Kaspersky Container Security

Users and roles

This section describes how to manage users and user roles, and provides instructions on creating, editing, and deleting them.

In this Help section

Managing users

About user roles

Working with system roles

Displaying the list of roles

Adding users and roles

Editing the settings of users and roles

Resetting the password for user accounts

Deleting users and roles


Managing users

Multiple users can have access to Kaspersky Container Security. A user account is created for each user, and one or more user roles are assigned to them.

The list of Kaspersky Container Security users is displayed in the table in the Administration → Access management → Users section.

You can do the following:


About user roles

A user role in Kaspersky Container Security is a set of permissions to perform certain actions in the solution web interface. Depending on their role, users have access to different sections and functional capabilities.

Kaspersky Container Security provides user roles as well as system roles, which have predefined sets of access permissions to perform common tasks for protecting container environments.

The following system roles are provided during initial installation of the solution:

  • The Administrator of Kaspersky Container Security role is intended for users who are tasked with deploying and supporting the infrastructure and system software required for the solution to work (for example, operating systems, application servers, and databases). These users manage user accounts, roles and access permissions in Kaspersky Container Security.

    In the web interface, this role is indicated by the KCSADM abbreviation.

  • The Information Security Administrator (IS Administrator) role is intended for users who are tasked with creating and managing user accounts, roles and access permissions of users, changing settings, connecting public image registries, Agents and outputs, and configuring security policies.

    In the web interface, this role is indicated by the ISADM abbreviation.

  • The IS auditor role is intended for users who view the resources and user list of a solution, and who monitor the results of scans and compliance checks.

    In the web interface, this role is indicated by the ISAUD abbreviation.

  • The IS officer role is intended for users who view and manage security policies, connect public image registries, and view the results of runtime container analyses for projects in which these users are directly involved.

    In the web interface, this role is indicated by the ISOFF abbreviation.

  • The Developer role is intended for users who perform compliance checks and view the results of scanning images from registries and CI/CD, cluster resources and accepted risks.

    In the web interface, this role is indicated by the DEV abbreviation.

You can assign system roles to user accounts when creating or viewing these user accounts.

Multiple user roles can be assigned to a user.

If a specific system role is not needed, you can delete it.

However, you cannot delete the last active system role that has permissions to manage other roles.

If the available system roles do not offer the required access permissions, you can create your own unique sets of permissions as custom roles.

When creating custom roles, consider the necessary set of permissions for accessing related functionalities. For example:

  • To view and configure the settings of the response policies, you need permission to view integrations with notification services. If this permission is not granted, Kaspersky Container Security will display an error when you try to configure a response policy.
  • Permissions to manage response policies must be granted together with permissions to manage notifications; otherwise, you will not be able to select the outputs in the policy settings.
  • To create a user, you need permission to view and manage roles. If such permission is not granted, only the dashboard is displayed to the created user.
  • The permission to manage users must be granted together with the permission to manage roles; otherwise, you will not be able to assign a role when creating a user.
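The dependencies listed above can be checked on a drafted custom role before it is created in the web interface. The following Python check is an added example, not Kaspersky code; the permission labels and the draft roles are hypothetical shorthand for the check boxes in the role window, not product identifiers.

```python
# Added example: pre-flight check of a drafted custom role against the
# permission dependencies listed above. Permission labels are hypothetical
# shorthand for the check boxes in the role window, not product identifiers.

# (permission, permission it must be granted with, effect when missing)
RULES = [
    ("view_response_policies", "view_notification_integrations",
     "error when configuring a response policy"),
    ("manage_response_policies", "view_notification_integrations",
     "error when configuring a response policy"),
    ("manage_response_policies", "manage_notifications",
     "outputs cannot be selected in the policy settings"),
    ("manage_users", "view_roles",
     "a created user sees only the dashboard"),
    ("manage_users", "manage_roles",
     "no role can be assigned when creating a user"),
]

def missing_dependencies(granted):
    """Return (permission, missing companion, effect) for each broken rule."""
    granted = set(granted)
    return [(permission, needed, effect)
            for permission, needed, effect in RULES
            if permission in granted and needed not in granted]

# Constructed draft roles: role ID -> permissions selected for the role
DRAFT_ROLES = {
    "POLICYOPS": ["view_response_policies", "manage_response_policies",
                  "view_notification_integrations"],
    "HELPDESK": ["view_users", "manage_users"],
    "RESPONDER": ["view_response_policies", "manage_response_policies",
                  "view_notification_integrations", "manage_notifications"],
}

if __name__ == "__main__":
    for role_id, permissions in DRAFT_ROLES.items():
        findings = missing_dependencies(permissions)
        if not findings:
            print(f"{role_id}: all dependencies satisfied")
        for permission, needed, effect in findings:
            print(f"{role_id}: {permission} needs {needed} ({effect})")
```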

You can assign user roles to user accounts in the same way as system roles. You can also change the settings of user roles and delete user roles.

When assigning scopes to roles, take into account that a security policy can be implemented within a specific scope only if this scope is assigned to one of your roles.

If you integrated the solution with an LDAP server, Kaspersky Container Security also receives and displays the roles and user groups from the Active Directory service.


Working with system roles

The table below lists the main actions that are available to users with system roles in the Kaspersky Container Security web interface.

User roles and their available actions

| Action | Administrator of Kaspersky Container Security | IS Administrator | IS auditor | IS officer | Developer |
|---|---|---|---|---|---|
| View image scan results | No | Yes | Yes | Yes | Yes |
| Manually start scanning images | No | Yes | No | Yes | No |
| Manage risks (accept a risk, edit a risk and cancel risk acceptance) | No | Yes | No | Yes | No |
| View risks | No | Yes | No | Yes | Yes |
| View clusters | No | No | Yes | Yes | Yes |
| View registries | No | Yes | Yes | Yes | Yes |
| Add an image to a registry | No | Yes | No | Yes | No |
| Delete a repository/image from a registry | No | Yes | No | Yes | No |
| View CI/CD | No | Yes | Yes | Yes | Yes |
| View Agents | No | Yes | No | No | No |
| View standards | No | No | Yes | Yes | Yes |
| Start benchmark compliance check | No | No | No | Yes | No |
| View policies | No | Yes | Yes | Yes | No |
| Manage policies | No | Yes | No | Yes | No |
| View the list of users | Yes | Yes | Yes | No | No |
| Manage users, roles and permission sets | Yes | Yes | No | No | No |
| View image registry integrations | No | Yes | Yes | Yes | No |
| Manage image registries | No | Yes | No | Yes | No |
| View integrations with notification services | No | Yes | Yes | No | No |
| Manage integrations with notification services | No | Yes | No | No | No |
| View connection settings | Yes | Yes | No | No | No |
| Manage LDAP server integration | No | Yes | No | No | No |


Displaying the list of roles

Kaspersky Container Security displays the list of active roles in the Administration → Access management → Roles section.

The table lists all active system roles and user roles, indicating for each role its ID, name, and the user assigned to the role.


Adding users and roles

To add a user account:

  1. In the Administration → Access management → Users section, click the Add user button above the list of users.
  2. In the window that opens, specify the following settings:
    • User name is a unique value that must be assigned to a user for identification within Kaspersky Container Security.

      A user name can include only letters of the English alphabet and numerals. The minimum user name length is 4 characters, and the maximum user name length is 254 characters.

    • Display name (optional) is the value that is displayed in the solution web interface. If this parameter is not specified, the user name is displayed in the web interface.
    • Email (optional).
  3. Enter the password in the Password field.

    Passwords have the following requirements:

    • The password must contain numerals, special characters, and uppercase and lowercase letters.
    • The minimum password length is 6 characters, and the maximum password length is 72 characters. The default password length is 8 characters.
  4. Confirm the entered password in the Confirm password field.
  5. Select the check box if the user should change the password the next time the solution starts.
  6. Assign a role to the user by selecting from the list of available roles.

    While you are not required to assign a role when creating a user, a new user without an assigned role will not be able to interact with Kaspersky Container Security.

  7. Click Add.

To add a user, permission to view and configure settings is required. If you do not have this permission, any user you add will only be able to view the main page of the solution.

To add a user role:

  1. In the Administration → Access management → Roles section, click the Add role button above the list of roles.
  2. In the window that opens, specify the following values:
    • Role ID is a unique value that must be assigned to a role for identification within Kaspersky Container Security.

      The role ID can include uppercase Latin letters and numbers. A role ID cannot contain special characters or spaces.

    • Role name is the value displayed in the solution web interface.
    • Description (optional).
  3. In the Active Directory mapping field, specify the Active Directory groups that the user belongs to.
  4. Select the check boxes next to the permissions that will be available for the role being added.
  5. Click Add.

Editing the settings of users and roles

To edit a user account:

  1. In the Administration → Access management → Users section, click the user name in the list of users.
  2. In the window that opens, make the necessary changes.

    If you make changes to a user account with administrator privileges, do not delete all of its roles, since doing so results in the loss of administrator access to the solution.

  3. Click Save.

To edit a user role:

  1. In the Administration → Access management → Roles section, click the role identifier in the Role ID column in the list of roles.
  2. In the window that opens, make the necessary changes.
  3. Click Save.

    After a role is modified, all users to whom the role is assigned must be reauthorized.


Resetting the password for user accounts

To reset the password for a user account:

  1. Go to the Administration → Access management → Users section.
  2. Do one of the following:
    • In the user list, select the row of the specific user account, then click the Reset password link above the table.
    • In the user account row, open the context menu and select Reset password.

Deleting users and roles

To delete a user account:

  1. In the Administration → Access management → Users section, do one of the following:
    • Select the row of the specific user account, then click the Delete link above the table containing the list of users.

      You can select one or more user accounts.

    • In the row with the user account, open the context menu and select Delete user.
  2. In the window that opens, confirm deletion by clicking Delete.

    The user account used for authorization in Kaspersky Container Security cannot be deleted.

To delete a user role:

  1. In the Administration → Access management → Roles section, in the role row in the list of roles, click the deletion icon.
  2. In the window that opens, confirm deletion by clicking Delete.

The last active system role that has permissions to manage other user roles cannot be deleted.
It is also impossible to delete a role that is assigned to a specific user.
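
The restrictions above, together with the warning in "Editing the settings of users and roles" about removing all roles from an administrator account, can be checked against a list of role assignments before a change is made. The following Python check is an added example, not Kaspersky code; the user names and assignments are constructed, and the set of roles that can manage roles is taken from the table in "Working with system roles".

```python
# Added example: lockout checks to run before editing role assignments or
# deleting a role. Sample data is constructed, not exported from the product.

# System roles that hold "Manage users, roles and permission sets" in the
# table under "Working with system roles". Assumption: extend this set with
# any custom role that has been granted the same permission.
ROLE_MANAGERS = {"KCSADM", "ISADM"}

def role_admins(assignments):
    """Users holding at least one role that can manage users and roles."""
    return sorted(user for user, roles in assignments.items()
                  if ROLE_MANAGERS & set(roles))

def check_role_removal(assignments, user, roles_to_remove):
    """Simulate removing roles from one account; return (safe, message)."""
    after = {u: set(roles) for u, roles in assignments.items()}
    after[user] -= set(roles_to_remove)
    remaining = role_admins(after)
    if not remaining:
        return False, "no account would be left that can manage users and roles"
    if not after[user]:
        return True, f"{user} would have no role and could not use the solution"
    return True, "role managers remaining: " + ", ".join(remaining)

def check_role_deletion(assignments, active_roles, role_id):
    """Apply the two deletion rules from this page; return (allowed, message)."""
    holders = sorted(u for u, roles in assignments.items() if role_id in roles)
    if holders:
        return False, "role is still assigned to: " + ", ".join(holders)
    others = set(active_roles) - {role_id}
    if role_id in ROLE_MANAGERS and not (ROLE_MANAGERS & others):
        return False, "last active role with permission to manage roles"
    return True, "deletion allowed"

# Constructed sample state: user name -> assigned role IDs
ASSIGNMENTS = {"alice": ["ISADM"], "bruno": ["ISAUD", "DEV"], "carol": ["ISOFF"]}
ACTIVE_ROLES = ["KCSADM", "ISADM", "ISAUD", "ISOFF", "DEV"]

if __name__ == "__main__":
    print(check_role_removal(ASSIGNMENTS, "alice", ["ISADM"]))
    print(check_role_removal(ASSIGNMENTS, "bruno", ["DEV"]))
    print(check_role_deletion(ASSIGNMENTS, ACTIVE_ROLES, "DEV"))
    print(check_role_deletion(ASSIGNMENTS, ACTIVE_ROLES, "KCSADM"))
```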
