User roles
KUMA users may have the following roles:
- General administrator—this role is designed for users who are responsible for the core functionality of KUMA systems. For example, they install system components, perform maintenance, work with services, create backups, and add users to the system. These users have full access to KUMA.
- Administrator—this role is for users responsible for the core functionality of KUMA systems owned by specific tenants.
- Analyst—this role is for users responsible for configuring the KUMA system to receive and process events of a specific tenant. They also create and tweak correlation rules.
- First line analyst—this role is for users responsible for configuring the KUMA system to receive and process events of a specific tenant. They also create and tweak correlation rules. Users with this role have fewer privileges than analysts.
- Operator—this role is for users dealing with immediate security threats of a specific tenant. A user with the operator role sees resources in a shared tenant through the REST API.
User roles rights
Web interface section and actions
General administrator
Administrator
Analyst
First line analyst
Operator
Comment
Reports
View and edit templates and reports
filled in
filled in
filled in
filled in
no
The first line analysts and analysts can:
- View and edit templates and reports that they created themselves.
- View reports sent to them by email.
- View predefined templates.
Generate reports
filled in
filled in
filled in
filled in
no
The analysts can generate the reports they created or the predefined reports (from a template or a report).
The analysts cannot generate reports sent to them by email.
Export generated reports
filled in
filled in
filled in
filled in
no
The first line analysts and the analysts can upload:
- Reports that they created themselves.
- Predefined reports.
- Reports received by email.
Delete templates and generated reports
filled in
filled in
filled in
filled in
no
The first line analysts and the analysts can delete the templates and reports they generated.
The first line analysts and the analysts cannot delete:
- Predefined templates.
- Reports received by email.
Only the general administrator can delete predefined templates and reports.
Edit the settings for generating reports
filled in
filled in
filled in
filled in
no
The analysts can change the settings for generating predefined reports and the reports they created.
The first line analysts can change the settings for generating the reports they created.
Duplicate report template
filled in
filled in
filled in
filled in
no
The first line analysts and the analysts can duplicate their own reports and predefined reports.
Receive the generated report by email
filled in
filled in
filled in
filled in
filled in
If a report is sent as a link, it is available to KUMA users only.
If a report is sent as an attachment, it is available to all recipients in the list of email addresses.
Dashboard
View data on the dashboard and change layouts
filled in
filled in
filled in
filled in
filled in
View the Universal layout
filled in
filled in
filled in
filled in
filled in
Add layouts
filled in
filled in
filled in
filled in
no
This includes adding widgets to a layout.
Only the general administrator can add a universal layout.
Edit and rename layouts
filled in
filled in
filled in
only own
no
This includes adding, editing, and deleting widgets.
Analysts may change/rename predefined layouts and layouts that were created using their account.
Delete layouts
filled in
filled in
filled in
only own
no
Tenant administrators may delete layouts in the tenants available to them.
Analysts may delete layouts that were created using their account.
Only the general administrator can delete predefined layouts.
Enable and disable the TV mode
filled in
filled in
filled in
filled in
filled in
Resources → Services and Resources → Services → Active services
View the list of active services
filled in
filled in
filled in
filled in
no
Only the general administrator can view and delete storage spaces.
Access rights do not depend on the tenants selected in the menu.
View the contents of the active list
filled in
filled in
filled in
filled in
no
Import/export/clear the contents of the active list
filled in
filled in
filled in
filled in
no
First line analysts can:
Export the contents of all the active lists they have access to.
Import and clear the active lists they created.
Create a set of resources for services
filled in
filled in
filled in
no
no
Analysts cannot create storages.
Create a service under Resources → Services → Active services
filled in
filled in
no
no
no
Only the general administrator can create a service.
Delete services
filled in
filled in
no
no
no
Restart services
filled in
filled in
no
no
no
Update the settings of services
filled in
filled in
filled in
no
no
Reset certificates
filled in
filled in
no
no
no
A user with the administrator role can reset the certificates of services only in the tenants that are accessible to the user.
Resources → Resources
View the list of resources
filled in
filled in
filled in
filled in
no
Analysts cannot view the list of secret resources, but these resources are available to them when they create services.
Add resources
filled in
filled in
filled in
filled in
no
Analysts cannot add secret resources.
Duplicate resources
filled in
filled in
filled in
filled in
no
The first line analysts can duplicate a resource created by other users, including a set of service resources. However, the first line analysts cannot change the dependent resources in the copy of the set of service resources.
