Permissions

Tenable.io uses the following permissions types:

User Roles

๐Ÿ‘

Tip

To determine user permissions for the current user, use the GET /users/{user_id} endpoint.

NameValueDescription
Basic16Users with this role can view scan results and manage their user profile.
Scan Operator24In addition to basic user privileges, users with this role can create and run scans based on scan templates (policies) that were created by a standard user or higher. They can also analyze scan results.
Standard32Users with this role can create scans, scan templates (policies), and user target groups.
Scan Manager40In addition to standard user privileges, users with this role can manage scanners, agents, and exclusions.
Administrator64Users with this role have the same privileges as the standard user but can also manage users, groups, agents, asset data exports, vulnerability data exports, exclusions, system target groups, user target groups, access groups, and scanners. Additionally, administrators can view scans created by all users.

Scan Permissions

NameValueDescription
No Access0Users assigned this permission for a scan cannot view, control, or configure the scan. As a result, the scan does not appear for the user in the Tenable.io user interface, and the user cannot access the scan using the scans API.
Can View16Users and groups assigned this permission can view the results of the scan, export scan results, and move the scan to the trash folder. As a result, the scan appears for the user in the Tenable.io user interface, and the user can access the scan using the scans API. Users assigned this permission cannot view the scan configuration or permanently delete the scan.
Can Execute32In addition to the tasks allowed by the Can View permission, users and groups assigned the Can Execute permission can launch, pause, and stop a scan. Users assigned this permission cannot view the scan configuration or permanently delete the scan.
Can Edit64In addition to the tasks allowed by the Can Execute permission, users and groups assigned the Can Edit permission can view the scan configuration, modify any setting for the scan except scan ownership, and permanently delete the scan.
Owner128The user assigned this permission owns the scan. The owner can modify any setting for the scan, including scan ownership.

Scan Template (Policy) Permissions

NameValueDescription
No Access0Users assigned this permission cannot view or use the scan template (policy). As a result, this scan template does not appear for the user in the Tenable.io user interface, and the user cannot access the scan template using the policies API.
Can View16Users and groups assigned this permission can view the scan template and use it to create scans.
Can Execute32In addition to the tasks allowed by the Can View permission, users assigned the Can Execute permission can modify any setting for the scan template except permissions.
Can Edit64In addition to the tasks allowed by the Can Execute permission, users assigned the Can Edit permission can modify any setting for the scan template except scan template ownership.
Owner128The user assigned this permission owns the scan template. The owner can modify any setting for the scan template, including scan template ownership.

Credential Permissions

NameValueDescription
Can Use32Users assigned this permission can use the managed credential in a scan, but cannot edit managed credential configuration.
Can Edit64In addition to Can Use privileges, users assigned this permission can view and edit settings for the managed credential and can delete the managed credential.

Scanner Permissions

NameValueDescription
No Access0Users assigned this permission cannot use the scanner. As a result, this scanner does not appear for the user in the Tenable.io user interface, and the user cannot access the scanner using the scanners API.
Can Use16Users assigned this permission can use the scanner.
Can Manage64Users assigned this permission can manage the scanner.

Agent Permissions

NameValueDescription
No Access0Users assigned this permission cannot use the agent group in agent scans. As a result, this agent group does not appear for the user in the Tenable.io user interface, and the user cannot access the agent group using the agent-groups API.
Can Use16Users assigned this permission can use the agent group in agent scans.

Target Groups

๐Ÿ›‘

Caution

Target groups were deprecated in Tenable.io on February 4th, 2022. Tenable recommends that customers use tags instead to group and scan assets. Please update any existing integrations that your organization has. If you want to automatically migrate your target groups to tags via the API and pyTenable, see Migrate Target Groups to Tags. For more information about tags, see Tags in the Tenable.io User Guide.

User Target Groups

NameValueDescription
No Access0(Default user only) Users assigned this permission cannot configure scans for hosts in the user target group or use hosts in the user target group to filter dashboards.
Can Use16Users assigned this permission can use hosts in the user target groups to filter dashboards and configure scans.

Note: To enable the user to use a target group in the Target Groups option for scan configurations, you must also grant the user Can Scan permissions in an access group for the targets. If you do not, Tenable.io excludes the targets from the scan results. For more information, see Access Groups
Can Change32In addition to using hosts in this user target group when configuring scans and filtering dashboards, users assigned this permission can modify any setting for the target group except permissions.

System Target Groups

NameValueDescription
No Access0(Default user only) Users assigned this permission cannot use the system target group to filter dashboards.
Can Use32Caution: System target groups are deprecated; Tenable recommends using user target groups instead.

Users assigned this permission can use hosts in the user target groups to filter dashboards and configure scans.

Note: To enable the user to use a target group in the Target Groups option for scan configurations, you must also grant the user Can Scan permissions in an access group for the targets. If you do not, Tenable.io excludes the targets from the scan results. For more information, see Access Groups.

Access Groups

๐Ÿ›‘

Caution

Access groups were deprecated in Tenable.io on February 4th, 2022. Tenable recommends that customers use access control instead to manage user and group access to resources in Tenable.io. Please update any existing integrations that your organization has. For more information about access control, see Access Control in the Tenable.io User Guide.

NameValueDescription
No Access[]Users assigned this permission cannot scan the assets or targets specified in the access group, or view individual or aggregated scan results for the assets or targets in the asset group.
Can View["CAN_VIEW"]For users assigned this permission, aggregated scan results (workbenches/dashboards) include data from scans of the assets or targets specified in the access group.
Can Scan["CAN_SCAN"]Users assigned this permission can scan assets or targets specified in the access group and view individual scan results for the assets or targets. If you do not have this permission, Tenable.io does not prevent you from configuring a scan using assets or targets specified in the access group; however, the scanner does not scan the assets or targets.
Can View & Can Scan["CAN_VIEW", "CAN_SCAN"]Users assigned this permission can both view specific assets and related vulnerabilities in aggregated scan result views and run scans against specific targets and view individual scan results for the targets.