KUMA users may have the following roles:
User roles rights
Web interface section and actions |
General administrator |
Tenant administrator |
Tier 2 analyst |
Tier 1 analyst |
Junior analyst |
Access to shared resources |
Access to NCIRCC |
Access to CII |
Comment |
Reports |
|
|
|
|
|
|
|
|
|
Create report template |
yes |
yes |
yes |
yes |
no |
no |
no |
no |
|
View and edit templates and reports |
yes |
yes |
yes |
yes |
no |
no |
no |
no |
Tier 2 analysts and Tier 1 analysts can:
Tier 2 analysts can edit predefined templates. Specifying the user's email address in the template is no longer grounds for providing access to a report generated from that template. Such a report is available to the user for viewing if all tenants specified in the template are available for the user's role. |
Generate reports |
yes |
yes |
yes |
yes |
no |
no |
no |
no |
Tier 2 analysts and Tier 1 analysts can generate any reports, their own and those of other users, provided that all tenants specified in the template are available for the role. Tier 2 analysts and Tier 1 analysts cannot generate reports that were sent to the analyst by email. |
Export generated reports |
yes |
yes |
yes |
yes |
no |
no |
no |
no |
Tier 2 analysts and Tier 1 analysts can download any reports, provided that all tenants specified in the template are available for the role. |
Delete templates and generated reports |
yes |
yes |
yes |
yes |
no |
no |
no |
no |
Tier 2 analysts can delete their own templates and reports, as well as predefined templates. Tier 2 analysts cannot delete reports that were sent to them by email. General administrator, Tenant administrator, Tier 2 analyst can delete predefined templates and reports. |
Edit the settings for generating reports |
yes |
yes |
yes |
yes |
no |
no |
no |
no |
Tier 2 analysts can edit the settings for generating predefined templates and reports, as well as their own templates and reports. Tier 1 analysts can edit the settings for generating the reports they created. |
Duplicate report template |
yes |
yes |
yes |
yes |
no |
no |
no |
no |
Tier 2 analysts and Tier 1 analysts can duplicate their own reports and predefined reports. |
Open the generated report by email |
yes |
yes |
yes |
yes |
yes |
no |
no |
no |
If a report is sent as a link, it is available to KUMA users only. If a report is sent as an attachment, the report is available to the recipient if all tenants specified in the report template are available to the role of the recipient. |
Dashboard |
|
|
|
|
|
|
|
|
|
View data on the dashboard and change layouts |
yes |
yes |
yes |
yes |
yes |
no |
yes |
yes |
Available if the user has full access. Full access means that the list of tenants defined at the dashboard level is identical to the list of tenants available to the user. Tenants in the toggle switch are also taken into account. |
View the Universal layout |
yes |
yes |
yes |
yes |
yes |
no |
yes |
yes |
|
Add layouts |
yes |
yes |
yes |
yes |
no |
no |
no |
no |
This includes adding widgets to a layout. Only the general administrator can add a universal layout. |
Edit and rename layouts |
yes |
yes |
yes |
yes |
no |
no |
no |
no |
This includes adding, editing, and deleting widgets. Tier 2 analysts can change/rename predefined layouts and layouts that were created by their own account. Tier 1 analysts can edit/rename layouts created by their own account. |
Delete layouts |
yes |
yes |
yes |
yes |
no |
no |
no |
no |
