groups from Microsoft Entra ID are added to Kaspersky Security Center Cloud Console.
If the users and groups in your Microsoft Entra ID tenant are synchronized from the Active Directory of your organization, and Active Directory polling is configured, then the users and groups are already added to Kaspersky Security Center Cloud Console as a result of Active Directory polling.

Otherwise, you have to enable and run Microsoft Entra ID polling to add the users and groups from your Microsoft Entra ID tenant to Kaspersky Security Center Cloud Console.
Assign necessary roles to the users and groups.
When assigning roles to a user on a virtual Administration Server, in the main menu, go to Users & roles → Users & groups, and then select the Users tab. If you select the Groups tab, and then assign roles to the group where the user is a member, the user will not be able to log in to Kaspersky Security Center Cloud Console.
Send the login URL that you copied at step 4 to the users. They will enter this URL to sign in to the Kaspersky Security Center Cloud Console workspace by using their Microsoft Entra ID credentials.
When a user signs out of the Microsoft Entra ID account that was used for authentication in Kaspersky Security Center Cloud Console, and Kaspersky Security Center Cloud Console is open on a different tab or window of the same browser, the session also ends for Kaspersky Security Center Cloud Console and the user signs out of the console automatically.

If Kaspersky Security Center Cloud Console is open in a different browser or on different devices, the session continues when the user signs out of the Microsoft Entra ID account.

To sign in to Kaspersky Security Center Cloud Console with Microsoft Entra ID account credentials, users must be able to sign in to their Microsoft Entra ID account.

Page top

Enabling Microsoft Entra ID polling

You have to enable Microsoft Entra ID polling to add the users from your Microsoft Entra ID to Kaspersky Security Center Cloud Console.

To enable Microsoft Entra ID polling:

In the main menu, click the settings icon () next to the name of the Administration Server.
The Administration Server properties window opens.
On the General tab, select the Microsoft Entra ID section.
In the User discovery section, turn on the Microsoft Entra ID polling toggle button.
If you want to change the default polling schedule, click the Schedule settings button, specify the polling frequency and time in the window that opens, and then click the Save button.
Microsoft Entra ID polling will run according to the schedule that you configure.
If you want to run Microsoft Entra ID polling immediately, click the Run now button.
The users are loading. When the users are loaded, the Microsoft Entra ID polling is finished.
Click the Save button.

The Microsoft Entra ID polling is complete, and the users from your Microsoft Entra ID are added to Kaspersky Security Center Cloud Console.

Page top

Adding Kaspersky Security Center Cloud Console to the list of applications

You can allow users to open Kaspersky Security Center Cloud Console by clicking its name in the list of applications, without entering the login URL. The application list is available in My Apps and Office 365 Launcher.

To add Kaspersky Security Center Cloud Console to the list of applications:

In the Microsoft Entra admin center main menu, go to Identity → Applications → App registrations, and then on the All applications tab, select the Kaspersky Security Center Cloud Console application that you have previously registered in Microsoft Entra ID.
In the menu of Kaspersky Security Center Cloud Console, select the Branding & properties section, and then do the following:
1. In the Home page URL field, enter the login URL.
2. If necessary, in the Upload new logo field, add an image that will be used as the application icon in the list of applications.
3. Click the Save button.
In the Microsoft Entra admin center main menu, go to Identity → Applications → Enterprise applications, and then select Kaspersky Security Center Cloud Console.
The application overview page opens.
In the menu of Kaspersky Security Center Cloud Console, select the Properties section, and then do the following:
1. Set the following options to Yes:
  - Enabled for users to sign-in?
    This action is necessary only if the option is not set to Yes by default.
  - Visible to users?
2. Click the Save button.
In the menu of Kaspersky Security Center Cloud Console, select the Users and groups section, and then do the following:
1. Click the Add user/group button, and then click the link below Users and groups.
2. In the window that opens, select users and groups, and then click the Save button.
  The window is closed.
3. Click the Assign button.

Kaspersky Security Center Cloud Console is available in My Apps and Office 365 Launcher for the selected users. The users can open Kaspersky Security Center Cloud Console by clicking its name in the list, without entering the login URL.

Page top

Assigning a user as a device owner

For information about assigning a user as a mobile device owner, see Kaspersky Security for Mobile Help.

To assign a user as a device owner:

If you want to assign an owner of a device connected to a virtual Administration Server, first switch to the virtual Administration Server:
1. In the main menu, click the chevron icon () to the right of the current Administration Server name.
2. Select the required Administration Server.
In the main menu, go to Users & roles → Users & groups, and then select the Users tab.
A user list opens. If you are currently connected to a virtual Administration Server, the list includes users from the current virtual Administration Server and the primary Administration Server.
Click the name of the user account that you want to assign as a device owner.
In the user settings window that opens, select the Devices tab.
Click Add.
From the device list, select the device that you want to assign to the user.
Click OK.

The selected device is added to the list of devices assigned to the user.

You can perform the same operation at Assets (Devices) → Managed devices, by clicking the name of the device that you want to assign, and then clicking the Manage device owner link.

Page top

Assigning a user as a Linux device owner after installation of Network Agent

To allow the user to register as a Linux device owner:

In the Kaspersky Security Center Cloud Console, go to Discovery & deployment → Deployment & assignment → Installation packages.
The list of installation packages opens.
Click on the installation package of Network Agent.
The properties window of the installation package opens.
In the installation package properties window, click Settings → Advanced.
In the User registration as a device owner (Linux only) section, turn on the Allow running the user registration utility after Network Agent installation option and click Save.

The utility for registering the user as a device owner can be run via the command line on the client device.

To register a user as a Linux device owner on the client device:

Execute the following command in the command line on the client device:
$ /opt/kaspersky/klnagent64/bin/nagregister -set_owner
Enter the login and password, if prompted.
If the login and the password are included in the answer file or installation package of Network Agent, execute the following command in the command line on the client device:
$ /opt/kaspersky/klnagent64/bin/nagregister -set_owner -unattended

If the user is included in an internal security group, the login must contain the user name.

If the user is included in an Active Directory security group, the login must contain the user name and domain name.

The user will be registered as a device owner.

Page top

Contents

Users and user roles

About user accounts

Adding an account of an internal user

About user roles

Configuring access rights to application features. Role-based access control

Access rights to application features

Predefined user roles

Assigning access rights to specific objects

Assigning access rights to users and security groups

Assigning a role to a user or a security group

Creating a user role

Editing a user role

Editing the scope of a user role

Deleting a user role

Associating policy profiles with roles

Creating a security group

Editing a security group

Adding user accounts to an internal group

Deleting a security group

Configuring ADFS integration

Configuring integration with Microsoft Entra ID

Enabling Microsoft Entra ID polling

Adding Kaspersky Security Center Cloud Console to the list of applications

Assigning a user as a device owner

Assigning a user as a Linux device owner after installation of Network Agent