Tenable Security Center API: Organization Security Manager

passwordSetDate

This endpoint should only be used by administrators and will only impact Security Managers in the Full Access Group.

/organization/{orgID}/securityManager

/organization/{orgUUID}/securityManager

Methods
GET

Retrieves all Security Managers in an Organization.

Fields Parameter
Expand

The fields parameter should be specified along the query string, and it takes the syntax

    ?fields=<field>,...

Allowed Fields

*id
*uuid
**firstname
**lastname
**status
role
username
title
email
address
city
state
country
phone
fax
createdTime
modifiedTime
lastLogin
lastLoginIP
mustChangePassword
passwordExpires
passwordExpiration
passwordExpirationOverride
passwordSetDate
locked
failedLogins
authType
fingerprint
password
description
managedUsersGroups
managedObjectsGroups
canUse
canManage
preferences 
responsibleAsset
group
ldapUsername
ldap
parent

Legend

* = always comes back
** = comes back if fields list not specified on GET all

redFont =  field is a JSON object e.g. "repository" :{ "id" : <id>, "name" : <name> } )

Request Parameters

None

Example Response
Expand
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
{
    "type" : "regular",
    "response" : [
        {
            "id" : "1",
            "status" : "0",
            "username" : "head",
            "ldapUsername" : "head",
            "firstname" : "",
            "lastname" : "",
            "title" : "",
            "email" : "",
            "address" : "",
            "city" : "",
            "state" : "",
            "country" : "",
            "phone" : "",
            "fax" : "",
            "createdTime" : "1433519288",
            "modifiedTime" : "1453477493",
            "lastLogin" : "1454347644",
            "lastLoginIP" : "172.26.0.0",
            "mustChangePassword" : "false",
            "passwordExpires": "true",
            "passwordExpiration": "90",
            "passwordExpirationOverride": "false",
            "passwordSetDate": "1433519288",
            "locked" : "false",
            "failedLogins" : "0",
            "authType" : "tns",
            "fingerprint" : null,
            "password" : "SET",
            "managedUsersGroups" : [
                {
                    "id" : "-1",
                    "name" : "All Groups",
                    "description" : "All Groups"                }
            ],
            "managedObjectsGroups" : [
                {
                    "id" : "-1",
                    "name" : "All Groups",
                    "description" : "All Groups"                }
            ],
            "preferences" : [
                {
                    "name" : "timezone",
                    "value" : "America/Nome",
                    "tag" : "system"                }
            ],
            "canUse" : true,
            "canManage" : true,
            "role" : {
                "id" : "2",
                "name" : "Security Manager",
                "description" : "The Security Manager role has full access to all actions at the organization level. A Security Manager has the ability to create new groups and manage existing ones. A Security Manager can also define how users interact with other groups.\n\nThe ability to manage other users and their objects can be configured using group permissions on the Access tab of User add/edit. This includes viewing and stopping running scans and reports."         },
            "responsibleAsset" : {
                "id" : "19",
                "name" : "Windows Hosts",
                "description" : "The operating system detected has Windows installed.\n\nThis will be helpful for those getting started with Tenable.sc.",
                "uuid" : "2DF066B8-F310-44BB-B6BE-BC6D5BDEE0AB"         },
            "group" : {
                "id" : "0",
                "name" : "Full Access",
                "description" : "Full Access group"         },
            "ldap" : {
                "id" : -1,
                "name" : "",
                "description" : ""          },
            "parent" : {
                "user" {
                    "id" : "1",
                    "username" : "admin",
                    "firstname" : "Jane",
                    "lastname" : "Doe",
                    "uuid" : "C7FBF99F-DA90-4E67-898F-9245CC21BDCB"             },
                "organization" : {
                    "id" : "0",
                    "name" : "Tenable.sc Administration",
                    "description" : ""              }
            },
            "uuid" : "48F26F3B-6A79-4153-96DB-4C63D1BF3D46"
        }
    ],
    "error_code" : 0,
    "error_msg" : "",
    "warnings" : [],
    "timestamp" : 1454349445
}
POST

Adds a Security Manager.

