Users and roles
This section describes how to manage users and user roles, and provides instructions on creating, editing, and deleting them.
Managing users
Multiple users can have access to Kaspersky Container Security. A user account is created for each user, and one or more user roles are assigned to them.
The list of Kaspersky Container Security users is displayed in the table in the Administration → Access management → Users section.
You can do the following:
- Add users.
- View and edit user account settings.
- Reset password for the selected accounts.
- Delete users.
- Sort values in the list of users by clicking the icon in the corresponding column (displayed user name, user name, assigned role). Sorting can be done in alphabetical order and reverse alphabetical order.
- Search by user name by using the Search by user name field above the table.
About user roles
A user role in Kaspersky Container Security is a set of permissions to perform certain actions in the solution web interface. Depending on their role, users have access to different sections and functional capabilities.
Kaspersky Container Security provides user roles as well as system roles, which have predefined sets of access permissions to perform common tasks for protecting container environments.
The following system roles are provided during initial installation of the solution:
- The Administrator of Kaspersky Container Security role is intended for users who are tasked with deploying and supporting the infrastructure and system software required for the solution to work (for example, operating systems, application servers, and databases). These users manage user accounts, roles and access permissions in Kaspersky Container Security.
In the web interface, this role is indicated by the KCSADM abbreviation.
- The Information Security Administrator (IS Administrator) role is intended for users who are tasked with creating and managing user accounts, roles and access permissions of users, changing settings, connecting public image registries, Agents and outputs, and configuring security policies.
In the web interface, this role is indicated by the ISADM abbreviation.
- The IS auditor role is intended for users who view the resources and user list of a solution, and who monitor the results of scans and compliance checks.
In the web interface, this role is indicated by the ISAUD abbreviation.
- The IS officer role is intended for users who view and manage security policies, connect public image registries, and view the results of runtime container analyses for projects in which these users are directly involved.
In the web interface, this role is indicated by the ISOFF abbreviation.
- The Developer role is intended for users who perform compliance checks and view the results of scanning images from registries and CI/CD, cluster resources and accepted risks.
In the web interface, this role is indicated by the DEV abbreviation.
You can assign system roles to user accounts when creating or viewing these user accounts.
Multiple user roles can be assigned to a user.
If a specific system role is not needed, you can delete it.
However, you cannot delete the last active system role that has permissions to manage other roles.
If the available system roles do not offer the required access permissions, you can create your own unique sets of permissions as custom roles.
When creating custom roles, consider the necessary set of permissions for accessing related functionalities. For example:
- To view and configure the settings of the response policies, you need permission to view integrations with notification services. If this permission is not granted, Kaspersky Container Security will display an error when you try to configure a response policy.
- Permissions to manage response policies must be granted together with permissions to manage notifications; otherwise, you will not be able to select the outputs in the policy settings.
- To create a user, you need permission to view and manage roles. If such permission is not granted, only the dashboard is displayed to the created user.
- The permission to manage users must be granted together with the permission to manage roles; otherwise, you will not be able to assign a role when creating a user.
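The following Python script is an added example, not part of the product or its documentation: it checks custom-role permission sets against the dependencies listed above before the roles are created. The permission identifiers and sample roles are hypothetical labels, and treating a user's effective permissions as the union of the assigned roles is an assumption.

```python
# Added example. Permission identifiers are hypothetical labels, not the
# product's own names; SAMPLE_ROLES is constructed data.

# permission -> [(permission it depends on, symptom when that one is missing)]
RULES = {
    "response_policies.manage": [
        ("notification_integrations.view", "error when configuring the policy"),
        ("notifications.manage", "outputs cannot be selected in the policy"),
    ],
    "users.manage": [
        ("roles.view", "created user is shown only the dashboard"),
        ("roles.manage", "no role can be assigned when creating a user"),
    ],
}


def lint_permissions(granted):
    """Return (permission, missing dependency, symptom) for each unmet rule."""
    granted = set(granted)
    return [
        (perm, required, symptom)
        for perm, needs in RULES.items() if perm in granted
        for required, symptom in needs if required not in granted
    ]


def lint_roles(roles):
    """Lint each role on its own; roles without findings are omitted."""
    report = {rid: lint_permissions(perms) for rid, perms in roles.items()}
    return {rid: found for rid, found in report.items() if found}


def lint_user(assigned_role_ids, roles):
    """Lint the union of a user's roles (assumption: permissions add up)."""
    effective = set().union(*(roles[rid] for rid in assigned_role_ids))
    return lint_permissions(effective)


# Constructed sample roles; IDs use uppercase Latin letters and digits only.
SAMPLE_ROLES = {
    "POLICYOPS": {"response_policies.manage", "notification_integrations.view"},
    "HELPDESK": {"users.manage", "roles.view"},
    "NOTIFY": {"notifications.manage", "notification_integrations.view"},
}

if __name__ == "__main__":
    for rid, found in lint_roles(SAMPLE_ROLES).items():
        for perm, missing, symptom in found:
            print(f"{rid}: {perm} requires {missing} ({symptom})")
```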
You can assign user roles to user accounts just like with system roles. In addition, you can also change the settings of user roles and delete user roles.
When assigning the scopes to roles, you must take into account that a security policy can be implemented within a specific scope only if this scope is assigned to one of your roles.
If you integrated the solution with an LDAP server, Kaspersky Container Security also receives and displays the roles and user groups from the Active Directory service.
Working with system roles
The table below lists the main actions that are available to users with system roles in the Kaspersky Container Security web interface.
User roles and their available actions
Action | Administrator of Kaspersky Container Security | IS Administrator | IS auditor | IS officer | Developer |
---|---|---|---|---|---|
View image scan results | | | | | |
Manually start scanning images | | | | | |
Manage risks (accept a risk, edit a risk and cancel risk acceptance) | | | | | |
View risks | | | | | |
View clusters | | | | | |
View registries | | | | | |
Add an image to a registry | | | | | |
Delete a repository/image from a registry | | | | | |
View CI/CD | | | | | |
View Agents | | | | | |
View standards | | | | | |
Start benchmark compliance check | | | | | |
View policies | | | | | |
Manage policies | | | | | |
View the list of users | | | | | |
Manage users, roles and permission sets | | | | | |
View image registry integrations | | | | | |
Manage image registries | | | | | |
View integrations with notification services | | | | | |
Manage integrations with notification services | | | | | |
View connection settings | | | | | |
Manage LDAP server integration | | | | | |
Displaying the list of roles
Kaspersky Container Security displays the list of active roles in the Administration → Access management → Roles section.
The table presents all active system roles and user roles, indicating for each its ID, name, and the user assigned the role.
Adding users and roles
To add a user account:
- In the Administration → Access management → Users section, click the Add user button above the list of users.
- In the window that opens, specify the following settings:
- User name is a unique value that must be assigned to a user for identification within Kaspersky Container Security.
A user name can include only letters of the English alphabet and numerals. The minimum user name length is 4 characters, and the maximum user name length is 254 characters.
- Display name (optional) is the value that is displayed in the solution web interface. If this parameter is not specified, the user name is displayed in the web interface.
- Email (optional).
- Enter the password in the Password field.
Passwords have the following requirements:
- The password must contain numerals, special characters, and uppercase and lowercase letters.
- The minimum password length is 6 characters, and the maximum password length is 72 characters. The default password length is 8 characters.
- Confirm the entered password in the Confirm password field.
- Select the check box if the user should change the password the next time the solution starts.
- Assign a role to the user by selecting from the list of available roles.
While you are not required to assign a role when creating a user, a new user without an assigned role will not be able to interact with Kaspersky Container Security.
- Click Add.
To add a user, permission to view and configure settings is required. If you do not have this permission, any user you add will only be able to view the main page of the solution.
To add a user role:
- In the Administration → Access management → Roles section, click the Add role button above the list of roles.
- In the window that opens, specify the following values:
- Role ID is a unique value that must be assigned to a role for identification within Kaspersky Container Security.
The role ID can include uppercase Latin letters and numbers. A role ID cannot contain special characters or spaces.
- Role name is the value displayed in the solution web interface.
- Description (optional).
- In the Active Directory mapping field, specify the Active Directory groups that the user belongs to.
- Select the check boxes next to the permissions that will be available for the role being added.
- Click Add.
Editing the settings of users and roles
To edit a user account:
- In the Administration → Access management → Users section, click the user name in the list of users.
- In the window that opens, make the necessary changes.
If you make changes to a user account with administrator privileges, do not delete all roles, since doing so results in the loss of administrator access to the solution.
- Click Save.
To edit a user role:
- In the Administration → Access management → Roles section, click the role identifier in the Role ID column in the list of roles.
- In the opened window, make the necessary changes.
- Click Save.
After a role is modified, all users who have the role assigned must be reauthorized.
Resetting the password for user accounts
To reset the password for a user account:
- Go to the Administration → Access management → Users section.
- Do one of the following:
- In the user list, select the row of the specific user account, then click the Reset password link above the table.
- In the user account row, open the menu and select Reset password.
Deleting users and roles
To delete a user account:
- In the Administration → Access management → Users section, do one of the following:
- Select the user from the row of the specific user account, then click the Delete link above the table containing the list of users.
You can select one or more user accounts.
- In the row with the user account, open the menu and select Delete user.
- In the window that opens, confirm deletion by clicking Delete.
The user account used for authorization in Kaspersky Container Security cannot be deleted.
To delete a user role:
- In the Administration → Access management → Roles section, in the role row in the list of roles, click the deletion icon.
- In the window that opens, confirm deletion by clicking Delete.
The last active system role that has permissions to manage other user roles cannot be deleted.
It is also impossible to delete a role that is assigned to a specific user.