Organizations and Groups

An organization is a set of distinct users and groups and the resources they have available to them. These users are assigned repositories and zones within one or more specified IP address networks. Users refers to any non-administrator user account on Tenable Security Center Director. Groups refers to collections of users with the same permissions within an organization.

Organizations

An organization is a set of distinct users and groups and the resources (for example, scanners, repositories, and LDAP servers) they have available to them.

The organization is managed primarily by the administrator users and security manager users. The administrator user creates the organization and creates, assigns, and maintains the security manager user account. The security manager user (or any organizational user with appropriate permissions) creates other users within the organization. Groups allow you to manage users and share permissions to resources and objects among the group. For more information, see User Access.

Multiple organizations can share the same repositories, and the vulnerability data associated with the overlapping ranges is shared between each organization. Conversely, organizations can be configured with their own discrete repositories to facilitate situations where data must be kept confidential between different organizational units.

Creation of an organization is a multi-step process. After you create an organization, Tenable Security Center Director prompts you to create the initial security manager user.

For more details, see Manage Organizations.

To view the users in an organization, filter by the organization on the Users page. For more information about filters, see Apply a Filter.

Organization Options

Option

Description

General

Name

(Required) The organization name.

Description

A description for the organization.

Contact Information

The relevant contact information for the organization including address, city, state, country, and phone number.

Password Expiration

Enable Password Expiration

When enabled, passwords for users in the organization will expire after the number of days specified in the Expiration Days box.

Expiration Days

The number of days before the user's password expires. You can enter a number between 1 and 365.

The user will receive daily password expiration notifications at login, starting 14 days before the password expires. After the password expires, the user must change their password at the next login. For more information about Tenable Security Center notifications, see Notifications.

Scanning

Distribution Method

The scan distribution mode you want to use for this organization:

  • Automatic Distribution Only: Tenable Security Center chooses one or more scan zones to run the scan. Organizational users cannot choose a scan zone when configuring a scan.

    Tenable Security Center distributes targets for scans based on your configured scan zone ranges. This facilitates optimal scanning and is useful if an organization has devices placed behind a firewall or NAT device or has conflicting RFC 1918 non-internet-routable address spaces.

  • Locked Zone: Tenable Security Center uses the one Available Zone you specify to run the scan. Organizational users cannot modify the scan zone when configuring a scan.

  • Selectable Zones: Tenable Security Center allows organizational users to select a scan zone when configuring a scan.

    This mode allows organizational users to use scanners to run internal and external vulnerability scans and analyze the vulnerability stance from a new perspective. For example, an organizational user can choose an external scanner to see the attack surface from an external attacker’s perspective.

For more information about scan zones, see Scan Zones.

Available Zones

One or more scan zones that you want organizational users to have access to when configuring scans.

Allow for Automatic Distribution

Enable or disable this option to specify whether you want Tenable Security Center to select one or more scan zones automatically if an organizational user does not specify a scan zone when configuring a scan.

  • When enabled, Tenable Security Center chooses one or more scan zones as specified by your Restrict to Selected Zones setting.

  • When disabled, Tenable Security Center requires the organizational user to specify a scan zone when configuring a scan.

Restrict to Selected Zones

If Allow for Automatic Distribution is enabled, enable or disable this option to specify the zones you want Tenable Security Center to choose from when automatically distributing zones.

  • When enabled, Tenable Security Center chooses from the Available Zones shared with the organization.

  • When disabled, Tenable Security Center chooses from all zones on Tenable Security Center.

Restricted Scan Ranges

The IP address ranges you do not want users in this organization to scan.

Analysis

Accessible LCEs

The Log Correlation Engines that you want this organization to have access to. You can search for the Log Correlation Engines by name or scroll through the list.

Accessible Repositories

The repositories that you want this organization to have access to. You can search for the repositories by name or scroll through the list.

Accessible Agent Capable Scanners

The Tenable Nessus scanners (with Tenable Agents enabled) that you want this organization to have access to. Select one or more of the available scanners to allow the organization to import Tenable Agent results from the selected scanner.

Accessible LDAP Servers

The LDAP servers that you want this organization to have access to. An organization must have access to an LDAP server to perform LDAP authentication on user accounts within that organization, and to configure LDAP query assets.

Note: If you revoke access to an LDAP server, users in the organization cannot authenticate and LDAP query assets cannot run.

Custom Analysis Links

A list of custom analysis links provided to users within the host vulnerability details when analyzing data outside of Tenable Security Center is desired. Click Add Custom Link to create a new option to type the link name and URL to look up additional data external to Tenable Security Center.

For example: http://example.com/index.htm?ip=%ip%

The %ip% reference is a variable that inserts the IP address of the current host into the specified URI.

Vulnerability Weights

Low

The vulnerability weighting to apply to Low criticality vulnerabilities for scoring purposes. (Default: 1)

Medium

The vulnerability weighting to apply to Medium criticality vulnerabilities for scoring purposes. (Default: 3)

High

The vulnerability weighting to apply to High criticality vulnerabilities for scoring purposes. (Default: 10)

Critical

The vulnerability weighting to apply to Critical criticality vulnerabilities for scoring purposes. (Default: 40)

Vulnerability Scoring System

Scoring System

The scoring system Tenable Security Center Director uses to assess the severity of vulnerabilities: CVSS v2 or CVSS v3.

Note: Changing the Scoring System while Tenable Security Center Director is running certain operations, such as preparing reports or dashboard data, results in data using mixed CVSS v2 and CVSS v3 scores.

Note: Changing the Scoring System does not impact historical dashboard trend data. For example, if you change the Scoring System from CVSS v2 to CVSS v3, dashboard trend data before the change displays CVSS v2 scores while dashboard trend data after the change displays CVSS v3 scores.

Groups

User groups are a way to group rights to objects within an organization, and then quickly assign these rights to one or more users. A user's group membership determines their access to security data. When a user creates various objects such as reports, scan policies, dashboards, and other similar items, these objects are automatically shared among the group members if the group permissions allow view and control.

For more information, see Manage Groups.

Group Options

Option Description

General tab

Name

The name for the group.

Description

A description for the group (e.g., security team at the central office or executives on the east coast).

Viewable Hosts

The IP addresses and agent IDs that are viewable by the group. The selection is made by all defined assets or the selection of one or more asset lists.

Repositories

The repositories you want to share with the group.

Log Correlation Engines

The Log Correlation Engines you want to assign to the group.
Sample Content

When enabled, Tenable provides sample content objects to users in the group:

  • sample dashboards (Executive 7 Day, Executive Summary, and Vulnerability Overview)
  • sample reports (Critical and Exploitable Vulnerabilities, Monthly Executive, and Remediation Instructions by Host)
  • sample ARCs (CCC 1: Maintain an Inventory of Software and Hardware, CCC 2: Remove Vulnerabilities and Misconfigurations, CCC 3: Deploy a Secure Network, CCC 4: Authorize Users, and CCC 5: Search for Malware and Intruders)
  • sample assets required for the sample ARCs

After enabling Sample Content, you must add a new user to the group before all users in the group can access the sample content.

Note: If a user in a group deletes a sample content object, the object is deleted for all other users in that group.

Note: If you move a sample content object owner (e.g., move the first user in group A to group B), Tenable Security Center:

  1. Assigns their dashboards and ARCs to a new sample content object owner in group A. Tenable Security Center does not reassign reports or assets.

  2. Recreates their dashboards, ARCs, and assets required for ARCs in group B. Tenable Security Center does not recreate reports.

Share to Group tab
Available Objects The list of available objects to be shared with the group on creation or edit in a bulk operation.