Custom Roles

Custom roles allow you to create and manage user roles with precisely defined permissions tailored to your organization’s operational and security needs. You can create custom roles for users on your Tenable Vulnerability Management instance to fine-tune access for different teams, ensuring users have only the rights necessary for their responsibilities, for example, to create scans but not delete them, or view reports but not modify policies.

Note: A user's access to resources on the account may be limited by their permissions, regardless of their role.

Important! Tenable is currently migrating to a new RBAC model for Tenable Exposure Management roles! At this time you will see both the legacy and new RBAC models side-by-side within the Tenable Vulnerability Management user interface. Be sure to update your Tenable Exposure Management custom roles before January 30, 2026 to maintain your access to your Tenable products.

Custom Role Privileges

The following privileges are available for use when creating custom roles within Tenable Vulnerability Management. You can also edit a custom role to remove privileges. Which privileges you can add to or remove from a role depends on the area of Tenable Vulnerability Management where each privilege applies.

Note: When creating a custom role, you must enable the application for use before you can select these privileges. For more information, see Create a Custom Role.

Each privilege below is listed with its definition, followed by examples.

Read

Allows view-only access for the user to ensure auditors, compliance officers, or executives can access the data they need without the risk of modifying objects.
  • See the configuration details of the object (scan settings, policy definitions, asset group members, etc.).

  • Browse scan results, vulnerabilities, dashboards, or reports within the assigned scope.

  • Use dashboards or filters to review vulnerability data.

  • View and interact with the data on the Exposure View page within Tenable Exposure Management.

Write

Lets a user make changes to an object (like a scan, asset group, dashboard, or report) but still stops short of giving them full administrative control.
  • Launch, pause, stop, resume, or edit scans.

  • Add or remove assets from asset groups.

  • Edit report templates, dashboards, or filters.

  • View, analyze, and export results from scans.

Manage

Grants the user the ability to create, edit, configure, and delete objects within their assigned scope - such as scans, policies, dashboards, assets, or repositories - depending on where the privilege is applied.

Note: When you add the Manage privilege to a custom role, Tenable automatically adds the Read privilege as well. You cannot disable the Read privilege unless you first disable the Manage privilege.

  • Create, edit, duplicate, or delete scans and scan templates.

  • Create, modify, or remove scan policies and templates.

  • Manage tagging, asset lists, or export operations.

  • Create and customize dashboards or reports.

Manage Own

Allows the user to view, modify, and delete only exports that the user created.
  • View, modify, or delete a scheduled export that you created.

Manage All

Allows the user to view, modify, and delete exports, including exports that others created.

Share

Empowers the user to share specific objects they have access to with other users, groups, or roles within their organization — such as scans, dashboards, reports, policies, or assets. This privilege is primarily about collaboration and data visibility: it lets a user decide who else can view, run, or modify the resources they control.
  • Share existing scans or templates with other users or access groups, and grant others permission to view, run, or manage the shared scans.

  • Share dashboards, exposure cards, or reports with specific users or groups.

  • Share scan policies or credentials with others who need to reuse them.

Use

Gives the user the ability to access and apply an existing object, such as a scan policy, credential, or dashboard, without modifying or managing it. This enables a user to leverage objects that have already been created (for example, by an administrator or scan manager), while preventing them from editing, deleting, or sharing those objects.
  • Select and apply an existing scan template or scan policy when creating or running a scan.

  • Use existing stored credentials in scans for authenticated testing.

  • Apply shared dashboard or report templates.

Create

Allows the user to build new objects or configurations within the system without granting broader control over the application.

Edit

Enables the user to modify existing tags within Tenable Inventory without creating new tags or deleting them.
  • Edit a tag in Tenable Inventory.

Import

Allows the user to upload scans so they can be used or analyzed in Tenable Web App Scanning.
  • Import web app scan data into the Tenable Web App Scanning application.

  • Integrate imported results into dashboards, reports, or analytics.

Search

Allows the user to create search queries within Attack Path Analysis.

Save

Lets the user save a query for later use within Attack Path Analysis.
  • Save a query as a bookmark within the Top Attack Paths section of Attack Path Analysis.

Asset Category:

  • Cloud Resource

  • Computing Resource

  • Identity

  • Operational Technology

  • Web Application

Allows the user to access assets from the relevant data sources within Tenable Inventory and Lumin Exposure View.
  • View asset data for the selected asset category within Tenable Inventory.

  • View asset data for the selected asset category within Lumin Exposure View.

Submit PCI

Allows the user to submit Tenable Vulnerability Management or Tenable Web App Scanning scans for PCI ASV review.
  • Submit a scan for PCI ASV review from the Scan Details page.