About user roles

A user role in Kaspersky Container Security is a set of permissions to perform certain actions in the solution web interface. Depending on their role, users have access to different sections and functional capabilities.

Kaspersky Container Security provides user roles as well as system roles, which have predefined sets of access permissions to perform common tasks for protecting container environments.

The following system roles are provided during initial installation of the solution:

• The Administrator of Kaspersky Container Security role is intended for users who are tasked with deploying and supporting the infrastructure and system software required for the solution to work (for example, operating systems, application servers, and databases). These users manage user accounts, roles and access permissions in Kaspersky Container Security.

  In the web interface, this role is indicated by the KCSADM abbreviation.

• The Information Security Administrator (IS Administrator) role is intended for users who are tasked with creating and managing user accounts, roles and access permissions of users, changing settings, connecting public image registries, Agents and outputs, and configuring security policies.

  In the web interface, this role is indicated by the ISADM abbreviation.

• The IS auditor role is intended for users who view the resources and user list of a solution, and who monitor the results of scans and compliance checks.

  In the web interface, this role is indicated by the ISAUD abbreviation.

• The IS officer role is intended for users who view and manage security policies, connect public image registries, and view the results of runtime container analyses for projects in which these users are directly involved.

  In the web interface, this role is indicated by the ISOFF abbreviation.

• The Developer role is intended for users who perform compliance checks and view the results of scanning images from registries and CI/CD, cluster resources and accepted risks.

  In the web interface, this role is indicated by the DEV abbreviation.

You can assign system roles to user accounts when creating or viewing these user accounts.

Multiple user roles can be assigned to a user.

If a specific system role is not needed, you can delete it.

However, you cannot delete the last active system role that has permissions to manage other roles.

If the available system roles do not offer the required access permissions, you can create your own unique sets of permissions as custom roles.

When creating custom roles, consider the necessary set of permissions for accessing related functionalities. For example:

• To view and configure the settings of the response policies, you need permission to view integrations with notification services. If this permission is not granted, Kaspersky Container Security will display an error when you try to configure a response policy.
• Permissions to manage response policies must be granted with permissions to manage notifications, otherwise, you will not be able to select the outputs in the policy settings.
• To create a user, you need permission to view and manage roles. If such permission is not granted, only the dashboard is displayed to the created user.
• The permission to manage users must be granted together with the permission to manage roles, otherwise you will not be able to assign a role when creating a user.

You can assign user roles to user accounts just like with system roles. In addition, you can also change the settings of user roles and delete user roles.

When assigning the application scopes to roles, you must take into account that a security policy can be implemented within a specific application scope only if this application scope is assigned to one of your roles.

If you integrated the solution with an LDAP server, Kaspersky Container Security also receives and displays the roles and user groups from the Active Directory service.