Request Parameters
Expand
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
{
    "roleID" : <number>,
    "username" : <string>,
    "firstname" : <string> DEFAULT "",
    "lastname" : <string> DEFAULT "",
    "title" : <string> DEFAULT "",
    "email" : <string> DEFAULT "" (required to be present and valid if emailNotice is not empty and is not "none"),
    "address" : <string> DEFAULT "",
    "city" : <string> DEFAULT "",
    "state" : <string> DEFAULT "",
    "country" : <string> DEFAULT "",
    "phone" : <string> DEFAULT "",
    "fax" : <string> DEFAULT "",
    "locked" : <string> "false" | "true" DEFAULT "false",
    "authType" : <string> "ldap" | "legacy" "saml" | "tns",
    "fingerprint" : <string> DEFAULT null,
    "mustChangePassword" : <string> "false" | "true" DEFAULT "false",
    "emailNotice" :  <string> "both" | "id" | "none" | "password" DEFAULT "",
    "responsibleAssetID" : <number> OR "responsibleAssetUUID" : <string>,
    "preferences" : [
        {
            "name" : <string>,
            "tag" : <string> DEFAULT "",
            "value" : <string>        }...
    ] DEFAULT [
        {
            "name" : "timezone",
            "tag" : "system",
            "value" : <string> (default timezone)
        }
    ]
}

authType "ldap"

Note: The "ldapUsername" attribute will be set to mirror the "username" attribute.

1
2
3
4
5
...
    "mustChangePassword" : <string> "false" DEFAULT "false",
    "ldap" : {
        "id" : <string>   }
...

authType "saml"

1
2
...
    "mustChangePassword" : <string> "false" DEFAULT "false"...

authType not "ldap" or "saml"

1
2
3
4
5
6
7
...
    "password" : <string> (must meet the requirements for configuration setting, "PasswordMinLength"),
    "mustChangePassword" : <string> "false" | "true" DEFAULT "false",  
    "passwordExpires" : <string> "false" | "true" DEFAULT "false",
    "passwordExpiration" : <number> (a number between 1 and 365) DEFAULT 90,
    "passwordExpirationOverride" : <string> "false" | "true" DEFAULT "false",  
...

authType "linked" or "linked_non_admin"

Note: If the authType is linked_non_admin, the roleID must be the SM-Linked roleID. 

1
2
3
4
...
    "parent" : {
        "id" : <number> DEFAULT "-1"  }
...

Session user's role can manage group relationships or Session user role "1" (Administrator)

1
2
3
4
5
6
7
8
9
10
...
    "managedUsersGroups" : [
        {
            "id" : <number>       }...
    ],
    "managedObjectsGroups" : [
        {
            "id" : <number>       }...
    ]
...

roleID not "1" (Administrator)

WARNING: The parameters in this section have been DEPRECATED as of Tenable.sc 5.11.0. Relying on their usage is highly discouraged. See /group::POST (createDefaultObjects parameter).

1
2
3
4
5
6
7
8
9
10
11
...
    "importReports" : <string> "false" | "true" DEFAULT <Target Group's createDefaultObjects setting> ,
    "importDashboards" : <string> "false" | "true" DEFAULT <Target Group's createDefaultObjects setting>,
    "importARCs" : <string> "false" | "true" DEFAULT <Target Group's createDefaultObjects setting>,
 
    "importDashboards" is "true"    ----------------------------
    "dashboardTemplate" : <string> (File path to template) DEFAULT <Default filepath>,
 
