Access rights to Administration Server and its objects in Kaspersky Security Center 11
Latest update: August 04, 2020
ID: 15245
You can grant permissions to individual users or groups of users to use the features of Administration Server and Kaspersky programs for which the management plug-ins were installed. To do this:
- Open Kaspersky Security Center 11.
- Select the Display security settings sections checkbox in the interface settings of Kaspersky Security Center 11. For instructions, see Online Help.
- Open Administration Server properties and go to the Security section.
- Select a user or a user group.
- Go to the Rights tab.
- Set access rights for users or user groups. To configure the rights, select the Allow or Deny checkboxes in the corresponding lines. The descriptions of Administration Server access rights are listed below.
- Click OK.
The permissions will be set for the user or the user group.
Descriptions of Administration Server access rights
There are three types of permissions in Administration Server:
- General features
- Mobile Device Management
- System management
What is included in General features
- Administration group management. Includes the following rights:
  - Modify. You can deny or allow actions on administration groups.
- Access to objects regardless of their ACLs. Includes the following rights:
  - Read.
- Basic functionality. Includes the following rights:
  - Read. You can deny or allow access to Basic functionality.
  - Modify. You can deny or allow viewing and modifying Basic functionality configuration.
  - Execute. You can deny or allow running Administration Server tasks.
  - Perform operations on device selections. You can deny or allow a device selection to run Administration Server tasks.
- Deleted objects. Includes the following rights:
  - Read. You can deny or allow viewing the information on deleted objects.
  - Modify. You can deny or allow adjusting the storage time for deleted objects.
- Event processing. Includes the following rights:
  - Modify. You can deny or allow changing the number of events stored in Administration Server database and the storage time for objects deleted from computers.
  - Change event log settings.
  - Edit event notification settings.
  - Delete events.
- Operations on Administration Server. Includes the following rights:
  - Read.
  - Modify.
  - Execute.
  - Perform operations on device selections.
- Kaspersky software deployment. Includes the following rights:
  - Read. You can deny or allow viewing: stored installation packages of Kaspersky software, properties of the remote installation tasks, Enforced reports.
  - Modify. You can deny or allow creating and modifying: new packages and tasks, Enforced reports.
  - Execute. You can deny or allow running remote installation tasks.
  - Perform operations on device selections. You can deny or allow a device selection to run remote installation tasks.
- Key management. Includes the following rights:
  - Modify. You can deny or allow: adding new keys to the storage, deleting old keys, and automatically deploying the keys.
  - Export key file. You can deny or allow exporting the key files from the storage.
- Report management. Includes the following rights:
  - Read. You can deny or allow running and creating reports.
  - Modify. You can deny or allow modifying report parameters.
- Hierarchy of Administration Servers. Includes the following rights:
  - Manage Administration Servers hierarchy. You can deny or allow adding and removing Secondary Administration Servers.
- User permissions. Includes the following rights:
  - Edit access control lists. You can deny or allow adjusting the rights distribution system: modifying rights of existing users and user groups, granting rights to new users, creating users, creating and modifying user roles, canceling rights inheritance in the group hierarchy.
- Virtual Administration Servers. Includes the following rights:
  - Read.
  - Modify.
  - Execute.
  - Manage virtual servers. You can deny or allow adding virtual Administration Servers.
  - Perform operations on device selections. You can deny or allow a device selection to add virtual Administration Servers.
What is included in Mobile Device Management
- General. Includes the following rights:
  - Read. You can deny or allow displaying the Mobile Device Management node in Administration Console.
  - Modify. You can deny or allow: configuring the connection to Google Cloud Messaging, modifying the certificate issue parameters, editing Mobile Device Management settings, with the exception of mobile device management server parameters.
  - Connect new devices. You can deny or allow generating certificates and customized packages of Kaspersky Security 10 which include user certificates for mobile devices. You can send users the links to these packages.
  - Send only information commands to mobile devices.
  - Send commands to mobile devices. You can deny or allow sending supported commands to mobile devices.
  - Manage certificates.
- Self Service Portal. Includes the following rights:
  - Read. You can deny or allow access to Self Service Portal.
  - Modify. You can deny or allow deleting previously created installation packages.
  - Connect new devices. You can deny or allow creating installation packages and transferring them to new mobile devices.
  - Send only information commands to mobile devices.
  - Send commands to mobile devices. You can deny or allow sending supported commands to mobile devices.
What is included in System management
- Connections. Includes the following rights:
  - Read. You can deny or allow viewing Report on device users.
  - Modify. You can deny or allow creating or editing Report on device users.
  - Execute.
  - Save files from devices to the administrator workstation. You can deny or allow saving files from Quarantine and Backup storages.
  - Initiate tunneling. For more information, see Online Help.
  - Create RDP sessions.
  - Connection to existing RDP sessions.
  - Perform operations on device selections.
- Hardware inventory. Includes the following rights:
  - Read. You can deny or allow: displaying Hardware section, reviewing Report on hardware registry.
  - Modify. You can deny or allow: modifying device attributes, adding devices, adding consolidated fields to the reports, importing from XML and Excel files, editing properties of the reports.
  - Execute.
  - Perform operations on device selections.
- Network Access Control. Includes the following rights:
  - Read. You can deny or allow displaying the Network Access Control (NAC) section in the Network Agent policy.
  - Modify. You can deny or allow: enabling or disabling NAC Enforcer, adjusting its mode of operation.
- Deploy operating system. Includes the following rights:
  - Read. You can deny or allow displaying the Deploy device images section and the installation packages.
  - Modify. You can deny or allow: creating tasks for capturing images of operating systems, creating and modifying the package with image from WIM file.
  - Execute. You can deny or allow running tasks for capturing images of operating systems or tasks for installing the image package.
  - Deploy PXE servers. You can deny or allow editing destinations of PXE servers.
  - Perform operations on device selections. You can deny or allow a device selection to run tasks for capturing images of operating systems or tasks for installing the image package.
- Manage vulnerabilities and patches. Includes the following rights:
  - Read. You can deny or allow displaying the Software updates section.
  - Modify. You can deny or allow changing policy settings of Network Agent in the Software updates and vulnerabilities section. You can create and modify the Windows Update synchronization task and the task for installing required updates, as well as accept update license agreements. You can also approve or decline updates and create installation packages using Kaspersky database of third-party applications.
  - Execute. You can deny or allow running tasks for Windows Update synchronization and installation of required updates.
  - Perform operations on device selections. You can deny or allow a device selection to run tasks for Windows Update synchronization and installation of required updates.
- Remote installation. Includes the following rights:
  - Read. You can deny or allow viewing installation packages.
  - Modify. You can deny or allow modifying installation packages.
  - Execute.
  - Perform operations on device selections.
- Software inventory. Includes the following rights:
  - Read. You can deny or allow displaying the Application registry section and creating application registry report.
  - Modify. You can deny or allow adding Monitored applications, publishing installation events, editing created application registry reports.
  - Execute. You can deny or allow modifying the automatic updating settings.
  - Perform operations on device selections. You can deny or allow a device selection to modify the automatic updating settings.