Configuring user permissions to manage Kaspersky Embedded Systems Security
By default, all features of Kaspersky Embedded Systems Security are accessible to the members of the Administrators group on the protected device, members of the ESS Administrators group created on the protected device when installing Kaspersky Embedded Systems Security, and the SYSTEM group.
Users who are not registered in the list of Kaspersky Embedded Systems Security users cannot open the Application Console.
You can allow or block access to specific functions of Kaspersky Embedded Systems Security for individual users or groups of users.
About access permissions for Kaspersky Embedded Systems Security functions
User rights
Description
Manage tasks
Ability to start / stop / pause / resume Kaspersky Embedded Systems Security tasks.
Create and remove tasks
Ability to create and delete On-Demand Scan tasks.
Edit settings
Ability to:
Import Kaspersky Embedded Systems Security settings from a configuration file.
Edit the application settings.
Read settings
Ability to:
View Kaspersky Embedded Systems Security general settings and task settings.
Export Kaspersky Embedded Systems Security settings to a configuration file.
View settings for task logs, system audit log, and notifications.
Manage storages
Ability to:
Move objects to Quarantine.
Remove objects from Quarantine and Backup.
Restore objects from Quarantine and Backup.
Manage logs
Ability to delete task logs and clear the system audit log.
Read logs
Ability to view Anti-Virus events in task logs and the system audit log.
Retrieve statistics
Ability to view statistics for each Kaspersky Embedded Systems Security task.
Manage application licensing
Ability to activate Kaspersky Embedded Systems Security.
Uninstall the application
Ability to uninstall Kaspersky Embedded Systems Security.
Read permissions
Ability to view the list of Kaspersky Embedded Systems Security users and user access privileges.
Edit permissions
Ability to:
Edit the list of users with access to application management.
Edit user access permissions for Kaspersky Embedded Systems Security functions.
Remote connection to application
Ability to remotely connect to the application using the Application Console.
For remote access, the user must also have the access rights to the Read settings functionality.
Exit the application
Ability to exit the application using the Application Console.
Disable Kaspersky Security Center policy
Ability to disable the Kaspersky Security Center policy.
Export settings
Ability to export Kaspersky Embedded Systems Security settings.
In the Kaspersky Security Center Administration Console tree, select the Policies folder.
Select the necessary policy and double-click to open the policy properties.
In the policy properties window, select Supplementary.
In the User access permissions for application management section, click Settings.
This opens a window; in that window, select the Allow confirmation of actions with the application using credentials from manually created users check box and set a password for the KLAdmin user account. The user account is automatically added to the list of user accounts.
If necessary, add user accounts to which you want to grant access to application management. To do so, click Add in the table of user accounts.
This opens the form for configuring user access permissions.
Select the method that you want to use to add users:
Select a user / group from Active Directory. You can grant Kaspersky Embedded Systems Security access to individual users or groups within the Active Directory domain. For example, if exiting the application is blocked for the Everyone group, you can grant the Exit the application permission to an individual user.
Add a user / group of users manually. You can create a user account that is not present in Active Directory and assign individual permissions to that user account. That is, you can create a service user account and use it instead of KLAdmin. This way, you do not need to share your KLAdmin password with other users or create new Active Directory user accounts. You can specify any user name and password. For example, you can grant the Read logs permission to the service user account. As a result, if viewing reports is prohibited to the 'All' group, you can open the reports using the service user account or the KLAdmin user account.
To add a user or group of users manually, you must enable Password protection.
Select a user or group of users to which you want to grant access to managing the application.
In the Permissions list, configure user access permissions to application functionality.
Save your changes. To apply the policy on computers, close the locks .
In the Application Console tree, select the Kaspersky Embedded Systems Security node and select User access permissions for application management from the context menu of the node.
This opens a window; in that window, select the Allow confirmation of actions with the application using credentials from manually created users check box and set a password for the KLAdmin user account. The user account is automatically added to the list of user accounts.
If necessary, add user accounts to which you want to grant access to application management. To do so, click Add in the table of user accounts.
This opens the form for configuring user access permissions.
Select the method that you want to use to add users:
Select a user / group from Active Directory. You can grant Kaspersky Embedded Systems Security access to individual users or groups within the Active Directory domain. For example, if exiting the application is blocked for the Everyone group, you can grant the Exit the application permission to an individual user.
Add a user / group of users manually. You can create a user account that is not present in Active Directory and assign individual permissions to that user account. That is, you can create a service user account and use it instead of KLAdmin. This way, you do not need to share your KLAdmin password with other users or create new Active Directory user accounts. You can specify any user name and password. For example, you can grant the Read logs permission to the service user account. As a result, if viewing reports is prohibited to the 'All' group, you can open the reports using the service user account or the KLAdmin user account.
To add a user or group of users manually, you must enable Password protection.
Select a user or group of users to which you want to grant access to managing the application.
In the Permissions list, configure user access permissions to application functionality.
In the main window of the Web Console, select Assets (Devices) → Policies & profiles.
Click the name of the Kaspersky Embedded Systems Security policy.
The policy properties window opens.
Select the Application settings tab.
Go to Supplementary → User access permissions for application management and click the Configure button.
This opens a window; in that window, select the Allow confirmation of actions with the application using credentials from manually created users check box and set a password for the KLAdmin user account. The user account is automatically added to the list of user accounts.
If necessary, add user accounts to which you want to grant access to application management. To do so, click Add in the table of user accounts.
This opens the form for configuring user access permissions.
Select the method that you want to use to add users:
Select a user / group from Active Directory. You can grant Kaspersky Embedded Systems Security access to individual users or groups within the Active Directory domain. For example, if exiting the application is blocked for the Everyone group, you can grant the Exit the application permission to an individual user.
Add a user / group of users manually. You can create a user account that is not present in Active Directory and assign individual permissions to that user account. That is, you can create a service user account and use it instead of KLAdmin. This way, you do not need to share your KLAdmin password with other users or create new Active Directory user accounts. You can specify any user name and password. For example, you can grant the Read logs permission to the service user account. As a result, if viewing reports is prohibited to the 'All' group, you can open the reports using the service user account or the KLAdmin user account.
To add a user or group of users manually, you must enable Password protection.
Select a user or group of users to which you want to grant access to managing the application.
In the Permissions list, configure user access permissions to application functionality.
Save your changes. To apply the policy on computers, close the locks .
.
.