Managing action approval

Some organizations implement two-person integrity, which means that actions a user initiates cannot deploy until another user approves those actions. A pending action is one that is initiated but not yet approved. Approvers can be users with the Administrator reserved role or a role that grants Approve Action and Sensor read permissions. If your organization allows exceptions to approval requirements, you can configure a role that grants Bypass Action Approval permission.

For the role permissions that are required to manage action approval, see Manage action approval.

Tanium Endpoint Configuration 1.6 or later automatically bypasses approval at the Tanium Core Platform level when deploying actions that distribute client configuration and manifest packages. To require approval for these actions, configure Endpoint Configuration approvals. See Tanium Endpoint Configuration User Guide: Managing approvals.

Create an action approver role

Users who have a role that grants Approve Action permission can approve pending actions that are associated with packages in the specified content sets.

  1. From the Main menu, go to Administration > Permissions > Roles.
  2. Configure a custom role that grants Approve Action and Sensor read permissions on the content sets that you specify, and click Save.

Create a bypass action approval role

Users who have a role that grants Bypass Action Approval permission are not subject to approval requirements when they deploy actions that are associated with packages in the specified content sets.

  1. From the Main menu, go to Administration > Permissions > Roles.
  2. Configure a custom role that grants Bypass Action Approval permission on the content sets that you specify, and click Save.
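The approver and bypass roles described above are worth auditing together, because a bypass grant exempts its holder from two-person integrity. The following is an added example, not Tanium code: it checks a constructed role and assignment list for bypass holders, for users who can both approve and bypass on the same content set, and for approvers with no Sensor read permission. The data layout and finding labels are assumptions.

```python
from collections import defaultdict

APPROVE = "Approve Action"
SENSOR_READ = "Sensor read"
BYPASS = "Bypass Action Approval"

# Constructed sample data; this layout is an assumption, not a Tanium export format.
# role name -> {content set -> permissions granted on that content set}
ROLES = {
    "Patch Approver":   {"Patch Content": {APPROVE, SENSOR_READ}},
    "Half Approver":    {"Base": {APPROVE}},
    "Emergency Deploy": {"Patch Content": {BYPASS}},
}
# user -> assigned roles (directly or through a user group or persona)
ASSIGNMENTS = {
    "alice": ["Patch Approver"],
    "bob":   ["Half Approver"],
    "carol": ["Patch Approver", "Emergency Deploy"],
}

def effective_permissions(user, roles=ROLES, assignments=ASSIGNMENTS):
    """Union of permissions per content set across all roles assigned to user."""
    perms = defaultdict(set)
    for role in assignments.get(user, []):
        for content_set, granted in roles[role].items():
            perms[content_set] |= granted
    return dict(perms)

def audit(roles=ROLES, assignments=ASSIGNMENTS):
    """Return sorted (user, content_set, finding) tuples that need review."""
    findings = []
    for user in assignments:
        perms = effective_permissions(user, roles, assignments)
        can_read_sensors = any(SENSOR_READ in p for p in perms.values())
        for content_set, granted in perms.items():
            if BYPASS in granted:
                findings.append((user, content_set, "bypasses approval"))
                if APPROVE in granted:
                    findings.append((user, content_set, "approver who can also bypass"))
            if APPROVE in granted and not can_read_sensors:
                findings.append((user, content_set, "approver lacks Sensor read"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit():
        print(*finding, sep=" | ")
```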

Assign the action approval and bypass roles

You can assign the action approval and bypass roles to personas, users, and user groups:

Enable or disable action approval

  1. From the Main menu, go to Administration > Configuration > Settings > Platform Settings.
  2. Set Require Action Approval to ON (enable) or OFF (disable), and click Save All.
  3. (Optional) Give users the option to approve multiple actions without being prompted to review the action configurations: Set Bulk Approval to ON (enable) or OFF (disable), and click Save All.

    This setting enables the More > Bulk Approval option in the Actions I can Approve page.

If any pending actions exist when you disable action approval, those actions can never deploy. To avoid this, ask your approver to delete the pending actions before disabling the feature. Alternatively, after disabling the feature, go to Administration > Actions > Scheduled Actions, review the pending actions, and reissue any that are still needed.

Review and manage pending actions

When action approval is enabled, users with the Administrator reserved role can display the Administration > Actions > All Pending Approvals page. The page has the same fields and action buttons as the Administration > Actions > Scheduled Actions page (see Manage scheduled actions), but displays only the actions that are waiting for approval.

Figure 1: All Pending Approvals page

Approve pending actions

You can approve one-time only or recurring (scheduled) actions that other users create. For recurring actions, approval is a manual process only for the first deployment interval and is automatic for subsequent intervals. The approval remains in force until the End At date-time that is set in the action configuration or until someone modifies the configuration.

Even if you are assigned a role that grants Approve Action permission, you cannot approve an action that you modified. If you modify an action, only other users who have Approve Action permission can approve it.

  1. Sign in as a user who is assigned a role with Approve Action permission.

    The Administration menu and its Actions > Actions I Can Approve sub-menu show the number of actions that you can approve.

  2. From the Main menu, go to Administration > Actions > Actions I Can Approve.
  3. (Optional) To find specific actions, configure any of the following filters and click Apply All:
    • Text string: Enter a text string in the Filter items field to filter the grid by any value text in any column.
    • Date Range: Filter the grid to display only actions for which the Start At date is within a specific future date range, such as the next 24 Hours. The default All means no date range filter is applied.
    • Action group: Add one or more action groups as a filter by selecting one at a time in the Select Action Group drop-down.
    • Attribute: Click Filters, click Add, select an action attribute (such as Issuer), select an operator (such as is equal to), enter an attribute value (such as administrator), and click Apply. After you finish specifying attributes, click Apply All to filter the grid.
  4. (Optional) Specify the time standard that the page uses to display action settings that have date-time values:
    • Local Time: This is local to the system that you use to access the Tanium Console.
    • UTC: Coordinated Universal Time.
  5. Select the actions that you want to approve and perform one of the following steps:
    • To approve actions without reviewing their configurations, select More > Bulk Approval and click Confirm. You can skip the remaining steps. This option is available only if the Bulk Approval setting is enabled (see Enable or disable action approval).
    • To review action configurations before approving them, click Preview and perform the remaining steps.
  6. Review the action configuration and click Approve. If you selected multiple actions, use the Previous and Next widgets to navigate among the pages for each action.

    The Tanium Console indicates the estimated number of endpoints that the action will affect, as entered by the user who created the action. Note that Tanium Cloud or the Tanium Server does not recalculate this estimate during the approval workflow; the displayed number is the same as when the action creator configured the action, regardless of how the actual endpoint count might have changed since then.

  7. If the number of Estimated clients affected exceeds the configured threshold (default is 100), enter the estimated number and click Confirm.

    Tanium Cloud or the Tanium Server enforces this confirmation step to ensure that you understand the impact that the action will have on your network.

    To change the threshold that controls whether the Tanium Console prompts approvers for the Estimated clients affected, go to Administration > Configuration > Settings > Platform Settings and edit the Prompt Estimate Threshold setting. Note that changing the value to 0 causes the Tanium Console to prompt approvers regardless of the number of affected endpoints.
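Because the estimate is not recalculated during approval, an approver may want a checklist that compares it with a fresh count before confirming. The following is an added example, not Tanium code, that models the rules in this procedure (no approving an action you created or modified, the Prompt Estimate Threshold with 0 meaning always prompt) plus a drift check. The record fields, the 20% drift tolerance, and a current_count obtained by the approver independently are assumptions.

```python
from dataclasses import dataclass

@dataclass
class PendingAction:
    """Hypothetical record of a pending action; field names are assumptions."""
    name: str
    issuer: str
    last_modified_by: str
    estimated_clients: int  # estimate entered by the action creator, never refreshed

def needs_estimate_prompt(estimated, threshold=100):
    """Prompt when the estimate exceeds the threshold; a threshold of 0 always prompts."""
    return threshold == 0 or estimated > threshold

def review(action, approver, current_count, threshold=100, drift=0.2):
    """Return the reasons an approver should stop or slow down before approving.

    current_count is an endpoint count the approver obtained independently
    (assumption); drift is the tolerated relative difference from the estimate.
    """
    reasons = []
    if approver in (action.issuer, action.last_modified_by):
        reasons.append("approver created or modified this action")
    if needs_estimate_prompt(action.estimated_clients, threshold):
        reasons.append("typed confirmation of estimate required")
    base = max(action.estimated_clients, 1)  # avoid dividing by zero
    if abs(current_count - action.estimated_clients) / base > drift:
        reasons.append(
            "stored estimate is stale: %d then, %d now"
            % (action.estimated_clients, current_count)
        )
    return reasons

if __name__ == "__main__":
    # Constructed sample: created by dave, later modified by erin.
    action = PendingAction("Deploy patch", "dave", "erin", 150)
    for reason in review(action, approver="erin", current_count=400):
        print(reason)
```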