Managing action approval

Some organizations implement two-person integrity, which means that actions a user initiates cannot run until another user approves those actions. A pending action is one that is initiated but not yet approved. Approvers can be users with the full Administrator role or users with the special action approval role. If your organization allows exceptions to approval requirements, you can assign a bypass approval role.

Create an action approver role

  1. Go to Permissions > Roles.
  2. Create an advanced role that grants Approve Action permission on the content sets you specify.
  3. Save the configuration.

Create a bypass action approval role

  1. Go to Permissions > Roles.
  2. Create an advanced role that grants Bypass Action Approval permission on the content sets you specify. Actions that a user with this permission creates are not subject to approval requirements.
  3. Save the configuration.

Assign the action approval and bypass roles

You can assign the action approval and bypass roles to personas, users, and user groups.

Enable or disable action approval

  1. Go to Administration > Global Settings.
  2. Select the require_action_approval setting and click Edit.
  3. Change the setting value to 1 (enable) or 0 (disable), and click Save.

If you disable action approval, actions pending approval cannot be completed. To avoid this, ask your approver to clear the list of actions pending approval before disabling the feature. Alternatively, review the actions on the Actions > Action History page and reissue actions as necessary for the desired results.

Review pending actions

When action approval is enabled, users with the Administrator reserved role can display the Actions > All Pending Approval page. The page has the same fields and action buttons as the Actions > Scheduled Actions page (see Manage scheduled actions), but displays only the actions that are waiting for approval.

Figure 1: All Pending Approval page

Approve pending actions

After you approve a scheduled action, the approval remains in force until the schedule ends or someone modifies the scheduled action configuration.

  1. Log in as a user with the Administrator reserved role or an action approver role. The Tanium Console displays the number of actions requiring approval.
  2. Go to Actions > Actions I Can Approve.

    You can use text filters and row sorting to find actions that you want to review.

  3. Select the action you want to approve and click Approve.
  4. Review the action configuration and click Approve Action.

    The Tanium Console indicates the estimated number of endpoints that the action will affect, as entered by the user who created the action. Note that the Tanium Server does not recalculate this estimate during the approval workflow; the displayed number is the same as when the action creator configured the action, regardless of how the actual endpoint count might have changed since then.

  5. If the Estimated Number of affected endpoints exceeds the configured threshold (default is 100), enter the estimated number to confirm it.

    The Tanium Server enforces this confirmation step to ensure that you understand the impact that the action will have on your network.

    To change the threshold that controls whether the Tanium Console prompts approvers for the Estimated Number of affected endpoints, edit the prompt_estimate_threshold setting (Administration > Global Settings). Note that changing the value to 0 causes the Tanium Console to prompt approvers regardless of the number of affected endpoints.