User roles
KUMA users may have the following roles:
- General administrator—this role is designed for users who are responsible for the core functionality of KUMA systems. For example, they install system components, perform maintenance, work with services, create backups, and add users to the system. These users have full access to KUMA.
- Tenant administrator—this role is for users responsible for the core functionality of KUMA systems owned by specific tenants.
- Tier 2 analyst—this role is for users responsible for configuring the KUMA system to receive and process events of a specific tenant. They also create and tweak correlation rules.
- Tier 2 analyst—this role is for users responsible for configuring the KUMA system to receive and process events of a specific tenant. They also create and tweak correlation rules. Users with this role have fewer privileges than Tier 2 analysts.
- Junior analyst—this role is for users dealing with immediate security threats of a specific tenant. A user with this role can see resources of the shared tenant through the REST API.
- Access to shared resources—this role is intended for managing the shared tenant. Users with this role have read access to shared resources. Only a user with the General administrator role can edit resources of a shared tenant.
- Interaction with NCIRCC—this role can be selected if the license includes the NCIRCC module. Users with this role receive notifications by default.
- Access to CII—this role can be selected if the license includes the NCIRCC module. Users with this role receive notifications by default.
User roles rights
Web interface section and actions
General administrator
Tenant administrator
Tier 2 analyst
Tier 1 analyst
Junior analyst
Access to shared resources
Access to NCIRCC
Access to CII
Comment
Reports
Create report template
yes
yes
yes
yes
no
no
no
no
View and edit templates and reports
yes
yes
yes
yes
no
no
no
no
Tier 2 analysts and Tier 1 analysts can:
- View any templates and reports, their own and those of other users, provided that all tenants specified in the template are available for this role.
- Edit their own templates/reports.
Tier 2 analysts can edit predefined templates.
Specifying the user's email address in the template is no longer grounds for providing access to a report generated from that template. Such a report is available to the user for viewing if all tenants specified in the template are available for the user's role.
Generate reports
yes
yes
yes
yes
no
no
no
no
Tier 2 analysts and Tier 1 analysts can generate any reports, their own and those of other users, provided that all tenants specified in the template are available for the role.
Tier 2 analysts and Tier 1 analysts cannot generate reports that were sent to the analyst by email.
Export generated reports
yes
yes
yes
yes
no
no
no
no
Tier 2 analysts and Tier 1 analysts can download any reports, provided that all tenants specified in the template are available for the role.
Delete templates and generated reports
yes
yes
yes
yes
no
no
no
no
Tier 2 analysts can delete their own templates and reports, as well as predefined templates.
Tier 2 analysts cannot delete reports that were sent to them by email.
General administrator, Tenant administrator, Tier 2 analyst can delete predefined templates and reports.
Edit the settings for generating reports
yes
yes
yes
yes
no
no
no
no
Tier 2 analysts can edit the settings for generating predefined templates and reports, as well as their own templates and reports.
Tier 1 analysts can edit the settings for generating the reports they created.
Duplicate report template
yes
yes
yes
yes
no
no
no
no
Tier 2 analysts and Tier 1 analysts can duplicate their own reports and predefined reports.
Open the generated report by email
yes
yes
yes
yes
yes
no
no
no
If a report is sent as a link, it is available to KUMA users only.
If a report is sent as an attachment, the report is available to the recipient if all tenants specified in the report template are available to the role of the recipient.
Dashboard
View data on the dashboard and change layouts
yes
yes
yes
yes
yes
no
yes
yes
Available if the user has full access. Full access means that the list of tenants defined at the dashboard level is identical to the list of tenants available to the user. Tenants in the toggle switch are also taken into account.
View the Universal layout
yes
yes
yes
yes
yes
no
yes
yes
Add layouts
yes
yes
yes
yes
no
no
no
no
This includes adding widgets to a layout.
Only the general administrator can add a universal layout.
Edit and rename layouts
yes
yes
yes
yes
no
no
no
no
This includes adding, editing, and deleting widgets.
Tier 2 analysts can change/rename predefined layouts and layouts that were created by their own account.
Tier 1 analysts can edit/rename layouts created by their own account.
Delete layouts
yes
yes
yes
yes
no
no
no
no
Tenant administrators may delete layouts in the tenants available to them.
Tier 2 analysts and Tier 1 analysts can delete layouts created by their own account.
General administrators, Tenant administrators, and Tier 2 analysts can delete predefined layouts.
When the kuma-core.service service is restarted, predefined layouts are restored to their original condition if they were previously deleted.
Enable and disable the TV mode
yes
yes
yes
yes
yes
no
yes
yes
Resources → Services and Resources → Services → Active services
View the list of active services
yes
yes
yes
yes
yes
no
yes
yes
Only the General Administrator can view and delete storage spaces.
Access rights do not depend on the tenants selected in the menu.
Tier 1 analysts and Tier 2 analysts can:
- See the storage service in the list of active services.
- Copy the ID of the storage and download the logs of the storage.
Access to viewing active services was added to the Junior analyst, Access to CII, Access to NCIRCC roles.
These roles have the following abilities:
- Viewing the Services section
- Viewing service logs
- Copying the service ID
- Refreshing the table
- Going to events
View the contents of the active list
yes
yes
yes
yes
no
no
no
no
Import/export/clear the contents of the active list
yes
yes
yes
yes
no
no
no
no
Tier 1 analysts can import data into any list or correlator table of an available tenant.
Create a set of resources for services
yes
yes
yes
no
no
no
no
no
Tier 2 analysts cannot create storages.
Create a service under Resources → Services → Active services
yes
yes
no
no
no
no
no
no
Only the general administrator can create a service.
Delete services
yes
yes
no
no
no
no
no
no
Restart services
yes
yes
no
no
no
no
no
no
Update the settings of services
yes
yes
yes
no
no
no
no
no
Reset certificates
yes
yes
no
no
no
no
no
no
Users with the Tenant administrator role can reset the certificates of services only in the tenants that are accessible to the user.
Resources → Resources
View the list of resources
yes
yes
yes
yes
no
yes
no
no
Tier 2 analysts and Tier 1 analysts cannot view the list of resources of secrets, but these resources are available to them when creating services.
Add resources
yes
yes
yes
yes
no
no
no
no
Tier 2 analysts and Tier 1 analysts cannot add resources of secrets.
Duplicate resources
yes
yes
yes
yes
no
no
no
no
Tier 1 analysts can duplicate a resource created by other users, including the resource set of a service. However, Tier 1 analysts cannot change the dependent resources in the copy of the set of service resources.
Edit resources
yes
yes
yes
yes
no
no
no
no
Tier 1 analysts can edit only resources they created.
Delete resources
yes
yes
yes
yes
no
no
no
no
Tier 2 analysts cannot delete resources of secrets.
Tier 1 analysts can delete only resources they created.
Import resources
yes
yes
yes
yes
no
no
no
no
Only the general administrator can import resources to a shared tenant.
View the repository, import the resources from the repository
yes
yes
yes
no
no
no
no
no
The Shared tenant's dependent resources are imported into the Shared tenant. A special right to the Shared tenant is not required; only the right to import in the target tenant is checked.
Export resources
yes
yes
yes
yes
no
yes
no
no
This includes resources from a shared tenant.
Source status → List of event sources
View sources of events
yes
yes
yes
yes
yes
no
yes
yes
Change sources of events
yes
yes
yes
no
no
no
no
no
Delete sources of events
yes
yes
yes
no
no
no
no
no
Source status → Monitoring policies
View monitoring policies
yes
yes
yes
yes
yes
yes
yes
yes
Create monitoring policies
yes
yes
yes
no
no
no
no
no
Edit monitoring policies
yes
yes
yes
no
no
no
no
no
Only the general administrator can edit the predefined monitoring policies.
Delete monitoring policies
yes
yes
yes
no
no
no
no
no
Predefined policies cannot be removed.
Assets
View assets and asset categories
yes
yes
yes
yes
yes
yes
yes
yes
This includes shared tenant categories.
Add/edit/delete asset categories
yes
yes
yes
yes
no
no
no
no
Within the tenant available to the user.
Add asset categories in a shared tenant
yes
no
no
no
no
no
no
no
This includes editing and deleting shared tenant categories.
