Predefined user roles
User roles assigned to Open Single Management Platform users provide them with sets of access rights to application features.
You can use the predefined user roles with already configured set of rights, or create new roles and configure the required rights yourself. Some of the predefined user roles available in Open Single Management Platform can be associated with specific job positions, for example, Auditor, Security Officer, Supervisor. Access rights of these roles are pre-configured in accordance with the standard tasks and scope of duties of the associated positions. The table below shows how roles can be associated with specific job positions.
Examples of roles for specific job positions
Role | Comment |
Auditor | Permits all operations with all types of reports, all viewing operations, including viewing deleted objects (grants the Read and Write permissions in the Deleted objects area). Does not permit other operations. You can assign this role to a person who performs the audit of your organization. |
Supervisor | Permits all viewing operations; does not permit other operations. You can assign this role to a security officer and other managers in charge of the IT security in your organization. |
Security Officer | Permits all viewing operations, permits reports management; grants limited permissions in the System management: Connectivity area. You can assign this role to an officer in charge of the IT security in your organization. |
The table below shows the access rights assigned to each predefined user role.
Features of the functional areas Mobile Device Management: General and System management are not available in Open Single Management Platform. A user with the roles Vulnerability and patch management administrator/operator or Mobile Device Management Administrator/Operator has access only for rights from the General features: Basic functionality area.
Access rights of predefined user roles
Role | Description |
|---|---|
Basic roles | |
Administration Server Administrator | Permits all operations in the following functional areas, in General features:
Grants the Read and Write rights in the General features: Encryption key management functional area. |
Administration Server Operator | Grants the Read and Execute rights in all of the following functional areas, in General features:
|
Auditor | Permits all operations in the following functional areas, in General features:
You can assign this role to a person who performs the audit of your organization. |
Installation Administrator | Permits all operations in the following functional areas, in General features:
Grants Read and Execute rights in the General features: Virtual Administration Servers functional area. |
Installation Operator | Grants the Read and Execute rights in all of the following functional areas, in General features:
|
Kaspersky Endpoint Security Administrator | Permits all operations in the following functional areas:
Grants the Read and Write rights in the General features: Encryption key management functional area. |
Kaspersky Endpoint Security Operator | Grants the Read and Execute rights in all of the following functional areas:
|
Main Administrator | Permits all operations in functional areas, except for the following areas, in General features:
Grants the Read and Write rights in the General features: Encryption key management functional area. |
Main Operator | Grants the Read and Execute (where applicable) rights in all of the following functional areas:
|
Mobile Device Management Administrator | Permits all operations in the General features: Basic functionality functional area.
|
Security Officer | Permits all operations in the following functional areas, in General features:
Grants the Read, Write, Execute, Save files from devices to the administrator's workstation, and Perform operations on device selections rights in the System management: Connectivity functional area. You can assign this role to an officer in charge of the IT security in your organization. |
Self Service Portal User | Permits all operations in the Mobile Device Management: Self Service Portal functional area. This feature is not supported in Kaspersky Security Center 11 and later version. |
Supervisor | Grants the Read right in the General features: Access objects regardless of their ACLs and General features: Enforced report management functional areas. You can assign this role to a security officer and other managers in charge of the IT security in your organization. |
XDR roles | |
Main administrator | Permits all operations in the XDR functional areas:
|
Tenant administrator | Permits all operations in the XDR functional areas:
This role corresponds to the Main Administrator role, but it has a restriction. In KUMA, a tenant administrator has limited access to the preset objects. |
SOC administrator | Grants the following rights in the XDR functional areas:
|
Junior analyst | Grants the following rights in the XDR functional areas:
|
Tier 2 analyst | Grants the following rights in the XDR functional areas:
|
Tier 1 analyst | Grants the following rights in the XDR functional areas:
This role corresponds to the Tier 2 analyst role, but it has a restriction. In KUMA, a Tier 1 analyst can only modify their own objects. |
SOC manager | Grants the following rights in the XDR functional areas:
|
Approver | Grants the following rights in the XDR functional areas:
|
Observer | Grants the following rights in the XDR functional areas:
|
Interaction with NCIRCC | Grants the following rights in the XDR functional areas:
You can work with XDR incidents, create NCIRCC incidents based on them, and export NCIRCC incidents (without access to critical information infrastructure). |
Service roles | |
Automatic Threat Responder | Grants service accounts the right to respond to threats. Access rights are configured automatically in accordance with the role-based access control policies of Kaspersky Security Center Linux and managed Kaspersky applications. You can assign this role only to service accounts. This role cannot be edited.
|
