Users, roles, and scopes

This section describes how to work with users and user roles, and provides instructions on how to create, edit, and delete them. This section also describes how to use scopes to give different levels of access to different user roles.

Managing users

Multiple users can have access to Kaspersky Container Security. A user account is created for each user, and one or more user roles are assigned to them.

The list of Kaspersky Container Security users is displayed in the table in the Administration → Access management → Users section.

You can do the following:

• Add users.
• View and edit user account settings.
• Reset password for the selected accounts.
• Delete users.
• Sort values in the list of users by clicking the icon in the corresponding column (displayed user name, user name, assigned role). Sorting can be done in alphabetic order and reverse alphabetical order.
• Search by user name by using the Search by user name field above the table.

About user roles

A user role in Kaspersky Container Security is a set of permissions to perform certain actions in the solution web interface. Depending on their role, users have access to different sections and functional capabilities.

Kaspersky Container Security provides user roles as well as system roles, which have predefined sets of access permissions to perform common tasks for protecting container environments.

The following system roles are provided during initial installation of the solution:

• The Administrator of Kaspersky Container Security role is intended for users who are tasked with deploying and supporting the infrastructure and system software required for the solution to work (for example, operating systems, application servers, and databases). These users manage user accounts, roles and access permissions in Kaspersky Container Security.

  In the web interface, this role is indicated by the KCSADM abbreviation.

• The Information Security Administrator (IS Administrator) role is intended for users who are tasked with creating and managing user accounts, roles and access permissions of users, changing settings, connecting public image registries, Agents and outputs, and configuring security policies.

  In the web interface, this role is indicated by the ISADM abbreviation.

• The IS auditor role is intended for users who view the resources and user list of a solution, and who monitor the results of scans and compliance checks.

  In the web interface, this role is indicated by the ISAUD abbreviation.

• The IS officer role is intended for users who view and manage security policies, connect public image registries, and view the results of runtime container analyses for projects in which these users are directly involved.

  In the web interface, this role is indicated by the ISOFF abbreviation.

• The Developer role is intended for users who perform compliance checks and view the results of scanning images from registries and CI/CD, cluster resources and accepted risks.

  In the web interface, this role is indicated by the DEV abbreviation.

You can assign system roles to user accounts when creating or viewing these user accounts.

Multiple user roles can be assigned to a user.

If a specific system role is not needed, you can delete it.

However, you cannot delete the last active system role that has permissions to manage other roles.

If the available system roles do not offer the required access permissions, you can create your own unique sets of permissions as custom roles.

When creating custom roles, consider the necessary set of permissions for accessing related functionalities. For example:

• To view and configure the settings of the response policies, you need permission to view integrations with notification services. If this permission is not granted, Kaspersky Container Security will display an error when you try to configure a response policy.
• Permissions to manage response policies must be granted with permissions to manage notifications, otherwise, you will not be able to select the outputs in the policy settings.
• To create a user, you need permission to view and manage roles. If such permission is not granted, only the dashboard is displayed to the created user.
• The permission to manage users must be granted together with the permission to manage roles, otherwise you will not be able to assign a role when creating a user.

You can assign user roles to user accounts just like with system roles. In addition, you can also change the settings of user roles and delete user roles.

When assigning the scopes to roles, you must take into account that a security policy can be implemented within a specific scope only if this scope is assigned to one of your roles.

If you integrated the solution with an LDAP server, Kaspersky Container Security also receives and displays the roles and user groups from the Active Directory service.

Working with system roles

The table below lists the main actions that are available to users with system roles in the Kaspersky Container Security web interface after installation.

User roles and their available actions

Displaying list of roles

Kaspersky Container Security displays the list of active roles in the Administration → Access management → Roles section.

The table presents all active system roles and user roles and indicates ID, name, and number of users assigned to the specific role. If you have configured integration with LDAP, the table also shows Active Directory user groups that correspond to the user roles in Kaspersky Container Security.

About scopes

In Kaspersky Container Security, a scope is a resource list of reasons why the solution is being used (e.g. specific cluster, multiple external registries, or specific namespaces).

Scopes are used for the following purposes:

• To differentiate access to resources, for example, in order to monitor the operation of clusters, registries, or namespaces.

  This access control is performed by assigning a scope when creating a scope or editing its settings.

• To distinguish the objects that policies and scans are applied to.

  These objects are differentiated by assigning a scope when creating security policies or editing their settings.

In Kaspersky Container Security, you can add your own scopes or assign the default global scope to users.

The default scope includes access to all solution resources. This scope is added by default during installation of Kaspersky Container Security.

You cannot change the settings of the default scope or delete it.

Only a user with the appropriate rights can access the default scope. To assign default scope to other users and roles, you need to have permission to manage the default scope.

If you assign the default scope to a policy, the policy will be applied to all resources and applied in all environments.

Scopes and enforcement of security policies

In Kaspersky Container Security, scopes are specified for all security policies. To ensure that all necessary resources are scanned, each policy can be assigned one or more scopes. Moreover, the same scope can be specified in multiple policies.

Regardless of the number of policies implemented in a scope (for example, when scanning an image or scanning a cluster in a runtime), all security policies are applied.

When multiple security policies and multiple scopes are applied simultaneously, the following rules apply:

• For scanner policies: scanning is performed using a cumulative list of settings that is obtained by combining all scanner policies in force within the scope.
• For assurance policies: when scanning images, all policies applicable to the scanned resources are applied, in line with specified scopes.
• For response policies: when events occur, the user is notified using the notification tools specified in all response policies applicable to resources specified in the assigned scopes.
• For runtime policies: containers are monitored and, if necessary, blocked from running in the runtime in accordance with all applicable policies assigned to the scope.

  If a scope includes an object subject to a runtime policy in Audit mode and a runtime policy in Enforce mode, all actions specified in the runtime policies are applied in Enforce mode.

Switching between scopes

In Kaspersky Container Security, several scopes can be assigned to a role. You can view the list of available scopes or switch scopes in order to access resources available in a different scope.

When switching between scopes, bear in mind the following:

• If you select the scope with resources by registry, in the Resources → Clusters section, Kaspersky Container Security does not display a list of clusters, namespaces, and pods. A full visual representation of the links between resources is displayed, but you cannot view information about an object that is outside of the available scope.
• Select the scope with resources by cluster, in the Resources → Registries section. Kaspersky Container Security then displays a list of the images used to start the containers in clusters.
• In the Scanners section, you can view lists of all scanners and scan tasks. However, you will not be able to view information about a scanned object if it is not within a scope that is available to you.
• In the Compliance → Kubernetes benchmarks section, Kaspersky Container Security displays a list of all nodes within clusters in the scope, regardless of the level of cluster detail in the scope. However, you cannot view information about a cluster node if it is not within a scope that is available to you.
• In the Policies section, Kaspersky Container Security shows the following:
  1. All policies in which at least one of the author's roles matches your role.
  2. All policies in which at least one scope matches the scope you selected.
  3. All policies that are linked to scopes assigned to your roles. However, you cannot delete these policies or edit their settings.

To switch the scope:

1. Go to one of the following sections:
   • Resources → Clusters.
   • Resources → Registries.
   • Compliance → Kubernetes benchmarks.
   • Subsections of the Policies section: Scanner policies, Assurance policies, Response policies, or Runtime policies.
2. In the drop-down list of available scopes in the upper right part of the window, select the required scope.

   You can also activate all the scopes by selecting All in the list.

Adding users, roles, and scopes

To add a user account:

1. In the Administration → Access management → Users section, click the Add user button above the list of users.
2. In the window that opens, specify the following settings:
   • User name is a unique value that must be assigned to a user for identification within Kaspersky Container Security.

     A user name can include only letters of the English alphabet and numerals. The minimum user name length is 4 characters, and the maximum user name length is 254 characters.

   • Display name (optional) is the value that is displayed in the solution web interface. If this parameter is not specified, the user name is displayed in the web interface.
   • Email (optional).
3. Enter the password in the Password field.

