User Roles and Permissions for VM/VMDR, PC, SCA

Tell me about user roles

• Each user is assigned a pre-defined user role which determines what actions the user can take. The most privileged users are Managers - they have full privileges and access to all assets in the subscription.

• Managers and Unit Managers have the ability to manage assets and users. Managers have management authority for the subscription, while Unit Managers have management authority on an assigned business unit only.

• Scanners and Readers have limited rights on their assigned assets. Scanners can launch scans and run reports. Readers can run reports.

• Auditors have compliance management privileges. Auditors cannot run compliance scans, however they can define policies and run compliance reports. Auditors only have visibility into compliance data (not vulnerability data). This role is available when PC is enabled for the subscription.

• A Remediation User has limited access to the UI and can access only remediation tickets and the vulnerability knowledgebase. Remediation users do not have any scanning or reporting privileges. A Manager can assign Business Unit and Asset Groups and also tickets generated by policy rules for assets (asset groups) to the Remediation User.

• A KnowledgeBase Only user has limited access to the UI. They can send and receive vulnerability notifications and view vulnerabilities in the KnowledgeBase. (This role is only available when this feature is enabled for your subscription. Only a Manager can assign this role.)

• A User Administrator user will only have access to users, assets groups, business units and distribution groups. Users with this role can create and edit all types of users, except other User Administrators.

  Tip: To enable an administrator user to create or modify another administrator user, reach out to Qualys Support or your technical account manager. Once this feature is activated for your subscription, the administrator user will be able to create another administrator user using a unique email ID.

  They can edit and delete Manager users as long as there is at least one Manager account remaining in the subscription. That means the User Administrator cannot delete the last Manager account and cannot change the role for the last Manager account. The User Administrator does not have permission to delete business units, distribution groups, or asset groups.

  Extended Permissions for an Administrator user role to “manage user account"

  Once you create a user with a User Administrator role, the role for that user cannot be changed to any other role.

• Contacts have one permission only - to receive scan email notifications.

Want to compare user roles side by side?

Check out these help topics:

User Roles Comparison (Vulnerability Management)

User Roles Comparison (Policy Compliance)

What's my user role?

Choose the User Profile option below your user name (in the top right corner) to see your account information, including your user role. Your role is also shown on the users list (Users > Users).

Can I grant users additional permissions (beyond their role)?

Yes, there are certain extended permissions that may be granted on a per user basis. Edit the user's account and go to the Permissions section. Select a permission to give it to the user, and clear a permission to take it away. You will see different permissions for different user roles.

Can I delete a user?

You can delete the user who do not have an asterisk (*) next to the name. An asterisk (*) with name shows the user is primary contact of some business unit, you can not delete a primary contact user unless you assign the primary contact of that business unit to some other user. To know more about how to delete a user, refer to Delete a User and Transfer Items to New Owner

Add/Remove assets

Create/edit authentication records/vaults

Create option profiles

Manage external IDs for users

Manage virtual scanner appliances

Manage offline scanner appliances

Purge host information/history

Users with VM/VMDR:

Create/edit remediation policy

Create/edit virtual hosts

Users with PC:

Accept/Reject exceptions

Create/edit compliance policies

Create User Defined Controls

Update/Delete User Defined Controls

Users with SCA:

Create/edit policies

Users with WAS:

Manage / Create web applications

Who can grant extended permissions?

Managers and Unit Managers can grant extended permissions. A Unit Manager can grant extended permissions to users in their business unit as long as the Unit Manager also has the permission. For example, if the Unit Manager has permission to purge host information/history, then the Unit Manager can grant this permission to another user. Only the Manager Primary Contact can grant the "Manage external IDs for users" permission.

How to restrict/hide user information

You may not want users in one business unit to see information about users in other business units. In this case, go to Users > Setup > User Permissions and select from these options:

Restrict view of user information for users outside of business unit - When selected, we'll hide certain user details (e.g. contact information and asset groups) for users in other business units.

Hide users outside the business unit - When selected along with the first option, we'll hide all users in other business units on the users list (on the Users tab) and in other areas of the UI where users are listed like when creating distribution groups, reassigning tickets, etc.

How to restrict view of scheduled tasks

You may not want users to see scan schedules for assets that they don't have permission to. In this case, go to Users > Setup > User Permissions and select the option "Restrict view of scheduled tasks on unassigned assets". Then click Save.