Link assets to an asset category of the shared tenant
yes
yes
yes
yes
no
no
no
no
Add assets
yes
yes
yes
yes
no
no
no
no
Edit assets
yes
yes
yes
yes
no
no
no
no
Delete assets
yes
yes
yes
yes
no
no
no
no
Import assets from Kaspersky Security Center
yes
yes
yes
yes
no
no
no
no
Start tasks on assets in Kaspersky Security Center
yes
yes
yes
yes
no
no
no
no
Run tasks on assets in Kaspersky Endpoint Detection and Response
yes
yes
yes
yes
no
no
no
no
Confirm updates to fix the asset vulnerabilities and accept the licensing agreements
yes
yes
no
no
no
no
no
no
Editing CII categorization in the asset card
yes
no
no
no
no
no
no
yes
Editing custom fields of the assets (Settings → Assets)
yes
yes
yes
yes
no
no
no
no
Alerts
View the list of alerts
yes
yes
yes
yes
yes
no
yes
yes
Change the severity of alerts
yes
yes
yes
yes
yes
no
yes
yes
Open the details of alerts
yes
yes
yes
yes
yes
no
yes
yes
Assign responsible users
yes
yes
yes
yes
yes
no
yes
yes
Close alerts
yes
yes
yes
yes
yes
no
yes
yes
Add comments to alerts
yes
yes
yes
yes
yes
no
yes
yes
Attach an event to alerts
yes
yes
yes
yes
yes
no
yes
yes
Detach an event from alerts
yes
yes
yes
yes
yes
no
yes
yes
Edit and delete someone else's filters
yes
yes
no
no
no
no
no
no
Tier 2 analysts, Tier 1 analysts, and Junior analysts can edit or delete only their own filter resources.
Incidents
View the list of incidents
yes
yes
yes
yes
yes
no
yes
yes
Create blank incidents
yes
yes
yes
yes
yes
no
Manually create incidents from alerts
yes
yes
yes
yes
yes
no
Change the severity of incidents
yes
yes
yes
yes
yes
no
yes
yes
Open the incident details
yes
yes
yes
yes
yes
no
yes
yes
Incident details display data from only those tenants to which the user has access.
Assign executors
yes
yes
yes
yes
yes
no
yes
yes
Close incidents
yes
yes
yes
yes
yes
no
yes
yes
Add comments to incidents
yes
yes
yes
yes
yes
no
yes
yes
Attach alerts to incidents
yes
yes
yes
yes
yes
no
yes
yes
Detach alerts from incidents
yes
yes
yes
yes
yes
no
yes
yes
Edit and delete someone else's filters
yes
yes
no
no
no
no
no
no
Tier 2 analysts, Tier 1 analysts, and Junior analysts can edit or delete only their own filter resources.
Export incidents to NCIRCC
yes
no
no
no
no
no
yes
no
The functions are always available to the General administrator. Other users can use the functions if the "Can interact with NCIRCC" check box is selected in their profile.
Send files to NCIRCC
yes
no
no
no
no
no
yes
no
Download files sent to NCIRCC
yes
no
no
no
no
no
yes
no
Export additional incident data to NCIRCC upon request
yes
no
no
no
no
no
yes
no
Send messages to NCIRCC
yes
no
no
no
no
no
yes
no
View messages from NCIRCC
yes
no
no
no
no
no
yes
no
View incident data exported to NCIRCC
yes
no
no
no
no
no
yes
no
Events
View the list of events
yes
yes
yes
yes
yes
no
yes
yes
Search events
yes
yes
yes
yes
yes
no
yes
yes
Open the details of events
yes
yes
yes
yes
yes
no
yes
yes
Open statistics
yes
yes
yes
yes
yes
no
yes
yes
Perform a retroscan
yes
yes
yes
no
no
no
no
no
Export events to a TSV file
yes
yes
yes
yes
yes
no
yes
yes
Edit and delete someone else's filters
yes
yes
no
no
no
no
no
no
Tier 2 analysts, Tier 1 analysts, and Junior analysts can edit or delete only their own filter resources.
Start ktl enrichment
yes
yes
yes
yes
no
no
no
no
Run tasks on Kaspersky Endpoint Detection and Response assets in event details
yes
yes
yes
yes
no
no
no
no
Create presets
yes
yes
yes
yes
yes
no
yes
yes
Delete presets
yes
yes
yes
yes
yes
no
yes
yes
Tier 2 analysts, Tier 1 analysts, and Junior analysts can delete only their own presets.
