Kaspersky Security Center 13.1

Managing user accounts

This section provides information about user accounts and roles supported by the application. This section contains instructions on how to create accounts and roles for users of Kaspersky Security Center.

Kaspersky Security Center allows you to manage user accounts and groups of accounts. The application supports two types of accounts:

  • Accounts of organization employees. Administration Server retrieves data of the accounts of those users when polling the organization's network.
  • Accounts of internal users. These accounts are applied when virtual Administration Servers are used. Accounts of internal users are created and used only within Kaspersky Security Center.

In this section

Working with user accounts

Adding an account of an internal user

Editing an account of an internal user

Changing the number of allowed password entry attempts

Configuring the check of the name of an internal user for uniqueness

Adding a security group

Adding a user to a group

Configuring access rights to application features. Role-based access control

Assigning the user as a device owner

Delivering messages to users

Viewing the list of user mobile devices

Installing a certificate for a user

Viewing the list of certificates issued to a user

About the administrator of a virtual Administration Server


Working with user accounts

All user accounts can be viewed in the User accounts folder in the console tree. The User accounts folder is a subfolder of the Advanced folder by default.

You can perform the following actions on user accounts and groups of accounts:


Adding an account of an internal user

To add a new internal user account to Kaspersky Security Center:

  1. In the console tree, open the User accounts folder.

    The User accounts folder is a subfolder of the Advanced folder by default.

  2. In the workspace, click the Add user button.
  3. In the New user window that opens, specify the settings of the new user account:
    • A user name

      Please be careful when entering the user name. You will not be able to change it after saving the changes.

    • Description
    • Full name
    • Main email
    • Main phone
    • Password for the user connection to Kaspersky Security Center

      The password must comply with the following rules:

      • The password must be 8 to 16 characters long.
      • The password must contain characters from at least three of the groups listed below:
        • Uppercase letters (A-Z)
        • Lowercase letters (a-z)
        • Numbers (0-9)
        • Special characters (@ # $ % ^ & * - _ ! + = [ ] { } | : ' , . ? / \ ` ~ " ( ) ;)
      • The password must not contain any whitespace, Unicode characters, or the combination of "." and "@", when "." is placed before "@".

      To see the entered password, click and hold the Show button.

      The number of attempts for entering the password is limited. By default, the maximum number of allowed password entry attempts is 10. You can change the allowed number of attempts to enter a password, as described in "Changing the number of allowed password entry attempts".

      If the user enters an invalid password the specified number of times, the user account is blocked for one hour. In the list of user accounts, the user icon of a blocked account is dimmed (unavailable). You can unblock the user account only by changing the password.

    • If necessary, select the Disable account check box to prohibit the user from connecting to the application. You can disable an account, for example, if you want to create it beforehand but activate it later.
    • Select the Request the password when account settings are modified check box if you want to enable an additional option to protect a user account from unauthorized modification. If this option is enabled, modifying user account settings requires authorization of the user with the Modify object ACLs right of the General features: User permissions functional area.
  4. Click OK.

The newly created user account is displayed in the workspace of the User accounts folder.


Editing an account of an internal user

To edit an internal user account in Kaspersky Security Center:

  1. In the console tree, open the User accounts folder.

    The User accounts folder is a subfolder of the Advanced folder by default.

  2. In the workspace, double-click the internal user account that you want to edit.
  3. In the Properties: <user name> window that opens, change the settings of the user account:
    • Description
    • Full name
    • Main email
    • Main phone
    • Password for the user connection to Kaspersky Security Center

      The password must comply with the following rules:

      • The password must be 8 to 16 characters long.
      • The password must contain characters from at least three of the groups listed below:
        • Uppercase letters (A-Z)
        • Lowercase letters (a-z)
        • Numbers (0-9)
        • Special characters (@ # $ % ^ & * - _ ! + = [ ] { } | : ' , . ? / \ ` ~ " ( ) ;)
      • The password must not contain any whitespace, Unicode characters, or the combination of "." and "@", when "." is placed before "@".

      To see the entered password, click and hold the Show button.

      The number of attempts for entering the password is limited. By default, the maximum number of allowed password entry attempts is 10. You can change the allowed number of attempts to enter a password, as described in "Changing the number of allowed password entry attempts".

      If the user enters an invalid password the specified number of times, the user account is blocked for one hour. In the list of user accounts, the user icon of a blocked account is dimmed (unavailable). You can unblock the user account only by changing the password.

    • If necessary, select the Disable account check box to prohibit the user from connecting to the application. You can disable an account, for example, after an employee leaves the company.
    • Select the Request the password when account settings are modified option if you want to enable an additional option to protect a user account from unauthorized modification. If this option is enabled, modifying user account settings requires authorization of the user with the Modify object ACLs right of the General features: User permissions functional area.
  4. Click OK.

The edited user account is displayed in the workspace of the User accounts folder.
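
A pre-check for bulk provisioning that applies the password rules listed in the adding and editing procedures above; this is an added example, not Kaspersky code, and the function name is hypothetical. Two points are assumptions: "Unicode characters" is read as any non-ASCII character, and the "." / "@" rule is applied conservatively by rejecting any "." that occurs anywhere before an "@".

```powershell
# Added example (not vendor code): checks a candidate internal-user password
# against the rules listed on this page and reports every rule it breaks.
function Test-KscInternalPassword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [AllowEmptyString()]
        [string]$Password
    )

    $violations = [System.Collections.Generic.List[string]]::new()

    # Rule: 8 to 16 characters long.
    if ($Password.Length -lt 8 -or $Password.Length -gt 16) {
        $violations.Add("Length is $($Password.Length); must be 8 to 16 characters.")
    }

    # Rule: characters from at least three of the four groups.
    # The special-character set is copied from the page ('' is an escaped quote).
    $special = '@#$%^&*-_!+=[]{}|:'',.?/\`~"();'
    $groups = 0
    if ($Password -cmatch '[A-Z]') { $groups++ }   # -cmatch is case-sensitive
    if ($Password -cmatch '[a-z]') { $groups++ }
    if ($Password -cmatch '[0-9]') { $groups++ }
    if ($Password.IndexOfAny($special.ToCharArray()) -ge 0) { $groups++ }
    # Characters outside all four groups (for example "<") count toward none.
    if ($groups -lt 3) {
        $violations.Add("Uses $groups character group(s); at least 3 are required.")
    }

    # Rule: no whitespace.
    if ($Password -match '\s') {
        $violations.Add('Contains whitespace.')
    }

    # Rule: no "Unicode characters" (assumption: anything outside 7-bit ASCII).
    if ($Password -cmatch '[^\x00-\x7F]') {
        $violations.Add('Contains non-ASCII characters.')
    }

    # Rule: no "." placed before "@" (assumption: checked anywhere in the
    # string, which also covers the adjacent ".@" reading of the rule).
    $firstDot = $Password.IndexOf([char]'.')
    $lastAt   = $Password.LastIndexOf([char]'@')
    if ($firstDot -ge 0 -and $lastAt -gt $firstDot) {
        $violations.Add('Contains "." before "@".')
    }

    [pscustomobject]@{
        Valid      = ($violations.Count -eq 0)
        Violations = $violations.ToArray()
    }
}

# Constructed sample values, not real credentials.
'Summer2024!', 'short1A', 'first.last@Corp1', 'alllowercase', 'Tab	Pass12!' |
    ForEach-Object {
        $r = Test-KscInternalPassword -Password $_
        '{0,-18} valid={1} {2}' -f $_, $r.Valid, ($r.Violations -join ' | ')
    }
```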


Changing the number of allowed password entry attempts

The Kaspersky Security Center user can enter an invalid password a limited number of times. After the limit is reached, the user account is blocked for one hour.

By default, the maximum number of allowed attempts to enter a password is 10. You can change the number of allowed password entry attempts, as described in this section.

To change the number of allowed password entry attempts:

  1. Open the system registry of the device on which Administration Server is installed (for example, locally, using the regedit command in the Start → Run menu).
  2. Go to the following key:
    • For 32-bit systems:

      HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\1093\1.0.0.0\ServerFlags

    • For 64-bit systems:

      HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\1093\1.0.0.0\ServerFlags

  3. If the SrvSplPpcLogonAttempts value is not present, create it. The value type is DWORD.

    By default, after Kaspersky Security Center is installed this value is not created.

  4. Specify the required number of attempts in the SrvSplPpcLogonAttempts value.
  5. Click OK to save the changes.
  6. Restart the Administration Server service.

The maximum number of allowed password entry attempts is changed.


Configuring the check of the name of an internal user for uniqueness

You can configure how the name of an internal user of Kaspersky Security Center is checked for uniqueness when this name is added to the application. The check can be performed either only on the virtual Administration Server or the primary Administration Server for which the user account is to be created, or on all virtual Administration Servers and on the primary Administration Server. By default, the name of an internal user is checked for uniqueness on all virtual Administration Servers and on the primary Administration Server.

To enable the check of the name of an internal user for uniqueness on a virtual Administration Server or on the primary Administration Server:

  1. Open the system registry of the device on which Administration Server is installed (for example, locally, using the regedit command in the Start → Run menu).
  2. Go to the following key:
    • For 32-bit systems:

      HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\.core\.independent\KLLIM

    • For 64-bit systems:

      HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\.core\.independent\KLLIM

  3. Set the LP_InterUserUniqVsScope (DWORD) value to 00000001.

    The default for this value is 0.

  4. Restart the Administration Server service.

The name will only be checked for uniqueness on the virtual Administration Server on which the internal user was created, or on the primary Administration Server if the internal user was created on the primary Administration Server.

To enable the check of the name of an internal user on all virtual Administration Servers and on the primary Administration Server:

  1. Open the system registry of the device on which Administration Server is installed (for example, locally, using the regedit command in the Start → Run menu).
  2. Go to the following key:
    • For a 64-bit system:

      HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\.core\.independent\KLLIM

    • For a 32-bit system:

      HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\.core\.independent\KLLIM

  3. Set the LP_InterUserUniqVsScope (DWORD) value to 00000000.

    The default for this value is 0.

  4. Restart the Administration Server service.

The check of the name for uniqueness will be performed on all virtual Administration Servers and on the primary Administration Server.
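
Both registry procedures above (the password entry attempt limit and the name-uniqueness scope) can be audited and applied from an elevated PowerShell session; the following is an added example, not Kaspersky code. The function names are hypothetical, and the service name kladminserver and the minimum of 1 attempt are assumptions to confirm in your environment.

```powershell
# Added example (not vendor code). Run elevated, in 64-bit PowerShell on 64-bit
# Windows, on the device where Administration Server is installed.

# Assumption: Windows service name of Administration Server. Confirm it with
# Get-Service before using -RestartService.
$KscServiceName = 'kladminserver'

# Values from the two procedures on this page, relative to
# ...\KasperskyLab\Components\34, with the defaults the page states.
$KscSettings = @{
    SrvSplPpcLogonAttempts  = @{ SubKey = '1093\1.0.0.0\ServerFlags'; Default = 10 }
    LP_InterUserUniqVsScope = @{ SubKey = '.core\.independent\KLLIM'; Default = 0 }
}

function Get-KscComponentRoot {
    # 64-bit systems keep the key under Wow6432Node; 32-bit systems do not.
    if ([Environment]::Is64BitOperatingSystem) {
        'HKLM:\SOFTWARE\Wow6432Node\KasperskyLab\Components\34'
    } else {
        'HKLM:\SOFTWARE\KasperskyLab\Components\34'
    }
}

function Get-KscAccountSetting {
    # Reports whether the value exists and which setting is in effect
    # (the documented default applies when the value is absent).
    param(
        [Parameter(Mandatory)]
        [ValidateSet('SrvSplPpcLogonAttempts', 'LP_InterUserUniqVsScope')]
        [string]$Name
    )
    $def  = $KscSettings[$Name]
    $path = Join-Path (Get-KscComponentRoot) $def.SubKey
    $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Name      = $Name
        Path      = $path
        Present   = [bool]$item
        Effective = if ($item) { $item.$Name } else { $def.Default }
    }
}

function Set-KscAccountSetting {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('SrvSplPpcLogonAttempts', 'LP_InterUserUniqVsScope')]
        [string]$Name,
        [Parameter(Mandatory)]
        [ValidateRange(0, [int]::MaxValue)]
        [int]$Value,
        [switch]$RestartService
    )
    # The page documents only 0 and 1 for the uniqueness scope.
    if ($Name -eq 'LP_InterUserUniqVsScope' -and $Value -notin 0, 1) {
        throw 'LP_InterUserUniqVsScope accepts 0 (all Servers) or 1 (own Server only).'
    }
    # Assumption: an attempt limit below 1 is treated as a mistake.
    if ($Name -eq 'SrvSplPpcLogonAttempts' -and $Value -lt 1) {
        throw 'SrvSplPpcLogonAttempts must be at least 1.'
    }

    $path = Join-Path (Get-KscComponentRoot) $KscSettings[$Name].SubKey
    if (-not (Test-Path -Path $path)) {
        throw "Key not found: $path. Is Administration Server installed here?"
    }
    if ($PSCmdlet.ShouldProcess("$path\$Name", "Set DWORD to $Value")) {
        # -Force creates the value if it is absent and overwrites it otherwise.
        New-ItemProperty -Path $path -Name $Name -PropertyType DWord `
            -Value $Value -Force | Out-Null
    }
    # The change takes effect only after the service restarts.
    if ($RestartService -and
        $PSCmdlet.ShouldProcess($KscServiceName, 'Restart service')) {
        Restart-Service -Name $KscServiceName
    }
}

# Audit the current state (read-only):
Get-KscAccountSetting -Name SrvSplPpcLogonAttempts
Get-KscAccountSetting -Name LP_InterUserUniqVsScope

# Preview a change without writing anything (5 is a constructed sample value):
# Set-KscAccountSetting -Name SrvSplPpcLogonAttempts -Value 5 -RestartService -WhatIf
```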


Adding a security group

You can add security groups (groups of users) and flexibly configure the groups and their access to various application features. Security groups can be assigned names that correspond to their respective purposes. For example, the name can correspond to where users are located in the office or to the name of the company's organizational unit to which the users belong.

One user can belong to several security groups. A user account managed by a virtual Administration Server can belong only to security groups of this virtual Server and have access rights only within this virtual Server.

To add a security group:

  1. In the console tree select the User accounts folder.

    The User accounts folder is a subfolder of the Advanced folder by default.

  2. Click the Add security group button.

    The Add security group window opens.

  3. In the Add security group window, in the General section specify the name of the group.

    A group name cannot be more than 255 characters long and cannot contain special symbols such as *, <, >, ?, \, :, |. The group name must be unique.

    You can enter the group description in the Description entry field. Filling in the Description field is optional.

  4. Click OK.

The security group that you have added appears in the User accounts folder in the console tree. You can add users to the newly created group.


Adding a user to a group

To add a user to a group:

  1. In the console tree, select the User accounts folder.

    The User accounts folder is a subfolder of the Advanced folder by default.

  2. In the list of user accounts and groups, select the group to which you want to add the user.
  3. In the group properties window, select the Group users section and click the Add button.

    A window with a list of users opens.

  4. In the list, select a user that you want to include in the group.
  5. Click OK.

The user is added to the group and displayed in the list of group users.


Configuring access rights to application features. Role-based access control

Kaspersky Security Center provides facilities for role-based access to the features of Kaspersky Security Center and managed Kaspersky applications.

You can configure access rights to application features for Kaspersky Security Center users in one of the following ways:

  • By configuring the rights for each user or group of users individually.
  • By creating standard user roles with a predefined set of rights and assigning those roles to users depending on their scope of duties.

A user role (also referred to as a role) is a predefined set of access rights to the features of Kaspersky Security Center or managed Kaspersky applications. A role can be assigned to a user or a group of users.

Application of user roles is intended to simplify and shorten routine procedures of configuring users' access rights to application features. Access rights within a role are configured in accordance with the standard tasks and the users' scope of duties.

User roles can be assigned names that correspond to their respective purposes. You can create an unlimited number of roles in the application.

You can use the predefined user roles with an already configured set of rights, or create new roles and configure the required rights yourself.

In this section

Access rights to application features

Predefined user roles

Adding a user role

Assigning a role to a user or a user group

Assigning permissions to users and groups

Propagating user roles to secondary Administration Servers

See also:

Licenses and features of Kaspersky Security Center 13.1


Access rights to application features

The table below shows the Kaspersky Security Center features with the access rights to manage the associated tasks, reports, settings, and perform the associated user actions.

To perform the user actions listed in the table, a user has to have the right specified next to the action.

Read, Modify, and Execute rights are applicable to any task, report, or setting. In addition to these rights, a user has to have the Perform operations on device selections right to manage tasks, reports, or settings on device selections.

All tasks, reports, settings, and installation packages that are missing in the table belong to the General features: Basic functionality functional area.

Access rights to application features

Each entry below corresponds to one table row. The entry heading is the functional area; the items under it are the remaining columns: Right; User action: right required to perform the action; Task; Report; Other.

General features: Management of administration groups

  • Right: Modify
  • User action: right required to perform the action:
    • Add device to an administration group: Modify
    • Delete device from an administration group: Modify
    • Add an administration group to another administration group: Modify
    • Delete an administration group from another administration group: Modify
  • Task: None
  • Report: None
  • Other: None

General features: Access objects regardless of their ACLs

  • Right: Read
  • User action: right required to perform the action:
    • Get read access to all objects: Read
  • Task: None
  • Report: None
  • Other: None

General features: Basic functionality

  • Right:
    • Read
    • Modify
    • Execute
    • Perform operations on device selections
  • User action: right required to perform the action:
    • Device moving rules (create, modify, or delete) for the virtual Server: Modify, Perform operations on device selections
    • Get Mobile (LWNGT) protocol custom certificate: Read
    • Set Mobile (LWNGT) protocol custom certificate: Write
    • Get NLA-defined network list: Read
    • Add, modify, or delete NLA-defined network list: Modify
    • View Access Control List of groups: Read
    • View the Kaspersky Event Log: Read
  • Task:
    • "Download updates to the Administration Server repository"
    • "Deliver reports"
    • "Distribute installation package"
    • "Install application on secondary Administration Servers remotely"
  • Report:
    • "Report on protection status"
    • "Report on threats"
    • "Report on most heavily infected devices"
    • "Report on status of anti-virus databases"
    • "Report on errors"
    • "Report on network attacks"
    • "Summary report on mail system protection applications installed"
    • "Summary report on perimeter defense applications installed"
    • "Summary report on types of applications installed"
    • "Report on users of infected devices"
    • "Report on incidents"
    • "Report on events"
    • "Report on activity of distribution points"
    • "Report on Secondary Administration Servers"
    • "Report on Device Control events"
    • "Report on vulnerabilities"
    • "Report on prohibited applications"
    • "Report on Web Control"
    • "Report on encryption status of managed devices"
    • "Report on encryption status of mass storage devices"
    • "Report on file encryption errors"
    • "Report on blockage of access to encrypted files"
    • "Report on rights to access encrypted devices"
    • "Report on effective user permissions"
    • "Report on rights"
  • Other: None

General features: Deleted objects

  • Right:
    • Read
    • Modify
  • User action: right required to perform the action:
    • View deleted objects in the Recycle Bin: Read
    • Delete objects from the Recycle Bin: Modify
  • Task: None
  • Report: None
  • Other: None

General features: Event processing

  • Right:
    • Delete events
    • Edit event notification settings
    • Edit event logging settings
    • Modify
  • User action: right required to perform the action:
    • Change events registration settings: Edit event logging settings
    • Change events notification settings: Edit event notification settings
    • Delete events: Delete events
  • Task: None
  • Report: None
  • Other: Settings:
    • Virus outbreak settings: number of virus detections required to create a virus outbreak event
    • Virus outbreak settings: period of time for evaluation of virus detections
    • The maximum number of events stored in the database
    • Period of time for storing events from the deleted devices

General features: Operations on Administration Server

  • Right:
    • Read
    • Modify
    • Execute
    • Modify object ACLs
    • Perform operations on device selections
  • User action: right required to perform the action:
    • Specify ports of Administration Server for the network agent connection: Modify
    • Specify ports of Activation Proxy launched on the Administration Server: Modify
    • Specify ports of Activation Proxy for Mobile launched on the Administration Server: Modify
    • Specify ports of the Web Server for distribution of standalone packages: Modify
    • Specify ports of the Web Server for distribution of MDM profiles: Modify
    • Specify SSL ports of the Administration Server for connection via Kaspersky Security Center Web Console: Modify
    • Specify ports of the Administration Server for mobile connection: Modify
    • Specify the maximum number of events stored in the Administration Server database: Modify
    • Specify the maximum number of events that can be sent by the Administration Server: Modify
    • Specify time period during which events can be sent by the Administration Server: Modify
  • Task:
    • "Backup of Administration Server data"
    • "Databases maintenance"
  • Report: None
  • Other: None

General features: Kaspersky software deployment

  • Right:
    • Manage Kaspersky patches
    • Read
    • Modify
    • Execute
    • Perform operations on device selections
  • User action: right required to perform the action:
    • Approve or decline installation of the patch: Manage Kaspersky patches
  • Task: None
  • Report:
    • "Report on license key usage by virtual Administration Server"
    • "Report on Kaspersky software versions"
    • "Report on incompatible applications"
    • "Report on versions of Kaspersky software module updates"
    • "Report on protection deployment"
  • Other: Installation package: "Kaspersky"

General features: Key management

  • Right:
    • Export key file
    • Modify
  • User action: right required to perform the action:
    • Export key file: Export key file
    • Modify Administration Server license key settings: Modify
  • Task: None
  • Report: None
  • Other: None

General features: Enforced report management

  • Right:
    • Read
    • Modify
  • User action: right required to perform the action:
    • Create reports regardless of their ACLs: Write
    • Execute reports regardless of their ACLs: Read
  • Task: None
  • Report: None
  • Other: None

General features: Hierarchy of Administration Servers

  • Right: Configure hierarchy of Administration Servers
  • User action: right required to perform the action:
    • Register, update, or delete secondary Administration Servers: Configure hierarchy of Administration Servers
  • Task: None
  • Report: None
  • Other: None

General features: User permissions

  • Right: Modify object ACLs
  • User action: right required to perform the action:
    • Change Security properties of any object: Modify object ACLs
    • Manage user roles: Modify object ACLs
    • Manage internal users: Modify object ACLs
    • Manage security groups: Modify object ACLs
    • Manage aliases: Modify object ACLs
  • Task: None
  • Report: None
  • Other: None

General features: Virtual Administration Servers

  • Right:
    • Manage virtual Administration Servers
    • Read
    • Modify
    • Execute
    • Perform operations on device selections
  • User action: right required to perform the action:
    • Get list of virtual Administration Servers: Read
    • Get information on the virtual Administration Server: Read
    • Create, update, or delete a virtual Administration Server: Manage virtual Administration Servers
    • Move a virtual Administration Server to another group: Manage virtual Administration Servers
    • Set administration virtual Server permissions: Manage virtual Administration Servers
  • Task: None
  • Report: "Report on results of installation of third-party software updates"
  • Other: None

Mobile device management: General

  • Right:
    • Connect new devices
    • Send only information commands to mobile devices
    • Send commands to mobile devices
    • Manage certificates
    • Read
    • Modify
  • User action: right required to perform the action:
    • Get Key Management Service restore data: Read
    • Delete user certificates: Manage certificates
    • Get user certificate public part: Read
    • Check if Public Key Infrastructure is enabled: Read
    • Check Public Key Infrastructure account: Read
    • Get Public Key Infrastructure templates: Read
    • Get Public Key Infrastructure templates by Extended Key Usage certificate: Read
    • Check if Public Key Infrastructure certificate is revoked: Read
    • Update user certificate issuance settings: Manage certificates
    • Get user certificate issuance settings: Read
    • Get packages by application name and version: Read
    • Set or cancel user certificate: Manage certificates
    • Renew user certificate: Manage certificates
    • Set user certificate tag: Manage certificates
    • Run generation of MDM installation package; cancel generation of MDM installation package: Connect new devices
  • Task: None
  • Report: None
  • Other: None

System management: Connectivity

  • Right:
    • Start RDP sessions
    • Connect to existing RDP sessions
    • Initiate tunneling
    • Save files from devices to the administrator's workstation
    • Read
    • Modify
    • Execute
    • Perform operations on device selections
  • User action: right required to perform the action:
    • Create desktop sharing session: The right to create desktop sharing session
    • Create RDP session: Connect to existing RDP sessions
    • Create tunnel: Initiate tunneling
    • Save content network list: Save files from devices to the administrator's workstation
  • Task: None
  • Report: "Report on device users"
  • Other: None

System management: Hardware inventory

  • Right:
    • Read
    • Modify
    • Execute
    • Perform operations on device selections
  • User action: right required to perform the action:
    • Get or export hardware inventory object: Read
    • Add, set or delete hardware inventory object: Write
  • Task: None
  • Report:
    • "Report on hardware registry"
    • "Report on configuration changes"
    • "Report on hardware"
  • Other: None

System management: Network access control

  • Right:
    • Read
    • Modify
  • User action: right required to perform the action:
    • View CISCO settings: Read
    • Change CISCO settings: Write
  • Task: None
  • Report: None
  • Other: None

System management: Operating system deployment

  • Right:
    • Deploy PXE servers
    • Read
    • Modify
    • Execute
    • Perform operations on device selections
  • User action: right required to perform the action:
    • Deploy PXE servers: Deploy PXE servers
    • View a list of PXE servers: Read
    • Start or stop the installation process on PXE clients: Execute
    • Manage drivers for WinPE and operating system images: Modify
  • Task: "Create installation package upon reference device OS image"
  • Report: None
  • Other: Installation package: "OS Image"

System management: Vulnerability and patch management

  • Right:
    • Read
    • Modify
    • Execute
    • Perform operations on device selections
  • User action: right required to perform the action:
    • View third-party patch properties: Read
    • Change third-party patch properties: Modify
  • Task:
    • "Perform Windows Update synchronization"
    • "Install Windows Update updates"
    • "Fix vulnerabilities"
    • "Install required updates and fix vulnerabilities"
  • Report: "Report on software updates"
  • Other: None

System management: Remote installation

  • Right:
    • Read
    • Modify
    • Execute
    • Perform operations on device selections
  • User action: right required to perform the action:
    • View third-party Vulnerability and Patch Management based installation package properties: Read
    • Change third-party Vulnerability and Patch Management based installation package properties: Modify
  • Task: None
  • Report: None
  • Other: Installation packages:
    • "Custom application"
    • "VAPM package"

System management: Software inventory

  • Right:
    • Read
    • Modify
    • Execute
    • Perform operations on device selections
  • User action: right required to perform the action: None
  • Task: None
  • Report:
    • "Report on installed applications"
    • "Report on applications registry history"
    • "Report on status of licensed applications groups"
    • "Report on third-party software license keys"
  • Other: None


Predefined user roles

User roles assigned to Kaspersky Security Center users provide them with sets of access rights to application features.

You can use the predefined user roles with an already configured set of rights, or create new roles and configure the required rights yourself. Some of the predefined user roles available in Kaspersky Security Center can be associated with specific job positions, for example, Auditor, Security Officer, Supervisor (these roles are present in Kaspersky Security Center starting from version 11). Access rights of these roles are pre-configured in accordance with the standard tasks and scope of duties of the associated positions. The table below shows how roles can be associated with specific job positions.

Examples of roles for specific job positions

  • Auditor: Permits all operations with all types of reports, all viewing operations, including viewing deleted objects (grants the Read and Write permissions in the Deleted objects area). Does not permit other operations. You can assign this role to a person who performs the audit of your organization.
  • Supervisor: Permits all viewing operations; does not permit other operations. You can assign this role to a security officer and other managers in charge of the IT security in your organization.
  • Security Officer: Permits all viewing operations, permits reports management; grants limited permissions in the System management: Connectivity area. You can assign this role to an officer in charge of the IT security in your organization.

The table below shows the access rights assigned to each predefined user role.

Access rights of predefined user roles

Role

Description

Administration Server Administrator

Permits all operations in the following functional areas:

  • General features:
    • Basic functionality
    • Event processing
    • Hierarchy of Administration Servers
    • Virtual Administration Servers
  • System management:
    • Connectivity
    • Hardware inventory
    • Software inventory

Administration Server Operator

Grants the Read and Execute rights in all of the following functional areas:

  • General features:
    • Basic functionality
    • Virtual Administration Servers
  • System management:
    • Connectivity
    • Hardware inventory
    • Software inventory

Auditor

Permits all operations in the following functional areas, in General features:

  • Access objects regardless of their ACLs
  • Deleted objects
  • Enforced report management

You can assign this role to a person who performs the audit of your organization.

Installation Administrator

Permits all operations in the following functional areas:

  • General features:
    • Basic functionality
    • Kaspersky software deployment
    • License key management
  • System management:
    • Operating system deployment
    • Vulnerability and patch management
    • Remote installation
    • Software inventory

Grants the Read and Execute rights in the General features: Virtual Administration Servers functional area.

Installation Operator

Grants the Read and Execute rights in all of the following functional areas:

  • General features:
    • Basic functionality
    • Kaspersky software deployment (also grants the Manage Kaspersky patches right in this area)
    • Virtual Administration Servers
  • System management:
    • Operating system deployment
    • Vulnerability and patch management
    • Remote installation
    • Software inventory

Kaspersky Endpoint Security Administrator

Permits all operations in the following functional areas:

  • General features: Basic functionality
  • Kaspersky Endpoint Security area, including all features

Kaspersky Endpoint Security Operator

Grants the Read and Execute rights in all of the following functional areas:

  • General features: Basic functionality
  • Kaspersky Endpoint Security area, including all features

Main Administrator

Permits all operations in functional areas, except for the following areas, in General features:

  • Access objects regardless of their ACLs
  • Enforced report management

Main Operator

Grants the Read and Execute (where applicable) rights in all of the following functional areas:

  • General features:
    • Basic functionality
    • Deleted objects
    • Operations on Administration Server
    • Kaspersky software deployment
    • Virtual Administration Servers
  • Mobile Device Management: General
  • System management, including all features
  • Kaspersky Endpoint Security area, including all features

Mobile Device Management Administrator

Permits all operations in the following functional areas:

  • General features: Basic functionality
  • Mobile Device Management: General

Mobile Device Management Operator

Grants the Read and Execute rights in the General features: Basic functionality functional area.

Grants Read and Send only information commands to mobile devices in the Mobile Device Management: General functional area.

Security Officer

Permits all operations in the following functional areas, in General features:

  • Access objects regardless of their ACLs
  • Enforced report management

Grants the Read, Modify, Execute, Save files from devices to the administrator's workstation, and Perform operations on device selections rights in the System management: Connectivity functional area.

You can assign this role to an officer in charge of the IT security in your organization.

Self Service Portal User

Permits all operations in the Mobile Device Management: Self Service Portal functional area. This feature is not supported in Kaspersky Security Center 11 and later versions.

Supervisor

Grants the Read right in the General features: Access objects regardless of their ACLs and General features: Enforced report management functional areas.

You can assign this role to a security officer and other managers in charge of the IT security in your organization.

Vulnerability and Patch Management Administrator

Permits all operations in the General features: Basic functionality and System management (including all features) functional areas.

Vulnerability and Patch Management Operator

Grants the Read and Execute (where applicable) rights in the General features: Basic functionality and System management (including all features) functional areas.


Adding a user role

To add a user role:

  1. In the console tree, select the node with the name of the required Administration Server.
  2. In the context menu of the Administration Server, select Properties.
  3. In the Administration Server properties window, in the Sections pane select User roles and click the Add button.

    The User roles section is available if the Display security settings sections option is enabled.

  4. In the New role properties window, configure the role:
    • In the Sections pane, select General and specify the name of the role.

      The name of a role cannot be more than 100 characters long.

    • Select the Rights section, and configure the set of rights by selecting the Allow and Deny check boxes next to the application features.

    If you are operating on the primary Administration Server, you can enable the Relay list of roles to secondary Administration Servers option.

  5. Click OK.

The role is added.

User roles that have been created for Administration Server are displayed in the Administration Server properties window, in the User roles section. You can modify and delete user roles, as well as assign roles to user groups or selected users.

[Topic 89268]

Assigning a role to a user or a user group

To assign a role to a user or a group of users:

  1. In the console tree, select the node with the name of the required Administration Server.
  2. In the context menu of the Administration Server, select Properties.
  3. In the Administration Server properties window, select the Security section.

    The Security section is available if the Display security settings sections check box is selected in the interface settings window.

  4. In the Names of groups or users field, select a user or a group of users to which you want to assign a role.

    If the user or the group is not contained in the field, you can add it by clicking the Add button.

    When you add a user by clicking the Add button, you can select the type of user authentication (Microsoft Windows or Kaspersky Security Center). Kaspersky Security Center authentication is used for selecting the accounts of internal users that are used for working with virtual Administration Servers.

  5. Select the Roles tab and click the Add button.

    The User roles window opens. This window displays user roles that have been created.

  6. In the User roles window, select a role for the user group.
  7. Click OK.

The role with a set of rights for working with Administration Server is assigned to the user or the user group. Roles that have been assigned are displayed on the Roles tab in the Security section of the Administration Server properties window.

[Topic 89269]

Assigning permissions to users and groups

You can give users and groups permissions to use different features of Administration Server and of the Kaspersky programs for which you have management plug-ins, for example, Kaspersky Endpoint Security for Windows.

To assign permissions to a user or a group of users:

  1. In the console tree, do one of the following:
    • Expand the Administration Server node and select the subfolder with the name of the required Administration Server.
    • Select the administration group.
  2. In the context menu of the Administration Server or the administration group, select Properties.
  3. In the Administration Server properties window (or the administration group properties window) that opens, in the left Sections pane select Security.

    The Security section is available if the Display security settings sections check box is selected in the interface settings window.

  4. In the Security section, in the Names of groups or users list select a user or a group.
  5. In the permissions list in the lower part of the workspace, on the Rights tab configure the set of rights for the user or group:
    1. Click the plus signs (+) to expand the nodes in the list and gain access to the permissions.
    2. Select the Allow and Deny check boxes next to the permissions that you want.

      Example 1: Expand the Access objects regardless of their ACLs node or Deleted objects node, and select Read.

      Example 2: Expand the Basic functionality node, and select Write.

  6. When you have configured the set of rights, click Apply.

The set of rights for the user or group of users will be configured.

The permissions of the Administration Server (or the administration group) are divided into the following areas:

  • General features:
    • Management of administration groups (only for Kaspersky Security Center 11 or later)
    • Access objects regardless of their ACLs (only for Kaspersky Security Center 11 or later)
    • Basic functionality
    • Deleted objects (only for Kaspersky Security Center 11 or later)
    • Event processing
    • Operations on Administration Server (only in the property window of Administration Server)
    • Deploy Kaspersky applications
    • License key management
    • Enforced report management (only for Kaspersky Security Center 11 or later)
    • Hierarchy of Servers
    • User rights
    • Virtual Administration Servers
  • Mobile Device Management:
    • General
  • System Management:
    • Connectivity
    • Hardware inventory
    • Network Access Control
    • Deploy operating system
    • Manage vulnerabilities and patches
    • Remote installation
    • Software inventory

If neither Allow nor Deny is selected for a permission, then the permission is considered undefined: it is treated as denied until it is explicitly allowed or denied for the user.

The rights of a user are the sum of the following:

  • User's own rights
  • Rights of all the roles assigned to this user
  • Rights of all the security groups to which the user belongs
  • Rights of all the roles assigned to the security groups to which the user belongs

If at least one of these sets of rights has Deny for a permission, then the user is denied this permission, even if other sets allow it or leave it undefined.
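The resolution rule described above (four sets summed, Deny wins, undefined counts as denied) can be checked offline when auditing why an account does or does not hold a right. The following is an added example, not Kaspersky code or an API of the application; the data layout, the account and group names, and the "Restricted" role are assumptions constructed for illustration.

```python
ALLOW, DENY = "allow", "deny"  # a permission absent from a set is undefined

# Constructed sample data (not exported from a real Administration Server).
# Keys are (functional area, right); "Restricted" is a hypothetical custom role.
ROLES = {
    "Supervisor": {("Access objects regardless of their ACLs", "Read"): ALLOW,
                   ("Enforced report management", "Read"): ALLOW},
    "Restricted": {("Basic functionality", "Write"): DENY},
}
GROUPS = {"Helpdesk": {"rights": {("Basic functionality", "Read"): ALLOW},
                       "roles": ["Restricted"]}}
USER = {"name": "alice", "roles": ["Supervisor"], "groups": ["Helpdesk"],
        "rights": {("Basic functionality", "Write"): ALLOW}}

def rights_sets(user, groups, roles):
    """Yield (source, rights) for each of the four sets that are summed."""
    yield f"user:{user['name']}", user.get("rights", {})
    for role in user.get("roles", []):
        yield f"role:{role}", roles[role]
    for group in user.get("groups", []):
        yield f"group:{group}", groups[group].get("rights", {})
        for role in groups[group].get("roles", []):
            yield f"role:{role} (via group:{group})", roles[role]

def resolve(user, groups, roles):
    """Map each defined permission to (decision, sources that set it)."""
    seen = {ALLOW: {}, DENY: {}}
    for source, rights in rights_sets(user, groups, roles):
        for perm, state in rights.items():
            seen[state].setdefault(perm, []).append(source)
    result = {perm: (ALLOW, src) for perm, src in seen[ALLOW].items()}
    # A single Deny overrides every Allow, so apply Deny entries last.
    result.update({perm: (DENY, src) for perm, src in seen[DENY].items()})
    return result

def is_permitted(result, area, right):
    """Undefined permissions are absent from result and count as denied."""
    return result.get((area, right), (DENY, []))[0] == ALLOW

if __name__ == "__main__":
    effective = resolve(USER, GROUPS, ROLES)
    for (area, right), (decision, sources) in sorted(effective.items()):
        print(f"{area} / {right}: {decision} <- {', '.join(sources)}")
```

In this sample the user's own Allow for Write in Basic functionality is overridden by a Deny that arrives through a role assigned to the Helpdesk group, which is the case most often missed when only the user's own Rights tab is reviewed.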

[Topic 172173]

Propagating user roles to secondary Administration Servers

By default, the lists of user roles of the primary and secondary Administration Servers are independent. You can configure the application to automatically propagate the user roles created on the primary Administration Server to all of the secondary Administration Servers. The user roles can also be propagated from a secondary Administration Server to its own secondary Administration Servers.

To propagate user roles from the primary Administration Server to the secondary Administration Servers:

  1. Open the main application window.
  2. Do one of the following:
    • In the console tree, right-click the name of the Administration Server and select Properties in the context menu.
    • If you have an active Administration Server policy, in the workspace of the Policies folder, right-click this policy and select Properties in the context menu.
  3. In the Administration Server properties window, or in the policy settings window, in the Sections pane select User roles.

    The User roles section is available if the Display security settings sections option is enabled.

  4. Enable the Relay list of roles to secondary Administration Servers option.
  5. Click OK.

The application copies the user roles of the primary Administration Server to the secondary Administration Servers.

When the Relay list of roles to secondary Administration Servers option is enabled and the user roles are propagated, they cannot be edited or deleted on the secondary Administration Servers. When you create a new role or edit an existing one on the primary Administration Server, the changes are automatically copied to the secondary Administration Servers. When you delete a user role on the primary Administration Server, this role remains on the secondary Administration Servers afterward, but it can be edited or deleted.

The roles that are propagated to the secondary Administration Server from the primary Server are displayed with the lock icon. You cannot edit these roles on the secondary Administration Server.

If you create a role on the primary Administration Server, and there is a role with the same name on its secondary Administration Server, the new role is copied to the secondary Administration Server with an index added to its name, for example, ~~1, ~~2 (the index can be random).

If you disable the Relay list of roles to secondary Administration Servers option, all the user roles remain on the secondary Administration Servers, but they become independent from those on the primary Administration Server. After becoming independent, the user roles on the secondary Administration Servers can be edited or deleted.

[Topic 173211]

Assigning the user as a device owner

You can assign the user as a device owner to allocate a device to that user. If you have to perform some actions on the device (for example, upgrade hardware), the administrator can notify the device owner to authorize those actions.

To assign a user as the owner of a device:

  1. In the console tree, select the Managed devices folder.
  2. In the workspace of the folder, on the Devices tab, select the device for which you need to assign an owner.
  3. In the context menu of the device, select Properties.
  4. In the device properties window, select System Info → Sessions.
  5. Click the Assign button next to the Device owner field.
  6. In the User selection window, select the user to assign as the device owner and click OK.
  7. Click OK.

The device owner is assigned. By default, the Device owner field is filled with a value from Active Directory and is updated during every Active Directory poll. You can view the list of device owners in the Report on device owners. You can create a report using the New Report Wizard.

[Topic 98856]

Delivering messages to users

To send a message to a user by email:

  1. In the console tree, in the User accounts folder, select a user.

    The User accounts folder is a subfolder of the Advanced folder by default.

  2. In the user's context menu, select Notify by email.
  3. Fill in the relevant fields in the Send message to user window and click the OK button.

The message will be sent to the email address that has been specified in the user's properties.

To send an SMS message to a user:

  1. In the console tree, in the User accounts folder, select a user.
  2. In the user's context menu, select Send an SMS.
  3. Fill in the relevant fields in the SMS text window and click the OK button.

The message will be sent to the mobile device with the number that has been specified in the user's properties.

[Topic 89271]

Viewing the list of user mobile devices

To view a list of a user's mobile devices:

  1. In the console tree, in the User accounts folder, select a user.

    The User accounts folder is a subfolder of the Advanced folder by default.

  2. In the context menu of the user account, select Properties.
  3. In the properties window of the user account, select the Mobile devices section.

In the Mobile devices section, you can view the list of the user's mobile devices and information about each of them. You can click the Export to file button to save the list of mobile devices to a file.

[Topic 89273]

Installing a certificate for a user

You can install three types of certificates for a user:

  • Shared certificate, which is required to identify the user's mobile device.
  • Mail certificate, which is required to set up the corporate mail on the user's mobile device.
  • VPN certificate, which is required to set up the virtual private network on the user's mobile device.

To issue a certificate to a user and then install it:

  1. In the console tree, open the User accounts folder and select a user account.

    The User accounts folder is a subfolder of the Advanced folder by default.

  2. In the context menu of the user account, select Install certificate.

The Certificate Installation Wizard starts. Follow the instructions of the Wizard.

After the Certificate Installation Wizard has finished, the certificate will be created and installed for the user. You can view the list of installed user certificates and export it to a file.

[Topic 89274]

Viewing the list of certificates issued to a user

To view a list of all certificates issued to a user:

  1. In the console tree, in the User accounts folder, select a user.

    The User accounts folder is a subfolder of the Advanced folder by default.

  2. In the context menu of the user account, select Properties.
  3. In the properties window of the user account, select the Certificates section.

In the Certificates section, you can view the list of the user's certificates and information about each of them. You can click the Export to file button to save the list of certificates to a file.

[Topic 89275]

About the administrator of a virtual Administration Server

An administrator of the enterprise network managed through a virtual Administration Server starts Kaspersky Security Center 13.1 Web Console under the user account specified in this window to view the details of anti-virus protection.

If necessary, several administrator accounts can be created on a virtual Server.

The administrator of a virtual Administration Server is an internal user of Kaspersky Security Center. No data on internal users is transferred to the operating system. Kaspersky Security Center authenticates internal users.

[Topic 45927]