Role-based user access control for the application features and services

Kaspersky Security contains facilities for role-based access to the application features and services.

Roles of application users

Kaspersky Security 9.0 for Microsoft Exchange Servers allows you to apply role-based access to manage users. Each role is assigned a set of available application functions and, accordingly, a set of available nodes displayed in the Management Console tree.

A role is assigned to a user by adding the user account to an Active Directory group. A user can combine multiple roles. In this case, the account must be added to each of the Active Directory groups that correspond to those roles. The user will be granted access rights in accordance with the roles assigned.

Applying changes made to Active Directory groups may take up to 10 minutes.

The table below shows the names and descriptions of roles, the names of the Active Directory groups corresponding to those roles, and the list of nodes displayed in the Management Console for each role.

Role-based access

Role: Administrator
Description: A professional performing general application administration tasks, such as configuring Anti-Virus and Anti-Spam settings or creating Anti-Virus and Anti-Spam operation reports. The To administrator section describes the administrator tasks and instructions on how to perform them.
Active Directory group: Kse Administrators
Nodes displayed in Management Console: Profiles; DLP Module settings; <Security Server name>; Server protection; Updates; Notifications; Backup; Reports; Settings; Licensing.

Role: Security Officer
Description: A specialist tasked with administering confidential data leak prevention tools (the DLP Module): configuring DLP categories and policies, processing incidents. The security officer tasks and instructions on how to perform them are provided in the To security officer section.
Active Directory group: Kse Security Officers
Nodes displayed in Management Console: Data Leak Prevention; Categories and policies; Incidents; Reports.

Role: Anti-Virus Security Officer
Description: A specialist who has access rights to the following application features: viewing the details of the protection status of Microsoft Exchange servers, retrieving reports on the operation of Anti-Virus, Anti-Spam, and Content Filtering, restricted access rights to features for management of Backup objects (except for object deletion), and access rights to all of the application settings (except for the settings of the Data Leak Prevention node and its subnodes) but without the option of editing them.
Active Directory group: Kse AV Security Officers
Nodes displayed in Management Console: Profiles; DLP Module settings; <Security Server name>; Server protection; Updates; Notifications; Backup; Reports; Settings; Licensing.

Role: Anti-Virus Security Operator
Description: A specialist who has access rights to view the details of the protection status of Microsoft Exchange servers and to retrieve reports on the operation of Anti-Virus, Anti-Spam, and Content Filtering.
Active Directory group: Kse AV Operators
Nodes displayed in Management Console: Profiles; <Security Server name>; Reports.

User groups in Active Directory are created automatically when the application is installed or upgraded to Kaspersky Security 9.0 for Microsoft Exchange Servers. Those groups can also be created manually before the application is installed, using standard Active Directory data management tools. Groups can be created in any domain of the organization. The group type is "Universal".

When Management Console is launched, the application checks which group includes the user account under which Management Console has been launched, and the user's role in the application is determined on the basis of this information.

Names of account groups must be unique within a single Active Directory domain forest.

System role

In addition to the user roles, the application has a system role. The system role is held by the account under which the Kaspersky Security 9.0 for Microsoft Exchange Servers application service is launched.

The system role is assigned by the Application Installation Wizard to the account that you selected during the application installation. If, after installing the application, you want to specify another account for launching the application service, you must assign the system role to that account. The system role is assigned by adding the account to the Kse Watchdog Service group in Active Directory.

Applying changes made to Active Directory groups may take up to 10 minutes.
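
Because roles are granted purely through group membership, reviewing who holds which role means reviewing those groups. The following PowerShell script is an added example, not part of the Kaspersky documentation or product: it lists the effective members of each role group named above, warns when a group is missing, is not Universal, or has a name that is not unique in the forest, and reports accounts that combine several roles. It assumes the ActiveDirectory module (RSAT) is installed and that the account running it can read the forest's global catalog and domains.

```powershell
# Added example: audit the Active Directory groups that grant Kaspersky Security roles.
# Assumption: ActiveDirectory module (RSAT) is available. Group names come from this page.
Import-Module ActiveDirectory

$roleGroups = [ordered]@{
    'Kse Administrators'       = 'Administrator'
    'Kse Security Officers'    = 'Security Officer'
    'Kse AV Security Officers' = 'Anti-Virus Security Officer'
    'Kse AV Operators'         = 'Anti-Virus Security Operator'
    'Kse Watchdog Service'     = 'System role'
}

# Groups may live in any domain, so search a global catalog (port 3268) of the forest.
$gc = "$((Get-ADForest).GlobalCatalogs | Select-Object -First 1):3268"

$membership = foreach ($name in $roleGroups.Keys) {
    $groups = @(Get-ADGroup -Filter "Name -eq '$name'" -Server $gc)
    if ($groups.Count -eq 0) { Write-Warning "Group '$name' not found in the forest"; continue }
    if ($groups.Count -gt 1) { Write-Warning "Group name '$name' is not unique in the forest" }
    foreach ($g in $groups) {
        if ($g.GroupScope -ne 'Universal') {
            Write-Warning "$($g.DistinguishedName) has scope $($g.GroupScope), expected Universal"
        }
        # Derive the group's domain from its DN and query that domain directly;
        # -Recursive expands nested groups into the accounts that actually hold the role.
        $domain = ($g.DistinguishedName -split ',' | Where-Object { $_ -like 'DC=*' } |
                   ForEach-Object { $_.Substring(3) }) -join '.'
        Get-ADGroupMember -Identity $g.DistinguishedName -Server $domain -Recursive |
            ForEach-Object {
                [pscustomobject]@{ Role = $roleGroups[$name]; Group = $name
                                   Account = $_.SamAccountName; DN = $_.DistinguishedName }
            }
    }
}

# Effective role assignments, one row per account and role.
$membership | Sort-Object Role, Account | Format-Table Role, Group, Account -AutoSize

# Accounts that combine several roles (membership in more than one role group).
$membership | Group-Object DN | ForEach-Object {
    $roles = @($_.Group.Role | Sort-Object -Unique)
    if ($roles.Count -gt 1) { '{0}: {1}' -f $_.Group[0].Account, ($roles -join ', ') }
}
```

Membership changes found this way still take up to 10 minutes to be applied by the application, as noted above.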
