Kaspersky Next XDR Expert
[Topic 165858]

About user accounts

Open Single Management Platform allows you to manage user accounts and security groups. The application supports two types of accounts:

  • Accounts of organization employees. Administration Server retrieves data of the accounts of those local users when polling the organization's network.
  • Accounts of internal users of Open Single Management Platform. You can create accounts of internal users on the portal. These accounts are used only within Open Single Management Platform.

The kladmins group cannot be used to access OSMP Console in Open Single Management Platform. The kladmins group can only contain accounts that are used to start Open Single Management Platform services.

To view tables of user accounts and security groups:

  1. In the main menu, go to Users & roles → Users & groups.
  2. Select the Users or the Groups tab.

The table of users or security groups opens. If you want to view the table with only internal users or groups or with only local users or groups, set the Subtype filter criteria to Internal or Local respectively.

[Topic 225606]

About user roles

A user role (also referred to as a role) is an object containing a set of rights and privileges. A role can be associated with settings of Kaspersky applications installed on a user device. You can assign a role to a set of users or to a set of security groups at any level in the hierarchy of administration groups, Administration Servers, or at the level of specific objects.

If you manage devices through a hierarchy of Administration Servers that includes virtual Administration Servers, note that you can create, modify, or delete user roles only from a physical Administration Server. Then, you can propagate the user roles to secondary Administration Servers, including virtual ones.

You can associate user roles with policy profiles. If a user is assigned a role, this user gets security settings necessary to perform job functions.

A user role can be associated with users of devices in a specific administration group.

User role scope

A user role scope is a combination of users and administration groups. Settings associated with a user role apply only to devices that belong to users who have this role, and only if these devices belong to groups associated with this role, including child groups.
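The scope rule above has two conditions that both have to hold, and the second one is inherited down the administration-group tree. The following Python is an added example written for this page, not code from Open Single Management Platform or its documentation; the group hierarchy, device owners, and the role name are constructed sample data. It resolves which devices a role's settings reach.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterator


@dataclass
class AdminGroup:
    """An administration group; parent is None for the root of the hierarchy."""
    name: str
    parent: AdminGroup | None = None

    def self_and_ancestors(self) -> Iterator[str]:
        node: AdminGroup | None = self
        while node is not None:
            yield node.name
            node = node.parent


@dataclass
class Device:
    name: str
    owner: str          # user account the device belongs to
    group: AdminGroup   # administration group the device is placed in


@dataclass
class RoleScope:
    """Scope chosen when the role is assigned: a set of users plus a set of administration groups."""
    role: str
    users: set[str] = field(default_factory=set)
    groups: set[str] = field(default_factory=set)


def role_applies(device: Device, scope: RoleScope) -> bool:
    owner_holds_role = device.owner in scope.users
    # A device counts as belonging to a scoped group if its own group, or any
    # group above it, is in the scope (child groups inherit the scope).
    in_scoped_group = any(name in scope.groups for name in device.group.self_and_ancestors())
    return owner_holds_role and in_scoped_group


def devices_in_scope(devices: list[Device], scope: RoleScope) -> list[str]:
    return sorted(d.name for d in devices if role_applies(d, scope))


# Constructed sample hierarchy: Managed devices > Workstations > Finance, and Managed devices > Servers.
MANAGED = AdminGroup("Managed devices")
WORKSTATIONS = AdminGroup("Workstations", MANAGED)
FINANCE = AdminGroup("Finance", WORKSTATIONS)
SERVERS = AdminGroup("Servers", MANAGED)

DEVICES = [
    Device("fin-pc-01", owner="alice", group=FINANCE),        # child of a scoped group
    Device("ws-pc-07", owner="alice", group=WORKSTATIONS),    # the scoped group itself
    Device("srv-db-01", owner="alice", group=SERVERS),        # owner holds the role, group outside scope
    Device("fin-pc-02", owner="bob", group=FINANCE),          # group in scope, owner lacks the role
]

# Constructed assignment: alice holds the role, scope group is Workstations (so Finance is covered too).
SCOPE = RoleScope("Finance user", users={"alice"}, groups={"Workstations"})

if __name__ == "__main__":
    print(devices_in_scope(DEVICES, SCOPE))
```

The two devices that are left out illustrate the caveat worth remembering when a role's settings do not appear on a device: either the device owner is not in the scope, or the device sits in a group that is neither in the scope nor below a scoped group.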

Advantage of using roles

An advantage of using roles is that you do not have to specify security settings for each of the managed devices or for each of the users separately. The number of users and devices in a company may be quite large, but the number of different job functions that require different security settings is considerably smaller.

Differences from using policy profiles

Policy profiles are properties of a policy that is created for each Kaspersky application separately. A role is associated with many policy profiles created for different applications. Therefore, a role is a method of uniting settings for a certain user type in one place.

See also:

Scenario: Configuring network protection

[Topic 165864]

Configuring access rights to application features. Role-based access control

Open Single Management Platform provides facilities for role-based access to the features of Open Single Management Platform and managed Kaspersky applications.

You can configure access rights to application features for Open Single Management Platform users in one of the following ways:

  • By configuring the rights for each user or group of users individually.
  • By creating standard user roles with a predefined set of rights and assigning those roles to users depending on their scope of duties.

Application of user roles is intended to simplify and shorten routine procedures of configuring users' access rights to application features. Access rights within a role are configured in accordance with the standard tasks and the users' scope of duties.

User roles can be assigned names that correspond to their respective purposes. You can create an unlimited number of roles in the application.

You can use the predefined user roles with already configured set of rights, or create new roles and configure the required rights yourself.

In this section

Access rights to application features

Predefined user roles

Assigning access rights to specific objects

Assigning permissions to users and groups

See also:

Scenario: Configuring network protection

[Topic 203717]

Access rights to application features

The table below shows the Open Single Management Platform features with the access rights to manage the associated tasks, reports, settings, and perform the associated user actions.

To perform the user actions listed in the table, a user has to have the right specified next to the action.

Read, Write, and Execute rights are applicable to any task, report, or setting. In addition to these rights, a user has to have the Perform operations on device selections right to manage tasks, reports, or settings on device selections.

The General features: Access objects regardless of their ACLs functional area is intended for audit purposes. When users are granted the Read right in this functional area, they get full Read access to all objects and are able to execute any created tasks on selections of devices connected to the Administration Server via Network Agent with local administrator rights (root for Linux). We recommend granting these rights carefully, and only to the limited set of users who need them to perform their official duties.

All tasks, reports, settings, and installation packages that are missing in the table belong to the General features: Basic functionality functional area.

Access rights to application features

Each entry below lists a functional area, the rights it contains, the user actions in that area with the right each action requires, and the tasks, reports, and other objects that belong to the area ("none" means the area has no entries of that kind).

General features: Management of administration groups
  Rights: Write
  User actions (right required):
    • Add device to an administration group: Write
    • Delete device from an administration group: Write
    • Add an administration group to another administration group: Write
    • Delete an administration group from another administration group: Write
  Tasks: none
  Reports: none
  Other: none

General features: Access objects regardless of their ACLs
  Rights: Read
  User actions (right required):
    • Get read access to all objects: Read
  Tasks: none
  Reports: none
  Other: access is granted regardless of other rights, even if they prohibit read access to specific objects.

General features: Basic functionality
  Rights: Read, Write, Execute, Perform operations on device selections
  User actions (right required):
    • Device moving rules (create, modify, or delete) for the virtual Server: Write, Perform operations on device selections
    • Get Mobile (LWNGT) protocol custom certificate: Read
    • Set Mobile (LWNGT) protocol custom certificate: Write
    • Get NLA-defined network list: Read
    • Add, modify, or delete NLA-defined network list: Write
    • View Access Control List of groups: Read
    • View the operating system log: Read
  Tasks:
    • "Download updates to the Administration Server repository"
    • "Deliver reports"
    • "Distribute installation package"
    • "Install application on secondary Administration Servers remotely"
  Reports:
    • "Report on protection status"
    • "Report on threats"
    • "Report on most heavily infected devices"
    • "Report on status of anti-virus databases"
    • "Report on errors"
    • "Report on network attacks"
    • "Summary report on perimeter defense applications installed"
    • "Summary report on types of applications installed"
    • "Report on users of infected devices"
    • "Report on incidents"
    • "Report on events"
    • "Report on activity of distribution points"
    • "Report on secondary Administration Servers"
    • "Report on Device Control events"
    • "Report on prohibited applications"
    • "Report on Web Control"
    • "Report on encryption status of managed devices"
    • "Report on encryption status of mass storage devices"
    • "Report on rights to access encrypted drives"
    • "Report on file encryption errors"
    • "Report on blockage of access to encrypted files"
    • "Report on effective user permissions"
    • "Report on rights"
  Other: none

General features: Deleted objects
  Rights: Read, Write
  User actions (right required):
    • View deleted objects in the Recycle Bin: Read
    • Delete objects from the Recycle Bin: Write
  Tasks: none
  Reports: none
  Other: none

General features: Event processing
  Rights: Delete events, Edit event notification settings, Edit event logging settings, Write
  User actions (right required):
    • Change events registration settings: Edit event logging settings
    • Change events notification settings: Edit event notification settings
    • Delete events: Delete events
  Tasks: none
  Reports: none
  Other: settings
    • The maximum number of events stored in the database
    • Period of time for storing events from the deleted devices

General features: Operations on Administration Server
  Rights: Read, Write, Execute, Modify object ACLs, Perform operations on device selections
  User actions (right required):
    • Specify ports of Administration Server for the network agent connection: Write
    • Specify ports of Activation Proxy launched on the Administration Server: Write
    • Specify ports of Activation Proxy for Mobile launched on the Administration Server: Write
    • Specify ports of the Web Server for distribution of standalone packages: Write
    • Specify ports of the Web Server for distribution of MDM profiles: Write
    • Specify SSL-ports of the Administration Server for connection via Web Console: Write
    • Specify ports of the Administration Server for mobile connection: Write
    • Specify the maximum number of events stored in the Administration Server database: Write
    • Specify the maximum number of events that can be sent by the Administration Server: Write
    • Specify time period during which events can be sent by the Administration Server: Write
  Tasks:
    • "Backup of Administration Server data"
    • "Databases maintenance"
  Reports: none
  Other: none

General features: Kaspersky software deployment
  Rights: Manage Kaspersky patches, Read, Write, Execute, Perform operations on device selections
  User actions (right required):
    • Approve or decline installation of the patch: Manage Kaspersky patches
  Tasks: none
  Reports:
    • "Report on license key usage by virtual Administration Server"
    • "Report on Kaspersky software versions"
    • "Report on incompatible applications"
    • "Report on versions of Kaspersky software module updates"
    • "Report on protection deployment"
  Other: installation package "Kaspersky"

General features: Key management
  Rights: Export key file, Write
  User actions (right required):
    • Export key file: Export key file
    • Modify Administration Server license key settings: Write
  Tasks: none
  Reports: none
  Other: none

General features: Enforced report management
  Rights: Read, Write
  User actions (right required):
    • Create reports regardless of their ACLs: Write
    • Execute reports regardless of their ACLs: Read
  Tasks: none
  Reports: none
  Other: none

General features: Hierarchy of Administration Servers
  Rights: Configure hierarchy of Administration Servers
  User actions (right required):
    • Register, update, or delete secondary Administration Servers: Configure hierarchy of Administration Servers
  Tasks: none
  Reports: none
  Other: none

General features: User permissions
  Rights: Modify object ACLs
  User actions (right required):
    • Change Security properties of any object: Modify object ACLs
    • Manage user roles: Modify object ACLs
    • Manage internal users: Modify object ACLs
    • Manage security groups: Modify object ACLs
    • Manage aliases: Modify object ACLs
  Tasks: none
  Reports: none
  Other: none

General features: Virtual Administration Servers
  Rights: Manage virtual Administration Servers, Read, Write, Execute, Perform operations on device selections
  User actions (right required):
    • Get list of virtual Administration Servers: Read
    • Get information on the virtual Administration Server: Read
    • Create, update, or delete a virtual Administration Server: Manage virtual Administration Servers
    • Move a virtual Administration Server to another group: Manage virtual Administration Servers
    • Set virtual Administration Server permissions: Manage virtual Administration Servers
  Tasks: none
  Reports: none
  Other: none

General features: Encryption Key Management
  Rights: Write
  User actions (right required):
    • Import the encryption keys: Write
  Tasks: none
  Reports: none
  Other: none

System management: Vulnerability and patch management
  Rights: Read, Write, Execute, Perform operations on device selections
  User actions (right required):
    • View third-party patch properties: Read
    • Change third-party patch properties: Write
  Tasks:
    • "Fix vulnerabilities"
    • "Install required updates and fix vulnerabilities"
  Reports:
    • "Report on software updates"
  Other: none

[Topic 203748]

Predefined user roles

User roles assigned to Open Single Management Platform users provide them with sets of access rights to application features.

You can use the predefined user roles with already configured set of rights, or create new roles and configure the required rights yourself. Some of the predefined user roles available in Open Single Management Platform can be associated with specific job positions, for example, Auditor, Security Officer, Supervisor. Access rights of these roles are pre-configured in accordance with the standard tasks and scope of duties of the associated positions. The table below shows how roles can be associated with specific job positions.

Examples of roles for specific job positions (each role is followed by its description)

Auditor

Permits all operations with all types of reports, all viewing operations, including viewing deleted objects (grants the Read and Write permissions in the Deleted objects area). Does not permit other operations. You can assign this role to a person who performs the audit of your organization.

Supervisor

Permits all viewing operations; does not permit other operations. You can assign this role to a security officer and other managers in charge of the IT security in your organization.

Security Officer

Permits all viewing operations, permits reports management; grants limited permissions in the System management: Connectivity area. You can assign this role to an officer in charge of the IT security in your organization.

The table below shows the access rights assigned to each predefined user role.

Features of the Mobile Device Management: General and System management functional areas are not available in Open Single Management Platform. A user with the Vulnerability and patch management administrator/operator or Mobile Device Management Administrator/Operator role therefore has access only to the rights of the General features: Basic functionality area.

Access rights of predefined user roles (each role is followed by the rights it grants)

Basic roles

Administration Server Administrator

Permits all operations in the following functional areas, in General features:

  • Basic functionality
  • Event processing
  • Hierarchy of Administration Servers
  • Virtual Administration Servers

Grants the Read and Write rights in the General features: Encryption key management functional area.

Administration Server Operator

Grants the Read and Execute rights in all of the following functional areas, in General features:

  • Basic functionality
  • Virtual Administration Servers

Auditor

Permits all operations in the following functional areas, in General features:

  • Access objects regardless of their ACLs
  • Deleted objects
  • Enforced report management

You can assign this role to a person who performs the audit of your organization.

Installation Administrator

Permits all operations in the following functional areas, in General features:

  • Basic functionality
  • Kaspersky software deployment
  • License key management

Grants Read and Execute rights in the General features: Virtual Administration Servers functional area.

Installation Operator

Grants the Read and Execute rights in all of the following functional areas, in General features:

  • Basic functionality
  • Kaspersky software deployment (also grants the Manage Kaspersky patches right in this area)
  • Virtual Administration Servers

Kaspersky Endpoint Security Administrator

Permits all operations in the following functional areas:

  • General features: Basic functionality
  • Kaspersky Endpoint Security area, including all features

Grants the Read and Write rights in the General features: Encryption key management functional area.

Kaspersky Endpoint Security Operator

Grants the Read and Execute rights in all of the following functional areas:

  • General features: Basic functionality
  • Kaspersky Endpoint Security area, including all features

Main Administrator

Permits all operations in functional areas, except for the following areas, in General features:

  • Access objects regardless of their ACLs
  • Enforced report management

Grants the Read and Write rights in the General features: Encryption key management functional area.

Main Operator

Grants the Read and Execute (where applicable) rights in all of the following functional areas:

  • General features:
    • Basic functionality
    • Deleted objects
    • Operations on Administration Server
    • Kaspersky software deployment
    • Virtual Administration Servers
  • Kaspersky Endpoint Security area, including all features

Mobile Device Management Administrator

Permits all operations in the General features: Basic functionality functional area.

 

Security Officer

Permits all operations in the following functional areas, in General features:

  • Access objects regardless of their ACLs
  • Enforced report management

Grants the Read, Write, Execute, Save files from devices to the administrator's workstation, and Perform operations on device selections rights in the System management: Connectivity functional area.

You can assign this role to an officer in charge of the IT security in your organization.

Self Service Portal User

Permits all operations in the Mobile Device Management: Self Service Portal functional area. This feature is not supported in Kaspersky Security Center 11 and later versions.

Supervisor

Grants the Read right in the General features: Access objects regardless of their ACLs and General features: Enforced report management functional areas.

You can assign this role to a security officer and other managers in charge of the IT security in your organization.

XDR roles

Main administrator

Permits all operations in the XDR functional areas:

  • Alerts and incidents
  • NCIRCC incidents
  • Playbooks and response
  • Asset Management
  • IAM
  • Tenants
  • Integrations
  • Licenses

Tenant administrator

Permits all operations in the XDR functional areas:

  • Alerts and incidents
  • NCIRCC incidents
  • Playbooks and response
  • Asset Management
  • IAM
  • Tenants
  • Integrations
  • Licenses

This role corresponds to the Main Administrator role, but it has a restriction. In KUMA, a tenant administrator has limited access to the preset objects.

SOC administrator

Grants the following rights in the XDR functional areas:

  • Playbooks and response: Read, Write, and Delete
  • IAM: Read users and roles, Assign roles, and Lists users
  • Tenants: Read and Write
  • Integrations: Read, Write, and Delete
  • Licenses: Read

Junior analyst

Grants the following rights in the XDR functional areas:

  • Alerts and incidents: Read and Write
  • Playbooks and response: Read and Execute
  • Asset Management: Read
  • IAM: Read users and roles and Lists users
  • Tenants: Read
  • Integrations: Read
  • Licenses: Read

Tier 2 analyst

Grants the following rights in the XDR functional areas:

  • Alerts and incidents: Read and Write
  • Playbooks and response: Read, Write, Delete, and Execute
  • Asset Management: Read
  • IAM: Read users and roles and Lists users
  • Tenants: Read
  • Integrations: Read
  • Licenses: Read

Tier 1 analyst

Grants the following rights in the XDR functional areas:

  • Alerts and incidents: Read and Write
  • Playbooks and response: Read, Write, Delete, and Execute
  • Asset Management: Read
  • IAM: Read users and roles and Lists users
  • Tenants: Read
  • Integrations: Read
  • Licenses: Read

This role corresponds to the Tier 2 analyst role, but it has a restriction. In KUMA, a Tier 1 analyst can only modify their own objects.

SOC manager

Grants the following rights in the XDR functional areas:

  • Alerts and incidents: Read and Write
  • Playbooks and response: Read
  • Asset Management: Read
  • IAM: Read users and roles and Lists users
  • Tenants: Read
  • Integrations: Read
  • Licenses: Read

Approver

Grants the following rights in the XDR functional areas:

  • Alerts and incidents: Read, Write, Close
  • Playbooks and response: Read and Response confirmation
  • Asset Management: Read
  • IAM: Read users and roles
  • Tenants: Read
  • Integrations: Read
  • Licenses: Read

Observer

Grants the following rights in the XDR functional areas:

  • Alerts and incidents: Read
  • Playbooks and response: Read
  • Asset Management: Read
  • IAM: Read users and roles and Lists users
  • Tenants: Read
  • Integrations: Read
  • Licenses: Read

Interaction with NCIRCC

Grants the following rights in the XDR functional areas:

  • Alerts and incidents: Read and Write
  • NCIRCC incidents: Read and Write
  • Playbooks and response: Read
  • Asset Management: Read
  • IAM: Read users and roles, Lists users
  • Tenants: Read
  • Integrations: Read
  • Licenses: Read

A user with this role can work with XDR incidents, create NCIRCC incidents based on them, and export NCIRCC incidents (without access to critical information infrastructure).

Service roles

Automatic Threat Responder

Grants service accounts the right to respond to threats.

Access rights are configured automatically in accordance with the role-based access control policies of Kaspersky Security Center Linux and managed Kaspersky applications.

You can assign this role only to service accounts.

This role cannot be edited.

 

[Topic 203750]

Assigning access rights to specific objects

In addition to assigning access rights at the server level, you can configure access to specific objects, for example, to a specific task. The application allows you to specify access rights to the following object types:

  • Administration groups
  • Tasks
  • Reports
  • Device selections
  • Event selections

To assign access rights to a specific object:

  1. Depending on the object type, in the main menu, go to the corresponding section:
    • Assets (Devices) → Hierarchy of groups
    • Assets (Devices) → Tasks
    • Monitoring & reporting → Reports
    • Assets (Devices) → Device selections
    • Monitoring & reporting → Event selections
  2. Open the properties of the object to which you want to configure access rights.

    To open the properties window of an administration group or a task, click the object name. Properties of other objects can be opened by using the button on the toolbar.

  3. In the properties window, open the Access rights section.

    The user list opens. The listed users and security groups have access rights to the object. By default, if you use a hierarchy of administration groups or Servers, the list and access rights are inherited from the parent administration group or primary Server.

  4. To be able to modify the list, enable the Use custom permissions option.
  5. Configure access rights:
    • Use the Add and Delete buttons to modify the list.
    • Specify access rights for a user or security group. Do one of the following:
      • If you want to specify access rights manually, select the user or security group, click the Access rights button, and then specify the access rights.
      • If you want to assign a user role to the user or security group, select the user or security group, click the Roles button, and then select the role to assign.
  6. Click the Save button.

The access rights to the object are configured.

See also:

Configuring access rights to application features. Role-based access control

Access rights to application features

Predefined user roles

[Topic 237474]

Assigning permissions to users and groups

You can give users and security groups access rights to use different features of Administration Server and of the Kaspersky applications for which you have management plug-ins, for example, Kaspersky Endpoint Security for Windows.

To assign permissions to a user or security group:

  1. In the main menu, click the settings icon next to the name of the required Administration Server.

    The Administration Server properties window opens.

  2. On the Access rights tab, select the check box next to the name of the user or the security group to whom to assign rights, and then click the Access rights button.

    You cannot select multiple users or security groups at the same time. If you select more than one item, the Access rights button will be disabled.

  3. Configure the set of rights for the user or group:
    1. Expand the node with features of Administration Server or other Kaspersky application.
    2. Select the Allow or Deny check box next to the feature or the access right that you want.

      Example 1: Select the Allow check box next to the Application integration node to grant all available access rights to the Application integration feature (Read, Write, and Execute) for a user or group.

      Example 2: Expand the Encryption key management node, and then select the Allow check box next to the Write permission to grant the Write access right to the Encryption key management feature for a user or group.

  4. After you configure the set of access rights, click OK.

The set of rights for the user or group of users will be configured.

The permissions of the Administration Server (or the administration group) are divided into the following areas:

  • General features:
    • Management of administration groups
    • Access objects regardless of their ACLs
    • Basic functionality
    • Deleted objects
    • Encryption Key Management
    • Event processing
    • Operations on Administration Server
    • Device tags
    • Kaspersky software deployment
    • License key management
    • Enforced report management
    • Hierarchy of Servers
    • User rights
    • Virtual Administration Servers
  • Mobile Device Management:
    • General
  • System Management:
    • Connectivity
    • Hardware inventory
    • Network Access Control
    • Deploy operating system
    • Manage vulnerabilities and patches
    • Remote installation
    • Software inventory

If neither Allow nor Deny is selected for a permission, then the permission is considered undefined: it is denied until it is explicitly denied or allowed for the user.

The rights of a user are the sum of the following:

  • User's own rights
  • Rights of all the roles assigned to this user
  • Rights of all the security group to which the user belongs
  • Rights of all the roles assigned to the security groups to which the user belongs

If at least one of these sets of rights has Deny for a permission, then the user is denied this permission, even if other sets allow it or leave it undefined.
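The combination rule above is easy to get wrong when reviewing a user's access: an Allow on the account itself does not help if a security group the user belongs to carries a Deny, and a permission nobody has set is denied rather than inherited from somewhere else. The following Python is an added example written for this page, not code from Open Single Management Platform or its documentation. It evaluates a permission from the four sources listed above with Deny winning and undefined treated as denied, and it also applies the caveat from the access-rights table that Read in General features: Access objects regardless of their ACLs grants read access to an object even when the object's own ACL denies it. The users, roles, and groups are constructed sample data; the permission strings mirror the functional areas named on this page.

```python
from __future__ import annotations

from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"


# A rights set maps "<functional area>/<right>" to Allow or Deny.
# A permission missing from a set is undefined in that set.
Rights = dict[str, Decision]


class Principal:
    """A user or a security group with its own rights, assigned roles, and group memberships."""

    def __init__(self, name: str, own: Rights | None = None,
                 roles: list[Rights] = (), groups: list[Principal] = ()):
        self.name = name
        self.own: Rights = dict(own or {})
        self.roles = list(roles)      # rights of roles assigned directly to this principal
        self.groups = list(groups)    # security groups this principal belongs to


def contributing_sets(user: Principal) -> list[Rights]:
    """The four sources listed above: own rights, own roles, group rights, group roles."""
    sets = [user.own, *user.roles]
    for group in user.groups:
        sets.append(group.own)
        sets.extend(group.roles)
    return sets


def effective(user: Principal, permission: str) -> bool:
    decisions = [s[permission] for s in contributing_sets(user) if permission in s]
    if Decision.DENY in decisions:
        return False                    # Deny in any set wins over Allow elsewhere
    return Decision.ALLOW in decisions  # no Allow anywhere: undefined, treated as denied


AUDIT_READ = "General features: Access objects regardless of their ACLs/Read"


def can_read_object(user: Principal, object_read_decision: Decision | None) -> bool:
    """Object-level read check; object_read_decision is the object's ACL entry for this user."""
    if effective(user, AUDIT_READ):
        return True                     # audit right: read access regardless of object ACLs
    return object_read_decision is Decision.ALLOW


# Constructed sample data; permission strings follow the functional areas on this page.
BASIC_READ = "General features: Basic functionality/Read"
BASIC_WRITE = "General features: Basic functionality/Write"
ENC_KEYS_WRITE = "General features: Encryption Key Management/Write"

OPERATOR_ROLE: Rights = {BASIC_READ: Decision.ALLOW}
SOC_GROUP = Principal("soc-analysts", own={ENC_KEYS_WRITE: Decision.DENY}, roles=[OPERATOR_ROLE])
ALICE = Principal("alice", own={ENC_KEYS_WRITE: Decision.ALLOW}, groups=[SOC_GROUP])
AUDITOR = Principal("auditor", roles=[{AUDIT_READ: Decision.ALLOW}])

if __name__ == "__main__":
    for perm in (BASIC_READ, BASIC_WRITE, ENC_KEYS_WRITE):
        print(f"alice {perm}: {effective(ALICE, perm)}")
```

In the sample, alice reads Basic functionality through a role attached to her group, is denied Encryption Key Management writes because the group's Deny overrides her own Allow, and has no Basic functionality write at all because nothing defines it. The auditor reads a task whose ACL denies Read only because of the audit right, which is why the page recommends granting that right to a small set of users.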

You can also add users and security groups to the scope of a user role to use different features of Administration Server. Settings associated with a user role apply only to devices that belong to users who have this role, and only if these devices belong to groups associated with this role, including child groups.

[Topic 172173]

Adding an account of an internal user

To add a new internal user account to Open Single Management Platform:

  1. In the main menu, go to Users & roles → Users & groups, and then select the Users tab.
  2. Click Add.
  3. In the Add user window that opens, specify the settings of the new user account:
    • Name.
    • Password for the user connection to Open Single Management Platform.

      The password must comply with the following rules:

      • The password must be 8 to 256 characters long.
      • The password must contain characters from at least three of the groups listed below:
        • Uppercase letters (A-Z)
        • Lowercase letters (a-z)
        • Numbers (0-9)
        • Special characters (@ # $ % ^ & * - _ ! + = [ ] { } | : ' , . ? / \ ` ~ " ( ) ;)
      • The password must not contain any whitespaces, Unicode characters, or the combination of "." and "@", when "." is placed before "@".

      To see the characters that you entered, click and hold the Show button.

      The number of attempts for entering the password is limited. By default, the maximum number of allowed password entry attempts is 10. You can change the allowed number of attempts to enter a password, as described in "Changing the number of allowed password entry attempts".

      If the user enters an invalid password the specified number of times, the user account is blocked for one hour. You can unblock the user account only by changing the password.

  4. Click Save to save the changes.

A new user account is added to the user list.
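When internal accounts are provisioned by a script rather than by hand, it helps to check the candidate password against the rules above before submitting it. The following Python is an added example written for this page, not code from Open Single Management Platform or its documentation. Note that this page states the maximum length as 256 characters here and as 16 characters in "Editing an account of an internal user", so the limit is a parameter. Two readings are assumptions: the "." and "@" rule is taken to mean "." immediately followed by "@", and "Unicode characters" is taken to mean anything outside printable ASCII. The sample passwords are constructed.

```python
import string

# Special characters exactly as listed in the password rules above.
SPECIAL_CHARS = set("@#$%^&*-_!+=[]{}|:',.?/\\`~\"();")


def password_problems(password: str, max_len: int = 256) -> list[str]:
    """Return every rule the password violates (an empty list means it is acceptable)."""
    problems: list[str] = []

    if not 8 <= len(password) <= max_len:
        problems.append(f"length must be 8 to {max_len} characters")

    # Characters from at least three of the four groups must be present.
    groups_present = sum([
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c in SPECIAL_CHARS for c in password),
    ])
    if groups_present < 3:
        problems.append("needs at least three of: uppercase, lowercase, digits, special characters")

    if any(c.isspace() for c in password):
        problems.append("must not contain whitespace")

    # Assumption: "Unicode characters" means anything outside printable ASCII.
    if any(not 32 <= ord(c) <= 126 for c in password):
        problems.append("must not contain non-ASCII characters")

    # Assumption: the "." before "@" rule means the two characters are adjacent.
    if ".@" in password:
        problems.append('must not contain "." immediately before "@"')

    return problems


def is_valid_password(password: str, max_len: int = 256) -> bool:
    return not password_problems(password, max_len)


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3x", "short1A", "alllowercase1", "adm.@in2024X", "Pässword1!"):
        print(candidate, password_problems(candidate))
```

Reject on the first non-empty result rather than retrying variants against the platform: the lockout described above counts failed sign-in attempts, not failed creation attempts, but a provisioning loop that guesses at the rules is still noise in the audit trail.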

See also:

Scenario: Configuring network protection

[Topic 176002]

Creating a security group

To create a security group:

  1. In the main menu, go to Users & roles → Users & groups, and then select the Groups tab.
  2. Click Add.
  3. In the Create security group window that opens, specify the following settings for the new security group:
    • Group name
    • Description
  4. Click Save to save the changes.

A new security group is added to the group list.

See also:

Scenario: Configuring network protection

[Topic 176021]

Editing an account of an internal user

To edit an internal user account in Open Single Management Platform:

  1. In the main menu, go to Users & roles → Users & groups, and then select the Users tab.
  2. Click the name of the user account that you want to edit.
  3. In the user settings window that opens, on the General tab, change the settings of the user account:
    • Description
    • Full name
    • Email address
    • Main phone
    • Set new password for the user connection to Open Single Management Platform.

      The password must comply with the following rules:

      • The password must be 8 to 16 characters long.
      • The password must contain characters from at least three of the groups listed below:
        • Uppercase letters (A-Z)
        • Lowercase letters (a-z)
        • Numbers (0-9)
        • Special characters (@ # $ % ^ & * - _ ! + = [ ] { } | : ' , . ? / \ ` ~ " ( ) ;)
      • The password must not contain any whitespaces, Unicode characters, or the combination of "." and "@", when "." is placed before "@".

      To see the entered password, click and hold the Show button.

      The number of attempts for entering the password is limited. By default, the maximum number of allowed password entry attempts is 10. You can change the allowed number of attempts; however, for security reasons, we do not recommend that you decrease this number. If the user enters an invalid password the specified number of times, the user account is blocked for one hour. You can unblock the user account only by changing the password.

    • If necessary, switch the toggle button to Disabled to prohibit the user from connecting to the application. You can disable an account, for example, after an employee leaves the company.
  4. On the Authentication security tab, you can specify the security settings for this account.
  5. On the Groups tab, you can add the user to security groups.
  6. On the Devices tab, you can assign devices to the user.
  7. On the Roles tab, you can assign roles to the user.
  8. Click Save to save the changes.

The updated user account appears in the list of users.

See also:

Scenario: Configuring network protection

[Topic 176023]

Editing a security group

To edit a security group:

  1. In the main menu, go to Users & roles → Users & groups, and then select the Groups tab.
  2. Click the name of the security group that you want to edit.
  3. In the group settings window that opens, change the settings of the security group:
    • On the General tab, you can change the Name and Description settings. These settings are available only for internal security groups.
    • On the Users tab, you can add users to the security group. This setting is available only for internal users and internal security groups.
    • On the Roles tab, you can assign a role to the security group.
  4. Click Save to save the changes.

The changes are applied to the security group.

See also:

Scenario: Configuring network protection

Page top
[Topic 176112]

Assigning a role to a user or a security group

To assign a role to a user or a security group:

  1. In the main menu, go to Users & roles → Users & groups, and then select the Users or the Groups tab.
  2. Select the name of the user or the security group to whom to assign a role.

    You can select multiple names.

  3. On the menu line, click the Assign role button.

    The Role assignment wizard starts.

  4. Follow the instructions of the wizard: select the role that you want to assign to the selected users or security groups, and then select the scope of role.

    A user role scope is a combination of users and administration groups. Settings associated with a user role apply only to devices that belong to users who have this role, and only if these devices belong to groups associated with this role, including child groups.

The role with a set of rights for working with Administration Server is assigned to the user (or users, or the security group). In the list of users or security groups, a check box appears in the Has assigned roles column.

Page top
[Topic 89269]

Adding user accounts to an internal security group

You can add only accounts of internal users to an internal security group.

To add user accounts to an internal security group:

  1. In the main menu, go to Users & roles → Users & groups, and then select the Users tab.
  2. Select check boxes next to user accounts that you want to add to a security group.
  3. Click the Assign group button.
  4. In the Assign group window that opens, select the security group to which you want to add user accounts.
  5. Click the Save button.

The user accounts are added to the security group. You can also add internal users to a security group by using the group settings.

See also:

Scenario: Configuring network protection

Page top
[Topic 176304]

Assigning a user as a device owner

For information about assigning a user as a mobile device owner, see Kaspersky Security for Mobile Help.

To assign a user as a device owner:

  1. If you want to assign an owner of a device connected to a virtual Administration Server, first switch to the virtual Administration Server:
    1. In the main menu, click the chevron icon to the right of the current Administration Server name.
    2. Select the required Administration Server.
  2. In the main menu, go to Users & roles → Users & groups, and then select the Users tab.

    A user list opens. If you are currently connected to a virtual Administration Server, the list includes users from the current virtual Administration Server and the primary Administration Server.

  3. Click the name of the user account that you want to assign as a device owner.
  4. In the user settings window that opens, select the Devices tab.
  5. Click Add.
  6. From the device list, select the device that you want to assign to the user.
  7. Click OK.

The selected device is added to the list of devices assigned to the user.

You can perform the same operation at Assets (Devices) → Managed devices, by clicking the name of the device that you want to assign, and then clicking the Manage device owner link.

See also:

Scenario: Configuring network protection

Page top
[Topic 176311][Topic 211395]

Scenario: Configuring two-step verification for all users

This scenario describes how to enable two-step verification for all users and how to exclude user accounts from two-step verification. If you did not enable two-step verification for your account before you enable it for other users, the application opens the window for enabling two-step verification for your account, first. This scenario also describes how to enable two-step verification for your own account.

If you have already enabled two-step verification for your account, you can proceed directly to the stage of enabling two-step verification for all users.

Prerequisites

Before you start:

  • Make sure that your user account has the Modify object ACLs right of the General features: User permissions functional area for modifying security settings for other users' accounts.
  • Make sure that the other users of Administration Server install an authenticator app on their devices.

Stages

Enabling two-step verification for all users proceeds in stages:

  1. Installing an authenticator app on a device

    You can install any application that supports the Time-based One-time Password algorithm (TOTP), such as:

    • Google Authenticator
    • Microsoft Authenticator
    • Bitrix24 OTP
    • Yandex Key
    • Avanpost Authenticator
    • Aladdin 2FA

    To check whether Open Single Management Platform supports the authenticator app that you want to use, enable two-step verification for all users or for a particular user.

    One of the steps asks you to enter the security code generated by the authenticator app. If the check succeeds, Open Single Management Platform supports the selected authenticator.

    We strongly recommend against installing the authenticator app on the same device from which the connection to Administration Server is established.

  2. Synchronizing the authenticator app time with the time of the device on which Administration Server is installed

    Ensure that the time on the device with the authenticator app and the time on the device with the Administration Server are synchronized to UTC, by using external time sources. Otherwise, failures may occur during the authentication and activation of two-step verification.

  3. Enabling two-step verification for your account and receiving the secret key for your account

    After you enable two-step verification for your account, you can enable two-step verification for all users.

  4. Enabling two-step verification for all users

    Users with two-step verification enabled must use it to log in to Administration Server.

  5. Prohibit new users from setting up two-step verification for themselves

    In order to further improve OSMP Console access security, you can prohibit new users from setting up two-step verification for themselves.

  6. Editing the name of a security code issuer

    If you have several Administration Servers with similar names, you may have to change the security code issuer names for better recognition of different Administration Servers.

  7. Excluding user accounts for which you do not need to enable two-step verification

    If required, you can exclude users from two-step verification. Users with excluded accounts do not have to use two-step verification to log in to Administration Server.

  8. Configuring two-step verification for your own account

    If the users are not excluded from two-step verification and two-step verification is not yet configured for their accounts, they need to configure it in the window that opens when they sign in to OSMP Console. Otherwise, they will not be able to access the Administration Server in accordance with their rights.

Results

Upon completion of this scenario:

  • Two-step verification is enabled for your account.
  • Two-step verification is enabled for all user accounts of the Administration Server, except for user accounts that were excluded.

See also:

About two-step verification for an account

Enabling two-step verification for your own account

Enabling required two-step verification for all users

Disabling two-step verification for a user account

Disabling required two-step verification for all users

Excluding accounts from two-step verification

Page top
[Topic 212969]

About two-step verification for an account

Open Single Management Platform provides two-step verification for users of OSMP Console. When two-step verification is enabled for your own account, every time you log in to OSMP Console, you enter your user name, password, and an additional single-use security code. To receive a single-use security code, you must have an authenticator app on the computer or mobile device.

A security code has an identifier referred to as the issuer name. The issuer name is used as an identifier of the Administration Server in the authenticator app; by default, it is the same as the name of the Administration Server. You can change the security code issuer name. If you change it, you must issue a new secret key and pass it to the authenticator app. A security code is single-use and valid for up to 90 seconds (the exact time may vary).

Any user for whom two-step verification is enabled can reissue his or her own secret key. When a user authenticates with the reissued secret key and uses it for logging in, Administration Server saves the new secret key for the user account. If the user enters the new secret key incorrectly, Administration Server does not save the new secret key and leaves the current secret key valid for further authentication.

Any authentication software that supports the Time-based One-time Password algorithm (TOTP) can be used as an authenticator app, for example, Google Authenticator. In order to generate the security code, you must synchronize the time set in the authenticator app with the time set for Administration Server.

To check whether Open Single Management Platform supports the authenticator app that you want to use, enable two-step verification for all users or for a particular user.

One of the steps asks you to enter the security code generated by the authenticator app. If the check succeeds, Open Single Management Platform supports the selected authenticator.

An authenticator app generates the security code as follows:

  1. Administration Server generates a special secret key and QR code.
  2. You pass the generated secret key or QR code to the authenticator app.
  3. The authenticator app generates a single-use security code that you pass to the authentication window of Administration Server.

We highly recommend that you save the secret key (or QR code) and keep it in a safe place. This will help you to restore access to OSMP Console in case you lose access to the mobile device.
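To make the three steps above concrete, the following Python is an added example written for this page (it is not code from Open Single Management Platform). It implements the TOTP algorithm (RFC 6238) that the authenticator app runs over the secret key, a server-side check with a small time window, and the otpauth key URI that authenticator apps commonly read from a QR code. The secret is the RFC 6238 reference secret in base32; the acceptance window of plus or minus one 30-second step (which yields the 90-second validity mentioned above) and the URI layout are assumptions for illustration, because the page does not state what Administration Server uses internally.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

STEP_SECONDS = 30   # TOTP time step used by common authenticator apps (RFC 6238 default)
DIGITS = 6

# Constructed secret for this example: the RFC 6238 reference secret, base32-encoded.
# In OSMP the secret key is generated by Administration Server (step 1 above), never chosen by hand.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of whole time steps since the Unix epoch.
    Both sides derive the counter from their own clock, which is why the page insists that the
    authenticator device and Administration Server are synchronized to UTC."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, unix_time // step)


def verify_code(secret_b32: str, submitted: str, server_time: int, window_steps: int = 1) -> bool:
    """Server-side check (assumed window, not OSMP's documented value): accept the code of the
    current step and of window_steps neighbouring steps on each side. With 30-second steps and
    window_steps=1 a code is accepted for up to 90 seconds after its step began."""
    for delta in range(-window_steps, window_steps + 1):
        t = server_time + delta * STEP_SECONDS
        if t < 0:
            continue
        candidate = totp(secret_b32, t)
        if hmac.compare_digest(candidate, submitted):   # constant-time comparison
            return True
    return False


def provisioning_uri(issuer: str, account: str, secret_b32: str) -> str:
    """Key URI of the kind authenticator apps read from a QR code (assumed format). The issuer
    label is what the app displays to identify the server, i.e. the security code issuer name."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


if __name__ == "__main__":
    code = totp(EXAMPLE_SECRET_B32, 59)
    print("code at t=59:", code)                                   # 287082 (RFC 6238 vector)
    print("accepted 30 s later:", verify_code(EXAMPLE_SECRET_B32, code, 89))
    print("accepted 90 s later:", verify_code(EXAMPLE_SECRET_B32, code, 149))
    print(provisioning_uri("Administration Server", "admin", EXAMPLE_SECRET_B32))
```

Two things the code makes visible: a clock that drifts by more than the window makes every code fail even though the secret is correct, which is the failure the time-synchronization stage guards against; and the secret itself is all the server needs to reproduce any future code, which is why the page treats the saved secret key or QR code as something to keep in a safe place.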

To secure the usage of Open Single Management Platform, you can enable two-step verification for your own account and enable two-step verification for all users.

You can exclude accounts from two-step verification. This can be necessary for service accounts that cannot receive a security code for authentication.

Two-step verification works according to the following rules:

  • Only a user account that has the Modify object ACLs right in the General features: User permissions functional area can enable two-step verification for all users.
  • Only a user that enabled two-step verification for his or her own account can enable the option of two-step verification for all users.
  • Only a user that enabled two-step verification for his or her own account can exclude other user accounts from the list of two-step verification enabled for all users.
  • A user can enable two-step verification only for his or her own account.
  • A user account that has the Modify object ACLs right in the General features: User permissions functional area and is logged in to OSMP Console by using two-step verification can disable two-step verification for another user only if two-step verification for all users is disabled, or if that user is excluded from two-step verification that is enabled for all users.
  • Any user that logged in to OSMP Console by using two-step verification can reissue his or her own secret key.
  • You can enable the two-step verification for all users option for the Administration Server you are currently working with. If you enable this option on the Administration Server, you also enable this option for the user accounts of its virtual Administration Servers and do not enable two-step verification for the user accounts of the secondary Administration Servers.

See also:

Enabling two-step verification for your own account

Page top
[Topic 211333]

Enabling two-step verification for your own account

You can enable two-step verification only for your own account.

Before you start enabling two-step verification for your account, ensure that an authenticator app is installed on the mobile device. Ensure that the time set in the authenticator app is synchronized with the time set on the device on which Administration Server is installed.

To enable two-step verification for a user account:

  1. In the main menu, go to Users & roles → Users & groups, and then select the Users tab.
  2. Click the name of your account.
  3. In the user settings window that opens, select the Authentication security tab:
    1. Select the Request user name, password, and security code (two-step verification) option. Click the Save button.
    2. In the two-step verification window that opens, click View how to set up two-step verification.

      Click View QR code.

    3. Scan the QR code with the authenticator app on the mobile device to receive a one-time security code.
    4. In the two-step verification window, specify the security code generated by the authenticator app, and then click the Check and apply button.
  4. Click the Save button.

Two-step verification is enabled for your account.

See also:

Scenario: Configuring two-step verification for all users

Page top
[Topic 211308]

Enabling required two-step verification for all users

You can enable two-step verification for all users of Administration Server if your account has the Modify object ACLs right in the General features: User permissions functional area and if you are authenticated by using two-step verification.

To enable two-step verification for all users:

  1. In the main menu, click the settings icon next to the name of the required Administration Server.

    The Administration Server properties window opens.

  2. On the Authentication security tab of the properties window, switch the toggle button of the two-step verification for all users option to the enabled position.
  3. If you did not enable two-step verification for your account, the application opens the window for enabling two-step verification for your own account.
    1. In the two-step verification window, click View how to set up two-step verification.
    2. Click View QR code.
    3. Scan the QR code with the authenticator app on the mobile device to receive a one-time security code.

      Alternatively, enter the secret key in the authenticator app manually.

    4. In the two-step verification window, specify the security code generated by the authenticator app, and then click the Check and apply button.

Two-step verification is enabled for all users. From now on, users of the Administration Server, including the users that were added after enabling two-step verification for all users, have to configure two-step verification for their accounts, except for users that are excluded from two-step verification.

See also:

Scenario: Configuring two-step verification for all users

Page top
[Topic 211403]

Disabling two-step verification for a user account

You can disable two-step verification for your own account, as well as for an account of any other user.

You can disable two-step verification of another user's account if your account has the Modify object ACLs right in the General features: User permissions functional area and if you are authenticated by using two-step verification.

To disable two-step verification for a user account:

  1. In the main menu, go to Users & roles → Users & groups, and then select the Users tab.
  2. Click the name of the internal user account for whom you want to disable two-step verification. This may be your own account or an account of any other user.
  3. In the user settings window that opens, select the Authentication security tab.
  4. Select the Request only user name and password option if you want to disable two-step verification for a user account.
  5. Click the Save button.

Two-step verification is disabled for the user account.

If you want to restore access for a user that cannot log in to OSMP Console by using two-step verification, disable two-step verification for this user account, and then select the Request only user name and password option as described above. After that, log in to OSMP Console under the user account for which you disabled two-step verification, and then enable verification again.

See also:

Scenario: Configuring two-step verification for all users

Page top
[Topic 211381]

Disabling required two-step verification for all users

You can disable required two-step verification for all users if two-step verification is enabled for your account and your account has the Modify object ACLs right in the General features: User permissions functional area. If two-step verification is not enabled for your account, you must enable two-step verification for your account before disabling it for all users.

To disable two-step verification for all users:

  1. In the main menu, click the settings icon next to the name of the required Administration Server.

    The Administration Server properties window opens.

  2. On the Authentication security tab of the properties window, switch the toggle button of the two-step verification for all users option to disabled position.
  3. Enter the credentials of your account in the authentication window.

Two-step verification is disabled for all users. Disabling two-step verification for all users does not apply to specific accounts for which two-step verification was previously enabled separately.

See also:

Scenario: Configuring two-step verification for all users

Page top
[Topic 211404]

Excluding accounts from two-step verification

You can exclude user accounts from two-step verification if you have the Modify object ACLs right in the General features: User permissions functional area.

If a user account is excluded from two-step verification that is enabled for all users, this user does not have to use two-step verification.

Excluding accounts from two-step verification can be necessary for service accounts that cannot pass the security code during authentication.

If you want to exclude some user accounts from two-step verification:

  1. In the main menu, click the settings icon next to the name of the required Administration Server.

    The Administration Server properties window opens.

  2. On the Authentication security tab of the properties window, in the two-step verification exclusions table, click the Add button.
  3. In the window that opens:
    1. Select the user accounts that you want to exclude.
    2. Click the OK button.

The selected user accounts are excluded from two-step verification.

See also:

Scenario: Configuring two-step verification for all users

Page top
[Topic 211462]

Configuring two-step verification for your own account

The first time you sign in to Open Single Management Platform after two-step verification is enabled, the window for configuring two-step verification for your own account opens.

Before you configure two-step verification for your account, ensure that an authenticator app is installed on the mobile device. Ensure that the time on the device with the authenticator app and the time on the device with the Administration Server are synchronized to UTC, by using external time sources.

To configure two-step verification for your account:

  1. Generate a one-time security code by using the authenticator app on the mobile device. To do this, perform one of the following actions:
    • Enter the secret key in the authenticator app manually.
    • Click View QR code and scan the QR code by using the authenticator app.

    A security code is displayed on the mobile device.

  2. In the configure two-step verification window, specify the security code generated by the authenticator app, and then click the Check and apply button.

Two-step verification is configured for your account. You are able to access the Administration Server in accordance with your rights.

Page top
[Topic 256957]

Prohibit new users from setting up two-step verification for themselves

In order to further improve OSMP Console access security, you can prohibit new users from setting up two-step verification for themselves.

If this option is enabled, a user with disabled two-step verification, for example a new domain administrator, cannot configure two-step verification for themselves. Therefore, such a user cannot be authenticated on Administration Server and cannot sign in to OSMP Console without approval from another Open Single Management Platform administrator who already has two-step verification enabled.

This option is available if two-step verification is enabled for all users.

To prohibit new users from setting up two-step verification for themselves:

  1. In the main menu, click the settings icon next to the name of the required Administration Server.

    The Administration Server properties window opens.

  2. On the Authentication security tab of the properties window, switch the toggle button Prohibit new users from setting up two-step verification for themselves to the enabled position.

This option does not affect the user accounts added to the two-step verification exclusions.

In order to grant OSMP Console access to a user with disabled two-step verification, temporarily turn off the Prohibit new users from setting up two-step verification for themselves option, ask the user to enable two-step verification, and then turn the option back on.

Page top
[Topic 250558]

Generating a new secret key

You can generate a new secret key for two-step verification for your account only if you are authenticated by using two-step verification.

To generate a new secret key for a user account:

  1. In the main menu, go to Users & roles → Users & groups, and then select the Users tab.
  2. Click the name of the user account for whom you want to generate a new secret key for two-step verification.
  3. In the user settings window that opens, select the Authentication security tab.
  4. On the Authentication security tab, click the Generate a new secret key link.
  5. In the two-step verification window that opens, specify the security code generated by the authenticator app for the new secret key.
  6. Click the Check and apply button.

A new secret key is generated for the user.

If you lose the mobile device, you can install an authenticator app on another mobile device and generate a new secret key to restore access to OSMP Console.

Page top
[Topic 211459]

Editing the name of a security code issuer

You can have several identifiers (called issuers) for different Administration Servers. You can change the name of a security code issuer if, for example, a similar security code issuer name is already used for another Administration Server. By default, the name of a security code issuer is the same as the name of the Administration Server.

After you change the security code issuer name, you have to issue a new secret key and pass it to the authenticator app.

To specify a new name of security code issuer:

  1. In the main menu, click the settings icon next to the name of the required Administration Server.

    The Administration Server properties window opens.

  2. In the Administration Server properties window, select the Authentication security tab.
  3. On the Authentication security tab, click the Edit link.

    The Edit security code issuer section opens.

  4. Specify a new security code issuer name.
  5. Click the OK button.

A new security code issuer name is specified for the Administration Server.

See also:

Scenario: Configuring two-step verification for all users

Page top
[Topic 211461]

Changing the number of allowed password entry attempts

The Open Single Management Platform user can enter an invalid password a limited number of times. After the limit is reached, the user account is blocked for one hour.

By default, the maximum number of allowed attempts to enter a password is 10. You can change the number of allowed password entry attempts, as described in this section.

To change the number of allowed password entry attempts:

  1. On the Administration Server device, run a Linux command line.
  2. For the klscflag utility, run the following command:

    sudo /opt/kaspersky/ksc64/sbin/klscflag -fset -pv klserver -n SrvSplPpcLogonAttempts -t d -v N

    where N is the maximum number of allowed attempts to enter a password.

  3. To apply the changes, restart the Administration Server service.

The maximum number of allowed password entry attempts is changed.

Page top
[Topic 175900]

Deleting a user or a security group

You can delete only internal users or internal security groups.

To delete a user or a security group:

  1. In the main menu, go to Users & roles → Users & groups, and then select the Users or the Groups tab.
  2. Select the check box next to the user or the security group that you want to delete.
  3. Click Delete.
  4. In the window that opens, click OK.

The user or the security group is deleted.

See also:

Scenario: Configuring network protection

Page top
[Topic 176022]

Creating a user role

To create a user role:

  1. In the main menu, go to Users & roles → Roles.
  2. Click Add.
  3. In the New role name window that opens, enter the name of the new role.
  4. Click OK to apply the changes.
  5. In the role properties window that opens, change the settings of the role:
    • On the General tab, edit the role name.

      You cannot edit the name of a predefined role.

    • On the Settings tab, edit the role scope and policies and profiles associated with the role.
    • On the Access rights tab, edit the rights for access to Kaspersky applications.
  6. Click Save to save the changes.

The new role appears in the list of user roles.

See also:

Scenario: Configuring network protection

Page top
[Topic 176121]

Editing a user role

To edit a user role:

  1. In the main menu, go to Users & roles → Roles.
  2. Click the name of the role that you want to edit.
  3. In the role properties window that opens, change the settings of the role:
    • On the General tab, edit the role name.

      You cannot edit the name of a predefined role.

    • On the Settings tab, edit the role scope and policies and profiles associated with the role.
    • On the Access rights tab, edit the rights for access to Kaspersky applications.
  4. Click Save to save the changes.

The updated role appears in the list of user roles.

See also:

Scenario: Configuring network protection

Page top
[Topic 176250]

Editing the scope of a user role

A user role scope is a combination of users and administration groups. Settings associated with a user role apply only to devices that belong to users who have this role, and only if these devices belong to groups associated with this role, including child groups.

To add users, security groups, and administration groups to the scope of a user role, you can use either of the following methods:

Method 1:

  1. In the main menu, go to Users & roles → Users & groups, and then select the Users or the Groups tab.
  2. Select check boxes next to the users or security groups that you want to add to the user role scope.
  3. Click the Assign role button.

    The Role assignment wizard starts. Proceed through the wizard by using the Next button.

  4. On the Select role step, select the user role that you want to assign.
  5. On the Define scope step, select the administration group that you want to add to the user role scope.
  6. Click the Assign role button to close the window.

The selected users or security groups and the selected administration group are added to the scope of the user role.

Method 2:

  1. In the main menu, go to Users & roles → Roles.
  2. Click the name of the role for which you want to define the scope.
  3. In the role properties window that opens, select the Settings tab.
  4. In the Role scope section, click Add.

    The Role assignment wizard starts. Proceed through the wizard by using the Next button.

  5. On the Define scope step, select the administration group that you want to add to the user role scope.
  6. On the Select users step, select users and security groups that you want to add to the user role scope.
  7. Click the Assign role button to close the window.
  8. Click the Close button to close the role properties window.

The selected users or security groups and the selected administration group are added to the scope of the user role.

Method 3:

  1. In the main menu, click the settings icon next to the name of the required Administration Server.

    The Administration Server properties window opens.

  2. On the Access rights tab, select the check box next to the name of the user or the security group that you want to add to the user role scope, and then click the Roles button.

    You cannot select multiple users or security groups at the same time. If you select more than one item, the Roles button will be disabled.

  3. In the Roles window, select the user role that you want to assign, and then apply and save changes.

    The selected users or security groups are added to the scope of the user role.

See also:

Scenario: Configuring network protection

Page top
[Topic 176256]

Deleting a user role

To delete a user role:

  1. In the main menu, go to Users & roles → Roles.
  2. Select the check box next to the name of the role that you want to delete.
  3. Click Delete.
  4. In the window that opens, click OK.

The user role is deleted.

See also:

Scenario: Configuring network protection

Page top
[Topic 176252]

Associating policy profiles with roles

You can associate user roles with policy profiles. In this case, the activation rule for this policy profile is based on the role: the policy profile becomes active for a user that has the specified role.

For example, the policy bars any GPS navigation software on all devices in an administration group. GPS navigation software is necessary only on a single device in the Users administration group—the device owned by a courier. In this case, you can assign a "Courier" role to its owner, and then create a policy profile allowing GPS navigation software to run only on the devices whose owners are assigned the "Courier" role. All the other policy settings are preserved. Only the user with the role "Courier" will be allowed to run GPS navigation software. Later, if another worker is assigned the "Courier" role, the new worker also can run navigation software on your organization's device. Running GPS navigation software will still be prohibited on other devices in the same administration group.

To associate a role with a policy profile:

  1. In the main menu, go to Users & roles → Roles.
  2. Click the name of the role that you want to associate with a policy profile.

    The role properties window opens with the General tab selected.

  3. Select the Settings tab, and scroll down to the Policies & profiles section.
  4. Click Edit.
  5. To associate the role with:
    • An existing policy profile—Click the chevron icon next to the required policy name, and then select the check box next to the profile with which you want to associate the role.
    • A new policy profile:
      1. Select the check box next to the policy for which you want to create a profile.
      2. Click New policy profile.
      3. Specify a name for the new profile and configure the profile settings.
      4. Click the Save button.
      5. Select the check box next to the new profile.
  6. Click Assign to role.

The profile is associated with the role and appears in the role properties. The profile applies automatically to any device whose owner is assigned the role.
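The scope rule from "Editing the scope of a user role" (settings apply only to devices whose owner holds the role and that sit in a scope group or one of its child groups) and the courier scenario above combine into one small resolution procedure. The following Python is an added example written for this page, not code from Open Single Management Platform: it models an administration group tree, device owners, role assignments made directly or through a security group, role scopes and a role-associated policy profile, and computes which devices the profile becomes active on. All group, user, device and profile names are constructed sample data.

```python
from typing import Dict, Optional, Set, Tuple

# Constructed sample data (not from the page).
# Administration group -> parent group (None for the root).
GROUP_PARENT: Dict[str, Optional[str]] = {
    "Managed devices": None,
    "Users": "Managed devices",
    "Field": "Users",               # child group of "Users"
    "Servers": "Managed devices",
}
# Device -> (owner user name, administration group the device belongs to).
DEVICES: Dict[str, Tuple[str, str]] = {
    "courier-laptop": ("alice", "Field"),
    "office-pc-1": ("bob", "Users"),
    "alice-server": ("alice", "Servers"),   # same owner, but outside the role scope
    "ops-pc": ("carol", "Users"),
}
# Internal security group -> member users.
SECURITY_GROUPS: Dict[str, Set[str]] = {"Logistics": {"alice", "dave"}}
# Role -> (users assigned directly, security groups assigned); role -> administration groups in scope.
ROLE_MEMBERS: Dict[str, Tuple[Set[str], Set[str]]] = {"Courier": (set(), {"Logistics"})}
ROLE_SCOPE: Dict[str, Set[str]] = {"Courier": {"Users"}}
# Policy profile -> role it is associated with (the role-based activation rule described above).
PROFILE_ROLE: Dict[str, str] = {"Allow GPS navigation": "Courier"}


def is_in_or_under(group: str, ancestor: str) -> bool:
    """True if `group` is `ancestor` itself or one of its child groups at any depth."""
    current: Optional[str] = group
    while current is not None:
        if current == ancestor:
            return True
        current = GROUP_PARENT[current]
    return False


def users_with_role(role: str) -> Set[str]:
    """Users holding the role directly or through membership in an assigned security group."""
    users, groups = ROLE_MEMBERS.get(role, (set(), set()))
    holders = set(users)
    for g in groups:
        holders |= SECURITY_GROUPS.get(g, set())
    return holders


def devices_in_role_scope(role: str) -> Set[str]:
    """Devices that receive the settings of `role`: the owner must hold the role AND the device's
    administration group must be one of the scope groups or a child of one."""
    holders = users_with_role(role)
    scope = ROLE_SCOPE.get(role, set())
    return {
        dev for dev, (owner, group) in DEVICES.items()
        if owner in holders and any(is_in_or_under(group, s) for s in scope)
    }


def active_profiles(device: str) -> Set[str]:
    """Policy profiles whose role-based activation rule is satisfied on `device`."""
    return {p for p, role in PROFILE_ROLE.items() if device in devices_in_role_scope(role)}


if __name__ == "__main__":
    for dev in DEVICES:
        print(f"{dev}: {sorted(active_profiles(dev)) or 'no role-based profiles'}")
```

Running it shows the two halves of the rule at work: alice's laptop in the child group Field gets the profile, while her server in Servers does not, even though she holds the role, and bob's and carol's machines in Users get nothing because their owners do not hold the role. Auditing role scopes this way is a useful check before associating a profile that relaxes a restriction, since a scope that is wider than intended widens the exception with it.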

See also:

Scenario: Configuring network protection

Page top
[Topic 166091]