Custom Role Privilege Application

Custom Role privileges affect different areas of the Tenable One platform. The following tables describe the actions each privilege option can perform in their respective platform application.

Note: When creating a custom role, you must enable the application for use before you can select these privileges. For more information, see Create a Custom Role.

If you disable a user's access to an application:

Tenable removes the application from the Home page within Tenable Exposure Management.
All fields/tabs related to the application are disabled, including in the Inventory, Assets, and Asset Details views in Tenable Exposure Management.

Platform Custom Role Privilege Application

User Interface Section	Privilege Options	Actions Privilege Can Perform
Assets	Read (Enabled by Default)	View your assets across the platform, including: The Assets page Asset details
Findings	Read (Enabled by Default)	View your findings across the platform, including: The Findings page Finding details
My Account	Read (Enabled by Default)	View your account details on the My Account page, including: The groups to which you belong The permissions assigned to your account The API keys page
My Account	Manage	Manage your account details on the My Account page, including: Your general account information Your password Enable two factor authentication Generate API keys
Access Control	Read	View Access Control data, including: The Groups page and all data therein The Permissions page and all data therein The Roles page and all data therein The API Access Security page and all data therein
Access Control	Manage	Manage Access Control configurations, including: Groups Create, edit, or delete a group Export your list of groups Permissions Create, edit, or delete permission configurations Add or remove a permission configuration from a user or group Export your list of permission configurations Roles Create, duplicate, edit, or delete a custom role Export your list of roles Edit allowed IP addresses on the API Access Security page
Access Control Users	Read	View the Users page and all data therein.
Activity Log	Read	View the Activity Logs page and all data therein.
General Settings	Read	View the General Settings page and all data therein.
General Settings	Manage	Configure options on the General Settings page, including: Severity metric Service-Level Agreement metric Plugin Language Default Export Expiration Plugin Output Search Email Allow List
License Information	Read	View the License Information page and all data therein

Tenable Exposure Management Custom Role Privilege Application

User Interface Section	Privilege Options	Actions Privilege Can Perform
Exposure Signals	Read (Enabled by Default)	View the Exposure Signals page and all data therein
Exposure Signals	Write	Manage exposure signals, including: Add, edit, or duplicate a custom exposure signal Edit the priority of a built-In exposure signal Archive or delete a custom exposure signal
Inventory	Read (Enabled by Default)	View the Inventory page, its sub-pages, and all data therein, including: Assets View Asset Details Weaknesses View Weakness Details Findings View Findings Details Software View Software Details
Inventory	Write	Manage data in the Inventory section, including: Export data from any Inventory sub-page Save bookmarks Create a tag or exposure signal based off of the asset list
Analytics > Dashboards	Read	View the Dashboards page and all data therein View the Dashboard Overview page
Analytics > Dashboards	Write	Manage dashboards, including: Create, edit, and delete custom dashboards Make a copy of a dashboard Change the privacy of a custom dashboard Export dashboard data
Analytics > Exposure View	Read	View the Exposure View page and all data therein
	Write	Manage the Exposure View page, including: Comment on the Exposure View page and view comment notifications Export a section or all of the Exposure View page Configure Exposure View page settings
	Enable Built-In Card	View the Built-in Cards section of the Exposure Card Library.
Attack Path Important! To access the Attack Path section of Tenable Exposure Management, you must enable the Can View permission for All Assets. Note that this overrides and disables the ability to enforce specific tag permissions for this user in other parts of Tenable Exposure Management. For more information, see Permissions.	Read (Enabled by Default) Note: If a user does not have access to a specific node or asset, they can see it on the page but cannot view or access any of its details.	View the Attack Path page, its sub-pages, and all data therein, including: Dashboard Top Attack Paths Top Attack Techniques Top Attack Technique Details MITRE ATT&CK Heatmap
	Write	Manage attack techniques, including: Change the status of an attack technique Export, archive/un-archive, or bookmark an attack technique Add and view comments on an attack technique View the log history for an attack technique Share an attack technique
Tags	Read (Enabled by Default)	View the Tags page and all data therein, including: View Tag Details
Tags	Write	Manage tags, including: Create, edit, or delete a tag
Connectors	Read (Enabled by Default)	View the Connectors page and all data therein
Connectors	Write	Manage connectors, including: Add, edit, or delete a connector View connector status and logs Schedule connector sync time Disable or enable a connector

Tenable Attack Surface Management Custom Role Privilege Application

User Interface Section	Privilege Options	Actions Privilege Can Perform
Business	Manage	Admin Dashboard — View and manage users, inventory, and business details, including: Add users Edit Inventory details Edit Business details Subscriptions — View and manage Subscriptions, including: Add or create subscriptions Share, copy, or delete subscriptions Create alerts for subscriptions Suggestions — View and manage Suggestions, including: Add suggested domains to an inventory Archive suggested domains Add suggestion blocklist items Add source-based suggestions Activity Logs — View and manage Activity Logs. TXT Records — View and manage TXT Records. Reports — View and manage Reports, including: Add, edit, or delete a report Run a report View report details
Cloud Connectors	Manage	View and manage your cloud Integrations, including: Add, edit, or delete integrations
Inventory	Manage	View and manage your inventory from the Explore > Inventory page and all data therein, including: View assets and asset details in your inventory View asset attribution Manage asset tags Move or copy assets to another inventory Export or archive assets Create an Advanced Network Scan Create Web Application Scan Create, configure, or leave an inventory Manage Inventory Sources, Exclusion Rules, or Automation Rules Search for, filter, copy-to-clipboard, and group assets in your inventory

User Interface Section

Privilege Options

Actions Privilege Can Perform

Business

Manage

Admin Dashboard — View and manage users, inventory, and business details, including:

Add users
Edit Inventory details
Edit Business details

Subscriptions — View and manage Subscriptions, including:

Add or create subscriptions
Share, copy, or delete subscriptions
Create alerts for subscriptions

Suggestions — View and manage Suggestions, including:

Add suggested domains to an inventory
Archive suggested domains
Add suggestion blocklist items
Add source-based suggestions

Activity Logs — View and manage Activity Logs.

