Custom Roles
You can create custom roles for users on your Tenable Vulnerability Management instance to give those users privileges that are specific to your organization's needs.
When you create a custom role, you can add all or some of the following privileges. You can also edit a custom role to remove privileges. Which privileges you can add to or remove from a role depend on the area of Tenable Vulnerability Management where each privilege applies.
Note: A user's access to resources on the account may be limited by their permissions, regardless of their role.
-
Create — Allows users to create an exposure card or a tag. This privilege is specific to Lumin Exposure View and Tenable Inventory, respectively.
-
Manage — Allows the user to create, modify, and delete in the area where the privilege applies.
Note: When you add the Manage privilege to a custom role, Tenable automatically adds the Read privilege as well. You cannot disable the Read privilege unless you first disable the Manage privilege.
- Manage All — Allows the user to view, modify, and delete exports, including exports that others created.
- Manage Own — Allows the user to view, modify, and delete only exports that the user created.
-
Share — Allows the user to share objects with other users or groups.
Note: If a custom role does not also have the Read permission enabled, they cannot access a list of other users with which to share objects. -
Read — Allows the user to view items in the area where the privilege applies.
-
Use — Allows the user to use Tenable-provided scan templates during scan creation.
-
Import — Allows the user to import Tenable Web App Scanning scan data. For more information, see the Tenable Web App Scanning User Guide.
-
Submit PCI — Allows the user to submit the scan for PCI validation. For more information, see the Tenable PCI ASV User Guide.
- Search — Allows the user to search for a query where the privilege applies. This privilege is specific to Attack Path Analysis.
- Save — Allows the user to save a query where the privilege applies. This privilege is specific to Attack Path Analysis.
- Cloud Resource — Allows the user to access assets from Cloud Resource data sources. This privilege is specific to Lumin Exposure View and Tenable Inventory.
- Computing Resource — Allows the user to access assets from Computing Resource data sources. This privilege is specific to Lumin Exposure View and Tenable Inventory.
- Identity — Allows the user to access assets from Identity data sources. This privilege is specific to Lumin Exposure View and Tenable Inventory.
- Web Application — Allows the user to access assets from Web Application data sources. This privilege is specific to Lumin Exposure View and Tenable Inventory.
The following table describes the privilege options available for custom roles in different sections of Tenable Vulnerability Management.
Note: When you create a custom role, you must include Read privileges for the General Settings, License, and My Account sections. If you do not include Read privileges for these sections, users assigned to the role cannot log in to Tenable Vulnerability Management.
| Section | Privilege Options |
|---|---|
| Platform Settings | |
| Asset | Read |
| Findings | Read |
| My Account | Read, Manage |
| Access Control |
Read, Manage Caution: Adding the Manage privilege in Access Control allows any user with that custom role to create an Administrator user, log in as that user, and change the privileges or permissions for any user on your Tenable Vulnerability Management instance, including their own. If you want to create a user account with the ability to manage your Access Control configurations, Tenable recommends that you assign that user the Administrator role. For more information, see Tenable-Provided Roles and Privileges. |
| Activity Log | Read |
| General Setting | Read, Manage |
| License Information | Read |
| Tenable Attack Surface Management | |
| Business | Manage |
| Inventory | Manage
Note: Selecting only the Inventory checkbox allows you to manage your inventory, but does not allow you access to the Administrator interface. For more information, see Tenable Attack Surface Management roles in the Tenable Attack Surface Management User Guide. |
| Vulnerability Management | |
| Dashboard | Manage, Share Note: Custom role privileges in the Dashboards section do not include the ability to export a dashboard. Assign a Tenable-provided role to a user if you want the user to be able to export dashboards. Note: All users can view the dashboards they create or that others share with them regardless of the privileges you assign to them. |
| Export | Manage All, Manage Own |
| Recast/Accept Rule | Read, Manage |
| Web App Scanning | |
| Web Application Scan | Read, Manage, Import, Submit PCI Note: For the Submit PCI privilege to function properly, you must also enable the Enable PCI ASV toggle when creating the custom role. |
| Tenable-Provided Scan Template | Use
Note: For the Use privilege to function properly, you must also enable the Manage privilege in the Web Application Scan and/or User-Defined Scan Template sections.
|
| User-Defined Scan Template | Read, Manage |
| Managed Credential | Read, Manage Caution: To restrict managed credential access in Legacy Tenable Web App Scanning, you must deselect the check boxes in this section AND the Managed Credential check boxes in the Vulnerability Management > Scan section of the custom role creation page. |
| Recast/Accept Rule | Read, Manage Caution: Enabling these Recast/Accept Rule privileges grants access to both Tenable Vulnerability Management and Tenable Web App Scanning recast rule operations. |
| Asset Inventory | |
| Access to Asset Type | Cloud Resource, Computing Resource, Identity, Web Application |
| Inventory | Read |
| Export | Manage Own |
| Tag | Create, Edit |
| Attack Path Analysis | |
| Export | Manage Own |
| Finding | Read, Manage |
| Query | Save, Search |
| Lumin Exposure View | |
| Access to Asset Type | Cloud Resource, Computing Resource, Identity, Web Application |
| Export | Manage Own |
| Exposure Card | Read, Create, Share |
| Settings | Read, Manage |
| Scan | |
| Nessus/Agent Scan | Read, Manage, Submit PCI |
| Scan Exclusion | Read, Manage |
| Tenable-Provided Scan Template | Use |
| User-Defined Scan Template | Read, Manage |
| Managed Credential | Read, Manage |
| Target Group | Read, Manage |