    "importARCs" is "true"  ----------------------
    "arcTemplate" : <string> (File path to template) DEFAULT <Default filepath>,
...
Example Response
Expand
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
{
    "type" : "regular",
    "response" : {
        "id" : "1",
        "status" : "0",
        "username" : "head",
        "ldapUsername" : "",
        "firstname" : "",
        "lastname" : "",
        "title" : "",
        "email" : "",
        "address" : "",
        "city" : "",
        "state" : "",
        "country" : "",
        "phone" : "",
        "fax" : "",
        "createdTime" : "1433519288",
        "modifiedTime" : "1453477493",
        "lastLogin" : "1454347644",
        "lastLoginIP" : "172.20.0.0",
        "mustChangePassword" : "false",
        "passwordExpires": "true",
        "passwordExpiration": "90",
        "passwordExpirationOverride": "false",
        "passwordSetDate": "1433519288",
           "locked" : "false",
        "failedLogins" : "0",
        "authType" : "tns",
        "fingerprint" : null,
        "password" : "SET",
        "managedUsersGroups" : [
            {
                "id" : "-1",
                "name" : "All Groups",
                "description" : "All Groups"            }
        ],
        "managedObjectsGroups" : [
            {
                "id" : "-1",
                "name" : "All Groups",
                "description" : "All Groups"            }
        ],
        "preferences" : [
            {
                "name" : "timezone",
                "value" : "America/Nome",
                "tag" : "system"            }
        ],
        "canUse" : true,
        "canManage" : true,
        "role" : {
            "id" : "2",
            "name" : "Security Manager",
            "description" : "The Security Manager role has full access to all actions at the organization level. A Security Manager has the ability to create new groups and manage existing ones. A Security Manager can also define how users interact with other groups.\n\nThe ability to manage other users and their objects can be configured using group permissions on the Access tab of User add/edit. This includes viewing and stopping running scans and reports."     },
        "responsibleAsset" : {
            "id" : "19",
            "name" : "Windows Hosts",
            "description" : "The operating system detected has Windows installed.\n\nThis will be helpful for those getting started with Tenable.sc.",
            "uuid" : "2DF066B8-F310-44BB-B6BE-BC6D5BDEE0AB"     },
        "group" : {
            "id" : "0",
            "name" : "Full Access",
            "description" : "Full Access group"     },
        "ldap" : {
            "id" : -1,
            "name" : "",
            "description" : ""      },
        "parent" : {
            "user" {
                "id" : "1",
                "username" : "admin",
                "firstname" : "Jane",
                "lastname" : "Doe",
                "uuid" : "C7FBF99F-DA90-4E67-898F-9245CC21BDCB"         },
            "organization" : {
                "id" : "0",
                "name" : "Tenable.sc Administration",
                "description" : ""          }
        },
        "uuid" : "48F26F3B-6A79-4153-96DB-4C63D1BF3D46"
    },
    "error_code" : 0,
    "error_msg" : "",
    "warnings" : [],
    "timestamp" : 1454349746
}

/organization/{orgID}/securityManager/{id}

/organization/{orgUUID}/securityManager/{uuid}

Methods
GET

Gets a specific Security Manager.

Fields Parameter
Expand

The fields parameter should be specified along the query string, and it takes the syntax

    ?fields=<field>,...

Allowed Fields

*id
*uuid
**firstname
**lastname
**status
role
username
title
email
address
city
state
country
phone
fax
createdTime
modifiedTime
lastLogin
lastLoginIP
mustChangePassword
passwordExpires
passwordExpiration
passwordExpirationOverride
passwordSetDate
locked
failedLogins
authType
fingerprint
password
description
managedUsersGroups
managedObjectsGroups
canUse
canManage
preferences 
responsibleAsset
group
ldap
ldapUsername
parent
linkedUserRole

Legend

* = always comes back
** = comes back if fields list not specified on GET all

redFont =  field is a JSON object e.g. "repository" :{ "id" : <id>, "name" : <name> } )

Request User Parameters

None

Example Response
Expand
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
{
    "type" : "regular",
    "response" : {
        "id" : "1",
        "status" : "0",
        "username" : "head",
        "ldapUsername" : "",
        "firstname" : "",
        "lastname" : "",
        "title" : "",
        "email" : "",
        "address" : "",
        "city" : "",
        "state" : "",
        "country" : "",
        "phone" : "",
        "fax" : "",
        "createdTime" : "1433519288",
        "modifiedTime" : "1453477493",
        "lastLogin" : "1454347644",
        "lastLoginIP" : "172.20.0.0",
        "mustChangePassword" : "false",
        "passwordExpires": "true",
        "passwordExpiration": "90",
        "passwordExpirationOverride": "false",
        "passwordSetDate": "1433519288",
        "locked" : "false",
        "failedLogins" : "0",
        "authType" : "tns",
        "fingerprint" : null,
        "password" : "SET",
        "managedUsersGroups" : [
            {
                "id" : "-1",
                "name" : "All Groups",
                "description" : "All Groups"            }
        ],
        "managedObjectsGroups" : [
            {
                "id" : "-1",
                "name" : "All Groups",
                "description" : "All Groups"            }
        ],
        "preferences" : [
            {
                "name" : "timezone",
                "value" : "America/Nome",
                "tag" : "system"            }
        ],
        "canUse" : true,
        "canManage" : true,
        "role" : {
            "id" : "2",
            "name" : "Security Manager",
            "description" : "The Security Manager role has full access to all actions at the organization level. A Security Manager has the ability to create new groups and manage existing ones. A Security Manager can also define how users interact with other groups.\n\nThe ability to manage other users and their objects can be configured using group permissions on the Access tab of User add/edit. This includes viewing and stopping running scans and reports."     },
        "responsibleAsset" : {
            "id" : "19",
            "name" : "Windows Hosts",
            "description" : "The operating system detected has Windows installed.\n\nThis will be helpful for those getting started with Tenable.sc.",
            "uuid" : "2DF066B8-F310-44BB-B6BE-BC6D5BDEE0AB"     },
        "group" : {
            "id" : "0",
            "name" : "Full Access",
            "description" : "Full Access group"     },
        "ldap" : {
            "id" : -1,
            "name" : "",
            "description" : ""      },
        "parent" : {
            "user" {
                "id" : "0",
                "username" : "admin",
                "firstname" : "Jane",
                "lastname" : "Doe",
                "uuid" : "C7FBF99F-DA90-4E67-898F-9245CC21BDCB"         }
            "organization" : {
                "id" : "0",
                "name" : "Tenable.sc Administration",
                "description" : ""          }
        },
        "linkedUserRole": {
            "id": "8",
            "name": "SM-Linked",
            "description": "description"        },
        "uuid" : "48F26F3B-6A79-4153-96DB-4C63D1BF3D46"
    },
    "error_code" : 0,
    "error_msg" : "",
    "warnings" : [],
    "timestamp" : 1454349746
}
PATCH

Edits the Security Manager associated with {id} or {uuid}.

If editing a linked user (a user whose authType = "linked" or authType = "linked_non_admin"), you cannot modify roleID, groupID, authType , parent, password, or mustChangePassword, passwordExpires, passwordExpirationOverride.

Request Parameters

(All fields are optional)

See /organization/{orgID}/securityManager::POST and /organization/{orgUUID}/securityManager::POST for parameters.

Example Response
See /organization/{orgID}/securityManager/{id}::GET and /organization/orgUUID/securityManager/{uuid}::GET.
DELETE

Deletes the Security Manager associated with {id} or {uuid}.

The objects owned by the user being deleted can be migrated to another user in the same organization by passing in the optional migrateUserID (or migrateUserUUID) parameter.

Request Parameters
Expand
1
2
3
{
    "migrateUserID": <number> OPTIONAL OR "migrateUserUUID": <number> OPTIONAL
}

Example Response

Expand
1
2
3
4
5
6
7
8
{
    "type" : "regular",
    "response" : "",
    "error_code" : 0,
    "error_msg" : "",
    "warnings" : [],
    "timestamp" : 1402436001
}