TXT Records — View and manage TXT Records.

Reports — View and manage Reports, including:

Add, edit, or delete a report
Run a report
View report details

Cloud Connectors

Manage

View and manage your cloud Integrations, including:

Add, edit, or delete integrations

Inventory

Manage

View and manage your inventory from the Explore > Inventory page and all data therein, including:

View assets and asset details in your inventory
View asset attribution
Manage asset tags
Move or copy assets to another inventory
Export or archive assets
Create an Advanced Network Scan
Create Web Application Scan
Create, configure, or leave an inventory
Manage Inventory Sources, Exclusion Rules, or Automation Rules
Search for, filter, copy-to-clipboard, and group assets in your inventory

Tenable Vulnerability Management Custom Role Privilege Application

User Interface Section	Privilege Options	Actions Privilege Can Perform
Vulnerability Management
Dashboards	Manage	Manage your dashboards, including: Create, edit, or delete a dashboard Filter, rename, duplicate, or set a default dashboard Manage dashboard exports
Dashboards	Share	Share one or more dashboards with other Tenable Vulnerability Management users.
Export	Manage Own	Scheduled Exports — Manage your own scheduled exports, including: Edit or delete a scheduled export Enable or disable a scheduled export Export Activity — Manage your own export activity, including: Filter your export activity list Download or export your export activity list Renew an export expiration date Stop or delete an export
Export	Manage All	Scheduled Exports — Manage all scheduled exports within your container, including: Edit or delete a scheduled export Enable or disable a scheduled export Export Activity — Manage all export activity within your container, including: Filter the export activity list Download or export the export activity list Renew an export expiration date Stop or delete an export
Recast/Accept Rule	Read	View the Recast page and all data therein, including: Recast rule details Recast columns Recast filters
Recast/Accept Rule	Manage	Manage recast and accept rules, including: Add or edit recast/accept rules Disable or delete recast/accept rules
Tags	Read	View the Tags page and all data therein, including: Categories Values
Scan
Nessus/Agent Scan	Read	View scan configurations and results.
	Manage	Create, edit, delete, and launch Nessus scanner or agent scans.
	Submit PCI	Submit a completed PCI scan to Tenable's ASV (Approved Scanning Vendor) team for validation and attestation.
Scan Exclusion	Read	View targets that are excluded from scans.
Scan Exclusion	Manage	Create, edit, and delete scan exclusions.
Shared Collections	Read	View shared collections.
Shared Collections	Manage	Manage shared collections, including: Create, edit, or delete a shared collection Add or remove scans from a shared collection
Tenable-Provided Scan Template	User	Select and apply a built-in Tenable scan template (for example, "Basic Network Scan") to a new scan they are creating. Users cannot modify the Tenable template itself.
User-Defined Scan Template	Read	View the settings of a scan template created by another user.
User-Defined Scan Template	Manage	Create, edit, and delete custom scan templates.
Managed Credential	Read	View and select existing managed credentials to use them in a scan. This does not let the user see the actual password or secret.
Managed Credential	Manage	Create, edit, and delete the managed credentials stored in the platform's vault.
Target Group	Read	View existing target groups (saved lists of assets/IPs) and select them as a target when configuring a scan.
Target Group	Manage	Create, edit, and delete target groups.
Sensors
Agent	Read	View agents and agent groups. This allows a user to see the list of linked agents and agent groups. They can view details like agent status and linking keys. They cannot edit agent group settings, unlink agents, or use the agent groups in a scan.
Scanner	Read	View scanners and scanner groups. This allows a user to see all linked scanners, cloud scanners, and scanner groups. They can view scanner status, version, and configuration details. They cannot edit scanner settings, delete scanners, or use the scanners in a scan.

Tenable Web App Scanning Custom Role Privilege Application

User Interface Section	Privilege Options	Actions Privilege Can Perform
Assets	Create	Create a web application.
Web Application Scan	Read	View scan configurations and results.
	Manage	Manage web application scans, including: Create, launch, edit, or delete web application scans Copy a scan Export scan results
	Import	Import a web application scan.
	Submit PCI	Submit a completed PCI scan to Tenable's ASV (Approved Scanning Vendor) team for validation and attestation.
Tenable-Provided Scan Template	User	Select and apply a built-in Tenable scan template (for example, "Basic Network Scan") to a new scan they are creating. Users cannot modify the Tenable template itself.
Managed Credential	Read	View and select existing managed credentials to use them in a scan. This does not let the user see the actual password or secret.
Managed Credential	Manage	Create, edit, and delete the managed credentials stored in the platform's vault.
Recast/Accept Rule	Read	View the Recast page and all data therein, including: Recast rule details Recast columns Recast filters
Recast/Accept Rule	Manage	Manage recast and accept rules, including: Add or edit recast/accept rules Disable or delete recast/accept rules
User-Defined Scan Template	Read	View the settings of a scan template created by another user.
User-Defined Scan Template	Manage	Create, edit, and delete custom scan templates.