Users

The Users section is used to define Users, Roles, and Groups. If an option is not present, the most likely reason is that the logged in user does not have the appropriate permission to utilize the feature.

Users

Organizational users can be added, edited, viewed, and deleted by selecting Users from the drop-down menu in the Users tab. The username, group, role, title, and last login of each user are displayed.

Add User

Clicking on Add displays a screen configuration dialog with the following options:

User Basic Options

Option Description

First Name

The given first name for the user being created

Last Name

The given last name for the user being created

Type – TNS

Username

This is the name the user will use to log in to SecurityCenter. When selecting this account name, it is sometimes easier to focus on the person’s real name as a convention (e.g., Bob Smirth would become bsmirth). However, it may also be useful to assign names based on role, such as “auditNY”.

Password / Confirm Password

Login password

Tip: It is recommended to use passwords that are at least eight characters in length and include a combination of lower and upper-case letters along with non-alphabetic characters.

User Must Change Password

When enabled, the user must change their password on the next successful login.

Type – LDAP

Search String

This is the LDAP search string to use to narrow down user searches. Proper format is: “attribute=<filter text>”. Wildcards are permitted and the field accepts up to 1024 characters.

For example:

sAMAccountName=*

mail=a*

displayName=C*

User

List of available LDAP user accounts.

Username

Username for the user that is selected from the list of users above.

Membership

Role

The role assigned to the user. The default roles that may be used during user creation include:

  • Auditor
  • Credential Manager
  • Executive
  • No Role
  • Security Analyst
  • Security Manager
  • Vulnerability Analyst

A user may only create new users with permissions that the creating user currently has. For example, if a user has the “Auditor” role, they can only create new users with the “Auditor” or lesser role.

Group

This option assigns the user to a designated group. The group determines which SecurityCenter resources the user is granted rights to.

Group Permissions

All Groups

This sets the default permissions the user gets assigned when added to a new group.

If both Manage Objects and Manage Users are enabled, the user will have those permissions for all subsequent groups to which they are assigned.

If one or both are disabled, each subsequent group will be added by default with those permissions and the permissions may be modified on a group-by-group basis.

Responsibility

Asset

Optionally assigns a user to an asset list for which the user is responsible. This makes it easier to determine who in a group or Organization should be assigned tickets, notifications, and similar items to resolve particular issues. Selecting an asset will update the User Responsibility Summary in the Vulnerability Analysis section.

Contact Information

Title, Address Information, Email, Phone

Contact information for the user can be entered here.

View

Clicking on the View option from the gear icon menu displays a summary of the user’s information, such as name, role, last login, repositories, and defined assets. When viewing a user the Options menu in the top right allows switching to the user edit window or deleting the user (as long as it is a different user, i.e., you cannot delete your own user while logged in).

Edit

Clicking on the Edit option from the gear icon menu allows editing of any information described in the previous section after the user has been created. Additionally, the user’s account may be locked or unlocked from the edit screen’s Basic tab.

Delete

Clicking on the Delete option from the gear icon menu displays a window asking to confirm the deletion of the user. Organization objects assigned to the user will be deleted permanently. All objects (scans, reports, etc.) associated with the user will be deleted.

Roles

Note: Custom roles can be edited by the administrator and Security Manager users.

Roles determine what a user can or cannot do when they access their account and are configurable to a great degree. SecurityCenter comes with a variety of pre-defined roles; however, custom roles may be created by the Security Manager user to facilitate organizations with complex security policy needs. In keeping with the SecurityCenter convention, role assignments are hierarchical. Users may only create new users with roles that have the same permissions or a subset of permissions of their current Role. For example, if a user has a custom role with View Vulnerability Data enabled and “Update Plugins” disabled, they can only create users with View Vulnerability Data enabled.

Available pre-defined roles include:

  • No Role
  • Security Manager
  • Security Analyst
  • Vulnerability Analyst
  • Executive
  • Credential Manager
  • Auditor

These roles are static and cannot be modified. An administrator is an account that has management responsibility over the console. The primary task of the administrator is to correctly install and configure each organization. In addition, the administrator adds components to SecurityCenter such as PVS, LCE, and Nessus to extend its capability. The administrator is automatically assigned the Manage Application permission.

A Security Manager is the account within an organization that has a broad range of security roles. This is the role assigned to the initial user that is created when a new organization is created. They have the ability to launch scans, configure users (except for administrator user roles), vulnerability policies, and other objects belonging to their organization. Each organization has a Security Manager account that cannot be deleted without deleting the entire Organization.

Additional users may be created and assigned one of the default roles or a custom role. Viewing the details of the roles describes the purpose of the role, the number of users assigned to the role, and the permissions granted.

Add Role

Note: Only the administrator and Security Manager users can add new roles. Other user roles do not have this privilege.

A powerful feature of SecurityCenter is the ability to add new roles. These custom roles can be configured and fine-tuned to match the duties to be performed by users who are assigned them. When you click Add Role, the Add Role page appears.

The following table details the items that can be specified and configured when adding a Role.

Option Description

General

Name

Custom role name

Description

Custom role description

Scan Permissions

Create Scans

Allows user to create policy-based scans. Disabling Create Policies while enabling this permission allows you to lock the user into a specific set of policies for scanning.

Create Audit Files

Allows user to upload audit files, which can be used for configuration audit scans.

Create Policies

Allows user to set scan parameters and select plugins for scanning

Upload Nessus Scan Results

Allows user to import results from an external Nessus scanner. Result upload will be limited to user’s repositories and restricted by user’s IP ranges.

Manage Blackout Windows

Allows user to add, edit, and delete organization-wide blackout windows. Blackout Windows prevent scans from launching and stop any scans in progress.

Asset Permissions

Create LDAP Query Assets

Allows user to create LDAP Query Assets, which update a list of hosts based on a user-defined LDAP query.

Analysis Permissions

Accept Risks

Allows user to accept risks for vulnerabilities, which removes them from the default view for analysis, dashboards, and reports.

Recast Risks

Allows user to change the severity for vulnerabilities.

Organizational Permissions

Share Objects Between Groups

Allows user to share assets, audit files, credentials, queries, and policies with any group. Users in groups to which these objects have been shared will be able to use them for filtering and scan creation.

View Organization Logs

Allows user to view logs for entire organization.

User Permissions

Manage Roles

Allows user to create new roles and edit and delete organizational roles. Any roles added must have permissions equal to or lesser than the user’s role.

Manage Groups

Allows user to add, edit, and delete groups. Users with this permission are allowed to create groups with access to any vulnerability and event data available to the organization.

Manage Group Relationships

Allows user to set other users’ relationships with any other groups. Group relationships allow for a user to view and manage objects and users in other groups.

Report Permissions

Manage Images

Allows user to upload images, which can be used in reports by anyone in the organization.

Manage Attribute Sets

Allows user to add, edit, and delete attribute sets.

System Permissions

Update Feeds

Allows user to request a plugin update or a SecurityCenter feed update.

Workflow Permissions

Create Alerts

Allows user to create alerts which are used to trigger actions (e.g., launch scans, run reports, send emails) when specified vulnerability or event conditions occur.

Create Tickets

Allows user to create tickets, which are typically used to delegate work to other users.
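
The delegation rule stated under Roles and in the Manage Roles row above (a new role may hold only permissions equal to or lesser than its creator's) can be expressed as a set check. This is an added example, not SecurityCenter code: the role names, data model, and function names are hypothetical, and only the permission names come from this page. It goes one step beyond the page by also auditing existing roles for permissions their creator's role does not hold.

```python
# Added example, not SecurityCenter code. Permission names come from the
# Add Role table; role names and the data model are hypothetical.

# Constructed sample roles: name -> set of enabled permissions
ROLES = {
    "team-lead":  {"Manage Roles", "Create Scans", "Create Tickets", "Accept Risks"},
    "scanner":    {"Create Scans"},
    "risk-owner": {"Accept Risks", "Recast Risks"},
    "helpdesk":   {"Create Tickets"},
}
# Constructed record of which role's holder created each custom role
CREATED_BY = {"scanner": "team-lead", "risk-owner": "team-lead"}


def check_role_request(creator_perms, requested_perms):
    """Return the reasons a new-role request must be refused (empty = allowed)."""
    reasons = []
    # Creating roles at all requires the Manage Roles permission.
    if "Manage Roles" not in creator_perms:
        reasons.append("creator lacks Manage Roles")
    # The new role must be equal to or a subset of the creator's permissions.
    excess = set(requested_perms) - set(creator_perms)
    if excess:
        reasons.append("not held by creator: " + ", ".join(sorted(excess)))
    return reasons


def audit_roles(roles, created_by):
    """Map each role to the permissions it holds that its creator's role does not."""
    findings = {}
    for child, parent in created_by.items():
        excess = roles[child] - roles[parent]
        if excess:
            findings[child] = sorted(excess)
    return findings


if __name__ == "__main__":
    print(check_role_request(ROLES["team-lead"], {"Create Scans"}))
    print(check_role_request(ROLES["helpdesk"], {"Create Tickets"}))
    print(audit_roles(ROLES, CREATED_BY))
```
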

Edit

Clicking on the Edit option from the gear icon menu allows you to change any of the information for any custom role that has been created.

Detail

Clicking on the Detail option from the gear icon menu displays a summary of the role, such as name, description, number of users and permissions.

Delete

Clicking on the Delete option from the gear icon menu displays a window asking if you really want to delete the role and then deletes it after confirmation.

Note: Deleting a role will cause all users with that role to lose all assigned permissions.

Groups

Access to security data (repositories and LCEs intersected with defining assets) is controlled through a group hierarchy. User access to security data is granted based on the user’s group membership. Users will be able to automatically use Policies, Assets, and other objects created by others in the same group with the appropriate permissions. The group-based model allows for more flexibility in user management, object management, and visibility into running scans and reports. Utilizing groups in SecurityCenter makes it quicker and simpler to create, maintain, and assign resources to multiple users.

The table on the Groups page displays the name of each group, the number of users in the group, and the last time the group was modified. From this page, groups may be added and, from the gear icon menu, edited, viewed in detail, and deleted by users with the appropriate permissions.

Add Group

The following table describes the fields available from the Add Group page when adding (or editing) a group.

Add Group

Option Description

General

Basic

Name

Allows the creation of a name for the group

Description

A text field used to create a description of what the group is used for, such as the security team at the central office, the executives on the east coast, and other desired information.

Access

Viewable IPs

Assigns the IP addresses that are viewable by the group. The selection is made by all defined assets or the selection of one or more asset lists.

Repositories

Makes one or more repositories available to the group

LCEs

Assigns one or more LCEs to the group

Share to Group

Available Objects

Select from the list of available objects to be shared with the group on creation or edit in a bulk operation.

Edit

Clicking on the Edit option from the gear icon menu allows you to change any of the information for any custom group that has been created.

Detail

Clicking on the Detail option from the gear icon menu displays a summary of the group, such as name, description, assigned LCEs, available repositories, viewable IP addresses, and users assigned to the group.

Delete

Clicking on the Delete option from the gear icon menu displays a window asking if you really want to delete the group, and then deletes it after confirmation.

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.