Configuring user permissions to manage Kaspersky Industrial CyberSecurity for Nodes
By default, all features of Kaspersky Industrial CyberSecurity for Nodes are accessible to the members of the Administrators group on the protected device, members of the KICS Administrators group created on the protected device when installing Kaspersky Industrial CyberSecurity for Nodes, and the SYSTEM group.
Users who are not registered in the list of Kaspersky Industrial CyberSecurity for Nodes users cannot open the Application Console.
You can allow or block access to specific functions of Kaspersky Industrial CyberSecurity for Nodes for individual users or groups of users.
About access permissions for Kaspersky Industrial CyberSecurity for Nodes functions
User rights
Description
Manage tasks
Ability to start / stop / pause / resume Kaspersky Industrial CyberSecurity for Nodes tasks.
Create and remove tasks
Ability to create and delete On-Demand Scan tasks.
Edit settings
Ability to:
Import Kaspersky Industrial CyberSecurity for Nodes settings from a configuration file.
Edit the application settings.
Read settings
Ability to:
View Kaspersky Industrial CyberSecurity for Nodes general settings and task settings.
Export Kaspersky Industrial CyberSecurity for Nodes settings to a configuration file.
View settings for task logs, system audit log, and notifications.
Manage storages
Ability to:
Move objects to Quarantine.
Remove objects from Quarantine and Backup.
Restore objects from Quarantine and Backup.
Manage logs
Ability to delete task logs and clear the system audit log.
Read logs
Ability to view Anti-Virus events in task logs and the system audit log.
Retrieve statistics
Ability to view statistics for each Kaspersky Industrial CyberSecurity for Nodes task.
Manage application licensing
Ability to activate Kaspersky Industrial CyberSecurity for Nodes.
Uninstall the application
Ability to uninstall Kaspersky Industrial CyberSecurity for Nodes.
Read permissions
Ability to view the list of Kaspersky Industrial CyberSecurity for Nodes users and user access privileges.
Edit permissions
Ability to:
Edit the list of users with access to application management.
Edit user access permissions for Kaspersky Industrial CyberSecurity for Nodes functions.
Remote connection to application
Ability to remotely connect to the application using the Application Console.
Exit the application
Ability to exit the application using the Application Console.
Disable Kaspersky Security Center policy
Ability to disable the Kaspersky Security Center policy.
Export settings
Ability to export Kaspersky Industrial CyberSecurity for Nodes settings.
In the Kaspersky Security Center Administration Console tree, select the Policies folder.
Select the necessary policy and double-click to open the policy properties.
In the policy properties window, select Supplementary.
In the User access permissions for application management section, click Settings.
This opens a window; in that window, select the Allow confirmation of actions with the application using credentials from manually created users check box and set a password for the KLAdmin user account. The user account is automatically added to the list of user accounts.
If necessary, add user accounts to which you want to grant access to application management. To do so, click Add in the table of user accounts.
This opens the form for configuring user access permissions.
Select the method that you want to use to add users:
Select a user / group from Active Directory. You can grant Kaspersky Industrial CyberSecurity for Nodes access to individual users or groups within the Active Directory domain. For example, if exiting the application is blocked for the Everyone group, you can grant the Exit the application permission to an individual user.
Add a user / group of users manually. You can create a user account that is not present in Active Directory and assign individual permissions to that user account. That is, you can create a service user account and use it instead of KLAdmin. This way, you do not need to share your KLAdmin password with other users or create new Active Directory user accounts. You can specify any user name and password. For example, you can grant the Read logs permission to the service user account. As a result, if viewing reports is prohibited to the 'All' group, you can open the reports using the service user account or the KLAdmin user account.
To add a user or group of users manually, you must enable Password protection.
Select a user or group of users to which you want to grant access to managing the application.
In the Permissions list, configure user access permissions to application functionality.
Save your changes. To apply the policy on computers, close the locks .
In the Application Console tree, select the Kaspersky Industrial CyberSecurity for Nodes node and select User access permissions for application management from the context menu of the node.
This opens a window; in that window, select the Allow confirmation of actions with the application using credentials from manually created users check box and set a password for the KLAdmin user account. The user account is automatically added to the list of user accounts.
If necessary, add user accounts to which you want to grant access to application management. To do so, click Add in the table of user accounts.
This opens the form for configuring user access permissions.
Select the method that you want to use to add users:
Select a user / group from Active Directory. You can grant Kaspersky Industrial CyberSecurity for Nodes access to individual users or groups within the Active Directory domain. For example, if exiting the application is blocked for the Everyone group, you can grant the Exit the application permission to an individual user.
Add a user / group of users manually. You can create a user account that is not present in Active Directory and assign individual permissions to that user account. That is, you can create a service user account and use it instead of KLAdmin. This way, you do not need to share your KLAdmin password with other users or create new Active Directory user accounts. You can specify any user name and password. For example, you can grant the Read logs permission to the service user account. As a result, if viewing reports is prohibited to the 'All' group, you can open the reports using the service user account or the KLAdmin user account.
To add a user or group of users manually, you must enable Password protection.
Select a user or group of users to which you want to grant access to managing the application.
In the Permissions list, configure user access permissions to application functionality.
In the main window of the Web Console, select Assets (Devices) → Policies & profiles.
Click the name of the Kaspersky Industrial CyberSecurity for Nodes policy.
The policy properties window opens.
Select the Application settings tab.
Go to Supplementary → User access permissions for application management and click the Configure button.
This opens a window; in that window, select the Allow confirmation of actions with the application using credentials from manually created users check box and set a password for the KLAdmin user account. The user account is automatically added to the list of user accounts.
If necessary, add user accounts to which you want to grant access to application management. To do so, click Add in the table of user accounts.
This opens the form for configuring user access permissions.
Select the method that you want to use to add users:
Select a user / group from Active Directory. You can grant Kaspersky Industrial CyberSecurity for Nodes access to individual users or groups within the Active Directory domain. For example, if exiting the application is blocked for the Everyone group, you can grant the Exit the application permission to an individual user.
Add a user / group of users manually. You can create a user account that is not present in Active Directory and assign individual permissions to that user account. That is, you can create a service user account and use it instead of KLAdmin. This way, you do not need to share your KLAdmin password with other users or create new Active Directory user accounts. You can specify any user name and password. For example, you can grant the Read logs permission to the service user account. As a result, if viewing reports is prohibited to the 'All' group, you can open the reports using the service user account or the KLAdmin user account.
To add a user or group of users manually, you must enable Password protection.
Select a user or group of users to which you want to grant access to managing the application.
In the Permissions list, configure user access permissions to application functionality.
Save your changes. To apply the policy on computers, close the locks .
.
.