Managing virtual Administration Servers

This section describes the following actions to manage virtual Administration Servers:

• Create virtual Administration Servers
• Enable and disable virtual Administration Servers
• Assign an administrator for a virtual Administration Server
• Change the Administration Server for client devices
• Delete virtual Administration Servers

Creating a virtual Administration Server

You can create virtual Administration Servers and add them to administration groups.

To create and add a virtual Administration Server:

1. In the main menu, click the settings icon () next to the name of the required Administration Server.
2. On the page that opens, proceed to the Administration Servers tab.
3. Select the administration group to which you want to add a virtual Administration Server.
   The virtual Administration Server will manage devices from the selected group (including the subgroups).
4. On the menu line, click New virtual Administration Server.
5. On the page that opens, define the properties of the new virtual Administration Server:
   • Name of virtual Administration Server.
   • Administration Server connection address

     You can specify the name or the IP address of your Administration Server.

6. From the list of users, select the virtual Administration Server administrator. If you want, you can edit one of the existing accounts before assigning it the administrator's role, or create a new user account.
7. Click Save.

The new virtual Administration Server is created, added to the administration group and displayed on the Administration Servers tab.

If you are connected to your primary Administration Server in OSMP Console, and can not connect to a virtual Administration Server that is managed by a secondary Administration Server, you can use one of the following ways:

• Modify the existing OSMP Console installation to add the secondary Server to the list of trusted Administration Servers. Then you will be able to connect to the virtual Administration Server in OSMP Console.
  1. On the device where OSMP Console is installed, run the OSMP Console installation file corresponding to the Linux distribution installed on your device under an account with administrative privileges.

     The Setup Wizard will start. Proceed through the wizard by using the Next button.

  2. Select the Upgrade option.
  3. On the Modification type step, select the Edit connection settings option.
  4. On the Trusted Administration Servers step, add the required secondary Administration Server.
  5. On the last step, click Modify to apply the new settings.
  6. After the application reconfiguration successfully completes, click the Finish button.
• Use OSMP Console to connect directly to the secondary Administration Server where the virtual Server was created. Then you will be able to switch to the virtual Administration Server in OSMP Console.

Enabling and disabling a virtual Administration Server

When you create a new virtual Administration Server, it is enabled by default. You can disable or enable it again at any time. Disabling or enabling a virtual Administration Server is equal to switching off or on a physical Administration Server.

To enable or disable a virtual Administration Server:

1. In the main menu, click the settings icon () next to the name of the required Administration Server.
2. On the page that opens, proceed to the Administration Servers tab.
3. Select the virtual Administration Server that you want to enable or disable.
4. On the menu line, click the Enable / disable virtual Administration Server button.

The virtual Administration Server state is changed to enabled or disabled, depending on its previous state. The updated state is displayed next to the Administration Server name.

Assigning an administrator for a virtual Administration Server

When you use virtual Administration Servers in your organization, you might want to assign a dedicated administrator for each virtual Administration Server. For example, this might be useful when you create virtual Administration Servers to manage separate offices or departments of your organization, or if you are an MSP provider and you manage your tenants through virtual Administration Servers.

When you create a virtual Administration Server, it inherits the user list and all of the user rights of the primary Administration Server. If a user has access rights to the primary Server, this user has access rights to the virtual Server as well. After creation, you configure the access rights to the Servers independently. If you want to assign an administrator for a virtual Administration Server only, make sure that the administrator does not have access rights on the primary Administration Server.

You assign an administrator for a virtual Administration Server by granting the administrator access rights to the virtual Administration Server. You can grant the required access rights in one of the following ways:

• Configure access rights for the administrator manually
• Assign one or more user roles for the administrator

To sign in to OSMP Console, an administrator of a virtual Administration Server specifies the virtual Administration Server name, user name, and password. OSMP Console authenticates the administrator and opens the virtual Administration Server to which the administrator has access rights. The administrator cannot switch between Administration Servers.

Prerequisites

Before you start, ensure that the following conditions are met:

• The virtual Administration Server is created.
• On the primary Administration Server, you have created an account for the administrator that you want to assign for the virtual Administration Server.
• You have the Modify object ACLs right in the General features → User permissions functional area.

