Role-based Access Control (RBAC)

Note: At this time, RBAC capability is limited in scope and available exclusively for the TPM On-Prem offering. Full RBAC capabilities for both TPM On-Prem and TPM SaaS are currently on the product roadmap and are projected to be delivered during the first half of 2026.

Role-based access control (RBAC) allows your organization to manage who has access to resources in TPM, what resources they have access to, and what they can do with these resources. You can use built-in roles and/or create custom roles to meet your organization’s needs.

RBAC allows you to:

  • Assign permissions to specific job functions like operations

  • Maintain data protection and regulatory compliance

  • Protect sensitive data with the principle of least privilege

  • Create branch office administrators for specific business units

Explore the Security Roles

  • Log in to the Tenable Admin Portal.

  • Click the gear icon > Settings > Security > Roles.

  • On the Roles page, select the Patch Enterprise Roles folder.

Built-in Roles

There are 4 built-in roles for Tenable Patch Management. These roles cover the most common use cases, though custom roles can be added as needed. These roles are created automatically when you add a Tenable Patch Management license.

Patch Enterprise Super Administrator: This role gives users full permission to TPM. This role is typically your IT solutions administrator.

Patch Enterprise Architect: This role is focused on design, architecture, and implementation of the patching solution. For example, the architect can configure custom integrations but can't submit patches to a strategy.

  • Full permission on all intent schema objects

  • Read permission on all Flex Controls

  • Full permission on Integrations

  • Read permission on all dashboards

Patch Enterprise Operator: This role is focused on the day-to-day running of the patching solution. For example, the operator can submit patches to a patching strategy. This role is typically your day-to-day IT Operations staff.

  • Read permission for all intent schema objects

  • Full permissions for Flex Controls

  • Read permissions to all patching dashboards

  • Additional permissions:


Patch Enterprise Reviewer: This role is focused on observing the patching solution without access to any controls. For example, the reviewer can view patching strategies but can’t submit patches to a strategy.

  • Read permission to all intent schema objects

  • Read permission to Flex Controls

  • Permission for all patching dashboards

Branch Administrator Role

Tenable Patch Management allows you to create a branch administrator role that has full permission to TPM, but scoped to one or more specific Business Units. The branch administrator has full control of all components within the scope of their business unit, but no class-level permissions on objects outside of that scope. This branch administrator role is created dynamically in the Business Unit settings.

Patch Enterprise Branch Administrator: This role gives users full permission to all TPM components, scoped to one or more business units. For example, a Seattle HQ branch administrator can create a patching strategy for the Seattle HQ business unit, but not for any other business unit.

View a Role and Assign Members To It

You can view the permissions and membership of a role in the role details.

  • Select a Patch Enterprise role to open the properties page. You can view the role assignments and permissions details for the role.

  • Under Direct Administrators, click Browse and select a user to associate with this role and click OK.

  • Click Save.

Create a Custom Role

You can create a custom role in the Role security settings.

  • On the Security page, click Roles and select the Patch Enterprise Roles folder.

  • Click the ellipsis next to Patch Enterprise Reviewer and click Save As.

  • Name your new role (ex. IT Security Analyst) and click Save As.

  • On the detail page for the role, scroll down to Permissions.

  • Click Create New Permissions.

  • Next to Class, click Browse.

  • On the Class Permission Definition page, search for OIDC, and select OidcProvider.

  • Click OK.

  • On the Class Level Permissions page, under Permissions, configure the following:

    • Read: Allow

    • Export: Allow

  • Click Save.

Audit Role Permission with Permissions Viewer

You can use Permissions Viewer to see the permissions scope for any role or user you configure.

  • Click the gear icon > Settings > Security > Permissions Viewer.

  • Next to Role, click Browse.

  • Select a role (ex. IT Security Analyst) and click OK.

  • Under Object Scope, type OIDC and then select OidcProvider. In the Resultant Permissions pane, you can see the permissions this role has on the PatchingStrategy class.

Role Permission Details

The following specialty permissions and flex control permissions were created to enable role-based access control.

Specialty permissions

To enable role-based access control, new specialty permissions were created for the highest-level components in TPM:

  • Strategy: submit patches to a strategy, view/manage pause/resume operations, view/manage patching cycles, add/remove patches to cycle, scan for patches, reset deployment failures.

  • Deployment Channel: pause/resume operations, view/manage cycles, add/remove patches to cycle.

  • Business Unit: add to deployment waves, add to bot runtime, view dashboards, pause/resume operations, view/manage rollback, view/manage patch exceptions, view/manage rollout cycles, add/remove patches to cycle, scan for patches, reset deployment failures.

  • Deployment Waves: add to patching strategy, add to deployment channel

Flex control permissions

  • Pause/resume: View pause/resume operations, Manage pause/resume operations

  • Rollback: view and manage rollback operations

  • Patching exceptions: View and manage patching exception operations

  • Patching cycles: View and manage patching cycles, add/remove patches to/from patching cycles

  • Deployment channel cycles: View and manage deployment channel cycles, add/remove patches to/from deployment channel cycles

  • Business unit rollout cycles: View and manage business unit rollout cycles, add/remove patches to/from business unit rollout cycles

  • Patches: scan for patches, reset deployment failures for patches

If an administrator has been granted any of these permissions, they can perform the corresponding operations on any object of that class unless the permission is scoped to a specific object (for example, a business unit).
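To make the scoping rule concrete, here is an added example (not Tenable's code, and not how TPM evaluates permissions internally) that models class-level grants versus grants scoped to a business unit, as described for the Branch Administrator role and in the sentence above. The role names follow the page; the action name "SubmitPatches", the business unit names and the grant layout are constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Set

# Constructed model: a grant is either class-level (scope=None, applies to
# every object of that class) or object-scoped (scope=<business unit name>,
# applies only to objects inside that business unit). Only "Allow" grants
# are modelled; a real Deny rule would need explicit precedence handling.
@dataclass(frozen=True)
class Grant:
    cls: str                     # e.g. "PatchingStrategy", "OidcProvider"
    action: str                  # e.g. "Read", "Export", "SubmitPatches"
    scope: Optional[str] = None  # None = class-level, else business unit

@dataclass(frozen=True)
class Role:
    name: str
    grants: FrozenSet[Grant]

@dataclass(frozen=True)
class Obj:
    cls: str
    business_unit: str

def allowed(role: Role, obj: Obj, action: str) -> bool:
    """True if any grant matches the class and action and is either
    class-level or scoped to the object's own business unit."""
    return any(
        g.cls == obj.cls and g.action == action
        and (g.scope is None or g.scope == obj.business_unit)
        for g in role.grants
    )

def resultant_permissions(role: Role, cls: str, business_unit: str) -> Set[str]:
    """Permissions Viewer-style summary: actions the role ends up with on a
    class when looking at objects in the given business unit."""
    return {g.action for g in role.grants
            if g.cls == cls and (g.scope is None or g.scope == business_unit)}

# Constructed sample roles.
REVIEWER = Role("Patch Enterprise Reviewer",
                frozenset({Grant("PatchingStrategy", "Read")}))
SEATTLE_BRANCH_ADMIN = Role("Seattle HQ Branch Administrator", frozenset({
    Grant("PatchingStrategy", "Read", "Seattle HQ"),
    Grant("PatchingStrategy", "SubmitPatches", "Seattle HQ"),
}))
# The custom role from the walkthrough: Reviewer plus Read/Export on OidcProvider.
IT_SECURITY_ANALYST = Role("IT Security Analyst", frozenset(
    REVIEWER.grants | {Grant("OidcProvider", "Read"), Grant("OidcProvider", "Export")}))
```

The unscoped Reviewer can read strategies in every business unit, while the Seattle HQ branch administrator can submit patches only to strategies in Seattle HQ.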