Permissions

Tenable.io uses the following permission types:

User Roles

Tip: To determine user permissions for the current user, use the GET /users/{user_id} endpoint.

| Name | Value | Description |
|---|---|---|
| Basic | 16 | Users with this role can view and configure scan results. |
| Scan Operator | 24 | In addition to basic user privileges, users with this role can use existing scan policies that were created by a standard user or higher. They can also analyze scan results and create user target groups. |
| Standard | 32 | Users with this role can create scans, policies, and user target groups. |
| Scan Manager | 40 | In addition to standard user privileges, users with this role can manage scanners, agents, and exclusions. |
| Administrator | 64 | Users with this role have the same privileges as the standard user but can also manage users, groups, agents, asset data exports, vulnerability data exports, exclusions, system target groups, user target groups, access groups, and scanners. |

Scan Roles

| Name | Value | Description |
|---|---|---|
| No Access | 0 | Users assigned this permission for a scan cannot view, control, or configure the scan. As a result, the scan does not appear for the user in the Tenable.io user interface, and the user cannot access the scan using the scans API. |
| Can View | 16 | Users assigned this permission can view the results of the scan. As a result, the scan appears for the user in the Tenable.io user interface, and the user can access the scan using the scans API. |
| Can Control | 32 | Users assigned this permission can launch, pause, and stop a scan, in addition to performing any tasks allowed by Can View. |
| Can Configure | 64 | Users assigned this permission can modify any setting for the scan except scan ownership, in addition to performing any tasks allowed by Can Control. |
| Owner | 128 | The user assigned this permission owns the scan. The owner can modify any setting for the scan, including scan ownership. |

Policy Roles

| Name | Value | Description |
|---|---|---|
| No Access | 0 | Users assigned this permission cannot view or use the policy. As a result, this policy does not appear for the user in the Tenable.io user interface, and the user cannot access the policy using the policies API. |
| Can Use | 16 | Users assigned this permission can view the policy and use it to create scans. |
| Can Edit | 32 | In addition to Can Use permissions, users assigned this permission can modify any setting for the policy except permissions. |
| Can Configure | 64 | In addition to Can Edit privileges, users assigned this permission can modify any setting for the policy except policy ownership. |

Credential Roles

| Name | Value | Description |
|---|---|---|
| Can Use | 32 | Users assigned this permission can use the managed credential in a scan, but cannot edit managed credential configuration. |
| Can Edit | 64 | In addition to Can Use privileges, users assigned this permission can view and edit settings for the managed credential and can delete the managed credential. |

Scanner Roles

| Name | Value | Description |
|---|---|---|
| No Access | 0 | Users assigned this permission cannot use the scanner. As a result, this scanner does not appear for the user in the Tenable.io user interface, and the user cannot access the scanner using the scanners API. |
| Can Use | 16 | Users assigned this permission can use the scanner. |
| Can Manage | 64 | Users assigned this permission can manage the scanner. |

Agent Roles

| Name | Value | Description |
|---|---|---|
| No Access | 0 | Users assigned this permission cannot use the agent group in agent scans. As a result, this agent group does not appear for the user in the Tenable.io user interface, and the user cannot access the agent group using the agent-groups API. |
| Can Use | 16 | Users assigned this permission can use the agent group in agent scans. |

Target Groups

Note: For more information about target groups, see Target Groups in the Tenable.io Vulnerability Management User Guide.

User Target Groups

| Name | Value | Description |
|---|---|---|
| No Access | 0 | (Default user only) Users assigned this permission cannot configure scans for hosts in the user target group or use hosts in the user target group to filter dashboards. |
| Can Use | 16 | Users assigned this permission can use hosts in the user target groups to filter dashboards and configure scans. Note: To enable the user to use a target group in the Target Groups option for scan configurations, you must also grant the user Can Scan permissions in an access group for the targets. If you do not, Tenable.io excludes the targets from the scan results. For more information, see Access Groups. |
| Can Change | 32 | In addition to using hosts in this user target group when configuring scans and filtering dashboards, users assigned this permission can modify any setting for the target group except permissions. |

System Target Groups

| Name | Value | Description |
|---|---|---|
| No Access | 0 | (Default user only) Users assigned this permission cannot use the system target group to filter dashboards. |
| Can Use | 32 | Caution: System target groups are deprecated; Tenable recommends using user target groups instead. Users assigned this permission can use hosts in the user target groups to filter dashboards and configure scans. Note: To enable the user to use a target group in the Target Groups option for scan configurations, you must also grant the user Can Scan permissions in an access group for the targets. If you do not, Tenable.io excludes the targets from the scan results. For more information, see Access Groups. |

Access Groups

Note: For more information about access groups, see Access Groups in the Tenable.io Vulnerability Management User Guide.

| Name | Value | Description |
|---|---|---|
| No Access | [] | Users assigned this permission cannot scan the assets or targets specified in the access group, or view individual or aggregated scan results for the assets or targets in the asset group. |
| Can View | ["CAN_VIEW"] | For users assigned this permission, aggregated scan results (workbenches/dashboards) include data from scans of the assets or targets specified in the access group. |
| Can Scan | ["CAN_SCAN"] | Users assigned this permission can scan assets or targets specified in the access group and view individual scan results for the assets or targets. If you do not have this permission, Tenable.io does not prevent you from configuring a scan using assets or targets specified in the access group; however, the scanner does not scan the assets or targets. |
| Can View & Can Scan | ["CAN_VIEW", "CAN_SCAN"] | Users assigned this permission can both view specific assets and related vulnerabilities in aggregated scan result views and run scans against specific targets and view individual scan results for the targets. |
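
The target group and access group permissions interact: a user can hold Can Use on a target group and still have the targets excluded from scan results when CAN_SCAN is missing. The following check for that silent failure is an added example, not Tenable code; the permission values come from the tables above, while the grant record layout and the function names are constructed for illustration and are not the shape of any Tenable.io API response.

```python
# Added example. Values are taken from the tables on this page; the grant
# record layout (user / target_group / access_group) is an assumption.
TARGET_GROUP = {0: "No Access", 16: "Can Use", 32: "Can Change"}
ACCESS_GROUP = {"CAN_VIEW", "CAN_SCAN"}


def effective_access(target_group_perm, access_group_perms):
    """Combine a user target group permission with access group permissions."""
    if target_group_perm not in TARGET_GROUP:
        raise ValueError(f"unknown target group permission: {target_group_perm!r}")
    unknown = set(access_group_perms) - ACCESS_GROUP
    if unknown:
        raise ValueError(f"unknown access group permission(s): {sorted(unknown)}")
    can_select = target_group_perm >= 16  # Can Use (16) or Can Change (32)
    can_scan = "CAN_SCAN" in access_group_perms
    return {
        "can_select_in_scan_config": can_select,
        "target_group_targets_scanned": can_select and can_scan,
        "sees_individual_results": can_scan,
        "in_aggregated_views": "CAN_VIEW" in access_group_perms,
    }


def audit(grants):
    """Return (user, finding) pairs for grants whose effect differs from intent."""
    findings = []
    for g in grants:
        eff = effective_access(g["target_group"], g["access_group"])
        if eff["can_select_in_scan_config"] and not eff["target_group_targets_scanned"]:
            findings.append((g["user"], "target group usable but CAN_SCAN missing: "
                             "targets are excluded from scan results"))
        if eff["sees_individual_results"] and not eff["in_aggregated_views"]:
            findings.append((g["user"], "CAN_SCAN without CAN_VIEW: aggregated "
                             "views (workbenches/dashboards) not granted"))
    return findings


# Constructed sample grants, not real users or API output.
SAMPLE = [
    {"user": "alice", "target_group": 16, "access_group": ["CAN_VIEW", "CAN_SCAN"]},
    {"user": "bob", "target_group": 32, "access_group": ["CAN_VIEW"]},
    {"user": "carol", "target_group": 16, "access_group": ["CAN_SCAN"]},
    {"user": "dave", "target_group": 0, "access_group": []},
]

if __name__ == "__main__":
    for user, finding in audit(SAMPLE):
        print(f"{user}: {finding}")
```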

Updated about a month ago