Configuring access rights manually

To assign an administrator for a virtual Administration Server:

1. In the main menu, switch to the required virtual Administration Server:
   1. Click the chevron icon () to the right of the current Administration Server name.
   2. Select the required Administration Server.
2. In the main menu, click the settings icon () next to the name of the Administration Server.

   The Administration Server properties window opens.

3. On the Access rights tab, click the Add button.

   A unified list of users of the primary Administration Server and the current virtual Administration Server opens.

4. From the list of users, select the account of the administrator that you want to assign for the virtual Administration Server, and then click the OK button.

   The application adds the selected user to the user list on the Access rights tab.

5. Select the check box next to the added account, and then click the Access rights button.
6. Configure the rights that the administrator will have on the virtual Administration Server.

   For successful authentication, at minimum, the administrator must have the following rights:

   • Read right in the General features → Basic functionality functional area
   • Read right in the General features → Virtual Administration Servers functional area

The application saves the modified user rights to the administrator account.

Configuring access rights by assigning user roles

Alternatively, you can grant the access rights to a virtual Administration Server administrator through user roles. For example, this might be useful if you want to assign several administrators on the same virtual Administration Server. If this is the case, you can assign the administrators' accounts the same one or more user roles instead of configuring the same user rights for several administrators.

To assign an administrator for a virtual Administration Server by assigning user roles:

1. On the primary Administration Server, create a new user role, and then specify all of the required access rights that an administrator must have on the virtual Administration Server. You can create several roles, for example, if you want to separate access to different functional areas.
2. In the main menu, switch to the required virtual Administration Server:
   1. Click the chevron icon () to the right of the current Administration Server name.
   2. Select the required Administration Server.
3. Assign the new role or several roles to the administrator account.

The application assigns the roles to the administrator account.

Configuring access rights at the object level

In addition to assigning access rights at the functional area level, you can configure access to specific objects on the virtual Administration Server, for example, to a specific administration group or a task. To do this, switch to the virtual Administration Server, and then configure the access rights in the object's properties.

Changing the Administration Server for client devices

Expand all | Collapse all

You can change the Administration Server that manages client devices to a different Server using the Change Administration Server task. After the task completion, the selected client devices will be put under the management of the Administration Server that you specify.

To change the Administration Server that manages client devices to a different Server:

1. In the main menu, go to Assets (Devices) → Tasks.
2. Click Add.

   The New task wizard starts. Proceed through the wizard by using the Next button.

3. For the Open Single Management Platform application, select the Change Administration Server task type.
4. Specify the name for the task that you are creating.

   A task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).

5. Select devices to which the task will be assigned.
6. Select the Administration Server that you want to use to manage the selected devices.
7. Specify the account settings:
   • Default account

     The task will be run under the same account as the application that performs this task.

     By default, this option is selected.

   • Specify account

     Fill in the Account and Password fields to specify the details of an account under which the task is run. The account must have sufficient rights for this task.

   • Account

     Account under which the task is run.

   • Password

     Password of the account under which the task will be run.

8. If on the Finish task creation page you enable the Open task details when creation is complete option, you can modify the default task settings. If you do not enable this option, the task is created with the default settings. You can modify the default settings later, at any time.
9. Click the Finish button.

   The task is created and displayed in the list of tasks.

10. Click the name of the created task to open the task properties window.
11. In the task properties window, specify the general task settings according to your needs.
12. Click the Save button.

    The task is created and configured.

13. Run the created task.

After the task is complete, the client devices for which it was created are put under the management of the Administration Server specified in the task settings.

Deleting a virtual Administration Server

When you delete a virtual Administration Server, all of the objects created on the Administration Server, including policies and tasks, will be deleted as well. The managed devices from the administration groups that were managed by the virtual Administration Server will be removed from the administration groups. To return the devices under management of Kaspersky Next XDR Expert, run the network polling, and then move the found devices from the Unassigned devices group to the administration groups.

To delete a virtual Administration Server:

1. In the main menu, click the settings icon () next to the name of the Administration Server.
2. On the page that opens, proceed to the Administration Servers tab.
3. Select the virtual Administration Server that you want to delete.
4. On the menu line, click the Delete button.

The virtual Administration Server is deleted.