Restricting policy visibility

With Enforce 1.8 or later, you You can create policies for specific content sets so that you can segment policy visibility between functional roles or groups.

Overview

To restrict policy visibility by groups, you can create a content set and an RBAC role for your functional group. A content set named West and an RBAC role named West Policy Users is used for this example.

Before you begin

Ensure that you have Enforce 1.8 or later.

Create a content set for a functional group

  1. From the Main menu, go to Administration > Permissions > Content Sets and then click New Content Set.
  2. Enter West for the content set name and an optional description, and then click Save.

For more information about content sets, see Tanium Console User Guide: Managing content sets.

Create a role to assign to a user or user group

  1. From the Main menu, go to Administration > Permissions > Roles and then click New Role.
  2. In the Role Details section, enter West Policy Users for the role name and an optional description.
  3. In the Permissions section, grant the following permissions and add required content sets.
    1. Expand Endpoint Configuration to grant the following permissions:
      PermissionAccessContent Sets
      Endpoint ConfigurationREAD

      Enforce Global Objects

      West

      WRITEWest
      Endpoint Configuration APIEXECUTE 
      Endpoint Configuration ModuleUSE

      Enforce Global Objects

      West

    2. Expand Enforce to grant the following permissions:
      PermissionAccessContent Sets
      EnforceSHOW

       

      Enforce CreateENFORCEMENT

      Enforce Global Objects

      West

      Enforce Edit AnyENFORCEMENTWest
      Policy TypeREAD

      Enforce Global Objects

      Enforce Linux

      Enforce Mac

      Enforce Service Objects

      Enforce Windows

      Reserved

  4. Click Save.
  5. Assign the West Policy Users RBAC role to the user or user group of your choice.
    1. From the Main menu, go to Administration > Permissions > User or Administration > Permissions > User Groups and then click on the name of the user or user group.
    2. In the Roles section, click Manage Roles, select West Policy Users, and then click Apply.
    3. Scroll to the end of the page and click Save.

For more information about RBAC roles, see Tanium Console User Guide: Managing roles.

Create a policy

  1. Sign in to the Tanium Console as the user with the West Policy Users RBAC role.
  2. From the Main menu, go to Modules > Enforce.
  3. Follow the steps in Creating policies to create a policy and select the West content set in the Content Set section.