   Passwords have the following requirements:

   • The password must contain numerals, special characters, and uppercase and lowercase letters.
   • The minimum password length is 6 characters, and the maximum password length is 72 characters. The default password length is 8 characters.
4. Confirm the entered password in the Confirm password field.
5. Select the check box if the user should change the password the next time the solution starts.
6. Assign a role to the user by selecting from the list of available roles.

   While you are not required to assign a role when creating a user, a new user without an assigned role will not be able to interact with Kaspersky Container Security.

7. Click Add.

To add a user, permission to view and configure settings is required. If you do not have this permission, any user you add will only be able to view the main page of the solution.

To add a user role:

1. In the Administration → Access management → Roles section, click the Add role button above the list of roles.
2. In the window that opens, specify the following values:
   • Role ID is a unique value that must be assigned to a role for identification within Kaspersky Container Security.

     The role ID can include uppercase Latin letters and numbers. A role ID cannot contain special characters or spaces.

   • Role name is the value displayed in the solution web interface.
   • Description (optional).
   • Scope is a setting that is used to differentiate access to resources.
3. In the Active Directory mapping field, specify the Active Directory groups that the user belongs to.
4. Select the check boxes next to the permissions that will be available for the role being added.
5. Click Add.

To add a scope:

1. In the Administration → Access management → Scopes section, click the Add scope button above the table with the list of scopes.
2. In the window that opens, specify the scope name and, if necessary, a scope description.
3. In the Resources section, select the resources for the scope:
   • Click the Add resources by registry button, and in the drop-down list, select the registries for the scope. You can define a more specific scope by selecting specific repositories and images from these repositories in the drop-down list.
   • Click the Add resources by cluster button and select the orchestrators for the scope from the drop-down list. You can define a more specific scope by selecting specific clusters, namespaces, and images from the orchestrators used to deploy the containers in the clusters.

   You must specify at least one resource for which access is granted for monitoring.

4. Click Set objects to scope.
5. Save the scope by clicking the Save button.

Resetting password for user accounts

To reset the password for a user account,

1. Go to the Administration → Access management → Users section.
2. Do one of the following:
   • In the user list, select the row of the specific user account, then click the Reset password link above the table.
   • In the user account row, open the menu () and select Reset password.

Changing settings for users, roles, and scopes

To edit a user account:

1. In the Administration → Access management → Users section, click the user name in the list of users.
2. In the opened window, make the necessary changes.

   If you make changes to a user account with the administrator privileges, do not delete all roles, since doing so results in the loss of administrator access to the solution.

3. Click Save.

To edit a user role:

1. In the Administration → Access management → Roles section, click the role identifier in the Role ID column in the list of roles.
2. In the opened window, make the necessary changes.
3. Click Save.

   After a role is modified, all users with the assigned role must be reauthorized.

   You cannot edit a role if it is the last active system role with rights to manage user accounts, user roles, or the default scope.

To edit a scope:

1. In the Administration → Access management → Scopes section, click on the scope name in the Scope name column of the table with the list of scopes.
2. In the opened window, make the necessary changes.
3. Click Save.

Removing users, roles, and scopes

To delete a user account:

1. In the Administration → Access management → Users section, do one of the following:
   • Select the user from the row of the specific user account, then click the Delete link above the table containing the list of users.

     You can select one or more user accounts.

   • In the row with the user account, open the menu () and select Delete user.
2. In the window that opens, confirm deletion by clicking Delete.

   The user account used for authorization in Kaspersky Container Security cannot be deleted.

To delete a user role:

1. In the Administration → Access management → Roles section, in the role row in the list of roles, click the deletion icon ().
2. In the window that opens, confirm deletion by clicking Delete.

You cannot delete the last active system role with rights to manage other user accounts, user roles, or the default scope.
You also cannot delete a role if it is assigned to any user.

To delete a scope:

1. In the Administration → Access management → Scopes section, in the role row in the list of scopes, click the delete icon ().
2. In the window that opens, confirm deletion by clicking Delete.

   You cannot delete the default scope.
   You also cannot delete a scope if it is assigned to a different active user role.