Comply requirements

Review the requirements before you install and use Comply.

Core platform dependencies

Make sure that your environment meets the following requirements:

  • Tanium license that includes Comply

  • Tanium™ Core Platform servers: 7.4 or later

  • Tanium™ Client: Any supported version of Tanium Client. For the Tanium Client versions supported for each OS, see Tanium Client Management User Guide: Client version and host system requirements. If you use a client version that is not listed, certain product features might not be available, or stability issues can occur that can only be resolved by upgrading to one of the listed client versions.

Computer group dependencies

When you first sign in to the Tanium Console after a fresh installation of Tanium Server 7.4 or later, the server automatically imports the computer groups that Comply requires.

For earlier versions of the Tanium Server, or after upgrading from an earlier version, you must manually create the computer groups. See Tanium Console User Guide: Create a computer group.

Solution dependencies

Other Tanium solutions are required for Comply to function (required dependencies) or for specific Comply features to work (feature-specific dependencies). The installation method that you select determines if the Tanium Server automatically imports dependencies or if you must manually import them.

Some Comply dependencies have their own dependencies, which you can see by clicking the links in the lists of Required dependencies and Feature-specific dependencies. Note that the links open the user guides for the latest version of each solution, not necessarily the minimum version that Comply requires.

Tanium recommended installation

If you select Tanium Recommended Installation when you import Comply, the Tanium Server automatically imports all your licensed solutions at the same time. See Tanium Console User Guide: Import all modules and services.

Import specific solutions

If you select only Comply to import and are using Tanium Core Platform 7.5.2.3531 with Tanium Console 3.0.72 or later, the Tanium Server automatically imports the latest available versions of any required dependencies that are missing. If some required dependencies are already imported but their versions are earlier than the minimum required for Comply, the server automatically updates those dependencies to the latest available versions.

If you select only Comply to import and you are using Tanium Core Platform 7.5.2.3503 or earlier with Tanium Console 3.0.64 or earlier, you must manually import or update required dependencies. See Tanium Console User Guide: Import, re-import, or update specific solutions.

Required dependencies

Comply has the following required dependencies at the specified minimum versions:

  • Tanium™ Connect 4.10.5 or later (to customize columns for exports, you must have Connect 5.8.49 or later)

  • Tanium™ Discover 3.0 or later (required for network unauthenticated reports)

  • Tanium™ Endpoint Configuration 1.2 or later

    Endpoint Configuration is installed as part of Tanium™ Client Management 1.7 or later.

  • Tanium™ Interact 2.14.112 or later

  • Tanium™ Trends 3.6 or later

  • Tanium™ Reporting service 1.3.12 or later

    • Tanium™ API Gateway 1.1.13 or later

    • Tanium™ Blob service 1.0.6 or later

  • Tanium™ RDB service 1.2.62 or later

  • Tanium™ System User service 1.0.77 or later

Feature-specific dependencies

If you select only Comply to import, you must manually import or update its feature-specific dependencies regardless of the Tanium Console or Tanium Core Platform versions. Comply has the following feature-specific dependencies at the specified minimum versions:

Remote authenticated scanning requirements

  • Tanium Core Platform 7.4 or later
  • Tanium Comply 2.11 or later
  • Tanium Direct Connect 2.1 or later
  • Tanium Discover 4.5.144 or later

Investigations requirements

  • Tanium Client 7.4 or later

  • Tanium Interact 2.14.106 or later for full functionality (converting Findings filters to Investigations filters is not supported with earlier versions of Interact)

Remediate in Patch requirement

  • Tanium Patch 3.6.49 or later

Reporting requirement for endpoint details

  • Tanium Reporting 1.12 or later. Otherwise, Tanium Asset is used for endpoint details.
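
An added example (not Tanium code) that checks an inventory of installed solution versions against the minimums listed above and reports whether the server would resolve missing required dependencies automatically. The inventory `SAMPLE` and all function names are constructed for illustration; the fields are compared numerically because a plain string comparison ranks 4.9.120 above 4.10.5.

```python
"""Added example: pre-flight check of Comply's solution dependencies."""

# Minimum versions copied from the "Required dependencies" list on this page.
REQUIRED = {
    "Connect": "4.10.5", "Discover": "3.0", "Endpoint Configuration": "1.2",
    "Interact": "2.14.112", "Trends": "3.6", "Reporting": "1.3.12",
    "API Gateway": "1.1.13", "Blob": "1.0.6", "RDB": "1.2.62",
    "System User": "1.0.77",
}
# Feature-specific minimums from this page: feature -> {solution: minimum}.
FEATURES = {
    "custom export columns": {"Connect": "5.8.49"},
    "remote authenticated scanning": {
        "Comply": "2.11", "Direct Connect": "2.1", "Discover": "4.5.144"},
    "investigations, full functionality": {"Interact": "2.14.106"},
    "remediate in Patch": {"Patch": "3.6.49"},
    "endpoint details from Reporting": {"Reporting": "1.12"},
}


def parse(version):
    """'7.5.2.3531' -> (7, 5, 2, 3531), so fields compare as numbers."""
    return tuple(int(field) for field in version.strip().split("."))


def at_least(installed, minimum):
    """True when installed >= minimum; absent trailing fields count as 0."""
    a, b = parse(installed), parse(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def unmet(installed, minimums):
    """{solution: (installed version or None, minimum)} for each shortfall."""
    return {
        name: (installed.get(name), minimum)
        for name, minimum in minimums.items()
        if name not in installed or not at_least(installed[name], minimum)
    }


def import_mode(core_platform, console):
    """Who resolves required dependencies when only Comply is imported.

    Assumption: "or later" / "or earlier" on the page applies to both the
    Core Platform version and the Console version.
    """
    if at_least(core_platform, "7.5.2.3531") and at_least(console, "3.0.72"):
        return "automatic"
    if at_least("7.5.2.3503", core_platform) and at_least("3.0.64", console):
        return "manual"
    return "unspecified"  # the page does not cover this combination


def preflight(installed, core_platform, console):
    """Summarise what blocks Comply and which features would be missing."""
    blocked = {}
    for feature, minimums in FEATURES.items():
        gaps = unmet(installed, minimums)
        if gaps:
            blocked[feature] = gaps
    return {
        "import_mode": import_mode(core_platform, console),
        "required_gaps": unmet(installed, REQUIRED),
        "blocked_features": blocked,
    }


# Constructed inventory for illustration, not output from a real server.
SAMPLE = {
    "Comply": "2.11", "Connect": "4.9.120", "Discover": "4.5.144",
    "Endpoint Configuration": "1.2", "Interact": "2.14.112", "Trends": "3.6",
    "Reporting": "1.3.12", "API Gateway": "1.1.13", "Blob": "1.0.6",
    "RDB": "1.2.62", "System User": "1.0.77", "Direct Connect": "2.1",
}

if __name__ == "__main__":
    report = preflight(SAMPLE, "7.5.2.3531", "3.0.72")
    print(report["import_mode"])
    for name, (have, need) in report["required_gaps"].items():
        print(f"required: {name} {have} < {need}")
    for feature, gaps in report["blocked_features"].items():
        print(f"feature '{feature}' needs: {gaps}")
```

A version string with a non-numeric field raises `ValueError` in `parse`, which is the safer failure for a pre-flight check than silently guessing an order.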

Client extensions

Tanium Endpoint Configuration installs client extensions for Comply on Windows and Linux endpoints. Client extensions perform tasks that are common to certain Tanium solutions. The Tanium Client uses code signatures to verify the integrity of each client extension prior to loading the extension on the endpoint. Each client extension has recommended security exclusions to allow the Tanium processes to run without interference. See Security exclusions for more information. The following client extensions perform Comply functions:

  • Comply CX - Provides Comply functions on the endpoint. Tanium Comply installs this client extension.
  • Core CX - Provides a management framework API for all other client extensions and exposes operating system metrics. Tanium Client Management installs this client extension.
  • Config CX - Provides installation and configuration of extensions on endpoints. Tanium Client Management installs this client extension.

Endpoints

Supported operating systems

Tanium Client operating system support for Comply is the same as Tanium Client support (see Tanium Client Management User Guide: Client version and host system requirements) with the following addition.

| Operating system | Version |
|---|---|
| AIX | 7.1.4 or later |

The IBM XL C++ runtime libraries file set (xlC.rte), version 16.1.0.0 or later, and the IBM LLVM runtime libraries file set (libc++.rte) must be installed. For installation instructions, see Tanium Client Management User Guide: Deploying the Tanium Client to AIX endpoints using a package file.

The Tanium Scan Engine (TSE) is required for compliance assessments that leverage Tanium Certified standards.

Disk space requirements

Endpoints must have at least 200 megabytes (MB) available in free disk space.

Resource recommendations for satellites running remote authenticated scans

Satellite endpoints should have a minimum of 16 gigabytes (GB) RAM and 4 CPUs.

By default, a minimum of 4 gigabytes (GB) is reserved for the remote authenticated scan (RAS) heap size. You can increase this allocation in Comply Custom Settings.

Scan engines

A scan engine evaluates endpoints for security configuration exposures and software vulnerabilities using industry security standards, vulnerability definitions, and custom compliance checks.

In Comply, the scan engine evaluates Open Vulnerability Assessment Language (OVAL) or Security Content Automation Protocol (SCAP) content to determine endpoint compliance and vulnerability status. Comply generates findings based on the results of this evaluation by the scan engine.

At least one scan engine is required to use Comply. Comply 2.3 and later includes Tanium Scan Engine (powered by JovalCM) and Amazon Corretto Java Runtime Environment (JRE) versions 8.x and 11.x. Version 11.x is provided for use with supported Windows, Linux, and macOS endpoints. JRE versions 11.0.15.9.1 and later also support Mac M1 and Amazon Linux 2 EC2. Most organizations can use the Tanium Scan Engine and Amazon Corretto JRE and do not need to upload any scan engines or JREs.

If needed, you can upload other scan engines to Comply. Comply supports the Tanium Scan Engine (which is included by default), SCC (used by the United States government), and CIS-CAT scan engines. The supported versions of the scan engines are listed in the Import Engine window and on this page: Reference: Supported engines and JREs. Typically, the most recent version plus the two previous versions are supported.

The Amazon Corretto JRE is not currently supported on some distributions of Linux, AIX, and Solaris. If you need to run a scan on an endpoint with one of these operating systems and do not want to use the existing JRE on the endpoint, you can upload it to Comply. For best results, use Comply to install a JRE (rather than using the existing JRE on the endpoint) so that you know which JRE is used to run scans.

Tanium Scan Engine and CIS-CAT also require PowerShell and do not work if PowerShell is in the ConstrainedLanguage language mode.

| Operating system | Operating system version | Supported JRE distributions and versions | Can deploy using Comply? |
|---|---|---|---|
| Microsoft Windows Server | Microsoft Windows Server 2008 R2 | Java version 8 distributions provided by Oracle | Yes |
| | Microsoft Windows Server 2012 and 2012 R2 | JRE provided with Comply; Java version 8 distributions provided by either Oracle or Amazon | Yes |
| | Microsoft Windows Server 2016 and later | JRE provided with Comply; Java version 8 distributions provided by either Oracle or Amazon | Yes |
| Microsoft Windows Workstation | Microsoft Windows 7 and later | JRE provided with Comply; Java version 8 distributions provided by either Oracle or Amazon | Yes |
| macOS | macOS 10.15 Catalina and later | JRE provided with Comply; Java version 8 distributions provided by either Oracle or Amazon | Yes |
| Linux | Amazon Linux 1 AMI (2016.09, 2018.03) | JRE provided with Comply; Java version 8 distributions provided by Amazon | Yes |
| | Amazon Linux 2 LTS | JRE provided with Comply; Java version 8 distributions provided by Amazon | Yes |
| | Debian 8.x and later | JRE provided with Comply; Java version 8 distributions provided by either Oracle or Amazon | Yes |
| | Red Hat Enterprise Linux (RHEL) 5.x | Upload your own version of Java 8 | No⁵ |
| | Red Hat Enterprise Linux (RHEL) 6.x and later | JRE provided with Comply; Java version 8 distributions provided by either Oracle or Amazon | Yes |
| | Oracle Linux 5.x and later | JRE provided with Comply; Java version 8 distributions provided by either Oracle or Amazon | Yes |
| | CentOS 6.x and later | JRE provided with Comply; Java version 8 distributions provided by either Oracle or Amazon | Yes |
| | SUSE Linux Enterprise Server (SLES) 12.x and later | JRE provided with Comply; Java version 8 distributions provided by either Oracle or Amazon | Yes |
| | openSUSE 12.x and later | JRE provided with Comply; Java version 8 distributions provided by either Oracle or Amazon | Yes |
| | Ubuntu 14.x and later | JRE provided with Comply; Java version 8 distributions provided by either Oracle or Amazon | Yes |
| AIX | IBM AIX 7.1 TL1SP10 and later¹ | IBM JRE 8 | Yes² |
| | | OpenJDK JRE version 8 with the HotSpot JVM | Yes³ |
| | IBM AIX 7.2 | IBM JRE version 8 | Yes² |
| | | OpenJDK JRE version 8 with the HotSpot JVM | Yes³ |
| Solaris⁴ | Oracle Solaris 10 SPARC | Oracle JRE 8 | Yes⁴ |
| | Oracle Solaris 10 x86¹ | Oracle JRE 8 | Yes⁴ |
| | Oracle Solaris 11 SPARC | Oracle JRE 8 | Yes⁴ |
| | Oracle Solaris 11 x86¹ | Oracle JRE 8 | Yes⁴ |

1 64-bit only.

2 Only IBM JRE 8 64-bit is supported for deployment through Comply. You must repackage the JRE before it can be deployed through Comply. For details, see Repackage the IBM JRE for deployment to AIX endpoints.

3 Only version 8 is supported for deployment through Comply. Check the OpenJDK release site for supported service pack levels for a particular OpenJDK JRE release: AdoptOpenJDK: Latest release.

4 Only version 8 is supported for deployment through Comply.

5 The JRE provided with Comply may not work with older versions of Linux. Refer to the support information provided in Amazon Corretto FAQs. Upload your own version of Java 8 if you have older versions of Linux.

For more information, see Working with scan engines and JREs.

Unmanaged Endpoints

This section refers to remote authenticated scan support for unmanaged endpoints. Unmanaged endpoints are endpoints that do not have the Tanium Client installed. Comply provides standards for scanning the following unmanaged endpoints using a remote authenticated scan:

Listed operating systems may not be supported for both compliance and vulnerability scans. For the most complete, up to date support information, refer to the list of benchmarks and CVEs provided by the links in the table below.

Operating systems and operating system versions:

  • Cisco Systems

    Compliance scan support:

    • Cisco ASA 9.x

    • Cisco ASA 8.x

    • Cisco IOS 15

    • Cisco IOS 16

    • Cisco NX OS

    • Cisco IOS-XE 12.2+ (There is no certified CIS benchmark, but Tanium has tested against the Cisco IOS-XE Router NDM STIG Benchmark and Cisco IOS-XE Router RTR STIG Benchmark)

    Vulnerability scan support:

    • Cisco IOS 12.2+

    • Cisco IOS-XE 12.2+

    • Cisco ASA 9.0+

    • Cisco NX OS

  • Juniper Networks

    Compliance and vulnerability scan support:

    • JunOS 8.5R1 and later

  • VMware

    • ESX

    • ESXi

  • All operating systems supported by the Tanium Client

Remote authenticated scanning is useful for obtaining information from endpoints and subnets that do not support having the Tanium Client installed. Although you can use remote authenticated scanning for endpoints that do support the Tanium Client, you should use client-based scanning in that case for performance reasons and to take advantage of the linear chain architecture.

* Some standards are still provided for older OS types that do not support the Tanium Client and therefore could be scanned using remote authenticated scanning, such as Windows XP. The complete list of standards is viewable in the Standards pulldown field when you create an assessment.

The complete list of benchmarks Comply provides can be viewed here: https://content.tanium.com/files/published/tvl/benchmarks.html

The complete list of CVEs Comply provides can be viewed here: https://content.tanium.com/files/published/tvl/tvl.html

(Both lists are updated daily and should display newly added benchmarks and CVEs as they appear in Comply.)

See Configure a remote authenticated scan assessment for configuration details.

Host and network security requirements

Specific ports and processes are needed to run Comply.

Ports

The following ports are required for remote authenticated scanning.

| Source | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
| Satellite | Scan target endpoint | 22 | TCP | Required for SSH endpoints |
| Satellite | Scan target endpoint | 5985 | TCP | Required for Windows remote management |
| Satellite | Scan target endpoint | 443 | TCP | Required for VMware API endpoints |

All other Comply port requirements are the same as Tanium Client port requirements. See Tanium Client: Network connectivity, ports, and firewalls.

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on AV software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Comply security exclusions
| Target device | Notes | Exclusion type | Exclusion |
|---|---|---|---|
| Module Server | | Process | <Module Server>\services\comply-service\node.exe |
| | | Process | <Module Server>\services\comply-service\node_modules\ovalindex\build\bin\ovalindex.exe |
| | | Process | <Module Server>\services\comply-service\__new__\src\util\7z\7za.exe |
| | | Process | <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe |
| Windows endpoints | | Process | <Tanium Client>\TaniumCX.exe |
| | | File | <Tanium Client>\TaniumClientExtensions.dll |
| | | File | <Tanium Client>\TaniumClientExtensions.dll.sig |
| | | File | <Tanium Client>\extensions\TaniumComply.dll |
| | | File | <Tanium Client>\extensions\TaniumComply.dll.sig |
| | | File | <Tanium Client>\extensions\comply\data\comply.db |
| | | File | <Tanium Client>\extensions\comply\data\current-ciscat-config.json |
| | | File | <Tanium Client>\extensions\comply\data\current-intel-config.json |
| | | File | <Tanium Client>\extensions\comply\data\current-java-config.json |
| | | File | <Tanium Client>\extensions\comply\data\current-joval-config.json |
| | | File | <Tanium Client>\extensions\comply\data\current-scan-config.json |
| | | File | <Tanium Client>\extensions\comply\downloads\download.db |
| | | Process | <Tanium Client>\extensions\comply\jre\bin\java.exe |
| | | File | <Tanium Client>\Tools\Comply\run-assessment.vbs |
| | | File | <Tanium Client>\Tools\Comply\delete-assessment.vbs |
| Linux/macOS/AIX endpoints | | Process | <Tanium Client>/TaniumCX |
| | | File | <Tanium Client>/libTaniumClientExtensions.so |
| | | File | <Tanium Client>/libTaniumClientExtensions.so.sig |
| | | File | <Tanium Client>/extensions/libTaniumComply.so |
| | | File | <Tanium Client>/extensions/libTaniumComply.so.sig |
| | | File | <Tanium Client>/extensions/comply/data/comply.db |
| | | File | <Tanium Client>/extensions/comply/data/current-ciscat-config.json |
| | | File | <Tanium Client>/extensions/comply/data/current-intel-config.json |
| | | File | <Tanium Client>/extensions/comply/data/current-java-config.json |
| | | File | <Tanium Client>/extensions/comply/data/current-joval-config.json |
| | | File | <Tanium Client>/extensions/comply/data/current-scan-config.json |
| | | File | <Tanium Client>/extensions/comply/downloads/download.db |
| | | Process | <Tanium Client>/extensions/comply/jre/bin/java |
| | | File | <Tanium Client>/Tools/Comply/run-assessment.sh |
| | | File | <Tanium Client>/Tools/Comply/delete-assessment.sh |
| Tanium scan engine - all supported endpoints | | File | <Tanium Client>/extensions/comply/engines/joval/Joval-Utilities.jar |
| CIS-CAT engine - all supported endpoints | | File | <Tanium Client>/extensions/comply/engines/ciscat/CISCAT.jar |
| CIS-CAT engine - Linux endpoints only | | File | <Tanium Client>/extensions/comply/engines/ciscat/CIS-CAT.sh |
| CIS-CAT engine - Windows endpoints only | | File | <Tanium Client>\extensions\comply\engines\ciscat\CIS-CAT.BAT |
| SCC engine - Windows endpoints | | Process | <Tanium Client>\extensions\comply\engines\scc\cscc.exe |
| | | Process | <Tanium Client>\extensions\comply\engines\scc\cscc32.exe |
| | | Process | <Tanium Client>\extensions\comply\engines\scc\cscc64.exe |
| | | Process | <Tanium Client>\extensions\comply\engines\scc\scc.exe |
| | | Process | <Tanium Client>\extensions\comply\engines\scc\scc32.exe |
| | | Process | <Tanium Client>\extensions\comply\engines\scc\scc64.exe |
| SCC engine - Linux/macOS endpoints | | Process | <Tanium Client>/extensions/comply/engines/scc/cscc |
| | | File | <Tanium Client>/extensions/comply/engines/scc/cscc.bin |
| | | Process | <Tanium Client>/extensions/comply/engines/scc/scc |
| | | File | <Tanium Client>/extensions/comply/engines/scc/scc.bin |

For remote vulnerability assessments, see Tanium Discover User Guide: Host and network security requirements for Nmap security exclusions.

For best results, add a recursive security exclusion for the Tanium Client directory:

  • Windows endpoints: <Tanium Client>

    This path is usually C:\Program Files (x86)\Tanium\Tanium Client.

  • Linux endpoints: /opt/Tanium/TaniumClient
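
One way to audit an AV product's exclusion list against the table and the recursive-directory recommendation above, as an added example that is not part of the Tanium documentation. It assumes the AV export is a flat list of paths in which a directory entry is recursive; `audit` and the row subsets are illustrative, and the paths come from this page.

```python
from pathlib import PurePosixPath, PureWindowsPath

PLACEHOLDER = "<Tanium Client>"
# Windows paths compare case-insensitively, POSIX paths do not.
FLAVOURS = {"windows": PureWindowsPath, "posix": PurePosixPath}

# A few rows copied from the Comply security exclusions table on this page.
WINDOWS_ROWS = [
    ("Process", r"<Tanium Client>\TaniumCX.exe"),
    ("File", r"<Tanium Client>\TaniumClientExtensions.dll"),
    ("File", r"<Tanium Client>\extensions\TaniumComply.dll"),
    ("File", r"<Tanium Client>\extensions\comply\data\comply.db"),
    ("Process", r"<Tanium Client>\extensions\comply\jre\bin\java.exe"),
]
POSIX_ROWS = [
    ("Process", "<Tanium Client>/TaniumCX"),
    ("File", "<Tanium Client>/libTaniumClientExtensions.so"),
    ("File", "<Tanium Client>/extensions/libTaniumComply.so"),
    ("File", "<Tanium Client>/extensions/comply/data/comply.db"),
    ("Process", "<Tanium Client>/extensions/comply/jre/bin/java"),
]


def audit(rows, configured, client_dir, flavour):
    """Compare configured AV exclusions with the rows Comply needs.

    rows        (exclusion type, path template) pairs from the table
    configured  exclusion paths exported from the AV product; a directory
                entry is assumed to be recursive (assumption of this example)
    client_dir  Tanium Client installation directory on the endpoint
    flavour     "windows" or "posix"
    """
    path_cls = FLAVOURS[flavour]
    root = path_cls(client_dir)
    entries = [path_cls(p) for p in configured]
    # Entries above the client directory exempt more than the page asks for.
    too_broad = [str(e) for e in entries if e in root.parents]
    # Only entries at or below the client directory count as coverage, so
    # "missing" shows what is still needed once the broad ones are removed.
    scoped = [e for e in entries if e == root or root in e.parents]
    missing = []
    for kind, template in rows:
        target = path_cls(template.replace(PLACEHOLDER, client_dir))
        if not any(e == target or e in target.parents for e in scoped):
            missing.append((kind, str(target)))
    return {"missing": missing, "too_broad": too_broad}


if __name__ == "__main__":
    client = r"C:\Program Files (x86)\Tanium\Tanium Client"
    # Constructed AV export for illustration.
    export = [
        r"c:\program files (x86)\tanium\tanium client\extensions",
        client + r"\TaniumCX.exe",
        r"C:\Program Files (x86)",
    ]
    result = audit(WINDOWS_ROWS, export, client, "windows")
    for kind, path in result["missing"]:
        print(f"missing {kind} exclusion: {path}")
    for path in result["too_broad"]:
        print(f"broader than the Tanium Client directory: {path}")
```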

User role requirements

The following tables list the role permissions required to use Comply. To review a summary of the predefined roles, see Set up Comply users.

For more information about role-based access control (RBAC), role permissions, and associated content sets, see Tanium Core Platform User Guide: Managing RBAC.

Do not assign the Comply Service Account and Comply Service Account - All Content Sets roles to users. These roles are for internal purposes only.

Comply user role permissions
| Permission | Comply Administrator ¹,²,³,⁴,⁵ | Comply Operator ¹,²,³,⁴,⁵ | Comply Deployment Administrator ¹,²,³ | Comply Report Content Administrator ¹ | Comply Report Administrator ¹,²,³ | Comply Report Reviewer ¹,² | Comply Custom Check Writer ³ | Comply RAS Assessment Creator ⁴,⁵ | Comply Endpoint Configuration Approver ³ |
|---|---|---|---|---|---|---|---|---|---|
| Comply: View the Comply workbench | ADMIN, OPERATOR, SHOW | OPERATOR, SHOW | SHOW | SHOW | SHOW | SHOW | SHOW | SHOW | |
| Comply Components: Manage all back-end components in Comply such as actions | | | | | | | | | |
| Comply Custom Check: View, create, and edit custom checks | WRITE | WRITE | | | | | WRITE | | |
| Comply Deployment: View, create, and edit targets and update Comply engines | READ, WRITE | READ, WRITE | READ, WRITE | | | | | | |
| Comply Investigation: View and create findings investigations | READ, WRITE | READ, WRITE | | | | | | | |
| Comply Report: View, create, and edit Comply reports and assessments | READ, WRITE | READ, WRITE | | | READ, WRITE | READ | | READ, WRITE | |
| Comply Report Content: View and manage Comply standards | READ, WRITE | READ, WRITE | READ, WRITE | READ, WRITE | READ | READ | READ | READ | |
| Comply Reports: View and create reports (minimum required privileges for viewing and creating reports and findings) | | | | | READ, WRITE | READ | | | |
| Comply Credential: View, create, and edit credentials for RAS assessments | READ, WRITE | READ, WRITE | | | READ | | | READ | |
| Comply RAS Assessment: View, create, and edit RAS assessments | READ, WRITE | READ, WRITE | | | READ, WRITE | | | READ, WRITE | |
| Comply Scan: View assessments and run on-demand scans | EXECUTE | EXECUTE | | | EXECUTE | | | EXECUTE | |
| Comply Endpoint Configuration Approve: Enables approver privileges in Tanium Endpoint Configuration for Comply changes | | | | | | | | | APPROVE |
| Interact Result Expansion Content: View, create, and edit expansions (internal purposes only) | READ, WRITE | READ, WRITE | | | | | | | |


1 This role provides module permissions for Tanium Trends. You can view which Trends permissions are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements.

2 This role provides module permissions for Tanium Interact. You can view which Interact permissions are granted to this role in the Tanium Console. For more information, see Tanium Interact User Guide: Tanium Data Service permissions.

3 This role provides module permissions for Tanium Endpoint Configuration. For more information, see the Tanium Endpoint Configuration User Guide: User role requirements.

4 This role provides module permissions for Tanium Direct Connect. For more information, see Tanium Direct Connect User Guide: User role requirements.

5 This role provides module permissions for Tanium Discover. For more information, see Tanium Discover User Guide: User role requirements.

Provided Comply platform content user role permissions
| Permissions | Comply Administrator | Comply Operator | Comply Deployment Administrator | Comply Report Content Administrator | Comply Report Administrator | Comply Report Reviewer | Comply Custom Check Writer | Comply RAS Assessment Creator |
|---|---|---|---|---|---|---|---|---|
| Action | READ, WRITE | READ, WRITE | READ, WRITE | | READ, WRITE | READ | | READ, WRITE |
| Action For Saved Question | WRITE | WRITE | | | WRITE | | | WRITE |
| Own Action | READ | READ | READ | | READ | READ | | READ |
| Package | READ, WRITE | READ, WRITE | READ, WRITE | | READ, WRITE | | | READ, WRITE |
| Plugin | EXECUTE | EXECUTE | EXECUTE | EXECUTE | EXECUTE | EXECUTE | EXECUTE | EXECUTE |
| Saved Question | READ, WRITE | READ, WRITE | READ, WRITE | | READ, WRITE | READ | | READ, WRITE |
| Sensor | READ | READ | READ | | READ | READ | | READ |

To view which content set permissions are granted to a role, see Tanium Console User Guide: View effective role permissions.