Kaspersky Next XDR Expert

Configuring access rights to application features. Role-based access control

Open Single Management Platform provides role-based access control for its own features and for the features of managed Kaspersky applications.

You can configure access rights to application features for Open Single Management Platform users in one of the following ways:

  • By configuring the rights for each user or group of users individually.
  • By creating standard user roles with a predefined set of rights and assigning those roles to users depending on their scope of duties.

User roles simplify and shorten the routine configuration of users' access rights to application features. The rights within a role are configured according to the standard tasks and scope of duties of the users who will hold it.

User roles can be assigned names that correspond to their respective purposes. You can create an unlimited number of roles in the application.

You can use the predefined user roles, which come with an already configured set of rights, or create new roles and configure the required rights yourself.

In this section

Access rights to application features

Predefined user roles

Assigning access rights to specific objects

Assigning permissions to users and groups

See also:

Scenario: Configuring network protection

[Topic 203717]

Access rights to application features

The table below lists the Open Single Management Platform functional areas, the access rights defined in each area, and the user actions, tasks, reports, and settings that each area covers.

To perform the user actions listed in the table, a user has to have the right specified next to the action.

Read, Write, and Execute rights are applicable to any task, report, or setting. In addition to these rights, a user has to have the Perform operations on device selections right to manage tasks, reports, or settings on device selections.

The General features: Access objects regardless of their ACLs functional area is intended for audit purposes. A user granted the Read right in this area gets full Read access to all objects and can execute any existing task on selections of devices connected to the Administration Server via Network Agent, which runs those tasks with local administrator rights (root on Linux). Grant this right only to the limited set of users whose official duties require it.

All tasks, reports, settings, and installation packages that are missing in the table belong to the General features: Basic functionality functional area.

Access rights to application features

Each entry below lists a functional area, the rights defined in it, the user actions the area covers (each followed by the right required to perform it), and the tasks, reports, and other objects that belong to the area.

General features: Management of administration groups
  Rights: Write
  User actions:
    • Add device to an administration group: Write
    • Delete device from an administration group: Write
    • Add an administration group to another administration group: Write
    • Delete an administration group from another administration group: Write
  Tasks: None
  Reports: None
  Other: None

General features: Access objects regardless of their ACLs
  Rights: Read
  User actions:
    • Get read access to all objects: Read
  Tasks: None
  Reports: None
  Other: Access is granted regardless of other rights, even if they prohibit read access to specific objects.

General features: Basic functionality
  Rights: Read, Write, Execute, Perform operations on device selections
  User actions:
    • Device moving rules (create, modify, or delete) for the virtual Server: Write, Perform operations on device selections
    • Get Mobile (LWNGT) protocol custom certificate: Read
    • Set Mobile (LWNGT) protocol custom certificate: Write
    • Get NLA-defined network list: Read
    • Add, modify, or delete NLA-defined network list: Write
    • View Access Control List of groups: Read
    • View the operating system log: Read
  Tasks:
    • "Download updates to the Administration Server repository"
    • "Deliver reports"
    • "Distribute installation package"
    • "Install application on secondary Administration Servers remotely"
  Reports:
    • "Report on protection status"
    • "Report on threats"
    • "Report on most heavily infected devices"
    • "Report on status of anti-virus databases"
    • "Report on errors"
    • "Report on network attacks"
    • "Summary report on perimeter defense applications installed"
    • "Summary report on types of applications installed"
    • "Report on users of infected devices"
    • "Report on incidents"
    • "Report on events"
    • "Report on activity of distribution points"
    • "Report on secondary Administration Servers"
    • "Report on Device Control events"
    • "Report on prohibited applications"
    • "Report on Web Control"
    • "Report on encryption status of managed devices"
    • "Report on encryption status of mass storage devices"
    • "Report on rights to access encrypted drives"
    • "Report on file encryption errors"
    • "Report on blockage of access to encrypted files"
    • "Report on effective user permissions"
    • "Report on rights"
  Other: None

General features: Deleted objects
  Rights: Read, Write
  User actions:
    • View deleted objects in the Recycle Bin: Read
    • Delete objects from the Recycle Bin: Write
  Tasks: None
  Reports: None
  Other: None

General features: Event processing
  Rights: Delete events, Edit event notification settings, Edit event logging settings, Write
  User actions:
    • Change events registration settings: Edit event logging settings
    • Change events notification settings: Edit event notification settings
    • Delete events: Delete events
  Tasks: None
  Reports: None
  Other: Settings:
    • The maximum number of events stored in the database
    • Period of time for storing events from the deleted devices

General features: Operations on Administration Server
  Rights: Read, Write, Execute, Modify object ACLs, Perform operations on device selections
  User actions:
    • Specify ports of Administration Server for the network agent connection: Write
    • Specify ports of Activation Proxy launched on the Administration Server: Write
    • Specify ports of Activation Proxy for Mobile launched on the Administration Server: Write
    • Specify ports of the Web Server for distribution of standalone packages: Write
    • Specify ports of the Web Server for distribution of MDM profiles: Write
    • Specify SSL-ports of the Administration Server for connection via Web Console: Write
    • Specify ports of the Administration Server for mobile connection: Write
    • Specify the maximum number of events stored in the Administration Server database: Write
    • Specify the maximum number of events that can be sent by the Administration Server: Write
    • Specify time period during which events can be sent by the Administration Server: Write
  Tasks:
    • "Backup of Administration Server data"
    • "Databases maintenance"
  Reports: None
  Other: None

General features: Kaspersky software deployment
  Rights: Manage Kaspersky patches, Read, Write, Execute, Perform operations on device selections
  User actions:
    • Approve or decline installation of the patch: Manage Kaspersky patches
  Tasks: None
  Reports:
    • "Report on license key usage by virtual Administration Server"
    • "Report on Kaspersky software versions"
    • "Report on incompatible applications"
    • "Report on versions of Kaspersky software module updates"
    • "Report on protection deployment"
  Other: Installation package "Kaspersky"

General features: Key management
  Rights: Export key file, Write
  User actions:
    • Export key file: Export key file
    • Modify Administration Server license key settings: Write
  Tasks: None
  Reports: None
  Other: None

General features: Enforced report management
  Rights: Read, Write
  User actions:
    • Create reports regardless of their ACLs: Write
    • Execute reports regardless of their ACLs: Read
  Tasks: None
  Reports: None
  Other: None

General features: Hierarchy of Administration Servers
  Rights: Configure hierarchy of Administration Servers
  User actions:
    • Register, update, or delete secondary Administration Servers: Configure hierarchy of Administration Servers
  Tasks: None
  Reports: None
  Other: None

General features: User permissions
  Rights: Modify object ACLs
  User actions:
    • Change Security properties of any object: Modify object ACLs
    • Manage user roles: Modify object ACLs
    • Manage internal users: Modify object ACLs
    • Manage security groups: Modify object ACLs
    • Manage aliases: Modify object ACLs
  Tasks: None
  Reports: None
  Other: None

General features: Virtual Administration Servers
  Rights: Manage virtual Administration Servers, Read, Write, Execute, Perform operations on device selections
  User actions:
    • Get list of virtual Administration Servers: Read
    • Get information on the virtual Administration Server: Read
    • Create, update, or delete a virtual Administration Server: Manage virtual Administration Servers
    • Move a virtual Administration Server to another group: Manage virtual Administration Servers
    • Set administration virtual Server permissions: Manage virtual Administration Servers
  Tasks: None
  Reports: None
  Other: None

General features: Encryption Key Management
  Rights: Write
  User actions:
    • Import the encryption keys: Write
  Tasks: None
  Reports: None
  Other: None

System management: Vulnerability and patch management
  Rights: Read, Write, Execute, Perform operations on device selections
  User actions:
    • View third-party patch properties: Read
    • Change third-party patch properties: Write
  Tasks:
    • "Fix vulnerabilities"
    • "Install required updates and fix vulnerabilities"
  Reports:
    • "Report on software updates"
  Other: None

[Topic 203748]

Predefined user roles

User roles assigned to Open Single Management Platform users provide them with sets of access rights to application features.

You can use the predefined user roles, which come with an already configured set of rights, or create new roles and configure the required rights yourself. Some of the predefined user roles available in Open Single Management Platform can be associated with specific job positions, for example, Auditor, Security Officer, or Supervisor. The access rights of these roles are preconfigured according to the standard tasks and scope of duties of the associated positions. The table below shows how roles can be associated with specific job positions.

Examples of roles for specific job positions

Role

Description

Auditor

Permits all operations with all types of reports, all viewing operations, including viewing deleted objects (grants the Read and Write permissions in the Deleted objects area). Does not permit other operations. You can assign this role to a person who performs the audit of your organization.

Supervisor

Permits all viewing operations; does not permit other operations. You can assign this role to a security officer and other managers in charge of the IT security in your organization.

Security Officer

Permits all viewing operations, permits reports management; grants limited permissions in the System management: Connectivity area. You can assign this role to an officer in charge of the IT security in your organization.

The table below shows the access rights assigned to each predefined user role.

Features of the Mobile Device Management: General and System management functional areas are not available in Open Single Management Platform. A user with the Vulnerability and patch management administrator/operator or Mobile Device Management Administrator/Operator role therefore has only the rights of the General features: Basic functionality area.

Access rights of predefined user roles

Role

Description

Basic roles

Administration Server Administrator

Permits all operations in the following functional areas, in General features:

  • Basic functionality
  • Event processing
  • Hierarchy of Administration Servers
  • Virtual Administration Servers

Grants the Read and Write rights in the General features: Encryption key management functional area.

Administration Server Operator

Grants the Read and Execute rights in all of the following functional areas, in General features:

  • Basic functionality
  • Virtual Administration Servers

Auditor

Permits all operations in the following functional areas, in General features:

  • Access objects regardless of their ACLs
  • Deleted objects
  • Enforced report management

You can assign this role to a person who performs the audit of your organization.

Installation Administrator

Permits all operations in the following functional areas, in General features:

  • Basic functionality
  • Kaspersky software deployment
  • License key management

Grants Read and Execute rights in the General features: Virtual Administration Servers functional area.

Installation Operator

Grants the Read and Execute rights in all of the following functional areas, in General features:

  • Basic functionality
  • Kaspersky software deployment (also grants the Manage Kaspersky patches right in this area)
  • Virtual Administration Servers

Kaspersky Endpoint Security Administrator

Permits all operations in the following functional areas:

  • General features: Basic functionality
  • Kaspersky Endpoint Security area, including all features

Grants the Read and Write rights in the General features: Encryption key management functional area.

Kaspersky Endpoint Security Operator

Grants the Read and Execute rights in all of the following functional areas:

  • General features: Basic functionality
  • Kaspersky Endpoint Security area, including all features

Main Administrator

Permits all operations in all functional areas except the following areas in General features:

  • Access objects regardless of their ACLs
  • Enforced report management

Grants the Read and Write rights in the General features: Encryption key management functional area.

Main Operator

Grants the Read and Execute (where applicable) rights in all of the following functional areas:

  • General features:
    • Basic functionality
    • Deleted objects
    • Operations on Administration Server
    • Kaspersky software deployment
    • Virtual Administration Servers
  • Kaspersky Endpoint Security area, including all features

Mobile Device Management Administrator

Permits all operations in the General features: Basic functionality functional area.


Security Officer

Permits all operations in the following functional areas, in General features:

  • Access objects regardless of their ACLs
  • Enforced report management

Grants the Read, Write, Execute, Save files from devices to the administrator's workstation, and Perform operations on device selections rights in the System management: Connectivity functional area.

You can assign this role to an officer in charge of the IT security in your organization.

Self Service Portal User

Permits all operations in the Mobile Device Management: Self Service Portal functional area. This feature is not supported in Kaspersky Security Center 11 and later versions.

Supervisor

Grants the Read right in the General features: Access objects regardless of their ACLs and General features: Enforced report management functional areas.

You can assign this role to a security officer and other managers in charge of the IT security in your organization.

XDR roles

Main administrator

Permits all operations in the XDR functional areas:

  • Alerts and incidents
  • NCIRCC incidents
  • Playbooks and response
  • Asset Management
  • IAM
  • Tenants
  • Integrations
  • Licenses

Tenant administrator

Permits all operations in the XDR functional areas:

  • Alerts and incidents
  • NCIRCC incidents
  • Playbooks and response
  • Asset Management
  • IAM
  • Tenants
  • Integrations
  • Licenses

This role corresponds to the Main Administrator role, but with one restriction: in KUMA, a tenant administrator has limited access to the preset objects.

SOC administrator

Grants the following rights in the XDR functional areas:

  • Playbooks and response: Read, Write, and Delete
  • IAM: Read users and roles, Assign roles, and Lists users
  • Tenants: Read and Write
  • Integrations: Read, Write, and Delete
  • Licenses: Read

Junior analyst

Grants the following rights in the XDR functional areas:

  • Alerts and incidents: Read and Write
  • Playbooks and response: Read and Execute
  • Asset Management: Read
  • IAM: Read users and roles and Lists users
  • Tenants: Read
  • Integrations: Read
  • Licenses: Read

Tier 2 analyst

Grants the following rights in the XDR functional areas:

  • Alerts and incidents: Read and Write
  • Playbooks and response: Read, Write, Delete, and Execute
  • Asset Management: Read
  • IAM: Read users and roles and Lists users
  • Tenants: Read
  • Integrations: Read
  • Licenses: Read

Tier 1 analyst

Grants the following rights in the XDR functional areas:

  • Alerts and incidents: Read and Write
  • Playbooks and response: Read, Write, Delete, and Execute
  • Asset Management: Read
  • IAM: Read users and roles and Lists users
  • Tenants: Read
  • Integrations: Read
  • Licenses: Read

This role corresponds to the Tier 2 analyst role, but with one restriction: in KUMA, a Tier 1 analyst can only modify their own objects.

SOC manager

Grants the following rights in the XDR functional areas:

  • Alerts and incidents: Read and Write
  • Playbooks and response: Read
  • Asset Management: Read
  • IAM: Read users and roles and Lists users
  • Tenants: Read
  • Integrations: Read
  • Licenses: Read

Approver

Grants the following rights in the XDR functional areas:

  • Alerts and incidents: Read, Write, Close
  • Playbooks and response: Read and Response confirmation
  • Asset Management: Read
  • IAM: Read users and roles
  • Tenants: Read
  • Integrations: Read
  • Licenses: Read

Observer

Grants the following rights in the XDR functional areas:

  • Alerts and incidents: Read
  • Playbooks and response: Read
  • Asset Management: Read
  • IAM: Read users and roles and Lists users
  • Tenants: Read
  • Integrations: Read
  • Licenses: Read

Interaction with NCIRCC

Grants the following rights in the XDR functional areas:

  • Alerts and incidents: Read and Write
  • NCIRCC incidents: Read and Write
  • Playbooks and response: Read
  • Asset Management: Read
  • IAM: Read users and roles, Lists users
  • Tenants: Read
  • Integrations: Read
  • Licenses: Read

A user with this role can work with XDR incidents, create NCIRCC incidents based on them, and export NCIRCC incidents (without access to critical information infrastructure).

Service roles

Automatic Threat Responder

Grants service accounts the right to respond to threats.

Access rights are configured automatically in accordance with the role-based access control policies of Kaspersky Security Center Linux and managed Kaspersky applications.

You can assign this role only to service accounts.

This role cannot be edited.


[Topic 203750]

Assigning access rights to specific objects

In addition to assigning access rights at the server level, you can configure access to specific objects, for example, to a specific task. The application allows you to specify access rights to the following object types:

  • Administration groups
  • Tasks
  • Reports
  • Device selections
  • Event selections

To assign access rights to a specific object:

  1. Depending on the object type, in the main menu, go to the corresponding section:
    • Assets (Devices) → Hierarchy of groups
    • Assets (Devices) → Tasks
    • Monitoring & reporting → Reports
    • Assets (Devices) → Device selections
    • Monitoring & reporting → Event selections
  2. Open the properties of the object to which you want to configure access rights.

    To open the properties window of an administration group or a task, click the object name. Properties of other objects can be opened by using the button on the toolbar.

  3. In the properties window, open the Access rights section.

    The user list opens. The listed users and security groups have access rights to the object. By default, if you use a hierarchy of administration groups or Servers, the list and access rights are inherited from the parent administration group or primary Server.

  4. To be able to modify the list, enable the Use custom permissions option.
  5. Configure access rights:
    • Use the Add and Delete buttons to modify the list.
    • Specify access rights for a user or security group. Do one of the following:
      • If you want to specify access rights manually, select the user or security group, click the Access rights button, and then specify the access rights.
      • If you want to assign a user role to the user or security group, select the user or security group, click the Roles button, and then select the role to assign.
  6. Click the Save button.

The access rights to the object are configured.
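As an added example (not code from the page or from Kaspersky), the Python below models the inheritance rule from step 3 and the Use custom permissions option from step 4: an object uses the access-rights list of the nearest ancestor on which Use custom permissions is enabled (or the root if there is none), and the server-level Read right in General features: Access objects regardless of their ACLs grants read access even where that list withholds it. The class and function names, the way principals and rights are keyed, and the sample hierarchy are assumptions made for this example.

```python
"""Object-level access rights in Open Single Management Platform, as a model.

Added illustration, not product code. It encodes two statements from the
page: an object's access-rights list is inherited from the parent
administration group unless "Use custom permissions" is enabled on the
object, and the Read right in "General features: Access objects regardless
of their ACLs" grants read access even where an object's own list withholds
it. The class and function names, the way principals and rights are keyed,
and the sample hierarchy are assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class ManagedObject:
    """An administration group, task, report, or selection with its ACL."""
    name: str
    parent: Optional["ManagedObject"] = None
    use_custom_permissions: bool = False
    # principal (user or security group name) -> rights granted on the object
    acl: Dict[str, Set[str]] = field(default_factory=dict)

    def acl_source(self) -> "ManagedObject":
        """Nearest object up the hierarchy whose list is custom (or the root)."""
        node = self
        while not node.use_custom_permissions and node.parent is not None:
            node = node.parent
        return node

    def effective_acl(self) -> Dict[str, Set[str]]:
        return self.acl_source().acl


def has_object_right(obj: ManagedObject, principals: Set[str], right: str,
                     acl_bypass_read: bool = False) -> bool:
    """True if any of the user's principals (the user itself and its security
    groups) holds `right` in the object's effective ACL. Read is also granted
    when the user holds the server-level ACL-bypass Read right."""
    if right == "Read" and acl_bypass_read:
        return True
    acl = obj.effective_acl()
    return any(right in acl.get(p, set()) for p in principals)


def build_sample() -> Dict[str, ManagedObject]:
    """Constructed hierarchy (not a real deployment): a root group with an
    ACL, a branch group that inherits it, a server group with a custom list
    that drops the helpdesk group, and a task under the server group."""
    root = ManagedObject("Managed devices", acl={
        "kladmins": {"Read", "Write", "Execute"},
        "helpdesk": {"Read"},
    })
    branch = ManagedObject("Branch office", parent=root)
    servers = ManagedObject("Branch servers", parent=branch,
                            use_custom_permissions=True,
                            acl={"kladmins": {"Read", "Write", "Execute"}})
    task = ManagedObject("Update databases", parent=servers)
    return {o.name: o for o in (root, branch, servers, task)}


if __name__ == "__main__":
    objs = build_sample()
    # helpdesk reads the branch group through inheritance from the root...
    print(has_object_right(objs["Branch office"], {"helpdesk"}, "Read"))
    # ...but not the task, which inherits the custom list of "Branch servers".
    print(has_object_right(objs["Update databases"], {"helpdesk"}, "Read"))
    # The ACL-bypass Read right restores read access, and nothing else.
    print(has_object_right(objs["Update databases"], {"helpdesk"}, "Read",
                           acl_bypass_read=True))
```

Enabling Use custom permissions on a group cuts inheritance for everything beneath it, so a principal left off the custom list loses access to every child object that still inherits; the ACL-bypass Read right is the only thing that restores read access, which is why the page recommends granting it sparingly.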

See also:

Configuring access rights to application features. Role-based access control

Access rights to application features

Predefined user roles

[Topic 237474]

Assigning permissions to users and groups

You can give users and security groups access rights to use different features of Administration Server and of the Kaspersky applications for which you have management plug-ins, for example, Kaspersky Endpoint Security for Windows.

To assign permissions to a user or security group:

  1. In the main menu, click the settings icon next to the name of the required Administration Server.

    The Administration Server properties window opens.

  2. On the Access rights tab, select the check box next to the name of the user or the security group to whom to assign rights, and then click the Access rights button.

    You cannot select multiple users or security groups at the same time. If you select more than one item, the Access rights button will be disabled.

  3. Configure the set of rights for the user or group:
    1. Expand the node with the features of Administration Server or of another Kaspersky application.
    2. Select the Allow or Deny check box next to the feature or the access right that you want.

      Example 1: Select the Allow check box next to the Application integration node to grant all available access rights to the Application integration feature (Read, Write, and Execute) for a user or group.

      Example 2: Expand the Encryption key management node, and then select the Allow check box next to the Write permission to grant the Write access right to the Encryption key management feature for a user or group.

  4. After you configure the set of access rights, click OK.

The set of rights for the user or group of users will be configured.

The permissions of the Administration Server (or the administration group) are divided into the following areas:

  • General features:
    • Management of administration groups
    • Access objects regardless of their ACLs
    • Basic functionality
    • Deleted objects
    • Encryption Key Management
    • Event processing
    • Operations on Administration Server
    • Device tags
    • Kaspersky software deployment
    • License key management
    • Enforced report management
    • Hierarchy of Servers
    • User rights
    • Virtual Administration Servers
  • Mobile Device Management:
    • General
  • System Management:
    • Connectivity
    • Hardware inventory
    • Network Access Control
    • Deploy operating system
    • Manage vulnerabilities and patches
    • Remote installation
    • Software inventory

If neither Allow nor Deny is selected for a permission, the permission is undefined and is treated as denied until it is explicitly allowed or denied for the user.

The rights of a user are the sum of the following:

  • The user's own rights
  • The rights of all the roles assigned to the user
  • The rights of all the security groups to which the user belongs
  • The rights of all the roles assigned to those security groups

If at least one of these sets of rights has Deny for a permission, the user is denied this permission, even if other sets allow it or leave it undefined.
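The following Python script is an added example (not code from the page or from Kaspersky) that models how the combination rules just listed work together with the rights table in Access rights to application features: each source of rights (the user's own entry, the user's roles, the user's security groups, and the roles of those groups) is a map of Allow/Deny settings, an undefined permission counts as denied, a single Deny wins over any number of Allows, and running a task on a device selection requires Perform operations on device selections in the same functional area in addition to Execute. The data layout, the helper names, the treatment of Execute as the right that runs a task, and the sample rights sets are assumptions made for this example.

```python
"""Effective-rights resolution in Open Single Management Platform, as a model.

Added illustration, not product code. It encodes the rules the page states
for server-level permissions:
  * a permission with neither Allow nor Deny set is undefined and counts as
    denied;
  * a user's rights are the sum of the user's own rights, the rights of the
    roles assigned to the user, the rights of the user's security groups, and
    the rights of the roles assigned to those groups;
  * if any one of those sources sets Deny, the permission is denied even if
    the others allow it or leave it undefined;
  * running a task, report, or setting on a device selection additionally
    requires "Perform operations on device selections" in the same area.
The data layout (dicts keyed by (functional area, right)), the helper names,
and the choice of Execute as the right that runs a task are assumptions.
"""
from enum import Enum
from typing import Dict, List, Tuple


class Setting(Enum):
    ALLOW = "Allow"
    DENY = "Deny"


Key = Tuple[str, str]            # (functional area, right)
RightsSet = Dict[Key, Setting]   # keys absent from the dict are undefined

# Area and right names taken from the page.
BASIC = "General features: Basic functionality"
GROUPS = "General features: Management of administration groups"
VSERVERS = "General features: Virtual Administration Servers"
DEVSEL = "Perform operations on device selections"


def effective_rights(sources: List[RightsSet]) -> Dict[Key, bool]:
    """Combine all sources: Deny wins, otherwise any Allow grants, else denied."""
    effective: Dict[Key, bool] = {}
    for key in {k for src in sources for k in src}:
        settings = [src[key] for src in sources if key in src]
        effective[key] = (Setting.DENY not in settings) and (Setting.ALLOW in settings)
    return effective


def denying_sources(sources: List[RightsSet], key: Key) -> List[int]:
    """Indexes of the sources that explicitly deny `key`: the check to run
    when a user is unexpectedly blocked and you need to find which group or
    role is responsible."""
    return [i for i, src in enumerate(sources) if src.get(key) is Setting.DENY]


def has_right(effective: Dict[Key, bool], area: str, right: str) -> bool:
    return effective.get((area, right), False)   # undefined -> denied


def can_run_task(effective: Dict[Key, bool], area: str,
                 on_device_selection: bool) -> bool:
    """Execute in the task's area, plus the device-selections right when the
    task targets a device selection rather than an administration group."""
    if not has_right(effective, area, "Execute"):
        return False
    return (not on_device_selection) or has_right(effective, area, DEVSEL)


# Constructed sample, not taken from a real deployment.
USER_OWN: RightsSet = {(GROUPS, "Write"): Setting.ALLOW}
OPERATOR_ROLE: RightsSet = {          # shaped like Administration Server Operator
    (BASIC, "Read"): Setting.ALLOW,
    (BASIC, "Execute"): Setting.ALLOW,
    (VSERVERS, "Read"): Setting.ALLOW,
    (VSERVERS, "Execute"): Setting.ALLOW,
}
SECURITY_GROUP: RightsSet = {(BASIC, DEVSEL): Setting.ALLOW}
GROUP_ROLE: RightsSet = {(BASIC, DEVSEL): Setting.DENY}   # one Deny is enough

SOURCES = [USER_OWN, OPERATOR_ROLE, SECURITY_GROUP, GROUP_ROLE]
EFFECTIVE = effective_rights(SOURCES)

if __name__ == "__main__":
    print("run task on group:    ", can_run_task(EFFECTIVE, BASIC, False))
    print("run task on selection:", can_run_task(EFFECTIVE, BASIC, True))
    print("denied by source(s):  ", denying_sources(SOURCES, (BASIC, DEVSEL)))
```

In the sample, the user can run the task against an administration group but not against a device selection, and denying_sources() points at the role assigned to the security group rather than at anything set on the user directly; with Deny-wins semantics that indirect source is the usual culprit when access is unexpectedly blocked.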

You can also add users and security groups to the scope of a user role. Settings associated with a user role apply only to devices that belong to users who have this role, and only if those devices belong to the groups associated with this role, including their child groups.

[Topic 172173]