Permissions

This section and the topics in it describe the performance and functionality of a new feature in Tenable.io Key Enhancements. For more information, see Tenable.io Key Enhancements.

Tenable.io allows you to create and manage configurations that determine which users on your organization's account can perform specific actions with the organization's resources and data. This documentation refers to these configurations as permission configurations.

On the My Accounts page, each user can view the permission configurations assigned to them. However, only administrator users can view or manage permission configurations for other users. For more information, see Tenable-Provided Role Privileges.

When you create a user or user group, you can assign existing permission configurations to them for assets that meet the criteria specified by a previously created tag. In Tenable.io, these assets and the tags that define them are called objects.

Roles vs. Permissions: What's the difference?
  • Roles — Roles allow you to manage privileges for major functions in Tenable.io and control which Tenable.io modules and functions users can access.
  • Permissions — Permissions allow you to manage access to your own data, such as Tags, Assets, and their Findings.

When you create a permission configuration, you must select one or more of the following predefined permissions. These permissions determine the actions users can take with the object or objects defined in the permission configuration.

Permission Description
Can View

Allows the user or group to view the assets defined by the object.

Can Scan

Allows the user or group to scan the assets defined by the object.

Note: For a manually entered target to be considered valid, it must meet the following criteria:
  • The user is an administrator

    OR

  • The user has at least Scan Operator role privileges, AND

  • If the target does not exist within the Tenable.io system, the user must have Can Scan permissions on an object that refers to the target explicitly via IPv4, IPv6, or FQDN. If the object has more than one rule, the rules must be joined by the "Match Any" filter, OR

  • If the target already exists within the Tenable.io system, then it must be tagged by an object for which the user has Can Scan permissions.

Can Edit

Allows the user or group to edit the tag that defines the object.

Can Use

Allows the user or group to use the tag that defines the object.
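
The Can Scan note above reads as a decision procedure. The following Python sketch is an added illustration of that logic, not Tenable code or a Tenable API; the role ordering, the data model, the sample values, and the reading of "explicitly" as an exact address or FQDN match are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Assumed role ordering (lowest to highest); the page names only two of these.
ROLE_RANK = {"basic": 0, "scan_operator": 1, "standard": 2,
             "scan_manager": 3, "administrator": 4}
EXPLICIT_FIELDS = {"ipv4", "ipv6", "fqdn"}

@dataclass
class TagObject:
    """Hypothetical model of an object: a tag plus the rules that define it."""
    rules: list             # [(field, value), ...]
    match_any: bool = True  # False models rules joined by "Match All"

def norm(value):
    """Canonicalise an IP address or FQDN so textual variants compare equal."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return value.rstrip(".").lower()

def refers_explicitly(obj, target):
    # Assumption: "explicitly" means one rule names exactly this address or FQDN.
    if len(obj.rules) > 1 and not obj.match_any:
        return False  # multi-rule objects must use "Match Any"
    return any(f in EXPLICIT_FIELDS and norm(v) == norm(target)
               for f, v in obj.rules)

def is_valid_manual_target(role, can_scan, target, objects, asset_tags):
    """can_scan: names of objects the user holds Can Scan on.
    objects: name -> TagObject. asset_tags: known asset -> names of tagging objects."""
    if role == "administrator":
        return True
    if ROLE_RANK[role] < ROLE_RANK["scan_operator"]:
        return False
    key = norm(target)
    if key in asset_tags:  # target already exists in the system
        return bool(asset_tags[key] & can_scan)
    return any(refers_explicitly(objects[n], target)
               for n in can_scan if n in objects)

# Constructed sample data (documentation address ranges and example.com names).
OBJECTS = {
    "dmz-hosts": TagObject([("ipv4", "192.0.2.10"), ("fqdn", "web.example.com")]),
    "strict": TagObject([("ipv4", "192.0.2.20"), ("os", "Linux")], match_any=False),
}
ASSET_TAGS = {"198.51.100.7": {"dmz-hosts"}, "198.51.100.8": {"finance"}}

if __name__ == "__main__":
    print(is_valid_manual_target("scan_operator", {"dmz-hosts"},
                                 "WEB.example.com.", OBJECTS, ASSET_TAGS))
```
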

To view your permission configurations in Tenable.io:

  1. In the upper-left corner, click the Menu button.

    The left navigation plane appears.

  2. In the left navigation plane, click Settings.

    The Settings page appears.

  3. Click the Access Control tile.

    The Access Control page appears. On this page, you can control user and group access to resources in your Tenable.io account.

  4. Click the Permissions tab.

    The Permissions tab appears. This tab contains a table that lists all of the permission configurations on your Tenable.io instance.

    Note: The first row of the permissions table contains a read-only entry for Administrators. This entry exists to remind you that Administrators have all permissions for every resource on your account. For more information, see Roles.

On the Permissions tab, you can perform the following actions: