Accounts for installing and using the application

User account for installing the Kaspersky Security administration plug-in and Integration Server

Installation of the Kaspersky Security administration plug-in and Integration Server requires an account that has software installation privileges (for example, an account from the group of local administrators).

If the computer hosting the Kaspersky Security Center Administration Console belongs to an Active Directory domain, connection to the Integration Server requires a domain account that belongs to the KLAdmins group or an account that belongs to the group of local administrators.

To prevent unauthorized access, it is recommended to ensure the security of the account that is used to connect to the Integration Server.

User accounts for deploying and removing SVMs, and for operation of the application

The following user accounts are required to deploy, delete and work with the SVMs that have Kaspersky Security components:

• To connect the Integration Server to VMware vCenter Server, you can use one of the following accounts:
  • VMware vCenter Server account to which the ReadOnly predefined system role is assigned with the Propagate to children flag. To ensure that powered-off virtual machines can be scanned, the following privileges need to be assigned to this account:
    • Virtual machine → Change Configuration → Add existing disk
    • Virtual machine → Change Configuration → Add or remove device
    • Virtual machine → Change Configuration → Remove disk
    • ESX Agent Manager → Modify
  • VMware vCenter Server account to which the Administrator predefined system role is assigned with the Propagate to children flag.
• To connect the Integration Server to VMware NSX Manager, you need a VMware NSX Manager account that has the Enterprise Admin or Enterprise Administrator role assigned (depending on VMware NSX Manager version). Integration Server connection is required to enable registration of Kaspersky Security services and configuration of new SVM settings.
• In the infrastructure managed by VMware NSX-T Manager, a VMware vCenter Server administrator account or an account with the following privileges is required to connect VMware NSX-T Manager to VMware vCenter Server:
  • Extension → Register extension
  • Extension → Unregister extension
  • Extension → Update extension
  • Sessions → Message
  • Sessions → Validate session
  • Sessions → View and stop sessions
  • Host → Configuration → Maintenance
  • Host → Configuration → NetworkConfiguration
  • Host → Local Operations → virtual machine
  • Host → Local Operations → Delete virtual machine
  • Host → Local Operations → Reconfigure virtual machine
  • Tasks
  • Scheduled task
  • Global → Cancel task
  • Permissions → Reassign role permissions
  • Resource → Assign vApp to resource pool
  • Resource → Assign virtual machine to resource pool
  • Virtual Machine → Configuration
  • Virtual Machine → Guest Operations
  • Virtual Machine → Provisioning
  • Virtual Machine → Inventory
  • Network → network
  • vApp
• If you want to use Kaspersky Security to protect the virtual infrastructure managed by VMware Cloud Director, you also need a VMware Cloud Director account that has the following permissions to connect the Integration Server to VMware Cloud Director:
  • General → Perform administrator queries
  • Organization → View Organizations

Roles must be assigned to user accounts at the top level of the hierarchy of VMware virtual infrastructure objects.

For information on how to create user accounts in a VMware infrastructure, please refer to VMware documentation.

User account for connecting the Integration Server to Kaspersky Security Center

This account is used if the application is operating in multitenancy mode.

The Integration Server connects to Kaspersky Security Center to receive information about virtual Administration Servers created in Kaspersky Security Center, and to map virtual Administration Servers to Cloud Director organizations that contain tenant virtual machines.

Connecting the Integration Server to Kaspersky Security Center requires an account with read permissions in the following Kaspersky Security Center functional scopes:

• General functions → Basic functionality
• General functions → Virtual Administration Servers

You can create and configure the account used for connecting the Integration Server to Kaspersky Security Center in the properties window of the Kaspersky Security Center Administration Server in the Security section.

By default, the Security section is not displayed in the Administration Server properties window. To enable the display of the Security section, you must select the Display security settings sections check box in the Configure interface window (View → Configure interface menu) and restart the Kaspersky Security Center Administration Console.

For more details on the rights of user accounts in Kaspersky Security Center, please refer to the Kaspersky Security Center documentation.

User account for connecting SVMs to network data storage

This user account is required if you are using network data storage for SVMs. Network data storage is used for storing backup copies of files that have been moved to Backups on SVMs.

To connect SVMs to network data storage, you need an account with read and write permissions in the network folder hosting the storage.

It is recommended to restrict access to this network folder for all other user accounts.