Permissions

Tenable Web App Scanning allows you to create and manage configurations that determine which users on your organization's account can perform specific actions with the organization's resources and data. This documentation refers to these configurations as permission configurations (a configuration that administrators can create to determine what actions certain users and groups can perform with a given set of resources).

On the My Accounts page, each user can view the permission configurations assigned to them. However, only administrator users can view or manage permission configurations for other users. For more information, see Tenable-Provided Roles and Privileges.

When you create a user or user group, you can assign existing permission configurations to them for assets that meet the criteria specified by a previously created tag. In Tenable Web App Scanning, these assets and the tags that define them are called objects (in a permission configuration, an asset and the tag that defines it).

Roles vs. Permissions: What's the difference?
  • Roles — Roles allow you to manage privileges for major functions in Tenable Web App Scanning and control which Tenable Web App Scanning modules and functions users can access.
  • Permissions — Permissions allow you to manage access to your own data, such as Tags, Assets, and their Findings.

When you create a permission configuration, you must select one or more of the following predefined permissions. These permissions determine the actions users can take with the object or objects defined in the permission configuration.

Permission    Description

Can View
    Allows a user or group with this permission to view the assets defined by the object.

Can Scan
    Allows a user or group with this permission to scan the assets defined by the object.

    Note: For a manually entered target to be considered valid, one of the following must be true:
      • The user is an administrator, OR
      • The user has at least Scan Operator role privileges, AND one of the following applies:
          • If the target does not exist within the Tenable Web App Scanning system, the user has CanScan permissions on an object that refers to the target explicitly via IPv4, IPv6, or FQDN. If the object has more than one rule, the rules must be joined by the "Match Any" filter.
          • If the target already exists within the Tenable Web App Scanning system, it is tagged by an object for which the user has CanScan permissions.

Can Edit
    Allows a user or group with this permission to edit the tag that defines the object.

Can Use
    Allows a user or group with this permission to use the tag that defines the object.
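The Can Scan note above is effectively a decision procedure: administrator, or Scan Operator plus an object-level CanScan grant whose form depends on whether the target is already known to the system. The following Python is an added example, not Tenable's code or API. It models that procedure as an auditable authorization check, returning the reason alongside the verdict so a reviewer can see which branch granted or denied the scan. The PermissionObject and User classes, the ROLE_RANK ordering, and the sample objects, addresses and host names are constructed assumptions for the demonstration.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Hypothetical role ordering (assumption): the note only says the user needs
# "at least Scan Operator role privileges".
ROLE_RANK = {"basic": 0, "scan_operator": 1, "administrator": 2}


@dataclass
class PermissionObject:
    """A tag-defined object plus the permissions granted on it (constructed model)."""
    name: str
    rules: list[str]                      # explicit IPv4 / IPv6 / FQDN values in the tag
    match_any: bool = True                # rules joined by "Match Any" (True) or "Match All" (False)
    permissions: set[str] = field(default_factory=set)    # e.g. {"CanScan", "CanView"}
    tagged_assets: set[str] = field(default_factory=set)  # assets already in the system that this tag matches


@dataclass
class User:
    name: str
    role: str
    objects: list[PermissionObject]


def normalize_target(target: str) -> str:
    """Canonicalise so '2001:0db8::1' and '2001:db8::1' compare equal and FQDNs are case-insensitive."""
    try:
        return ipaddress.ip_address(target.strip()).compressed
    except ValueError:
        return target.strip().lower().rstrip(".")


def refers_explicitly(obj: PermissionObject, target: str) -> bool:
    """True if the tag names the target directly and, with several rules, joins them by Match Any."""
    rules = {normalize_target(r) for r in obj.rules}
    if normalize_target(target) not in rules:
        return False
    return len(rules) == 1 or obj.match_any


def can_scan_manual_target(user: User, target: str, known_assets: set[str]) -> tuple[bool, str]:
    """Apply the note's criteria in order; returns (allowed, reason) so the decision is auditable."""
    if user.role == "administrator":
        return True, "administrator"
    if ROLE_RANK.get(user.role, -1) < ROLE_RANK["scan_operator"]:
        return False, "role below Scan Operator"
    norm = normalize_target(target)
    scan_objects = [o for o in user.objects if "CanScan" in o.permissions]
    if norm in {normalize_target(a) for a in known_assets}:
        # Target already exists: it must be tagged by an object the user can scan.
        for o in scan_objects:
            if norm in {normalize_target(a) for a in o.tagged_assets}:
                return True, f"existing target tagged by object '{o.name}'"
        return False, "existing target is not tagged by any CanScan object"
    # Target is new: an object must refer to it explicitly (Match Any if it has several rules).
    for o in scan_objects:
        if refers_explicitly(o, target):
            return True, f"new target named explicitly by object '{o.name}'"
    return False, "no CanScan object refers to the new target explicitly"


# Constructed sample data (documentation address ranges and .test names, not real hosts).
WEB_PROD = PermissionObject("web-prod", ["203.0.113.10", "App.Example.Test", "2001:0db8::0001"],
                            match_any=True, permissions={"CanScan", "CanView"},
                            tagged_assets={"203.0.113.10"})
STAGING = PermissionObject("staging", ["198.51.100.7", "stage.example.test"],
                           match_any=False, permissions={"CanScan"})
VIEW_ONLY = PermissionObject("view-only", ["192.0.2.5"], permissions={"CanView"},
                             tagged_assets={"192.0.2.5"})

KNOWN_ASSETS = {"203.0.113.10", "192.0.2.5"}
ADMIN = User("alice", "administrator", [])
OPERATOR = User("bob", "scan_operator", [WEB_PROD, STAGING, VIEW_ONLY])
BASIC = User("carol", "basic", [WEB_PROD])

if __name__ == "__main__":
    cases = [(ADMIN, "anything.example.test"), (OPERATOR, "203.0.113.10"),
             (OPERATOR, "app.example.test"), (OPERATOR, "2001:db8::1"),
             (OPERATOR, "198.51.100.7"), (OPERATOR, "192.0.2.5"), (BASIC, "203.0.113.10")]
    for user, target in cases:
        allowed, why = can_scan_manual_target(user, target, KNOWN_ASSETS)
        print(f"{user.name:6} {target:22} {'ALLOW' if allowed else 'DENY':5} {why}")
```

Two cases are worth noting when reading the output: the staging object names 198.51.100.7 explicitly but joins its two rules with Match All, so the new target is denied; and 192.0.2.5 is a known asset tagged only by a CanView object, so the operator can see it but not scan it.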

To view your permission configurations in Tenable Web App Scanning:

  1. In the upper-left corner, click the Menu button.

    The left navigation plane appears.

  2. In the left navigation plane, click Settings.

    The Settings page appears.

  3. Click the Access Control tile.

    The Access Control page appears. On this page, you can control user and group access to resources in your Tenable Web App Scanning account.

  4. Click the Permissions tab.

    The Permissions tab appears. This tab contains a table that lists all of the permission configurations on your Tenable Web App Scanning instance.

    Note: The first row of the permissions table contains a read-only entry for Administrators. This entry exists to remind you that Administrators have all permissions for every resource on your account. For more information, see Roles.

On the Permissions tab, you can perform the following actions: