TOC & Recently Viewed

Recently Viewed Topics

Permissions

Tenable.io uses the following permissions types:

User Roles

Tip: To determine user permissions for the current user, see Determine Current User Permissions.

Name Value Description
Basic 16 Users with this role can only view scan results and manage their user profile.
Scan Operator 24

In addition to basic user privileges, users with this role can use existing scan policies that were created by a standard user or higher. They can also analyze scan results and create user target groups.

Standard 32 In addition to basic user privileges, users with this role can create policies to be used with scans.
Scan Manager 40

In addition to standard user privileges, users with this role can manage scanners, agents, and exclusions.

Administrator 64

In addition to scan manager privileges, users with this role have all permissions, are responsible for setting up the Tenable.io account, and know the organization's architecture. They can create groups to organize different business units, and add and manage users on the account. In the API, administrators can view scans created by all users.

Scan Roles

Name Value Description
No Access 0 Users assigned this permission for a scan cannot view, control, or configure the scan. As a result, the scan does not appear for the user in the Tenable.io user interface, and the user cannot access the scan using the scans API.
Can View 16

Users assigned this permission can view the results of the scan. As a result, the scan appears for the user in the Tenable.io user interface, and the user can access the scan using the scans API.

Can Control 32

Users assigned this permission can launch, pause, and stop a scan, in addition to performing any tasks allowed by Can View.

Can Configure 64

Users assigned this permission can modify any setting for the scan except scan ownership, in addition to performing any tasks allowed by Can Control.

Owner 128 The user assigned this permission owns the scan. The owner can modify any setting for the scan, including scan ownership.

Policy Roles

Name Value Description
No Access 0 Users assigned this permission cannot view or use the policy. As a result, this policy does not appear for the user in the Tenable.io user interface, and the user cannot access the policy using the policies API.
Can Use 16 Users assigned this permission can view the policy and use it to create scans.
Can Edit 32 Users assigned this permission can modify any setting for the policy except permissions, in addition to performing any tasks allowed by Can Use.
Can Configure 64

Users assigned this permission can modify any setting for the policy except policy ownership, in addition to performing any tasks allowed by Can Edit.

Scanner Roles

Name Value Description
No Access 0 Users assigned this permission cannot use the scanner. As a result, this scanner does not appear for the user in the Tenable.io user interface, and the user cannot access the scanner using the scanners API.
Can Use 16 Users assigned this permission can use the scanner.
Can Manage 64 Users assigned this permission can manage the scanner.

Agent Roles

Name Value Description
No Access 0 Users assigned this permission cannot use the agent group in agent scans. As a result, this agent group does not appear for the user in the Tenable.io user interface, and the user cannot access the agent group using the agent-groups API.
Can Use 16 Users assigned this permission can use the agent group in agent scans.

Target Group (System Roles)

Note: System target groups allow you to control which hosts a user can scan. By default, all users can scan all hosts. You can restrict this by removing scan permissions on the default target group and creating additional target groups with more granular permissions.

Name Value Description
No Access 0 Users assigned this permission cannot scan hosts in the system target group or use hosts in the system target group to filter dashboards.
Can Use 32 Users assigned this permission can use hosts in the system target group to filter dashboards.
Can Scan 64 Users assigned this permission can scan hosts in the system target group.

Target Group (User Roles)

Note: User target groups do not grant scan permissions. Instead, user target groups provide more granular filtering on the hosts permitted to you in system target groups. You can use these lists when filtering dashboards or configuring scans.

Name Value Description
No Access 0 Users assigned this permission cannot configure scans for hosts in the user target group or use hosts in the user target group to filter dashboards.
Can Use 32 Users assigned this permission can use hosts in the user target groups to filter dashboards and configure scans.
Can Change 64 Users assigned this permission can modify the user target group.

Copyright © 2019 Tenable, Inc. All rights reserved. Tenable, Tenable.io, Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc.. Tenable.sc, Lumin, Assure, and the Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.