Managing users

A user configuration associates personas, user groups, computer management groups, and roles with a user. You can create user accounts locally on the Tanium Server or import them from a Lightweight Directory Access Protocol (LDAP) or Active Directory (AD) server. If your deployment requires both local and imported users, configure the imports first (see Integrating with LDAP servers).

The following figure illustrates the relationship between users and other Tanium RBAC components:

Figure 1: Tanium users

For the user role permissions required to manage users, see RBAC management permissions.

User authentication

In a Tanium as a Service (TaaS) deployment, all users authenticate through a Security Assertion Markup Language (SAML) identity provider (IdP). Contact Tanium Support for details.

You can configure the following methods to authenticate users when they access the Tanium Console or API:

If you use an external service for authentication, the best practice is to maintain at least one user account that relies on local authentication, and assign the Administrator reserved role to that account. If the external service ever becomes unavailable (for example, the connection to the LDAP server or SAML IdP goes down), this local user can still access the Tanium Console and reconfigure the connection to the external service as necessary. Optionally, you can use the default user that is created during Tanium Server installation for this purpose.

Default user

During the setup of your Tanium as a Service (TaaS) deployment, an administrator account is created that you can use to sign into the Tanium Console for the first time. This user is based on an IdP account that your organization selects as the primary administrator for your TaaS deployment. The user has unrestricted computer group management rights. The user also has the Admin reserved role, which enables access to all the features that are available in TaaS, including the ability to configure role-based access control (RBAC) for all other TaaS users.

The Tanium Server installation process creates a Tanium Console user account that has permissions similar to the root or admin superuser in some operating systems. This initial user is assigned the All Computers computer group and the Administrator reserved role, enabling this user to do anything in the Tanium Core Platform. However, this user is not a built-in user like root or admin, so you can modify or delete the account.

View user settings

  1. From the Main menu, go to Administration > Management > Users.

    The Users grid displays the basic attributes of each user, such as the user Name and the number of assigned computer groups. However, to see the specific user groups, computer groups, personas, or roles (and permissions) that are assigned, you must display the configuration of a particular user.

    To display deleted users, set the Users toggle to All (default is Active users only). The Status column indicates which users are active or deleted.

  2. (Optional) Use the filters to find specific users:
    • Filter by text: To filter the grid by user name, display name, or domain name, enter a text string in the Filter items field.
    • Filter by attribute: Filter the grid by one or more attributes, such as the number of assigned Computer Groups. Expand the Filters section, click Add, select an attribute and operator, enter a text string that contains all or part of the attribute value, and click Apply. If you add multiple attribute filters, the Boolean AND operator applies. After you finish specifying attributes, click Apply All to filter the grid.
  3. (Optional) To see the user groups, computer groups, personas, roles, and permissions that are assigned to a user, select the user and click View User.

Create a user

When you create a user configuration, by default it has no computer management groups, alternative personas, user groups, or roles until you assign them. A user with no roles can sign into the Tanium Console but cannot access anything. Do not create configurations for user accounts that you import from an LDAP server (for details, see Integrating with LDAP servers).

  1. From the Main menu, go to Administration > Management > Users.
  2. Click New User.
  3. Specify a user name that matches one of the following:
    • A user account that is defined locally on the Tanium Server.
    • A user account that is defined in your IdP.
    • (Windows only) An AD account name. Specify just the user name, not the domain name. The Tanium Server uses Windows Authentication, and does not store or manage sign-in credentials for the user.
  4. Click Save to create the user.
  5. Add optional user properties and assign computer groups, user groups, roles, and personas to the user, as described in the following sections.

For the methods to authenticate users, see User authentication.

Edit user properties

You can add name-value pairs to document user details such as full name, organization, email address, and phone number.

  1. From the Main menu, go to Administration > Management > Users.
  2. Select the user and click View User.
  3. Click Properties.
  4. Click Add Property.
  5. Use the controls to add name-value pairs and click Save.

Assign computer management groups to a user

Perform the following steps to assign computer management groups to the default persona of a user. To configure computer group assignments through an alternative persona, edit the persona configuration (see Assign computer groups to a persona) and assign the persona to the user (see Assign personas to a user).
  1. From the Main menu, go to Administration > Management > Users.
  2. Select the user and click View User.
  3. In the Computer Groups section, click Manage and Edit.
  4. Specify Selected Management Rights, select computer management groups, and click Save.

    Selections are logically combined. The union of All Computers and No Computers is effectively All Computers. Tanium strongly recommends that you do not select Unrestricted Management Rights, unless you want the user to be able to ask questions of all endpoints across all computer groups regardless of security considerations.

  5. Click Show Preview to Continue, review the impact of your changes, and click Save.

Assign user groups to a user

  1. From the Main menu, go to Administration > Management > Users.
  2. Select the user and click View User.
  3. In the User Groups section, click Manage and Edit.
  4. Select user groups and click Save.
  5. Click Show Preview to Continue, review the impact of your changes, and click Save.

Assign roles to a user

Perform the following steps to assign roles to the default persona of a user. To configure roles through an alternative persona, edit the persona configuration (see Assign roles to a persona) and assign the persona to the user (see Assign personas to a user).

  1. From the Main menu, go to Administration > Management > Users.
  2. Select the user and click View User.
  3. In the Roles and Effective Permissions section, click Manage.
  4. In the Grant Roles section, click Edit, select roles, and click Save.
  5. In the Deny Roles section, select roles, and click Save.
  6. Click Show Preview to Continue, review the impact of your changes, and click Save.

Assign personas to a user

The Tanium Server automatically assigns a default persona to new user accounts and, after you upgrade to Tanium Core Platform 7.4 or later, to existing pre-upgrade accounts. A user with the Administrator reserved role (Admin in TaaS) must manually assign alternative personas as follows. For details on personas, see Managing personas.

  1. From the Main menu, go to Administration > Management > Users.
  2. Select the user and click View User.
  3. Click Alternative Personas and Manage.
  4. Select personas and click Save.

View effective permissions

  1. From the Main menu, go to Administration > Management > Users to open the users summary page.
  2. Select the user and click View User.
  3. Select the type of persona for which you want to see permissions:
    • Default Persona: This is the default selection, and shows permissions for the roles that are assigned to the default persona of the user or of user groups that the user belongs to.
    • Alternative Personas: Select an alternative persona to see the permissions for the roles that are assigned to it.
  4. Review the role assignments, inherited roles, and the lists of the resulting global, micro admin, and content set permissions.
  5. Click Back to all Users to return to the Users page.

Delete, undelete, or lock out a user

When employees leave your organization, you have the following options for locking down their access to the Tanium system:

  • Assign the Deny All role to the user. The user can still sign into the Tanium Console, but cannot access any console functionality. The Administration > Management > Users page displays grayed-out user names for users with the Deny All role.
  • Delete the Tanium Console configuration for a manually created user.
  • Disable the AD or LDAP user account that is associated with the Tanium Console user configuration, or change the password if it is an administrator alias account. If the Tanium Server imported the user through an LDAP server, it is important to modify the user details on the LDAP server so that the Tanium Server does not import the user again at the next synchronization.

Considerations when deleting users

Deleting a user has the following consequences for scheduled activities:

  • Plugin schedules associated with the user continue to run.
  • Saved question schedules associated with the user continue to run.
  • Scheduled actions associated with the user stop running.

After you delete the user, you can delete the content that the user owns or transfer ownership to an active user: see Delete, disable, or transfer ownership for the content of a non-active user.

Locked-out users

The Tanium Server designates users that it imported from an LDAP server as locked out when the LDAP synchronization data indicates that the associated LDAP account is disabled or when the data is missing. While the user has locked-out status, the user cannot sign in, but scheduled content that the user owns continues to run.

The Administration > Management > Users page shows the Locked out status of users:

  • Locked out - disabled: The data that the latest LDAP synchronization returns indicates the user account is disabled. When off-boarding employees, the best practice is to disable LDAP accounts rather than delete them to avoid deleting associated records.
  • Locked out - missing: The latest LDAP synchronization returned no data for the user. Data might be missing if the user was deleted from the LDAP server or otherwise no longer matches the filter expression that the LDAP server uses.

Check the policy of your organization for managing locked-out users. One option is to delete them and transfer the content that they own to another user: see Delete, disable, or transfer ownership for the content of a non-active user.

Delete a user

  1. From the Main menu, go to Administration > Management > Users.
  2. Select the user and click Delete.

    To display deleted users, set the Users toggle to All (default is Active users only). The Status column indicates which users are active or deleted.

  3. (Optional) Transfer, disable, or delete content that the deleted user owned: see Delete, disable, or transfer ownership for the content of a non-active user.

Undelete a user

Undelete one user at a time:

  1. From the Main menu, go to Administration > Management > Users.
  2. Set the Users toggle to All (default is Active users only).

    The Status column indicates which users are active or deleted.

  3. Select the row for the deleted user, click Undelete User, and confirm the operation.

Delete, disable, or transfer ownership for the content of a non-active user

The Manage Non-Active User Content page lists users who are deleted or locked out and who own content. You can use the page to delete, disable, or transfer ownership of that content. By default, the persona that a user selects for a Tanium session is the owner of any content that the user creates during the session. You can transfer ownership from the personas of a non-active user to the personas of one or more active users. You must perform one delete, disable, or transfer operation at a time. Repeat the operations as many times as necessary to process all the content for the non-active user.

When you transfer content ownership, the new owner does not have to match the non-active user with respect to role permissions and computer management group assignments. However, transferring ownership of scheduled actions and saved questions to a non-matching user might have unintended consequences. For example, all scheduled actions that you transfer to a non-matching user are disabled after the transfer. Before performing the transfer, compare the computer management group assignments of the non-active user and the new owner to understand which endpoints will receive the actions and questions after the transfer. To see computer group assignments for a user, from the Main menu go to Administration > Management > Users, select the user, and click View User.

Perform the following steps to delete, disable, or transfer ownership of the content that a non-active user owns:

  1. From the Main menu, go to Administration > Content > Content Alignment and click Manage Non-Active User Content.
  2. Select the row for the user (persona) and click Manage Content.
  3. Select an option to manage the content.

    • Delete Selected Content: Remove content that the non-active user owns and that no other users need.
    • Disable Selected Scheduled Content: Disable activities that repeat on a schedule, such as saved questions with reissue intervals, scheduled actions, or plugin schedules that run in the context of the non-active user.
    • Transfer Selected Content to Matching User: Transfer ownership of content that is still needed to a user that has the same role and computer management group assignments as the non-active user. Select the user name of the new owner. If you are transferring content that belongs to an alternative persona, also select a matching persona of the new owner.
    • Transfer Selected Content to Administrator: Transfer ownership of content that is still needed to any user who has the Administrator reserved role, regardless of whether the computer group and role assignments of that user match the non-active user. Select the user name of the new owner. If you are transferring content that belongs to an alternative persona, also select a persona of the new owner.
    • Transfer Selected Content to Any User: Transfer ownership of content that is still needed to any user, regardless of whether the computer group and role assignments of that user match the non-active user. Select the user name of the new owner. If you are transferring content that belongs to an alternative persona, also select a persona of the new owner.
  4. In the Select Content section, review and select the content that you want to delete, disable, or transfer.
  5. Click Confirm.
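The transfer options above hinge on whether the new owner is a "matching user" (same roles and computer management group assignments), and the earlier section on computer management groups states how selections combine (the union of All Computers and No Computers is All Computers). The following is an added example, not Tanium code: it models the effective computer group scope of a user under those union rules, applies the matching check, and previews a transfer the way the caveat in this section describes (scheduled actions moved to a non-matching user are disabled, and saved questions start targeting the new owner's endpoints). The class and function names and the sample users are assumptions for illustration; treating Unrestricted Management Rights as equivalent to All Computers for scope purposes is a modelling simplification.

```python
# Added example (not Tanium code): effective computer-group scope, the
# "matching user" check, and a transfer preview for a non-active user's content.
# Names, fields and sample data below are assumptions for illustration.
from dataclasses import dataclass

ALL_COMPUTERS = "All Computers"
NO_COMPUTERS = "No Computers"


@dataclass(frozen=True)
class UserScope:
    """Default-persona assignments of a user (constructed, not a Tanium API type)."""
    name: str
    roles: frozenset
    computer_groups: frozenset
    unrestricted: bool = False  # "Unrestricted Management Rights" selected


def effective_groups(scope: UserScope) -> frozenset:
    """Selections are logically combined as a union: All Computers absorbs
    every other selection, and No Computers contributes nothing.
    Unrestricted rights are modelled as All Computers (simplification)."""
    if scope.unrestricted or ALL_COMPUTERS in scope.computer_groups:
        return frozenset({ALL_COMPUTERS})
    return frozenset(g for g in scope.computer_groups if g != NO_COMPUTERS)


def is_matching_user(old: UserScope, new: UserScope) -> bool:
    """A matching user has the same roles and the same effective computer groups."""
    return old.roles == new.roles and effective_groups(old) == effective_groups(new)


def plan_transfer(old: UserScope, new: UserScope, content: list) -> dict:
    """Preview moving `content` (a list of (kind, name) tuples) from a non-active
    user to a new owner. Scheduled actions transferred to a non-matching user
    are disabled; the group deltas show which endpoints gain or lose the
    transferred saved questions and actions."""
    old_groups, new_groups = effective_groups(old), effective_groups(new)
    matching = is_matching_user(old, new)
    return {
        "matching": matching,
        "disabled_scheduled_actions": sorted(
            name for kind, name in content
            if kind == "scheduled_action" and not matching
        ),
        "groups_gained": sorted(new_groups - old_groups),
        "groups_lost": sorted(old_groups - new_groups),
    }


# Constructed sample data: alice is the non-active user whose content is moved.
ALICE = UserScope("alice", frozenset({"Deploy Operator"}),
                  frozenset({"Servers", NO_COMPUTERS}))
BOB = UserScope("bob", frozenset({"Deploy Operator"}), frozenset({"Servers"}))
CAROL = UserScope("carol", frozenset({"Deploy Operator"}),
                  frozenset({"Servers", "Workstations"}))
ALICE_CONTENT = [("scheduled_action", "Patch servers weekly"),
                 ("saved_question", "Services running on Servers")]

if __name__ == "__main__":
    for candidate in (BOB, CAROL):
        print(candidate.name, plan_transfer(ALICE, candidate, ALICE_CONTENT))
```

Bob matches alice because her No Computers selection adds nothing to the union, so the transfer is clean; Carol does not match, so the preview lists the scheduled action that would be disabled and the extra group (Workstations) whose endpoints would start receiving the saved question.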

After you delete a user, Tanium module features associated with the user, such as a scheduled Tanium Connect job that the user created, might stop running. If this is the case, go to the module workbench and update the configuration. For example, in Connect, you can go to the Connections page and click the Take Ownership link to give ownership of the scheduled connection to the user account that you used to sign in.

Enable or disable access for local users

By default, users whose accounts are local to the Tanium Server can access the Tanium Console. However, if you transition to an external authentication service such as an LDAP server or SAML IdP and you want to ensure all user access is through that service, disable local authentication.

Local users on a Tanium Appliance

To disable or re-enable Tanium Console access for user accounts that are local to a Tanium Appliance, see Tanium Appliance Deployment Guide: Configure the local authentication service.

Local users on a Windows server

Perform the following steps to disable or re-enable Tanium Console access for user accounts that are local to a Tanium Server installed on a Windows server.

If you disable local account sign ins and the remote authentication service later stops working (for example, the connection to the LDAP server or SAML IdP goes down), no users can access the Tanium Console, including the default user. In such cases, you must re-enable local authentication through the CLI by running the following command from the Tanium Server installation folder:
TaniumReceiver global-settings set soap_enable_local_auth 1

  1. From the Main menu, go to Administration > Management > Global Settings and select soap_enable_local_auth in the grid.
  2. In the Selected System Setting pane, click Edit.
  3. In the Setting Value, enter 0 to disable or 1 to enable local authentication, and then click Save.

Export or import user configurations

The following procedures describe how to export and import the configurations of specific users or all users.

Develop and test content in your lab environment before importing that content into your production environment.

Export user configurations

Export user configurations as a CSV file to view their settings in an application that supports that format. If you have the Administrator reserved role, you can also export user configurations as a JSON file to import them into another Tanium Server.

  1. From the Main menu, go to Administration > Management > Users.
  2. Select rows in the grid to export only specific user configurations. If you want to export all user configurations, skip this step.
  3. Click Export.
  4. (Optional) Edit the default export File Name, which is in the format: export-users-<date>T<time>.<format>.

    The file suffix (.csv or .json) changes automatically based on the Format selection.

  5. Select an Export Data option: All user configurations in the grid or just the Selected user configurations.
  6. Select the file Format: JSON (Administrator reserved role only) or CSV.
  7. Click Export.

    The Tanium Server exports the file to the downloads folder on the system that you used to access the Tanium Console.

Import user configurations

You can import content files that are in JSON or XML format.

  1. Digitally sign the content file and ensure a public key is in place to validate the signature. See Authenticating content files.
  2. From the Main menu, go to Administration > Configuration > Solutions.
  3. Scroll to the Content section and click Import Content.
  4. Click Choose File, select the content file, and click Open.
  5. Click Import.

    If object names in the file are the same as for existing objects, the Tanium Console itemizes the conflicts and provides resolution options for each one.

  6. Select resolutions for any conflicts. For guidance, see Conflicts and Best practices.
  7. Click Import again, and click Close when the import finishes.

Copy user configuration details

Copy configuration details from the grid in the Users page to your clipboard for pasting into a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

  1. From the Main menu, go to Administration > Management > Users.
  2. Perform one of the following steps:
    • Copy row information: Select one or more rows and click Copy.
    • Copy cell information: Hover over the cell, click Options, and click Copy.