Custom Role Privilege Application

Custom role privileges affect different areas of the Tenable One platform. The following tables describe the actions each privilege option can perform in their respective platform application.

Note: When creating a custom role, you must enable the application for use before you can select these privileges. For more information, see Create a Custom Role.

If you disable a user's access to an application:

Tenable removes the application from the Home page within Tenable Exposure Management.
All fields/tabs related to the application are disabled, including in the Inventory, Assets, and Asset Details views in Tenable Exposure Management.

Platform Custom Role Privilege Application

User Interface Section	Privilege Options	Actions Privilege Can Perform
Assets	Read (Enabled by Default) Note: To view Asset Criticality Rating and Asset Exposure Score metrics, a user must also have Lumin application access enabled.	View your assets across the platform, including: The Assets page Asset details
Findings	Read (Enabled by Default)	View your findings across the platform, including: The Findings page Finding details
My Account	Read (Enabled by Default)	View your account details on the My Account page, including: The groups to which you belong The permissions assigned to your account The API keys page
My Account	Manage	Manage your account details on the My Account page, including: Your general account information Your password Enable two factor authentication Generate API keys
Access Control	Read	View Access Control data, including: The Groups page and all data therein The Permissions page and all data therein The Roles page and all data therein The API Access Security page and all data therein
Access Control	Manage	Manage Access Control configurations, including: Groups Create, edit, or delete a group Export your list of groups Permissions Create, edit, or delete permission configurations Add or remove a permission configuration from a user or group Export your list of permission configurations Roles Create, duplicate, edit, or delete a custom role Export your list of roles Edit allowed IP addresses on the API Access Security page
Access Control Users	Read	View the Users page and all data therein.
Activity Log	Read	View the Activity Logs page and all data therein.
General Settings	Read	View the General Settings page and all data therein.
General Settings	Manage	Configure options on the General Settings page, including: Severity metric Service-Level Agreement metric Plugin Language Default Export Expiration Plugin Output Search Email Allow List
License Information	Read	View the License Information page and all data therein
Tags	Read	View the Tags page and all data therein, including: Categories Values
Target Group	Read	View existing target groups (saved lists of assets/IPs) and select them as a target when configuring a scan.
Target Group	Manage	Create, edit, and delete target groups.
Export	Manage Own	Scheduled Exports — Manage your own scheduled exports, including: Edit or delete a scheduled export Enable or disable a scheduled export Export Activity — Manage your own export activity, including: Filter your export activity list Download or export your export activity list Renew an export expiration date Stop or delete an export
Export	Manage All	Scheduled Exports — Manage all scheduled exports within your container, including: Edit or delete a scheduled export Enable or disable a scheduled export Export Activity — Manage all export activity within your container, including: Filter the export activity list Download or export the export activity list Renew an export expiration date Stop or delete an export
Hexa AI
Vulnerability Management	Use	Use the Hexa AI assistant

Tenable Exposure Management Custom Role Privilege Application

User Interface Section	Privilege Options	Actions Privilege Can Perform
Exposure Signals	Read (Enabled by Default)	View the Exposure Signals page and all data therein
Exposure Signals	Write	Manage exposure signals, including: Add, edit, or duplicate a custom exposure signal Edit the priority of a built-In exposure signal Archive or delete a custom exposure signal
Inventory	Read (Enabled by Default) Note: To view Asset Criticality Rating and Asset Exposure Score metrics, a user must also have Lumin application access enabled.	View the Inventory page, its sub-pages, and all data therein, including: Assets View Asset Details Weaknesses View Weakness Details Findings View Findings Details Software View Software Details
Inventory	Write	Manage data in the Inventory section, including: Export data from any Inventory sub-page Save bookmarks Create a tag or exposure signal based off of the asset list
Analytics > Dashboards	Read	View the Dashboards page and all data therein View the Dashboard Overview page
Analytics > Dashboards	Write	Manage dashboards, including: Create, edit, and delete custom dashboards Make a copy of a dashboard Change the privacy of a custom dashboard Export dashboard data
Analytics > Exposure View	Read	View the Exposure View page and all data therein
	Write	Manage the Exposure View page, including: Comment on the Exposure View page and view comment notifications Export a section or all of the Exposure View page ConfigureExposure View page settings
	Enable Built-In Card	View the Built-in Cards section of the Exposure Card Library.
Attack Path Important! To access the Attack Path section of Tenable Exposure Management, you must enable the Can View permission for All Assets. Note that this overrides and disables the ability to enforce specific tag permissions for this user in other parts of Tenable Exposure Management. For more information, see Permissions.	Read (Enabled by Default) Note: If a user does not have access to a specific node or asset, they can see it on the page but cannot view or access any of its details.	View the Attack Path page, its sub-pages, and all data therein, including: Dashboard Top Attack Paths Top Attack Techniques Top Attack Technique Details MITRE ATT&CK Heatmap
	Write	Manage attack techniques, including: Change the status of an attack technique Export, archive/un-archive, or bookmark an attack technique Add and view comments on an attack technique View the log history for an attack technique Share an attack technique
Tags	Read (Enabled by Default)	View the Tags page and all data therein, including: View Tag Details
Tags	Write	Manage tags, including: Create, edit, or delete a tag
Connectors	Read (Enabled by Default)	View the Connectors page and all data therein
Connectors	Write	Manage connectors, including: Add, edit, or delete a connector View connector status and logs Schedule connector sync time Disable or enable a connector

