Managing personas

Personas overview

A persona is a set of roles and computer groups that a user selects for a Tanium session. Assigning multiple personas to a user account enables you to enforce different sets of restrictions on what that user can see and do with the Tanium Core Platform, based on the work scope for a given session, without having to configure multiple accounts for the user. As an example, users might manage endpoints across multiple countries, each with unique privacy laws restricting the actions that users can deploy to specific endpoints based on security clearance. You might configure one persona with a role that allows actions relating only to Tanium Client maintenance on all computer groups for a particular country. You could give the same user another persona that allows security patch installations but only for the subset of computer groups that the user directly manages.

If you plan to import users and user groups from a Lightweight Directory Access Protocol (LDAP) or Active Directory (AD) server, do so before configuring and assigning personas. For details, see Integrating with LDAP servers.

The persona types are as follows:

Default persona

User permissions derive from roles and computer groups that are assigned to the persona and, if the user belongs to user groups, from roles and computer groups that are assigned to the default persona of those user groups. The default persona automatically applies when users log into the Tanium Console. The Tanium Server automatically assigns the default persona to new users and user groups and, after you upgrade to Tanium Server 7.4 or later, to existing pre-upgrade users and groups. Each user and group has only one default persona and it is unique; multiple users and groups cannot share a default persona. You cannot delete default personas or reassign them to different users or groups.

Alternative persona

User permissions derive only from roles and computer groups that are assigned to the persona. A user can inherit multiple alternative personas from user groups, but only the permissions of the single persona that the user selects for the current Tanium session apply. You can assign an alternative persona to multiple users and user groups. Each user and group can have zero or more alternative personas.

The following figure illustrates the relationship between personas and other Tanium RBAC components:

Figure 1: Tanium personas

Because you can reassign alternative personas among users and user groups, the best practice is to assign roles and computer groups to alternative personas instead of default personas. This practice simplifies updating your RBAC implementation when necessary, such as when users leave or join your organization, or when they move between user groups.
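The following sketch is an added example, not Tanium code or a Tanium API. It models the default and alternative persona rules described above so that you can reason about what a session can reach before you change assignments. It assumes that default-persona assignments combine as a simple union and it ignores deny roles; all role, group, and persona names are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Persona:
    name: str
    roles: frozenset = frozenset()
    computer_groups: frozenset = frozenset()

@dataclass
class Account:
    """A user or a user group; each has exactly one default persona."""
    name: str
    default: Persona
    alternatives: tuple = ()   # alternative personas assigned directly
    groups: tuple = ()         # user groups that a user belongs to

def selectable(user):
    """Alternative personas a user can select: own plus inherited from groups."""
    found = {p.name: p for g in user.groups for p in g.alternatives}
    found.update({p.name: p for p in user.alternatives})
    return found

def session_scope(user, persona=None):
    """Return (roles, computer_groups) in effect for one session (simplified model)."""
    if persona is None:
        # Default persona: the user's own assignments plus the default
        # personas of the user groups to which the user belongs.
        sources = [user.default] + [g.default for g in user.groups]
    else:
        # Alternative persona: only that persona's own assignments apply.
        sources = [selectable(user)[persona]]  # KeyError if not assigned
    roles = frozenset().union(*(p.roles for p in sources))
    groups = frozenset().union(*(p.computer_groups for p in sources))
    return roles, groups

def default_assignments(accounts):
    """Accounts whose default persona carries roles or computer groups directly,
    contrary to the best practice of using alternative personas."""
    return [a.name for a in accounts if a.default.roles or a.default.computer_groups]

# Constructed sample data (hypothetical names throughout).
maint = Persona("DE maintenance", frozenset({"Client Maintenance"}), frozenset({"DE - All"}))
patch = Persona("DE patching", frozenset({"Patch Installer"}), frozenset({"DE - Team A"}))
ops = Account("ops-de", Persona("default:ops-de", frozenset({"Read Only"}),
              frozenset({"DE - All"})), alternatives=(maint,))
alice = Account("alice", Persona("default:alice"), alternatives=(patch,), groups=(ops,))
```

In this model, alice's default session picks up the group's default-persona assignments, while selecting "DE patching" narrows the session to that persona alone.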

For details on how personas interact with users, user groups, computer groups, and roles to determine the effective permissions of a user, see Tanium RBAC implementation and concepts.

You require the Administrator reserved role to perform tasks related to personas.

View personas

Go to the Permissions > Personas page to see a grid that lists all the alternative personas (it does not show the default personas of users or user groups). If the list is long, use the Filter by text field to search by persona name. To view the roles (and associated permissions), users, user groups, and computer groups that are assigned to an alternative persona, click the persona Name to open the persona configuration page. To view the assignments of a default persona, see the user configuration of the associated account (see View effective permissions).

Create a persona

  1. Go to Permissions > Personas and click New Persona.
  2. Enter a Persona Name to identify the persona.
  3. (Optional) Enter a Description of the purpose for this persona. The Personas page will show your entry in the Display Name column. Users will also see the description when they switch personas.
  4. Select the Color that the Tanium Console will display to help you quickly identify the persona when you are switching to it. If you do not want to use a color, click Reset Color.
  5. Click Save and confirm the operation when prompted. The persona configuration page opens.
  6. Configure the user, user group, computer group, and role assignments as described in the following tasks. You can then click All Personas at the top left of the page to see the new persona listed in the Personas page.

Assign users to a persona

  1. Go to Permissions > Personas and click the persona Name to open the persona configuration page.
  2. Click Manage Users and click Edit.
  3. Select users and click Save.
  4. Click Show Preview to Continue and review the list of affected users.
  5. Click Save and confirm the operation when prompted.

Assign user groups to a persona

  1. Go to Permissions > Personas and click the persona Name to open the persona configuration page.
  2. Click Manage User Groups and click Edit.
  3. Select user groups and click Save.
  4. Review the assignments, click Save, and confirm the operation when prompted.

Assign computer groups to a persona

  1. Go to Permissions > Personas and click the persona Name to open the persona configuration page.
  2. Click Manage in the Computer Groups section and then click Edit.
  3. Select computer groups and click Save.
  4. Click Show Preview to Continue and review the list of affected endpoints.
  5. Click Save and confirm the operation when prompted.

Assign roles to a persona

  1. Go to Permissions > Personas and click the persona Name to open the persona configuration page.
  2. Click Manage in the Roles and Effective Permissions section.
  3. Next to Grant Roles, click Edit, select roles, and click Save.
  4. Next to Deny Roles, click Edit, select roles, and click Save.
  5. Click Show Preview to Continue and review the effective permissions.
  6. Click Save and confirm the operation when prompted.

Edit a persona

To edit the user, user group, or role assignments of a persona, see the preceding sections. To edit the persona name, description, and color settings, perform the following steps:

  1. Go to Permissions > Personas and click the persona Name to open the persona configuration page.
  2. Click Edit at the top right.

    The top of the persona configuration page then displays the name, description, and color settings.

  3. Update the settings, click Save, and confirm the operation when prompted.

Select a persona for your Tanium Console session

At the top right of the Tanium Console, the field beside your user name indicates your current persona. When you log in, the Default Persona for your user account applies automatically. To switch to an alternative persona or revert to the Default Persona, perform the following steps:

  1. Click the <user name> <current persona> field.

    The Select a Persona to use dialog opens and lists the personas that are assigned to your user account or to the user groups to which you belong. The dialog uses the persona names and optional descriptions and colors as identifiers.

  2. Select a persona, and click OK.

    The Tanium Console refreshes to display only the features and modules for which the selected persona has access permissions.

View the Administration > Question History page (see Question history) and Actions > Action History page (see Manage actions that are completed or in progress) to determine which persona a user used to issue a question or deploy an action.

Copy the personas configuration summary

You can copy details from the Personas page grid to a message, text file, or spreadsheet. Each row in the grid is copied as a comma-separated value string on the clipboard of the system that you use to access the Tanium Console.

  1. Go to Permissions > Personas.
  2. Click Copy All in the grid header.

Delete a persona

You can delete alternative personas but not the default persona. When you delete a persona, the Tanium Server removes the persona from any user or user group configurations that included it. Before deleting a persona, the best practice is to first delete the user and user group assignments from the persona configuration: see Assign users to a persona and Assign user groups to a persona. Then delete the persona as follows:

  1. Go to Permissions > Personas and select the persona that you want to delete.
  2. Click Delete Selected in the toolbar above the grid header.
  3. Click Delete and confirm the operation when prompted.