View and use presets
yes
yes
yes
yes
yes
no
yes
yes
Settings → Users
View the list of users
yes
no
no
no
no
no
no
no
Add a user
yes
no
no
no
no
no
no
no
Edit a user
yes
no
no
no
no
no
no
no
Generate token
yes
yes
yes
yes
yes
yes
yes
yes
All users can generate their own tokens.
The general administrator can generate a token for any user.
Change access rights for a token
yes
yes
yes
yes
yes
yes
yes
yes
The General administrator can modify access rights for any user. Users can assign to themselves only those rights that are available to them as part of the user's role.
View the data of their own profile
yes
yes
yes
yes
yes
yes
yes
yes
Edit the data of their own profile
yes
yes
yes
yes
yes
yes
yes
yes
The user role is not available for change.
Settings → LDAP server
View the LDAP connection settings
yes
yes
yes
yes
no
no
no
no
Edit the LDAP connection settings
yes
yes
no
no
no
no
no
no
Delete the configuration of an entire tenant from the settings
yes
yes
no
no
no
no
no
no
Import assets
yes
yes
no
no
no
no
no
no
Settings → Tenants
This section is available only to the general administrator.
View the list of tenants
yes
no
no
no
no
no
no
no
Add tenants
yes
no
no
no
no
no
no
no
Change tenants
yes
no
no
no
no
no
no
no
Disable tenants
yes
no
no
no
no
no
no
no
Settings → Domain authorization
This section is available only to the general administrator.
View the Active Directory connection settings
yes
no
no
no
no
no
no
no
Edit the Active Directory connection settings
yes
no
no
no
no
no
no
no
Add filters based on roles for tenants
yes
no
no
no
no
no
no
no
Run tasks in Active Directory
yes
yes
yes
no
no
no
no
no
Settings → General
This section is available only to the general administrator.
View the SMTP connection settings
yes
no
no
no
no
no
no
no
Edit the SMTP connection settings
yes
no
no
no
no
no
no
no
Settings → License
This section is available only to the general administrator.
View the list of added license keys
yes
no
no
no
no
no
no
no
Add license keys
yes
no
no
no
no
no
no
no
Delete license keys
yes
no
no
no
no
no
no
no
Settings → Kaspersky Security Center
View the list of successfully integrated Kaspersky Security Center servers
yes
yes
yes
yes
no
no
no
no
Add Kaspersky Security Center connections
yes
yes
no
no
no
no
no
no
Delete Kaspersky Security Center connections
yes
yes
no
no
no
no
no
no
Delete the configuration of an entire tenant from the settings
yes
yes
no
no
no
no
no
no
Start the tasks for importing Kaspersky Security Center assets
yes
yes
no
no
no
no
no
no
Settings → Kaspersky Industrial CyberSecurity for Networks
View a list of KICS for Networks servers with which integration has been configured
yes
yes
no
no
no
no
no
no
Add and modify the settings of KICS for Networks integration
yes
yes
no
no
no
no
no
no
Delete the settings of KICS for Networks integration
yes
yes
no
no
no
no
no
no
Run the tasks to import assets from the KICS for Networks settings
yes
yes
no
no
no
no
no
no
Settings → Kaspersky Automated Security Awareness Platform
View the ASAP integration settings
yes
no
no
no
no
no
no
no
Edit the ASAP integration settings
yes
no
no
no
no
no
no
no
Settings → Kaspersky Endpoint Detection and Response
View the connection settings
yes
yes
yes
yes
no
no
no
no
Add, edit and disconnect the connections when the distributed solution mode is enabled
yes
no
no
no
no
no
no
no
Enable the distributed solution mode
yes
no
no
no
no
no
no
no
Add connections when the distributed solution mode is disabled
yes
yes
no
no
no
no
no
no
Delete the connections when the distributed solution mode is disabled
yes
yes
no
no
no
no
no
no
Delete the configuration of an entire tenant from the settings
yes
yes
no
no
no
no
no
no
Settings → Kaspersky CyberTrace
This section is available only to the general administrator.
View the CyberTrace integration settings
yes
no
no
no
no
no
no
no
Edit the CyberTrace integration settings
yes
no
no
no
no
no
no
no
Settings → IRP / SOAR
This section is available only to the general administrator.
