Tenable-Provided Roles and Privileges

The following tables describe privileges associated with each Tenable-provided user role, organized by function in their respective product.

Note: You can further refine user access to specific resources by assigning permissions to individual users or groups. For more information, see Permissions.

Area	Tenable Web App Scanning-Provided Roles and Privileges
	Administrator	Scan Manager	Standard	Scan Operator	Basic
Activity Logs	view, export	-	-	-	-
API Keys	view, modify	view, modify	view, modify	view, modify	view, modify
Account Settings	view, modify	view, modify	view, modify	view, modify	view, modify
Agents	view, delete	view, delete	-	-	-
Agent Freeze Windows	view, create, modify, delete	view, create, modify, delete	-	-	-
Agent Groups	view, create, modify, delete	view, create, modify, delete	-	-	-
Agent Settings	view, modify	view, modify	-	-	-
Assets	view, modify, export, delete	view, modify, export, delete	view, modify, export, delete	view, modify, export, delete	view, export
Connectors	view, create, modify, delete	-	-	-	-
Dashboards	view, create, modify, export, delete	view, create, modify, export, delete	view, create, modify, export, delete	view, create, modify, export, delete	view, create, modify, export, delete
Exclusions	view, import, export, delete	view, import, export, delete	-	-	-
Exports	view, modify, export, delete	-	-	-	-
Findings	view, export	view, export	view, export	view, export	view, export
General Settings	view, modify	-	-	-	-
Managed Credentials	view, create, modify, delete	view, create, modify, delete	view, create, modify, delete	view, create, modify, delete	view, create, modify, delete
PCI Managing	view, import, export, create, modify, delete	-	-	-	-
Recast Rules	view, create, modify, delete	-	-	-	-
Reports	view, run, create, modify, delete	view, run, create, modify, delete	view, run, create, modify, delete	view, run, create, modify, delete	view
Scans1 User roles determine a user's abilities, but the permissions that a user has for a particular scan are dictated by scan permissions.	view, import, run, create, modify, delete	view, import, run, create, modify, delete	view, import, run, create, modify, delete	view, import, run, create2 Can create scans using existing user-defined policies that are shared with the user., modify, delete	view3 Can view list of scans, but not scan configuration details., import
Scan Results	view, export, delete	view, export, delete	view, export, delete	view, export, delete	view, export, delete
Sensors	view, add, modify, delete	view, add, modify, delete	-	-	-
Scanner Groups	view, create, modify, delete	view, create, modify, delete	-	-	-
Tags4 Assigning and Unassigning tags can be done from the Asset Details page.	view, create tag category, create tag value, delete, export, assign, unassign	view, create tag value, delete, assign, unassign	view, delete, assign, unassign5 Standard users must have the Can Use permission to view, delete, assign, and unassign tags.	view, delete, assign, unassign	view, assign, unassign
User Groups	view, create, modify, delete, export	-	-	-	-
Users	view, create, modify, delete	-	-	-	-

Area	Tenable Web App Scanning-Provided Roles and Privileges
	Administrator	Scan Manager	Standard	Scan Operator	Basic
Dashboards	view, create, modify, delete	view, create, modify, delete	view, create, modify, delete	view, create, modify, delete	view
Tenable-Provided Scan Templates	view, create, modify, delete	view, create, modify, delete	view, create, modify, delete	view	-
Scans (also requires scan permissions)	view, import, create, modify, run, delete	view, import, create, modify, run, delete	view, create, modify, run, delete	view, create6 Can create scans using existing user-defined policies that are shared with the user., modify, run, delete, move to trash	view
Managed Credentials	view, create, modify, delete	view, create, modify, delete	view, create, modify, delete	view, create, modify, delete	view, create, modify, delete
Scan Permissions	view, create, modify, delete7 Administrator users can create, modify, and delete permissions for scans that any user on the account owns.	view, create, modify, delete8 Scan Manager users can create, modify, or delete permissions only on scans they own.	view, create, modify, delete9 Standard users can create, modify, or delete permissions only on scans they own.	view, create, modify, delete10 Scan Operator users can create, modify, or delete permissions only on scans they own.	-
Scan Results (also requires scan permissions)	view, delete	view, delete	view, delete	view, delete	view, delete

Area	Lumin Exposure View-Provided Roles and Privileges
	Administrator	Scan Manager	Standard	Scan Operator	Basic
Settings	manage, read	read	read	read	read
Access to Asset Type	computing resource (host), cloud resource, web application, identity	computing resource (host), cloud resource, web application, identity	computing resource (host), cloud resource, web application, identity	computing resource (host), cloud resource, web application, identity	computing resource (host), cloud resource, web application, identity
Export	manage own	manage own	manage own	manage own	manage own
Exposure Card	create, share, read	create, share, read	create, share, read	share, read	read

Area	Tenable Inventory-Provided Roles and Privileges
	Administrator	Scan Manager	Standard	Scan Operator	Basic
Access to Asset Type	computing resource (host), cloud resource, web application, identity	computing resource (host), cloud resource, web application, identity	computing resource (host), cloud resource, web application, identity	computing resource (host), cloud resource, web application, identity	computing resource (host), cloud resource, web application, identity
Export	manage own	manage own	manage own	manage own	manage own
Tag	create, edit	create, edit	-	-	-

Area	Attack Path Analysis-Provided Roles and Privileges
	Administrator	Scan Manager	Standard	Scan Operator	Basic
Export	manage own	manage own	manage own	manage own	manage own
Finding	manage, read	manage, read	read	read	read
Query	search, save	search, save	search, save	search	search

Area	Tenable Identity Exposure-Provided Roles and Privileges
	Administrator	Custom
Entire Application	Read, Edit, Create	Defined in-application

Area	Tenable Attack Surface Management-Provided Roles and Privileges
	Business Administrator	Active User	View-Only User
Inventory	manage, add, modify, delete	add, modify, leave	view
Suggestions	manage, add, modify, delete	manage, add, modify, delete	view
Subscriptions	manage, add, modify, delete	manage, add, modify, delete	view
Reports	manage, add, modify, delete	manage, add, modify, delete	view
Txt Records	manage, modify, delete	manage, modify, delete	view
User Accounts	manage, modify, delete	-	-
Business	manage, modify	-	-

Area	Tenable Cloud Security-Provided Roles and Privileges
	Administrator	Collaborator	Viewer
Console Tabs	view	view	view
Reports	view, create, schedule, delete	view, create, schedule, delete	view, create
Inventory	view, manage, generate policy	view, manage, generate policy	-
Findings	view, share, manage, disable	view, share, manage	view, share
Administration	view, manage, audit	-	-