Tenant administrators may delete layouts in the tenants available to them. Tier 2 analysts and Tier 1 analysts can delete layouts created by their own account. General administrators, Tenant administrators, and Tier 2 analysts can delete predefined layouts. When the kuma-core.service service is restarted, predefined layouts are restored to their original condition if they were previously deleted. |
Enable and disable the TV mode |
yes |
yes |
yes |
yes |
yes |
no |
yes |
yes |
|
Resources → Services and Resources → Services → Active services |
|
|
|
|
|
|
|
|
|
View the list of active services |
yes |
yes |
yes |
yes |
yes |
no |
yes |
yes |
Only the General Administrator can view and delete storage spaces. Access rights do not depend on the tenants selected in the menu. Tier 1 analysts and Tier 2 analysts can:
|
View the contents of the active list |
yes |
yes |
yes |
yes |
no |
no |
no |
no |
|
Import/export/clear the contents of the active list |
yes |
yes |
yes |
yes |
no |
no |
no |
no |
Tier 1 analysts can import data into any list or correlator table of an available tenant. |
Create a set of resources for services |
yes |
yes |
yes |
no |
no |
no |
no |
no |
Tier 2 analysts cannot create storages. |
Create a service under Resources → Services → Active services |
yes |
yes |
no |
no |
no |
no |
no |
no |
Only the general administrator can create a service. |
Delete services |
yes |
yes |
no |
no |
no |
no |
no |
no |
|
Restart services |
yes |
yes |
no |
no |
no |
no |
no |
no |
|
Update the settings of services |
yes |
yes |
yes |
no |
no |
no |
no |
no |
|
Reset certificates |
yes |
yes |
no |
no |
no |
no |
no |
no |
Users with the Tenant administrator role can reset the certificates of services only in the tenants that are accessible to the user. |
Resources → Resources |
|
|
|
|
|
|
|
|
|
View the list of resources |
yes |
yes |
yes |
yes |
no |
yes |
no |
no |
Tier 2 analysts and Tier 1 analysts cannot view the list of resources of secrets, but these resources are available to them when creating services. |
Add resources |
yes |
yes |
yes |
yes |
no |
no |
no |
no |
Tier 2 analysts and Tier 1 analysts cannot add resources of secrets. |
Duplicate resources |
yes |
yes |
yes |
yes |
no |
no |
no |
no |
Tier 1 analysts can duplicate a resource created by other users, including the resource set of a service. However, Tier 1 analysts cannot change the dependent resources in the copy of the set of service resources. |
Edit resources |
yes |
yes |
yes |
yes |
no |
no |
no |
no |
Tier 1 analysts can edit only resources they created. |
Delete resources |
yes |
yes |
yes |
yes |
no |
no |
no |
no |
Tier 2 analysts cannot delete resources of secrets. Tier 1 analysts can delete only resources they created. |
Import resources |
yes |
yes |
yes |
yes |
no |
no |
no |
no |
Only the general administrator can import resources to a shared tenant. |
View the repository, import the resources from the repository |
yes |
yes |
yes |
no |
no |
no |
no |
no |
The Shared tenant's dependent resources are imported into the Shared tenant. A special right to the Shared tenant is not required; only the right to import in the target tenant is checked. |
Export resources |
yes |
yes |
yes |
yes |
no |
yes |
no |
no |
This includes resources from a shared tenant. |
Source status → List of event sources |
|
|
|
|
|
|
|
|
|
View sources of events |
yes |
yes |
yes |
yes |
yes |
no |
yes |
yes |
|
Change sources of events |
yes |
yes |
yes |
no |
no |
no |
no |
no |
|
Delete sources of events |
yes |
yes |
yes |
no |
no |
no |
no |
no |
|
Source status → Monitoring policies |
|
|
|
|
|
|
|
|
|
View monitoring policies |
yes |
yes |
yes |
yes |
yes |
yes |
yes |
yes |
|
Create monitoring policies |
yes |
yes |
yes |
no |
no |
no |
no |
no |
|
Edit monitoring policies |
yes |
yes |
yes |
no |
no |
no |
no |
no |
Only the general administrator can edit the predefined monitoring policies. |
Delete monitoring policies |
yes |
yes |
yes |
no |
no |
no |
no |
no |
Predefined policies cannot be removed. |
Assets |
|
|
|
|
|
|
|
|
|
View assets and asset categories |
yes |
yes |
yes |
yes |
yes |
yes |
yes |
yes |
This includes shared tenant categories. |
Add/edit/delete asset categories |
yes |
yes |
yes |
yes |
no |
no |
no |
no |
Within the tenant available to the user. |
Add asset categories in a shared tenant |
yes |
no |
no |
no |
no |
no |
no |
no |
This includes editing and deleting shared tenant categories. |
Link assets to an asset category of the shared tenant |
yes |
yes |
yes |
yes |
no |
no |
no |
no |
|
Add assets |
yes |
yes |
yes |
yes |
no |
no |
no |
no |
|
Edit assets |
yes |
yes |
yes |
yes |
no |
no |
no |
no |
|
Delete assets |
yes |
yes |
yes |
yes |
no |
no |
no |
no |
|
Import assets from Kaspersky Security Center |
yes |
yes |
yes |
yes |
no |
no |
no |
no |
|
Start tasks on assets in Kaspersky Security Center |
yes |
yes |
yes |
yes |
no |
no |
no |
no |
|
Run tasks on assets in Kaspersky Endpoint Detection and Response |
yes |
yes |
yes |
yes |
no |
no |
no |
no |
|
Confirm updates to fix the asset vulnerabilities and accept the licensing agreements |
yes |
yes |
no |
no |
no |
no |
no |
no |
|
Editing CII categorization in the asset card |
yes |
no |
no |
no |
no |
no |
no |
yes |
|
Editing custom fields of the assets (Settings → Assets) |
yes |
yes |
yes |
yes |
no |
no |
no |
no |
|
Alerts |
|
|
|
|
|
|
|
|
|
View the list of alerts |
yes |
yes |
yes |
yes |
yes |
no |
yes |
yes |
|
Change the severity of alerts |
yes |
yes |
yes |
yes |
yes |
no |
yes |
yes |
|
Open the details of alerts |
yes |
yes |
yes |
yes |
yes |
no |
yes |
yes |
|
Assign responsible users |
yes |
yes |
yes |
yes |
yes |
no |
yes |
yes |
|
Close alerts |
yes |
yes |
yes |
yes |
yes |
no |
yes |
yes |
|
Add comments to alerts |
yes |
yes |
yes |
yes |
yes |
no |
yes |
yes |
|
Attach an event to alerts |
yes |
yes |
yes |
yes |
yes |
no |
yes |
yes |
|
Detach an event from alerts |
yes |
yes |
yes |
yes |
yes |
no |
yes |
yes |
|
Edit and delete someone else's filters |
yes |
yes |
no |
no |
no |
no |
no |
no |
Tier 2 analysts, Tier 1 analysts, and Junior analysts can edit or delete only their own filter resources. |
Incidents |
|
|
|
|
|
|
|
|
|
View the list of incidents |
yes |
yes |
yes |
yes |
yes |
no |
yes |
yes |
|
Create blank incidents |
yes |
yes |
yes |
yes |
yes |
no |
|
|
|
Manually create incidents from alerts |
yes |
yes |
yes |
yes |
yes |
no |
|
|
|
Change the severity of incidents |
yes |
yes |
yes |
yes |
yes |
no |
yes |
yes |
|
Open the incident details |
yes |
yes |
yes |
yes |
yes |
no |
yes |
yes |
Incident details display data from only those tenants to which the user has access. |
Assign executors |
yes |
yes |
yes |
yes |
yes |
no |
yes |
yes |
|
Close incidents |
yes |
yes |
yes |
yes |
yes |
no |
yes |
yes |
|
Add comments to incidents |
yes |
yes |
yes |
yes |
yes |
no |
yes |
yes |
|
Attach alerts to incidents |
yes |
yes |
yes |
yes |
yes |
no |
yes |
yes |
|
Detach alerts from incidents |
yes |
yes |
yes |
yes |
yes |
no |
yes |
yes |
|
Edit and delete someone else's filters |
yes |
yes |
no |
no |
no |
no |
no |
no |
Tier 2 analysts, Tier 1 analysts, and Junior analysts can edit or delete only their own filter resources. |
Export incidents to NCIRCC |
yes |
no |
no |
no |
no |
no |
yes |
no |
The functions are always available to the General administrator. Other users can use the functions if the "Can interact with NCIRCC" check box is selected in their profile.
|
Send files to NCIRCC |
yes |
no |
no |
no |
no |
no |
yes |
no |
|
Download files sent to NCIRCC |
yes |
no |
no |
no |
no |
no |
yes |
no |
|
Export additional incident data to NCIRCC upon request |
yes |
no |
no |
no |
no |
no |
yes |
no |
|
Send messages to NCIRCC |
yes |
no |
no |
no |
no |
no |
yes |
no |
|
View messages from NCIRCC |
yes |
no |
no |
no |
no |
no |
yes |
no |
|
View incident data exported to NCIRCC |
yes |
no |
no |
no |
no |
no |
yes |
no |
|
Events |
|
|
|
|
|
|
|
|
|
View the list of events |
yes |
yes |
yes |
yes |
yes |
no |
yes |
yes |
|
Search events |
yes |
yes |
yes |
yes |
yes |
no |
yes |
yes |
|
Open the details of events |
yes |
yes |
yes |
yes |
yes |
no |
yes |
yes |
|
Open statistics |
yes |
yes |
yes |
yes |
yes |
no |
yes |
yes |
|
Perform a retroscan |
yes |
yes |
yes |
no |
no |
no |
no |
no |
|
Export events to a TSV file |
yes |
yes |
yes |
yes |
yes |
no |
yes |
yes |
|
Edit and delete someone else's filters |
yes |
yes |
no |
no |
no |
no |
no |
no |
Tier 2 analysts, Tier 1 analysts, and Junior analysts can edit or delete only their own filter resources. |
Start ktl enrichment |
yes |
yes |
yes |
yes |
no |
no |
no |
no |
|
Run tasks on Kaspersky Endpoint Detection and Response assets in event details |
yes |
yes |
yes |
yes |
no |
no |
no |
no |
|
Create presets |
yes |
yes |
yes |
yes |
yes |
no |
yes |
yes |
|
Delete presets |
yes |
yes |
yes |
yes |
yes |
no |
yes |
yes |
Tier 2 analysts, Tier 1 analysts, and Junior analysts can delete only their own presets. |
View and use presets |
yes |
yes |
yes |
yes |
yes |
no |
yes |
yes |
|
Settings → Users |
|
|
|
|
|
|
|
|
|
View the list of users |
yes |
no |
no |
no |
no |
no |
no |
no |
|
Add a user |
yes |
no |
no |
no |
no |
no |
no |
no |
|
Edit a user |
yes |
no |
no |
no |
no |
no |
no |
no |
|
Generate token |
yes |
yes |
yes |
yes |
yes |
yes |
yes |
yes |
All users can generate their own tokens. The general administrator can generate a token for any user. |
Change access rights for a token |
yes |
yes |
yes |
yes |
yes |
yes |
yes |
yes |
The General administrator can modify access rights for any user. Users can assign to themselves only those rights that are available to them as part of the user's role. |
View the data of their own profile |
yes |
yes |
yes |
yes |
yes |
yes |
yes |
yes |
|
Edit the data of their own profile |
yes |
yes |
yes |
yes |
yes |
yes |
yes |
yes |
The user role is not available for change. |
Settings → LDAP server |
|
|
|
|
|
|
|
|
|
View the LDAP connection settings |
yes |
yes |
yes |
yes |
no |
no |
no |
no |
|
Edit the LDAP connection settings |
yes |
yes |
no |
no |
no |
no |
no |
no |
|
Delete the configuration of an entire tenant from the settings |
yes |
yes |
no |
no |
no |
no |
no |
no |
|
Import assets |
yes |
yes |
no |
no |
no |
no |
no |
no |
|
Settings → Tenants |
|
|
|
|
|
|
|
|
This section is available only to the general administrator. |
View the list of tenants |
yes |
no |
no |
no |
no |
no |
no |
no |
|
Add tenants |
yes |
no |
no |
no |
no |
no |
no |
no |
|
Change tenants |
yes |
no |
no |
no |
no |
no |
no |
no |
|
Disable tenants |
yes |
no |
no |
no |
no |
no |
no |
no |
|
Settings → Domain authorization |
|
|
|
|
|
|
|
|
This section is available only to the general administrator. |
View the Active Directory connection settings |
yes |
no |
no |
no |
no |
no |
no |
no |
|
Edit the Active Directory connection settings |
yes |
no |
no |
no |
no |
no |
no |
no |
|
Add filters based on roles for tenants |
yes |
no |
no |
no |
no |
no |
no |
no |
|
Run tasks in Active Directory |
yes |
yes |
yes |
no |
no |
no |
no |
no |
|
Settings → General |
|
|
|
|
|
|
|
|
This section is available only to the general administrator. |
View the SMTP connection settings |
yes |
no |
no |
no |
no |
no |
no |
no |
|
Edit the SMTP connection settings |
yes |
no |
no |
no |
no |
no |
no |
no |
|
Settings → License |
|
|
|
|
|
|
|
|
This section is available only to the general administrator. |
View the list of added license keys |
yes |
no |
no |
no |
no |
no |
no |
no |
|
Add license keys |
yes |
no |
no |
no |
no |
no |
no |
no |
|
Delete license keys |
yes |
no |
no |
no |
no |
no |
no |
no |
|
Settings → Kaspersky Security Center |
|
|
|
|
|
|
|
|
|
View the list of successfully integrated Kaspersky Security Center servers |
yes |
yes |
yes |
yes |
no |
no |
no |
no |
|
Add Kaspersky Security Center connections |
yes |
yes |
no |
no |
no |
no |
no |
no |
|
Delete Kaspersky Security Center connections |
yes |
yes |
no |
no |
no |
no |
no |
no |
|
Delete the configuration of an entire tenant from the settings |
yes |
yes |
no |
no |
no |
no |
no |
no |
|
Start the tasks for importing Kaspersky Security Center assets |
yes |
yes |
no |
no |
no |
no |
no |
no |
|
Settings → Kaspersky Industrial CyberSecurity for Networks |
|
|
|
|
|
|
|
|
|
View a list of KICS for Networks servers with which integration has been configured |
yes |
yes |
no |
no |
no |
no |
no |
no |
|
Add and modify the settings of KICS for Networks integration |
yes |
yes |
no |
no |
no |
no |
no |
no |
|
Delete the settings of KICS for Networks integration |
yes |
yes |
no |
no |
no |
no |
no |
no |
|
Run the tasks to import assets from the KICS for Networks settings |
yes |
yes |
no |
no |
no |
no |
no |
no |
|
Settings → Kaspersky Automated Security Awareness Platform |
|
|
|
|
|
|
|
|
|
View the ASAP integration settings |
yes |
no |
no |
no |
no |
no |
no |
no |
|
Edit the ASAP integration settings |
yes |
no |
no |
no |
no |
no |
no |
no |
|
Settings → Kaspersky Endpoint Detection and Response |
|
|
|
|
|
|
|
|
|
View the connection settings |
yes |
yes |
yes |
yes |
no |
no |
no |
no |
|
Add, edit and disconnect the connections when the distributed solution mode is enabled |
yes |
no |
no |
no |
no |
no |
no |
no |
|
Enable the distributed solution mode |
yes |
no |
no |
no |
no |
no |
no |
no |
|
Add connections when the distributed solution mode is disabled |
yes |
yes |
no |
no |
no |
no |
no |
no |
|
Delete the connections when the distributed solution mode is disabled |
yes |
yes |
no |
no |
no |
no |
no |
no |
|
Delete the configuration of an entire tenant from the settings |
yes |
yes |
no |
no |
no |
no |
no |
no |
|
Settings → Kaspersky CyberTrace |
|
|
|
|
|
|
|
|
This section is available only to the general administrator. |
View the CyberTrace integration settings |
yes |
no |
no |
no |
no |
no |
no |
no |
|
Edit the CyberTrace integration settings |
yes |
no |
no |
no |
no |
no |
no |
no |
|
Settings → IRP / SOAR |
|
|
|
|
|
|
|
|
This section is available only to the general administrator. |
View the settings for integration with IRP / SOAR |
yes |
no |
no |
no |
no |
no |
no |
no |
|
Edit the IRP/SOAR integration settings |
yes |
no |
no |
no |
no |
no |
no |
no |
|
Settings → Kaspersky Threat Lookup |
|
|
|
|
|
|
|
|
This section is available only to the general administrator. |
View the Threat Lookup integration settings |
yes |
no |
no |
no |
no |
no |
no |
no |
|
Edit the Threat Lookup integration settings |
yes |
no |
no |
no |
no |
no |
no |
no |
|
Settings → Alerts |
|
|
|
|
|
|
|
|
|
View the parameters |
yes |
yes |
yes |
yes |
no |
no |
no |
no |
|
Edit the parameters |
yes |
yes |
yes |
no |
no |
no |
no |
no |
|
Delete the configuration of an entire tenant from the settings |
yes |
yes |
yes |
no |
no |
no |
no |
no |
|
Settings → Incidents → Automatic linking of alerts to incidents |
|
|
|
|
|
|
|
|
This section is available for an account with the Tenant administrator, Tier 2 analyst, and Tier 1 analyst roles if the role is assigned in the Main tenant. |
View the parameters |
yes |
yes |
yes |
yes |
no |
no |
no |
no |
|
Edit the parameters |
yes |
no |
no |
no |
no |
no |
no |
no |
|
Settings → Incidents → Incident types |
|
|
|
|
|
|
|
|
|
View the categories reference |
yes |
yes |
yes |
yes |
no |
no |
no |
no |
|
View the categories charts |
yes |
yes |
yes |
yes |
no |
no |
no |
no |
|
Add categories |
yes |
yes |
no |
no |
no |
no |
no |
no |
|
Edit categories |
yes |
yes |
no |
no |
no |
no |
no |
no |
|
Delete categories |
yes |
yes |
no |
no |
no |
no |
no |
no |
|
Settings → NCIRCC |
|
|
|
|
|
|
|
|
|
View the parameters |
yes |
no |
no |
no |
no |
no |
no |
no |
|
Edit the parameters |
yes |
no |
no |
no |
no |
no |
no |
no |
|
Settings → Hierarchy |
|
|
|
|
|
|
|
|
|
View the parameters |
yes |
no |
no |
no |
no |
no |
no |
no |
|
Edit the parameters |
yes |
no |
no |
no |
no |
no |
no |
no |
|
View incidents from child nodes |
yes |
yes |
yes |
no |
yes |
no |
no |
no |
All users of the parent node have access to the incidents in the child nodes. |
Settings → Asset audit |
|
|
|
|
|
|
|
|
|
Create, clone and edit the settings |
yes |
yes |
yes |
no |
no |
no |
no |
no |
|
View the parameters |
yes |
yes |
yes |
yes |
no |
no |
no |
no |
|
Delete settings |
yes |
yes |
yes |
no |
no |
no |
no |
no |
|
Settings → Repository update |
|
|
|
|
|
|
|
|
|
View the parameters |
yes |
yes |
yes |
no |
no |
no |
no |
no |
|
Edit the parameters |
yes |
no |
no |
no |
no |
no |
no |
no |
|
Start the repository update task manually |
yes |
yes |
yes |
no |
no |
no |
no |
no |
|
Settings → Assets |
|
|
|
|
|
|
|
|
|
Add, edit, and delete the asset fields |
yes |
no |
no |
no |
no |
no |
no |
no |
|
Metrics |
|
|
|
|
|
|
|
|
|
Open metrics |
yes |
no |
no |
no |
no |
no |
no |
no |
|
Task manager |
|
|
|
|
|
|
|
|
|
View a list of your own tasks |
yes |
yes |
yes |
yes |
yes |
no |
yes |
yes |
A user with the General administrator role has access to tasks of all tenants. Tenant administrators can view and manage tasks of other users in tenants available to the Tenant administrator. Users have access to tasks in available tenants. A user can restart a task of another user if the restarting user has rights to start tasks of that type. |
Finish your own tasks |
yes |
yes |
yes |
yes |
yes |
no |
yes |
yes |
|
Restart your own tasks |
yes |
yes |
yes |
yes |
yes |
no |
yes |
yes |
|
View a list of all tasks |
yes |
no |
no |
no |
no |
no |
no |
no |
|
Finish any task |
yes |
no |
no |
no |
no |
no |
no |
no |
|
Restart any task |
yes |
no |
no |
no |
no |
no |
no |
no |
|
CyberTrace |
|
|
|
|
|
|
|
|
This section is not displayed in the web interface unless CyberTrace integration is configured under Settings → CyberTrace. |
Open the section |
yes |
no |
no |
no |
no |
no |
no |
no |
|
Access to the data of tenants |
|
|
|
|
|
|
|
|
|
Access to tenants |
yes |
yes |
yes |
yes |
yes |
no |
yes |
yes |
A user has access to the tenant if its name is indicated in the settings blocks of the roles assigned to the user account. The access level depends on which role is indicated for the tenant. |
Shared tenant |
yes |
yes |
yes |
yes |
yes |
yes |
yes |
yes |
A shared tenant is used to store shared resources that must be available to all tenants. Although services cannot be owned by the shared tenant, these services may utilize resources that are owned by the shared tenant. These services are still owned by their respective tenants. Events, alerts and incidents cannot be shared. Permissions to access the shared tenant:
|
Main tenant |
yes |
yes |
yes |
yes |
yes |
no |
yes |
yes |
A user has access to the main tenant if its name is indicated in the settings blocks of the roles assigned to the user account. The access level depends on which role is indicated for the tenant. Permissions to access the main tenant do not grant access to other tenants. |