User Roles
Roles determine what a user can or cannot access from their account. Tenable Security Center comes with eight system-provided roles, but you can also create custom roles to satisfy complex security policy needs. You can customize the permissions on some, but not all, system-provided user roles.
You can create linked user accounts and linked non-admin user accounts to allow users to switch between accounts without logging out and logging back in to Tenable Security Center. For more information, see Linked User Accounts.
For more information about user roles in Tenable Security Center, see Create a User Role, Edit a User Role, View User Role Details, and Delete a User Role.
Roles
User Role | Customizable Permissions? | Description |
---|---|---|
Administrator | No |
An account that manages Tenable Security Center as a whole. The primary task of the Administrator is to install and configure each organization. Because administrators do not belong to an organization, they do not have access to the data collected by Tenable Security Center. |
Organizational User Roles | ||
Security Manager | No |
An account that manages an individual organization. This is the role assigned to the initial user that is assigned when a new organization is created. They can launch scans, configure users (except for administrator user roles), vulnerability policies, and other objects belonging to their organization. A Security Manager is the account within an organization that has a broad range of security roles within the defined organization. This is the initial user that is created when a new organization is created, and the user can launch scans, configure users (except for the Administrator user), vulnerability policies, and other objects that belong to their organization. This initial Security Manager account cannot be deleted without deleting the entire organization. Security Managers have complete access to all data collected by their organization. |
SM-Linked | No | A linked account that has the same abilities as a Security Manager, except an SM-Linked account cannot configure users. |
Auditor | Yes |
An account that can access summary information to perform third-party audits. An Auditor can view dashboards, reports, and logs, but cannot perform scans or create tickets. |
Credential Manager | Yes |
An account that can be used specifically for handling credentials. A Credential Manager can create and share credentials without revealing the contents of the credential. This can be used by someone outside the security team to keep scanning credentials up to date. |
Executive | Yes |
An account intended for users who are interested in a high-level overview of their security posture and risk profile. Executives would most likely browse dashboards and review reports, but would not be concerned with monitoring running scans or managing users. Executives would also be able to assign tasks to other users using the ticketing interface. |
Security Analyst | Yes |
An account that has permissions to perform all actions at the Organizational level except managing groups and users. A Security Analyst is most likely an advanced user who can be trusted with some system-related tasks such as setting freeze windows or updating plugins. |
Vulnerability Analyst | Yes |
An account that can perform basic tasks within the application. A Vulnerability Analyst is allowed to view security data, perform scans, share objects, view logs, and work with tickets. |
No Role | No |
An account with virtually no permissions. No Role is assigned to a user if their designated role is deleted. |
Custom Role | Yes | A custom role that you create by enabling or disabling individual permissions. |
Permissions Option | Description |
---|---|
General |
|
Name |
Custom role name |
Description |
Custom role description |
Scanning Permissions |
|
Create Scans |
Allows the user to create policy-based scans. Disabling Create Policies while enabling this permission allows you to lock user into specific set of policies for scanning. |
Create Plugin Scans | (Appears when Create Scans is enabled) Allows the user to create single plugin remediation scans. |
Create Agent Synchronization Jobs | Allows the user to add agent synchronization jobs that fetch agent scan results from Tenable Vulnerability Management or Tenable Nessus Manager. |
Create Agent Scans | Allows the user to add agent scans that create and launch parallel scans in Tenable Nessus Manager, then import the scan results to Tenable Security Center. |
Create Audit Files |
Allows the user to upload audit files, which can be used for configuration audit scans. |
Create Policies |
Allows the user to set scan parameters and select plugins for scanning. |
Upload Nessus Scan Results |
Allows the user to import results from an external Nessus scanner. Result upload will be limited to user’s repositories and restricted by user’s IP address ranges. |
Manage Freeze Windows |
Allows the user to add, edit, and delete organization-wide freeze windows. Freeze windows prevent scans from launching and stop any scans in progress. |
Asset Permissions |
|
Create LDAP Query Assets |
Allows the user to create LDAP Query Assets, which update a list of hosts based on a user-defined LDAP query. |
Analysis Permissions |
|
Accept Risks |
Allows the user to accept risks for vulnerabilities, which removes them from the default view for analysis, dashboards, and reports. |
Recast Risks |
Allows the user to change the severity for vulnerabilities. |
Organizational Permissions |
|
Share Objects Between Groups |
Allows the user to share assets, audit files, credentials, queries, and policies with any group. Users in groups to which these objects have been shared can use the objects for filtering and scan creation. |
View Organization Logs |
Allows the user to view logs for entire organization. |
User Permissions |
|
Manage Roles |
Allows the user to create new roles and edit and delete organizational roles. Any roles added must have permissions equal to or lesser than the user’s role. |
Manage Groups |
Allows the user to add, edit, and delete groups. Users with this permission are allowed to create groups with access to any vulnerability and event data available to the organization. |
Manage Group Relationships |
Allows the user to set other user’s relationship with any other groups. Group relationships allow for a user to view and manage objects and users in other groups. |
Report Permissions |
|
Manage Images |
Allows the user to upload images, so anyone in the organization can use the images in reports. |
Manage Attribute Sets |
Allows the user to add, edit, and delete attribute sets. |
System Permissions |
|
Update Feeds |
Allows the user to request a plugin update or a Tenable Security Center feed update. |
Workflow Permissions |
|
Create Alerts |
Allows the user to create alerts which are used to trigger actions (e.g., launch scans, run reports, send emails) when specified vulnerability or event conditions occur. |
Create Tickets |
Allows the user to create tickets, which are typically used to delegate work to other users. |
Attack Surface Discovery Permissions | |
Manage Attack Surface Discovery Domains | Allows the user to manage Attack Surface Discovery Domains. |
View Domain Inventory Assets | Allows the user to view domain inventory assets. |
Host Assets Permissions | |
View Host Assets | Allows the user to view host assets. |