Kaspersky Security Center 13.1
13.1
English

Contents

Configuring access rights to application features. Role-based access control

Kaspersky Security Center provides facilities for role-based access to the features of Kaspersky Security Center and managed Kaspersky applications.

You can configure access rights to application features for Kaspersky Security Center users in one of the following ways:

  • By configuring the rights for each user or group of users individually.
  • By creating standard user roles with a predefined set of rights and assigning those roles to users depending on their scope of duties.

User role (also referred to as a role) is a predefined set of access rights to the features of Kaspersky Security Center or managed Kaspersky applications. A role can be assigned to a user or a group of users.

Application of user roles is intended to simplify and shorten routine procedures of configuring users' access rights to application features. Access rights within a role are configured in accordance with the standard tasks and the users' scope of duties.

User roles can be assigned names that correspond to their respective purposes. You can create an unlimited number of roles in the application.

You can use the predefined user roles with already configured set of rights, or create new roles and configure the required rights yourself.

In this section

Access rights to application features

Predefined user roles

Adding a user role

Assigning a role to a user or a user group

Assigning permissions to users and groups

Propagating user roles to secondary Administration Servers

See also:

Licenses and features of Kaspersky Security Center 13.1
Page top
[Topic 89266]

Access rights to application features

The table below shows the Kaspersky Security Center features with the access rights to manage the associated tasks, reports, settings, and perform the associated user actions.

To perform the user actions listed in the table, a user has to have the right specified next to the action.

Read, Modify, and Execute rights are applicable to any task, report, or setting. In addition to these rights, a user has to have the Perform operations on device selections right to manage tasks, reports, or settings on device selections.

All tasks, reports, settings, and installation packages that are missing in the table belong to the General features: Basic functionality functional area.

Access rights to application features

Functional area

Right

User action: right required to perform the action

Task

Report

Other

General features: Management of administration groups

Modify
  • Add device to an administration group: Modify
  • Delete device from an administration group: Modify
  • Add an administration group to another administration group: Modify
  • Delete an administration group from another administration group: Modify

None

None

None

General features: Access objects regardless of their ACLs

Read

Get read access to all objects: Read

None

None

None

General features: Basic functionality
  • Read
  • Modify
  • Execute
  • Perform operations on device selections
  • Device moving rules (create, modify, or delete) for the virtual Server: Modify, Perform operations on device selections
  • Get Mobile (LWNGT) protocol custom certificate: Read
  • Set Mobile (LWNGT) protocol custom certificate: Write
  • Get NLA-defined network list: Read
  • Add, modify, or delete NLA-defined network list: Modify
  • View Access Control List of groups: Read
  • View the Kaspersky Event Log: Read
  • "Download updates to the Administration Server repository"
  • "Deliver reports"
  • "Distribute installation package"
  • "Install application on secondary Administration Servers remotely"
  • "Report on protection status"
  • "Report on threats"
  • "Report on most heavily infected devices"
  • "Report on status of anti-virus databases"
  • "Report on errors"
  • "Report on network attacks"
  • "Summary report on mail system protection applications installed"
  • "Summary report on perimeter defense applications installed"
  • "Summary report on types of applications installed"
  • "Report on users of infected devices"
  • "Report on incidents"
  • "Report on events"
  • "Report on activity of distribution points"
  • "Report on Secondary Administration Servers"
  • "Report on Device Control events"
  • "Report on vulnerabilities"
  • "Report on prohibited applications"
  • "Report on Web Control"
  • "Report on encryption status of managed devices"
  • "Report on encryption status of mass storage devices"
  • "Report on file encryption errors"
  • "Report on blockage of access to encrypted files"
  • "Report on rights to access encrypted devices"
  • "Report on effective user permissions"
  • "Report on rights"

None

General features: Deleted objects
  • Read
  • Modify
  • View deleted objects in the Recycle Bin: Read
  • Delete objects from the Recycle Bin: Modify

None

None

None

General features: Event processing
  • Delete events
  • Edit event notification settings
  • Edit event logging settings
  • Modify
  • Change events registration settings: Edit event logging settings
  • Change events notification settings: Edit event notification settings
  • Delete events: Delete events

None

None

Settings:

  • Virus outbreak settings: number of virus detections required to create a virus outbreak event
  • Virus outbreak settings: period of time for evaluation of virus detections
  • The maximum number of events stored in the database
  • Period of time for storing events from the deleted devices