View the settings for integration with IRP / SOAR
yes
no
no
no
no
no
no
no
Edit the IRP/SOAR integration settings
yes
no
no
no
no
no
no
no
Settings → Kaspersky Threat Lookup
This section is available only to the general administrator.
View the Threat Lookup integration settings
yes
no
no
no
no
no
no
no
Edit the Threat Lookup integration settings
yes
no
no
no
no
no
no
no
Settings → Alerts
View the parameters
yes
yes
yes
yes
no
no
no
no
Edit the parameters
yes
yes
yes
no
no
no
no
no
Delete the configuration of an entire tenant from the settings
yes
yes
yes
no
no
no
no
no
Settings → Incidents → Automatic linking of alerts to incidents
This section is available for an account with the Tenant administrator, Tier 2 analyst, and Tier 1 analyst roles if the role is assigned in the Main tenant.
View the parameters
yes
yes
yes
yes
no
no
no
no
Edit the parameters
yes
no
no
no
no
no
no
no
Settings → Incidents → Incident types
View the categories reference
yes
yes
yes
yes
no
no
no
no
View the categories charts
yes
yes
yes
yes
no
no
no
no
Add categories
yes
yes
no
no
no
no
no
no
Edit categories
yes
yes
no
no
no
no
no
no
Delete categories
yes
yes
no
no
no
no
no
no
Settings → NCIRCC
View the parameters
yes
no
no
no
no
no
no
no
Edit the parameters
yes
no
no
no
no
no
no
no
Settings → Hierarchy
View the parameters
yes
no
no
no
no
no
no
no
Edit the parameters
yes
no
no
no
no
no
no
no
View incidents from child nodes
yes
yes
yes
no
yes
no
no
no
All users of the parent node have access to the incidents in the child nodes.
Settings → Asset audit
Create, clone and edit the settings
yes
yes
yes
no
no
no
no
no
View the parameters
yes
yes
yes
yes
no
no
no
no
Delete settings
yes
yes
yes
no
no
no
no
no
Settings → Repository update
View the parameters
yes
yes
yes
no
no
no
no
no
Edit the parameters
yes
no
no
no
no
no
no
no
Start the repository update task manually
yes
yes
yes
no
no
no
no
no
Settings → Assets
Add, edit, and delete the asset fields
yes
no
no
no
no
no
no
no
Metrics
Open metrics
yes
no
no
no
no
no
no
no
Task manager
View a list of your own tasks
yes
yes
yes
yes
yes
no
yes
yes
A user with the General administrator role has access to tasks of all tenants.
Tenant administrators can view and manage tasks of other users in tenants available to the Tenant administrator.
Users have access to tasks in available tenants.
A user can restart a task of another user if the restarting user has rights to start tasks of that type.
Finish your own tasks
yes
yes
yes
yes
yes
no
yes
yes
Restart your own tasks
yes
yes
yes
yes
yes
no
yes
yes
View a list of all tasks
yes
no
no
no
no
no
no
no
Finish any task
yes
no
no
no
no
no
no
no
Restart any task
yes
no
no
no
no
no
no
no
CyberTrace
This section is not displayed in the web interface unless CyberTrace integration is configured under Settings → CyberTrace.
Open the section
yes
no
no
no
no
no
no
no
Access to the data of tenants
Access to tenants
yes
yes
yes
yes
yes
no
yes
yes
A user has access to the tenant if its name is indicated in the settings blocks of the roles assigned to the user account. The access level depends on which role is indicated for the tenant.
Shared tenant
yes
yes
yes
yes
yes
yes
yes
yes
A shared tenant is used to store shared resources that must be available to all tenants.
Although services cannot be owned by the shared tenant, these services may utilize resources that are owned by the shared tenant. These services are still owned by their respective tenants.
Events, alerts and incidents cannot be shared.
Permissions to access the shared tenant:
- Read/write—only the general administrator.
- Read—all other users, including users that have permissions to access the main tenant.
Main tenant
yes
yes
yes
yes
yes
no
yes
yes
A user has access to the main tenant if its name is indicated in the settings blocks of the roles assigned to the user account. The access level depends on which role is indicated for the tenant.
Permissions to access the main tenant do not grant access to other tenants.