Kaspersky Security Center Cloud Console
English

Contents

Configuring access rights to application features. Role-based access control

Kaspersky Security Center Cloud Console provides facilities for role-based access to the features of Kaspersky Security Center Cloud Console and of managed Kaspersky applications.

You can configure access rights to application features for Kaspersky Security Center Cloud Console users in one of the following ways:

  • By configuring the rights for each user or group of users individually.
  • By creating standard user roles with a predefined set of rights and assigning those roles to users depending on their scope of duties.

Application of user roles is intended to simplify and shorten routine procedures of configuring users' access rights to application features. Access rights within a role are configured in accordance with the standard tasks and the users' scope of duties.

User roles can be assigned names that correspond to their respective purposes. You can create an unlimited number of roles in the application.

You can use the predefined user roles with already configured set of rights, or create new roles and configure the required rights yourself.

In this section

Access rights to application features

Predefined user roles

Assigning access rights to specific objects

Assigning access rights to users and security groups

See also:

Scenario: Configuring network protection
Page top
[Topic 203717]

Access rights to application features

The table below shows the Kaspersky Security Center Cloud Console features with the access rights to manage the associated tasks, reports, settings, and perform the associated user actions.

To perform the user actions listed in the table, a user has to have the right specified next to the action.

Read, Write, and Execute rights are applicable to any task, report, or setting. In addition to these rights, a user has to have the Perform operations on device selections right to manage tasks, reports, or settings on device selections.

The General features: Access objects regardless of their ACLs functional area is intended for audit purposes. When users are granted Read rights in this functional area, they get full Read access to all objects and are able to execute any created tasks on selections of devices connected to the Administration Server via Network Agent with local administrator rights (root for Linux). We recommend granting these rights carefully and to a limited set of users who need them to perform their official duties.

All tasks, reports, settings, and installation packages that are missing in the table belong to the General features: Basic functionality functional area.

Access rights to application features

Functional area

Right

User action: right required to perform the action

Task

Report

Other

General features: Management of administration groups

Write
  • Add device to an administration group: Write
  • Delete device from an administration group: Write
  • Add an administration group to another administration group: Write
  • Delete an administration group from another administration group: Write

None

None

None

General features: Access objects regardless of their ACLs

Read

Get read access to all objects: Read

None

None

Access is granted regardless of other rights, even if they prohibit read access to specific objects.

General features: Basic functionality
  • Read
  • Write
  • Execute
  • Perform operations on device selections
  • Device moving rules (create, modify, or delete) for the virtual Server: Write, Perform operations on device selections
  • Get Mobile (LWNGT) protocol custom certificate: Read
  • Set Mobile (LWNGT) protocol custom certificate: Write
  • Get NLA-defined network list: Read
  • Add, modify, or delete NLA-defined network list: Write
  • View Access Control List of groups: Read
  • View the Kaspersky Event Log: Read
  • "Download updates to the Administration Server repository"
  • "Deliver reports"
  • "Distribute installation package"
  • "Install application on secondary Administration Servers remotely"
  • "Report on protection status"
  • "Report on threats"
  • "Report on most heavily infected devices"
  • "Report on status of anti-virus databases"
  • "Report on errors"
  • "Report on network attacks"
  • "Summary report on mail system protection applications installed"
  • "Summary report on perimeter defense applications installed"
  • "Summary report on types of applications installed"
  • "Report on users of infected devices"
  • "Report on security issues"
  • "Report on events"
  • "Report on activity of distribution points"
  • "Report on Secondary Administration Servers"
  • "Report on Device Control events"
  • "Report on vulnerabilities"
  • "Report on prohibited applications"
  • "Report on Web Control"
  • "Report on encryption status of managed devices"
  • "Report on encryption status of mass storage devices"
  • "Report on file encryption errors"
  • "Report on blockage of access to encrypted files"
  • "Report on rights to access encrypted devices"
  • "Report on effective user permissions"
  • "Report on rights"

None

General features: Deleted objects
  • Read
  • Write
  • View deleted objects in the Recycle Bin: Read
  • Delete objects from the Recycle Bin: Write

None

None

None

General features: Event processing
  • Delete events
  • Edit event notification settings
  • Edit event logging settings
  • Write
  • Change events registration settings: Edit event logging settings
  • Change events notification settings: Edit event notification settings
  • Delete events: Delete events

None

None

Settings:

  • Virus outbreak settings: number of virus detections required to create a virus outbreak event
  • Virus outbreak settings: period of time for evaluation of virus detections
  • The maximum number of events stored in the database
  • Period of time for storing events from the deleted devices