Tenable Attack Surface Management Custom Role Privilege Application

User Interface Section	Privilege Options	Actions Privilege Can Perform
Business	Manage	Admin Dashboard — View and manage users, inventory, and business details, including: Add users Edit Inventory details Edit Business details Subscriptions — View and manage Subscriptions, including: Add or create subscriptions Share, copy, or delete subscriptions Create alerts for subscriptions Suggestions — View and manage Suggestions, including: Add suggested domains to an inventory Archive suggested domains Add suggestion blocklist items Add source-based suggestions Activity Logs — View and manage Activity Logs. TXT Records — View and manage TXT Records. Reports — View and manage Reports, including: Add, edit, or delete a report Run a report View report details
Cloud Connectors	Manage	View and manage your cloud Integrations, including: Add, edit, or delete integrations
Inventory	Manage	View and manage your inventory from the Explore > Inventory page and all data therein, including: View assets and asset details in your inventory View asset attribution Manage asset tags Move or copy assets to another inventory Export or archive assets Create an Advanced Network Scan Create Web Application Scan Create, configure, or leave an inventory Manage Inventory Sources, Exclusion Rules, or Automation Rules Search for, filter, copy-to-clipboard, and group assets in your inventory

User Interface Section

Privilege Options

Actions Privilege Can Perform

Business

Manage

Admin Dashboard — View and manage users, inventory, and business details, including:

Add users
Edit Inventory details
Edit Business details

Subscriptions — View and manage Subscriptions, including:

Add or create subscriptions
Share, copy, or delete subscriptions
Create alerts for subscriptions

Suggestions — View and manage Suggestions, including:

Add suggested domains to an inventory
Archive suggested domains
Add suggestion blocklist items
Add source-based suggestions

Activity Logs — View and manage Activity Logs.

TXT Records — View and manage TXT Records.

Reports — View and manage Reports, including:

Add, edit, or delete a report
Run a report
View report details

Cloud Connectors

Manage

View and manage your cloud Integrations, including:

Add, edit, or delete integrations

Inventory

Manage

View and manage your inventory from the Explore > Inventory page and all data therein, including:

View assets and asset details in your inventory
View asset attribution
Manage asset tags
Move or copy assets to another inventory
Export or archive assets
Create an Advanced Network Scan
Create Web Application Scan
Create, configure, or leave an inventory
Manage Inventory Sources, Exclusion Rules, or Automation Rules
Search for, filter, copy-to-clipboard, and group assets in your inventory

Tenable Vulnerability Management Custom Role Privilege Application

Note: If you grant the Export privilege within any section, you automatically grant the user access to the Exports page and the related export data.

