Roles
Tenable Vulnerability Management and Tenable Web App Scanning use the following role types:
User Roles
User roles are a set of Tenable-provided privileges that are predefined. For more information about user roles, see Tenable-Provided Roles and Privileges in the Tenable Vulnerability Management User Guide.
Tip
To determine user permissions for the current user, use the GET /users/{user_id} endpoint.
| Name | Value | Description |
|---|---|---|
| Basic | 16 | Users with this role can view scan results and manage their user profile. |
| Scan Operator | 24 | In addition to basic user privileges, users with this role can create and run scans based on scan templates (policies) that were created by a standard user or higher. They can also analyze scan results. |
| Standard | 32 | Users with this role can create scans, scan templates (policies), and user target groups. |
| Scan Manager | 40 | In addition to standard user privileges, users with this role can manage scanners, agents, and exclusions. |
| Administrator | 64 | Users with this role have the same privileges as the standard user but can also manage users, groups, agents, asset data exports, vulnerability data exports, exclusions, system target groups, user target groups, access groups, and scanners. Additionally, administrators can view scans created by all users. |
Custom Roles
Custom roles are a custom set of privileges that allow you to tailor user privileges and access to resources on your Tenable Vulnerability Management instance that are specific to your organization's needs. For more information about custom roles, see Custom Roles in the Tenable Vulnerability Management User Guide.
When you create a custom role, you can add all or some of the following privileges:
Vulnerability Management
| Entity | Action | Role Privilege String |
|---|---|---|
| Dashboard | Manage | TIO_BACKEND.DASHBOARD.MANAGE |
| Dashboard | Share | TIO_BACKEND.DASHBOARD.SHARE |
| Export | Manage Own | TIO_BACKEND.EXPORT.MANAGE_OWN |
| Export | Manage All | TIO_BACKEND.EXPORT.MANAGE_ALL |
| Recast/Accept Rule | Read | TIO_BACKEND.RECAST_RULE.READ |
| Recast/Accept Rule | Manage | TIO_BACKEND.RECAST_RULE.MANAGE |
| Nessus/Agent Scan | Read | IO.SCAN_VM.READ |
| Nessus/Agent Scan | Manage | IO.SCAN_VM.MANAGE |
| Nessus/Agent Scan | Submit PCI | IO.SCAN_VM.SUBMIT_PCI |
| Scan Exclusion | Read | IO.SCAN_CREDENTIAL.READ |
| Scan Exclusion | Manage | IO.SCAN_EXCLUSION.MANAGE |
| Tenable-provided Scan Template | Use | IO.SCAN_SYSTEM_TEMPLATE.USE |
| User-defined Scan Template | Read | IO.SCAN_USER_TEMPLATE.READ |
| User-defined Scan Template | Manage | IO.SCAN_USER_TEMPLATE.MANAGE |
| Managed Credential | Read | IO.SCAN_CREDENTIAL.READ |
| Managed Credential | Manage | IO.SCAN_CREDENTIAL.MANAGE |
| Target Group | Read | IO.SCAN_TARGET_GROUP.READ |
| Target Group | Manage | IO.SCAN_TARGET_GROUP.MANAGE |
Web App Scanning
| Entity | Action | Role Privilege String |
|---|---|---|
| Web Application Scan | Read | WAS.SCAN_WAS.READ |
| Web Application Scan | Manage | WAS.SCAN_WAS.MANAGE |
| Web Application Scan | Import | WAS.SCAN_WAS.IMPORT |
| Web Application Scan | Submit PCI | WAS.SCAN_WAS.SUBMIT_PCI |
| Tenable-provided Scan Template | Use | WAS.SCAN_WAS_SYSTEM_TEMPLATE.USE |
| User-defined Scan Template | Read | WAS.SCAN_WAS_USER_TEMPLATE.READ |
| User-defined Scan Template | Manage | WAS.SCAN_WAS_USER_TEMPLATE.MANAGE |
| Managed Credential | Read | WAS.SCAN_WAS_USER_TEMPLATE.READ |
| Managed Credential | Manage | WAS.SCAN_CREDENTIAL.MANAGE |
| Recast/Accept Rule | Read | WAS.RECAST_RULE.READ |
| Recast/Accept Rule | Manage | WAS.RECAST_RULE.MANAGE |
Updated about 1 month ago