Create and Add a Permission Configuration

Required User Role: Administrator

When you create a permission configuration in Tenable MSSP, you can apply that configuration to one or several users or groups.

Before you begin:

  • Create a user or group for your Tenable MSSP account.

  • Create an account group for which you want to create a permission.

  • Ensure you enable the enforcement of permissions through Access Control. For more information, see Enforce Access Control Permissions.

To create and add a permission configuration to a user or group:

  1. In the upper-left corner, click the Menu button.

    The left navigation plane appears.

  2. Click Settings.

    The Settings page appears.

  3. Click the Access Control tile.

    The Access Control page appears. On this page, you can control user and group access to resources in your Tenable MSSP account.

  4. Click the Permissions tab.

    The Permissions tab appears with a table that lists all the permission configurations on your Tenable MSSP instance.

  5. At the top of the table, click Create Permission.

    The Create Permission window appears.

  6. In the Permission Name box, type a name for the permission configuration.

  7. (Optional) In the Users drop-down box, select one or several users.

    Note: Although the Users box is optional, you cannot save the permission configuration unless at least one user or user group is selected.

  8. (Optional) In the Groups drop-down box, select one or several user groups.

    Note: Although the Groups box is optional, you cannot save the permission configuration unless you select at least one user or user group.

    Note: You can select All Users in the Groups drop-down box to assign the permission configuration to all users on your Tenable MSSP instance. However, Tenable recommends that you use caution when assigning the permission configuration to all users because doing so goes against security best practices.

  9. In the Permissions drop-down box, select one or several permissions. Available permissions are: Can View, Can Edit, Can Impersonate Admin, Can Impersonate Scan Manager, and Can Impersonate Scan Operator.

  10. In the Objects drop-down box, select one or several objects to which to apply the permission configuration. For Tenable MSSP, the objects are accounts and account groups.

    Tip: Selecting the All Accounts object to apply permissions to all current and future accounts allows you to skip manual selection of individual accounts.

  11. Click Save.

    A confirmation message appears.

    Tenable MSSP saves your changes. The permission configuration appears on the Permissions tab.

    Note: A user with the Can Impersonate Admin, Can Impersonate Scan Manager, or Can Impersonate Scan Operator permission can log in to an associated child account as an administrator, Scan Manager, or Scan Operator. When the user with this permission tries to log in to the associated account, they get the following options on the Choose SAML details dialog box:

    • Login as Admin

    • Login as Scan Operator

    • Login as Scan Manager

      Selecting the relevant option allows the user to sign in as an administrator, Scan Manager, or Scan Operator.