Contents
- Users and user roles
- About user roles
- Configuring access rights to application features. Role-based access control
- Adding an account of an internal user
- Creating a user group
- Editing an account of an internal user
- Editing a user group
- Adding user accounts to an internal group
- Assigning a user as a device owner
- Deleting a user or a security group
- Creating a user role
- Editing a user role
- Editing the scope of a user role
- Deleting a user role
- Associating policy profiles with roles
Users and user roles
This section describes users and user roles, and provides instructions for creating and modifying them, for assigning roles and groups to users, and for associating policy profiles with roles.
About user roles
A user role (also referred to as a role) is an object containing a set of rights and privileges. A role can be associated with settings of Kaspersky applications installed on a user device. You can assign a role to a set of users or to a set of security groups at any level in the hierarchy of administration groups.
You can associate user roles with policy profiles. If a user is assigned a role, this user gets security settings necessary to perform job functions.
A user role can be associated with users of devices in a specific administration group.
User role scope
A user role scope is a combination of users and administration groups. Settings associated with a user role apply only to devices that belong to users who have this role, and only if these devices belong to groups associated with this role, including child groups.
Advantage of using roles
An advantage of using roles is that you do not have to specify security settings for each of the managed devices or for each of the users separately. The number of users and devices in a company may be quite large, but the number of different job functions that require different security settings is considerably smaller.
Differences from using policy profiles
Policy profiles are properties of a policy that is created for each Kaspersky application separately. A role is associated with many policy profiles created for different applications. Therefore, a role is a method of uniting settings for a certain user type in one place.
Configuring access rights to application features. Role-based access control
Kaspersky Security Center provides facilities for role-based access to the features of Kaspersky Security Center and managed Kaspersky applications.
You can configure access rights to application features for Kaspersky Security Center users in one of the following ways:
- By configuring the rights for each user or group of users individually.
- By creating standard user roles with a predefined set of rights and assigning those roles to users depending on their scope of duties.
Application of user roles is intended to simplify and shorten routine procedures of configuring users' access rights to application features. Access rights within a role are configured in accordance with the standard tasks and the users' scope of duties.
User roles can be assigned names that correspond to their respective purposes. You can create an unlimited number of roles in the application.
You can use the predefined user roles with an already configured set of rights, or create new roles and configure the required rights yourself.
Access rights to application features
The table below shows the Kaspersky Security Center features with the access rights to manage the associated tasks, reports, settings, and perform the associated user actions.
To perform the user actions listed in the table, a user has to have the right specified next to the action.
Read, Modify, and Execute rights are applicable to any task, report, or setting. In addition to these rights, a user has to have the Perform operations on device selections right to manage tasks, reports, or settings on device selections.
All tasks, reports, settings, and installation packages that are missing in the table belong to the General features: Basic functionality functional area.
Access rights to application features
Functional area | Right | User action: right required to perform the action | Task | Report | Other |
---|---|---|---|---|---|
General features: Management of administration groups | Modify | | None | None | None |
General features: Access objects regardless of their ACLs | Read | Get read access to all objects: Read | None | None | None |
General features: Basic functionality | | | | | None |
General features: Deleted objects | | | None | None | None |
General features: Event processing | | | None | None | Settings: |
General features: Operations on Administration Server | | | | None | None |
General features: Kaspersky software deployment | | Approve or decline installation of the patch: Manage Kaspersky patches | None | | Installation package: "Kaspersky" |
General features: Key management | | | None | None | None |
General features: Enforced report management | | | None | None | None |
General features: Hierarchy of Administration Servers | Configure hierarchy of Administration Servers | Register, update, or delete secondary Administration Servers: Configure hierarchy of Administration Servers | None | None | None |
General features: User permissions | Modify object ACLs | | None | None | None |
General features: Virtual Administration Servers | | | None | "Report on results of installation of third-party software updates" | None |
Mobile device management: General | | | None | None | None |
System management: Connectivity | | | None | "Report on device users" | None |
System management: Hardware inventory | | | None | | None |
System management: Network access control | | | None | None | None |
System management: Operating system deployment | | | "Create installation package upon reference device OS image" | None | Installation package: "OS Image" |
System management: Vulnerability and patch management | | | | "Report on software updates" | None |
System management: Remote installation | | | None | None | Installation packages: |
System management: Software inventory | | None | None | | None |
Predefined user roles
User roles assigned to Kaspersky Security Center users provide them with sets of access rights to application features.
You can use the predefined user roles with an already configured set of rights, or create new roles and configure the required rights yourself. Some of the predefined user roles available in Kaspersky Security Center can be associated with specific job positions, for example, Auditor, Security Officer, Supervisor (these roles are present in Kaspersky Security Center starting from version 11). Access rights of these roles are pre-configured in accordance with the standard tasks and scope of duties of the associated positions. The table below shows how roles can be associated with specific job positions.
Examples of roles for specific job positions
Role |
Comment |
Auditor |
Permits all operations with all types of reports, all viewing operations, including viewing deleted objects (grants the Read and Write permissions in the Deleted objects area). Does not permit other operations. You can assign this role to a person who performs the audit of your organization. |
Supervisor |
Permits all viewing operations; does not permit other operations. You can assign this role to a security officer and other managers in charge of the IT security in your organization. |
Security Officer |
Permits all viewing operations, permits reports management; grants limited permissions in the System management: Connectivity area. You can assign this role to an officer in charge of the IT security in your organization. |
The table below shows the access rights assigned to each predefined user role.
Access rights of predefined user roles
Role |
Description |
---|---|
Administration Server Administrator |
Permits all operations in the following functional areas:
|
Administration Server Operator |
Grants the Read and Execute rights in all of the following functional areas:
|
Auditor |
Permits all operations in the functional areas, in General features:
You can assign this role to a person who performs the audit of your organization. |
Installation Administrator |
Permits all operations in the following functional areas:
Grants the Read and Execute rights in the General features: Virtual Administration Servers functional area. |
Installation Operator |
Grants the Read and Execute rights in all of the following functional areas:
|
Kaspersky Endpoint Security Administrator |
Permits all operations in the following functional areas:
|
Kaspersky Endpoint Security Operator |
Grants the Read and Execute rights in all of the following functional areas:
|
Main Administrator |
Permits all operations in functional areas, except for the following areas, in General features:
|
Main Operator |
Grants the Read and Execute (where applicable) rights in all of the following functional areas:
|
Mobile Device Management Administrator |
Permits all operations in the following functional areas:
|
Mobile Device Management Operator |
Grants the Read and Execute rights in the General features: Basic functionality functional area. Grants Read and Send only information commands to mobile devices in the Mobile Device Management: General functional area. |
Security Officer |
Permits all operations in the following functional areas, in General features:
Grants the Read, Modify, Execute, Save files from devices to the administrator's workstation, and Perform operations on device selections rights in the System management: Connectivity functional area. You can assign this role to an officer in charge of the IT security in your organization. |
Self Service Portal User |
Permits all operations in the Mobile Device Management: Self Service Portal functional area. This feature is not supported in Kaspersky Security Center 11 and later versions. |
Supervisor |
Grants the Read right in the General features: Access objects regardless of their ACLs and General features: Enforced report management functional areas. You can assign this role to a security officer and other managers in charge of the IT security in your organization. |
Vulnerability and Patch Management Administrator |
Permits all operations in the General features: Basic functionality and System management (including all features) functional areas. |
Vulnerability and Patch Management Operator |
Grants the Read and Execute (where applicable) rights in the General features: Basic functionality and System management (including all features) functional areas. |
Adding an account of an internal user
To add a new internal user account to Kaspersky Security Center:
- In the main menu, go to USERS & ROLES → USERS.
- Click Add.
- In the New entity window that opens, specify the settings of the new user account:
  - Keep the default option User.
  - Name.
  - Password for the user connection to Kaspersky Security Center.
    The password must comply with the following rules:
    - The password must be 8 to 16 characters long.
    - The password must contain characters from at least three of the groups listed below:
      - Uppercase letters (A-Z)
      - Lowercase letters (a-z)
      - Numbers (0-9)
      - Special characters (@ # $ % ^ & * - _ ! + = [ ] { } | : ' , . ? / \ ` ~ " ( ) ;)
    - The password must not contain any whitespace, Unicode characters, or the combination of "." and "@", when "." is placed before "@".
    To see the characters that you entered, click and hold the Show button.
    The number of attempts for entering the password is limited. By default, the maximum number of allowed password entry attempts is 10. You can change the allowed number of attempts to enter a password, as described in "Changing the number of allowed password entry attempts".
    If the user enters an invalid password the specified number of times, the user account is blocked for one hour. You can unblock the user account only by changing the password.
  - Full name
  - Description
  - Email address
  - Phone
- Click OK to save the changes.
The new user account appears in the list of users and user groups.
Creating a user group
To create a user group:
- In the main menu, go to USERS & ROLES → USERS.
- Click Add.
- In the New entity window that opens, select Group.
- Specify the following settings for the new user group:
  - Group name
  - Description
- Click OK to save the changes.
The new user group appears in the list of users and user groups.
Editing an account of an internal user
To edit an internal user account in Kaspersky Security Center:
- In the main menu, go to USERS & ROLES → USERS.
- Click the name of the user account that you want to edit.
- In the user settings window that opens, on the General tab, change the settings of the user account:
  - Description
  - Full name
  - Email address
  - Main phone
  - Password for the user connection to Kaspersky Security Center.
    The password must comply with the following rules:
    - The password must be 8 to 16 characters long.
    - The password must contain characters from at least three of the groups listed below:
      - Uppercase letters (A-Z)
      - Lowercase letters (a-z)
      - Numbers (0-9)
      - Special characters (@ # $ % ^ & * - _ ! + = [ ] { } | : ' , . ? / \ ` ~ " ( ) ;)
    - The password must not contain any whitespace, Unicode characters, or the combination of "." and "@", when "." is placed before "@".
    To see the entered password, click and hold the Show button.
    The number of attempts for entering the password is limited. By default, the maximum number of allowed password entry attempts is 10. You can change the allowed number of attempts; however, for security reasons, we do not recommend that you decrease this number. If the user enters an invalid password the specified number of times, the user account is blocked for one hour. You can unblock the user account only by changing the password.
- If necessary, switch the toggle button to Disabled to prohibit the user from connecting to the application. You can disable an account, for example, after an employee leaves the company.
- On the Authentication security tab, you can specify the security settings for this account.
- On the Groups tab, you can add the user to security groups.
- On the Devices tab, you can assign devices to the user.
- On the Roles tab, you can assign roles to the user.
- Click Save to save the changes.
The updated user account appears in the list of users and security groups.
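The password rules listed in both account procedures above (adding and editing an internal user) can be checked before accounts are created in bulk. The following is an added example, not code from Kaspersky Security Center; the function name and rule labels are hypothetical, and it assumes that "Unicode characters" means non-ASCII characters and that any "." occurring before an "@" is rejected.

```python
import string

# Character groups exactly as listed in the password rules above.
GROUPS = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "digits": set(string.digits),
    "special": set("@#$%^&*-_!+=[]{}|:',.?/\\`~\"();"),
}


def password_violations(password: str) -> list:
    """Return the rules a candidate password breaks; an empty list means compliant."""
    problems = []
    if not 8 <= len(password) <= 16:
        problems.append("length")          # must be 8 to 16 characters long
    if any(ch.isspace() for ch in password):
        problems.append("whitespace")
    # Assumption: "Unicode characters" means anything outside 7-bit ASCII.
    if not password.isascii():
        problems.append("non-ascii")
    # Assumption: a "." anywhere before an "@" is rejected, not only the pair ".@".
    last_at = password.rfind("@")
    if last_at != -1 and "." in password[:last_at]:
        problems.append("dot-before-at")
    used = sum(1 for chars in GROUPS.values() if chars & set(password))
    if used < 3:
        problems.append("groups")          # fewer than three of the four groups
    return problems


# Constructed sample values for illustration only.
SAMPLES = ["Tr4il-Mix_09", "password", "first.last@Corp1", "Ab1 Ab1 Ab1", "Ab1@x.yz9"]

if __name__ == "__main__":
    for candidate in SAMPLES:
        print(f"{candidate!r:22} {password_violations(candidate) or 'ok'}")
```

Because the rule about "." and "@" is read here in its strictest form, a password that passes this check also passes under the narrower reading.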
Editing a user group
You can edit only internal groups.
To edit a user group:
- In the main menu, go to USERS & ROLES → USERS.
- Click the name of the user group that you want to edit.
- In the group settings window that opens, change the settings of the user group:
  - Name
  - Description
- Click Save to save the changes.
The updated user group appears in the list of users and user groups.
Adding user accounts to an internal group
You can add only accounts of internal users to an internal group.
To add user accounts to an internal group:
- In the main menu, go to USERS & ROLES → USERS.
- Select check boxes next to user accounts that you want to add to a group.
- Click the Assign group button.
- In the Assign group window that opens, select the group to which you want to add user accounts.
- Click the Assign button.
The user accounts are added to the group.
Assigning a user as a device owner
To assign a user as a device owner:
- Go to USERS & ROLES → USERS.
- Click the name of the user account that you want to assign as a device owner.
- In the user settings window that opens, click the Devices tab.
- Click Add.
- From the device list, select the device that you want to assign to the user.
- Click OK.
The selected device is added to the list of devices assigned to the user.
You can perform the same operation at DEVICES → MANAGED DEVICES, by clicking the name of the device that you want to assign, and then clicking the Manage device owner link.
Deleting a user or a security group
You can delete only internal users or internal security groups.
To delete a user or a security group:
- In the main menu, go to USERS & ROLES → USERS.
- Select the check box next to the user or the security group that you want to delete.
- Click Delete.
- In the window that opens, click OK.
The user or the security group is deleted.
Creating a user role
To create a user role:
- In the main menu, go to USERS & ROLES → Roles.
- Click Add.
- In the New role name window that opens, enter the name of the new role.
- Click OK to apply the changes.
- In the role properties window that opens, change the settings of the role:
  - On the General tab, edit the role name.
    You cannot edit the name of a predefined role.
  - On the Settings tab, edit the role scope and policies and profiles associated with the role.
  - On the Access rights tab, edit the rights for access to Kaspersky applications.
- Click Save to save the changes.
The new role appears in the list of user roles.
Editing a user role
To edit a user role:
- In the main menu, go to USERS & ROLES → Roles.
- Click the name of the role that you want to edit.
- In the role properties window that opens, change the settings of the role:
  - On the General tab, edit the role name.
    You cannot edit the name of a predefined role.
  - On the Settings tab, edit the role scope and policies and profiles associated with the role.
  - On the Access rights tab, edit the rights for access to Kaspersky applications.
- Click Save to save the changes.
The updated role appears in the list of user roles.
Editing the scope of a user role
A user role scope is a combination of users and administration groups. Settings associated with a user role apply only to devices that belong to users who have this role, and only if these devices belong to groups associated with this role, including child groups.
To add users, security groups, and administration groups to the scope of a user role, you can use either of the following methods:
Method 1:
- In the main menu, go to USERS & ROLES → USERS.
- Select check boxes next to the users and security groups that you want to add to the user role scope.
- Click the Assign role button.
The Role Assignment Wizard starts. Proceed through the Wizard by using the Next button.
- On the Select role page of the Wizard, select the user role that you want to assign.
- On the Define scope page of the Wizard, select the administration group that you want to add to the user role scope.
- Click the Assign role button to close the Wizard.
The selected users or security groups and the selected administration group are added to the scope of the user role.
Method 2:
- In the main menu, go to USERS & ROLES → Roles.
- Click the name of the role for which you want to define the scope.
- In the role properties window that opens, select the Settings tab.
- In the Role scope section, click Add.
The Role Assignment Wizard starts. Proceed through the Wizard by using the Next button.
- On the Define scope page of the Wizard, select the administration group that you want to add to the user role scope.
- On the Select users page of the Wizard, select users and security groups that you want to add to the user role scope.
- Click the Assign role button to close the Wizard.
- Close the role properties window.
The selected users or security groups and the selected administration group are added to the scope of the user role.
Deleting a user role
To delete a user role:
- In the main menu, go to USERS & ROLES → Roles.
- Select the check box next to the name of the role that you want to delete.
- Click Delete.
- In the window that opens, click OK.
The user role is deleted.
Associating policy profiles with roles
You can associate user roles with policy profiles. In this case, the activation rule for this policy profile is based on the role: the policy profile becomes active for a user that has the specified role.
For example, the policy bars any GPS navigation software on all devices in an administration group. GPS navigation software is necessary only on a single device in the Users administration group—the device owned by a courier. In this case, you can assign a "Courier" role to its owner, and then create a policy profile allowing GPS navigation software to run only on the devices whose owners are assigned the "Courier" role. All the other policy settings are preserved. Only the user with the role "Courier" will be allowed to run GPS navigation software. Later, if another worker is assigned the "Courier" role, the new worker also can run navigation software on your organization's device. Running GPS navigation software will still be prohibited on other devices in the same administration group.
To associate a role with a policy profile:
- In the main menu, go to USERS & ROLES → Roles.
- Click the name of the role that you want to associate with a policy profile.
The role properties window opens with the General tab selected.
- Select the Settings tab, and scroll down to the Policies & Profiles section.
- Click Edit.
- To associate the role with:
  - An existing policy profile: click the chevron icon next to the required policy name, and then select the check box next to the profile with which you want to associate the role.
  - A new policy profile:
    - Select the check box next to the policy for which you want to create a profile.
    - Click New policy profile.
    - Specify a name for the new profile and configure the profile settings.
    - Click the Save button.
    - Select the check box next to the new profile.
- Click Assign to role.
The profile is associated with the role and appears in the role properties. The profile applies automatically to any device whose owner is assigned the role.
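The role scope rule and the "Courier" example above can be modelled to review where a role-associated profile actually becomes active. This is an added example, not part of Kaspersky Security Center or its API; all class, function, user, device and group names are hypothetical, and security group membership is assumed to be already resolved to individual users.

```python
from dataclasses import dataclass, field

# Constructed hierarchy: child administration group -> parent administration group.
PARENT = {"Users": "Managed devices", "Field staff": "Users", "Servers": "Managed devices"}


@dataclass(frozen=True)
class Device:
    name: str
    owner: str   # user assigned as the device owner
    group: str   # administration group that contains the device


@dataclass
class Role:
    name: str
    users: set = field(default_factory=set)     # users in the role scope
    groups: set = field(default_factory=set)    # administration groups in the role scope
    profiles: set = field(default_factory=set)  # policy profiles associated with the role


def in_scope_group(group, scope_group):
    """True if group is scope_group itself or one of its child groups."""
    seen = set()
    while group is not None and group not in seen:
        if group == scope_group:
            return True
        seen.add(group)
        group = PARENT.get(group)
    return False


def role_applies(role, device):
    """Both conditions must hold: the owner has the role and the device sits in a scoped group."""
    return device.owner in role.users and any(
        in_scope_group(device.group, g) for g in role.groups)


def active_profiles(roles, device):
    """Names of role-associated policy profiles that are active on the device."""
    return {p for r in roles if role_applies(r, device) for p in r.profiles}


def owned_outside_scope(role, devices):
    """Devices whose owner has the role but which the role scope does not cover."""
    return [d.name for d in devices
            if d.owner in role.users and not role_applies(role, d)]


# Constructed sample data based on the "Courier" example above.
COURIER = Role("Courier", users={"anna"}, groups={"Users"},
               profiles={"Allow GPS navigation"})
DEVICES = [
    Device("anna-phone", "anna", "Field staff"),  # child group of Users
    Device("bob-laptop", "bob", "Users"),         # owner lacks the role
    Device("anna-server", "anna", "Servers"),     # outside the role scope
]

if __name__ == "__main__":
    for d in DEVICES:
        print(d.name, sorted(active_profiles([COURIER], d)))
    print("owned outside scope:", owned_outside_scope(COURIER, DEVICES))
```

The `owned_outside_scope` list is the part worth checking after a role assignment: it shows devices that a role holder owns but that do not receive the role's profile because their administration group is not in the role scope.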