General features: Kaspersky software deployment
  • Manage Kaspersky patches
  • Read
  • Write
  • Execute
  • Perform operations on device selections

Approve or decline installation of the patch: Manage Kaspersky patches

None
  • "Report on license key usage by virtual Administration Server"
  • "Report on Kaspersky software versions"
  • "Report on incompatible applications"
  • "Report on versions of Kaspersky software module updates"
  • "Report on protection deployment"

Installation package: "Kaspersky"

General features: License key management
  • Export key file
  • Write
  • Export key file: Export key file
  • Modify Administration Server license key settings: Write

None

None

None

General features: Enforced report management
  • Read
  • Write
  • Create reports regardless of their ACLs: Write
  • Execute reports regardless of their ACLs: Read

None

None

None

General features: Hierarchy of Administration Servers

Configure hierarchy of Administration Servers

Register, update, or delete secondary Administration Servers: Configure hierarchy of Administration Servers

None

None

None

General features: User permissions

Modify object ACLs
  • Change Security properties of any object: Modify object ACLs
  • Manage user roles: Modify object ACLs
  • Manage internal users: Modify object ACLs
  • Manage security groups: Modify object ACLs
  • Manage aliases: Modify object ACLs

None

None

None

General features: Virtual Administration Servers
  • Manage virtual Administration Servers
  • Read
  • Write
  • Execute
  • Perform operations on device selections
  • Get list of virtual Administration Servers: Read
  • Get information on the virtual Administration Server: Read
  • Create, update, or delete a virtual Administration Server: Manage virtual Administration Servers
  • Move a virtual Administration Server to another group: Manage virtual Administration Servers
  • Set administration virtual Server permissions: Manage virtual Administration Servers

None

"Report on results of installation of third-party software updates"

None

General features: Encryption Key Management

Write

Import the encryption keys: Write

None

None

None

System management: Connectivity
  • Start RDP sessions
  • Connect to existing RDP sessions
  • Initiate tunneling
  • Save files from devices to the administrator's workstation
  • Read
  • Write
  • Execute
  • Perform operations on device selections
  • Create desktop sharing session: The right to create desktop sharing session
  • Create RDP session: Connect to existing RDP sessions
  • Create tunnel: Initiate tunneling
  • Save content network list: Save files from devices to the administrator's workstation

None

"Report on device users"

None

System management: Hardware inventory
  • Read
  • Write
  • Execute
  • Perform operations on device selections
  • Get or export hardware inventory object: Read
  • Add, set or delete hardware inventory object: Write

None
  • "Report on hardware registry"
  • "Report on configuration changes"
  • "Report on hardware"

None

System management: Network access control
  • Read
  • Write
  • View CISCO settings: Read
  • Change CISCO settings: Write

None

None

None

System management: Operating system deployment
  • Deploy PXE servers
  • Read
  • Write
  • Execute
  • Perform operations on device selections
  • Deploy PXE servers: Deploy PXE servers
  • View a list of PXE servers: Read
  • Start or stop the installation process on PXE clients: Execute
  • Manage drivers for WinPE and operating system images: Write

"Create installation package upon reference device OS image"

None

Installation package: "OS Image"

System management: Vulnerability and patch management

 

 
  • Read
  • Write
  • Execute
  • Perform operations on device selections
  • View third-party patch properties: Read
  • Change third-party patch properties: Write
  • "Perform Windows Update synchronization"
  • "Install Windows Update updates"
  • "Fix vulnerabilities"
  • "Install required updates and fix vulnerabilities"

"Report on software updates"

None

System management: Remote installation
  • Read
  • Write
  • Execute
  • Perform operations on device selections
  • View third-party Vulnerability and patch management based installation package properties: Read
  • Change third-party Vulnerability and patch management based installation package properties: Write

None

None

Installation packages:

  • "Custom application"
  • "VAPM package"

System management: Software inventory
  • Read
  • Write
  • Execute
  • Perform operations on device selections

None

None
  • "Report on installed applications"
  • "Report on applications registry history"
  • "Report on status of licensed applications groups"
  • "Report on third-party software license keys"

None

See also:

Scenario: Configuring network protection
Page top
[Topic 203748]

Predefined user roles

User roles assigned to Kaspersky Security Center Cloud Console users provide them with sets of access rights to application features.

Users created on a virtual Server cannot be assigned a role on the Administration Server.

You can use the predefined user roles with already configured set of rights, or create new roles and configure the required rights yourself. Some of the predefined user roles available in Kaspersky Security Center Cloud Console can be associated with specific job positions, for example, Auditor, Security Officer, Supervisor (these roles are present in Kaspersky Security Center Cloud Console starting from the version 11). Access rights of these roles are pre-configured in accordance with the standard tasks and scope of duties of the associated positions. The table below shows how roles can be associated with specific job positions.

Examples of roles for specific job positions

Role

Comment

Auditor

Permits all operations with all types of reports, all viewing operations, including viewing deleted objects (grants the Read and Write permissions in the Deleted objects area). Does not permit other operations. You can assign this role to a person who performs the audit of your organization.

Supervisor

Permits all viewing operations; does not permit other operations. You can assign this role to a security officer and other managers in charge of the IT security in your organization.

Security Officer

Permits all viewing operations, permits reports management; grants limited permissions in the System management: Connectivity area. You can assign this role to an officer in charge of the IT security in your organization.

The table below shows the access rights assigned to each predefined user role.

Access rights of predefined user roles

Role

Description

Administration Server Administrator

Permits all operations in the following functional areas:

  • General features:
    • Basic functionality
    • Event processing
    • Hierarchy of Administration Servers
    • Virtual Administration Servers
  • System management:
    • Connectivity
    • Hardware inventory
    • Software inventory

Grants the Read and Write rights in the General features: Encryption key management functional area.

Administration Server Operator

Grants the Read and Execute rights in all of the following functional areas:

  • General features:
    • Basic functionality
    • Virtual Administration Servers
  • System management:
    • Connectivity
    • Hardware inventory
    • Software inventory

Auditor

Permits all operations in the following functional areas, in General features:

  • Access objects regardless of their ACLs
  • Deleted objects
  • Enforced report management

You can assign this role to a person who performs the audit of your organization.

Installation Administrator

Permits all operations in the following functional areas:

  • General features:
    • Basic functionality
    • Kaspersky software deployment
    • License key management
  • System management:
    • Operating system deployment
    • Vulnerability and patch management
    • Remote installation
    • Software inventory

Grants Read and Execute rights in the General features: Virtual Administration Servers functional area.

Installation Operator

Grants the Read and Execute rights in all of the following functional areas:

  • General features:
    • Basic functionality
    • Kaspersky software deployment (also grants the Manage Kaspersky patches right in this area)
    • Virtual Administration Servers
  • System management:
    • Operating system deployment
    • Vulnerability and patch management
    • Remote installation
    • Software inventory

Kaspersky Endpoint Security Administrator

Permits all operations in the following functional areas:

  • General features: Basic functionality
  • Kaspersky Endpoint Security area, including all features

Grants the Read and Write rights in the General features: Encryption key management functional area.

Kaspersky Endpoint Security Operator

Grants the Read and Execute rights in all of the following functional areas:

  • General features: Basic functionality
  • Kaspersky Endpoint Security area, including all features

Main Administrator

Permits all operations in functional areas, except for the following areas in General features:

  • Access objects regardless of their ACLs
  • Enforced report management

Grants the Read and Write rights in the General features: Encryption key management functional area.

Main Operator

Grants the Read and Execute (where applicable) rights in all of the following functional areas:

  • General features:
    • Basic functionality
    • Deleted objects
    • Operations on Administration Server
    • Kaspersky application deployment
    • Virtual Administration Servers
  • Mobile Device Management: General
  • System management, including all features
  • Kaspersky Endpoint Security area, including all features

Mobile Device Management Administrator

Permits all operations in the following functional areas:

  • General features: Basic functionality
  • Mobile Device Management: General

Mobile Device Management Operator

Grants the Read and Execute rights in the General features: Basic functionality functional area.

Grants Read and Send only information commands to mobile devices in the Mobile Device Management: General functional area.

Security Officer

 

Permits all operations in the following functional areas, in General features:

  • Access objects regardless of their ACLs
  • Enforced report management

Grants the Read, Write, Execute, Save files from devices to the administrator's workstation, and Perform operations on device selections rights in the System management: Connectivity functional area.

You can assign this role to an officer in charge of the IT security in your organization.

Senior Security Analyst

Grants the Read right in the General features: Basic functionality functional area.

Grants the Read, Write, Execute, Save files from devices to the administrator's workstation, and Perform operations on device selections rights in the System management: Connectivity functional area.

Grants the access rights to the Kaspersky Endpoint Detection and Response Expert solution.

Self Service Portal User

Permits all operations in the Mobile Device Management: Self Service Portal functional area. This feature is not supported in Kaspersky Security Center 11 and later.