Edit resources
filled in
filled in
filled in
filled in
no
Create/edit/delete resources in a shared tenant
filled in
no
no
no
no
Delete resources
filled in
filled in
filled in
filled in
no
Analysts cannot delete secret resources.
The first line analysts can delete only their own resources.
Import resources
filled in
filled in
filled in
no
no
Only the general administrator can import resources to a shared tenant.
View the repository, import the resources from the repository
filled in
filled in
filled in
no
no
Only the general administrator can import resources to a shared tenant.
Export resources
filled in
filled in
filled in
no
no
This includes resources from a shared tenant.
View/edit collector or correlator drafts
filled in
filled in
filled in
filled in
no
The user may only access their own drafts, regardless of the selected tenant. The list of drafts is generated based on those that belong to the user.
Source status → List of event sources
View sources of events
filled in
filled in
filled in
filled in
filled in
Change sources of events
filled in
filled in
filled in
no
no
Delete sources of events
filled in
filled in
filled in
no
no
Source status → Monitoring policies
View monitoring policies
filled in
filled in
filled in
filled in
filled in
Create monitoring policies
filled in
filled in
filled in
no
no
Edit monitoring policies
filled in
filled in
filled in
no
no
Only the general administrator can edit the predefined monitoring policies.
Delete monitoring policies
filled in
filled in
filled in
no
no
Predefined policies cannot be removed.
Assets
View assets and asset categories
filled in
filled in
filled in
filled in
filled in
This includes shared tenant categories.
Add/edit/delete asset categories
filled in
filled in
filled in
filled in
no
Within the tenant available to the user.
Add asset categories in a shared tenant
filled in
no
no
no
no
This includes editing and deleting shared tenant categories.
Link assets to an asset category of the shared tenant
filled in
filled in
filled in
filled in
no
Add assets
filled in
filled in
filled in
filled in
no
Edit assets
filled in
filled in
filled in
filled in
no
Delete assets
filled in
filled in
filled in
filled in
no
Import assets from Kaspersky Security Center
filled in
filled in
filled in
filled in
no
Start tasks on assets in Kaspersky Security Center
filled in
filled in
filled in
filled in
no
Run tasks on Kaspersky Endpoint Detection and Response assets
filled in
filled in
filled in
filled in
no
Confirm updates to fix the asset vulnerabilities and accept the licensing agreements
filled in
filled in
no
no
no
Run the tasks on the assets in KEDR
filled in
filled in
filled in
filled in
no
Editing custom fields of the assets (Settings → Assets)
filled in
filled in
filled in
filled in
no
Alerts
View the list of alerts
filled in
filled in
filled in
filled in
filled in
Change the severity of alerts
filled in
filled in
filled in
filled in
filled in
Open the details of alerts
filled in
filled in
filled in
filled in
filled in
Assign responsible users
filled in
filled in
filled in
filled in
filled in
Close alerts
filled in
filled in
filled in
filled in
filled in
Add comments to alerts
filled in
filled in
filled in
filled in
filled in
Attach an event to alerts
filled in
filled in
filled in
filled in
filled in
Detach an event from alerts
filled in
filled in
filled in
filled in
filled in
Edit and delete someone else's filters
filled in
filled in
no
no
no
Analysts and operators can edit or delete only their own filter resources.
Incidents
View the list of incidents
filled in
filled in
filled in
filled in
filled in
Create blank incidents
filled in
filled in
filled in
filled in
filled in
Manually create incidents from alerts
filled in
filled in
filled in
filled in
filled in
Change the severity of incidents
filled in
filled in
filled in
filled in
filled in
Open the incident details
filled in
filled in
filled in
filled in
filled in
Incident details display data from only those tenants to which the user has access.
Assign executors
filled in
filled in
filled in
filled in
filled in
Close incidents
filled in
filled in
filled in
filled in
filled in
Add comments to incidents
filled in
filled in
filled in
filled in
filled in
Attach alerts to incidents
filled in
filled in
filled in
filled in
filled in
Detach alerts from incidents
filled in
filled in
filled in
filled in
filled in
Edit and delete someone else's filters
filled in
filled in
no
no
no
Analysts and operators can edit or delete only their own filter resources.
Export incidents to RuCERT
filled in
filled in
filled in
filled in
filled in
The export function is always available to the general administrator. Other users can perform export if the "Can interact with RuCERT" check box is selected in their profile.
