Access rights to Administration Server and its objects
Dec 4, 2023
The KLAdmins and KLOperators groups are created automatically during Kaspersky Security Center installation. These groups are granted permissions to connect to the Administration Server and to process Administration Server objects.
Depending on the type of account that is used for installation of Kaspersky Security Center, the KLAdmins and KLOperators groups are created as follows:
- If the application is installed under a user account included in a domain, the groups are created on the Administration Server and in the domain that includes the Administration Server.
- If the application is installed under a system account, the groups are created on the Administration Server only.
You can view the KLAdmins and KLOperators groups and modify the access privileges of the users that belong to the KLAdmins and KLOperators groups by using the standard administrative tools of the operating system.
The KLAdmins group is granted all access rights; the KLOperators group is granted only Read and Execute rights. The rights granted to the KLAdmins group are locked.
Users that belong to the KLAdmins group are called Kaspersky Security Center administrators, while users from the KLOperators group are called Kaspersky Security Center operators.
In addition to users included in the KLAdmins group, administrator rights for Kaspersky Security Center are also provided to the local administrators of devices on which Administration Server is installed.
You can exclude local administrators from the list of users who have Kaspersky Security Center administrator rights.
All operations started by the administrators of Kaspersky Security Center are performed using the rights of the Administration Server account.
An individual KLAdmins group can be created for each Administration Server from the network; the group will have the necessary rights for that Administration Server only.
If devices belonging to the same domain are included in the administration groups of different Administration Servers, the domain administrator is the Kaspersky Security Center administrator for all the groups. The KLAdmins group is the same for those administration groups; it is created during installation of the first Administration Server. All operations initiated by a Kaspersky Security Center administrator are performed using the account rights of the Administration Server for which these operations have been started.
After the application is installed, an administrator of Kaspersky Security Center can do the following:
- Modify the rights granted to the KLOperators groups.
- Grant rights—to access Kaspersky Security Center functionality—to other security groups and individual users who are registered on the administrator's workstation.
- Assign user access rights within each administration group.
The Kaspersky Security Center administrator can assign access rights to each administration group or to other objects of Administration Server in the Security section in the properties window of the selected object.
You can track user activity by using the records of events in the Administration Server operation. Event records are displayed in the Administration Server node on the Events tab. These events have the importance level Info events and the event types begin with "Audit".