General features: Operations on Administration Server
  • Read
  • Modify
  • Execute
  • Modify object ACLs
  • Perform operations on device selections
  • Specify ports of Administration Server for the network agent connection: Modify
  • Specify ports of Activation Proxy launched on the Administration Server: Modify
  • Specify ports of Activation Proxy for Mobile launched on the Administration Server: Modify
  • Specify ports of the Web Server for distribution of standalone packages: Modify
  • Specify ports of the Web Server for distribution of MDM profiles: Modify
  • Specify SSL ports of the Administration Server for connection via Kaspersky Security Center Web Console: Modify
  • Specify ports of the Administration Server for mobile connection: Modify
  • Specify the maximum number of events stored in the Administration Server database: Modify
  • Specify the maximum number of events that can be sent by the Administration Server: Modify
  • Specify time period during which events can be sent by the Administration Server: Modify
  • "Backup of Administration Server data"
  • "Databases maintenance"

None

None

General features: Kaspersky software deployment
  • Manage Kaspersky patches
  • Read
  • Modify
  • Execute
  • Perform operations on device selections

Approve or decline installation of the patch: Manage Kaspersky patches

None
  • "Report on license key usage by virtual Administration Server"
  • "Report on Kaspersky software versions"
  • "Report on incompatible applications"
  • "Report on versions of Kaspersky software module updates"
  • "Report on protection deployment"

Installation package: "Kaspersky"

General features: Key management
  • Export key file
  • Modify
  • Export key file: Export key file
  • Modify Administration Server license key settings: Modify

None

None

None

General features: Enforced report management
  • Read
  • Modify
  • Create reports regardless of their ACLs: Write
  • Execute reports regardless of their ACLs: Read

None

None

None

General features: Hierarchy of Administration Servers

Configure hierarchy of Administration Servers

Register, update, or delete secondary Administration Servers: Configure hierarchy of Administration Servers

None

None

None

General features: User permissions

Modify object ACLs
  • Change Security properties of any object: Modify object ACLs
  • Manage user roles: Modify object ACLs
  • Manage internal users: Modify object ACLs
  • Manage security groups: Modify object ACLs
  • Manage aliases: Modify object ACLs

None

None

None

General features: Virtual Administration Servers
  • Manage virtual Administration Servers
  • Read
  • Modify
  • Execute
  • Perform operations on device selections
  • Get list of virtual Administration Servers: Read
  • Get information on the virtual Administration Server: Read
  • Create, update, or delete a virtual Administration Server: Manage virtual Administration Servers
  • Move a virtual Administration Server to another group: Manage virtual Administration Servers
  • Set administration virtual Server permissions: Manage virtual Administration Servers

None

"Report on results of installation of third-party software updates"

None

Mobile device management: General

  • Connect new devices
  • Send only information commands to mobile devices
  • Send commands to mobile devices
  • Manage certificates
  • Read
  • Modify
  • Get Key Management Service restore data: Read
  • Delete user certificates: Manage certificates
  • Get user certificate public part: Read
  • Check if Public Key Infrastructure is enabled: Read
  • Check Public Key Infrastructure account: Read
  • Get Public Key Infrastructure templates: Read
  • Get Public Key Infrastructure templates by Extended Key Usage certificate: Read
  • Check if Public Key Infrastructure certificate is revoked: Read
  • Update user certificate issuance settings: Manage certificates
  • Get user certificate issuance settings: Read
  • Get packages by application name and version: Read
  • Set or cancel user certificate: Manage certificates
  • Renew user certificate: Manage certificates
  • Set user certificate tag: Manage certificates
  • Run generation of MDM installation package; cancel generation of MDM installation package: Connect new devices

None

None

None

System management: Connectivity
  • Start RDP sessions
  • Connect to existing RDP sessions
  • Initiate tunneling
  • Save files from devices to the administrator's workstation
  • Read
  • Modify
  • Execute
  • Perform operations on device selections
  • Create desktop sharing session: The right to create desktop sharing session
  • Create RDP session: Connect to existing RDP sessions
  • Create tunnel: Initiate tunneling
  • Save content network list: Save files from devices to the administrator's workstation

None

"Report on device users"

None

System management: Hardware inventory
  • Read
  • Modify
  • Execute
  • Perform operations on device selections
  • Get or export hardware inventory object: Read
  • Add, set or delete hardware inventory object: Write

None
  • "Report on hardware registry"
  • "Report on configuration changes"
  • "Report on hardware"

None

System management: Network access control
  • Read
  • Modify
  • View CISCO settings: Read
  • Change CISCO settings: Write

None

None

None

System management: Operating system deployment
  • Deploy PXE servers
  • Read
  • Modify
  • Execute
  • Perform operations on device selections
  • Deploy PXE servers: Deploy PXE servers
  • View a list of PXE servers: Read
  • Start or stop the installation process on PXE clients: Execute
  • Manage drivers for WinPE and operating system images: Modify

"Create installation package upon reference device OS image"

None

Installation package: "OS Image"

System management: Vulnerability and patch management

 

 
  • Read
  • Modify
  • Execute
  • Perform operations on device selections
  • View third-party patch properties: Read
  • Change third-party patch properties: Modify
  • "Perform Windows Update synchronization"
  • "Install Windows Update updates"
  • "Fix vulnerabilities"
  • "Install required updates and fix vulnerabilities"

"Report on software updates"

None

System management: Remote installation
  • Read
  • Modify
  • Execute
  • Perform operations on device selections
  • View third-party Vulnerability and Patch Management based installation package properties: Read
  • Change third-party Vulnerability and Patch Management based installation package properties: Modify

None

None

Installation packages:

  • "Custom application"
  • "VAPM package"

System management: Software inventory
  • Read
  • Modify
  • Execute
  • Perform operations on device selections

None

None
  • "Report on installed applications"
  • "Report on applications registry history"
  • "Report on status of licensed applications groups"
  • "Report on third-party software license keys"

None

Page top

[Topic 201621]

Predefined user roles

User roles assigned to Kaspersky Security Center users provide them with sets of access rights to application features.

You can use the predefined user roles with already configured set of rights, or create new roles and configure the required rights yourself. Some of the predefined user roles available in Kaspersky Security Center can be associated with specific job positions, for example, Auditor, Security Officer, Supervisor (these roles are present in Kaspersky Security Center starting from the version 11). Access rights of these roles are pre-configured in accordance with the standard tasks and scope of duties of the associated positions. The table below shows how roles can be associated with specific job positions.

Examples of roles for specific job positions

Role

Comment

Auditor

Permits all operations with all types of reports, all viewing operations, including viewing deleted objects (grants the Read and Write permissions in the Deleted objects area). Does not permit other operations. You can assign this role to a person who performs the audit of your organization.

Supervisor

Permits all viewing operations; does not permit other operations. You can assign this role to a security officer and other managers in charge of the IT security in your organization.

Security Officer

Permits all viewing operations, permits reports management; grants limited permissions in the System management: Connectivity area. You can assign this role to an officer in charge of the IT security in your organization.

The table below shows the access rights assigned to each predefined user role.

Access rights of predefined user roles

Role

Description

Administration Server Administrator

Permits all operations in the following functional areas:

  • General features:
    • Basic functionality
    • Event processing
    • Hierarchy of Administration Servers
    • Virtual Administration Servers
  • System management:
    • Connectivity
    • Hardware inventory
    • Software inventory

Administration Server Operator

Grants the Read and Execute rights in all of the following functional areas:

  • General features:
    • Basic functionality
    • Virtual Administration Servers
  • System management:
    • Connectivity
    • Hardware inventory
    • Software inventory

Auditor

Permits all operations in the functional areas, in General features:

  • Access objects regardless of their ACLs
  • Deleted objects
  • Enforced report management

You can assign this role to a person who performs the audit of your organization.

Installation Administrator

Permits all operations in the following functional areas:

  • General features:
    • Basic functionality
    • Kaspersky software deployment
    • License key management
  • System management:
    • Operating system deployment
    • Vulnerability and patch management
    • Remote installation
    • Software inventory

Grants the Read and Execute rights in the General features: Virtual Administration Servers functional area.

Installation Operator

Grants the Read and Execute rights in all of the following functional areas:

  • General features:
    • Basic functionality
    • Kaspersky software deployment (also grants the Manage Kaspersky patches right in this area)
    • Virtual Administration Servers
  • System management:
    • Operating system deployment
    • Vulnerability and patch management
    • Remote installation
    • Software inventory

Kaspersky Endpoint Security Administrator

Permits all operations in the following functional areas:

  • General features: Basic functionality
  • Kaspersky Endpoint Security area, including all features

Kaspersky Endpoint Security Operator

Grants the Read and Execute rights in all of the following functional areas:

  • General features: Basic functionality
  • Kaspersky Endpoint Security area, including all features

Main Administrator

Permits all operations in functional areas, except for the following areas, in General features:

  • Access objects regardless of their ACLs
  • Enforced report management

Main Operator

Grants the Read and Execute (where applicable) rights in all of the following functional areas:

  • General features:
    • Basic functionality
    • Deleted objects
    • Operations on Administration Server
    • Kaspersky software deployment
    • Virtual Administration Servers
  • Mobile Device Management: General
  • System management, including all features
  • Kaspersky Endpoint Security area, including all features

Mobile Device Management Administrator

Permits all operations in the following functional areas:

  • General features: Basic functionality
  • Mobile Device Management: General

Mobile Device Management Operator

Grants the Read and Execute rights in the General features: Basic functionality functional area.

Grants Read and Send only information commands to mobile devices in the Mobile Device Management: General functional area.

Security Officer

Permits all operations in the following functional areas, in General features:

  • Access objects regardless of their ACLs
  • Enforced report management

Grants the Read, Modify, Execute, Save files from devices to the administrator's workstation, and Perform operations on device selections rights in the System management: Connectivity functional area.

You can assign this role to an officer in charge of the IT security in your organization.

Self Service Portal User

Permits all operations in the Mobile Device Management: Self Service Portal functional area. This feature is not supported in Kaspersky Security Center 11 and later version.

Supervisor

Grants the Read right in the General features: Access objects regardless of their ACLs and General features: Enforced report management functional areas.

You can assign this role to a security officer and other managers in charge of the IT security in your organization.

Vulnerability and Patch Management Administrator

Permits all operations in the General features: Basic functionality and System management (including all features) functional areas.

Vulnerability and Patch Management Operator

Grants the Read and Execute (where applicable) rights in the General features: Basic functionality and System management (including all features) functional areas.

Page top

[Topic 173787]

Adding a user role

To add a user role:

  1. In the console tree, select the node with the name of the required Administration Server.
  2. In the context menu of the Administration Server, select Properties.
  3. In the Administration Server properties window, in the Sections pane select User roles and click the Add button.

    The User roles section is available if the Display security settings sections option is enabled.

  4. In the New role properties window, configure the role:
    • In the Sections, select General and specify the name of the role.

      The name of a role cannot be more than 100 characters long.

    • Select the Rights section, and configure the set of rights by selecting the Allow and Deny check boxes next to the application features.

    If you are operating on the primary Administration Server, you can enable the Relay list of roles to secondary Administration Servers option.

  5. Click OK.

The role is added.

User roles that have been created for Administration Server are displayed in the Administration Server properties window, in the User roles section. You can modify and delete user roles, as well as assign roles to user groups or selected users.

Page top

[Topic 89268]

Assigning a role to a user or a user group

To assign a role to a user or a group of users:

  1. In the console tree, select the node with the name of the required Administration Server.
  2. In the context menu of the Administration Server, select Properties.
  3. In the Administration Server properties window, select the Security section.

    The Security section is available if the Display security settings sections check box is selected in the interface settings window.

  4. In the Names of groups or users field, select a user or a group of users to which you want to assign a role.

    If the user or the group is not contained in the field, you can add it by clicking the Add button.

    When you add a user by clicking the Add button, you can select the type of user authentication (Microsoft Windows or Kaspersky Security Center). Kaspersky Security Center authentication is used for selecting the accounts of internal users that are used for working with virtual Administration Servers.

  5. Select the Roles tab and click the Add button.

    The User roles window opens. This window displays user roles that have been created.

  6. In the User roles window, select a role for the user group.
  7. Click OK.

The role with a set of rights for working with Administration Server is assigned to the user or the user group. Roles that have been assigned are displayed on the Roles tab in the Security section of the Administration Server properties window.

Page top

[Topic 89269]

Assigning permissions to users and groups

You can give users and groups permissions to use different features of Administration Server and of the Kaspersky programs for which you have management plug-ins, for example, Kaspersky Endpoint Security for Windows.

