Create Branch Office Admin

Note: At this time, RBAC capability is limited in scope and available exclusively for the TPM On-Prem offering. Full RBAC capabilities for both TPM On-Prem and TPM SaaS are currently on the product roadmap and are projected to be delivered during the first half of 2026.

You can create a branch administrator role that has permissions scoped to one or more specific Business Units. A user with this role has full control over components within the scope of their Business Unit, but no class-level permissions on objects outside of that scope. The Branch Administrator role is created dynamically from a Business Unit by an administrator.

  • Patch Enterprise Branch Administrator: this role gives users full permission to Tenable Patch Management, scoped to one or more Business Units. For example, a Seattle HQ branch administrator can create a patching strategy for the Seattle HQ Business Unit, but not for any other Business Unit.

Create a branch administrator role

Complete the following to create a new branch administrator role.

  1. In the left-hand navigation pane, click Asset Management > Business Units.

  2. Next to your Business Unit, click the ellipsis (...) and then click Create Branch Administrator.

  3. On the Create Branch Administrator page, give the account a name.

  4. The Business Unit is scoped to your previous selection.

  5. Click OK.

  6. Click Settings > Security > Roles, and on that page click the Branch Administrator Roles folder.

    The new branch administrator role is created in the Branch Administrator Roles folder, under Patch Enterprise Roles.

    The role has no class-level permissions for features in Tenable Patch Management. All permissions for the role are scoped to a folder under the intent objects.

  7. Select the new branch administrator role to open the properties page.

  8. Under Direct Administrators, click Browse, select a user to associate with this role, and click OK.

  9. Click Save.

View components scoped to the branch administrator

Administrators with the branch administrator role will have full access only to objects scoped to their role. These objects are all organized in a folder for each Patch feature. For example, view the dedicated folder for the branch admin role in Patching Strategies.

  1. In the left-hand navigation pane, click Strategies.

  2. Under Patching Strategies is a new folder named Branch : %role name% : PatchingStrategy.

The branch administrator will only have full access to the patching strategies in this folder.

View the branch admin permissions in Permissions Viewer

You can view the limited scope of a branch administrator's permissions using the Permissions Viewer.

  1. Click Settings > Security > Permissions Viewer.

  2. Next to Role, click Browse.

  3. Select the branch administrator role and click OK.

  4. Under Object Scope, type and then select PatchingStrategy.

  5. In the Resultant Permissions pane, you can see that the branch administrator role does not have permissions on the PatchingStrategy class.

  6. Next to Folder, click Browse.

  7. Select the folder named Branch : %role name% : PatchingStrategy and click OK.

In the Resultant Permissions pane, you can see that the branch administrator has full permissions on the PatchingStrategy class within the scope of the folder.