In the case of hierarchical KUMA deployment, interaction with RuCERT is performed from the main KUMA node.
Send files to RuCERT
filled in
filled in
filled in
filled in
filled in
Download files sent to RuCERT
filled in
filled in
filled in
filled in
filled in
Export additional incident data to RuCERT upon request
filled in
filled in
filled in
filled in
filled in
Send messages to RuCERT
filled in
filled in
filled in
filled in
filled in
View messages from RuCERT
filled in
filled in
filled in
filled in
filled in
View incident data exported to RuCERT
filled in
filled in
filled in
filled in
filled in
Events
View the list of events
filled in
filled in
filled in
filled in
filled in
Search events
filled in
filled in
filled in
filled in
filled in
Open the details of events
filled in
filled in
filled in
filled in
filled in
Open statistics
filled in
filled in
filled in
filled in
filled in
Conduct a retroscan
filled in
filled in
filled in
no
no
Export events to a TSV file
filled in
filled in
filled in
filled in
filled in
Edit and delete someone else's filters
filled in
filled in
no
no
no
Analysts and operators can edit or delete only their own filter resources.
Start ktl enrichment
filled in
filled in
filled in
filled in
no
Run tasks on Kaspersky Endpoint Detection and Response assets in event details
filled in
filled in
filled in
filled in
no
Create presets
filled in
filled in
filled in
filled in
filled in
Delete presets
filled in
filled in
filled in
filled in
filled in
The first line analysts and the operators can delete only their own presets.
View and use presets
filled in
filled in
filled in
filled in
filled in
Settings → Users
View the list of users
filled in
no
no
no
no
Add a user
filled in
no
no
no
no
Edit a user
filled in
no
no
no
no
Generate token
filled in
filled in
filled in
filled in
filled in
All users can generate their own tokens.
The general administrator can generate a token for any user.
Change access rights for a token
filled in
filled in
no
no
no
The general administrator can change access rights for any user, tenant administrators can change only their own access rights.
View the data of their own profile
filled in
filled in
filled in
filled in
filled in
Edit the data of their own profile
filled in
filled in
filled in
filled in
filled in
The user role is not available for change.
Settings → LDAP server
View the LDAP connection settings
filled in
filled in
filled in
filled in
no
Edit the LDAP connection settings
filled in
filled in
no
no
no
Delete the configuration of an entire tenant from the settings
filled in
filled in
no
no
no
Import assets
filled in
filled in
no
no
no
Settings → Tenants
This section is available only to the general administrator.
View the list of tenants
filled in
no
no
no
no
Add tenants
filled in
no
no
no
no
Change tenants
filled in
no
no
no
no
Disable tenants
filled in
no
no
no
no
Settings → Domain authorization
This section is available only to the general administrator.
View the Active Directory connection settings
filled in
no
no
no
no
Edit the Active Directory connection settings
filled in
no
no
no
no
Add filters based on roles for tenants
filled in
no
no
no
no
Run tasks in Active Directory
filled in
filled in
filled in
no
no
Settings → General
This section is available only to the general administrator.
View the SMTP connection settings
filled in
no
no
no
no
Edit the SMTP connection settings
filled in
no
no
no
no
Settings → License
This section is available only to the general administrator.
View the list of added license keys
filled in
no
no
no
no
Add license keys
filled in
no
no
no
no
Delete license keys
filled in
no
no
no
no
Settings → Kaspersky Security Center
View the list of successfully integrated Kaspersky Security Center servers
filled in
filled in
filled in
filled in
no
Add Kaspersky Security Center connections
filled in
filled in
no
no
no
Delete Kaspersky Security Center connections
filled in
filled in
no
no
no
Delete the configuration of an entire tenant from the settings
filled in
filled in
no
no
no
Start the tasks for importing Kaspersky Security Center assets
filled in
filled in
no
no
no
Settings → Kaspersky Industrial CyberSecurity for Networks
View a list of KICS for Networks servers with which integration has been configured
filled in
filled in
no
no
no
Add and modify the settings of KICS for Networks integration
filled in
filled in
no
no
no
Delete the settings of KICS for Networks integration
filled in
filled in
no
no
no
Run the tasks to import assets from the KICS for Networks settings
filled in
filled in
no
no
no
Settings → Kaspersky Automated Security Awareness Platform
View the ASAP integration settings
filled in
no
no
no
no
Edit the ASAP integration settings
filled in
no
no
no
no
View information from ASAP in the user details window
filled in
filled in
filled in
filled in
filled in
Assign users to an ASAP learning group
filled in
filled in
filled in
filled in
no
Settings → Kaspersky Endpoint Detection and Response
View the connection settings
filled in
filled in
filled in
filled in
no
Add, edit and disconnect the connections when the distributed solution mode is enabled
filled in
no
no
no
no
Enable the distributed solution mode
filled in
no
no
no
no
Add connections when the distributed solution mode is disabled
filled in
filled in
no
no
no
Delete the connections when the distributed solution mode is disabled
filled in
filled in
no
no
no
Delete the configuration of an entire tenant from the settings
filled in
filled in
no
no
no
Settings → Kaspersky CyberTrace
This section is available only to the general administrator.
View the CyberTrace integration settings
filled in
no
no
no
no
Edit the CyberTrace integration settings
filled in
no
no
no
no
Settings → IRP / SOAR
This section is available only to the general administrator.
View the settings for integration with IRP / SOAR
filled in
no
no
no
no
Edit the IRP/SOAR integration settings
filled in
no
no
no
no
Settings → Kaspersky Threat Lookup
This section is available only to the general administrator.
View the Threat Lookup integration settings
filled in
no
no
no
no
Edit the Threat Lookup integration settings
filled in
no
no
no
no
Settings → Alerts
View the parameters
filled in
filled in
filled in
filled in
no
Edit the parameters
filled in
filled in
filled in
no
no
Delete the configuration of an entire tenant from the settings
filled in
filled in
filled in
no
no
Settings → Incidents → Automatic linking of alerts to incidents
View the parameters
filled in
filled in
filled in
filled in
no
Edit the parameters
filled in
no
no
no
no
Settings → Incidents → Incident types
View the categories reference
filled in
filled in
filled in
filled in
no
View the categories charts
filled in
filled in
filled in
filled in
no
Add categories
filled in
filled in
no
no
no
Edit categories
filled in
filled in
no
no
no
Delete categories
filled in
filled in
no
no
no
Settings → RuCERT
View the parameters
filled in
no
no
no
no
Edit the parameters
filled in
no
no
no
no
Settings → Hierarchy
View the parameters
filled in
no
no
no
no
Edit the parameters
filled in
no
no
no
no
View incidents from child nodes
filled in
filled in
filled in
no
filled in
All users of the parent node have access to the incidents in the child nodes.
Settings → Asset audit
Create, clone and edit the settings
filled in
filled in
filled in
no
no
View the parameters
filled in
filled in
filled in
filled in
no
Delete settings
filled in
filled in
no
no
no
Settings → Repository update
View the parameters
filled in
filled in
filled in
no
no
Edit the parameters
filled in
no
no
no
no
Start the repository update task manually
filled in
filled in
filled in
no
no
Settings → Assets
Add, edit, and delete the asset fields
filled in
no
no
no
no
Metrics
Open metrics
filled in
no
no
no
no
Task manager
View a list of your own tasks
filled in
filled in
filled in
filled in
filled in
The section and tasks are not tied to a tenant. The tasks are available only to the user who created them.
Finish your own tasks
filled in
filled in
filled in
filled in
filled in
Restart your own tasks
filled in
filled in
filled in
filled in
filled in
View a list of all tasks
filled in
no
no
no
no
Finish any task
filled in
no
no
no
no
Restart any task
filled in
no
no
no
no
CyberTrace
This section is not displayed in the web interface unless CyberTrace integration is configured under Settings → CyberTrace.
Open the section
filled in
no
no
no
no
Access to the data of tenants
Access to tenants
filled in
filled in
filled in
filled in
filled in
A user has access to the tenant if its name is indicated in the settings blocks of the roles assigned to the user account. The access level depends on which role is indicated for the tenant.
Shared tenant
filled in
filled in
filled in
filled in
filled in
A shared tenant is used to store shared resources that must be available to all tenants.
Although services cannot be owned by the shared tenant, these services may utilize resources that are owned by the shared tenant. These services are still owned by their respective tenants.
Events, alerts and incidents cannot be shared.
Permissions to access the shared tenant:
- Read/write—only the general administrator.
- Read—all other users, including users that have permissions to access the main tenant.
Main tenant
filled in
filled in
filled in
filled in
filled in
A user has access to the main tenant if its name is indicated in the settings blocks of the roles assigned to the user account. The access level depends on which role is indicated for the tenant.
Permissions to access the main tenant do not grant access to other tenants.