Managing user groups

A user group configuration associates personas, users, computer management groups, and roles with a user group. You can create user groups locally on the Tanium Server or import them from a Lightweight Directory Access Protocol (LDAP) or Active Directory (AD) server. If your deployment requires both local and imported groups, configure the imports first (see Integrating with LDAP servers).

The following figure illustrates the relationship between user groups and other Tanium RBAC components:

Figure 1: Tanium user groups

For the user role permissions required to manage user groups, see RBAC management permissions.

View user groups

  1. From the Main menu, go to Administration > User Groups.

    The User Groups grid displays the basic attributes of each user group, such as the group Name and the number of assigned computer groups. However, to see the specific users, computer groups, personas, or roles (and permissions) that are assigned, you must display the configuration of a particular user group.

  2. (Optional) Use the filters to find specific user groups:
    • Filter by text: To filter the grid by user group name, enter a text string in the Filter items field.
    • Filter by attribute: Filter the grid by one or more attributes, such as the number of assigned Computer Groups. Expand the Filters section, click Add, select an attribute and operator, enter a text string that contains all or part of the attribute value, and click Apply. If you add multiple attribute filters, the Boolean AND operator applies. After you finish specifying attributes, click Apply All to filter the grid.
  3. (Optional) To see the users, computer groups, personas, roles, and permissions that are assigned to a user group, select the user group and click View User Group.

Create a user group

Perform the following steps to configure a user group that is local to the Tanium Server. Do not create configurations for groups that you import from an LDAP server (for details, see Integrating with LDAP servers).

  1. From the Main menu, go to Administration > Management > User Groups.
  2. Click New User Group, specify a User Group Name, and click Save.
  3. Assign computer groups, users, roles, and personas to the user group, as described in the following sections.

Assign computer management groups to a user group

Perform the following steps to assign computer management groups to the default persona of a user group. To configure computer group assignments through an alternative persona, edit the persona configuration (see Assign computer groups to a persona) and assign the persona to the user group (see Assign personas to a user group).

  1. From the Main menu, go to Administration > Management > User Groups.
  2. Select the user group and click View User Group.
  3. In the Computer Groups section, click Manage and Edit.
  4. Select items and click Save.

    Specify No Management Rights Assigned if you do not want users to inherit computer groups from this configuration. Otherwise, specify Selected Management Rights and then select the computer groups that you want users to inherit from this configuration.

  5. Click Show Preview to Continue, review the impact of your changes, and click Save.

Assign users to a user group

  1. From the Main menu, go to Administration > Management > User Groups.
  2. Select the user group and click View User Group.
  3. Click Manage Users and Edit.
  4. Select users and click Save.
  5. Click Show Preview to Continue, review the impact of your changes, and click Save.

Assign roles to a user group

Perform the following steps to assign roles to the default persona of a user group. To configure roles through an alternative persona, edit the persona configuration (see Assign roles to a persona) and assign the persona to the user group (see Assign personas to a user group).

  1. From the Main menu, go to Administration > Management > User Groups.
  2. Select the user group and click View User Group.
  3. Click Edit Roles.
  4. In the Grant Roles section, click Edit, select roles, and click Save.
  5. In the Deny Roles section, click Edit, select roles, and click Save.
  6. Click Show Preview to Continue, review the impact of your changes, and click Save.

Assign personas to a user group

The Tanium Server automatically assigns a default persona to new user groups and, after you upgrade to Tanium Server 7.4 or later, to existing pre-upgrade groups. A user with the Administrator reserved role must manually assign alternative personas as follows. For details on personas, see Managing personas.

  1. From the Main menu, go to Administration > Management > User Groups.
  2. Select the user group and click View User Group.
  3. Click Alternative Personas and Manage.
  4. Select personas and click Save.

Delete a user group

When you delete a user group configuration, users stop inheriting persona, computer management group, and role assignments from it. Perform the following tasks in the given order as a best practice when deleting a user group:

  1. Delete the persona and user assignments from the user group. For the steps, see Assign users to a user group and Assign personas to a user group.

  2. Review the impact of deleting persona and user assignments on the effective permissions of users. For the steps, see View effective permissions.

  3. Delete the user group configuration: From the Main menu, go to Administration > Management > User Groups, select the group, and click Delete Selected.

View effective permissions

  1. From the Main menu, go to Administration > Management > User Groups to open the user groups summary page.
  2. Click the Name of the user group configuration that you want to review.
  3. Select the type of persona for which you want to see permissions:
    • Default Persona: This is the default selection, and shows permissions for the roles that are assigned to the default persona of the user group.
    • Alternative Personas: Select an alternative persona to see permissions for the roles that are assigned to it.
  4. Review the role assignments and the lists of the resulting global, micro admin, and content set permissions.
  5. Click Back to all User Groups to return to the User Groups page.

Export or import user group configurations

The following procedures describe how to export and import the configurations of specific user groups or all user groups.

Develop and test content in your lab environment before importing that content into your production environment.

Export user group configurations

Export user group configurations as a CSV file to view their settings in an application that supports that format. If you have the Administrator reserved role, you can also export user group configurations as a JSON file to import them into another Tanium Server.

  1. From the Main menu, go to Administration > Management > User Groups.
  2. Select rows in the grid to export only specific user group configurations. If you want to export all user group configurations, skip this step.
  3. Click Export.
  4. (Optional) Edit the default export File Name, which is in the format: export-user_groups-<date>T<time>.<format>.

    The file suffix (.csv or .json) changes automatically based on the Format selection.

  5. Select an Export Data option: All user group configurations in the grid or just the Selected user group configurations.
  6. Select the file Format: JSON (Administrator reserved role only) or CSV.
  7. Click Export.

    The Tanium Server exports the file to the downloads folder on the system that you used to access the Tanium Console.

Import user group configurations

You can import content files that are in JSON or XML format.

  1. Digitally sign the content file and ensure a public key is in place to validate the signature. See Authenticating content files.
  2. From the Main menu, go to Administration > Configuration > Solutions.
  3. Scroll to the Content section and click Import Content.
  4. Click Choose File, select the content file, and click Open.
  5. Click Import.

    If object names in the file are the same as for existing objects, the Tanium Console itemizes the conflicts and provides resolution options for each one.

  6. Select resolutions for any conflicts. For guidance, see Conflicts and Best practices.
  7. Click Import again, and click Close when the import finishes.

Copy the user group configuration details

Copy configuration details from the grid in the User Groups page to your clipboard for pasting into a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

  1. From the Main menu, go to Administration > Management > User Groups.
  2. Perform one of the following steps:
    • Copy row information: Select one or more rows and click Copy.
    • Copy cell information: Hover over the cell, click Options, and click Copy.