TOC & Recently Viewed

Recently Viewed Topics

User Roles

To access the Roles page, click Users > Roles.

Roles determine what a user can or cannot access from their account. comes with eight system-provided roles, but you can also create custom roles to satisfy complex security policy needs. You can customize the permissions on some, but not all, system-provided user roles.

For more information, see Create a User Role, Edit a User Role, and Delete a User Role.

User Role Customizable Permissions? Description
Administrator No

An account that manages as a whole. The primary task of the Administrator is to install and configure each organization. In addition, the Administrator adds components to such as NNM, LCE, and Nessus to extend its capabilities. The Administrator is automatically assigned the “Manage Application” role.

Because administrators do not belong to an organization, they do not have access to the data collected by

Organizational User Roles
Security Manager No

An account that manages an individual organization. This is the role assigned to the initial user that is assigned when a new organization is created. They have the ability to launch scans, configure users (except for administrator user roles), vulnerability policies, and other objects belonging to their organization.

A Security Manager is the account within an organization that has a broad range of security roles within the defined organization. This is the initial user that is created when a new organization is created and has the ability to launch scans, configure users (except for the Administrator user), vulnerability policies, and other objects that belong to their organization. This initial Security Manager account cannot be deleted without deleting the entire organization.

Security Managers have complete access to all data collected by their organization.

Auditor Yes

An account that can access summary information to perform third party audits. An Auditor can view dashboards, reports, and logs, but cannot perform scans or analyze vulnerability or event data.

Credential Manager Yes

An account that can be used specifically for handling credentials. A Credential Manager can create and share credentials without revealing the contents of the credential. This can be used by someone outside the security team to keep scanning credentials up to date.

Executive Yes

An account intended for users who are interested in a high-level overview of their security posture and risk profile. Executives would most likely browse dashboards and review reports, but would not be concerned with monitoring running scans or managing users. Executives would also be able to assign tasks to other users using the ticketing interface.

Security Analyst Yes

An account that has permissions to perform all actions at the Organizational level except managing groups and users. A Security Analyst is most likely an advanced user who can be trusted with some system related tasks such as setting blackout windows or updating plugins.

Vulnerability Analyst Yes

An account that can perform basic tasks within the application. A Vulnerability Analyst is allowed to view security data, perform scans, share objects, view logs, and work with tickets.

No Role No

An account with virtually no permissions. No Role is assigned to a user if their designated role is deleted.

Custom Role Yes A custom role that you create by enabling or disabling individual permissions.

See the following table for more information about other user role options.

Permissions Option Description



Custom role name


Custom role description

Scan Permissions

Create Scans

Allows user to create policy-based scans. Disabling Create Policies while enabling this permission allows you to lock user into specific set of policies for scanning.

Create Audit Files

Allows user to upload audit files, which can be used for configuration audit scans.

Create Policies

Allows user to set scan parameters and select plugins for scanning

Upload Nessus Scan Results

Allows user to import results from an external Nessus scanner. Result upload will be limited to user’s repositories and restricted by user’s IP address ranges.

Manage Blackout Windows

Allows user to add, edit, and delete organization-wide blackout windows. Blackout windows prevent scans from launching and stop any scans in progress.

Asset Permissions

Create LDAP Query Assets

Allows user to create LDAP Query Assets, which update a list of hosts based on a user-defined LDAP query.

Analysis Permissions

Accept Risks

Allows user to accept risks for vulnerabilities, which removes them from the default view for analysis, dashboards, and reports.

Recast Risks

Allows user to change the severity for vulnerabilities.

Organizational Permissions

Share Objects Between Groups

Allows user to share assets, audit files, credentials, queries, and policies with any group. Users in groups to which these objects have been shared will be able to use them for filtering and scan creation.

View Organization Logs

Allows user to view logs for entire organization.

User Permissions

Manage Roles

Allows user to create new roles and edit and delete organizational roles. Any roles added must have permissions equal to or lesser than the user’s role.

Manage Groups

Allows user to add, edit, and delete groups. Users with this permission are allowed to create groups with access to any vulnerability and event data available to the organization.

Manage Group Relationships

Allows user to set other user’s relationship with any other groups. Group relationships allow for a user to view and manage objects and users in other groups.

Report Permissions

Manage Images

Allows user to upload images, which can be used in reports by anyone in the organization.

Manage Attribute Sets

Allows user to add, edit, and delete attribute sets.

System Permissions

Update Feeds

Allows user to request a plugin update or a feed update.

Workflow Permissions

Create Alerts

Allows user to create alerts which are used to trigger actions (e.g., launch scans, run reports, send emails) when specified vulnerability or event conditions occur.

Create Tickets

Allows user to create tickets, which are typically used to delegate work to other users.

Copyright © 2019 Tenable, Inc. All rights reserved. Tenable,, Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc.., Lumin, Assure, and the Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.