Tenable-Provided Roles and Privileges

Tenable-provided roles are a set of predefined user privileges within Tenable Vulnerability Management that broadly determine the functions a user can access and the actions they can perform. These roles provide a structured, tiered approach to managing access, ensuring users only have the capabilities necessary for their security responsibilities. When you create a user account, you must assign one of these roles, which automatically grants a specific set of privileges.

Roles vs. Permissions: What's the difference?
  • Roles — Roles allow you to manage privileges for major functions in Tenable Vulnerability Management and control which Tenable Vulnerability Management modules and functions users can access.
  • Permissions — Permissions allow you to manage access to data, such as Tags, Assets, and their Findings.

Simply put, roles are the actions you can take in a product, and permissions determine the data on which you can perform those actions.

Tenable Vulnerability Management Roles

The primary Tenable-provided roles used for Tenable Vulnerability Management, from most restricted to most privileged, include:

Basic

Basic users can run and view scans assigned to them, but they don’t have the ability to configure the platform, manage other users, or control system settings. Their role is designed for day-to-day vulnerability assessment tasks within the boundaries set by Administrators or Scan Managers.

Core Capabilities of a Basic User

  • Scan Usage

    • Launch scans that have been shared with them or that they own.

    • View results of scans they created or were given access to.

    • Stop or pause scans they are permitted to run.

    • Share their own scans with other users, if allowed.

    • Receive scan assignments from Scan Managers or Administrators.

  • Results and Reporting

    • View scan results for their own scans or assigned scans.

    • Generate, filter, and export reports (PDF, CSV, etc.) for those scans.

    • Use dashboards and findings to track vulnerabilities related to their scope.

  • Assets and Policies

    • Use existing scan policies made available by Scan Managers or Administrators.

    • Assign scans to specific assets or asset groups they have permission to see.

Scan Operator

Scan Operators can operate and manage scans within assigned assets, repositories, or networks. These users are generally focused on running and managing vulnerability scans, but not necessarily creating or administering broader system configurations.

Core Capabilities of a Scan Operator

  • Run Scans

    • Launch or start scans that have already been created or assigned to them.

    • Pause, resume, or stop scans they have permission to operate.

  • View Scan Status and Results

    • View scan status (running, completed, stopped, failed, etc.) and progress metrics during active scans.

    • Access and review scan results for scans they have run or that are shared with them.

    • Export scan data (e.g., as reports in CSV or PDF formats).

  • Manage Assigned Scans

    • Clone or modify existing scans if permitted within their access group.

    • Re-run scans using existing configurations or schedules.

Standard

Standard is a built-in role designed for regular users who need to view and work with vulnerability data, but who do not require administrative or configuration privileges. A Standard user has access primarily for viewing, analyzing, and reporting on vulnerability data that has already been collected. They can see assets, dashboards, and reports shared with them, but they cannot create, modify, or launch scans unless specifically granted additional privileges.

Core Capabilities of a Standard User

  • View Vulnerability Data

    • Access vulnerabilities, assets, dashboards, and reports assigned to their access group.

    • Review findings, severity levels, and vulnerability trends.

    • Filter or search vulnerability data to support analysis or remediation tracking.

  • Utilize Dashboards and Reporting

    • View and interact with built-in or shared dashboards.

    • Filter or search vulnerability data to support analysis or remediation tracking.

    • Generate vulnerability reports using available templates or saved filters and export results for analysis.

  • Collaborate Within Scope

    • Comment on findings or work within remediation workflows if enabled.

    • Access shared data and insights within their assigned access group or assets.

Scan Manager

The Scan Manager’s purpose is to create, manage, and oversee vulnerability scans and scan results without having unrestricted system-wide control. A Scan Manager user can fully manage scans but does not have administrative powers over the platform or users.

Core Capabilities of a Scan Manager

  • Scan Creation and Management

    • Create, configure, launch, and schedule vulnerability scans.

    • Define targets and asset groups for scans.

    • Edit or delete scans they own or have been granted access to.

    • Share scans with other users or groups (with rights granted by an Administrator).

    • Assign scan permissions.

  • Asset and Scanner Usage

    • Use available scanners and scan zones (assigned by an Administrator).

    • Assign scans to specific scanners.

    • Manage scan distribution across scanner resources.

  • Results and Reporting

    • View scan results for the scans they own or manage.

    • Generate and export reports (PDF, CSV, etc.).

Administrator

Administrators have the highest level of permissions and can perform both security management and system configuration tasks. Their role is to control the overall deployment, user access, and operational setup of the product environment.

Core Capabilities of an Administrator

  • User and Role Management

    • Create, modify, disable, or delete user accounts.

    • Assign roles, permissions, and group memberships.

    • Enforce security policies like password requirements or authentication methods.

  • System Configuration

    • Configure global system settings (network settings, logging, notifications, authentication, etc.).

    • Integrate Tenable with external systems (LDAP/AD, SIEMs, ticketing systems, APIs).

    • Set up and manage access controls.

  • Scan and Asset Management

    • Create, configure, launch, and schedule vulnerability scans.

    • Manage scanners and scan zones.

    • Define scan policies and templates for other users.

    • Add, organize, and monitor assets or asset groups.

  • Plugin and Update Management

    • Control plugin updates for Tenable platforms.

    • Ensure scanners have the latest detection capabilities.

  • Data and Reporting

    • Access all vulnerability data, scan results, and reports across the environment.

    • Configure report templates and dashboards.

    • Share or restrict visibility of findings to other users.

  • Security and Compliance Oversight

    • Configure compliance scans (CIS, DISA STIG, PCI DSS, etc.).

    • Manage audit files and compliance templates.

    • Review and enforce organization-wide remediation strategies.

  • User Management

    • Define user roles and scope of data access.

    • Oversee activity logs and audit trails.

    • Revoke user or system access when necessary.

Tenable Vulnerability Management Role Privileges

The following table describes privileges associated with each Tenable-provided Tenable Vulnerability Management user role, organized by privilege and function.

Note: You can further refine user access to specific resources by assigning permissions to individual users or groups. For more information, see Permissions.
Tip: The following roles and privileges apply to commercial and Tenable FedRAMP Moderate environments, where appropriate.
| Area | Administrator | Scan Manager | Standard | Scan Operator | Basic |
| --- | --- | --- | --- | --- | --- |
| Activity Logs | view, export | - | - | - | - |
| API Keys | view, modify | view, modify | view, modify | view, modify | view, modify |
| Account Settings | view, modify | view, modify | view, modify | view, modify | view, modify |
| Agents | view, delete | view, delete | - | - | - |
| Agent Freeze Windows | view, create, modify, delete | view, create, modify, delete | - | - | - |
| Agent Groups | view, create, modify, delete | view, create, modify, delete | - | - | - |
| Agent Settings | view, modify | view, modify | - | - | - |
| Assets | view, modify, export, delete | view, modify, export, delete | view, modify, export, delete | view, modify, export, delete | view, export |
| Connectors | view, create, modify, delete | - | - | - | - |
| Dashboards | view, create, modify, export, delete | view, create, modify, export, delete | view, create, modify, export, delete | view, create, modify, export, delete | view, create, modify, export, delete |
| Exclusions | view, import, export, delete | view, import, export, delete | - | - | - |
| Exports | view, modify, export, delete | - | - | - | - |
| Findings | view, export | view, export | view, export | view, export | view, export |
| General Settings | view, modify | - | - | - | - |
| Managed Credentials | view, create, modify, delete | view, create, modify, delete | view, create, modify, delete | view, create, modify, delete | view, create, modify, delete |
| Recast Rules | view, create, modify, delete | - | - | - | - |
| Reports | view, run, create, modify, delete | view, run, create, modify, delete | view, run, create, modify, delete | view, run, create, modify, delete | view |
| Scan Results | view, export, delete | view, export, delete | view, export, delete | view, export, delete | view, export, delete |
| Scans[1] | view, import, run, create, modify, delete | view, import, run, create, modify, delete | view, import, run, create, modify, delete | view, import, run, create[2], modify[3], delete | view[4], import |
| Scanner Groups | view, create, modify, delete | view, create, modify, delete | - | - | - |
| Sensors | view, add, modify, delete | view, add, modify, delete | - | - | - |
| Shared Collections | view, create, modify, delete | view, create, modify, delete | view, create, modify, delete | view, create, modify, delete | view |
| Tags[5] | view, create tag category, create tag value, delete, export, assign, unassign | view, create tag value, delete, assign, unassign | view, delete, assign, unassign[6] | view, delete, assign, unassign | view, assign, unassign |
| User Groups | view, create, modify, delete, export | - | - | - | - |
| Users | view, create, modify, delete | - | - | - | - |
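
As an added example (not Tenable's code or API), the following sketch encodes a few unfootnoted rows of the Tenable Vulnerability Management table above, selects the most restricted Tenable-provided role that covers a set of required privileges, and flags accounts assigned a broader role than they need. The user names, task lists, and function names are constructed for illustration, and data-level permissions are not modelled.

```python
# Added illustration: least-privilege role selection from the role matrix above.
# Roles in the page's order, most restricted first.
ROLES = ["Basic", "Scan Operator", "Standard", "Scan Manager", "Administrator"]

def row(admin, scan_mgr="", standard="", scan_op="", basic=""):
    """Build one matrix row; an empty string is the table's '-' (no privileges)."""
    cells = dict(zip(reversed(ROLES), (admin, scan_mgr, standard, scan_op, basic)))
    return {r: set(filter(None, c.split(", "))) for r, c in cells.items()}

VE = "view, export"
ASSET = "view, modify, export, delete"
CRUD = "view, create, modify, delete"
RUN = "view, run, create, modify, delete"
MATRIX = {  # subset of rows copied from the table, footnoted rows left out
    "Activity Logs": row(VE),
    "Agents": row("view, delete", "view, delete"),
    "Assets": row(ASSET, ASSET, ASSET, ASSET, VE),
    "Connectors": row(CRUD),
    "Findings": row(VE, VE, VE, VE, VE),
    "Reports": row(RUN, RUN, RUN, RUN, "view"),
    "Users": row(CRUD),
}

def minimum_role(required):
    """Return the most restricted role granting every (area, action) pair, else None."""
    for role in ROLES:
        if all(action in MATRIX[area][role] for area, action in required):
            return role
    return None

def over_provisioned(users):
    """Return (user, assigned, sufficient) for accounts whose role exceeds the need."""
    findings = []
    for name, (assigned, required) in users.items():
        sufficient = minimum_role(required)
        if sufficient and ROLES.index(assigned) > ROLES.index(sufficient):
            findings.append((name, assigned, sufficient))
    return findings

# Constructed sample accounts: assigned role and the privileges the job needs.
USERS = {
    "auditor": ("Administrator", [("Activity Logs", "export")]),
    "triage": ("Scan Manager", [("Findings", "export"), ("Assets", "view")]),
    "agent-ops": ("Scan Manager", [("Agents", "delete")]),
    "reporter": ("Standard", [("Reports", "run")]),
}

if __name__ == "__main__":
    for name, assigned, sufficient in over_provisioned(USERS):
        print(f"{name}: assigned {assigned}, {sufficient} is sufficient")
```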

Other Tenable One Platform Product Roles and Privileges

Within Tenable Vulnerability Management, you can also apply privileges for other applications within the Tenable One platform. For more information, see Tenable One Product Architecture in the Tenable One Deployment Guide.

The following tables describe privileges associated with each product's available user roles, organized by function in their respective product.

Note: You can further refine user access to specific resources by assigning permissions to individual users or groups. For more information, see Permissions.
Tip: The following roles and privileges apply to commercial and Tenable FedRAMP Moderate environments, where appropriate.

Tenable Web App Scanning-Provided Roles and Privileges

Area Tenable Web App Scanning-Provided Roles and Privileges

Administrator

Scan Manager Standard Scan Operator Basic
Dashboards view, create, modify, delete view, create, modify, delete view, create, modify, delete view, create, modify, delete view view
Tenable-Provided Scan Templates view, create, modify, delete view, create, modify, delete view, create, modify, delete view - -

Scans

(also requires scan permissions)

view, import, create, modify, run, delete view, import, create, modify, run, delete view, create, modify, run, delete view, create7, modify8, run, delete, move to trash view view
Managed Credentials view, create, modify, delete view, create, modify, delete view, create, modify, delete view, create, modify, delete view, create, modify, delete view, create, modify, delete

Scan Permissions

view, create, modify, delete9 view, create, modify, delete10 view, create, modify, delete11 view, create, modify, delete12 - -

Scan Results

(also requires scan permissions)

view, delete view, delete view, delete view, delete view, delete view, delete

Tenable Exposure Management-Provided Roles and Privileges

| Area | Administrator | Scan Manager | Standard | Scan Operator | Basic |
| --- | --- | --- | --- | --- | --- |
| Settings | manage, read | read | read | read | read |
| Access to Asset Type | computing resource (host), cloud resource, web application, identity | computing resource (host), cloud resource, web application, identity | computing resource (host), cloud resource, web application, identity | computing resource (host), cloud resource, web application, identity | computing resource (host), cloud resource, web application, identity |
| Export | manage own | manage own | manage own | manage own | manage own |
| Exposure Card | create, share, read | create, share, read | create, share, read | share, read | read |
| Finding | manage, read | manage, read | read | read | read |
| Query | search, save | search, save | search, save | search | search |
| Tag | create, edit | create, edit | - | - | - |
| Third-Party Connectors | create, manage, read | - | - | - | - |

Tenable Identity Exposure-Provided Roles and Privileges

| Area | Global Administrator | Custom |
| --- | --- | --- |
| Entire Application | Read, Edit, Create | User roles are defined in the application. For more information, see Roles. |

Tenable Attack Surface Management-Provided Roles and Privileges

| Area | Business Administrator | Cloud Connector Manager | Active User | View-Only User |
| --- | --- | --- | --- | --- |
| Inventory | manage, add, modify, delete | add, modify, leave | add, modify, leave | view |
| Suggestions | manage, add, modify, delete | manage, add, modify, delete | manage, add, modify, delete | view |
| Subscriptions | manage, add, modify, delete | manage, add, modify, delete | manage, add, modify, delete | view |
| Dashboard | manage, add, modify, delete | manage, add, modify, delete | manage, add, modify, delete | view |
| Reports | manage, add, modify, delete | manage, add, modify, delete | manage, add, modify, delete | view |
| Txt Records | manage, modify, delete | manage, modify, delete | manage, modify, delete | view |
| Activity Logs | view | view | view | view |
| User Accounts | manage, modify, delete | - | - | - |
| Business | manage, modify | - | - | - |
| Cloud connectors | manage, add, modify, delete | manage, add, modify, delete | view | view |

Note: By default, Tenable Attack Surface Management users created within Tenable One are mapped to a user role as documented in the Tenable Attack Surface Management User Guide.

Tenable Cloud Security-Provided Roles and Privileges

| Area | Administrator | Collaborator | Viewer |
| --- | --- | --- | --- |
| Console Tabs | view | view | view |
| Reports | view, create, schedule, delete | view, create, schedule, delete | view, create |
| Inventory | view, manage, generate policy | view, manage, generate policy | - |
| Findings | view, share, manage, disable | view, share, manage | view, share |
| Administration | view, manage, audit | - | - |

Tenable PCI ASV-Provided Roles and Privileges

| Area | Administrator | Other |
| --- | --- | --- |
| Entire Application | view, import, run, create, modify, delete | - |

Lumin Exposure View-Provided Roles and Privileges

| Area | Administrator | Scan Manager | Standard | Scan Operator | Basic |
| --- | --- | --- | --- | --- | --- |
| Settings | manage, read | read | read | read | read |
| Access to Asset Type | computing resource (host), cloud resource, web application, identity | computing resource (host), cloud resource, web application, identity | computing resource (host), cloud resource, web application, identity | computing resource (host), cloud resource, web application, identity | computing resource (host), cloud resource, web application, identity |
| Export | manage own | manage own | manage own | manage own | manage own |
| Exposure Card | create, share, read | create, share, read | create, share, read | share, read | read |

Tenable Inventory-Provided Roles and Privileges

| Area | Administrator | Scan Manager | Standard | Scan Operator | Basic |
| --- | --- | --- | --- | --- | --- |
| Access to Asset Type | computing resource (host), cloud resource, web application, identity | computing resource (host), cloud resource, web application, identity | computing resource (host), cloud resource, web application, identity | computing resource (host), cloud resource, web application, identity | computing resource (host), cloud resource, web application, identity |
| Export | manage own | manage own | manage own | manage own | manage own |
| Tag | create, edit | create, edit | - | - | - |

Attack Path Analysis-Provided Roles and Privileges

| Area | Administrator | Scan Manager | Standard | Scan Operator | Basic |
| --- | --- | --- | --- | --- | --- |
| Export | manage own | manage own | manage own | manage own | manage own |
| Finding | manage, read | manage, read | read | read | read |
| Query | search, save | search, save | search, save | search | search |