Target Groups

Note: System target view permissions have been migrated to access groups. Scan permissions are still managed by system target groups.

A target group allows you to set permissions on which hosts users can scan. By default, all users can scan all hosts.

You must grant at least one user the ability to run scans, either by changing the default target permissions or by granting individual users permissions within a target group.

Target Group Types
System

System target groups are used to set permissions on which hosts a user can scan. By default, all users can scan all hosts. You can restrict this by removing scan permissions on the default target group and creating additional target groups with more granular permissions.

Optionally, you can enable asset isolation to deactivate the default target group and control scanning permissions via individual system target group settings. For more information, see Enable or Disable Asset Isolation.

User

User target groups do not grant scan or view permissions. Instead, user target groups provide more granular filtering on the hosts permitted to you in system target groups. You can use these lists when filtering dashboards or configuring scans.

You can use target groups in scans based on the permissions assigned to the target group.

Target Group Settings

| Section | Setting | Description |
|---|---|---|
| General | Name | A name for the target group. |
| General | Targets | A comma-separated list of FQDNs, CIDR notation, or IP address ranges that you want to scan. |
| General | Upload Targets | A text file containing a comma-separated list of FQDNs or IP address ranges that you want to scan. The system adds the uploaded targets to the Targets box after you save the target group. |
| Permissions | Add users or groups | One or more existing user accounts that you want to grant permissions to scan the target group. Note: Target group permissions do not increase user role permissions (e.g., basic users cannot run scans). Consider a user's role when assigning them target group permissions. |
| Permissions | Default | The default permissions for user accounts not listed in the Add users or groups box. System target groups: No access, Can use, or Can scan. User target groups: No access, Can use, or Can change. For descriptions of the permissions, see the Target Group Permissions table. |

Target Group Permissions

| Target group type | Permission | Description |
|---|---|---|
| System target groups | No access | Users assigned this permission cannot scan hosts in the system target group or use hosts in the system target group to filter dashboards. |
| System target groups | Can use | Users assigned this permission can use hosts in the system target group to filter dashboards. |
| System target groups | Can scan | Users assigned this permission can scan hosts in the system target group. |
| User target groups | No access | Users assigned this permission cannot configure scans for hosts in the user target group or use hosts in the user target group to filter dashboards. |
| User target groups | Can use | Users assigned this permission can use hosts in the user target groups to filter dashboards and configure scans. |
| User target groups | Can scan | Users assigned this permission can modify the user target group. |

Note: For auditing cloud infrastructure, Tenable.io requires a target group with Can Scan permissions to be present on 127.0.0.1.

Asset Isolation

Occasionally, users may encounter an issue if:

  • Asset isolation is disabled.
  • The default target group has Can Use or lower permissions.
  • No target group has specifically allowed 127.0.0.1.

Not allowing scanning of 127.0.0.1 may prevent scans that use this loopback address as their target from running.

To fix the issue, do one of the following:

  • If asset isolation is disabled, and the default target group has Can Use or lower permissions, then elevate the permissions to Can Scan.
  • If asset isolation is enabled, then create a target group with Can Scan permissions to explicitly allow 127.0.0.1.
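
A pre-upload check for a Targets / Upload Targets list that also reports whether the list covers 127.0.0.1, as required above for cloud infrastructure audits. This is an added example, not Tenable code: it assumes IP ranges are written as start-end, and the function names and sample entries are constructed for illustration.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
LOOPBACK = ipaddress.ip_address("127.0.0.1")

def parse_target(entry):
    """Return ('cidr' | 'range' | 'fqdn', value); raise ValueError if malformed."""
    entry = entry.strip()
    if "/" in entry:
        return "cidr", ipaddress.ip_network(entry, strict=False)
    start, dash, end = entry.partition("-")  # assumed range syntax: start-end
    try:
        lo = ipaddress.ip_address(start.strip())
        hi = ipaddress.ip_address(end.strip()) if dash else lo
    except ValueError:
        lo = hi = None  # not an address or range; may still be a hostname
    if lo is not None:
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad range: {entry}")
        return "range", (lo, hi)
    labels = entry.rstrip(".").split(".")
    if len(labels) >= 2 and all(_LABEL.match(x) for x in labels) and not labels[-1].isdigit():
        return "fqdn", entry.lower()
    raise ValueError(f"unrecognised target: {entry}")

def check_targets(text):
    """Return (parsed, errors, covers_loopback) for a comma-separated target list."""
    parsed, errors, covers = [], [], False
    for raw in text.split(","):
        if not raw.strip():
            continue  # tolerate a trailing comma or blank entry
        try:
            kind, value = parse_target(raw)
        except ValueError as exc:
            errors.append(str(exc))
            continue
        parsed.append((kind, value))
        if kind == "cidr":
            covers |= LOOPBACK in value
        elif kind == "range" and value[0].version == 4:
            covers |= value[0] <= LOOPBACK <= value[1]
    return parsed, errors, covers

# Constructed sample list: one malformed range, loopback listed explicitly.
SAMPLE = ("192.0.2.0/24, 198.51.100.10-198.51.100.20, scanner-01.example.com, "
          "10.0.0.1-10.0.0.300, 127.0.0.1")
```
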

For more information on target groups, see the following topics:

Copyright © 2019 Tenable, Inc. All rights reserved. Tenable, Tenable.io, Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable.sc, Lumin, Assure, and the Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.