User Roles

Roles determine what a user can or cannot access from their account. Tenable Security Center comes with eight system-provided roles, but you can also create custom roles to satisfy complex security policy needs. You can customize the permissions on some, but not all, system-provided user roles.

You can create linked user accounts and linked non-admin user accounts to allow users to switch between accounts without logging out and logging back in to Tenable Security Center. For more information, see Linked User Accounts.

For more information about user roles in Tenable Security Center, see Create a User Role, Edit a User Role, View User Role Details, and Delete a User Role.

Roles

User Role Customizable Permissions? Description
Administrator No

An account that manages Tenable Security Center as a whole. The primary task of the Administrator is to install and configure each organization. In addition, the Administrator adds components to Tenable Security Center such as Tenable Nessus Network Monitor, Tenable Log Correlation Engine, and Tenable Nessus to extend its capabilities. The Administrator is automatically assigned the “Manage Application” role.

Because administrators do not belong to an organization, they do not have access to the data collected by Tenable Security Center.

Organizational User Roles
Security Manager No

An account that manages an individual organization. This is the role assigned to the initial user that is assigned when a new organization is created. They can launch scans, configure users (except for administrator user roles), vulnerability policies, and other objects belonging to their organization.

A Security Manager is the account within an organization that has a broad range of security roles within the defined organization. This is the initial user that is created when a new organization is created, and the user can launch scans, configure users (except for the Administrator user), vulnerability policies, and other objects that belong to their organization. This initial Security Manager account cannot be deleted without deleting the entire organization.

Security Managers have complete access to all data collected by their organization.

SM-Linked No A linked account that has the same abilities as a Security Manager, except an SM-Linked account cannot configure users.
Auditor Yes

An account that can access summary information to perform third-party audits. An Auditor can view dashboards, reports, and logs, but cannot perform scans or create tickets.

Credential Manager Yes

An account that can be used specifically for handling credentials. A Credential Manager can create and share credentials without revealing the contents of the credential. This can be used by someone outside the security team to keep scanning credentials up to date.

Executive Yes

An account intended for users who are interested in a high-level overview of their security posture and risk profile. Executives would most likely browse dashboards and review reports, but would not be concerned with monitoring running scans or managing users. Executives would also be able to assign tasks to other users using the ticketing interface.

Security Analyst Yes

An account that has permissions to perform all actions at the Organizational level except managing groups and users. A Security Analyst is most likely an advanced user who can be trusted with some system-related tasks such as setting freeze windows or updating plugins.

Vulnerability Analyst Yes

An account that can perform basic tasks within the application. A Vulnerability Analyst is allowed to view security data, perform scans, share objects, view logs, and work with tickets.

No Role No

An account with virtually no permissions. No Role is assigned to a user if their designated role is deleted.

Custom Role Yes A custom role that you create by enabling or disabling individual permissions.

Role Options

Permissions Option Description

General

Name

Custom role name

Description

Custom role description

Scanning Permissions

Create Scans

Allows the user to create policy-based scans. Disabling Create Policies while enabling this permission allows you to lock user into specific set of policies for scanning.

Create Plugin Scans (Appears when Create Scans is enabled) Allows the user to create single plugin remediation scans.
Create Agent Synchronization Jobs Allows the user to add agent synchronization jobs that fetch agent scan results from Tenable Vulnerability Management or Tenable Nessus Manager.
Create Agent Scans Allows the user to add agent scans that create and launch parallel scans in Tenable Nessus Manager, then import the scan results to Tenable Security Center.

Create Audit Files

Allows the user to upload audit files, which can be used for configuration audit scans.

Create Policies

Allows the user to set scan parameters and select plugins for scanning.

Upload Nessus Scan Results

Allows the user to import results from an external Nessus scanner. Result upload will be limited to user’s repositories and restricted by user’s IP address ranges.

Manage Freeze Windows

Allows the user to add, edit, and delete organization-wide freeze windows. Freeze windows prevent scans from launching and stop any scans in progress.

Asset Permissions

Create LDAP Query Assets

Allows the user to create LDAP Query Assets, which update a list of hosts based on a user-defined LDAP query.

Analysis Permissions

Accept Risks

Allows the user to accept risks for vulnerabilities, which removes them from the default view for analysis, dashboards, and reports.

Recast Risks

Allows the user to change the severity for vulnerabilities.

Manage Risks (Appears when Accept Risks or Recast Risks is enabled) Allows the user to modify accept and recast risk rules created by other users.

Organizational Permissions

Share Objects Between Groups

Allows the user to share assets, audit files, credentials, queries, and policies with any group. Users in groups to which these objects have been shared can use the objects for filtering and scan creation.

View Organization Logs

Allows the user to view logs for entire organization.

User Permissions

Manage Roles

Allows the user to create new roles and edit and delete organizational roles. Any roles added must have permissions equal to or lesser than the user’s role.

Manage Groups

Allows the user to add, edit, and delete groups. Users with this permission are allowed to create groups with access to any vulnerability and event data available to the organization.

Manage Group Relationships

Allows the user to set other user’s relationship with any other groups. Group relationships allow for a user to view and manage objects and users in other groups.

Report Permissions

Manage Images

Allows the user to upload images, so anyone in the organization can use the images in reports.

Manage Attribute Sets

Allows the user to add, edit, and delete attribute sets.

System Permissions

Update Feeds

Allows the user to request a plugin update or a Tenable Security Center feed update.

Workflow Permissions

Create Alerts

Allows the user to create alerts which are used to trigger actions (e.g., launch scans, run reports, send emails) when specified vulnerability or event conditions occur.

Create Tickets

Allows the user to create tickets, which are typically used to delegate work to other users.

Attack Surface Discovery Permissions
Manage Attack Surface Discovery Domains Allows the user to manage Attack Surface Discovery Domains.
View Domain Inventory Assets Allows the user to view domain inventory assets.
Host Assets Permissions
View Host Assets Allows the user to view host assets.