Access Groups

Note: System target group permissions that controlled viewing scan results and scanning specified targets have been migrated to access groups. For more information, see Scan Permissions Migration.

With access groups, you can control which users or groups in your organization can:

  • View specific assets and related vulnerabilities in aggregated scan result views (dashboards in the new interface and workbenches in classic interface).
  • Run scans against specific targets and view individual scan results for the targets.

An access group contains assets or targets as defined by the rules you set. Access group rules specify identifying attributes that Tenable.io uses to associate assets or targets with the group (for example, an AWS Account ID, FQDN, or IP address). By assigning users or user groups to the access group, you grant them view or scan permissions for assets or targets associated with the access group.

Note: When you create or edit an access group, Tenable.io may take some time to assign assets to the access group, depending on the system load, the number of matching assets, and the number of vulnerabilities.

You can view the status of this assignment process in the Status column of the access groups table on the Access Groups page.

Only administrators can view, create, and edit access groups. As a basic or standard user, you can see the access groups to which you belong and the related rules, but not the other users that are in the access group.

By default, all users have access to the All Assets group, which contains all assets. Therefore, if you want to limit permissions for assets, you must first restrict users for All Assets.

Note: Tenable.io applies dynamic tags to any assets, regardless of access group scoping. As a result, it may apply tags you create to assets outside of the access groups to which you belong.

Your organization can create up to 5,000 access groups.

For information on using access groups, see: