Scan Permissions Migration

System target group permissions that controlled whether users can scan specified targets have been migrated to access groups.

Note: Tenable plans to deprecate access groups in the near future. Currently, you can still create and manage access groups. However, Tenable recommends that you instead use permissions to manage user and group access to resources on your Tenable Vulnerability Management instance.

This migration affects your existing Tenable Vulnerability Management configuration as follows:

Component Action
Existing access group

Tenable Vulnerability Management:

  • Updates any existing access group to an access group of the Manage Assets type.
  • Replaces the All Users toggle with a default All Users group.
  • Assigns Can View permissions to any existing users or user groups that currently have view access.

Existing system target groups

For each existing system target group, Tenable Vulnerability Management:

  • Creates a new access group with a type of Scan Targets. This access group specifies the same scan targets as the existing system target group. Tenable Vulnerability Management lists migration as the owner of the migrated access groups.
  • Moves any user with Can Scan permissions in the system target group to the new access group, and assigns the user Can Scan permissions for that access group. To ensure users can view results for the targets, configure Can View permissions for users in the access group.

Note: This migration does not delete existing system target groups. The migration removes only the Can Scan permissions from the system target groups.

Note: If, at the time of migration, an existing target group includes scan permissions, a Scan label may appear for the group in the Permissions column of the target groups table in the new Tenable Vulnerability Management user interface. This label indicates historical scan permissions only; access groups specify the current scan permissions.

Existing scan configurations, dashboard filters, and saved searches

Existing scan configurations retain the system target group as a target setting. Existing dashboard filters and saved searches retain the system target group as a filter setting. If you have Can Use permissions for a system target group, you can continue to use the system target group to specify a group of targets in a scan configuration and to use the system target group in filters for dashboards and searches. However, to specify which users can view scan results for the targets, configure Can View permissions in the appropriate access group.