Kaspersky
Solved

KSC User Rights


Badge
Dear Support,

Greetings,

Im using KSC Adminstration Server 10.5, i want to assign user a role only for Reporting and customizing the values of Reports. What role or rights should i assign the user ? Thanks
icon

Best answer by intrusus 29 April 2019, 13:16

So, this is quote from the official release notes of KSC 11:
Additionally detailed the administrator rights. To run a report, you now need only the read permission in the "Reports management" area. A separate permissions area named "Management of administration groups" has been added to the "General features".


This means in fact that there was actually no option to display and edit reports in KSC 10 only. Just install the new KSC 11 on a new server and install the new Network Agents from there (as I said, we didn't do an in-place upgrade, but of course you can do that, too). Then you have the possibility to grant permission for reports and test the KSC 11 first instead of using it productively.

Have a nice week,
Leon
View original

13 replies

Userlevel 2
Badge +1
Hi,

Please read the article https://help.kaspersky.com/KSC/11/en-US/89264.htm

Thank you!
Userlevel 4
Badge +3
Hey Hamid Ali,

if you want to use a role created by Kaspersky you can assign the specific user the user role "Auditor". It permits all operations with all types of reports, all viewing operations, including viewing deleted objects (grants the Read and Modify permissions in the Deleted objects area). It does not permit other operations.

Here's what you gotta do if you want to create a user role only for reports:

  1. Go to the properties of the Administration Server (right click -> Properties)
  2. Go to the menu item "User roles" in the properties of the Administration Server.
  3. Add a new user role by clicking on "Add...".
  4. Name the user role e.g. "User for reports".
  5. Click on "Edit" to view the properties of the user role.
  6. Go to Permissions and check the Allow box at "Access objects independently of their ACLs"* and "Forced report management".**
You can actively forbid the rest or leave the other columns empty.

Then press OK.

Go to "Security" in the properties of the Administration Server and add the corresponding Windows user. At the bottom right you can assign him your new role. Remember that the user must not be in the domain group of KLAdmins, Domain Administrators or KLOperators. Otherwise your created role will be overwritten.

More information about user rights in KSC: https://help.kaspersky.com/KSC/11/en-US/89264.htm

Have fun! 🤘🏼
Leon

* I am not sure if it's possible without this permission to view reports somehow. When i unchecked this box, I got the error: insufficient permissions.
** i use the german version of KSC, the name of the specific properties could differ. Please excuse this. Look at the Screenshot for a better understanding.
Badge
Hey Hamid Ali,

if you want to use a role created by Kaspersky you can assign the specific user the user role "Auditor". It permits all operations with all types of reports, all viewing operations, including viewing deleted objects (grants the Read and Modify permissions in the Deleted objects area). It does not permit other operations.

Here's what you gotta do if you want to create a user role only for reports:

  1. Go to the properties of the Administration Server ( right click -> Properties)
  2. Go to the menu item "User roles" in the properties of the Administration Server.
  3. Add a new user role by clicking on " Add...".
  4. Name the user role e.g. "User for reports".
  5. Click on "Edit" to view the properties of the user role.
  6. Go to Permissions and check the Allow box at "Access objects independently of their ACLs"* and "Forced report management".**
You can actively forbid the rest or leave the other columns empty.

Then press OK.

Go to "Security" in the properties of the Administration Server and add the corresponding Windows user. At the bottom right you can assign him your new role. Remember that the user must not be in the domain group of KLAdmins, Domain Administrators or KLOperators. Otherwise your created role will be overwritten.

More information about user rights in KSC: https://help.kaspersky.com/KSC/11/en-US/89264.htm
Have fun! 🤘🏼

Leon

* I am not sure if it's possible without this permission to view reports somehow. When i unchecked this box, I got the error: insufficient permissions.
** i use the german version of KSC, the name of the specific properties could differ. Please excuse this. Look at the Screenshot for a better understanding.

Thank you very much for your response. I reckon this feature options are for KSC 11.
Could you please guide me according to KSC 10.5. Thanks
Badge
Hi,

Please read the article https://help.kaspersky.com/KSC/11/en-US/89264.htm
Thank you!


Thank you very much for your response. I reckon this feature options are for KSC 11.
Could you please guide me according to KSC 10.5. Thanks
Userlevel 4
Badge +3
It works the same on KSC 10, read this: https://help.kaspersky.com/ksc/sp3/en-US/67895.htm
Badge
It works the same on KSC 10, read this: https://help.kaspersky.com/ksc/sp3/en-US/67895.htm
Thanks for the response.

I would highly appreciate if you could please specify which roles and permissions should be used to grant access to Generate reports only and change the settings of report. Thank you very much !!
Badge
Dear Support,

Waiting for your response.

Thanks
Userlevel 4
Badge +3
Hi,

I can build it for you in the lab and send you a step-by-step guide in this thread.
Keep in mind that the members (except the Kaspersky Lab staff) are volunteers and we have to prioritize the work in our own companies. Therefore, there may always be delays in replies. 😉

Best regards
Leon
Badge
Hi,

I can build it for you in the lab and send you a step-by-step guide in this thread.
Keep in mind that the members (except the Kaspersky Lab staff) are volunteers and we have to prioritize the work in our own companies. Therefore, there may always be delays in replies. 😉


Best regards
Leon

Thank you very much and highly appreciated efforts and passion of yours (Y) . I know its not easy to volunteer but your interest and passion is great.
Surely you can take your time for this query i can wait for this. Thanks
Userlevel 4
Badge +3
Hi,

sorryfor my late answer.
In KSC 10 you can only give a user or a group limited access to the reports, because in contrast to the new KSC version there is no own authorization option for reports only.

However, you can implement your idea a little differently:
You can only give the user or group read-only permissions to the KSC, but that also means that they cannot create or modify reports.

I would advise you to upgrade to the new KSC 11 in the near future. We moved internally manually, so we didn't do a real upgrade on the same server to avoid bugs and are moving our clients one by one to the new administration server.

However, here's the guide on how to create a read-only KSC user:1. Configure the KSC 10 interface by click on "View" and then on "Display security settings section". Restart the administration console after that.



2. Go to the properties of the administration server and there on "Security".


3. Add an internal or Windows user and modify his rights at Basic functionality to "Read". Also, if you set the "Modify" to the right, the user can also change other objects on the Administration Server.

I know the answer doesn't satisfy you 100%.
Either you trust the user and give him or her permission to edit objects or you leave it at "read-only".

Kind regards,
Leon
Badge
Hi,

sorryfor my late answer.
In KSC 10 you can only give a user or a group limited access to the reports, because in contrast to the new KSC version there is no own authorization option for reports only.

However, you can implement your idea a little differently:
You can only give the user or group read-only permissions to the KSC, but that also means that they cannot create or modify reports.

I would advise you to upgrade to the new KSC 11 in the near future. We moved internally manually, so we didn't do a real upgrade on the same server to avoid bugs and are moving our clients one by one to the new administration server.

However, here's the guide on how to create a read-only KSC user:1. Configure the KSC 10 interface by click on "View" and then on "Display security settings section". Restart the administration console after that.





2. Go to the properties of the administration server and there on "Security".

3. Add an internal or Windows user and modify his rights at Basic functionality to "Read". Also, if you set the "Modify" to the right, the user can also change other objects on the Administration Server.I know the answer doesn't satisfy you 100%.
Either you trust the user and give him or her permission to edit objects or you leave it at "read-only".

Kind regards,
Leon

Dear Leon,

Perfectly demonstrated. Thanks

Yeah you said it right that by giving MODIFY rights can achieve my target to change the options of report, but this also allow the user to modify admin server components.

So as mentioned by you "Either you trust the user and give him or her permission to edit objects or you leave it at "read-only". So i have to choose between these.

So this means there is no other option than this ? Except i can upgrade to KSC 11. Thanks
Userlevel 4
Badge +3
So, this is quote from the official release notes of KSC 11:
Additionally detailed the administrator rights. To run a report, you now need only the read permission in the "Reports management" area. A separate permissions area named "Management of administration groups" has been added to the "General features".


This means in fact that there was actually no option to display and edit reports in KSC 10 only. Just install the new KSC 11 on a new server and install the new Network Agents from there (as I said, we didn't do an in-place upgrade, but of course you can do that, too). Then you have the possibility to grant permission for reports and test the KSC 11 first instead of using it productively.

Have a nice week,
Leon
Badge
So, this is quote from the official release notes of KSC 11:

Additionally detailed the administrator rights. To run a report, you now need only the read permission in the "Reports management" area. A separate permissions area named "Management of administration groups" has been added to the "General features".
This means in fact that there was actually no option to display and edit reports in KSC 10 only. Just install the new KSC 11 on a new server and install the new Network Agents from there (as I said, we didn't do an in-place upgrade, but of course you can do that, too). Then you have the possibility to grant permission for reports and test the KSC 11 first instead of using it productively.

Have a nice week,
Leon

Dear Leon,

Thank you very much for your interest and help in this regard. Appreciated !!!

Reply / Ответить