Managing action approval

Some organizations implement two-person integrity, which means that actions a user initiates cannot run until another user approves those actions. A pending action is one that is initiated but not yet approved. Approvers can be users with the Administrator reserved role or users with the special action approval role. If your organization allows exceptions to approval requirements, you can assign a bypass approval role.

Create an action approver role

  1. From the Main menu, go to Administration > Permissions > Roles.
  2. Create an advanced role that grants Approve Action permission on the content sets that you specify, and click Save.

Create a bypass action approval role

  1. From the Main menu, go to Administration > Permissions > Roles.
  2. Create an advanced role that grants Bypass Action Approval permission on the content sets that you specify, and click Save.

    Actions that a user with this permission creates are not subject to approval requirements.

Assign the action approval and bypass roles

You can assign the action approval and bypass roles to personas, users, and user groups.

Enable or disable action approval

Contact Tanium Support to enable or disable action approval.

  1. From the Main menu, go to Administration > Management > Global Settings.
  2. Select the require_action_approval setting and click Edit.
  3. Change the setting value to 1 (enable) or 0 (disable), and click Save.

If you disable action approval, actions pending approval cannot be completed. To avoid this, ask your approver to clear the list of actions pending approval before disabling the feature. Alternatively, review the actions on the Actions > Action History page and reissue actions as necessary for the desired results.

Review and manage pending actions

When action approval is enabled, users with the Administrator reserved role can display the Actions > Pending Approval page. The page has the same fields and action buttons as the Actions > Scheduled Actions page (see Manage scheduled actions), but displays only the actions that are waiting for approval.

Figure 1: Pending Approval page

Approve pending actions

After you approve a scheduled action, the approval remains in force until the schedule ends or someone modifies the scheduled action configuration.

  1. Sign in as a user with the Administrator reserved role or an action approver role.

    The Tanium Console displays the number of actions requiring approval in the Main menu.

  2. From the Main menu, go to Administration > Actions > Actions I Can Approve.
  3. (Optional) To find specific actions, configure any of the following filters and click Apply All:
    • Time: Select Local Time (default), which is local to the system that you use to access the Tanium Console, or Coordinated Universal Time (UTC).
    • Action group: Add one or more action groups as a filter by selecting one at a time in the Select Action Group drop-down.
    • Text string: Enter a text string in the Filter items field to filter the grid by any text value in any column.
    • Date Range: Filter the grid to display only actions for which the Start Time is within a specific date range. The default All means no date range filter is applied.
    • Attribute: Click Filters, click Add, select an action attribute (such as Issuer), select an operator (such as is equal to), enter an attribute value (such as administrator), and click Apply. After you finish specifying attributes, click Apply All to filter the grid.
  4. Select the action you want to approve and click Approve.
  5. Review the action configuration and click Approve Action.

    The Tanium Console indicates the estimated number of endpoints that the action will affect, as entered by the user who created the action. Note that the Tanium Server does not recalculate this estimate during the approval workflow; the displayed number is the same as when the action creator configured the action, regardless of how the actual endpoint count might have changed since then.

  6. If the Estimated Number of affected endpoints exceeds the configured threshold (default is 100), enter that number.

    The Tanium Server enforces this confirmation step to ensure that you understand the impact that the action will have on your network.

    To change the threshold that controls whether the Tanium Console prompts approvers for the Estimated Number of affected endpoints, edit the prompt_estimate_threshold setting (Administration > Global Settings). Note that changing the value to 0 causes the Tanium Console to prompt approvers regardless of the number of affected endpoints.
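
The following added example (not Tanium code, and not part of the original page) audits a list of action records against the rules described above: a second person must approve, bypass-role holders are exempt, pending actions are stranded if approval is disabled, and the endpoint estimate is compared with the prompt threshold. The record fields, user names, and the BYPASS_USERS set are assumptions made for illustration; they are not a Tanium export schema.

```python
# Constructed sample records. Field names are hypothetical, not a Tanium schema.
ACTIONS = [
    {"id": 101, "issuer": "alice", "approver": "bob",   "state": "completed", "estimate": 40},
    {"id": 102, "issuer": "carol", "approver": "carol", "state": "completed", "estimate": 12},
    {"id": 103, "issuer": "dave",  "approver": None,    "state": "completed", "estimate": 5000},
    {"id": 104, "issuer": "erin",  "approver": None,    "state": "completed", "estimate": 3},
    {"id": 105, "issuer": "alice", "approver": None,    "state": "pending",   "estimate": 250},
]
# Assumed holders of a role that grants Bypass Action Approval.
BYPASS_USERS = {"dave"}


def prompts_for_estimate(estimate, threshold=100):
    """Prompt rule from the page: a threshold of 0 always prompts;
    otherwise the prompt appears only when the estimate exceeds it."""
    return threshold == 0 or estimate > threshold


def audit(actions, bypass_users, threshold=100):
    """Return {action id: reason} for records that deserve a second look."""
    findings = {}
    for a in actions:
        if a["state"] == "pending":
            # Disabling approval would leave this action unable to complete.
            findings[a["id"]] = "pending: approve or reissue before disabling approval"
        elif a["approver"] == a["issuer"]:
            findings[a["id"]] = "self-approved: no second person involved"
        elif a["approver"] is None and a["issuer"] not in bypass_users:
            findings[a["id"]] = "ran unapproved and issuer has no bypass role"
        elif a["approver"] is None and prompts_for_estimate(a["estimate"], threshold):
            # Legitimate bypass, but nobody confirmed a large endpoint count.
            findings[a["id"]] = "bypass used on a large action: review"
    return findings


if __name__ == "__main__":
    for action_id, reason in audit(ACTIONS, BYPASS_USERS).items():
        print(action_id, reason)
```

Running the audit before changing require_action_approval to 0 gives the approver a concrete list of pending actions to clear or reissue.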