Kaspersky Security lets you use the following roles to restrict user access to application features and services:
Kaspersky Security 9.0 for Microsoft Exchange Servers lets you apply application user roles to manage shared user access to the application. Each role is assigned a set of available application functions, and a set of available nodes displayed in the Management Console tree.
A role is assigned to a user by adding the user account to an Active Directory group. A user can combine multiple roles. In this case, the user account must be added to the Active Directory groups that correspond to these roles. The user will be granted access rights in accordance with the roles assigned.
Applying changes made to Active Directory groups may take up to 10 minutes.
The table below shows the names and descriptions of roles, names of Active Directory groups corresponding to those roles, and a list of nodes, which are displayed in the Management Console for each role.
All available profiles for all user roles are displayed in the Management Console.
Roles of application users
Role |
Description |
Active Directory group |
Nodes displayed in Management Console |
Administrator |
A specialist who performs general application administration tasks, such as configuring Anti-Virus and Anti-Spam settings, generating Anti-Virus and Anti-Spam operation reports, creating/deleting profiles, adding/deleting Security Servers from profiles, and configuring access to profiles. The To administrator section describes the administrator tasks and instructions on how to perform them. |
Kse Administrators |
Profiles <Security Server name> Server protection Updates Notifications Backup Reports Settings Licensing |
Anti-Virus Security Officer |
A specialist who has the rights to access the following application features: viewing the details of the protection status of Microsoft Exchange servers, retrieving reports on the operation of Anti-Virus, Anti-Spam, and Attachment Filtering, restricted access rights to features for management of Backup objects (except for object deletion), and access rights to all of the application settings but without the capability to edit them. |
Kse AV Security Officers |
Profiles <Security Server name> Server protection Updates Notifications Backup Reports Settings Licensing |
Anti-Virus Security Operator |
Specialist who has access rights to view the details of the protection status of Microsoft Exchange servers and to retrieve reports on the operation of Anti-Virus, Anti-Spam, and Content Filtering. |
Kse AV Operators |
Profiles <Security Server name> Reports |
User groups in Active Directory are created automatically when the application is installed or upgraded to Kaspersky Security 9.0 for Microsoft Exchange Servers. Those groups can also be created manually before the application installation using standard Active Directory data management tools. Groups can be created in any domain of the organization. The type of groups is "Universal".
When Management Console is launched, the application checks which group includes the user account under which Management Console has been launched, and the user's role in the application is determined on the basis of this information.
The names of user account groups must remain unique within the Active Directory forest.
A set of profile roles lets you manage user access to individual profiles. Each role is assigned a set of available application functions, and a set of available nodes displayed in the Management Console tree for the profile.
A role is assigned to users when configuring access to a specific profile. A user can have multiple roles and have access to multiple profiles.
The table below shows the profile roles and their descriptions, and a list of nodes that are displayed in the Management Console for each role within a profile.
Profile roles
Role |
Description |
Profile nodes displayed in the Management Console |
Profile administrator |
A specialist who performs general application administration tasks for a profile, such as configuring Anti-Virus and Anti-Spam settings or generating Anti-Virus and Anti-Spam operation reports. |
Server protection Updates Notifications Backup Reports Settings Licensing Servers |
Profile Anti-Virus Security Officer |
A specialist who has the rights to access the following application features within a profile: viewing the details of the protection status of Microsoft Exchange servers, retrieving reports on the operation of Anti-Virus, Anti-Spam, and Attachment Filtering, restricted access rights to features for management of Backup objects (except for object deletion), and access rights to all application settings but without the capability to modify them. |
Server protection Updates Notifications Backup Reports Settings Licensing Servers |
Profile Anti-Virus Security Operator |
A specialist who has access rights to view the details of the protection status of Microsoft Exchange servers and to retrieve reports on the operation of Anti-Virus, Anti-Spam, and Content Filtering within a profile. |
Reports Servers |
When the Management Console is started, the application checks which profile role is assigned to the user account whose permissions were used to start the Management Console, and based on this information the application determines the user's rights to access profiles.
For correct operation of role-based restriction of user access to profiles, you must make sure that the users have not been added to the Kse Administrators, Kse AV Security Officers or Kse AV Operators groups in Active Directory. Otherwise, the users will have access to all existing profiles.
A system role will be held by the account on behalf of which the Kaspersky Security 9.0 for Microsoft Exchange Servers application service will be launched
The system role is assigned to the account that you selected during installation of the application. If you want to specify another account for starting the application service after the application has already been installed, you must assign the system role to it. The system role is assigned by adding a user account to the Kse Watchdog Service group in Active Directory.
Applying changes made to Active Directory groups may take up to 10 minutes.