Managing user groups

A user group configuration associates personas, users, computer management groups, and roles with a user group. You can create user groups locally on the Tanium Server or import them from a Lightweight Directory Access Protocol (LDAP) or Active Directory (AD) server. If your deployment requires both local and imported groups, configure the imports first (see Integrating with LDAP servers).

The following figure illustrates the relationship between user groups and other Tanium RBAC components:

Figure 1: Tanium user groups

For the user role permissions required to manage user groups, see RBAC management permissions.

View user groups

Use the Administration > User Groups page to view, add, edit, or delete user groups. You can use the text field above the grid to filter by user group name or use the Filter Results options to filter by User and Computer Group (management group) assignments.

Create a user group

Perform the following steps to configure a user group that is local to the Tanium Server. Do not create configurations for groups that you import from an LDAP server (for details, see Integrating with LDAP servers).

  1. From the Main menu, select Console > Administration > User Groups.
  2. Click New User Group.
  3. Specify a configuration name and save the configuration.

Assign computer management groups to a user group

Perform the following steps to assign computer management groups to the default persona of a user group. To configure computer group assignments through an alternative persona, edit the persona configuration (see Assign computer groups to a persona) and assign the persona to the user group (see Assign personas to a user group).

  1. From the Main menu, select Console > Administration > User Groups.
  2. Click the Name of the user group configuration that you want to edit.
  3. In the Computer Groups section, click Manage and Edit.
  4. Select items and click Save.

    Specify No Management Rights Assigned if you do not want users to inherit computer groups from this configuration. Otherwise, specify Selected Management Rights and then select the computer groups that you want users to inherit from this configuration.

  5. Click Show Preview to Continue to review the impact of your changes.
  6. Save the configuration.

Assign users to a user group

  1. From the Main menu, select Console > Administration > User Groups.
  2. Click the Name of the user group configuration that you want to edit.
  3. Click Manage Users and Edit.
  4. Select users and click Save.
  5. Click Show Preview to Continue to review the impact of your changes.
  6. Save the configuration.

Assign roles to a user group

Perform the following steps to assign roles to the default persona of a user group. To configure roles through an alternative persona, edit the persona configuration (see Assign roles to a persona) and assign the persona to the user group (see Assign personas to a user group).

  1. From the Main menu, select Console > Administration > User Groups.
  2. Click the Name of the user group configuration that you want to edit.
  3. Click Edit Roles.
  4. In the Grant Roles section, click Edit, select roles, and click Save.
  5. In the Deny Roles section, click Edit, select roles, and click Save.
  6. Click Show Preview to Continue to review the impact of your changes.
  7. Save the configuration.

Assign personas to a user group

The Tanium Server automatically assigns a default persona to new user groups and, after you upgrade to Tanium Server 7.4 or later, to existing pre-upgrade groups. A user with the Admin Administrator reserved role must manually assign alternative personas as follows. For details on personas, see Managing personas.

  1. From the Main menu, select Console > Administration > User Groups.
  2. Click the Name of the user group.
  3. Click Alternative Personas and Manage.
  4. Select personas and click Save.

Delete a user group

When you delete a user group configuration, users stop inheriting persona, computer management group, and role assignments from it. Perform the following tasks in the given order as a best practice when deleting a user group:

  1. Delete the persona and user assignments from the user group. For the steps, see Assign users to a user group and Assign personas to a user group.

  2. Review the impact of deleting persona and user assignments on the effective permissions of users. For the steps, see View effective permissions.

  3. Delete the user group configuration: From the Main menu, select Console > Administration > User Groups, select the group, and click Delete Selected.

View effective permissions

  1. From the Main menu, select Console > Administration > User Groups to open the user groups summary page.
  2. Click the Name of the user group configuration that you want to review.
  3. Select the type of persona for which you want to see permissions:
    • Default Persona: This is the default selection, and shows permissions for the roles that are assigned to the default persona of the user group.
    • Alternative Personas: Select an alternative persona to see permissions for the roles that are assigned to it.
  4. Review the role assignments and the lists of the resulting global, micro admin, and content set permissions.
  5. Click Back to all User Groups to return to the User Groups page.

Copy the user groups configuration summary

You can copy the details of the user groups configuration page to a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string: User Group name, computer group count, user count, grant role count, deny role count.

Copy a single row

  1. From the Main menu, select Console > Administration > User Groups.
  2. Select the row for a user group.

    When you select a row, tools appear above the grid.

  3. Click Copy above the grid to copy the row details to the clipboard.

Copy all rows

  1. From the Main menu, select Console > Administration > User Groups.
  2. Click Copy All in the grid header.
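
The copied rows can be kept as a baseline and compared at the next access review. The following Python sketch is an added example, not Tanium code: it parses rows in the field order described above and reports what changed between two copies. The sample rows are constructed, and the optional header row and the unquoted comma inside a group name are assumptions about the clipboard text.

```python
from typing import NamedTuple

class GroupRow(NamedTuple):
    name: str
    computer_groups: int
    users: int
    grant_roles: int
    deny_roles: int

def parse_summary(text: str) -> dict[str, GroupRow]:
    """Parse copied rows. The last four fields are counts, so split from the
    right to keep any comma inside a group name intact."""
    rows = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.rsplit(",", 4)]
        if len(parts) != 5 or not all(p.isdecimal() for p in parts[1:]):
            continue  # blank line, or a header row (assumed possible)
        rows[parts[0]] = GroupRow(parts[0], *map(int, parts[1:]))
    return rows

def diff_snapshots(old: dict[str, GroupRow], new: dict[str, GroupRow]):
    """Return (group, change) findings between two snapshots, sorted by name."""
    findings = []
    for name in sorted(old.keys() | new.keys()):
        if name not in old:
            findings.append((name, "group added"))
        elif name not in new:
            findings.append((name, "group removed"))
        else:
            for field in GroupRow._fields[1:]:
                before, after = getattr(old[name], field), getattr(new[name], field)
                if before != after:
                    findings.append((name, f"{field}: {before} -> {after}"))
    return findings

# Constructed sample data, not real Tanium output.
BASELINE = """\
Name,Computer Groups,Users,Grant Roles,Deny Roles
Helpdesk,2,14,3,0
Servers, EMEA,1,4,2,1
"""
CURRENT = """\
Helpdesk,2,15,5,0
Servers, EMEA,1,4,2,1
Contractors,0,3,1,0
"""

if __name__ == "__main__":
    for name, change in diff_snapshots(parse_summary(BASELINE), parse_summary(CURRENT)):
        print(f"{name}: {change}")
```

A change in the grant role count or user count only shows that something changed; use View effective permissions to see which roles and permissions the group now confers.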

Export the user groups configuration

You can export the user groups configuration to a JSON file that can be examined during troubleshooting.

  1. From the Main menu, select Console > Administration > User Groups.
  2. Click Export All in the grid header.