
title: Roles and Permissions
description: "Control access with role-based permissions"

Overview

Zenable uses Role-Based Access Control (RBAC) to manage who can do what within your organization. The system follows these principles:
  • Permissions are atomic actions, named resource:action (e.g., requirements:write, "edit requirements")
  • Roles bundle permissions together (e.g., Admin holds many permissions); the Viewer, Contributor, Admin and Owner system roles are cumulative, each including everything the role below it grants
  • Users are assigned roles directly or via identity provider groups, so mapping an IdP group to a role gives that role's permissions to every member of the group

System Roles

Zenable provides six predefined roles that cover common access patterns:
| Role | Description | Key Capabilities |
| --- | --- | --- |
| Viewer | Read-only access | View requirements, users, integrations, settings |
| Contributor | Create and edit content | All Viewer permissions + write/export requirements |
| Admin | Full admin access (billing read-only) | All Contributor permissions + manage users, roles, integrations, audit logs |
| Owner | Complete access | All Admin permissions + billing management |
| Billing Administrator | Financial access | View everything + manage billing and invoices |
| Security Auditor | Audit access | View and export audit logs only |
Custom roles are available on Enterprise plans. Contact us to learn more.

RBAC Audit Logging

RBAC audit logging is available on Professional and Enterprise plans only; exporting the logs requires an Enterprise plan.
Every role and permission assignment and revocation is logged for compliance, together with the reason given for the change, if any. Audit log entries cannot be deleted by users, regardless of role. View the logs in the Audit section of the management console; viewing requires the audit:read permission and exporting requires audit:export.
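The three ideas above (atomic permissions, cumulative roles, and role assignment that is both permission-checked and audit-logged) fit in a few dozen lines. The block below is an added example written for this page, not Zenable's own code or API. Its role-to-permission sets are reconstructed only from the "Key Capabilities" column of the System Roles table, the tier gates come from the "Minimum Tier" columns further down, and the tier ordering Free < Professional < Enterprise, the reading of "view everything" as every *:read permission, and all user, group and role-name strings in the usage are assumptions.

```python
"""Minimal RBAC evaluator modelled on the roles and audit rules described above.

Added example, not Zenable's own code. Permission sets are reconstructed from the
"Key Capabilities" column only; permissions that column does not mention
(context:*, scopes:*, guardrails:*, feature_flags:*, marketplace:*) are left out
of the cumulative roles rather than guessed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone

# Plan tiers in ascending order of entitlement (the ordering itself is an assumption).
TIERS = ("Free", "Professional", "Enterprise")

# Minimum plan tier for gated permissions, from the "Minimum Tier" columns.
MIN_TIER = {
    "scopes:read": "Professional", "scopes:write": "Professional",
    "guardrails:read": "Professional", "guardrails:write": "Professional",
    "audit:read": "Professional", "audit:export": "Enterprise",
    "marketplace:publish": "Enterprise",
}

# Direct grants per role; inheritance between the cumulative roles is resolved by resolve().
ROLE_GRANTS: dict[str, set[str]] = {
    "Viewer": {"requirements:read", "users:read", "integrations:read", "settings:read"},
    "Contributor": {"requirements:write", "requirements:export"},
    "Admin": {"users:invite", "users:remove", "users:manage_roles",
              "integrations:manage", "audit:read", "billing:read"},
    "Owner": {"billing:manage", "billing:view_invoices"},
    "Security Auditor": {"audit:read", "audit:export"},
    # "View everything" is taken to mean every *:read permission in the matrix (assumption).
    "Billing Administrator": {"requirements:read", "context:read", "scopes:read",
                              "guardrails:read", "users:read", "billing:read", "audit:read",
                              "integrations:read", "settings:read", "feature_flags:read",
                              "billing:manage", "billing:view_invoices"},
}
# Each cumulative role includes everything its parent grants.
ROLE_INHERITS = {"Contributor": "Viewer", "Admin": "Contributor", "Owner": "Admin"}


def resolve(role: str) -> frozenset[str]:
    """Effective permission set of a role, following the inheritance chain to its root."""
    perms: set[str] = set()
    current: str | None = role
    while current is not None:
        perms |= ROLE_GRANTS[current]          # unknown role -> KeyError, never a silent allow
        current = ROLE_INHERITS.get(current)
    return frozenset(perms)


def effective_roles(direct: set[str], idp_groups: set[str], group_map: dict[str, str]) -> set[str]:
    """Roles a user holds: assigned directly, or via identity-provider groups mapped to roles."""
    return set(direct) | {group_map[g] for g in idp_groups if g in group_map}


def can(roles: set[str], permission: str, tier: str) -> bool:
    """Allow only if some held role grants the permission AND the tenant's plan meets its tier."""
    min_tier = MIN_TIER.get(permission, TIERS[0])
    if TIERS.index(tier) < TIERS.index(min_tier):
        return False                           # plan gate is checked before role membership
    return any(permission in resolve(r) for r in roles)


@dataclass(frozen=True)
class AuditEntry:
    when: str
    actor: str
    action: str            # "assign" or "revoke"
    subject: str
    role: str
    reason: str | None     # the optional reason supplied with the change


@dataclass
class AuditLog:
    """Append-only by construction: there is no delete or update path, whatever the caller's role."""
    _entries: list[AuditEntry] = field(default_factory=list)

    def append(self, entry: AuditEntry) -> None:
        self._entries.append(entry)

    def entries(self) -> tuple[AuditEntry, ...]:
        return tuple(self._entries)            # a snapshot; callers cannot mutate the log through it


def change_role(log: AuditLog, actor: str, actor_roles: set[str], tier: str,
                action: str, subject: str, role: str, reason: str | None = None) -> bool:
    """Assign or revoke a role. Refused without users:manage_roles; every success is logged."""
    if action not in ("assign", "revoke") or role not in ROLE_GRANTS:
        raise ValueError("unknown action or role")
    if not can(actor_roles, "users:manage_roles", tier):
        return False
    log.append(AuditEntry(datetime.now(timezone.utc).isoformat(), actor, action, subject, role, reason))
    return True


if __name__ == "__main__":
    # Constructed usage: "alice" (Admin, Professional plan) grants "bob" Contributor.
    log = AuditLog()
    print(change_role(log, "alice", {"Admin"}, "Professional", "assign", "bob", "Contributor", "onboarding"))
    print(can({"Contributor"}, "requirements:read", "Free"), can({"Admin"}, "billing:manage", "Free"))
    print(log.entries())
```

Two checks in can() are worth keeping separate in a real implementation: the plan-tier gate and the role membership test fail closed independently, so a role that nominally grants audit:export still cannot export on a Professional tenant.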

Role Permission Matrix

The matrix cross-references every permission against the six system roles: Viewer, Contributor, Admin, Owner, Billing Administrator and Security Auditor. The System Roles table above summarizes what each role holds, and the tables under Permissions by Category describe each permission. The permissions covered by the matrix, grouped by namespace:
  • requirements:read, requirements:write, requirements:delete, requirements:export
  • context:read, context:write
  • scopes:read, scopes:write
  • guardrails:read, guardrails:write
  • users:read, users:invite, users:remove, users:manage_roles
  • billing:read, billing:manage, billing:view_invoices
  • audit:read, audit:export
  • integrations:read, integrations:manage
  • settings:read, settings:manage
  • feature_flags:read, feature_flags:manage
  • marketplace:publish

Permissions by Category

Requirements

| Permission | Description |
| --- | --- |
| requirements:read | View and search requirements |
| requirements:write | Create and edit requirements |
| requirements:delete | Permanently delete requirements and their associated guardrails |
| requirements:export | Export requirements to external formats |

Deleting a requirement is permanent and also deletes every guardrail associated with it; the action cannot be undone. requirements:delete is a separate permission from requirements:write, so a role can be allowed to edit requirements without being able to delete them.

Context

| Permission | Description |
| --- | --- |
| context:read | View reviewer contexts at customer and tenant levels |
| context:write | Create, edit, and delete reviewer contexts |

Scopes

| Permission | Description | Minimum Tier |
| --- | --- | --- |
| scopes:read | View scope definitions | Professional |
| scopes:write | Create, edit, and delete scope definitions | Professional |

Guardrails

| Permission | Description | Minimum Tier |
| --- | --- | --- |
| guardrails:read | View guardrails | Professional |
| guardrails:write | Create, edit, and delete guardrails | Professional |

Users

| Permission | Description |
| --- | --- |
| users:read | View team members |
| users:invite | Invite new users |
| users:remove | Remove users from the tenant |
| users:manage_roles | Assign and revoke roles |

users:manage_roles covers assigning and revoking any role, so treat grants of it as privileged changes and review them in the RBAC audit log, where every assignment and revocation is recorded.

Billing

| Permission | Description |
| --- | --- |
| billing:read | View billing information |
| billing:manage | Modify the subscription |
| billing:view_invoices | Download invoices |

Audit

| Permission | Description | Minimum Tier |
| --- | --- | --- |
| audit:read | View audit logs | Professional |
| audit:export | Export audit logs | Enterprise |

Integrations

| Permission | Description |
| --- | --- |
| integrations:read | View configured integrations |
| integrations:manage | Add, remove, and configure integrations |

Settings

| Permission | Description |
| --- | --- |
| settings:read | View tenant settings |
| settings:manage | Modify tenant configuration |

Feature Flags

| Permission | Description |
| --- | --- |
| feature_flags:read | View feature flags |
| feature_flags:manage | Enable or disable feature flags |

Marketplace

| Permission | Description | Minimum Tier |
| --- | --- | --- |
| marketplace:publish | Publish new versions of marketplace requirements | Enterprise |

Need help? Contact us at hello@zenable.io