Roles

This page describes the role models used by Tenable products to control access to API endpoints:


Vulnerability Management and Web App Scanning Roles

Tenable Vulnerability Management and Tenable Web App Scanning use the following role types:

User Roles

User roles are predefined sets of privileges provided by Tenable. For more information about user roles, see Tenable-Provided Roles and Privileges in the Tenable Vulnerability Management User Guide.

Tip: To determine user permissions for the current user, use the GET /users/{user_id} endpoint.

| Name | Value | Description |
|---|---|---|
| Read-Only | 0 | Users with this role can view information without being able to make changes, run scans, or manage settings. This role is often assigned to auditors, compliance officers, or executives who need visibility into vulnerability data without risk of accidental modifications. |
| Basic | 16 | Users with this role can view scan results and manage their user profile. |
| Scan Operator | 24 | In addition to basic user privileges, users with this role can create and run scans based on scan templates (policies) that were created by a standard user or higher. They can also analyze scan results. |
| Standard | 32 | Users with this role can create scans, scan templates (policies), and user target groups. |
| Scan Manager | 40 | In addition to standard user privileges, users with this role can manage scanners, agents, and exclusions. |
| Administrator | 64 | Users with this role have the same privileges as the standard user but can also manage users, groups, agents, asset data exports, vulnerability data exports, exclusions, system target groups, user target groups, access groups, and scanners. Additionally, administrators can view scans created by all users. |

Custom Roles

Custom roles are sets of privileges that you define to tailor user privileges and access to resources on your Tenable Vulnerability Management instance to your organization's needs. For more information about custom roles, see Custom Roles in the Tenable Vulnerability Management User Guide.

When you create a custom role, you can add all or some of the following privileges:

Vulnerability Management

Note: To use any Vulnerability Management custom role privilege, you must also have the VM.TOGGLE_VM.USE privilege. To use any Sensors privilege, you must also have the VM.VM_SENSOR.TOGGLE_VM_SENSOR.USE privilege.

Dashboards

| Action | Role Privilege String |
|---|---|
| Read | VM.VM_DASHBOARD.VM_DASHBOARD.READ |
| Create | VM.VM_DASHBOARD.VM_DASHBOARD.CREATE |
| Delete | VM.VM_DASHBOARD.VM_DASHBOARD.DELETE |
| Edit | VM.VM_DASHBOARD.VM_DASHBOARD.EDIT |
| Export | VM.VM_DASHBOARD.VM_DASHBOARD.EXPORT |
| Share | VM.VM_DASHBOARD.VM_DASHBOARD.SHARE |

Explore

| Action | Role Privilege String |
|---|---|
| Read | VM.VM_EXPLORE.VM_EXPLORE.READ |
| Delete | VM.VM_EXPLORE.VM_EXPLORE.DELETE |
| Edit ACR | VM.VM_EXPLORE.VM_EXPLORE.EDIT_ACR |
| Export | VM.VM_EXPLORE.VM_EXPLORE.EXPORT |

Exports

| Action | Role Privilege String |
|---|---|
| Read | VM.VM_EXPORT.VM_EXPORT.READ |
| Delete | VM.VM_EXPORT.VM_EXPORT.DELETE |
| Enable/Disable | VM.VM_EXPORT.VM_EXPORT.DISABLE |
| Edit | VM.VM_EXPORT.VM_EXPORT.EDIT |

Exposure Response

| Action | Role Privilege String |
|---|---|
| Read | VM.VM_ER.VM_ER.READ |
| Create | VM.VM_ER.VM_ER.CREATE |
| Delete | VM.VM_ER.VM_ER.DELETE |
| Edit | VM.VM_ER.VM_ER.EDIT |
| Export | VM.VM_ER.VM_ER.EXPORT |

Recast/Accept Rules

| Action | Role Privilege String |
|---|---|
| Read | VM.VM_RECAST.VM_RECAST.READ |
| Create | VM.VM_RECAST.VM_RECAST.CREATE |
| Delete | VM.VM_RECAST.VM_RECAST.DELETE |
| Enable/Disable | VM.VM_RECAST.VM_RECAST.DISABLE |
| Edit | VM.VM_RECAST.VM_RECAST.EDIT |
| Export | VM.VM_RECAST.VM_RECAST.EXPORT |

Remediation

| Action | Role Privilege String |
|---|---|
| Read | VM.VM_REMEDIATION.VM_REMEDIATION.READ |
| Create | VM.VM_REMEDIATION.VM_REMEDIATION.CREATE |
| Delete | VM.VM_REMEDIATION.VM_REMEDIATION.DELETE |
| Edit | VM.VM_REMEDIATION.VM_REMEDIATION.EDIT |
| Export | VM.VM_REMEDIATION.VM_REMEDIATION.EXPORT |

Reports

| Action | Role Privilege String |
|---|---|
| Read | VM.VM_REPORT.VM_REPORT.READ |
| Create | VM.VM_REPORT.VM_REPORT.CREATE |
| Delete | VM.VM_REPORT.VM_REPORT.DELETE |
| Download | VM.VM_REPORT.VM_REPORT.DOWNLOAD |
| Edit | VM.VM_REPORT.VM_REPORT.EDIT |
| Generate | VM.VM_REPORT.VM_REPORT.GENERATE |
| Schedule | VM.VM_REPORT.VM_REPORT.SCHEDULE |
| Share | VM.VM_REPORT.VM_REPORT.SHARE |

Scans

| Type | Action | Role Privilege String |
|---|---|---|
| Managed Credential | Read | VM.VM_SCAN.VM_SCAN_MANAGED_CREDENTIAL.READ |
| Managed Credential | Create | VM.VM_SCAN.VM_SCAN_MANAGED_CREDENTIAL.CREATE |
| Managed Credential | Delete | VM.VM_SCAN.VM_SCAN_MANAGED_CREDENTIAL.DELETE |
| Managed Credential | Edit | VM.VM_SCAN.VM_SCAN_MANAGED_CREDENTIAL.EDIT |
| Managed Credential | Export | VM.VM_SCAN.VM_SCAN_MANAGED_CREDENTIAL.EXPORT |
| Nessus/Agent Scan | Read | VM.VM_SCAN.VM_SCAN.READ |
| Nessus/Agent Scan | Create | VM.VM_SCAN.VM_SCAN.CREATE |
| Nessus/Agent Scan | Delete | VM.VM_SCAN.VM_SCAN.DELETE |
| Nessus/Agent Scan | Edit | VM.VM_SCAN.VM_SCAN.EDIT |
| Nessus/Agent Scan | Export | VM.VM_SCAN.VM_SCAN.EXPORT |
| Nessus/Agent Scan | Launch | VM.VM_SCAN.VM_SCAN.LAUNCH |
| Nessus/Agent Scan | Submit PCI | VM.VM_SCAN.VM_SCAN.SUBMIT_PCI |
| Scan Exclusion | Read | VM.VM_SCAN.VM_SCAN_EXCLUSION.READ |
| Scan Exclusion | Create | VM.VM_SCAN.VM_SCAN_EXCLUSION.CREATE |
| Scan Exclusion | Delete | VM.VM_SCAN.VM_SCAN_EXCLUSION.DELETE |
| Scan Exclusion | Edit | VM.VM_SCAN.VM_SCAN_EXCLUSION.EDIT |
| Scan Exclusion | Export | VM.VM_SCAN.VM_SCAN_EXCLUSION.EXPORT |
| Shared Collections | Read | VM.VM_SCAN.VM_SCAN_SHARED_COLLECTION.READ |
| Shared Collections | Create | VM.VM_SCAN.VM_SCAN_SHARED_COLLECTION.CREATE |
| Shared Collections | Delete | VM.VM_SCAN.VM_SCAN_SHARED_COLLECTION.DELETE |
| Shared Collections | Edit | VM.VM_SCAN.VM_SCAN_SHARED_COLLECTION.EDIT |
| Tenable-provided Scan Template | Use | VM.VM_SCAN.VM_SCAN_TENABLE_TEMPLATE.READ |
| User-defined Scan Template | Read | VM.VM_SCAN.VM_SCAN_USER_TEMPLATE.READ |
| User-defined Scan Template | Create | VM.VM_SCAN.VM_SCAN_USER_TEMPLATE.CREATE |
| User-defined Scan Template | Delete | VM.VM_SCAN.VM_SCAN_USER_TEMPLATE.DELETE |
| User-defined Scan Template | Edit | VM.VM_SCAN.VM_SCAN_USER_TEMPLATE.EDIT |
| User-defined Scan Template | Export | VM.VM_SCAN.VM_SCAN_USER_TEMPLATE.EXPORT |

Sensors

| Type | Action | Role Privilege String |
|---|---|---|
| Agent Group | Read | VM.VM_SENSOR.AGENT_GROUP.READ |
| Agent Group | Create | VM.VM_SENSOR.AGENT_GROUP.CREATE |
| Agent Group | Delete | VM.VM_SENSOR.AGENT_GROUP.DELETE |
| Agent Group | Edit | VM.VM_SENSOR.AGENT_GROUP.EDIT |
| Linking Key | Read | VM.VM_SENSOR.LINKING_KEY.READ |
| Linking Key | Create | VM.VM_SENSOR.LINKING_KEY.CREATE |
| Nessus Agent | Read | VM.VM_SENSOR.VM_AGENT.READ |
| Nessus Agent | Delete | VM.VM_SENSOR.VM_AGENT.DELETE |
| Nessus Agent | Edit | VM.VM_SENSOR.VM_AGENT.EDIT |
| Nessus Agent | Export | VM.VM_SENSOR.VM_AGENT.EXPORT |
| Nessus Network Monitor | Read | VM.VM_SENSOR.VM_NETWORK_MONITOR.READ |
| Nessus Network Monitor | Delete | VM.VM_SENSOR.VM_NETWORK_MONITOR.DELETE |
| Nessus Network Monitor | Edit | VM.VM_SENSOR.VM_NETWORK_MONITOR.EDIT |
| Nessus Network Monitor | Export | VM.VM_SENSOR.VM_NETWORK_MONITOR.EXPORT |
| Nessus Scanner | Read | VM.VM_SENSOR.VM_SCANNER.READ |
| Nessus Scanner | Delete | VM.VM_SENSOR.VM_SCANNER.DELETE |
| Nessus Scanner | Edit | VM.VM_SENSOR.VM_SCANNER.EDIT |
| Nessus Scanner | Export | VM.VM_SENSOR.VM_SCANNER.EXPORT |
| Network | Read | VM.VM_SENSOR.NETWORK.READ |
| Network | Create | VM.VM_SENSOR.NETWORK.CREATE |
| Network | Delete | VM.VM_SENSOR.NETWORK.DELETE |
| Network | Edit | VM.VM_SENSOR.NETWORK.EDIT |
| Network | Export | VM.VM_SENSOR.NETWORK.EXPORT |
| Scanner Group | Read | VM.VM_SENSOR.SCANNER_GROUP.READ |
| Scanner Group | Create | VM.VM_SENSOR.SCANNER_GROUP.CREATE |
| Scanner Group | Delete | VM.VM_SENSOR.SCANNER_GROUP.DELETE |
| Scanner Group | Edit | VM.VM_SENSOR.SCANNER_GROUP.EDIT |
| Scanner Group | Export | VM.VM_SENSOR.SCANNER_GROUP.EXPORT |
| Web Application Scanner | Read | VM.VM_SENSOR.VM_WAS_SCANNER.READ |
| Web Application Scanner | Delete | VM.VM_SENSOR.VM_WAS_SCANNER.DELETE |
| Web Application Scanner | Edit | VM.VM_SENSOR.VM_WAS_SCANNER.EDIT |
| Web Application Scanner | Export | VM.VM_SENSOR.VM_WAS_SCANNER.EXPORT |

Target Groups

| Action | Role Privilege String |
|---|---|
| Read | IO.SCAN_TARGET_GROUP.READ |
| Manage | IO.SCAN_TARGET_GROUP.MANAGE |

Vulnerability Intelligence

| Action | Role Privilege String |
|---|---|
| Read | VM.VM_INTELLIGENCE.VM_INTELLIGENCE.READ |
| Export | VM.VM_INTELLIGENCE.VM_INTELLIGENCE.EXPORT |
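
The prerequisite rule in the Note above can be checked before a custom role is created. The following is an added example, not Tenable code: `lint_custom_role`, the finding codes, and the sample role names are hypothetical. It assumes that Vulnerability Management privileges are the strings listed under that heading (`VM.*` and `IO.SCAN_TARGET_GROUP.*`) and that Sensors privileges are those under `VM.VM_SENSOR.`.

```python
import re

# Prerequisite privileges named in the Note on this page.
VM_TOGGLE = "VM.TOGGLE_VM.USE"
SENSOR_TOGGLE = "VM.VM_SENSOR.TOGGLE_VM_SENSOR.USE"
TOGGLES = {VM_TOGGLE, SENSOR_TOGGLE}

# Assumption: privilege strings are 3 or 4 dot-separated upper-case tokens,
# which holds for every string listed on this page.
PRIV_RE = re.compile(r"[A-Z][A-Z0-9_]*(?:\.[A-Z][A-Z0-9_]*){2,3}")

# Assumption: "Vulnerability Management" privileges are the ones listed under
# that heading (VM.* plus IO.SCAN_TARGET_GROUP.*); Sensors ones are VM.VM_SENSOR.*.
VM_PREFIXES = ("VM.", "IO.SCAN_TARGET_GROUP.")
SENSOR_PREFIX = "VM.VM_SENSOR."


def lint_custom_role(privileges):
    """Return (code, privileges) findings for one custom role's privilege list."""
    privs = {p.strip() for p in privileges}
    malformed = sorted(p for p in privs if not PRIV_RE.fullmatch(p))
    valid = privs - set(malformed)
    dependents = valid - TOGGLES  # the toggles themselves need no prerequisite check
    vm = sorted(p for p in dependents if p.startswith(VM_PREFIXES))
    sensors = sorted(p for p in dependents if p.startswith(SENSOR_PREFIX))

    findings = []
    if malformed:
        findings.append(("MALFORMED", malformed))
    if vm and VM_TOGGLE not in valid:
        findings.append(("MISSING_VM_TOGGLE", vm))
    if sensors and SENSOR_TOGGLE not in valid:
        findings.append(("MISSING_SENSOR_TOGGLE", sensors))
    return findings


# Constructed role definitions: hypothetical role names, privilege strings from
# this page, plus one deliberately malformed (lower-case) string.
SAMPLE_ROLES = {
    "report-reader": ["VM.VM_REPORT.VM_REPORT.READ", "VM.VM_REPORT.VM_REPORT.DOWNLOAD"],
    "agent-operator": [VM_TOGGLE, "VM.VM_SENSOR.VM_AGENT.READ", "VM.VM_SENSOR.VM_AGENT.EDIT"],
    "was-viewer": ["WAS.SCAN_WAS.READ", "was.scan_was.manage"],
    "scan-launcher": [VM_TOGGLE, "VM.VM_SCAN.VM_SCAN.READ", "VM.VM_SCAN.VM_SCAN.LAUNCH"],
}

if __name__ == "__main__":
    for name, privs in SAMPLE_ROLES.items():
        for code, affected in lint_custom_role(privs):
            print(f"{name}: {code}: {', '.join(affected)}")
```

A role that carries Sensors privileges without `VM.TOGGLE_VM.USE` is reported under both missing-toggle codes, because the page lists Sensors under the Vulnerability Management heading.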

Web App Scanning

| Entity | Action | Role Privilege String |
|---|---|---|
| Managed Credential | Read | WAS.SCAN_WAS_USER_TEMPLATE.READ |
| Managed Credential | Manage | WAS.SCAN_CREDENTIAL.MANAGE |
| Recast/Accept Rule | Read | WAS.RECAST_RULE.READ |
| Recast/Accept Rule | Manage | WAS.RECAST_RULE.MANAGE |
| Tenable-provided Scan Template | Use | WAS.SCAN_WAS_SYSTEM_TEMPLATE.USE |
| User-defined Scan Template | Read | WAS.SCAN_WAS_USER_TEMPLATE.READ |
| User-defined Scan Template | Manage | WAS.SCAN_WAS_USER_TEMPLATE.MANAGE |
| Web Application Scan | Read | WAS.SCAN_WAS.READ |
| Web Application Scan | Manage | WAS.SCAN_WAS.MANAGE |
| Web Application Scan | Import | WAS.SCAN_WAS.IMPORT |
| Web Application Scan | Submit PCI | WAS.SCAN_WAS.SUBMIT_PCI |

Container Security Roles

Tenable Enclave Security uses a separate, permission-based role model for Container Security that is independent of the Vulnerability Management and Web App Scanning role system described above.

Each Container Security role has a set of permissions that are enabled or disabled by default. Administrators can assign these roles to users to control access to Container Security features. Additionally, administrators can create custom roles and assign specific Container Security permissions to tailor access for their organization's needs. For more information about Container Security permissions, see Permissions.

The following table lists the default Container Security roles and their enabled permissions:

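| Role | Manage Roles and Users | Manage Scanners | Schedule Scans | Export Data | Run Reports | View Application | Manage Policies | View Logs | Exposure Response Manager |
|---|---|---|---|---|---|---|---|---|---|
| Auditor | No | No | No | No | No | No | No | No | No |
| Container Security Administrator | Yes | No | No | No | No | No | No | Yes | No |
| Credential Manager | No | No | No | No | No | No | No | No | No |
| Executive | No | No | No | No | No | No | No | No | No |
| Exposure Response Manager | No | No | No | Yes | Yes | Yes | No | No | Yes |
| Security Analyst | No | No | No | Yes | Yes | Yes | No | No | Yes |
| Security Manager | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Vulnerability Analyst | No | No | No | No | No | No | No | No | No |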