Tenable Vulnerability Management allows you to create and manage configurations that determine which users on your organization's account can perform specific actions with the organization's resources and data. This documentation refers to these configurations as permission configurations.

On the My Accounts page, each user can view the permission configurations assigned to them. However, only administrator users can view or manage permission configurations for other users. For more information, see Tenable-Provided Roles and Privileges.

When you create a user or user group, you can assign existing permission configurations to them for assets that meet the criteria specified by a previously created tag. In Tenable Vulnerability Management, these assets and the tags that define them are called objects.

Roles vs. Permissions: What's the difference?
  • Roles — Roles allow you to manage privileges for major functions in Tenable Vulnerability Management and control which Tenable Vulnerability Management modules and functions users can access.
  • Permissions — Permissions allow you to manage access to your own data, such as Tags, Assets, and their Findings.

When you create a permission configuration, you must select one or more of the following predefined permissions. These permissions determine the actions users can take with the object or objects defined in the permission configuration.

Permission Description
Can View

Allows a user or group with this permission to view the assets defined by the object.

Can Scan

Allows a user or group with this permission to scan the assets defined by the object.

Note: For a manually entered target to be considered valid, it must meet the following criteria:
  • The user is an administrator


  • The user has at least Scan Operator role privileges, AND

  • If the target does not exist within the Tenable Vulnerability Management system, the user must have CanScan permissions on an object that refers to the target explicitly via IPv4, IPV6 or FQDN. If the object has more than one rule, the rules must be joined by the "Match Any" filter, OR

  • If the target already exists within the Tenable Vulnerability Management system, then it must be tagged by an object for which the user has CanScan permissions.

Can Edit Allows a user or group with this permission to edit the tag that defines the object.
Can Use Allows a user or group with this permission to use the tag that defines the object.

To view your permission configurations in Tenable Vulnerability Management:

  1. In the upper-left corner, click the Menu button.

    The left navigation plane appears.

  2. In the left navigation plane, click Settings.

    The Settings page appears.

  3. Click the Access Control tile.

    The Access Control page appears. On this page, you can control user and group access to resources in your Tenable Vulnerability Management account.

  4. Click the Permissions tab.

    The Permissions tab appears. This tab contains a table that lists all of the permission configurations on your Tenable Vulnerability Management instance.

    Note:The first row of the permissions table contains a read-only entry for Administrators. This entry exists to remind you that Administrators have all permissions for every resource on your account. For more information, see Roles.

On the Permissions tab, you can perform the following actions: