This page describes the role models used by Tenable products to control access to API endpoints:
Tenable Vulnerability Management and Tenable Web App Scanning use the following role types:
User roles are predefined sets of Tenable-provided privileges. For more information about user roles, see Tenable-Provided Roles and Privileges in the Tenable Vulnerability Management User Guide.
👍 To determine user permissions for the current user, use the GET /users/{user_id} endpoint.
| Name | Value | Description |
|---|---|---|
| Read-Only | 0 | Users with this role can view information without being able to make changes, run scans, or manage settings. This role is often assigned to auditors, compliance officers, or executives who need visibility into vulnerability data without risk of accidental modifications. |
| Basic | 16 | Users with this role can view scan results and manage their user profile. |
| Scan Operator | 24 | In addition to basic user privileges, users with this role can create and run scans based on scan templates (policies) that were created by a standard user or higher. They can also analyze scan results. |
| Standard | 32 | Users with this role can create scans, scan templates (policies), and user target groups. |
| Scan Manager | 40 | In addition to standard user privileges, users with this role can manage scanners, agents, and exclusions. |
| Administrator | 64 | Users with this role have the same privileges as the standard user but can also manage users, groups, agents, asset data exports, vulnerability data exports, exclusions, system target groups, user target groups, access groups, and scanners. Additionally, administrators can view scans created by all users. |
Custom roles are sets of privileges that you define to tailor user privileges and access to resources on your Tenable Vulnerability Management instance to your organization's needs. For more information about custom roles, see Custom Roles in the Tenable Vulnerability Management User Guide.
When you create a custom role, you can add all or some of the following privileges:
📘 To use any Vulnerability Management custom role privilege, you must also have the VM.TOGGLE_VM.USE privilege. To use any Sensors privilege, you must also have the VM.VM_SENSOR.TOGGLE_VM_SENSOR.USE privilege.
| Action | Role Privilege String |
|---|---|
| Read | VM.VM_DASHBOARD.VM_DASHBOARD.READ |
| Create | VM.VM_DASHBOARD.VM_DASHBOARD.CREATE |
| Delete | VM.VM_DASHBOARD.VM_DASHBOARD.DELETE |
| Edit | VM.VM_DASHBOARD.VM_DASHBOARD.EDIT |
| Export | VM.VM_DASHBOARD.VM_DASHBOARD.EXPORT |
| Share | VM.VM_DASHBOARD.VM_DASHBOARD.SHARE |

| Action | Role Privilege String |
|---|---|
| Read | VM.VM_EXPLORE.VM_EXPLORE.READ |
| Delete | VM.VM_EXPLORE.VM_EXPLORE.DELETE |
| Edit ACR | VM.VM_EXPLORE.VM_EXPLORE.EDIT_ACR |
| Export | VM.VM_EXPLORE.VM_EXPLORE.EXPORT |

| Action | Role Privilege String |
|---|---|
| Read | VM.VM_EXPORT.VM_EXPORT.READ |
| Delete | VM.VM_EXPORT.VM_EXPORT.DELETE |
| Enable/Disable | VM.VM_EXPORT.VM_EXPORT.DISABLE |
| Edit | VM.VM_EXPORT.VM_EXPORT.EDIT |

| Action | Role Privilege String |
|---|---|
| Read | VM.VM_ER.VM_ER.READ |
| Create | VM.VM_ER.VM_ER.CREATE |
| Delete | VM.VM_ER.VM_ER.DELETE |
| Edit | VM.VM_ER.VM_ER.EDIT |
| Export | VM.VM_ER.VM_ER.EXPORT |

| Action | Role Privilege String |
|---|---|
| Read | VM.VM_RECAST.VM_RECAST.READ |
| Create | VM.VM_RECAST.VM_RECAST.CREATE |
| Delete | VM.VM_RECAST.VM_RECAST.DELETE |
| Enable/Disable | VM.VM_RECAST.VM_RECAST.DISABLE |
| Edit | VM.VM_RECAST.VM_RECAST.EDIT |
| Export | VM.VM_RECAST.VM_RECAST.EXPORT |

| Action | Role Privilege String |
|---|---|
| Read | VM.VM_REMEDIATION.VM_REMEDIATION.READ |
| Create | VM.VM_REMEDIATION.VM_REMEDIATION.CREATE |
| Delete | VM.VM_REMEDIATION.VM_REMEDIATION.DELETE |
| Edit | VM.VM_REMEDIATION.VM_REMEDIATION.EDIT |
| Export | VM.VM_REMEDIATION.VM_REMEDIATION.EXPORT |

| Action | Role Privilege String |
|---|---|
| Read | VM.VM_REPORT.VM_REPORT.READ |
| Create | VM.VM_REPORT.VM_REPORT.CREATE |
| Delete | VM.VM_REPORT.VM_REPORT.DELETE |
| Download | VM.VM_REPORT.VM_REPORT.DOWNLOAD |
| Edit | VM.VM_REPORT.VM_REPORT.EDIT |
| Generate | VM.VM_REPORT.VM_REPORT.GENERATE |
| Schedule | VM.VM_REPORT.VM_REPORT.SCHEDULE |
| Share | VM.VM_REPORT.VM_REPORT.SHARE |

| Type | Action | Role Privilege String |
|---|---|---|
| Managed Credential | Read | VM.VM_SCAN.VM_SCAN_MANAGED_CREDENTIAL.READ |
| Managed Credential | Create | VM.VM_SCAN.VM_SCAN_MANAGED_CREDENTIAL.CREATE |
| Managed Credential | Delete | VM.VM_SCAN.VM_SCAN_MANAGED_CREDENTIAL.DELETE |
| Managed Credential | Edit | VM.VM_SCAN.VM_SCAN_MANAGED_CREDENTIAL.EDIT |
| Managed Credential | Export | VM.VM_SCAN.VM_SCAN_MANAGED_CREDENTIAL.EXPORT |
| Nessus/Agent Scan | Read | VM.VM_SCAN.VM_SCAN.READ |
| Nessus/Agent Scan | Create | VM.VM_SCAN.VM_SCAN.CREATE |
| Nessus/Agent Scan | Delete | VM.VM_SCAN.VM_SCAN.DELETE |
| Nessus/Agent Scan | Edit | VM.VM_SCAN.VM_SCAN.EDIT |
| Nessus/Agent Scan | Export | VM.VM_SCAN.VM_SCAN.EXPORT |
| Nessus/Agent Scan | Launch | VM.VM_SCAN.VM_SCAN.LAUNCH |
| Nessus/Agent Scan | Submit PCI | VM.VM_SCAN.VM_SCAN.SUBMIT_PCI |
| Scan Exclusion | Read | VM.VM_SCAN.VM_SCAN_EXCLUSION.READ |
| Scan Exclusion | Create | VM.VM_SCAN.VM_SCAN_EXCLUSION.CREATE |
| Scan Exclusion | Delete | VM.VM_SCAN.VM_SCAN_EXCLUSION.DELETE |
| Scan Exclusion | Edit | VM.VM_SCAN.VM_SCAN_EXCLUSION.EDIT |
| Scan Exclusion | Export | VM.VM_SCAN.VM_SCAN_EXCLUSION.EXPORT |
| Shared Collections | Read | VM.VM_SCAN.VM_SCAN_SHARED_COLLECTION.READ |
| Shared Collections | Create | VM.VM_SCAN.VM_SCAN_SHARED_COLLECTION.CREATE |
| Shared Collections | Delete | VM.VM_SCAN.VM_SCAN_SHARED_COLLECTION.DELETE |
| Shared Collections | Edit | VM.VM_SCAN.VM_SCAN_SHARED_COLLECTION.EDIT |
| Tenable-provided Scan Template | Use | VM.VM_SCAN.VM_SCAN_TENABLE_TEMPLATE.READ |
| User-defined Scan Template | Read | VM.VM_SCAN.VM_SCAN_USER_TEMPLATE.READ |
| User-defined Scan Template | Create | VM.VM_SCAN.VM_SCAN_USER_TEMPLATE.CREATE |
| User-defined Scan Template | Delete | VM.VM_SCAN.VM_SCAN_USER_TEMPLATE.DELETE |
| User-defined Scan Template | Edit | VM.VM_SCAN.VM_SCAN_USER_TEMPLATE.EDIT |
| User-defined Scan Template | Export | VM.VM_SCAN.VM_SCAN_USER_TEMPLATE.EXPORT |

| Type | Action | Role Privilege String |
|---|---|---|
| Agent Group | Read | VM.VM_SENSOR.AGENT_GROUP.READ |
| Agent Group | Create | VM.VM_SENSOR.AGENT_GROUP.CREATE |
| Agent Group | Delete | VM.VM_SENSOR.AGENT_GROUP.DELETE |
| Agent Group | Edit | VM.VM_SENSOR.AGENT_GROUP.EDIT |
| Linking Key | Read | VM.VM_SENSOR.LINKING_KEY.READ |
| Linking Key | Create | VM.VM_SENSOR.LINKING_KEY.CREATE |
| Nessus Agent | Read | VM.VM_SENSOR.VM_AGENT.READ |
| Nessus Agent | Delete | VM.VM_SENSOR.VM_AGENT.DELETE |
| Nessus Agent | Edit | VM.VM_SENSOR.VM_AGENT.EDIT |
| Nessus Agent | Export | VM.VM_SENSOR.VM_AGENT.EXPORT |
| Nessus Network Monitor | Read | VM.VM_SENSOR.VM_NETWORK_MONITOR.READ |
| Nessus Network Monitor | Delete | VM.VM_SENSOR.VM_NETWORK_MONITOR.DELETE |
| Nessus Network Monitor | Edit | VM.VM_SENSOR.VM_NETWORK_MONITOR.EDIT |
| Nessus Network Monitor | Export | VM.VM_SENSOR.VM_NETWORK_MONITOR.EXPORT |
| Nessus Scanner | Read | VM.VM_SENSOR.VM_SCANNER.READ |
| Nessus Scanner | Delete | VM.VM_SENSOR.VM_SCANNER.DELETE |
| Nessus Scanner | Edit | VM.VM_SENSOR.VM_SCANNER.EDIT |
| Nessus Scanner | Export | VM.VM_SENSOR.VM_SCANNER.EXPORT |
| Network | Read | VM.VM_SENSOR.NETWORK.READ |
| Network | Create | VM.VM_SENSOR.NETWORK.CREATE |
| Network | Delete | VM.VM_SENSOR.NETWORK.DELETE |
| Network | Edit | VM.VM_SENSOR.NETWORK.EDIT |
| Network | Export | VM.VM_SENSOR.NETWORK.EXPORT |
| Scanner Group | Read | VM.VM_SENSOR.SCANNER_GROUP.READ |
| Scanner Group | Create | VM.VM_SENSOR.SCANNER_GROUP.CREATE |
| Scanner Group | Delete | VM.VM_SENSOR.SCANNER_GROUP.DELETE |
| Scanner Group | Edit | VM.VM_SENSOR.SCANNER_GROUP.EDIT |
| Scanner Group | Export | VM.VM_SENSOR.SCANNER_GROUP.EXPORT |
| Web Application Scanner | Read | VM.VM_SENSOR.VM_WAS_SCANNER.READ |
| Web Application Scanner | Delete | VM.VM_SENSOR.VM_WAS_SCANNER.DELETE |
| Web Application Scanner | Edit | VM.VM_SENSOR.VM_WAS_SCANNER.EDIT |
| Web Application Scanner | Export | VM.VM_SENSOR.VM_WAS_SCANNER.EXPORT |

| Action | Role Privilege String |
|---|---|
| Read | IO.SCAN_TARGET_GROUP.READ |
| Manage | IO.SCAN_TARGET_GROUP.MANAGE |

| Action | Role Privilege String |
|---|---|
| Read | VM.VM_INTELLIGENCE.VM_INTELLIGENCE.READ |
| Export | VM.VM_INTELLIGENCE.VM_INTELLIGENCE.EXPORT |

| Entity | Action | Role Privilege String |
|---|---|---|
| Managed Credential | Read | WAS.SCAN_WAS_USER_TEMPLATE.READ |
| Managed Credential | Manage | WAS.SCAN_CREDENTIAL.MANAGE |
| Recast/Accept Rule | Read | WAS.RECAST_RULE.READ |
| Recast/Accept Rule | Manage | WAS.RECAST_RULE.MANAGE |
| Tenable-provided Scan Template | Use | WAS.SCAN_WAS_SYSTEM_TEMPLATE.USE |
| User-defined Scan Template | Read | WAS.SCAN_WAS_USER_TEMPLATE.READ |
| User-defined Scan Template | Manage | WAS.SCAN_WAS_USER_TEMPLATE.MANAGE |
| Web Application Scan | Read | WAS.SCAN_WAS.READ |
| Web Application Scan | Manage | WAS.SCAN_WAS.MANAGE |
| Web Application Scan | Import | WAS.SCAN_WAS.IMPORT |
| Web Application Scan | Submit PCI | WAS.SCAN_WAS.SUBMIT_PCI |
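
The toggle requirement stated in the note above the privilege tables is easy to miss when assembling a custom role by hand. The following is an added example, not Tenable code, that lints a list of privilege strings against that requirement and summarizes the granted actions per resource for review. It assumes privileges are classified by prefix (`VM.VM_SENSOR.` for Sensors, any other `VM.` for Vulnerability Management); `required_toggle`, `lint_role` and the sample role are hypothetical names and constructed data.

```python
from collections import defaultdict

VM_TOGGLE = "VM.TOGGLE_VM.USE"
SENSOR_TOGGLE = "VM.VM_SENSOR.TOGGLE_VM_SENSOR.USE"
TOGGLES = {VM_TOGGLE, SENSOR_TOGGLE}


def required_toggle(priv):
    """Return the toggle privilege that `priv` depends on, or None.

    Assumption: Sensors strings are checked against the Sensors toggle only,
    and every other VM.* string against the Vulnerability Management toggle.
    """
    if priv in TOGGLES:
        return None
    if priv.startswith("VM.VM_SENSOR."):
        return SENSOR_TOGGLE
    if priv.startswith("VM."):
        return VM_TOGGLE
    return None  # the page lists no toggle for IO.* and WAS.* strings


def lint_role(privileges):
    """Return (actions per resource, findings) for a custom role."""
    granted, findings = set(), []
    for raw in privileges:
        priv = raw.strip()
        parts = priv.split(".")
        if len(parts) < 3 or not all(parts):
            findings.append(f"malformed privilege string: {raw!r}")
            continue
        granted.add(priv)
    summary = defaultdict(set)
    for priv in sorted(granted):
        resource, action = priv.rsplit(".", 1)
        if priv not in TOGGLES:
            summary[resource].add(action)
        toggle = required_toggle(priv)
        if toggle and toggle not in granted:
            findings.append(f"{priv} is unusable without {toggle}")
    return dict(summary), findings


# Constructed sample role, not taken from a real tenant.
SAMPLE_ROLE = [
    "VM.TOGGLE_VM.USE",
    "VM.VM_SCAN.VM_SCAN.READ",
    "VM.VM_SCAN.VM_SCAN.LAUNCH",
    "VM.VM_SENSOR.VM_SCANNER.READ",  # Sensors toggle is missing
    "WAS.SCAN_WAS.READ",
    "VM..READ",                       # malformed on purpose
]
```
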
Tenable Enclave Security uses a separate, permission-based role model for Container Security that is independent of the Vulnerability Management and Web App Scanning role system described above.
Each Container Security role has a set of permissions that are enabled or disabled by default. Administrators can assign these roles to users to control access to Container Security features. Additionally, administrators can create custom roles and assign specific Container Security permissions to tailor access for their organization's needs. For more information about Container Security permissions, see Permissions.
The following table lists the default Container Security roles and their enabled permissions:
| Role | Manage Roles and Users | Manage Scanners | Schedule Scans | Export Data | Run Reports | View Application | Manage Policies | View Logs | Exposure Response Manager |
|---|---|---|---|---|---|---|---|---|---|
| Auditor | No | No | No | No | No | No | No | No | No |
| Container Security Administrator | Yes | No | No | No | No | No | No | Yes | No |
| Credential Manager | No | No | No | No | No | No | No | No | No |
| Executive | No | No | No | No | No | No | No | No | No |
| Exposure Response Manager | No | No | No | Yes | Yes | Yes | No | No | Yes |
| Security Analyst | No | No | No | Yes | Yes | Yes | No | No | Yes |
| Security Manager | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Vulnerability Analyst | No | No | No | No | No | No | No | No | No |