User Roles and Permissions for VM/VMDR, PC, SCA

Tell me about user roles

Who can grant extended permissions?

 

Want to compare user roles side by side?

How to restrict/hide user information

 

What's my user role?

How to restrict view of scheduled tasks

 

Can I delete a user?

How to grant access to applications

 

Can I grant users additional permissions?

   

Tell me about user roles

Want to compare user roles side by side?

Check out these help topics:

User Roles Comparison (Vulnerability Management)

User Roles Comparison (Policy Compliance)

What's my user role?

Choose the User Profile option below your user name (in the top right corner) to see your account information, including your user role. Your role is also shown on the users list (Users > Users).

Can I grant users additional permissions (beyond their role)?

Yes, there are certain extended permissions that may be granted on a per user basis. Edit the user's account and go to the Permissions section. Select a permission to give it to the user, and clear a permission to take it away. You will see different permissions for different user roles.

Can I delete a user?

You can delete the user who do not have an asterisk (*) next to the name. An asterisk (*) with name shows the user is primary contact of some business unit, you can not delete a primary contact user unless you assign the primary contact of that business unit to some other user. To know more about how to delete a user, refer to Delete a User and Transfer Items to New Owner

Add/Remove assetsAdd/Remove assets

Allow a Unit Manager to add IPs and domains to their business unit, and thus to the subscription. Once new assets are added, they are available to all Managers for inclusion in other business units and asset groups.

Your subscription may be configured to allow this permission to be granted to Scanners, giving them the ability to add IPs to the subscription. Scanners in Consultant subscriptions may be granted this permission.

Note that current configuration gives only Manager the permission to remove an added IP.

Create/edit authentication records/vaultsCreate/edit authentication records/vaults

Allow a Unit Manager to create and edit authentication records and vaults. Your subscription may be configured to allow this permission to be granted to Scanners.

Create option profilesCreate option profiles

Scanners and Unit Managers have the ability to create option profiles by default. Clear this check box to remove this ability from the user.

Manage external IDs for usersManage external IDs for users

The Manager Primary Contact (for the subscription) may grant this permission to Managers, Unit Managers and User Administrators. When granted, the user can assign/edit an external ID in a user's account settings.

Why don't I see this option?Why don't I see this option?

The Manager Primary Contact must first enable the External IDs security setting at Users > Setup > Security.

Manage virtual scanner appliancesManage virtual scanner appliances

Allow a Unit Manager to create, edit and delete virtual scanners from the scanner appliances list. Your subscription may be configured to allow this permission to be granted to Scanners.

Manage offline scanner appliancesManage offline scanner appliances

Allow a Unit Manager to create, edit and delete offline scanners from the scanner appliances list.

Purge host information/historyPurge host information/history

Allow a user to purge host information collected from scans. Purging hosts permanently removes host information from your account.

Users with VM/VMDR:

Create/edit remediation policyCreate/edit remediation policy

Allow a Unit Manager to create a remediation policy for their business unit. The rules set in the business unit's policy will take precedence over the policy set for the subscription.

Create/edit virtual hostsCreate/edit virtual hosts

Allow a user to create new virtual host configurations for scanning. Users with this permission are allowed to add, edit and delete virtual hosts for IP addresses that are included in the user’s account.

Users with PC:

Accept/Reject exceptionsAccept/Reject exceptions

Allow a Unit Manager to accept/reject exceptions for compliance policies for the hosts in their business unit.

Create/edit compliance policiesCreate/edit compliance policies

Allow a Unit Manager to create and edit compliance policies on the hosts in their assigned business unit.

Create User Defined ControlsCreate User Defined Controls

Allow a Unit Manager to create user-defined controls (UDCs) for the subscription.

Update/Delete User Defined ControlsUpdate/Delete User Defined Controls

Allow a Unit Manager to edit and delete user-defined controls (UDCs) in the subscription.

Users with SCA:

Create/edit policiesCreate/edit policies

Allow a Unit Manager to create and edit policies on the hosts in their assigned business unit.

Users with WAS:

Manage / Create web applicationsManage / Create web applications

Allow a user to perform web application management tasks based on the user's web application access permissions. Select "Create web applications" to give the user the ability to create web applications.

Who can grant extended permissions?

Managers and Unit Managers can grant extended permissions. A Unit Manager can grant extended permissions to users in their business unit as long as the Unit Manager also has the permission. For example, if the Unit Manager has permission to purge host information/history, then the Unit Manager can grant this permission to another user. Only the Manager Primary Contact can grant the "Manage external IDs for users" permission.

How to restrict/hide user information

You may not want users in one business unit to see information about users in other business units. In this case, go to Users > Setup > User Permissions and select from these options:

Restrict view of user information for users outside of business unit - When selected, we'll hide certain user details (e.g. contact information and asset groups) for users in other business units.

Hide users outside the business unit - When selected along with the first option, we'll hide all users in other business units on the users list (on the Users tab) and in other areas of the UI where users are listed like when creating distribution groups, reassigning tickets, etc.

How to restrict view of scheduled tasks

You may not want users to see scan schedules for assets that they don't have permission to. In this case, go to Users > Setup > User Permissions and select the option "Restrict view of scheduled tasks on unassigned assets". Then click Save.