Accounts for installing and using the application

To install the Kaspersky Security administration plug-ins and the Integration Server, you must use an account that belongs to the group of local administrators on the computer where installation is performed.

If the computer hosting the Administration Console of Kaspersky Security Center belongs to a Microsoft Windows domain, starting the Kaspersky Security Center Administration Console requires a domain account that belongs to the KLAdmins group or an account that belongs to the group of local administrators.

VMware ESXi hypervisor

The following accounts are required for installation and operation of the application on a VMware ESXi hypervisor:

• An administrator account with the following rights is required to deploy, delete, or reconfigure an SVM:
  • Datastore.Allocate space
  • Datastore.Low level file operations
  • Datastore.Remove file
  • Global.Cancel task
  • Global.Licenses
  • Host.Config.Virtual machine autostart configuration
  • Host.Inventory.Modify cluster
  • Network.Assign network
  • Tasks.Create task
  • VApp.Import
  • Virtual machine.Configuration.Add new disk
  • Virtual machine.Configuration.Add or remove device
  • Virtual machine.Configuration.Memory
  • Virtual machine.Interaction.Power Off
  • Virtual machine.Interaction.Power On
  • Virtual machine.Inventory.Create new
  • Virtual machine.Inventory.Remove
  • Virtual machine.Provisioning.Customize
  • System.Anonymous
  • System.Read
  • System.View
• To connect the Integration Server to the VMware vCenter server, it is recommended to use an account that has been assigned the preset system role ReadOnly.

Roles should be assigned to accounts at the top level of the hierarchy of VMware inventory objects, that is, at the level of VMware vCenter server.

Microsoft Windows Server (Hyper-V) hypervisor

To deploy, delete, or reconfigure an SVM on a Microsoft Windows Server (Hyper-V) hypervisor, a built-in local administrator account or domain account that belongs to the Hyper-V Administrators group is required. For a domain account, you must also grant permissions for remote connection and use of the following WMI namespaces:

• root\cimv2
• root\MSCluster
• root\virtualization
• root\virtualization\v2 (for versions of Microsoft Windows server operating systems, beginning with Windows Server 2012 R2)

A built-in local administrator account or domain account that belongs to the Hyper-V Administrators group and has the permissions listed above is also used to connect the Integration Server to a Microsoft Windows Server (Hyper-V) hypervisor.

Citrix XenServer hypervisor

The following accounts are required for installation and operation of the application on a Citrix XenServer hypervisor:

• To deploy, remove, or reconfigure an SVM, an account with Pool Admin rights is required.
• To connect the Integration Server to the Citrix XenServer hypervisor, it is recommended to use an account with the Read Only role.

KVM hypervisor

The following accounts are required for installation and operation of the application on a KVM hypervisor:

• To deploy, delete, or reconfigure an SVM, a root account, or an account with the right to perform actions on behalf of the root account, is required.
• To connect the Integration Server to the KVM hypervisor, it is recommended to use an unprivileged user account with access to the “read only” Unix socket (libvirt-sock-ro) of the libvirtd service (libvirtd daemon).

Proxmox hypervisor

The following accounts are required for installation and operation of the application on a Proxmox hypervisor:

• To deploy, delete, or reconfigure an SVM, a root account, or an account with the right to perform actions on behalf of the root account, is required.
• To connect the Integration Server to the Proxmox hypervisor, it is recommended to use an account that has been granted access with the PVEAuditor role to the root directory (/) and all child directories.

Page top