Access rights to application features

The table below lists the Kaspersky Security Center features together with the access rights required to manage the associated tasks, reports, and settings, and to perform the associated user actions.

To perform the user actions listed in the table, a user has to have the right specified next to the action.

Read, Write, and Execute rights are applicable to any task, report, or setting. In addition to these rights, a user has to have the Perform operations on device selections right to manage tasks, reports, or settings on device selections.

The General features: Access objects regardless of their ACLs functional area is intended for audit purposes. When users are granted Read rights in this functional area, they get full Read access to all objects and are able to execute any created tasks on selections of devices connected to the Administration Server via Network Agent with local administrator rights (root for Linux). We recommend granting these rights carefully and only to a limited set of users who need them to perform their official duties.

All tasks, reports, settings, and installation packages that are not listed in the table belong to the General features: Basic functionality functional area.

Access rights to application features

Each functional area below lists, in this order: Right; User action (with the right required to perform the action); Task; Report; Other.

General features: Management of administration groups

Right: Write

User action:

  • Add device to an administration group: Write
  • Delete device from an administration group: Write
  • Add an administration group to another administration group: Write
  • Delete an administration group from another administration group: Write

Task: None

Report: None

Other: None

General features: Access objects regardless of their ACLs

Right: Read

User action: Get read access to all objects: Read

Task: None

Report: None

Other: Access is granted regardless of other rights, even if they prohibit read access to specific objects.

General features: Basic functionality

Right:

  • Read
  • Write
  • Execute
  • Perform operations on device selections

User action:

  • Device moving rules (create, modify, or delete) for the virtual Server: Write, Perform operations on device selections
  • Get Mobile (LWNGT) protocol custom certificate: Read
  • Set Mobile (LWNGT) protocol custom certificate: Write
  • Get NLA-defined network list: Read
  • Add, modify, or delete NLA-defined network list: Write
  • View Access Control List of groups: Read
  • View the Kaspersky Event Log: Read

Task:

  • "Download updates to the Administration Server repository"
  • "Deliver reports"
  • "Distribute installation package"
  • "Install application on secondary Administration Servers remotely"

Report:

  • "Report on protection status"
  • "Report on threats"
  • "Report on most heavily infected devices"
  • "Report on status of anti-virus databases"
  • "Report on errors"
  • "Report on network attacks"
  • "Summary report on mail system protection applications installed"
  • "Summary report on perimeter defense applications installed"
  • "Summary report on types of applications installed"
  • "Report on users of infected devices"
  • "Report on incidents"
  • "Report on events"
  • "Report on activity of distribution points"
  • "Report on Secondary Administration Servers"
  • "Report on Device Control events"
  • "Report on vulnerabilities"
  • "Report on prohibited applications"
  • "Report on Web Control"
  • "Report on encryption status of managed devices"
  • "Report on encryption status of mass storage devices"
  • "Report on file encryption errors"
  • "Report on blockage of access to encrypted files"
  • "Report on rights to access encrypted devices"
  • "Report on effective user permissions"
  • "Report on rights"

Other: None

General features: Deleted objects

Right:

  • Read
  • Write

User action:

  • View deleted objects in the Recycle Bin: Read
  • Delete objects from the Recycle Bin: Write

Task: None

Report: None

Other: None

General features: Event processing

Right:

  • Delete events
  • Edit event notification settings
  • Edit event logging settings
  • Write

User action:

  • Change events registration settings: Edit event logging settings
  • Change events notification settings: Edit event notification settings
  • Delete events: Delete events

Task: None

Report: None

Other: Settings:

  • Virus outbreak settings: number of virus detections required to create a virus outbreak event
  • Virus outbreak settings: period of time for evaluation of virus detections
  • The maximum number of events stored in the database
  • Period of time for storing events from the deleted devices

General features: Operations on Administration Server

Right:

  • Read
  • Write
  • Execute
  • Modify object ACLs
  • Perform operations on device selections

User action:

  • Specify ports of Administration Server for the network agent connection: Write
  • Specify ports of Activation Proxy launched on the Administration Server: Write
  • Specify ports of Activation Proxy for Mobile launched on the Administration Server: Write
  • Specify ports of the Web Server for distribution of standalone packages: Write
  • Specify ports of the Web Server for distribution of MDM profiles: Write
  • Specify SSL ports of the Administration Server for connection via Kaspersky Security Center Web Console: Write
  • Specify ports of the Administration Server for mobile connection: Write
  • Specify the maximum number of events stored in the Administration Server database: Write
  • Specify the maximum number of events that can be sent by the Administration Server: Write
  • Specify time period during which events can be sent by the Administration Server: Write

Task:

  • "Backup of Administration Server data"
  • "Databases maintenance"

Report: None

Other: None

General features: Kaspersky software deployment

Right:

  • Manage Kaspersky patches
  • Read
  • Write
  • Execute
  • Perform operations on device selections

User action: Approve or decline installation of the patch: Manage Kaspersky patches

Task: None

Report:

  • "Report on license key usage by virtual Administration Server"
  • "Report on Kaspersky software versions"
  • "Report on incompatible applications"
  • "Report on versions of Kaspersky software module updates"
  • "Report on protection deployment"

Other: Installation package: "Kaspersky"

General features: Key management

Right:

  • Export key file
  • Write

User action:

  • Export key file: Export key file
  • Modify Administration Server license key settings: Write

Task: None

Report: None

Other: None

General features: Enforced report management

Right:

  • Read
  • Write

User action:

  • Create reports regardless of their ACLs: Write
  • Execute reports regardless of their ACLs: Read

Task: None

Report: None

Other: None

General features: Hierarchy of Administration Servers

Right: Configure hierarchy of Administration Servers

User action: Register, update, or delete secondary Administration Servers: Configure hierarchy of Administration Servers

Task: None

Report: None

Other: None

General features: User permissions

Right: Modify object ACLs

User action:

  • Change Security properties of any object: Modify object ACLs
  • Manage user roles: Modify object ACLs
  • Manage internal users: Modify object ACLs
  • Manage security groups: Modify object ACLs
  • Manage aliases: Modify object ACLs

Task: None

Report: None

Other: None

General features: Virtual Administration Servers

Right:

  • Manage virtual Administration Servers
  • Read
  • Write
  • Execute
  • Perform operations on device selections

User action:

  • Get list of virtual Administration Servers: Read
  • Get information on the virtual Administration Server: Read
  • Create, update, or delete a virtual Administration Server: Manage virtual Administration Servers
  • Move a virtual Administration Server to another group: Manage virtual Administration Servers
  • Set administration virtual Server permissions: Manage virtual Administration Servers

Task: None

Report: "Report on results of installation of third-party software updates"

Other: None

General features: Encryption Key Management

Right: Write

User action: Import the encryption keys: Write

Task: None

Report: None

Other: None

Mobile device management: General

Right:

  • Connect new devices
  • Send only information commands to mobile devices
  • Send commands to mobile devices
  • Manage certificates
  • Read
  • Write

User action:

  • Get Key Management Service restore data: Read
  • Delete user certificates: Manage certificates
  • Get user certificate public part: Read
  • Check if Public Key Infrastructure is enabled: Read
  • Check Public Key Infrastructure account: Read
  • Get Public Key Infrastructure templates: Read
  • Get Public Key Infrastructure templates by Extended Key Usage certificate: Read
  • Check if Public Key Infrastructure certificate is revoked: Read
  • Update user certificate issuance settings: Manage certificates
  • Get user certificate issuance settings: Read
  • Get packages by application name and version: Read
  • Set or cancel user certificate: Manage certificates
  • Renew user certificate: Manage certificates
  • Set user certificate tag: Manage certificates
  • Run generation of MDM installation package; cancel generation of MDM installation package: Connect new devices

Task: None

Report: None

Other: None

System management: Connectivity

Right:

  • Start RDP sessions
  • Connect to existing RDP sessions
  • Initiate tunneling
  • Save files from devices to the administrator's workstation
  • Read
  • Write
  • Execute
  • Perform operations on device selections

User action:

  • Create desktop sharing session: The right to create desktop sharing session
  • Create RDP session: Connect to existing RDP sessions
  • Create tunnel: Initiate tunneling
  • Save content network list: Save files from devices to the administrator's workstation

Task: None

Report: "Report on device users"

Other: None

System management: Hardware inventory

Right:

  • Read
  • Write
  • Execute
  • Perform operations on device selections

User action:

  • Get or export hardware inventory object: Read
  • Add, set or delete hardware inventory object: Write

Task: None

Report:

  • "Report on hardware registry"
  • "Report on configuration changes"
  • "Report on hardware"

Other: None

System management: Network access control

Right:

  • Read
  • Write

User action:

  • View CISCO settings: Read
  • Change CISCO settings: Write

Task: None

Report: None

Other: None

System management: Operating system deployment

Right:

  • Deploy PXE servers
  • Read
  • Write
  • Execute
  • Perform operations on device selections

User action:

  • Deploy PXE servers: Deploy PXE servers
  • View a list of PXE servers: Read
  • Start or stop the installation process on PXE clients: Execute
  • Manage drivers for WinPE and operating system images: Write

Task: "Create installation package upon reference device OS image"

Report: None

Other: Installation package: "OS Image"

System management: Vulnerability and patch management

Right:

  • Read
  • Write
  • Execute
  • Perform operations on device selections

User action:

  • View third-party patch properties: Read
  • Change third-party patch properties: Write

Task:

  • "Perform Windows Update synchronization"
  • "Install Windows Update updates"
  • "Fix vulnerabilities"
  • "Install required updates and fix vulnerabilities"

Report: "Report on software updates"

Other: None

System management: Remote installation

Right:

  • Read
  • Write
  • Execute
  • Perform operations on device selections

User action:

  • View third-party Vulnerability and patch management based installation package properties: Read
  • Change third-party Vulnerability and patch management based installation package properties: Write

Task: None

Report: None

Other: Installation packages:

  • "Custom application"
  • "VAPM package"

System management: Software inventory

Right:

  • Read
  • Write
  • Execute
  • Perform operations on device selections

User action: None

Task: None

Report:

  • "Report on installed applications"
  • "Report on applications registry history"
  • "Report on status of licensed applications groups"
  • "Report on third-party software license keys"

Other: None

System management: Execute scripts remotely

Right:

  • Read
  • Write
  • Execute
  • Perform operations on device selections

User action:

  • User can view the task properties: Read
  • User can create, delete or modify an installation package: Write
  • User can run a task: Write. On client Linux devices scripts are executed with root privileges.
  • User can run a task or schedule it to run: Execute
  • User can run a task on a selection of devices: Perform operations on device selections

Task: "Execute scripts remotely"

Report: None

Other: None

See also:

Scenario: Configuring network protection
