Configure User Permissions for an Access Group

Tenable is retiring access groups. Moving forward, Tenable recommends that you use permissions to manage user and group access to resources on your Tenable Vulnerability Management instance and that you convert your existing access groups into permission configurations. For more information, see Transition to Permission Configurations.

Required User Role: Administrator

You can configure access group permissions for individual users or a user group. If you configure access group permissions for a group, you assign all users in that group the same permissions. For more information, see User Groups.

You can assign the following access group permissions to a user or user group:

• No Access — (All Users user group only) No users (except for users or groups you specifically assign permissions) can scan the assets or targets specified in the access group. Also, no users can view related individual or aggregated scan results for the specified assets or targets.
• Can View — The user's view in aggregated scan results (workbenches/dashboards) includes data from scans of the assets or targets specified in the access group. If you assign this permission to the All Users group for the access group, all users can view aggregated scan results for the assets or targets in the access group.
• Can Scan — Users can scan assets or targets specified in the access group and view individual scan results for the assets or targets. If you do not have this permission, Tenable Vulnerability Management does not prevent you from configuring a scan using assets or targets specified in the access group; however, the scanner does not scan the assets or targets. If you assign this permission to the All Users group for the access group, all users can scan the assets or targets in the access group and view the related individual scan results.

User permissions in an access group are cumulative, rather than hierarchical. To allow a user to scan an asset or target and view results for that asset or target in aggregated results, you must set the user's permissions in the access group to both Can View and Can Scan.

Tip: To run scans auditing cloud infrastructure, configure a Scan Target access group that includes the target 127.0.0.1, and set user permissions to Can Scan.

To configure user permissions for an access group:

1. Create or edit an access group.

2. In the Users & Groups section, do any of the following:

   • Edit permissions for the All Users user group.

     The default values for the All Users user group depends on the access group:

     • For the All Assets access group, Tenable Vulnerability Management assigns Can View and Can Scan permissions to the All Users group by default. Tenable recommends you restrict these permissions during initial configuration.
     • For all other access groups, Tenable Vulnerability Management assigns No Access permissions to the All Users group by default. For these access groups, set permissions for the All Users group as follows:

     1. Next to the permission drop-down for the All Users group, click the button.

     2. Click Can View.

     3. Next to the permission drop-down, click the button again.

     4. Click Can Scan.
     5. Click Save.

        Tenable Vulnerability Management allows any user to view or scan the assets or targets in the group.

   • Add a user to the access group.

     1. In the search box, type the name of a user or group.

        As you type, a filtered list of users and groups appears.

     2. Select a user or group from the search results.

        Tenable Vulnerability Management adds the user to the access group with the default Can View permissions and adds the related label to the user listing.

     3. (Optional) Add Can Scan permissions for the user.

        1. Next to the permission drop-down for the user or group, click the button.

        2. Click Can Scan.

           Tenable Vulnerability Management adds a Can Scan label to the user listing.

     4. Click Save.

        Tenable Vulnerability Management adds the user to the access group.

   • Add permissions for an existing user.

     1. Locate the user or group you want to edit.
     2. Next to the permission drop-down for the user or group, click the button.

     3. Click Can View or Can Scan as appropriate.

        Tenable Vulnerability Management adds a label representing the new permission to the user listing.

     4. Click Save.

        Tenable Vulnerability Management saves your changes to the access group.

   • Remove permissions from an existing user.

     1. Locate the user or group you want to edit.
     2. In the label representing the permission you want to remove, click the  button.

        Tenable Vulnerability Management removes the permission label from the user listing.

        If you remove the last permission for the All Users group, Tenable Vulnerability Management sets the group permissions to No Access.

        If you remove the last permission for an individual user or group, Tenable Vulnerability Management prompts you to remove the user from the access group.

   • Remove a user from the access group.

     1. Click the button next to the user or user group you want to delete.

        The user or group disappears from the Users & Groups list.

     2. Click Save.

        Tenable Vulnerability Management saves your changes to the access group.