Managing personas

Personas overview

A persona is a set of roles and computer groups that a user selects for a Tanium session. Assigning multiple personas to a user account enables you to enforce different sets of restrictions on what that user can see and do with the Tanium Core Platform, based on the work scope for a given session, without having to configure multiple accounts for the user. As an example, users might manage endpoints across multiple countries, each with unique privacy laws restricting the actions that users can deploy to specific endpoints based on security clearance. You might configure one persona with a role that allows actions relating only to Tanium Client maintenance on all computer groups for a particular country. You could give the same user another persona that allows security patch installations but only for the subset of computer groups that the user directly manages.

If you plan to import users and user groups from a Lightweight Directory Access Protocol (LDAP) or Active Directory (AD) server, do so before configuring and assigning personas. For details, see Integrating with LDAP servers.

The persona types are as follows:

Default persona

User permissions derive from roles and computer groups that are assigned to the persona and, if the user belongs to user groups, from roles and computer groups that are assigned to the default persona of those user groups. The default persona automatically applies when users sign into the Tanium Console. The Tanium Server automatically assigns the default persona to new users and user groups and, after you upgrade to Tanium Server 7.4 or later, to existing pre-upgrade users and groups. Each user and group has only one default persona and it is unique; multiple users and groups cannot share a default persona. You cannot delete default personas or reassign them to different users or groups.

Alternative persona

User permissions derive only from roles and computer groups that are assigned to the persona. A user can inherit multiple alternative personas from user groups, but only the permissions of the single persona that the user selects for the current Tanium session apply. You can assign an alternative persona to multiple users and user groups. Each user and group can have zero or more alternative personas.

The following figure illustrates the relationship between personas and other Tanium RBAC components:

Figure 1: Tanium personas

Because you can reassign alternative personas among users and user groups, the best practice is to assign roles and computer groups to alternative personas instead of default personas. This practice simplifies updating your RBAC implementation when necessary, such as when users leave or join your organization, or when they move between user groups.

For details on how personas interact with users, user groups, computer groups, and roles to determine the effective permissions of a user, see Tanium RBAC implementation and concepts.
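The following added example (not Tanium code and not part of the original page) models the default and alternative persona rules described above and flags default personas that carry roles or computer groups, which the best practice advises against. It treats roles as opaque names and does not model Deny Roles or individual permissions; all class, function, and sample names are assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Persona:
    name: str
    roles: frozenset = frozenset()
    computer_groups: frozenset = frozenset()

@dataclass
class Principal:  # a user or a user group
    name: str
    default: Persona                                   # exactly one, never shared
    alternatives: list = field(default_factory=list)   # zero or more, shareable
    groups: list = field(default_factory=list)         # user groups (users only)

def selectable(user):
    """Default persona plus alternatives assigned directly or via user groups."""
    found = {user.default.name: user.default}
    for holder in [user, *user.groups]:
        for p in holder.alternatives:
            found.setdefault(p.name, p)
    return found

def session_scope(user, persona_name):
    """Roles and computer groups in force for the persona chosen this session."""
    persona = selectable(user).get(persona_name)
    if persona is None:
        raise PermissionError(f"{persona_name} is not assigned to {user.name}")
    sources = [persona]
    if persona is user.default:  # default also pulls in the groups' default personas
        sources += [g.default for g in user.groups]
    roles = frozenset().union(*(p.roles for p in sources))
    cgs = frozenset().union(*(p.computer_groups for p in sources))
    return roles, cgs

def default_persona_findings(principals):
    """Principals whose default persona carries roles or computer groups."""
    return sorted(p.name for p in principals
                  if p.default.roles or p.default.computer_groups)

# Constructed sample inventory (all names are made up).
PATCH = Persona("patching", frozenset({"patch-install"}), frozenset({"team-servers"}))
OPS = Principal("ops-group",
                Persona("ops-group-default", frozenset({"client-maintenance"}),
                        frozenset({"country-a-all"})),
                alternatives=[PATCH])
ALICE = Principal("alice", Persona("alice-default"), groups=[OPS])
```

In the sample, the user's own default persona is empty, yet a default-persona session still picks up the user group's role and computer group, while the inherited alternative persona yields only its own assignments.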

To perform tasks related to personas, you require the Administrator reserved role or a custom role that has the Read Persona and Write Persona micro admin permissions.

View persona attributes, permissions, and assignments

  1. From the Main menu, go to Administration > Permissions > Personas.

    The page displays the persona attributes.

  2. (Optional) To display persona identifiers, click Customize Columns and select ID.
  3. (Optional) Use the filters to find specific personas:
    • Filter by text: To filter the grid by column values, enter a text string in the Filter items field.
    • Filter by attribute: Filter the grid by one or more attributes, such as persona Name. Expand the Filters section, click Add, select an attribute and operator, enter a text string that contains all or part of the attribute value, and click Apply. If you add multiple attribute filters, the Boolean AND operator applies. After you finish specifying attributes, click Apply All to filter the grid.
  4. (Optional) To see the effective permissions of a persona, the roles and computer groups assigned to it, and the names of users and user groups to which the persona is assigned, select the persona and click View Persona.

Create a persona

  1. From the Main menu, go to Administration > Permissions > Personas and click New Persona.
  2. Enter a Persona Name to identify the persona.
  3. (Optional) Enter a Description of the purpose for this persona. The Personas page will show your entry in the Display Name column. Users will also see the description when they switch personas.
  4. Select the Color that the Tanium Console will display to help you quickly identify the persona when you are switching to it. If you do not want to use a color, click Reset Color.
  5. Click Save and confirm the operation when prompted.
  6. Configure the user, user group, computer group, and role assignments as described in the following tasks. You can then click All Personas at the top left of the page to see the new persona listed in the Personas page.

Assign users to a persona

  1. From the Main menu, go to Administration > Permissions > Personas and click the persona Name to open the persona configuration page.
  2. Click Manage Users and click Edit.
  3. Select users and click Save.
  4. Click Show Preview to Continue, review the list of affected users, and click Save.

Assign user groups to a persona

  1. From the Main menu, go to Administration > Permissions > Personas and click the persona Name to open the persona configuration page.
  2. Click Manage User Groups and click Edit.
  3. Select user groups and click Save.
  4. Review the assignments and click Save.

Assign computer groups to a persona

  1. From the Main menu, go to Administration > Permissions > Personas and click the persona Name to open the persona configuration page.
  2. Click Manage in the Computer Groups section and then click Edit.
  3. Select computer groups and click Save.
  4. Click Show Preview to Continue, review the list of affected endpoints, and click Save.

Assign roles to a persona

  1. From the Main menu, go to Administration > Permissions > Personas and click the persona Name to open the persona configuration page.
  2. Click Manage in the Roles and Effective Permissions section.
  3. Next to Grant Roles, click Edit, select roles, and click Save.
  4. Next to Deny Roles, click Edit, select roles, and click Save.
  5. Click Show Preview to Continue, review the effective permissions, and click Save.

Edit a persona

To edit the user, user group, or role assignments of a persona, see the preceding sections. To edit the persona name, description, and color settings, perform the following steps:

  1. From the Main menu, go to Administration > Permissions > Personas and click the persona Name to open the persona configuration page.
  2. Click Edit at the top right.

    The top of the persona configuration page then displays the name, description, and color settings.

  3. Update the settings and click Save.

Select a persona for your Tanium Console session

At the top right of the Tanium Console, the field beside your user name indicates your current persona. When you sign in, the Default Persona for your user account applies automatically. To switch to an alternative persona or revert to the Default Persona, perform the following steps:

  1. In the Main menu, select <current persona> > Change Persona.

    The Select a Persona dialog opens and lists the personas that are assigned to your user account or to the user groups to which you belong. The dialog uses the persona names and optional descriptions and colors as identifiers.

  2. Click Apply beside the persona that you want to use.

    The Tanium Console refreshes to display only the features and modules for which the selected persona has access permissions.

View the Administration > Management > Question History page (see Question history) and Administration > Actions > Action History page (see Manage actions that are completed or in progress) to determine which persona a user used to issue a question or deploy an action.

Export and import personas

The following procedures describe how to export and import the configurations of specific personas or all personas.

Develop and test content in your lab environment before importing that content into your production environment.

Export personas

Export personas as a CSV file to view their settings in an application that supports that format. If you have the Administrator reserved role, you can also export personas as a JSON file to import them into another Tanium Server.

  1. From the Main menu, go to Administration > Permissions > Personas.
  2. Select rows in the grid to export only specific personas. If you want to export all personas, skip this step.
  3. Click Export.
  4. (Optional) Edit the default export File Name, which is in the format: export-personas-<date>T<time>.<format>.

    The file suffix (.csv or .json) changes automatically based on the Format selection.

  5. Select an Export Data option: All personas in the grid or just the Selected personas.
  6. Select the file Format: JSON (Administrator reserved role only) or CSV.
  7. Click Export.

    The Tanium Server exports the file to the downloads folder on the system that you used to access the Tanium Console.

Import personas

You can import content files that are in JSON or XML format.

  1. Digitally sign the content file and ensure a public key is in place to validate the signature. See Authenticating content files.
  2. From the Main menu, go to Administration > Configuration > Solutions.
  3. Scroll to the Content section and click Import Content.
  4. Click Choose File, select the content file, and click Open.
  5. Click Import.

    If object names in the file are the same as for existing objects, the Tanium Console itemizes the conflicts and provides resolution options for each one.

  6. Select resolutions for any conflicts. For guidance, see Conflicts and Best practices.
  7. Click Import again, and click Close when the import finishes.

Copy persona configuration details

Copy information from the Personas page to your clipboard to paste the information into a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

  1. From the Main menu, go to Administration > Permissions > Personas.
  2. Perform one of the following steps:
    • Copy row information: Select one or more rows and click Copy.
    • Copy cell information: Hover over the cell, click Options, and click Copy.

Delete a persona

You can delete alternative personas but not the default persona. When you delete a persona, the Tanium Server removes the persona from any user or user group configurations that included it. Before deleting a persona, the best practice is to first delete the user and user group assignments from the persona configuration: see Assign users to a persona and Assign user groups to a persona. Then delete the persona as follows:

  1. From the Main menu, go to Administration > Permissions > Personas and select the persona that you want to delete.
  2. Click Delete Selected in the toolbar above the grid header.
  3. Click Delete and confirm the operation when prompted.