Managing users

A user configuration associates personas, user groups, computer management groups, and roles with a user account. You can create user accounts locally on the Tanium Server or import them from a Lightweight Directory Access Protocol (LDAP) or Active Directory (AD) server.

If your deployment requires both local and imported users, configure the imports first. See Integrating with LDAP servers.

The following figure illustrates the relationship between users and other Tanium role-based access control (RBAC) components:

Figure 1: Tanium users
For the user role permissions required to manage users, see Manage users.

If you imported Tanium solutions with default settings, the service account that the solutions use to run background processes is the user account that performed the import. See Manage service accounts.

Review and, if necessary, update user accounts on a quarterly basis to ensure that account configurations reflect personnel changes as users leave, join, or change roles in your organization. See Tanium Maintenance User Guide: Review and update Console user accounts.

User authentication

In a Tanium Cloud deployment, all users authenticate through a Security Assertion Markup Language (SAML) identity provider (IdP). Contact Tanium Support for details.

In a deployment where users authenticate to the Tanium Console from domains in a Salesforce Information Technology Service Management (ITSM) instance, you must update the Trusted Auth Origin platform setting if the domains change. Enter the domains as a comma-separated list of URLs. See Manage platform settings.

You can configure the following methods to authenticate users when they access the Tanium Console or API:

For details about settings and events that affect the duration of Tanium Console sessions and how often users must re-authenticate, see Set Console user preferences and Sign in to the Console.

If users have issues signing in to the Tanium Console, see Troubleshoot Console access.

If you use an external service for authentication, maintain at least one user account that relies on local authentication and assign the Administrator reserved role to that account. If the external service ever becomes unavailable (for example, the connection to the LDAP server or SAML IdP goes down), this local user can still access the Tanium Console and reconfigure the connection to the external service as necessary. Optionally, you can use the default user that is created during Tanium Server installation for this purpose.

Default user

During the setup of your Tanium Cloud deployment, an administrator account is created that you can use to sign in to the Tanium Console for the first time. This user is based on an IdP account that your organization selects as the primary administrator for your Tanium Cloud deployment. The user has unrestricted computer group management rights. The user also has the Admin reserved role, which enables access to all the features that are available in Tanium Cloud, including the ability to configure role-based access control (RBAC) for all other Tanium Cloud users.

The Tanium Server installation process creates a Tanium Console user account that has permissions similar to the root or admin superuser in some operating systems. This initial user is assigned the All Computers computer group and the Administrator reserved role, enabling this user to do anything in the Tanium Core Platform. However, this user is not a built-in user like root or admin, so you can modify or delete the account.

View user settings

  1. From the Main menu, go to Administration > Permissions > Users.

    The Users grid displays the basic attributes of each user, such as the user Name and the number of assigned computer groups. However, to see the specific user groups, computer groups, personas, or roles (and permissions) that are assigned, you must display the configuration of a particular user.

  2. (Optional) Use the filters to find specific users:
    • Filter by text: To filter the grid by user name, display name, or domain name, enter a text string in the Filter items field.
    • Filter by attribute: Filter the grid by one or more attributes, such as the number of assigned Computer Groups. Expand the Filters section, click Add, select an attribute and operator, enter a text string that contains all or part of the attribute value, and click Apply. If you add multiple attribute filters, the Boolean AND operator applies. After you finish specifying attributes, click Apply All to filter the grid.
    • Filter by status:  By default, the Users toggle is set to Active, and the grid does not show user accounts that are deleted or locked out. To show all accounts regardless of status, set the toggle to All.

      The Status column indicates which users are Active or Deleted, but the column is hidden by default. To show the column, click Customize Columns and select Status.

  3. (Optional) To see the user groups, computer groups, personas, roles, and permissions that are assigned to a user, click the user Name. For details about the permissions, see View effective role permissions for a user.

Create a user

Create user configurations on Tanium Cloud for all users who require access to the Tanium Console, REST API, modules, and shared services. Work with your IdP administrator to ensure that the user accounts are also configured in the remote identity store.

All users who require access to the Tanium Console, REST API, modules, and shared services require user configurations on the Tanium Server. Create only the user configurations that the server does not import from an AD or LDAP server (see Integrating with LDAP servers). If you create users who are local to the Tanium Server and who authenticate through an IdP, work with the IdP administrator to ensure that their user accounts are also configured in the remote identity store (see Integrating with a SAML IdP). For details about all the methods to authenticate users, see User authentication.

When you create a user, assigning roles, alternative personas, and computer groups is optional. However, a user with no roles cannot access anything after signing in to the Tanium Console. You can assign roles and computer groups directly to the user (default persona) or assign them to alternative personas and user groups that you assign to the user. If you set a default user group, all new users are automatically assigned to it (see Set the default user group). Otherwise, you must manually assign users to groups.

Managing user role, computer group, and persona assignments through user groups is a best practice. By combining that practice with a default user group, you can automatically provision new users with all the RBAC permissions that they need.

You can use the automatic or manual method to create users.

Automatically create users

You can configure Tanium Cloud to automatically create users when they sign in to the Tanium Console if their user names match a regular expression that you specify. This is useful for creating configurations for all the users in a particular domain, such as example.com. Typically, you configure automatic user creation through Tanium Cloud Management Portal when you first set up Tanium Cloud. However, you can also configure or modify the feature after initial setup.

To automatically add users and user groups from a SAML IdP to Tanium Cloud, configure System for Cross-Domain Identity Management (SCIM). The synchronization between the IdP and Tanium Cloud includes attributes such as user-to-group assignments that are configured in the IdP. See Tanium Cloud Deployment Guide: Configure SCIM provisioning.

The following steps involve configuring a platform setting, which requires signing in to the Console as a user with the Global Settings write permission.

  1. Set the default user group if it is not already set. A default group is required for automatic user creation.
  2. From the Main menu, go to Administration > Configuration > Settings > Advanced Settings.
  3. In the Name column, click user_auto_provision_regex.
  4. Enter a regular expression to match the user names of the accounts that you want to create and click Save.

    For example, the regular expression [email protected] matches all user names that have the format <user>@example.com, such as [email protected]

When a matching user signs in to the Tanium Console for the first time, Tanium Cloud creates a user configuration that has no RBAC assignments except the default user group. You can then configure any settings that the user requires but does not inherit from the default user group. If necessary, you can reassign the user to a user group other than the default group.
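The following added example is not Tanium code; it is a small Python check for a candidate user_auto_provision_regex value before you save it. It assumes the setting is applied as an unanchored regex search against the sign-in name, and the sample names and both patterns are constructed. It shows why an unanchored pattern also provisions names that merely contain the domain, which is the check a practitioner would want before turning on automatic creation.

```python
import re

# Constructed sample sign-in names; none of these come from the page.
SIGNIN_NAMES = [
    "jsmith@example.com",
    "jsmith@example.com.unrelated.test",
    "jsmith@example.com@unrelated.test",
    "jsmith@notexample.com",
    "jsmith",
]

# Two hypothetical values for the user_auto_provision_regex setting.
UNANCHORED = r".*@example\.com"
ANCHORED = r"^[^@\s]+@example\.com$"


def would_auto_provision(user_name, pattern):
    """True if a first-time sign-in as user_name would create a user configuration.
    Assumption: the setting is applied as an unanchored regex search, so the
    pattern itself must carry the anchors if you want whole-name matching."""
    return re.search(pattern, user_name) is not None


def provisioned_names(pattern, names=SIGNIN_NAMES):
    """Names from the sample list that the pattern would auto-provision."""
    return [n for n in names if would_auto_provision(n, pattern)]


def anchoring_warnings(pattern):
    """Checks to run before you click Save: the pattern must compile, and an
    unanchored pattern also matches names that only contain the domain."""
    try:
        re.compile(pattern)
    except re.error as exc:
        return [f"pattern does not compile: {exc}"]
    warnings = []
    if not pattern.startswith(("^", r"\A")):
        warnings.append("pattern is not anchored at the start (^)")
    if not pattern.endswith(("$", r"\Z")):
        warnings.append("pattern is not anchored at the end ($)")
    return warnings


if __name__ == "__main__":
    for pattern in (UNANCHORED, ANCHORED):
        print(pattern, "->", provisioned_names(pattern), anchoring_warnings(pattern))
```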

Manually create a user

  1. From the Main menu, go to Administration > Permissions > Users and click New User.
  2. Specify a User Name. In Tanium Cloud, the name must match an account in your IdP. In an on-premises deployment, specify one of the following:
    • A user account that is defined locally on the Tanium Server. If the account does not yet exist on the server, a later step in this procedure describes how to add it.
    • (Windows deployment only) An AD account name. Specify just the user name, not the domain name. The Tanium Server uses Windows Authentication, and does not store or manage sign-in credentials for the user.
  3. Configure any settings that the user requires but does not inherit from a default user group. If necessary, you can reassign the user to a user group other than the default group.
  4. Click Save to create the user.
  5. (Tanium Appliance deployment only) Add the user account on the Appliance and configure the local authentication service as described in Tanium Appliance Deployment Guide: Configure the local authentication service.
  6. (Windows deployment, local account only) Add the user account on the Tanium Server if it does not yet exist there:
    1. Sign in to the Tanium Server host as the Administrator user.
    2. From the Windows menu, open the Control Panel.
    3. Select User Accounts, click Manage another account, and click Add a user account.

    4. Complete the following fields and click Next:

      • User name
      • Password
      • Reenter password
      • Password hint
    5. Click Finish and verify that the list of accounts includes the one that you just added.

Configure user display name and properties

For each user, you can configure an optional display name that appears as the label for the user dropdown list in the Main menu:

Display name

You can also configure user properties, which are name-value pairs that record optional user details such as full name, organization, email address, and phone number.

  1. From the Main menu, go to Administration > Permissions > Users.
  2. Click the user Name and click Edit Mode.
  3. Enter a Display Name.
  4. Update properties as follows and then click Save:
    • Add: Click Add properties or, if the user already has some properties, click Add, and then enter a name-value pair in the text fields.
    • Edit: Overwrite the entries of existing name-value pairs.
    • Delete: Click Delete beside a name-value pair.

Manage role assignments for a user

For an overview of how effective permissions are derived for a user, and to view the roles and associated content sets that are assigned to a user, see View effective role permissions for a user.

To assign or unassign roles and associated content sets for a user, see Configure role assignments for a user.

View effective role permissions for a user

The effective permissions of a user are based on the cumulative effect of all the assigned and inherited roles, including:

  • Permissions specified in allow roles minus permissions specified in deny roles
  • Implicitly provided permissions in allow roles
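The added Python model below is not Tanium code; it works through the rule just stated (explicit and implicit permissions from allow roles, minus permissions in deny roles) on constructed roles so you can predict what the user page will show. The role and permission names are illustrative, the Deny All behaviour follows the description later on this page, and it assumes a deny role also strips a permission that another allow role provides only implicitly.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    """Constructed model of a Tanium role: 'allow' or 'deny', the permissions
    explicitly selected in it, and (for allow roles) permissions the platform
    provides implicitly. deny_all models the Deny All role."""
    name: str
    kind: str                      # "allow" or "deny"
    explicit: frozenset = frozenset()
    implicit: frozenset = frozenset()
    deny_all: bool = False


def effective_permissions(roles):
    """(explicit allow + implicit allow) minus explicit deny, over every assigned
    and inherited role. Assumption: a deny also removes an implicit permission."""
    allowed, denied = set(), set()
    for role in roles:
        if role.kind == "allow":
            allowed |= role.explicit | role.implicit
        elif role.kind == "deny":
            if role.deny_all:
                return set()       # Deny All: the user can sign in but reach nothing
            denied |= role.explicit
        else:
            raise ValueError(f"unknown role kind {role.kind!r} in {role.name}")
    return allowed - denied


def effective_for_user(direct_roles, user_group_roles):
    """Roles on the user's default persona and roles inherited from user groups
    contribute equally; the order in which they are listed does not matter."""
    return effective_permissions(list(direct_roles) + list(user_group_roles))


# Constructed sample roles; permission names are illustrative only.
SENSOR_AUTHOR = Role("Sensor Author", "allow",
                     explicit=frozenset({"Sensor read", "Sensor write"}),
                     implicit=frozenset({"Content Set read"}))
QUESTION_ASKER = Role("Question Asker", "allow",
                      explicit=frozenset({"Ask Dynamic Question"}),
                      implicit=frozenset({"Sensor read"}))
NO_SENSOR_WRITE = Role("No Sensor Write", "deny",
                       explicit=frozenset({"Sensor write"}))
DENY_ALL = Role("Deny All", "deny", deny_all=True)


if __name__ == "__main__":
    print(sorted(effective_for_user([SENSOR_AUTHOR, NO_SENSOR_WRITE], [QUESTION_ASKER])))
```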

Perform the following steps to see the effective permissions for a user:

  1. From the Main menu, go to Administration > Permissions > Users and click the user Name.
  2. Review the assigned and inherited roles, permissions, and content sets. The page displays icons to indicate:

    Explicit permission icon: Allow roles or permissions

    Super explicit permission icon: Deny roles or permissions

    The role configuration pages indicate whether permissions are explicitly assigned or implicitly provided. See View effective role permissions.

    If you assign a reserved role (Admin in Tanium Cloud, or Administrator on the Tanium Server), it appears under Global Permissions with a single Special permission icon.

  3. (Optional) Expand an individual permission to review the content sets that are assigned to it. Only solution content permissions (such as Trends Administrator permission) and platform content permissions (such as Sensor read permission) are associated with content sets. The page displays icons to indicate the type of permission to which the content sets are assigned:

    Explicit permission icon: Allow permission

    Deny permission icon: Deny permission

Figure 2: Effective permissions

Configure role assignments for a user

Perform the following steps to update the role assignments for the default persona of a user. To configure roles through an alternative persona, edit the persona configuration (see Manage role assignments for a persona) and assign the persona to the user (see Manage persona assignments for a user).

  1. From the Main menu, go to Administration > Permissions > Users.
  2. Click the user Name and click Edit Mode.
  3. In the Roles section, click Manage Roles.
  4. Select or deselect roles and click Apply.
  5. (Optional) Review the Permissions and Content Sets that are associated with the selected roles. See View effective role permissions for a user.

  6. Click Save.

Manage user group assignments for a user

  1. From the Main menu, go to Administration > Permissions > Users.
  2. Click the user Name and click Edit Mode.
  3. Expand the User Groups section and click Manage User Groups.
  4. Select or deselect user groups and click Select.
  5. Review the inherited Roles, Permissions, Content Sets, and Computer Groups, and then click Save.

Manage computer group assignments for a user

Perform the following steps to update the computer management group assignments for the default persona of a user. To configure the assignments through alternative personas, configure the personas (see Create a persona) and assign the persona to the user (see Manage persona assignments for a user).

  1. From the Main menu, go to Administration > Permissions > Users.
  2. Click the user Name and click Edit Mode.
  3. Expand the Computer Groups section.
  4. If you want the user to have management rights for all endpoints, select Unrestricted Management Rights and click Save (you can skip the remaining steps).

    Tanium strongly recommends that you do not assign Unrestricted Management Rights, unless you want the user to be able to issue questions to all endpoints across all computer groups regardless of security considerations.

  5. Click Manage Computer Groups, select or deselect computer management groups, and click Select.

    Selections are logically combined. For example, the union of All Computers and No Computers is effectively All Computers.

  6. Review the list of computer groups that you assigned or that the user inherits from user groups, and then click Save.

Manage persona assignments for a user

Tanium Cloud or the Tanium Server automatically assigns a default persona to new user accounts and, after you upgrade to Tanium Core Platform 7.4 or later, to existing pre-upgrade accounts. A user who has a role with the Permission Administrator, Write Persona, and Write User permissions must manually update the assignment of alternative personas as follows. The Administrator reserved role (Tanium Server) and the Admin reserved role (Tanium Cloud) have these permissions. For details on personas, see Managing personas.

  1. From the Main menu, go to Administration > Permissions > Users.
  2. Click the user Name and click Edit Mode.
  3. Expand the Personas section and click Manage Personas.
  4. Select or deselect personas, and click Select.
  5. Review the assigned Personas and click Save.

Export user details

You can export user details as a CSV file. When you open the file in an application that supports CSV format, it lists the users with the same attributes (columns) as the Users page displays and (optionally) lists the RBAC assignments of each user.

  1. From the Main menu, go to Administration > Permissions > Users.
  2. (Optional, CSV exports only) To add or remove attributes (columns) for the CSV file, click Customize Columns in the grid and select the attributes.
  3. Select rows in the grid to export only specific users. If you want to export all users, skip this step.
  4. Click Export.
  5. (Optional) Edit the default export File Name. Tanium Cloud or the Tanium Server automatically appends the file suffix (.csv).
  6. Select an Export Data option: All users in the grid or just the Selected users.
  7. Set the file Format to List of Users - CSV. Optionally, select With RBAC Details to include the names of user groups, roles, personas, and computer groups that are assigned to users. For users that are members of user groups, the exported data includes the names of roles, personas, and computer groups that the users inherit.
  8. Click Export.

    Tanium Cloud or the Tanium Server exports the file to the downloads folder on the system that you used to access the Tanium Console.
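As an added example (not Tanium code), the Python script below runs the quarterly review this page recommends over an exported user list: it flags locked-out and deleted accounts that may still own content, active accounts with a reserved administrator role or Unrestricted Management Rights, and confirms that at least one local Administrator account exists for recovery if LDAP or SAML goes down. The CSV is constructed, and its column layout, the ';' separator inside multi-valued cells, and the way Unrestricted Management Rights appears in the export are assumptions.

```python
import csv
import io

# Constructed sample export. The column layout is an assumption: a real export has
# whichever columns you chose with Customize Columns, plus the RBAC columns when you
# export With RBAC Details. Multi-valued cells are assumed to be ';'-separated.
SAMPLE_EXPORT = """\
Name,Display Name,Domain,Status,User Groups,Roles,Personas,Computer Groups
admin,Break-glass admin,,Active,,Administrator,,Unrestricted Management Rights
jsmith,Jane Smith,example.com,Active,Helpdesk,Helpdesk Read Only,,Workstations
rjones,Rob Jones,example.com,Locked out - Disabled,SOC,Incident Responder,,All Computers
mlee,Mia Lee,example.com,Locked out - Missing,SOC,Incident Responder,,All Computers
old-svc,Old service account,,Deleted,,Administrator,,Unrestricted Management Rights
"""

# Reserved admin role names used on this page (Tanium Server and Tanium Cloud).
RESERVED_ADMIN_ROLES = {"Administrator", "Admin"}
MULTI_VALUED = ("User Groups", "Roles", "Personas", "Computer Groups")


def parse_export(csv_text):
    """Parse an exported user list; multi-valued cells become lists."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for col in MULTI_VALUED:
            row[col] = [v.strip() for v in row[col].split(";") if v.strip()]
        rows.append(row)
    return rows


def audit_user_export(csv_text):
    """Return (user name, finding) pairs for a quarterly account review."""
    findings = []
    for row in parse_export(csv_text):
        name, status = row["Name"], row["Status"]
        if status == "Deleted":
            findings.append((name, "deleted; check Deleted User Content for content it still owns"))
            continue
        if status.startswith("Locked out"):
            findings.append((name, f"{status}; owned scheduled content keeps running "
                                   "until you delete the user and transfer it"))
            continue
        if RESERVED_ADMIN_ROLES & set(row["Roles"]):
            findings.append((name, "holds a reserved administrator role"))
        if "Unrestricted Management Rights" in row["Computer Groups"]:
            findings.append((name, "has Unrestricted Management Rights"))
    return findings


def local_admin_accounts(csv_text):
    """Active local users (no domain, assumed to mean local authentication) with a
    reserved admin role: keep at least one so you can recover external auth."""
    return [row["Name"] for row in parse_export(csv_text)
            if row["Status"] == "Active" and not row["Domain"]
            and RESERVED_ADMIN_ROLES & set(row["Roles"])]


if __name__ == "__main__":
    for name, finding in audit_user_export(SAMPLE_EXPORT):
        print(f"{name}: {finding}")
    print("local admin accounts:", local_admin_accounts(SAMPLE_EXPORT))
```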

Copy user configuration details

Copy configuration details from the grid in the Users page to your clipboard for pasting into a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

  1. From the Main menu, go to Administration > Permissions > Users.
  2. Perform one of the following steps:
    • Copy row information: Select one or more rows and click Copy.
    • Copy cell information: Hover over the cell, click Options, and click Copy.

Delete, un-delete, or lock out a user

When employees leave your organization, you have the following options for locking down their access to the Tanium system:

  • Assign the Deny All role to the user. The user can still sign in to the Tanium Console, but cannot access any Console functionality.
  • Delete the Tanium Console configuration for a manually created user.
  • Disable the AD or LDAP user account that is associated with the Tanium Console user configuration, or change the password if it is an administrator alias account. If the Tanium Server imported the user through an LDAP server, it is important to modify the user details on the LDAP server so that the Tanium Server does not import the user again at the next synchronization. When you disable a user account on the LDAP server, the account has locked out status on the Tanium Server. See Locked-out users.

Considerations when deleting users

When you delete a user or persona, scheduled content that the user or persona owns stops running, including:

Locked-out users

The Tanium Server designates users that it imported from an LDAP server as locked out when the LDAP synchronization data indicates that the associated LDAP account is disabled or when the data is missing. While the user has locked-out status, the user cannot sign in, but scheduled content that the user owns continues to run.

The Administration > Permissions > Users page shows the Locked out status of users:

  • Locked out - Disabled: The data that the latest LDAP synchronization returns indicates the user account is disabled.

    When off-boarding employees, disable LDAP accounts rather than delete them to avoid deleting associated records.

  • Locked out - Missing: The latest LDAP synchronization returned no data for the user. Data might be missing if the user was deleted from the LDAP server or otherwise no longer matches the filter expression that the LDAP server uses.

Check the policy of your organization for managing locked-out users. One option is to delete them and transfer the content that they own to another user (see Managing users).

Delete a user

  1. From the Main menu, go to Administration > Permissions > Users and select the user.
  2. Click Delete and then click Confirm.

    To display deleted users, set the Users toggle to All (default is Active users only). The Status column indicates which users are Active or Deleted.

To transfer or delete content that the deleted user owned, see Delete or transfer content for a non-active user.

Un-delete a user

By default, the persona that a user selects for a Tanium session is the owner of any content that the user creates during the session. When you un-delete users who own content, you can delete or transfer ownership of that content.

Un-delete one user at a time:

  1. From the Main menu, go to Administration > Permissions > Users.
  2. Set the Users toggle to All (default is Active users only).

    The Status column indicates which users are Active or Deleted.

  3. Select the row for the deleted user, click Undelete User, and click Confirm.

Delete or transfer content for a non-active user

The Deleted User Content page lists user accounts that are deleted or locked out and that own content. You can use the page to delete or transfer ownership of that content. The default or alternative persona that a user selects for a Tanium session is the owner of any content that the user creates during the session. You can transfer ownership from the personas of a non-active user to the personas of one or more active users.

You can transfer content ownership only to an active user account or persona that has the same role and computer management group assignments as the non-active user or persona. To review the role and computer management group assignments of users or personas, see View user settings or View persona details.

In a Tanium Core Platform release before version 7.5.2.2554, if you delete a persona configuration instead of deleting the user to which the persona is assigned, you can delete or transfer content that the persona owned. In version 7.5.2.2554 or later, you cannot delete a persona that owns content.

You require a role with the Permission Administrator permission to manage the content of non-active users.

Delete content or transfer its ownership for one user at a time:

  1. From the Main menu, go to Administration > Permissions > Deleted User Content.
  2. Click Manage Content in the row of the user account (persona) for which you want to transfer content.

  3. Select content that requires the same action. For example, select all the actions and questions that you want to transfer to the same user. To transfer content to multiple users, you must repeat this step for each user.

    To reassign content to a different content set before transferring, click the name in the Content Set column to open the configuration page for that content set. See View content set details.

  4. Click an action button:
    • Delete: Remove content that the non-active user owns and that no other users need. In the confirmation dialog, review the content that you selected and click Delete to proceed.
    • Transfer: Select the user name (persona) of the new owner and click Transfer to proceed.

Disable or enable local user access

By default, users whose accounts are local to the Tanium Server can access the Tanium Console. However, if you transition to an external authentication service such as an LDAP server or SAML IdP and you want to ensure all user access is through that service, disable local authentication.

Maintain at least one user account that relies on local authentication and assign the Administrator reserved role to that account. If the external authentication service ever becomes unavailable (for example, the connection to the LDAP server or SAML IdP goes down), this local user can still access the Tanium Console and reconfigure the connection to the external service as necessary. Optionally, you can use the default user that is created during Tanium Server installation for this purpose.

Local users on a Tanium Appliance

To disable or re-enable Tanium Console access for user accounts that are local to a Tanium Appliance, see Tanium Appliance Deployment Guide: Configure the local authentication service.

Local users on a Windows server

Perform the following steps to disable or re-enable Tanium Console access for user accounts that are local to a Tanium Server installed on a Windows server.

If you disable local account sign ins and the remote authentication service later stops working (for example, the connection to the LDAP server or SAML IdP goes down), no users can access the Tanium Console, including the default user. In such cases, you must re-enable local authentication through the CLI by running the following command from the Tanium Server installation folder:
TaniumReceiver global-settings set soap_enable_local_auth 1

  1. From the Main menu, go to Administration > Configuration > Settings > Advanced Settings.
  2. In the Name column, click soap_enable_local_auth.
  3. In the Value, enter 0 to disable or 1 to enable local authentication, and then click Save.