To assign permissions to a user or a group of users:

  1. In the console tree, do one of the following:
    • Expand the Administration Server node and select the subfolder with the name of the required Administration Server.
    • Select the administration group.
  2. In the context menu of the Administration Server or the administration group, select Properties.
  3. In the Administration Server properties window (or the administration group properties window) that opens, in the left Sections pane select Security.

    The Security section is available if the Display security settings sections check box is selected in the interface settings window.

  4. In the Security section, in the Names of groups or users list select a user or a group.
  5. In the permissions list in the lower part of the workspace, on the Rights tab configure the set of rights for the user or group:
    1. Click the plus signs (+) to expand the nodes in the list and gain access to the permissions.
    2. Select the Allow and Deny check boxes next to the permissions that you want.

      Example 1: Expand the Access objects regardless of their ACLs node or Deleted objects node, and select Read.

      Example 2: Expand the Basic functionality node, and select Write.

  6. When you have configured the set of rights, click Apply.

The set of rights for the user or group of users will be configured.

The permissions of the Administration Server (or the administration group) are divided into the following areas:

  • General features:
    • Management of administration groups (only for Kaspersky Security Center 11 or later)
    • Access objects regardless of their ACLs (only for Kaspersky Security Center 11 or later)
    • Basic functionality
    • Deleted objects (only for Kaspersky Security Center 11 or later)
    • Event processing
    • Operations on Administration Server (only in the property window of Administration Server)
    • Deploy Kaspersky applications
    • License key management
    • Enforced report management (only for Kaspersky Security Center 11 or later)
    • Hierarchy of Servers
    • User rights
    • Virtual Administration Servers
  • Mobile Device Management:
    • General
  • System Management:
    • Connectivity
    • Hardware inventory
    • Network Access Control
    • Deploy operating system
    • Manage vulnerabilities and patches
    • Remote installation
    • Software inventory

If neither Allow nor Deny is selected for a permission, then the permission is considered undefined: it is denied until it is explicitly denied or allowed for the user.

The rights of a user are the sum of the following:

  • User's own rights
  • Rights of all the roles assigned to this user
  • Rights of all the security group to which the user belongs
  • Rights of all the roles assigned to the security groups to which the user belongs

If at least one of these sets of rights has Deny for a permission, then the user is denied this permission, even if other sets allow it or leave it undefined.

Page top

[Topic 172173]

Propagating user roles to secondary Administration Servers

By default, the lists of user roles of the primary and secondary Administration Servers are independent. You can configure the application to automatically propagate the user roles created on the primary Administration Server to all of the secondary Administration Servers. The user roles can also be propagated from a secondary Administration Server to its own secondary Administration Servers.

To propagate user roles from the primary Administration Server to the secondary Administration Servers:

  1. Open the main application window.
  2. Do one of the following:
    • In the console tree, right-click the name of the Administration Server and select Properties in the context menu.
    • If you have an active Administration Server policy, in the workspace of the Policies folder, right-click this policy and select Properties in the context menu.
  3. In the Administration Server properties window, or in the policy settings window, in the Sections pane select User roles.

    The User roles section is available if the Display security settings sections option is enabled.

  4. Enable the Relay list of roles to secondary Administration Servers option.
  5. Click OK.

The application copies the user roles of the primary Administration Server to the secondary Administration Servers.

When the Relay list of roles to secondary Administration Servers option is enabled and the user roles are propagated, they cannot be edited or deleted on the secondary Administration Servers. When you create a new role or edit an existing one on the primary Administration Server, the changes are automatically copied to the secondary Administration Servers. When you delete a user role on the primary Administration Server, this role remains on the secondary Administration Servers afterward, but it can be edited or deleted.

The roles that are propagated to the secondary Administration Server from the primary Server are displayed with the lock icon (). You cannot edit these roles on the secondary Administration Server.

If you create a role on the primary Administration Server, and there is a role with the same name on its secondary Administration Server, the new role is copied to the secondary Administration Server with the index added to its name, for example, ~~1, ~~2 (the index can be random).

If you disable the Relay list of roles to secondary Administration Servers option, all the user roles remain on the secondary Administration Servers, but they become independent from those on the primary Administration Server. After becoming independent, the user roles on the secondary Administration Servers can be edited or deleted.

Page top
[Topic 173211]