Accounts for installing and using the solution

General account requirements

To install the Kaspersky Security management MMC plug-ins and the Integration Server, an account that belongs to the local administrator group on the device where installation is being performed must be used.

The following accounts can be used to start the Integration Server Console:

• If you plan to use Kaspersky Security Center Administration Console to manage the Kaspersky Security solution and the device hosting Kaspersky Security Center Administration Console belongs to the Microsoft Windows domain, you can use an account that belongs to the local or domain KLAdmins group or an account that belongs to the local administrator group to start the Integration Server Console. You can also use the Integration Server administrator account created when installing the Integration Server.
• If you plan to use Kaspersky Security Center Web Console to manage the Kaspersky Security solution, or the device on which Kaspersky Security Center Administration Console is installed is not a member of a Microsoft Windows domain or your account is not a member of the local or domain KLAdmins group or the local administrator group, you can only start the Integration Server Console using the Integration Server administrator account that was created when installing the Integration Server.

VMware vSphere platform

The following accounts are required to install and operate the solution on a VMware vSphere infrastructure:

• An administrator account with the following rights is required to deploy, delete, or reconfigure an SVM:
  • Datastore.Allocate space
  • Datastore.Low level file operations
  • Datastore.Remove file
  • Global.Cancel task
  • Global.Licenses
  • Host.Config.Virtual machine autostart configuration
  • Host.Inventory.Modify cluster
  • Network.Assign network
  • Tasks.Create task
  • vApp.Import
  • Virtual machine.Change configuration.Add new disk (only for VMware vCenter Server 7.0 and VMware vCenter Server 6.7)
  • Virtual machine.Configuration.Add new disk (only for VMware vCenter Server 6.5)
  • Virtual machine.Change configuration.Add or remove device (only for VMware vCenter Server 7.0 and VMware vCenter Server 6.7)
  • Virtual machine.Configuration.Add or remove device (only for VMware vCenter Server 7.0 and VMware vCenter Server 6.7)
  • Virtual machine.Change configuration.Change memory (only for VMware vCenter Server 7.0 and VMware vCenter Server 6.7)
  • Virtual machine.Configuration.Memory (only for VMware vCenter Server 6.5)
  • Virtual machine.Interaction.Power Off
  • Virtual machine.Interaction.Power On
  • Virtual machine.Provisioning.Customize guest (only for VMware vCenter Server 7.0 and VMware vCenter Server 6.7)
  • Virtual machine.Provisioning.Customize (only for VMware vCenter Server 6.5)
  • Virtual machine.Inventory.Create new (only for VMware vCenter Server 6.5)
  • Virtual machine.Inventory.Remove (only for VMware vCenter Server 6.5)
• To connect the Integration Server to the VMware vCenter Server, it is recommended to use an account that has been assigned the preset system role ReadOnly.
• Connection of the Integration Server to VMware NSX Manager requires a VMware NSX Manager account that has been assigned the Enterprise Administrator role.

Roles should be assigned to accounts at the top level of the hierarchy of VMware inventory objects, that is, at the level of VMware vCenter Server.

Microsoft Hyper-V platform

To deploy, remove, or reconfigure an SVM on a Microsoft Windows Server (Hyper-V) hypervisor, a built-in local administrator account or domain account that belongs to the Hyper-V Administrators group is required. For a domain account, you must also grant permissions for remote connection and use of the following WMI namespaces:

• root\cimv2
• root\MSCluster
• root\virtualization
• root\virtualization\v2 (for versions of Microsoft Windows server operating systems, beginning with Windows Server 2012 R2)

A built-in local administrator account or domain account that belongs to the Hyper-V Administrators group and has the permissions listed above is also used to connect the Integration Server to a Microsoft Windows Server (Hyper-V) hypervisor.

Citrix Hypervisor platform

The following accounts are required for installation and operation of the solution in a Citrix Hypervisor infrastructure:

• To deploy, remove, or reconfigure an SVM, an account with Pool Admin rights is required.
• To connect the Integration Server to the Citrix Hypervisor, it is recommended to use an account with the Read Only role.

KVM platform

The following accounts are required for installation and operation of the solution in a KVM infrastructure:

• Deploying, removing, or reconfiguring an SVM requires a root account or an account that has permission to perform actions as the root account.
• To connect the Integration Server to the KVM hypervisor, it is recommended to use an unprivileged user account with access to the "read only" Unix socket (libvirt-sock-ro) of the libvirtd service (libvirtd daemon).

Proxmox VE platform

The following accounts are required for installation and operation of the solution in a Proxmox VE infrastructure:

• To deploy, remove, or reconfigure an SVM, the root account is required.
• To connect the Integration Server to the Proxmox VE hypervisor, it is recommended to use an account that has been granted access with the PVEAuditor role to the root directory (/) and all child directories.

Skala-R platform

The following accounts are required for installation and operation of the solution in a Skala-R infrastructure:

• To deploy, remove, or reconfigure an SVM, an account with the "Main Administrator" role is required.
• To connect the Integration Server to the Skala-R Management virtual infrastructure administration server, it is recommended to use an account with the "Infrastructure Monitoring" role.

HUAWEI FusionSphere platform

The following accounts are required to install and operate the solution on a HUAWEI FusionSphere infrastructure:

• To deploy, remove, or reconfigure an SVM, an account with the VMManager role is required.
• To connect the Integration Server to a HUAWEI FusionCompute VRM, it is recommended to use an account with the Auditor role.

Nutanix Acropolis platform

The following accounts are required to install and operate the solution on a Nutanix Acropolis infrastructure:

• To deploy, remove, or reconfigure an SVM, an account with Cluster Admin role is required.
• To connect the Integration Server to Nutanix Prism virtual infrastructure administration server, it is recommended to use an account with the Viewer role. In the infrastructure managed by Nutanix Prism Central, an account with the Viewer role is required on the Nutanix Prism Central server and on the Nutanix Prism Element servers.

TIONIX Cloud Platform and OpenStack platform

The following accounts are required to install and operate the solution in an infrastructure running on TIONIX Cloud Platform or the OpenStack platform:

• An account with the following permissions is required to deploy, delete, or reconfigure an SVM:

  Permissions for infrastructure object operations.	Permissions for sending requests to OpenStack microservices API
  Keystone
  Authentication. Querying the state of authentication token for the current user.	auth/tokens (POST/GET)
  Getting a list of all OpenStack domains.	domains (GET)
  Getting a list of available OpenStack projects for the current user.	auth/projects (GET)
  Compute (Nova)
  Getting a list of virtual machines.	servers/detail (GET)
  Getting virtual machine information.	servers/{server_id} (GET)
  Getting a list of virtual machine types (instance types).	flavors/detail (GET)
  Getting information about available OpenStack project resources.	limits (GET)
  Getting a list of server groups.	os-server-groups (GET)
  Getting a list of availability zones.	os-availability-zone (GET)
  Getting a list of network interface of the virtual machine.	servers/{server_id}/os-interface (GET)
  Creating a network interface for the virtual machine.	servers/{server_id}/os-interface (POST)
  Creating the virtual machine.	servers (POST)
  Starting/stopping the virtual machine.	servers/{server_id}/action (POST)
  Removing network interface of the virtual machine.	servers/{server_id}/os-interface/{port_id} (DELETE)
  Removing the virtual machine.	servers/{server_id} (DELETE)
  Cinder
  Getting a list of volume types.	{project_id}/types (GET)
  Getting disk information.	{project_id}/volumes/{volume_id} (GET)
  Creating the disk.	{project_id}/volumes (POST)
  Removing the disk that was created by the current user.	{project_id}/volumes/{volume_id} (DELETE)
  Glance
  Getting image information.	images/{image_id} (GET)
  Creating the image.	images (POST)
  Downloading the image.	images/{image_id}/file (PUT)
  Removing the image that was created by the current user.	images/{image_id} (DELETE)
  Neutron
  Getting a list of networks.	networks (GET)
  Getting a list of security groups.	security-groups (GET)
  Creating a network port	ports (POST)
  Deleting a network port	ports/{port_id} (DELETE)
  Getting the ID of a network port	ports/{port_id} (GET)

• An account with the following permissions is required to connect the Integration Server to the virtual infrastructure:

  Permissions for infrastructure object operations.	Permissions for sending requests to OpenStack microservices API
  Keystone
  Authentication. Querying the state of authentication token for the current user.	auth/tokens (POST/GET)
  Getting a list of available OpenStack projects for the current user.	auth/projects (GET)
  Compute (Nova)
  Getting a list of virtual machines.	servers/detail (GET)
  Getting virtual machine information.	servers/{server_id} (GET)
  Getting a list of server groups.	os-server-groups (GET)
  Getting a list of availability zones.	os-availability-zone (GET)
  Getting a list of hypervisors. This permission is required only if you intend to apply licensing scheme that uses number of processors or number of processor cores on hypervisors, on which the protected virtual machines operate.	/os-hypervisors/detail (GET)

ALT Virtualization Server platform

The following accounts are required to install and operate the solution on an Alt Virtualization Server infrastructure:

• Deploying, removing, or reconfiguring an SVM requires a root account or an account that has permission to perform actions as the root account.
• To connect the Integration Server to a basic hypervisor of the ALT Virtualization Server platform, it is recommended to use an unprivileged user account with access to the "read-only" Unix socket (libvirt-sock-ro) of the libvirtd service (libvirtd daemon).

Astra Linux Platform

The following accounts are required for installation and operation of the solution on a KVM hypervisor running on the Astra Linux platform:

• Deploying, removing, or reconfiguring an SVM requires a root account or an account that has permission to perform actions as the root account.

  Prior to starting installation of the solution, you need to configure the account that will be used for SVM deployment, removal, and reconfiguration.

• To connect the Integration Server to a KVM hypervisor running on the Astra Linux platform, it is recommended to use an unprivileged user account with access to the read-only Unix socket (libvirt-sock-ro) of the libvirtd service (libvirtd daemon).

Page top