Add your Puppet Enterprise credentials to Security Compliance Management
To allow Security Compliance Management to communicate with Puppet Enterprise, you must add your PE credentials to Security Compliance Management.
Make sure you have classified the nodes you want to scan in Puppet Enterprise (PE).
Adding your Puppet Enterprise credentials authenticates Security Compliance Management with Role Based Access Control (RBAC).
Your Puppet Enterprise account requires the following permissions. For most versions of Puppet Enterprise, you can add these through your PE console. If you are using Puppet Enterprise 2025.6, add the following permissions except for the three tasks listed in the table. For those cases, follow these instructions to add the required task permissions instead.
| Type | Action | Instance |
|---|---|---|
| Console | View | - |
| Job Orchestrator | Start, stop and view jobs | - |
| Node Groups | View | All |
| Nodes | View node data from PuppetDB | - |
| Tasks | Run Tasks | Task: Permitted on: All nodes. For PE 2025.6, follow these instructions for adding this task permission. |
| Tasks | Run Tasks | Task: Permitted on: All nodes. For PE 2025.6, follow these instructions for adding this task permission. |
| Tasks | Run Tasks | Task: Permitted on: All nodes. For PE 2025.6, follow these instructions for adding this task permission. |
| User Roles | Create | All |
For more information on permissions, see User permissions and user roles.
Set up RBAC permissions for the puppet_enterprise::register_application, comply::backup_assessor, and comply::ciscat_scan tasks, which are required for SCM to integrate with PE and run jobs.
Copy the ID of the role from the URL of that page for use in the API request to set up permissions. The ID is the number in the URL from your PE console. For example, if your URL when looking at the Security Compliance Management user role from the PE console is `<ip address>/#/admin/access-control/user-roles/2122757242/permissions`, the ID you need is `2122757242`.

From a terminal on your PE primary, use the following API request to configure RBAC permissions for these tasks. Make sure you have token authorization and have set up `puppet-access` before using the following API request:

```bash
# Replace <id of SCM role> with the numeric role ID copied from the console URL.
curl -X POST "https://$(puppet config print server):4433/rbac-api/v1/command/roles/add-permissions" \
  --cert "$(puppet config print --section main hostcert)" \
  --key "$(puppet config print --section main hostprivkey)" \
  --cacert "$(puppet config print --section main localcacert)" \
  -H "X-Authentication:$(puppet-access show)" \
  -H "Content-type: application/json" \
  -d '{"role_id": <id of SCM role>,
       "permissions": [
         {"object_type":"tasks",
          "action":"run",
          "instance":"enterprise_tasks::register_application"},
         {"object_type":"tasks",
          "action":"run",
          "instance":"comply::backup_assessor"},
         {"object_type":"tasks",
          "action":"run",
          "instance":"comply::ciscat_scan"}
       ]
      }'
```
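The following is an added example, not part of the Puppet documentation: it extracts the role ID from a console URL, builds the same request body as the command above, and audits a role object for the three task grants, flagging a wildcard task grant that is broader than the per-task grants this page asks for. The role object shape (a `permissions` list of `object_type`/`action`/`instance` entries, with `*` meaning all instances) and the hostname are assumptions; the task names are taken from the request body above.

```python
import json
import re

# Task names exactly as they appear in the add-permissions request body above.
REQUIRED_TASKS = (
    "enterprise_tasks::register_application",
    "comply::backup_assessor",
    "comply::ciscat_scan",
)


def role_id_from_console_url(url):
    """Pull the numeric role ID out of a PE console user-role URL."""
    match = re.search(r"/user-roles/(\d+)(?:/|$)", url)
    if match is None:
        raise ValueError("no numeric role ID in URL: %r" % url)
    return int(match.group(1))


def build_add_permissions_body(role_id):
    """Build the JSON body for the add-permissions request."""
    if not isinstance(role_id, int) or role_id <= 0:
        raise ValueError("role_id must be a positive integer")
    permissions = [
        {"object_type": "tasks", "action": "run", "instance": name}
        for name in REQUIRED_TASKS
    ]
    return json.dumps({"role_id": role_id, "permissions": permissions})


def audit_role(role):
    """Return (missing task names, True if a wildcard task grant is present)."""
    granted = {
        p.get("instance")
        for p in role.get("permissions", [])
        if p.get("object_type") == "tasks" and p.get("action") == "run"
    }
    wildcard = "*" in granted  # assumed RBAC notation for "all tasks"
    missing = [t for t in REQUIRED_TASKS if t not in granted and not wildcard]
    return missing, wildcard


if __name__ == "__main__":
    # Constructed sample input: hypothetical hostname, role ID from the page's example URL.
    url = "https://pe.example.test/#/admin/access-control/user-roles/2122757242/permissions"
    rid = role_id_from_console_url(url)
    print(build_add_permissions_body(rid))
    sample_role = {"id": rid, "permissions": [
        {"object_type": "tasks", "action": "run", "instance": "comply::ciscat_scan"}]}
    print(audit_role(sample_role))
```
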
- In Security Compliance Management (located at `https://<COMPLY-HOSTNAME>/`), click Settings.
- Click Puppet Enterprise instance.
- Enter your Puppet Enterprise hostname, username, and password.
- Click Submit.

You can refresh the Puppet Enterprise node and fact information by clicking Refresh data.
You now see a list of your classified nodes on the Nodes page.
You have completed the Security Compliance Management setup process! You can now start running CIS scans on your nodes. If you're new to Security Compliance Management, try out the beginner's guide.






