Create a Custom Role

Required User Role: Administrator

Note: Tenable applications do not currently support managing scans and sensors via Custom Roles.

To create a custom role:

  1. In the left navigation, click Settings.

    The Settings page appears.

  2. Click the Access Control tile.

    The Access Control page appears. On this page, you can control user and group access to resources in your Tenable Vulnerability Management account.

  3. Click the Roles tab.

    The Roles page appears. This page contains a table that lists all the user roles available on your Tenable Vulnerability Management instance.

  4. Do one of the following:

    • Duplicate and modify an existing role.
    • Add a new role:

      1. At the top of the table, click Add Role.

        The Add Role page appears.

      2. In the Name box, type a name for your custom role.

      3. (Optional) In the Description box, type a description for your custom role.

      4. Determine the applications to which the custom role has access:

        1. In the left panel, click the application name.

          An Enable toggle appears.

        2. Click the Enable toggle to enable or disable access to this application for the custom role you're creating.

          For some applications, privileges associated with the application appear.

        3. Select the checkbox for each privilege you want to add to your custom role.

          Tip: For more information about privileges, see Custom Role Privileges.

          Note: When you create a custom role, you must include Read privileges for the General Settings, License, and My Account sections. If you do not include Read privileges for these sections, users assigned to the role cannot log in to Tenable Vulnerability Management.

          Section                           Privilege Options

          Platform Settings
            Asset                           Read
            Findings                        Read
            My Account                      Read, Manage
            Access Control                  Read, Manage

            Caution: Adding the Manage privilege in Access Control allows any user with that custom role to create an Administrator user, log in as that user, and change the privileges or permissions for any user on your Tenable Vulnerability Management instance, including their own. If you want to create a user account with the ability to manage your Access Control configurations, Tenable recommends that you assign that user the Administrator role. For more information, see Tenable-Provided Roles and Privileges.

            Access Control Users            Read

            Note: Creating a Shared Collection role with the Manage privilege also enables the Access Control Users Read privilege.

            Activity Log                    Read
            General Setting                 Read, Manage
            License Information             Read

          Tenable Attack Surface Management
            Business                        Manage
            Inventory                       Manage

            Note: Selecting only the Inventory checkbox allows you to manage your inventory, but does not allow you access to the Administrator interface.

            For more information, see Tenable Attack Surface Management roles in the Tenable Attack Surface Management User Guide.

          Vulnerability Management
            Dashboard                       Manage, Share

            Note: Custom role privileges in the Dashboards section do not include the ability to export a dashboard. Assign a Tenable-provided role to a user if you want the user to be able to export dashboards.

            Note: All users can view the dashboards they create or that others share with them regardless of the privileges you assign to them.

            Export                          Manage All, Manage Own
            Recast/Accept Rule              Read, Manage

            Note: Enabling these Recast/Accept Rule privileges grants access to recast rule operations for Tenable Vulnerability Management, Tenable Web App Scanning, and Host Audit findings.

          Web App Scanning
            Web Application Scan            Read, Manage, Import, Submit PCI

            Note: For the Submit PCI privilege to function properly, you must also enable the Enable PCI ASV toggle when creating the custom role.

            Tenable-Provided Scan Template  Use

            Note: For the Use privilege to function properly, you must also enable the Manage privilege in the Web Application Scan and/or User-Defined Scan Template sections.

            User-Defined Scan Template      Read, Manage
            Managed Credential              Read, Manage

            Caution: To restrict managed credential access in Legacy Tenable Web App Scanning, you must deselect the check boxes in this section AND the Managed Credential check boxes in the Vulnerability Management > Scan section of the custom role creation page.

            Note: In the Legacy Tenable Web App Scanning interface, custom role users must be assigned the Manage role to view managed credentials. In the new Tenable Web App Scanning interface, users can view managed credentials with the Read role alone.

            Recast/Accept Rule              Read, Manage

            Note: Enabling these Recast/Accept Rule privileges grants access to recast rule operations for Tenable Vulnerability Management, Tenable Web App Scanning, and Host Audit findings.

          Tenable Exposure Management
            Access to Asset Type            Cloud Resource, Computing Resource, Identity, Web Application
            Inventory                       Read
            Export                          Manage Own
            Tag                             Create, Edit
            Export                          Manage Own
            Finding                         Read, Manage
            Query                           Save, Search
            Access to Asset Type            Cloud Resource, Computing Resource, Identity, Web Application
            Export                          Manage Own
            Exposure Card                   Read, Create, Share
            Settings                        Read, Manage

          Scan
            Nessus/Agent Scan               Read, Manage, Submit PCI
            Scan Exclusion                  Read, Manage
            Tenable-Provided Scan Template  Use
            User-Defined Scan Template      Read, Manage
            Managed Credential              Read, Manage
            Target Group                    Read, Manage
            Shared Collection               Read, Manage

            Note: Creating a Shared Collection role with the Manage privilege also enables the Access Control Users Read privilege.

      5. Click Save.

        Tenable Vulnerability Management saves the role and adds it to the roles table.
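
The notes and cautions in the privilege table can be checked against a planned role before you save it. The following Python check is an added example, not Tenable code: the dictionary layout (application, section, privileges) and the enable_pci_asv key are assumptions made for this review and do not correspond to any Tenable API or export format.

```python
# Added example: lint a planned custom role against the notes and cautions above.
# The dict layout is a constructed representation, not a Tenable API format.
LOGIN_SECTIONS = ("General Setting", "License Information", "My Account")
WAS, PLATFORM, SCAN = "Web App Scanning", "Platform Settings", "Scan"

def privs(role, app, section):
    # Privileges selected for one section; empty set if the section is absent.
    return set(role.get("privileges", {}).get(app, {}).get(section, ()))

def review_role(role):
    """Return (severity, message) findings for a planned custom role."""
    out = []
    for section in LOGIN_SECTIONS:  # Read on these sections is required for login
        if "Read" not in privs(role, PLATFORM, section):
            out.append(("error", f"{section}: Read missing, users cannot log in"))
    if "Manage" in privs(role, PLATFORM, "Access Control"):
        out.append(("high", "Access Control: Manage is Administrator-equivalent"))
    if ("Submit PCI" in privs(role, WAS, "Web Application Scan")
            and not role.get("enable_pci_asv", False)):
        out.append(("warn", "Submit PCI needs the Enable PCI ASV toggle"))
    if "Use" in privs(role, WAS, "Tenable-Provided Scan Template") and not (
            "Manage" in privs(role, WAS, "Web Application Scan")
            or "Manage" in privs(role, WAS, "User-Defined Scan Template")):
        out.append(("warn", "Use needs Manage on Web Application Scan "
                            "and/or User-Defined Scan Template"))
    # Legacy WAS: credentials are restricted only if both sections are deselected.
    was_cred = privs(role, WAS, "Managed Credential")
    scan_cred = privs(role, SCAN, "Managed Credential")
    if bool(was_cred) != bool(scan_cred):
        out.append(("warn", "Managed Credential set in only one of Web App "
                            "Scanning / Scan: Legacy WAS access not restricted"))
    if "Manage" in privs(role, SCAN, "Shared Collection"):
        out.append(("info", "Shared Collection Manage also enables Access Control Users Read"))
    return out

# Constructed sample role, for illustration only.
SAMPLE_ROLE = {
    "enable_pci_asv": False,  # hypothetical key for the Enable PCI ASV toggle
    "privileges": {
        PLATFORM: {"My Account": ["Read"], "General Setting": ["Read"],
                   "Access Control": ["Read", "Manage"]},
        WAS: {"Web Application Scan": ["Read", "Submit PCI"],
              "Tenable-Provided Scan Template": ["Use"]},
        SCAN: {"Managed Credential": ["Read"], "Shared Collection": ["Manage"]},
    },
}

if __name__ == "__main__":
    for severity, message in review_role(SAMPLE_ROLE):
        print(f"[{severity}] {message}")
```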