Managing users

A user configuration associates personas, user groups, computer management groups, and roles with a user. You can create user accounts locally on the Tanium Server or import them from a Lightweight Directory Access Protocol (LDAP) or Active Directory (AD) server. If your deployment requires both local and imported users, configure the imports first (see Integrating with LDAP servers).

The following figure illustrates the relationship between users and other Tanium RBAC components:

Figure 1: Tanium users

For the user role permissions required to manage users, see RBAC management permissions.

User authentication

You can configure the following methods to authenticate users when they access the Tanium Console or API:

  • LDAP server: see Integrating with LDAP servers.
  • Security Assertion Markup Language (SAML) identity provider (IdP): see Integrating with a SAML IdP.
  • AD server for the domain to which the Tanium Server is joined. This option is available only for Tanium Servers installed on a Windows system.
  • Windows authentication for accounts defined locally on a Tanium Server installed on a Windows system.
  • Local authentication service for accounts defined locally on a Tanium Appliance: see Tanium Appliance Deployment Guide: Configure the local authentication service.
  • Pluggable authentication module (Tanium Appliance only); consult your Technical Account Manager (TAM) for details.

If you use an external service for authentication, the best practice is to maintain at least one user account that relies on local authentication, and assign the Administrator reserved role to that account. If the external service ever becomes unavailable (for example, the connection to the LDAP server or SAML IdP goes down), this local user can still access the Tanium Console and reconfigure the connection to the external service as necessary. Optionally, you can use the default user that is created during Tanium Server installation for this purpose.

Default user

The Tanium Server installation process creates a Tanium Console user account that has permissions similar to the root or admin superuser in some operating systems. This initial user has the All Groups computer group permission and the Administrator reserved role, enabling this user to do anything in the Tanium Core Platform. However, this user is not a built-in user like root or admin, so you can modify or delete the account.

View user settings

The Administration > Users page displays information about user accounts. You can use the Filter By Text field above the grid to filter by user name, display name, or domain name. You can use the Filter Results options to filter the list by User Group and Computer Group (management group) assignments. If you select Show deleted users in the filter options, the grid displays an Active column that indicates which users are active (Yes) or deleted (No). To see the computer management group, user group, persona, and role assignments, along with the associated permissions, click a user name to open the user configuration page.

Selecting a Computer Group filters the user grid based only on the computer management groups that are explicitly assigned to users. For example, a user configuration might have a role that specifies unrestricted management rights to all computer groups but does not have a Windows-only computer group assigned. If you filter by the Windows-only computer group, the list excludes that user even though the Windows-only computer group is a subset of all the computers to which the user has management rights.

Create a user

When you create a user configuration, by default it has no computer management groups, alternative personas, user groups, or roles until you assign them. A user with no roles can log into the Tanium Console but cannot access anything. Do not create configurations for user accounts that you import from an LDAP server (for details, see Integrating with LDAP servers).

  1. Go to Administration > Users.
  2. Click New User.
  3. Specify a user name that matches one of the following:
    • A user account that is defined locally on the Tanium Server. For the supported authentication methods, see User authentication.
    • (Windows only) An AD account name. Specify just the user name, not the domain name. The Tanium Server uses Windows Authentication, and does not store or manage login credentials for the user.
  4. Save the configuration.

Edit user properties

You can add name-value pairs to document user details such as full name, organization, email address, and phone number.

  1. Go to Administration > Users.
  2. Click the User Name of the user configuration that you want to edit.
  3. Click Properties.
  4. Click Add Property.
  5. Use the controls to add name-value pairs.
  6. Save the configuration.

Assign computer management groups to a user

Perform the following steps to assign computer management groups to the default persona of a user. To configure computer group assignments through an alternative persona, edit the persona configuration (see Assign computer groups to a persona) and assign the persona to the user (see Assign personas to a user).

  1. Go to Administration > Users.
  2. Click the User Name of the user configuration that you want to edit.
  3. In the Computer Groups section, click Manage and Edit.
  4. Specify Selected Management Rights, select the computer management groups that you want the user to manage, and click Save.

    Selections are logically combined. The union of All Computers and No Computers is effectively All Computers. Tanium strongly recommends that you do not select Unrestricted Management Rights, unless you want the user to be able to ask questions of all endpoints across all computer groups regardless of security considerations.

  5. Click Show Preview to Continue to review the impact of your changes.
  6. Save the configuration.

Assign user groups to a user

  1. Go to Administration > Users.
  2. Click the User Name of the user configuration that you want to edit.
  3. In the User Groups section, click Manage and Edit.
  4. Select user groups and click Save.
  5. Click Show Preview to Continue to review the impact of your changes.
  6. Save the configuration.

Assign roles to a user

Perform the following steps to assign roles to the default persona of a user. To configure roles through an alternative persona, edit the persona configuration (see Assign roles to a persona) and assign the persona to the user (see Assign personas to a user).

  1. Go to Administration > Users.
  2. Click the User Name of the user configuration that you want to edit.
  3. In the Roles and Effective Permissions section, click Manage.
  4. In the Grant Roles section, click Edit, select roles, and click Save.
  5. In the Deny Roles section, click Edit, select roles, and click Save.
  6. Click Show Preview to Continue to review the impact of your changes.
  7. Save the configuration.

Assign personas to a user

The Tanium Server automatically assigns a default persona to new user accounts and, after you upgrade to Tanium Server 7.4 or later, to existing pre-upgrade accounts. A user with the Administrator reserved role must manually assign alternative personas as follows. For details on personas, see Managing personas.

  1. Go to Administration > Users.
  2. Click the Name of the user.
  3. Click Alternative Personas and Manage.
  4. Select personas and click Save.

View effective permissions

  1. Go to Administration > Users to open the users summary page.
  2. Click the User Name of the user configuration that you want to review.
  3. Select the type of persona for which you want to see permissions:
    • Default Persona: This is the default selection, and shows permissions for the roles that are assigned to the default persona of the user or of user groups that the user belongs to.
    • Alternative Personas: Select an alternative persona to see the permissions for the roles that are assigned to it.
  4. Review the role assignments, inherited roles, and the lists of the resulting global, micro admin, and content set permissions.
  5. Click Back to all Users to return to the Users page.

Delete, un-delete, or lock out a user

When employees leave your organization, you have the following options for locking down their access to the Tanium system:

  • Assign the Deny All role to the user. The user can still log into the Tanium Console, but cannot access any console functionality. The Administration > Users page displays grayed out user names for users with the Deny All role.
  • Delete the Tanium Console configuration for a manually created user.
  • Disable the AD or LDAP user account that is associated with the Tanium Console user configuration, or change the password if it is an administrator alias account. If the Tanium Server imported the user through an LDAP server, it is important to modify the user details on the LDAP server so that the Tanium Server does not import the user again at the next synchronization.

Considerations when deleting users

Deleting a user has the following consequences for scheduled activities:

  • Plugin schedules associated with the user continue to run.
  • Saved question schedules associated with the user continue to run.
  • Scheduled actions associated with the user stop running.

After you delete the user, you can go to the Transfer Content page to delete the associated content or transfer its ownership to another active user.

Locked-out users

The Tanium Server designates users that it imported from an LDAP server as locked out when the LDAP synchronization data indicates that the associated LDAP account is disabled or when the data is missing. While the user has locked-out status, the user cannot log in, but scheduled content that is associated with the user continues to run.

The Administration > Users page shows the Locked out status of users:

  • Locked out - disabled: The data returned in the latest sync indicates the account is disabled. When off-boarding employees, it is a best practice to disable the user's LDAP account rather than delete it so that associated records are not deleted.
  • Locked out - missing: There was no data for the user in the latest sync. Data might be missing if the user was deleted from the LDAP server or otherwise no longer matches the filter expression that the LDAP server uses.

Check with your organization on how to handle locked out users. One option is to delete them and transfer their associated content to another user.

Delete a user

  1. Go to Administration > Users.
  2. Select the row for the user and click Delete.

    To display deleted users in the Administration > Users page, click Filter Results and select Show deleted users. The page displays an Active column that indicates which users are active (Yes) or deleted (No).

  3. (Optional) If the user has associated content to transfer or delete, click Complete Now in the message at the top of the page and perform the steps under Delete or transfer ownership for the content of a deleted user.

Un-delete a user

When un-deleting users, perform these steps for one user at a time.

  1. Go to Administration > Users.
  2. Click Filter Results and select Show deleted users.

    The page displays an Active column that indicates which users are active (Yes) or deleted (No).

  3. Select the row for the deleted user and click Undelete.
  4. If the user owns content (such as saved questions or scheduled actions), select an option for processing the content:
    • Purge content: Delete the content that the user owns.
    • Migrate content: Transfer ownership to a different user. After you click Reactivate, the Tanium Console prompts you to select from a list of matching active users to assume ownership of the content. The list displays only users whose default persona has computer group management rights and RBAC permissions that exactly match the default persona of the user whom you are un-deleting.
    • Reactivate as is: Keep the user whom you are un-deleting as the content owner.
  5. Click Reactivate and confirm the operation when prompted.

    The Tanium Server then un-deletes the user and reactivates, purges, or migrates the associated content.

Delete or transfer ownership for the content of a deleted user

The Manage Non-Active User Content page lists users who are deleted or locked out and have content associated with their accounts. You can use the page to delete some of the content and to assign some of it to one or more active users. You must perform delete or transfer actions one at a time. Complete the workflow multiple times until you process all the content for the deleted user.

To transfer content from a deleted user to an active user, the computer group management rights and RBAC permissions in the default persona of the active user must exactly match those in the default persona of the deleted user. This ensures that the Tanium Server continues to enforce your RBAC restrictions. The best practice is to have users inherit rights and permissions from user groups. This makes it easy to find a matching user if you need to transfer the content of a deleted user.

After you delete a user, solution module features associated with the user, such as a scheduled Tanium™ Connect job that the user created, might stop running. If this is the case, go to the solution module and update the configuration. For example, in Connect, you can go to the Connections page and click the Take Ownership link to give ownership of the scheduled connection to the logged-in user.

  1. Go to Content Alignment > Manage Non-Active User Content.
  2. Select the row for the user and click Manage Content.
  3. Select an option to manage the content associated with the user:
    • Delete Selected Content. Use this option to clean up objects that were created by the user and are no longer needed.
    • Disable Selected Scheduled Content. Use this option to disable activities that repeat on a schedule, such as saved questions with reissue intervals, scheduled actions, or plugin schedules that run in the context of the deleted user.
    • Transfer Selected Content to Matching User. Use this option to transfer ownership of content that is still needed.
  4. If you select the transfer option, select a matching user.
  5. Select content.
  6. Click Confirm.
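The exact-match rule that governs both the Migrate content option when un-deleting a user and the Transfer Selected Content to Matching User option above is easy to get wrong when rights come from several user groups. The following added example (not Tanium code, and not Tanium's export schema; the record fields and sample users are constructed for illustration) computes a user's default-persona rights from directly assigned roles plus the roles and computer groups inherited from user groups, lists the deleted or locked-out users that would appear on the Manage Non-Active User Content page, and finds the active users whose rights match exactly:

```python
# Constructed sample data. Field names are an assumption for this example,
# not the structure of the Tanium users JSON export.
USER_GROUPS = {
    "Helpdesk": {"roles": {"Helpdesk Operator"}, "computer_groups": {"Windows"}},
    "Servers": {"roles": {"Server Admin"}, "computer_groups": {"Linux Servers"}},
}

def _user(name, active=True, locked_out=None, user_groups=(), roles=(),
          computer_groups=(), scheduled_content=()):
    return {"name": name, "active": active, "locked_out": locked_out,
            "user_groups": list(user_groups), "roles": set(roles),
            "computer_groups": set(computer_groups),
            "scheduled_content": list(scheduled_content)}

USERS = [
    _user("alice", user_groups=["Helpdesk"]),
    # Locked out - disabled: the last LDAP sync reported the account disabled.
    _user("bob", locked_out="disabled", user_groups=["Helpdesk"],
          scheduled_content=["Patch status (saved question, reissued hourly)"]),
    # Deleted from the Tanium Console but still owning a scheduled action.
    _user("carol", active=False, user_groups=["Servers"],
          scheduled_content=["Restart web service (scheduled action)"]),
    # Same user group as alice, but an extra directly assigned role.
    _user("dave", user_groups=["Helpdesk"], roles=["Deny All"]),
    _user("erin", user_groups=["Servers"]),
]

def default_persona_rights(user):
    """Roles and computer management groups of the default persona:
    direct assignments plus everything inherited from user groups."""
    roles, groups = set(user["roles"]), set(user["computer_groups"])
    for g in user["user_groups"]:
        roles |= USER_GROUPS[g]["roles"]
        groups |= USER_GROUPS[g]["computer_groups"]
    return frozenset(roles), frozenset(groups)

def non_active_users_with_content(users):
    """Deleted or locked-out users that still own content (the population
    of the Manage Non-Active User Content page)."""
    return [u["name"] for u in users
            if (not u["active"] or u["locked_out"]) and u["scheduled_content"]]

def matching_transfer_targets(users, source_name):
    """Active users whose default-persona rights EXACTLY match the source
    user's; a superset of rights (dave) is not a match."""
    source = next(u for u in users if u["name"] == source_name)
    wanted = default_persona_rights(source)
    return sorted(u["name"] for u in users
                  if u["active"] and not u["locked_out"]
                  and u["name"] != source_name
                  and default_persona_rights(u) == wanted)
```

Because matching is by exact equality of the rights set, a user who holds one extra role (such as Deny All) is not offered as a transfer target, which is why the text recommends inheriting rights from user groups.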

Enable or disable access for local users

By default, users whose accounts are local to the Tanium Server can access the Tanium Console. However, if you transition to an external authentication service such as an LDAP server or SAML IdP and you want to ensure all user access is through that service, disable local authentication.

Local users on a Tanium Appliance

To disable or re-enable Tanium Console access for user accounts that are local to a Tanium Appliance, see Tanium Appliance Deployment Guide: Configure the local authentication service.

Local users on a Windows server

Perform the following steps to disable or re-enable Tanium Console access for user accounts that are local to a Tanium Server installed on a Windows server.

If you disable local account logins and the remote authentication service later stops working (for example, the connection to the LDAP server or SAML IdP goes down), no users can access the Tanium Console, including the default user. In such cases, you must re-enable local authentication through the CLI by running the following command from the Tanium Server installation directory:
TaniumReceiver global-settings set soap_enable_local_auth 1

  1. Go to Administration > Global Settings and select soap_enable_local_auth in the grid.
  2. In the Selected System Setting pane, click Edit.
  3. In the Setting Value, enter 0 to disable or 1 to enable local authentication.
  4. Click Save.

Copy the users configuration summary

You can copy the details of the users configuration page to a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

Copy a single row

  1. Go to Administration > Users.
  2. Select the row for a user.

    When you select a row, tools appear above the grid.

  3. Click Copy above the grid to copy the row details to the clipboard.

Copy all rows

  1. Go to Administration > Users.
  2. Click Copy All in the grid header.

Export the users configuration

You can export the users configuration to a JSON file that can be examined during troubleshooting.

  1. Go to Administration > Users.
  2. Click Export All in the grid header.