Assigning an administrator for a virtual Administration Server
When you use virtual Administration Servers in your organization, you might want to assign a dedicated administrator for each virtual Administration Server. For example, this might be useful when you create virtual Administration Servers to manage separate offices or departments of your organization, or if you are an MSP provider and you manage your tenants through virtual Administration Servers.
When you create a virtual Administration Server, it inherits the user list and all of the user rights of the primary Administration Server. If a user has access rights to the primary Server, this user has access rights to the virtual Server as well. After creation, you configure the access rights to the Servers independently. If you want to assign an administrator for a virtual Administration Server only, make sure that the administrator is not included in the Access rights list in the properties of the primary Administration Server.
You assign an administrator for a virtual Administration Server by granting the administrator access rights to the virtual Administration Server. You can grant the required access rights in one of the following ways:
- Configure access rights for the administrator manually
- Assign one or more user roles for the administrator
When you assign an administrator, make sure that you grant access to a single virtual Administration Server. An administrator with access to multiple virtual Administration Servers cannot sign in to Kaspersky Security Center Cloud Console.
An administrator of a virtual Administration Server signs in to Kaspersky Security Center Cloud Console the same way as signing in to the primary Administration Server. Kaspersky Security Center Cloud Console authenticates the administrator and opens the virtual Administration Server to which the administrator has access rights. The administrator cannot switch between Administration Servers.
Prerequisites
Before you start, ensure that the following conditions are met:
- The virtual Administration Server is created.
- On the primary Administration Server, you have created an account for the administrator that you want to assign for the virtual Administration Server.
- The created account of the virtual Server administrator is not included in the Access rights lists in the properties of any Servers—primary or secondary.
- You have the Modify object ACLs right in the General features → User permissions functional area.
Configuring access rights manually
To assign an administrator for a virtual Administration Server:
- In the main menu, switch to the required virtual Administration Server:
- Click the chevron icon () to the right of the current Administration Server name.
- Select the required Administration Server.
- In the main menu, click the settings icon () next to the name of the Administration Server.
The Administration Server properties window opens.
- On the Access rights tab, click the Add button.
A unified list of users of the primary Administration Server and the current virtual Administration Server opens.
- From the list of users, select the account of the administrator that you want to assign for the virtual Administration Server, and then click the OK button.
The application adds the selected user to the user list on the Access rights tab.
- Select the check box next to the added account, and then click the Access rights button.
- Configure the rights that the administrator will have on the virtual Administration Server.
For successful authentication, at minimum, the administrator must have the following rights:
- Read right in the General features → Basic functionality functional area
- Read right in the General features → Virtual Administration Servers functional area
The application saves the modified user rights to the administrator account.
Configuring access rights by assigning user roles
Alternatively, you can grant the access rights to a virtual Administration Server administrator through user roles. For example, this might be useful if you want to assign several administrators on the same virtual Administration Server. If this is the case, you can assign the administrators' accounts the same one or more user roles instead of configuring the same user rights for several administrators.
To assign an administrator for a virtual Administration Server by assigning user roles:
- On the primary Administration Server, create a new user role, and then specify all of the required access rights that an administrator must have on the virtual Administration Server. You can create several roles, for example, if you want to separate access to different functional areas.
- In the main menu, switch to the required virtual Administration Server:
- Click the chevron icon () to the right of the current Administration Server name.
- Select the required Administration Server.
- Assign the new role or several roles to the administrator account.
When assigning roles to a user, in the main menu, go to Users & roles → Users & groups, and then select the Users tab. If you select the Groups tab, and then assign roles to the group where the user is a member, the user will not be able to log in to Kaspersky Security Center Cloud Console.
The application assigns the new role to the administrator account.
Configuring access rights at the object level
In addition to assigning access rights at the functional area level, you can configure access to specific objects on the virtual Administration Server, for example, to a specific administration group or a task. To do this, switch to the virtual Administration Server, and then configure the access rights in the object's properties.