Overview
Zenable uses Role-Based Access Control (RBAC) to manage who can do what within your organization. The system follows these principles:
Permissions are atomic actions (e.g., “edit requirements”)
Roles bundle permissions together (e.g., “Admin” has many permissions)
Users are assigned roles directly or via identity provider groups
Check your permissions from the CLI
Not sure whether you can do something? The Zenable CLI answers it directly. zenable auth can-i prints yes or no (and sets a matching exit code, so it’s scriptable) for any RBAC permission or MCP tool:
Check a permission:

    zenable auth can-i requirements:write

The same command takes an MCP tool in place of a permission, and --list shows everything you can and cannot do.
Every permission in the matrix below and every Zenable MCP tool is covered. --list shows them all at once with each one’s grant status.
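As an added illustration (not Zenable's code) of how the principles above resolve, the following Python model bundles permissions into roles, assigns roles directly or through identity-provider groups, and answers can-i and --list style queries. Role contents are inferred from the role descriptions and the matrix on this page and cover only a subset of permissions; the tier-gating rule and the group-to-role mapping are assumptions.

```python
from dataclasses import dataclass, field

# Role -> permission bundles, inferred from the role descriptions and the matrix
# on this page; only a subset of Zenable's permissions is modelled.
ROLE_PERMISSIONS = {
    "Viewer": frozenset({"requirements:read", "guardrails:read", "users:read"}),
    "Contributor": frozenset({"requirements:read", "guardrails:read", "users:read",
                              "requirements:write", "requirements:export"}),
    "Admin": frozenset({"requirements:read", "guardrails:read", "users:read",
                        "requirements:write", "requirements:export",
                        "requirements:delete", "users:manage_roles",
                        "audit:read", "audit:export", "billing:read"}),
    "Billing Administrator": frozenset({"requirements:read", "guardrails:read",
                                        "users:read", "billing:read",
                                        "billing:manage", "billing:view_invoices"}),
    "Security Auditor": frozenset({"requirements:read", "guardrails:read",
                                   "audit:read", "audit:export", "governance:read"}),
}
# Owner = everything Admin has plus billing management and company settings.
ROLE_PERMISSIONS["Owner"] = ROLE_PERMISSIONS["Admin"] | {
    "billing:manage", "billing:view_invoices", "company:manage"}
ALL_PERMISSIONS = sorted(set().union(*ROLE_PERMISSIONS.values()))

# Minimum plan tier per permission (from the category tables). Assumption: a
# permission above the tenant's tier resolves to "no" even when a role grants it.
TIER_RANK = {"Professional": 1, "Enterprise": 2}   # unlisted plans rank 0
MIN_TIER = {"guardrails:read": "Professional", "audit:read": "Professional",
            "governance:read": "Professional", "audit:export": "Enterprise"}

@dataclass
class User:
    name: str
    direct_roles: set = field(default_factory=set)   # roles assigned directly
    idp_groups: set = field(default_factory=set)     # groups from the identity provider

def effective_roles(user: User, group_roles: dict) -> set:
    """Direct roles plus roles mapped from the user's identity-provider groups (assumed mapping)."""
    return user.direct_roles | {group_roles[g] for g in user.idp_groups if g in group_roles}

def can_i(user: User, permission: str, plan: str, group_roles: dict) -> bool:
    """Mirror of `zenable auth can-i <permission>`: True means "yes"."""
    granted = any(permission in ROLE_PERMISSIONS.get(r, frozenset())
                  for r in effective_roles(user, group_roles))
    tier_ok = TIER_RANK.get(plan, 0) >= TIER_RANK.get(MIN_TIER.get(permission), 0)
    return granted and tier_ok

def list_grants(user: User, plan: str, group_roles: dict) -> dict:
    """Mirror of `--list`: grant status for every known permission at once."""
    return {p: can_i(user, p, plan, group_roles) for p in ALL_PERMISSIONS}
```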
System Roles
Zenable provides six predefined roles that cover common access patterns:
| Role | Description | Key Capabilities |
| --- | --- | --- |
| Viewer | Read-only access | View requirements, users, integrations, settings |
| Contributor | Create and edit content | All Viewer permissions + write/export requirements |
| Admin | Full admin access (billing read-only) | All Contributor + manage users, roles, integrations, audit logs |
| Owner | Complete access | All Admin + billing management |
| Billing Administrator | Financial access | View everything + manage billing and invoices |
| Security Auditor | Audit + governance access | View/export audit logs, view requirements, guardrails, and governance |
Custom roles are available on Enterprise plans. Contact us to learn more.
RBAC Audit Logging
RBAC Audit logging is available on Professional and Enterprise plans only. Log exporting requires an Enterprise plan.
All role and permission assignments and revocations are logged for compliance, including any provided reason.
Audit logs cannot be deleted by users regardless of role.
Access audit logs via the Audit section in the management console or through the audit:read permission.
Role Permission Matrix
Roles: Viewer, Contributor, Admin, Owner, Billing Admin, Security Auditor. Each ✓ marks one of these roles that holds the permission.

requirements:read ✓ ✓ ✓ ✓ ✓ ✓
requirements:write ✓ ✓ ✓
requirements:delete ✓ ✓
requirements:export ✓ ✓ ✓
context:read ✓ ✓ ✓ ✓ ✓
context:write ✓ ✓ ✓
scopes:read ✓ ✓ ✓ ✓ ✓
scopes:write ✓ ✓ ✓
guardrails:read ✓ ✓ ✓ ✓ ✓ ✓
guardrails:write ✓ ✓ ✓
findings:read ✓ ✓ ✓ ✓
findings:manage ✓ ✓ ✓
users:read ✓ ✓ ✓ ✓ ✓
users:invite ✓ ✓
users:remove ✓ ✓
users:manage_roles ✓ ✓
users:manage_seats ✓ ✓
billing:read ✓ ✓ ✓ ✓ ✓
billing:manage ✓ ✓
billing:view_invoices ✓ ✓
audit:read ✓ ✓ ✓
audit:export ✓ ✓ ✓
governance:read ✓ ✓ ✓ ✓ ✓
governance:manage ✓ ✓
governance:delete ✓ ✓
integrations:read ✓ ✓ ✓ ✓ ✓
integrations:manage ✓ ✓
settings:read ✓ ✓ ✓ ✓ ✓
settings:manage ✓ ✓
feature_flags:read ✓ ✓
feature_flags:manage ✓ ✓
marketplace:publish (no system role)
requirements:approve ✓ ✓ ✓
guardrails:approve ✓ ✓ ✓
approvals:read ✓ ✓ ✓ ✓
approvals:feedback ✓ ✓ ✓
approvals:manage ✓ ✓
company:manage ✓
Permissions by Category
Requirements
| Permission | Description |
| --- | --- |
| requirements:read | View and search requirements |
| requirements:write | Create and edit requirements |
| requirements:delete | Permanently delete requirements and associated guardrails |
| requirements:export | Export requirements to external formats |
Deleting a requirement is permanent and also deletes all guardrails associated with that requirement. This action cannot be undone.
Context
| Permission | Description |
| --- | --- |
| context:read | View reviewer contexts at customer and tenant levels |
| context:write | Create, edit, and delete reviewer contexts |
Scopes
| Permission | Description | Minimum Tier |
| --- | --- | --- |
| scopes:read | View scope definitions | Professional |
| scopes:write | Create, edit, and delete scope definitions | Professional |
Guardrails
| Permission | Description | Minimum Tier |
| --- | --- | --- |
| guardrails:read | View guardrails | Professional |
| guardrails:write | Create, edit, and delete guardrails | Professional |
Findings
| Permission | Description | Minimum Tier |
| --- | --- | --- |
| findings:read | View code review findings and resolutions | Professional |
| findings:manage | Create, update, and resolve findings | Professional |
Users
| Permission | Description |
| --- | --- |
| users:read | View team members |
| users:invite | Invite new users |
| users:remove | Remove users from tenant |
| users:manage_roles | Assign and revoke roles |
| users:manage_seats | Release and reassign seat licenses for users in tenant |
Billing
| Permission | Description |
| --- | --- |
| billing:read | View billing information |
| billing:manage | Modify subscription |
| billing:view_invoices | Download invoices |
Audit
| Permission | Description | Minimum Tier |
| --- | --- | --- |
| audit:read | View audit logs | Professional |
| audit:export | Export audit logs | Enterprise |
Governance
| Permission | Description | Minimum Tier |
| --- | --- | --- |
| governance:read | View governance domains and evidence | Professional |
| governance:manage | Create and edit governance domains and map requirements to them | Professional |
| governance:delete | Delete governance domains from the tenant taxonomy | Professional |
Deleting a governance domain is permanent. Requirements mapped to the domain must be reassigned or explicitly unmapped as part of the deletion flow.
Integrations
| Permission | Description |
| --- | --- |
| integrations:read | View configured integrations |
| integrations:manage | Add, remove, and configure integrations |
Settings
| Permission | Description |
| --- | --- |
| settings:read | View tenant settings |
| settings:manage | Modify tenant configuration |
Feature Flags
| Permission | Description |
| --- | --- |
| feature_flags:read | View feature flags |
| feature_flags:manage | Enable/disable feature flags |
Marketplace
| Permission | Description | Minimum Tier |
| --- | --- | --- |
| marketplace:publish | Publish new versions of marketplace requirements | Enterprise |
Approvals
| Permission | Description | Minimum Tier |
| --- | --- | --- |
| requirements:approve | Cast a binding approve/reject decision on requirement proposals | Professional |
| guardrails:approve | Cast a binding approve/reject decision on guardrail regeneration requests | Professional |
| approvals:read | View approval flows, pending requests, and the full feedback thread (everything is transparent; no per-record hiding) | Professional |
| approvals:feedback | Submit non-binding feedback (vote up/down, add commentary) on an approval request | Professional |
| approvals:manage | Create, edit, and archive approval flow definitions | Professional |

Learn more about approval workflows.
Company
| Permission | Description |
| --- | --- |
| company:manage | Manage company-wide settings that apply across every tenant (owner only) |