User Roles and Permissions for VM/VMDR, PC, SCA


Tell me about user roles

  • Each user is assigned a pre-defined user role which determines what actions the user can take. The most privileged users are Managers - they have full privileges and access to all assets in the subscription.

  • Managers and Unit Managers have the ability to manage assets and users. Managers have management authority for the subscription, while Unit Managers have management authority on an assigned business unit only. 

    • If the user with the Manager role is not able to view the Vulnerability tab on VMDR, click the Get Started with VMDR link on the dashboard. It navigates you to the new VMDR dashboard. This is a one-time activity, after which you get a new VMDR dashboard with a Vulnerability tab.

    • When a Unit Manager views the scan list in the UI (Scans > Scans), the displayed count differs from the count returned when the scan list is requested through the API. This discrepancy occurs because the Show in Scope Scan List option is disabled in the VM UI, while the in-scope scan list is enabled by default in the API.

  • Scanners and Readers have limited rights to their assigned assets. Scanners can launch scans and run reports, while readers can run reports. 
    Users with the Scanner role can only view, but not edit, the authentication records created by users with the Manager role. Sub-users (for example, users with the Scanner or Unit Manager role) are only allowed to edit authentication records created by users with the same role.
    Scanner and Reader user roles have permissions for exception management capabilities and can perform actions such as:

    • Accept/Reject exceptions
    • Create/edit compliance policies
    • Create User Defined Controls
    • Update/Delete User Defined Controls
  • Auditors have compliance management privileges. Auditors cannot run compliance scans; however, they can define policies and run compliance reports. Auditors only have visibility into compliance data (not vulnerability data). This role is available when PC is enabled for the subscription.

  • A Remediation User has limited access to the UI and can access only remediation tickets and the vulnerability knowledgebase. Remediation users do not have any scanning or reporting privileges. A Manager can assign Business Unit and Asset Groups and also tickets generated by policy rules for assets (asset groups) to the Remediation User.

  • A KnowledgeBase Only user has limited access to the UI. They can send and receive vulnerability notifications and view vulnerabilities in the KnowledgeBase. (This role is only available when this feature is enabled for your subscription. Only a Manager can assign this role.)

  • A User Administrator has access only to users, asset groups, business units and distribution groups. Users with this role can create and edit all types of users, except other User Administrators.

    Tip: To enable an administrator user to create or modify another administrator user, reach out to Qualys Support or your technical account manager. Once this feature is activated for your subscription, the administrator user will be able to create another administrator user using a unique email ID.

    They can edit and delete Manager users as long as there is at least one Manager account remaining in the subscription. That means the User Administrator cannot delete the last Manager account and cannot change the role for the last Manager account. The User Administrator does not have permission to delete business units, distribution groups, or asset groups.

    Note: When you create or update a user for a consultant unlimited service type account, the user roles available for all users are only the Reader and the User Administrator.

    Extended Permissions for an Administrator user role to "manage user account"

    Once you create a user with a User Administrator role, the role for that user cannot be changed to any other role.

  • Contacts have one permission only - to receive scan email notifications.

Want to compare user roles side by side?

Check out these help topics:

User Roles Comparison (Vulnerability Management)

User Roles Comparison (Policy Compliance)

What's my user role?

Choose the User Profile option below your user name (in the top right corner) to see your account information, including your user role. Your role is also shown on the users list (Users > Users).

Can I grant users additional permissions (beyond their role)?

Yes, there are certain extended permissions that may be granted on a per user basis. Edit the user's account and go to the Permissions section. Select permission to give it to the user and clear permission to take it away. You will see different permissions for different user roles.

Can I delete a user?

You can delete a user who does not have POC or POC_BU next to the name. POC or POC_BU next to a name shows that the user is the primary contact of some business unit. You cannot delete a primary contact user unless you assign the primary contact of that business unit to some other user. To know more about how to delete a user, refer to Delete a User and Transfer Items to New Owner.

Add/Remove assets

Allow a Unit Manager to add IPs and domains to their business unit, and thus to the subscription. Once new assets are added, they are available to all Managers for inclusion in other business units and asset groups.

Your subscription may be configured to allow this permission to be granted to Scanners, giving them the ability to add IPs to the subscription. Scanners in Consultant subscriptions may be granted this permission.

Note that in the current configuration only a Manager has permission to remove an added IP.

Create/edit authentication records/vaults

Allow a Unit Manager to create and edit authentication records and vaults. Your subscription may be configured to allow this permission to be granted to Scanners.

Create option profiles

Scanners and Unit Managers have the ability to create option profiles by default. Clear this check box to remove this ability from the user.

Manage external IDs for users

The Manager Primary Contact (for the subscription) may grant this permission to Managers, Unit Managers and User Administrators. When granted, the user can assign/edit an external ID in a user's account settings.

Why don't I see this option?

The Manager Primary Contact must first enable the External IDs security setting at Users > Setup > Security.

Manage virtual scanner appliances

Allow a Unit Manager to create, edit and delete virtual scanners from the scanner appliances list. Your subscription may be configured to allow this permission to be granted to Scanners.

Manage offline scanner appliances

Allow a Unit Manager to create, edit and delete offline scanners from the scanner appliances list.

Purge host information/history

Allow a user to purge host information collected from scans. Purging hosts permanently removes host information from your account.

Users with VM/VMDR:

Create/edit remediation policy

Allow a Unit Manager to create a remediation policy for their business unit. The rules set in the business unit's policy will take precedence over the policy set for the subscription.

Create/edit virtual hosts

Allow a user to create new virtual host configurations for scanning. Users with this permission are allowed to add, edit and delete virtual hosts for IP addresses that are included in the user’s account.

Users with PC:

Accept/Reject exceptions

Allow a Unit Manager to accept/reject exceptions for compliance policies for the hosts in their business unit.

Create/edit compliance policies

Allow a Unit Manager to create and edit compliance policies on the hosts in their assigned business unit.

Create User Defined Controls

Allow a Unit Manager to create user-defined controls (UDCs) for the subscription.

Update/Delete User Defined Controls

Allow a Unit Manager to edit and delete user-defined controls (UDCs) in the subscription.

Users with SCA:

Create/edit policies

Allow a Unit Manager to create and edit policies on the hosts in their assigned business unit.

Users with WAS:

Manage / Create web applications

Allow a user to perform web application management tasks based on the user's web application access permissions. Select "Create web applications" to give the user the ability to create web applications.

Who can grant extended permissions?

Managers and Unit Managers can grant extended permissions. A Unit Manager can grant extended permissions to users in their business unit as long as the Unit Manager also has the permission. For example, if the Unit Manager has permission to purge host information/history, then the Unit Manager can grant this permission to another user. Only the Manager Primary Contact can grant the "Manage external IDs for users" permission.
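The delegation rule above, together with the User Administrator deletion limits described under "Tell me about user roles" and "Can I delete a user?", encoded as a policy check that can be unit-tested before it is wired into an account-provisioning script. This is an added example, not Qualys code: the `User` record, its field names and the helper functions are assumptions; the role and permission names are the ones used on this page.

```python
from dataclasses import dataclass, field

# Permission the page says only the Manager Primary Contact may grant.
PRIMARY_CONTACT_ONLY = {"Manage external IDs for users"}


@dataclass
class User:
    """Constructed user record (assumption); role and permission names follow the page."""
    name: str
    role: str                       # "Manager", "Unit Manager", "Scanner", ...
    business_unit: str
    permissions: set = field(default_factory=set)
    primary_contact: bool = False   # the subscription's Manager Primary Contact
    bu_poc: bool = False            # primary contact (POC) of a business unit


def can_grant(grantor: User, target: User, permission: str) -> bool:
    """May `grantor` add the extended `permission` to `target`'s account?"""
    if permission in PRIMARY_CONTACT_ONLY:
        return grantor.role == "Manager" and grantor.primary_contact
    if grantor.role == "Manager":
        return True                 # Managers may grant any other extended permission
    if grantor.role == "Unit Manager":
        # Only inside their own business unit, and only permissions they hold themselves.
        return (target.business_unit == grantor.business_unit
                and permission in grantor.permissions)
    return False                    # Scanners, Readers, etc. cannot delegate


def user_admin_can_delete(admin: User, target: User, all_users: list) -> bool:
    """Deletion rules the page states for the User Administrator role."""
    if admin.role != "User Administrator":
        return False
    if target.role == "User Administrator":
        return False                # cannot manage other User Administrators
    if target.bu_poc:
        return False                # reassign the business unit's POC first
    if target.role == "Manager":
        # The last Manager account in the subscription is protected.
        others = [u for u in all_users if u.role == "Manager" and u is not target]
        if not others:
            return False
    return True
```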

How to restrict/hide user information

You may not want users in one business unit to see information about users in other business units. In this case, go to Users > Setup > User Permissions and select from these options:

Restrict view of user information for users outside of business unit - When selected, we'll hide certain user details (e.g. contact information and asset groups) for users in other business units.

Hide users outside the business unit - When selected along with the first option, we'll hide all users in other business units on the users list (on the Users tab) and in other areas of the UI where users are listed, such as when creating distribution groups or reassigning tickets.

How to restrict view of scheduled tasks

You may not want users to see scan schedules for assets that they don't have permission to. In this case, go to Users > Setup > User Permissions and select the option "Restrict view of scheduled tasks on unassigned assets". Then click Save.