Kaspersky Next XDR Expert

About binding Administration Servers to tenants

You can bind Kaspersky Security Center Administration Servers to tenants. A link between a tenant and an Administration Server allows you to relate the assets managed by the Administration Server to the tenant.

You cannot bind virtual Administration Servers to tenants, only physical ones.

Tenants can have subtenants; therefore they are arranged into a tenant hierarchy. Administration Servers can have secondary Administration Servers; therefore they are arranged into a Server hierarchy. You cannot bind an arbitrary Server to an arbitrary tenant because this may lead to an illegal binding. For example, a user may not have access rights to a tenant in the tenant hierarchy, but the same user may have access rights to the devices of this tenant. This might happen if this user has access rights to the Administration Server 2 which is primary to the Administration Server 1 bound to the tenant. Therefore, by default, this user has inherited access rights to the Administration Server 1 and its managed devices. To eliminate such a situation, tenants and Administration Servers can only be bound to each other according to the binding rules.

There are two types of bindings:

  • Explicit binding

    This binding type is established when you select an Administration Server that you want to bind to a tenant.

  • Inherited binding

    When you establish explicit binding for an Administration Server that has secondary Administration Servers, the secondary Administration Servers are bound to the tenant through the inherited binding type. Therefore several Administration Servers may be bound to a tenant.

Binding rules:

  • The root Administration Server is always bound to the Root tenant, you cannot remove this binding.
  • A tenant may not have a bound Administration Server. Such a tenant can have subtenants, and Administration Servers can be bound to these subtenants.
  • You can bind two Administration Servers which are arranged into a hierarchy only to two tenants which are arranged into a hierarchy too, and only if the hierarchy of Administration Servers matches the hierarchy of tenants.
  • An Administration Server may be bound only to one tenant, explicitly or through the inherited binding type.
  • When you bind an Administration Server to a tenant explicitly:
    • If the Administration Server was bound to another tenant explicitly, this binding is automatically removed.
    • If the Administration Server has secondary Administration Servers, the secondary Administration Servers are bound to the new tenant through the inherited binding type excluding those Administration Servers that were bound to their tenants explicitly. Before this operation, Kaspersky Next XDR Expert checks whether or not all of the new bindings are legal. If they are not, the binding cannot be established.
  • When you remove an explicit binding between a tenant and an Administration Server (unbind Administration Server), the Administration Server and all of its secondary Administration Servers (if any) are automatically bound through the inherited binding type to the tenant to which the primary Administration Server of the selected Administration Server is bound. If some of the secondary Administration Servers are bound to their tenants explicitly, those Administration Servers keep their bindings.
  • When you add a new Administration Server to the hierarchy, the Administration Server is automatically bound through the inherited binding type to the tenant to which the Server's primary Administration Server is bound.
  • When you remove an Administration Server from the hierarchy and the Administration Server has an explicit binding to a tenant, this binding is removed.