Welcome to the Tenable Role-Based Access Control Best Practices Guide
This guide explains how to plan, configure, and maintain role-based access control (RBAC) in Tenable Vulnerability Management. It is intended for platform administrators and security team leads who are responsible for managing user access in a shared Tenable One environment.
When multiple users share a Tenable One instance — especially across geographic or business boundaries — controlling who can see and do what becomes critical. Without a deliberate access strategy, users may encounter data they shouldn't see, accidentally modify scan configurations, or submit support tickets for behavior that is working as designed.
This guide walks you through the recommended approach for implementing RBAC effectively: from understanding the core model, to configuring roles and permissions, to applying best practices that keep your access controls secure and maintainable over time.
How to Use This Guide
This guide is organized into four topics. If you are new to RBAC, read them in order. If you are returning to address a specific need, navigate directly to the relevant topic.
| Topic | Description |
|---|---|
| Welcome | You are here. Understand what this guide covers, what RBAC is, and what you need before you begin. |
| Get Started with Role-Based Access Control | Step-by-step configuration: roles, permissions, groups, tags, and users. |
| RBAC Best Practices | Recommendations for scan organization, credential management, and ongoing maintenance. |
| Troubleshooting | Solutions for common access issues, including users seeing unexpected data, scan failures caused by misconfigured groups, and permission configurations that are not behaving as expected. |
What Is RBAC?
Role-based access control (RBAC) is a security model in which access to a system is determined by the roles assigned to users, rather than by individually configured permissions for each user. Tenable implements RBAC through three complementary components:
- Roles — Define what actions a user can perform and which product modules they can access. For example, whether a user can create a scan, manage credentials, or administer other users.
- Permissions — Define which data a user can access. Permissions are always scoped to a set of assets identified by a tag. For example, whether a user can view or scan assets tagged Region:EMEA.
- Tags — Key-value pairs assigned to assets that define the scope a permission applies to. Tags are the mechanism that drives data segmentation in Tenable One.
A useful shorthand: a role answers “what can this user do?” while a permission answers “which assets can they do it on?”
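The following Python model is an added illustration of how the three components combine into a single access decision. It is not Tenable's code or API: the class names, the action strings such as `scan:create`, and the evaluation order are assumptions chosen for this example, and the users, assets and tags are constructed sample data. It shows the two checks that must both pass (the role gates the action, a tag-scoped permission gates the assets) and one caveat worth remembering: an asset with no matching tag is never in scope, regardless of how generous the role is.

```python
from dataclasses import dataclass, field

# Conceptual model of roles, permissions and tags as described above.
# Written for this guide as an illustration; names and structure are
# assumptions, not Tenable's implementation.


@dataclass(frozen=True)
class Tag:
    key: str
    value: str


@dataclass
class Asset:
    name: str
    tags: frozenset = field(default_factory=frozenset)  # set of Tag


@dataclass
class Role:
    """Answers "what can this user do?" (actions and modules)."""
    name: str
    actions: frozenset  # e.g. {"scan:create", "credential:manage"}


@dataclass
class Permission:
    """Answers "on which assets?": rights on every asset carrying `scope`."""
    scope: Tag
    rights: frozenset  # e.g. {"view", "scan"}


@dataclass
class User:
    name: str
    role: Role
    permissions: list  # list of Permission


def can_perform(user: User, action: str) -> bool:
    """Role check only: is the action granted at all?"""
    return action in user.role.actions


def assets_in_scope(user: User, right: str, assets: list) -> list:
    """Permission check only: assets carrying a tag on which `user` holds `right`.
    An untagged asset matches no scope, so it is never returned."""
    scopes = {p.scope for p in user.permissions if right in p.rights}
    return [a for a in assets if a.tags & scopes]


def scannable_assets(user: User, assets: list) -> list:
    """Combined decision: the role must allow creating a scan, and the
    permissions decide which assets that scan may target."""
    if not can_perform(user, "scan:create"):
        return []
    return assets_in_scope(user, "scan", assets)


# Constructed sample data (hypothetical tags, assets, roles and users).
EMEA = Tag("Region", "EMEA")
APAC = Tag("Region", "APAC")

ASSETS = [
    Asset("web-emea", frozenset({EMEA})),
    Asset("db-emea", frozenset({EMEA})),
    Asset("web-apac", frozenset({APAC})),
    Asset("untagged-host"),  # no tags: invisible under any tag-scoped permission
]

SCAN_OPERATOR = Role("Scan Operator", frozenset({"scan:create", "scan:view"}))
ANALYST = Role("Analyst", frozenset({"dashboard:view"}))

# Alice: right role and an EMEA permission with the scan right.
ALICE = User("alice", SCAN_OPERATOR, [Permission(EMEA, frozenset({"view", "scan"}))])
# Bob: same EMEA permission, but a role that cannot create scans.
BOB = User("bob", ANALYST, [Permission(EMEA, frozenset({"view", "scan"}))])
# Carol: can create scans, but only holds a view right, and only on APAC.
CAROL = User("carol", SCAN_OPERATOR, [Permission(APAC, frozenset({"view"}))])


if __name__ == "__main__":
    for user in (ALICE, BOB, CAROL):
        names = [a.name for a in scannable_assets(user, ASSETS)]
        print(f"{user.name} ({user.role.name}) may scan: {names or 'nothing'}")
```

Bob's case is the one that generates support tickets: the permission looks correct, but the role never allowed the action. Carol's case is the opposite, and the untagged host illustrates why a tagging strategy is a prerequisite, since no permission can reach an asset that carries no tag.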
Prerequisites
Before you begin configuring RBAC, confirm the following:
- You have an Administrator role in Tenable Vulnerability Management.
- You have a clear understanding of your organization's team structure — which teams exist, which assets they are responsible for, and what actions they need to perform.
- You have reviewed, or are prepared to review, your organization's existing asset tagging strategy. Tags drive permission scoping, so a well-organized tag structure is essential to effective RBAC.