About access rights to the settings of policies and tasks in Kaspersky Security Center

The rights to access the settings of policies and tasks (read, write, and execute) are defined for each user who has access to the Kaspersky Security Center Administration Server. In the Kaspersky Security Center Administration Console, you can grant user accounts the rights to perform certain actions within the functional scopes of Kaspersky Security.

When using the Web Console to manage Kaspersky Security by means of Kaspersky Security Center, it is not possible to differentiate access rights to functional scopes of Kaspersky Security. User permissions to perform actions with Kaspersky Security policies and tasks that were configured in the Administration Console are not taken into account in the Web Console.

One functional scope is allocated for the Protection Server component: Basic functionality. This functional scope includes the following settings and functions:

• Settings for connecting SVMs to the Integration Server.
• Settings for connecting Light Agents to SVMs.
• SNMP monitoring settings.
• KSN usage settings.
• SVM advanced settings.
• Application activation task.
• Application database update task and latest application database update rollback task.
• SVM application module update task.

The following functional scopes are allocated for the Light Agent for Windows component:

• Protection components. This functional scope includes the following settings and functions:
  • Enabling and disabling of File Anti-Virus for Windows.
  • File Anti-Virus for Windows settings:
    • File security level.
    • The action that is performed by the application on detection of an infected file.
    • File Anti-Virus protection scope.
    • Settings for scanning compound files, optimization, and the scan mode.
    • Automatically pausing File Anti-Virus.
    • Use of heuristic analysis and iSwift scan technology.
  • Enabling and disabling AMSI Protection.
  • The scan settings of the compound files when the objects are scanned in response to AMSI requests.
  • Enabling and disabling Mail Anti-Virus.
  • Mail Anti-Virus settings:
    • Mail security level.
    • Action taken by the application when it detects an infected email message.
    • Mail Anti-Virus protection scope.
    • Settings for scanning compound files attached to messages, and attachment filtering by type.
    • Use of heuristic analysis and the Mail Anti-Virus extension for Microsoft Office Outlook.
  • Enabling and disabling Web Anti-Virus.
  • Web Anti-Virus settings:
    • Web traffic security level.
    • Action taken by the application when it detects a malicious object in web traffic.
    • Enabling and disabling scanning of URLs against databases of phishing and malicious web addresses.
    • Use of heuristic analysis and the duration of web traffic caching by Web Anti-Virus.
    • List of trusted web addresses.
  • Virus scan task for Light Agent for Windows.
• Basic functionality. This functional scope includes the following settings and functions:
  • Settings for connecting Light Agents to SVMs.
  • Network traffic monitoring settings.
  • List of domains excluded from secure connections scan.
  • Settings for reports and Backup.
  • Application Self-Defense settings.
  • Light Agent for Windows local interface settings.
  • Password-protecting access to application settings in a local interface.
  • Settings for managing tasks from the local interface.
  • Settings for scanning removable drives when they are connected.
  • Settings for automatic startup of the application.
  • Advanced Disinfection settings.
  • Change application components task.
  • Settings for interaction with Kaspersky Managed Detection and Response.
• Application Control. This functional scope includes the following settings and functions:
  • Enabling and disabling Application Startup Control.
  • Application Startup Control settings:
    • The action taken by Kaspersky Security when it detects an attempt to start an application that is not allowed by an Application Startup Control rule.
    • Configuring and using application categories and application startup control rules.
    • Startup control of executable modules and drivers.
    • Configuring Application Startup Control message templates.
  • Enabling and disabling Application Privilege Control.
  • Application Privilege Control settings:
    • Configuring and using Application Control rules.
    • Protecting operating system resources.
  • Inventory task and getting information about applications that are installed on protected virtual machines.
• Device Control. This functional scope includes the following settings and functions:
  • Enabling and disabling Device Control.
  • Device Control settings:
    • Devices access rules.
    • Connection bus access rule.
    • Configuring Device Control messages templates.
• Web Control. This functional scope includes the following settings and functions:
  • Enabling and disabling Web Control.
  • Web Control settings:
    • Configuring and using web resource access rules.
    • Configuring Web Control messages templates.
• Intrusion Prevention. This functional scope includes the following settings and functions:
  • Enabling or disabling Firewall.
  • Configuring and using network packet rules and application network rules.
  • Enabling and disabling Network Attack Blocker.
  • The settings used in blocking an attacking device.
  • List of IP addresses excluded from blocking in case a network attack is detected.
  • Virtual machine proactive protection.
  • Protecting shared folders against external encryption.
  • Rollback of malware actions.
• System Integrity Monitoring. This functional scope includes the following settings and functions:
  • Enabling or disabling the System Integrity Monitoring.
  • The System Integrity Monitoring scope and the System Integrity Check scope.
  • Baseline update task.
  • System Integrity Check task.
  • The System Integrity Monitoring component logs.
• Trusted zone. This functional scope includes the following settings and functions:
  • List of objects and applications excluded from scans.
  • Enabling and disabling the use of exclusions.
  • List of trusted applications.

The following functional scopes are allocated for the Light Agent for Linux component:

• Protection components. This functional scope includes the following settings and functions:
  • Enabling and disabling of File Anti-Virus for Linux.
  • File Anti-Virus for Linux settings:
    • File security level.
    • The action that is performed by the application on detection of an infected file.
    • File Anti-Virus protection scope.
    • Settings for scanning compound files and the scan mode.
    • Use of heuristic analysis and iChecker scan technology.
  • Virus scan task for Light Agent for Linux.
• Basic functionality. This functional scope includes the following settings and functions:
  • Settings for connecting Light Agents to SVMs.
  • Backup settings.
• Trusted zone. This functional scope includes the following settings and functions:
  • List of objects and applications excluded from scans.
  • Enabling and disabling the use of exclusions.

The following actions are available to the user regardless of the rights of the user account within the functional scopes of Kaspersky Security:

• Viewing the settings of policies.
• Creating a policy.

  When creating a policy, the user can configure only settings related to the functional scopes for which the user account has modification rights.

To perform the following actions with policies and tasks, the user account must have permissions within the functional scopes of Kaspersky Security:

• Reconfiguration of a previously saved policy requires read and modification rights within the functional scopes of those settings.
• Modifying the status of a policy (active/inactive) and removing the policy requires read and modification rights within the functional scopes of the policy settings closed with a "lock". If a policy has settings that are closed with a "lock" (in other words, for these settings it is prohibited to change a parameter in the child policies and in the local interface of the application), and the user does not have read and modification rights within the functional scopes of these settings, it is impossible to delete or modify the status of the policy. If a policy does not have settings for which it is prohibited to modify a parameter in child policies or in the local interface of the application, the user can delete or modify the status of the policy regardless of the account's rights within the functional scopes of the application.
• Creation, removal, and configuration of the settings of tasks require read and modification rights within the functional scope of the task.
• Viewing task settings requires read permissions within the functional scope of the task.
• Execution rights within the functional scope of a task are required to run the task.

Access rights to functional scopes of Kaspersky Security are configured in the properties window of the Kaspersky Security Center Administration Server in the Security section.

By default, the Security section is not displayed in the Administration Server properties window. To enable display of the Security section, select the Display security settings sections check box in the Configure interface window (View → Configure interface menu) and restart Kaspersky Security Center Administration Console.

For more details on access rights to Kaspersky Security Center objects, please refer to the Kaspersky Security Center help.