Restricting policy visibility

With Enforce 1.8 or later, you can create policies for specific content sets so that you can segment policy visibility between functional roles or groups.

Overview

To restrict policy visibility by group, create a content set and an RBAC role for the functional group. This example uses a content set named West and an RBAC role named West Policy Users.

Before you begin

Ensure that you have Enforce 1.8 or later.

Create a content set for a functional group

  1. From the Main menu, go to Administration > Permissions > Content Sets and then click New Content Set.
  2. Enter West for the content set name and an optional description and then click Save.

For more information about content sets, see Tanium Console User Guide: Managing content sets.

Create a role to assign to a user or user group

  1. From the Main menu, go to Administration > Permissions > Roles and then click New Role.
  2. In the Role Details section, enter West Policy Users for the role name and an optional description.
  3. In the Permissions section, grant the following permissions and add the required content sets to each.
    1. Expand Endpoint Configuration and grant the following permissions:

       Permission                       Access      Content Sets
       Endpoint Configuration           READ        Enforce Global Objects, West
       Endpoint Configuration           WRITE       West
       Endpoint Configuration API       EXECUTE     (no content set)
       Endpoint Configuration Module    USE         Enforce Global Objects, West

       Note that WRITE is granted on West only: the role can read the shared objects in Enforce Global Objects but cannot change them.

    2. Expand Enforce and grant the following permissions:

       Permission           Access         Content Sets
       Enforce              SHOW           (no content set)
       Enforce Create       ENFORCEMENT    Enforce Global Objects, West
       Enforce Edit Any     ENFORCEMENT    West
       Policy Type          READ           Enforce Global Objects, Enforce Linux, Enforce Mac, Enforce Service Objects, Enforce Windows, Reserved

  4. Click Save.
  5. Assign the West Policy Users RBAC role to the user or user group of your choice.
    1. From the Main menu, go to Administration > Permissions > Users or Administration > Permissions > User Groups and then click the name of the user or user group.
    2. In the Roles section, click Manage Roles, select West Policy Users and then click Apply.
    3. Scroll to the end of the page and click Save.

For more information about RBAC roles, see Tanium Console User Guide: Managing roles.

Create a policy

  1. Sign in to the Tanium Console as the user with the West Policy Users RBAC role.
  2. From the Main menu, go to Modules > Enforce.
  3. Follow the steps in Creating policies to create a policy and select the West content set in the Content Set section.
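The following script is an added example, not code from this page or from Tanium: it models the West Policy Users role as a set of (permission, access, content sets) grants and checks what a user holding it can see and change. The model is deliberately simple. It assumes, for the purpose of the example, that viewing a policy requires Endpoint Configuration READ on the policy's content set and that changing one requires Endpoint Configuration WRITE on that set; the sample policies and the East content set are constructed here and do not exist on the page.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set

# Constructed model of the "West Policy Users" role from the tables above.
# Illustrative only: this is not Tanium's RBAC engine, and the mapping of
# "view" -> Endpoint Configuration READ and "change" -> Endpoint Configuration
# WRITE on the object's content set is an assumption made for the example.


@dataclass(frozen=True)
class Grant:
    permission: str                              # e.g. "Endpoint Configuration"
    access: str                                  # e.g. "READ", "WRITE", "ENFORCEMENT"
    content_sets: FrozenSet[str] = frozenset()   # empty: the grant is not scoped


@dataclass(frozen=True)
class Policy:
    name: str
    content_set: str


def cs(*names: str) -> FrozenSet[str]:
    return frozenset(names)


# The grants from the two permission tables in the procedure.
WEST_POLICY_USERS: Set[Grant] = {
    Grant("Endpoint Configuration", "READ", cs("Enforce Global Objects", "West")),
    Grant("Endpoint Configuration", "WRITE", cs("West")),
    Grant("Endpoint Configuration API", "EXECUTE"),
    Grant("Endpoint Configuration Module", "USE", cs("Enforce Global Objects", "West")),
    Grant("Enforce", "SHOW"),
    Grant("Enforce Create", "ENFORCEMENT", cs("Enforce Global Objects", "West")),
    Grant("Enforce Edit Any", "ENFORCEMENT", cs("West")),
    Grant("Policy Type", "READ", cs("Enforce Global Objects", "Enforce Linux", "Enforce Mac",
                                   "Enforce Service Objects", "Enforce Windows", "Reserved")),
}


def allows(grants: Set[Grant], permission: str, access: str,
           content_set: Optional[str] = None) -> bool:
    """True if some grant gives `access` on `permission` for `content_set`.
    A grant with no content sets is unscoped and matches any content set."""
    for g in grants:
        if g.permission != permission or g.access != access:
            continue
        if not g.content_sets or content_set in g.content_sets:
            return True
    return False


def visible_policies(grants: Set[Grant], policies: List[Policy]) -> List[Policy]:
    """Policies the role can read under the assumed READ mapping."""
    return [p for p in policies
            if allows(grants, "Endpoint Configuration", "READ", p.content_set)]


def editable_policies(grants: Set[Grant], policies: List[Policy]) -> List[Policy]:
    """Policies the role can change under the assumed WRITE mapping."""
    return [p for p in policies
            if allows(grants, "Endpoint Configuration", "WRITE", p.content_set)]


def write_scope(grants: Set[Grant]) -> List[str]:
    """Content sets the role can write to: the list to review for least privilege."""
    return sorted({c for g in grants if g.access == "WRITE" for c in g.content_sets})


# Constructed sample policies: one in West, one in a hypothetical East content
# set owned by another group, and one shared object in Enforce Global Objects.
SAMPLE_POLICIES = [
    Policy("West laptop firewall", "West"),
    Policy("East laptop firewall", "East"),
    Policy("Shared baseline", "Enforce Global Objects"),
]

if __name__ == "__main__":
    print("visible :", [p.name for p in visible_policies(WEST_POLICY_USERS, SAMPLE_POLICIES)])
    print("editable:", [p.name for p in editable_policies(WEST_POLICY_USERS, SAMPLE_POLICIES)])
    print("write scope:", write_scope(WEST_POLICY_USERS))
```

Running the script shows the segmentation the procedure is meant to produce: the West user sees the West policy and the shared baseline but not the East policy, and can change only the West policy. The `write_scope` check is the one to repeat whenever the role is edited; if a content set other than West ever appears in it, the role has gained write access outside its group.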