Accounts for installing and using the application
To install the Kaspersky Security management MMC plug-ins and the Integration Server, an account that belongs to the group of local administrators on the computer where installation is performed must be used.
The following accounts can be used to start the Integration Server Console:
- If the computer hosting Kaspersky Security Center Administration Console belongs to the Microsoft Windows domain, you can use an account that belongs to the local or domain KLAdmins group or an account that belongs to the local administrators group to start the Integration Server Console. You can also use the Integration Server administrator account created automatically during the Integration Server installation.
- If the computer on which Kaspersky Security Center Administration Console is installed is not a member of a Microsoft Windows domain or your account is not a member of the local or domain KLAdmins group or the local administrators group, you can only use the Integration Server administrator account, that was automatically created when installing the Integration Server, to start the Integration Server Console.
VMware ESXi hypervisor
The following accounts are required for installation and operation of the application on a VMware ESXi hypervisor:
- An administrator account with the following rights is required to deploy, delete, or reconfigure an SVM:
- Datastore.Allocate space
- Datastore.Low level file operations
- Datastore.Remove file
- Global.Cancel task
- Global.Licenses
- Host.Config.Virtual machine autostart configuration
- Host.Inventory.Modify cluster
- Network.Assign network
- Tasks.Create task
- VApp.Import
- Virtual machine.Configuration.Add new disk
- Virtual machine.Configuration.Add or remove device
- Virtual machine.Configuration.Memory
- Virtual machine.Interaction.Power Off
- Virtual machine.Interaction.Power On
- Virtual machine.Provisioning.Customize
- Virtual machine.Inventory.Create new (only for VMware vCenter Server 6.0 and VMware vCenter Server 6.5)
- Virtual machine.Inventory.Remove (only for VMware vCenter Server 6.0 and VMware vCenter Server 6.5)
- System.Anonymous (only for VMware vCenter Server 6.0)
- System.Read (only for VMware vCenter Server 6.0)
- System.View (only for VMware vCenter Server 6.0)
- To connect the Integration Server to the VMware vCenter Server, it is recommended to use an account that has been assigned the preset system role ReadOnly.
- Connection of the Integration Server to VMware NSX Manager requires a VMware NSX Manager account that has been assigned the Enterprise Administrator role.
Roles should be assigned to accounts at the top level of the hierarchy of VMware inventory objects, that is, at the level of VMware vCenter Server.
Microsoft Windows Server (Hyper-V) hypervisor
To deploy, delete, or reconfigure an SVM on a Microsoft Windows Server (Hyper-V) hypervisor, a built-in local administrator account or domain account that belongs to the Hyper-V Administrators group is required. For a domain account, you must also grant permissions for remote connection and use of the following WMI namespaces:
- root\cimv2
- root\MSCluster
- root\virtualization
- root\virtualization\v2 (for versions of Microsoft Windows server operating systems, beginning with Windows Server 2012 R2)
A built-in local administrator account or domain account that belongs to the Hyper-V Administrators group and has the permissions listed above is also used to connect the Integration Server to a Microsoft Windows Server (Hyper-V) hypervisor.
Citrix Hypervisor (Citrix XenServer)
The following accounts are required for installation and operation of the application on a Citrix Hypervisor (Citrix XenServer):
- To deploy, remove, or reconfigure an SVM, an account with Pool Admin rights is required.
- To connect the Integration Server to the Citrix Hypervisor (Citrix XenServer), it is recommended to use an account with the Read Only role.
KVM hypervisor
The following accounts are required for installation and operation of the application on a KVM hypervisor:
- To deploy, delete, or reconfigure an SVM, a root account, or an account with the right to perform actions on behalf of the root account, is required.
- To connect the Integration Server to the KVM hypervisor, it is recommended to use an unprivileged user account with access to the “read only” Unix socket (libvirt-sock-ro) of the libvirtd service (libvirtd daemon).
Proxmox VE hypervisor
The following accounts are required for installation and operation of the application on a Proxmox VE hypervisor:
- To deploy, delete, or reconfigure an SVM, a root account, or an account with the right to perform actions on behalf of the root account, is required.
- To connect the Integration Server to the Proxmox VE hypervisor, it is recommended to use an account that has been granted access with the PVEAuditor role to the root directory (/) and all child directories.
R-Virtualization hypervisor
The following accounts are required for installation and operation of the application on a R-Virtualization hypervisor:
- To deploy, remove, or reconfigure an SVM, an account with the “Main Administrator” role is required.
- To connect the Integration Server to the Skala-R Management virtual infrastructure administration server, it is recommended to use an account with the “Infrastructure Monitoring” role.
HUAWEI FusionCompute CNA hypervisor
The following accounts are required for installation and operation of the application on a HUAWEI FusionCompute CNA hypervisor:
- To deploy, remove, or reconfigure an SVM, an account with the VMManager role is required.
- To connect the Integration Server to a HUAWEI FusionCompute VRM, it is recommended to use an account with the Auditor role.
Nutanix AHV hypervisor
Protection of the virtual infrastructure on the Nutanix Acropolis platform is supported only in the following Kaspersky Security updates: 5.1.1, 5.1.2, and 5.1.3.
The following accounts are required for installation and operation of the application on a Nutanix AHV hypervisor:
- To deploy, remove, or reconfigure an SVM, an account with Cluster Admin role is required.
- To connect the Integration Server to Nutanix Prism, it is recommended to use an account with the Viewer role.
Page top