Supervisor

Grants the Read right in the General features: Access objects regardless of their ACLs and General features: Enforced report management functional area.

You can assign this role to a security officer and other managers in charge of the IT security in your organization.

Vulnerability and patch management administrator

Permits all operations in the General features: Basic functionality and System management (including all features) functional areas.

Vulnerability and patch management operator

Grants the Read and Execute (where applicable) rights in the General features: Basic functionality and System management (including all features) functional areas.

See also:

Scenario: Configuring network protection
Page top
[Topic 203750]

Assigning access rights to specific objects

In addition to assigning access rights at the server level, you can configure access to specific objects, for example, to a specific task. The application allows you to specify access rights to the following object types:

  • Administration groups
  • Tasks
  • Reports
  • Device selections
  • Event selections

To assign access rights to a specific object:

  1. Depending on the object type, in the main menu, go to the corresponding section:
    • Assets (Devices) → Hierarchy of groups
    • Assets (Devices) Tasks
    • Monitoring & reporting Reports
    • Assets (Devices) → Device selections
    • Monitoring & reporting Event selections
  2. Open the properties of the object to which you want to configure access rights.

    To open the properties window of an administration group or a task, click the object name. Properties of other objects can be opened by using the button on the toolbar.

  3. In the properties window, open the Access rights section.

    The user list opens. The listed users and security groups have access rights to the object. By default, if you use a hierarchy of administration groups or Servers, the list and access rights are inherited from the parent administration group or primary Server.

  4. To be able to modify the list, enable the Use custom permissions option.
  5. Configure access rights:
    • Use the Add and Delete buttons to modify the list.
    • Specify access rights for a user or security group. Do one of the following:
      • If you want to specify access rights manually, select the user or security group, click the Access rights button, and then specify the access rights.
      • If you want to assign a user role to the user or security group, select the user or security group, click the Roles button, and then select the role to assign.
  6. Click the Save button.

The access rights to the object are configured.

See also:

Configuring access rights to application features. Role-based access control

Access rights to application features

Predefined user roles
Page top
[Topic 237474]

Assigning access rights to users and security groups

You can give users and security groups access rights to use different features of Administration Server, for example, Kaspersky Endpoint Security for Linux.

To assign access rights to a user or a security group:

  1. In the main menu, click the settings icon () next to the name of the required Administration Server.

    The Administration Server properties window opens.

  2. On the Access rights tab, select the check box next to the name of the user or the security group to whom to assign rights, and then click the Access rights button.

    You cannot select multiple users or security groups at the same time. If you select more than one item, the Access rights button will be disabled.

  3. Configure the set of rights for the user or group:
    1. Expand the node with features of Administration Server or other Kaspersky application.
    2. Select the Allow or Deny check box next to the feature or the access right that you want.

      Example 1: Select the Allow check box next to the Application integration node to grant all available access rights to the Application integration feature (Read, Write, and Execute) for a user or group.

      Example 2: Expand the Encryption key management node, and then select the Allow check box next to the Write permission to grant the Write access right to the Encryption key management feature for a user or group.

  4. After you configure the set of access rights, click OK.

The set of rights for the user or group of users will be configured.

The permissions of the Administration Server (or the administration group) are divided into the following areas:

  • General features:
    • Management of administration groups
    • Access objects regardless of their ACLs
    • Basic functionality
    • Deleted objects
    • Encryption Key Management
    • Event processing
    • Operations on Administration Server (only in the property window of Administration Server)
    • Device tags
    • Kaspersky application deployment
    • License key management
    • Application integration
    • Enforced report management
    • Hierarchy of Administration Servers
    • User permissions
    • Virtual Administration Servers
  • Mobile Device Management:
    • General
    • Self Service Portal
  • System Management:
    • Connectivity
    • Execute scripts remotely
    • Hardware inventory
    • Network Access Control
    • Operating system deployment
    • Vulnerability and patch management
    • Remote installation
    • Software inventory

If neither Allow nor Deny is selected for an access right, then the access right is considered undefined: it is denied until it is explicitly denied or allowed for the user.

The rights of a user are the sum of the following:

  • User's own rights
  • Rights of all the roles assigned to this user
  • Rights of all the security group to which the user belongs
  • Rights of all the roles assigned to the security groups to which the user belongs

If at least one of these sets of rights has Deny for a permission, then the user is denied this permission, even if other sets allow it or leave it undefined.

You can also add users and security groups to the scope of a user role to use different features of Administration Server. Settings associated with a user role will only apply only to devices that belong to users who have this role, and only if these devices belong to groups associated with this role, including child groups.

Page top
[Topic 256412]