Tenable-Provided Roles and Privileges

The following tables describe privileges associated with each Tenable-provided user role, organized by function in their respective product.

Area	Tenable Vulnerability Management-Provided Roles and Privileges
	Administrator	Scan Manager	Standard	Scan Operator	Basic
Activity Logs	view, export	-	-	-	-
API Keys	view, modify	view, modify	view, modify	view, modify	view, modify
Account Settings	view, modify	view, modify	view, modify	view, modify	view, modify
Agents	view, delete	view, delete	-	-	-
Agent Freeze Windows	view, create, modify, delete	view, create, modify, delete	-	-	-
Agent Groups	view, create, modify, delete	view, create, modify, delete	-	-	-
Agent Settings	view, modify	view, modify	-	-	-
Assets	view, modify, export, delete	view, modify, delete	view, modify, delete	view, modify, delete	view
Connectors	view, create, modify, delete	-	-	-	-
Dashboards	view, create, modify, export, delete	view, create, modify, export, delete	view, create, modify, export, delete	view, create, modify, export, delete	view, create, modify, export, delete
Exclusions	view, import, export, delete	view, import, export, delete	-	-	-
Exports	view, modify, export, delete	-	-	-	-
General Settings	view, modify	-	-	-	-
Health and Status	view	-	-	-	-
Managed Credentials	view, create, modify, delete	view, create, modify, delete	view, create, modify, delete	view, create, modify, delete	view, create, modify, delete
PCI Managing	view, import, export, create, modify, delete	-	-	-	-
Recast Rules	view, create, modify, delete	-	-	-	-
Reports	view, run, create, modify, delete	view, run, create, modify, delete	view, run, create, modify, delete	view, run, create, modify, delete	view
Report Results	view, delete	view, delete	view, delete	view, delete	view
Scans1 User roles determine a user's abilities, but the permissions that a user has for a particular scan are dictated by scan permissions.	view, import, run, create, modify, delete	view, import, run, create, modify, delete	view, import, run, create, modify, delete	view, import, run, create2 Can create scans using existing user-defined policies that are shared with the user., modify, delete	view3 Can view list of scans, but not scan configuration details., import
Scan Results	view, delete	view, delete	view, delete	view, delete	view, delete
Sensors	view, add, modify, delete	view, add, modify, delete	-	-	-
Scanner Groups	view, create, modify, delete	view, create, modify, delete	-	-	-
Tags4 Assigning and Unassigning tags can be done from the Asset Details page.	view, create tag category, create tag value, delete, export, assign, unassign	view, create tag value, delete, assign, unassign	view, delete, assign, unassign5 Standard users must have the Can Use permission to view, delete, assign, and unassign tags.	view, delete, assign, unassign	view, assign, unassign
User Groups	view, create, modify, delete, export	-	-	-	-
User-Defined Scan Templates	view, import, export, create, modify, delete	view, import, export, create, modify, delete	view, import, export, create, modify, delete	-	-
Users	view, create, modify, delete	-	-	-	-
Vulnerabilities	view, export	view, export	view, export	view, export	view, export

Area	Tenable Web App Scanning-Provided Roles and Privileges
	Administrator	Scan Manager	Standard	Scan Operator		Basic
Dashboards	view, create, modify, delete	view, create, modify, delete	view, create, modify, delete	view, create, modify, delete	view	view
Tenable-Provided Scan Templates	view	view	view	-	-	-
User-Defined Templates	view, create, modify, delete	view, create, modify, delete	view	-	-	-
Scans (also requires scan permissions)	view, create, modify, run, delete	view, create, modify, run, delete	view, create, modify, run, delete	view, import, create6 Can create scans using existing user-defined policies that are shared with the user., modify, run, delete, move to trash	view	view
Managed Credentials	view, create, modify, delete	view, create, modify, delete	view, create, modify, delete	view, create, modify, delete	view, create, modify, delete	view, create, modify, delete
Scan Permissions	view, create, modify, delete7 Administrator users can create, modify, and delete permissions for scans that any user on the account owns.	view, create, modify, delete8 Scan Manager users can create, modify, or delete permissions only on scans they own.	view, create, modify, delete9 Standard users can create, modify, or delete permissions only on scans they own.	view, create, modify, delete10 Scan Operator users can create, modify, or delete permissions only on scans they own.	-	-
Scan Results (also requires scan permissions)	view, delete	view, delete	view, delete	view, delete	view, delete	view, delete

Area	Lumin Exposure View-Provided Roles and Privileges
	Administrator	Scan Manager	Standard	Scan Operator	Basic
Settings	manage, read	read	read	read	read
Access to Asset Type	computing resource (host), cloud resource, web application, identity	computing resource (host), cloud resource, web application, identity	computing resource (host), cloud resource, web application, identity	computing resource (host), cloud resource, web application, identity	computing resource (host), cloud resource, web application, identity
Export	manage own	manage own	manage own	manage own	manage own
Exposure Card	create, share, read	create, share, read	create, share, read	share, read	read

Area	Asset Inventory-Provided Roles and Privileges
	Administrator	Scan Manager	Standard	Scan Operator	Basic
Access to Asset Type	computing resource (host), cloud resource, web application, identity	computing resource (host), cloud resource, web application, identity	computing resource (host), cloud resource, web application, identity	computing resource (host), cloud resource, web application, identity	computing resource (host), cloud resource, web application, identity
Export	manage own	manage own	manage own	manage own	manage own
Tag	create, edit	create, edit	-	-	-

Area	Attack Path Analysis-Provided Roles and Privileges
	Administrator	Scan Manager	Standard	Scan Operator	Basic
Export	manage own	manage own	manage own	manage own	manage own
Finding	manage, read	manage, read	read	read	read
Query	search, save	search, save	search, save	search	search

Area	Tenable Container Security-Provided Roles and Privileges
	Administrator	Scan Manager	Standard	Scan Operator	Basic
Dashboards	view	view	view	view	view
Usage Data	view 11 User with the Administrator role can view license information that is not available to other roles.	view	view	view	view
Images	view, push to Tenable Vulnerability Management, delete 12 Besides user with the Administrator role, users can delete only images that they imported. Administrator users can delete images for all users on an account.	view, push to Tenable Vulnerability Management, delete	view, push to Tenable Vulnerability Management, delete	view, push to Tenable Vulnerability Management, delete	-
Image Repository	view, search, delete	view, search, delete	view, search, delete	view, search, delete	view, search
Containers	view	view	view	view	view
Policies	create, view, edit, set permissions, delete	create, view, edit, set permissions, delete	view	view	view
Connectors	create, configure, view, delete	-	-	-	-
CS Scanner	download, view, configure, run	download, view, configure, run	download, view, configure, run	download, view, configure, run	download
Scan Results	view, search	view, search	view, search	view, search	view, search