User Interface Section	Privilege Options	Actions Privilege Can Perform
Dashboards	Read	View your dashboards and their related data.
	Full Write	Fully manage your dashboards, including the privileges associated with Create, Delete, Edit, Export, and Share.
	Create	Create a dashboard.
	Edit	Edit a dashboard.
	Delete	Delete a dashboard.
	Export	Export a dashboard or dashboard widget.
	Share	Share one or more dashboards with other Tenable Vulnerability Management users.
Scans > Nessus/Agent Scan	Read (Enabled by default)	View your Tenable Nessus and Tenable Agent scans.
	Full Write	Fully manage your Tenable Nessus and Tenable Agent scans, including the privileges associated with Create, Delete, Edit, Export, Launch, and Submit PCI.
	Create	Create a Tenable Nessus or Tenable Agent scan.
	Delete	Delete a Tenable Nessus or Tenable Agent scan.
	Edit	Edit a Tenable Nessus or Tenable Agent scan.
	Export	Export a Tenable Nessus or Tenable Agent scan.
	Launch	Launch a Tenable Nessus or Tenable Agent scan.
	Submit PCI	Submit a Tenable Nessus or Tenable Agent scan for PCI ASV validation. Tip: For more information about PCI ASV validation, see the Tenable PCI ASV User Guide.
Scans > Shared Collections	Read (Enabled by default)	View your shared collections.
	Full Write	Fully manage your shared collections, including the privileges associated with Create, Delete, and Edit.
	Create	Create a shared collection.
	Delete	Delete a shared collection.
	Edit	Edit a shared collection.
Scans > Scan Exclusion	Read (Enabled by default)	View your scan exclusions.
	Full Write	Fully manage your shared collections, including the privileges associated with Create, Delete, Edit, and Export.
	Create	Create a scan exclusion.
	Delete	Delete a scan exclusion.
	Edit	Edit a scan exclusion.
	Export	Export a scan exclusion.
Scans > User-Defined Scan Template	Read (Enabled by default)	View your user-defined scan templates.
	Full Write	Fully manage your user-defined scan templates, including the privileges associated with Create, Delete, Edit, and Export.
	Create	Create a user-defined scan template.
	Delete	Delete a user-defined scan template.
	Edit	Edit a user-defined scan template.
	Export	Export a user-defined scan template.
Scans > Tenable-Provided Scan Template	Read (Enabled by default)	View all Tenable-provided scan templates.
Scans > Managed Credential	Read (Enabled by default)	View your managed credentials.
	Full Write	Fully manage your managed credentials, including the privileges associated with Create, Delete, Edit, and Export.
	Create	Create a managed credential.
	Delete	Delete a managed credential.
	Edit	Edit a managed credential.
	Export	Export a managed credential.
Vulnerability Intelligence	Read	View data on the Vulnerability Intelligence page.
	Full Write	Fully manage items in Vulnerability Intelligence, including the privileges associated with Export.
	Export	Export findings or assets from the Vulnerability Intelligence page.
Exposure Response	Read (Enabled by default)	View data on the Exposure Response page and its sub-pages.
	Full Write (Enabled by default)	Fully manage your exposure response initiatives, including the privileges associated with Create, Delete, Edit, and Export.
	Create (Enabled by default)	Create an exposure response initiative, combination, or report card.
	Delete (Enabled by default)	Delete an exposure response initiative.
	Edit (Enabled by default)	Edit an exposure response initiative.
	Export (Enabled by default)	Export exposure response initiative activity.
Explore	Read	View data on the Explore page and its sub-pages.
	Full Write	Fully manage your Explore findings and assets, including the privileges associated with Delete, Edit ACR, and Export.
	Delete	Delete an asset.
	Edit ACR	Edit the ACR of an asset.
	Export	Export data from the Assets and Findings tabs.
Sensors > Nessus Scanner	Read	View Nessus scanner data on the Sensors page and its sub-pages.
	Full Write	Fully manage your Nessus scanners, including the privileges associated with Delete, Edit, and Export.
	Delete	Delete a Nessus scanner.
	Edit	Edit a Nessus scanner.
	Export	Export linked Nessus scanners.
Sensors > Nessus Agent	Read	View Nessus Agent data on the Sensors page and its sub-pages.
	Full Write	Fully manage your Nessus Agents, including the privileges associated with Delete, Edit, and Export.
	Delete	Delete a Nessus Agent.
	Edit	Edit a Nessus Agent.
	Export	Export linked Nessus Agents.
Sensors > Agent Group	Read	View agent group data on the Sensors page and its sub-pages.
	Full Write	Fully manage your agent groups, including the privileges associated with Delete, Edit, and Export.
	Delete	Delete an agent group.
	Edit	Edit an agent group.
	Create	Create an agent group.
Sensors > Web Application Scanner	Read	View Web Application scanner data on the Sensors page and its sub-pages.
	Full Write	Fully manage your Web Application scanners, including the privileges associated with Delete, Edit, and Export.
	Delete	Delete a Web Application scanner.
	Edit	Edit a Web Application scanner.
	Export	Export linked Web Application scanners.
Sensors > Nessus Network Monitor	Read	View Nessus Network Monitor data on the Sensors page and its sub-pages.
	Full Write	Fully manage your Nessus Network Monitors, including the privileges associated with Delete, Edit, and Export.
	Delete	Delete a Nessus Network Monitor.
	Edit	Edit a Nessus Network Monitor.
	Export	Export linked Nessus Network Monitors.
Sensors > Scanner Group	Read	View scanner group data on the Sensors page and its sub-pages.
	Full Write	Fully manage your scanner groups, including the privileges associated with Delete, Edit, Export, and Create.
	Delete	Delete a scanner group.
	Edit	Edit a scanner group.
	Export	Export scanner group data.
	Create	Create a scanner group.
Sensors > Network	Read	View your networks and their associated data.
	Full Write	Fully manage your network data, including the privileges associated with Delete, Edit, Export, and Create.
	Delete	Delete a network.
	Edit	Edit a network.
	Export	Export network data.
	Create	Create a network.
Sensors > Linking Key	Read	View your linking keys. Important! To view a linking key for a sensor, you must have privileges to view data for that sensor type. For example, to view a Nessus linking key, you must have Sensor > Nessus Scanner permissions enabled for your account.
Sensors > Linking Key	Create	Create a linking key. Important! To generate a linking key for a sensor, you must have privileges to manage data for that sensor type. For example, to generate a Nessus linking key, you must have Sensor > Nessus Scanner permissions enabled for your account.
Recast	Read	View your recast and accept rules and their associated data.
	Full Write	Fully manage your recast and accept rules, including the privileges associated with Create, Delete, Disable, Edit, and Export.
	Create	Create a recast or accept rule.
	Delete	Delete a recast or accept rule.
	Enable/Disable	Enable/disable a recast or accept rule.
	Edit	Edit a recast or accept rule.
	Export	Export recast or accept rule data.
Reports	Read (Enabled by default)	View your reports and their associated data.
	Full Write	Fully manage your reports, including the privileges associated with Create, Delete, Download, Edit, Generate, Schedule, and Share.
	Create	Create a report.
	Delete	Delete a report.
	Download	Download a generated report.
	Edit	Edit a report.
	Generate	Generate a report.
	Schedule	Schedule a report generation.
	Share	Share one or more reports with other Tenable Vulnerability Management users.
Exports Note: Export (Read, Edit, Disable, Delete) permissions are granted to users either through the TioBackendExportManageOwn permission or through the export permissions within the Tenable Vulnerability Management category. For more information, see Permissions.	Read	View your scheduled exports and their associated data.
	Full Write	Fully manage your scheduled exports, including the privileges associated with Delete, Disable, Edit, and Export.
	Delete	Delete a scheduled export.
	Enable/Disable	Enable/disable a scheduled export.
	Edit	Edit a scheduled export.
Remediation	Read	View your remediation projects, remediation goals, and their related data.
	Full Write	Fully manage your recast and accept rules, including the privileges associated with Create, Delete, Edit, and Export.
	Create	Create a remediation project or remediation goal.
	Delete	Delete a remediation project or remediation goal.
	Edit	Edit a remediation project or remediation goal.
	Export	Export remediation project or remediation goal data.

Tenable Web App Scanning Custom Role Privilege Application

User Interface Section	Privilege Options	Actions Privilege Can Perform
Assets	Create	Create a web application.
Web Application Scan	Read	View scan configurations and results.
	Manage	Manage web application scans, including: Create, launch, edit, or delete web application scans Copy a scan Export scan results
	Import	Import a web application scan.
	Submit PCI	Submit a completed PCI scan to Tenable's ASV (Approved Scanning Vendor) team for validation and attestation.
Tenable-Provided Scan Template	User	Select and apply a built-in Tenable scan template (for example, "Basic Network Scan") to a new scan they are creating. Users cannot modify the Tenable template itself.
Managed Credential	Read	View and select existing managed credentials to use them in a scan. This does not let the user see the actual password or secret.
Managed Credential	Manage	Create, edit, and delete the managed credentials stored in the platform's vault.
Recast/Accept Rule	Read	View the Recast page and all data therein, including: Recast rule details Recast columns Recast filters
Recast/Accept Rule	Manage	Manage recast and accept rules, including: Add or edit recast/accept rules Disable or delete recast/accept rules
User-Defined Scan Template	Read	View the settings of a scan template created by another user.
User-Defined Scan Template	Manage	Create, edit, and delete custom scan templates.

Tenable AI Exposure Custom Role Privilege Application

User Interface Section	Privilege Options	Actions Privilege Can Perform
AI Exposure Admin	Use	Modify settings within the Tenable AI Exposure application.