Reference: User-specific saved questions

When multiple users work with the same saved question, the following factors control which users can see the question, and which question settings and results the users can see:

  • User role permissions: To view and edit a saved question, a user must have the required role permissions for the content set to which the question is assigned (see Manage saved questions). Additionally, the Visibility setting in the question determines whether the question is visible only to the owner (question creator) or to any user who has the required role permissions.
  • User-specific configuration changes: When a user saves changes to the question configuration, Tanium Cloud or the Tanium Server saves a copy of the question. When users sign in to Tanium Cloud or the server, the users see only the copy with their own changes.
  • Computer group management rights: The computer groups assigned to users, user groups, and personas determine the visibility of the saved question Reissue interval and recent question results.

The following sections use an example scenario to describe how these factors determine the visibility of a question and its settings and results. All users in the example have permissions to read, create, and edit the Installed Applications on Windows Workstation question. The following table lists the users in the order that they made changes to the question configuration.

Table 1: Example user role permissions and computer group assignments

| User name | Role permissions | Computer group management rights | Question configuration edits |
|---|---|---|---|
| Admin1 | Admin or Administrator reserved role | Unrestricted management rights | Created and saved the question with the Display this question in the list of questions that are available for drilling down and Display this question in the list of questions that are available to merge options disabled, and the Reissue interval set to one day. |
| User1 | Read, create, and edit the saved question | All Windows (endpoints that run any Windows OS) | Resaved the question with Display this question in the list of questions that are available to merge enabled. |
| Admin2 | Admin or Content Administrator reserved role | Unrestricted management rights | Resaved the question with Display this question in the list of questions that are available to merge reverted to disabled after User1 enabled it. |
| User2 | Read, create, and edit the saved question | All Windows desktops (endpoints that run the Windows desktop OS) | Resaved the question with Display this question in the list of questions that are available for drilling down enabled. |
| User3 | Read, create, and edit the saved question | All Windows | Made no changes. |

To see the question settings described in the following sections:

  1. From the Main menu, go to Administration > Content > Saved Questions.
  2. Click the title of a saved question to preview and edit the saved question.

Role permissions

Visibility

Whether a saved question is visible to users depends on their role permissions and the Visibility option in the question configuration:

  • According to RBAC: All users who have the necessary role permissions can see the question. In this example, all users have the role permissions required to read and edit saved questions in the content set that contains this question. Therefore, this option enables all users to see the question.
  • Only the Owner and Admins can see this object: Only users with the Admin, Administrator, or Content Administrator reserved role, and the question owner (creator), can see the question. In this example, this option enables only Admin1 and Admin2 to see the question.

Figure 1: Saved question visibility options

User settings

The User Settings for a saved question vary based on the role permissions and any default settings. In addition to the merge and drilldown settings, administrators can see and set default settings. The default settings are useful when you want a question to initially have the same User Settings for all users until the users edit those settings. In this context, administrators are users who have the Admin or Administrator reserved role (Admin1 and Admin2 in this example) or Content Administrator reserved role (Admin2 in this example). The default settings differ based on whether the administrator creates a new question or edits an existing question.

For information on all saved question settings, see Tanium Console User Guide: Create a saved question.

The figures in the following sections show the User Settings for counting questions. Non-counting questions have fewer options.

User settings for a new saved question

The following figure shows the User Settings for an administrator who creates a saved question.

Figure 2: User Settings for a new saved question

The default settings include:

  • Save these settings for myself and other users with no prior settings saved: For each non-administrator user, Tanium Cloud or the Tanium Server applies the User Settings according to the changes that the user made to these settings. For non-administrator users who never changed the settings, Tanium Cloud or the server applies the settings according to whichever administrator was the last to save changes. For administrators, the latest changes that an administrator makes override any earlier changes that other administrators made.
    For all the users in this example, the server applies the settings that Admin1 configured when creating the saved question, except as follows:
      ◦ User1: Merging is enabled for this user because the user made that change.
      ◦ User2: Drilldown is enabled for this user because the user made that change.
      ◦ User3: The settings are as Admin2 configured them because Admin2 was the last administrator user to save changes to the settings and User3 made no subsequent changes.
  • Save these settings for my view only: For each user, Tanium Cloud or the Tanium Server applies the user settings according to the changes that the user made to these settings.
    For all the users in this example, the server applies the settings that Admin1 configured when creating the saved question, except as follows:
      ◦ User1: Merging is enabled for this user because the user made the change.
      ◦ User2: Drilldown is enabled for this user because the user made that change.
      ◦ User3: The settings are as Admin1 configured them because User3 made no changes.

User settings for an existing saved question

The following figure shows the User Settings for an administrator who is editing an existing saved question.

Figure 3: User Settings for an existing saved question

The options are as follows:

  • Save these settings for my view only: For each user, Tanium Cloud or the Tanium Server applies the User Settings according to the changes that the user made to these settings.
    For all the users in this example, Tanium Cloud or the server applies the settings that Admin1 configured when creating the saved question except for the changes that each user saved, as follows:
      ◦ User1: Merging is enabled for this user because the user made that change.
      ◦ User2: Drilldown is enabled for this user because the user made that change.
      ◦ User3: The settings are as Admin1 configured them because User3 made no changes.
  • Save these settings for myself and other users with no prior settings saved: For each user, Tanium Cloud or the Tanium Server applies the User Settings according to the changes that the user made to these settings. For a user who never edited the settings, Tanium Cloud or the server applies the settings according to whichever user was the last to save changes.
    For all the users in this example, Tanium Cloud or the server applies the settings that Admin1 configured when creating the saved question, except as follows:
      ◦ User1: Merging is enabled for this user because the user made that change.
      ◦ User2: Drilldown is enabled for this user because the user made that change.
      ◦ User3: Drilldown is enabled for this user because User2 was the last user to set the values and User3 made no subsequent changes.

Saved question configuration copies

Tanium Cloud or the Tanium Server maintains a copy of a saved question configuration for each user who saves changes to it. Users who make no changes share the same configuration as the question creator.

In this example, Tanium Cloud or the server maintains the original configuration that Admin1 created and adds a copy for Admin2, User1, and User2 because those users made changes. Tanium Cloud or the server does not add a copy for User3 because that user made no changes. Upon logging into Tanium Cloud or the server, User3 sees the saved question that Admin1 created, whereas the other users each see their own copy.

The visibility of the saved question Reissue interval and recent question results depends on computer group assignments, even among users who share the same saved question configuration as the creator. The following sections explain this in detail.

Reissue interval and computer group assignments

Tanium Cloud or the Tanium Server creates a management rights identifier (computer management group ID) for each identical set of computer group assignments, and associates that identifier with each user who has the set. If a user specifies a Reissue interval when creating a saved question, other users who subsequently log into Tanium Cloud or the Tanium Server can see that setting only if they have the same computer management group ID as the creator. Otherwise, users must set their own Reissue interval, at which point the server creates user-specific copies of the question configuration.

Figure 4: Saved question reissue interval

In this example, Admin1 creates the saved question Installed Applications on Windows Workstation and sets the Reissue interval to one day. Admin1 and Admin2 have the same computer group assignments (Unrestricted management rights), so Admin2 can see the Reissue interval that Admin1 configured. However, because User1, User2, and User3 have different computer group assignments than Admin1, they cannot see the Reissue interval that Admin1 configured.

The computer management group ID that controls Reissue visibility requires exact matching for computer group assignments. For example, if User2 creates a question, User1 and User3 cannot see its Reissue interval even though their computer group All Windows includes all the endpoints in the All Windows desktops computer group that is assigned to User2. As another example, consider what happens when an administrator assigns two computer groups to User1 (All Windows and All macOS), but assigns only one computer group to User3 (All Windows). User1 and User3 will have different computer management group IDs because the combination of computer groups assigned to each user differs. Therefore, if User1 then creates a saved question, User3 cannot see its Reissue interval.

Tanium Cloud or the Tanium Server issues a saved question at the interval specified in each user-specific configuration. However, if multiple users have the same computer management group ID, Tanium Cloud or the server consolidates the redundant traffic. For example, consider what happens when User1, User2, and User3 keep the Reissue interval at one day and User3 enables drilldown. Because User3 changed a setting, Tanium Cloud or the Tanium Server adds a User3-specific copy of the question. Nevertheless, User1 and User3 have the same computer group assignments (All Windows), so Tanium Cloud or the server issues the question once per day for both users instead of twice per day. Tanium Cloud or the server also has a User2-specific copy of the question. However, even though the User2 copy has the same Reissue interval as the User1 and User3 copies, User2 has a different computer group assignment (All Windows desktops), so Tanium Cloud or the server issues the User2 question separately from the other users. Ultimately, Tanium Cloud or the server issues the same question twice per day: once to the All Windows computer group (for User1 and User3) and once to the All Windows desktops computer group (for User2).
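The exact-match rule and the traffic consolidation described above can be modeled in a few lines. This is an added illustration, not Tanium code: the frozenset of group names is an assumed stand-in for the computer management group ID, the function names are hypothetical, and grouping by ID plus interval is an assumption about what counts as redundant traffic.

```python
from collections import defaultdict

# Constructed data mirroring Table 1. A frozenset of group names stands in for
# the computer management group ID (assumption: the real identifier is opaque).
ASSIGNMENTS = {
    "Admin1": frozenset({"Unrestricted"}),
    "Admin2": frozenset({"Unrestricted"}),
    "User1": frozenset({"All Windows"}),
    "User2": frozenset({"All Windows desktops"}),
    "User3": frozenset({"All Windows"}),
}


def can_see_reissue_interval(viewer, creator, assignments=ASSIGNMENTS):
    """True only when both users hold the identical set of computer groups.

    Containment does not count: All Windows covers every endpoint in
    All Windows desktops, yet the two sets yield different IDs.
    """
    return assignments[viewer] == assignments[creator]


def issue_schedule(copies, assignments=ASSIGNMENTS):
    """Group user-specific copies that can be served by one issued question.

    copies maps user -> Reissue interval in days. Each key of the result,
    (management group ID, interval), represents one question on the wire.
    """
    schedule = defaultdict(list)
    for user, interval_days in copies.items():
        schedule[(assignments[user], interval_days)].append(user)
    return {key: sorted(users) for key, users in schedule.items()}


def reassign(user, groups, assignments=ASSIGNMENTS):
    """Return a copy of the assignments with one user's group set replaced."""
    updated = dict(assignments)
    updated[user] = frozenset(groups)
    return updated


if __name__ == "__main__":
    for viewer in ASSIGNMENTS:
        print(viewer, "sees Admin1's interval:",
              can_see_reissue_interval(viewer, "Admin1"))
    for (group_id, days), users in issue_schedule(
            {"User1": 1, "User2": 1, "User3": 1}).items():
        print(sorted(group_id), f"every {days} day(s) for", users)
```

Running the same comparison over an export of real user-to-group assignments shows which users share a results cache and which see their own.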

Recent results and computer group assignments

When you view the results of a saved question in Tanium Console, the results grid provides the option to show Current, Recent, or Cached data. Current data includes results only from endpoints that are currently online. In addition to data from online endpoints, Recent data includes results from offline endpoints if those results still reside in the Tanium Server cache. The server stores results for seven days by default. If an endpoint is offline when the server issues a question, the server passes any cached result for that endpoint to the results grid.

Cached data includes data retrieved by Tanium Data Service. For more information on question results settings, see Tanium Console User Guide: Display results for online and offline endpoints.

Figure 5: Saved question recent results

When caching results for a question, Tanium Cloud or the server maintains a separate cache for each set of results that is associated with a distinct computer management group ID. Consequently, users with different computer management group IDs might see different recent results for the same endpoints.

To understand how recent results might differ for each user, consider an example where Tanium Cloud or the Tanium Server reissues the question Installed Applications on Windows Workstation twice per day: once for each computer management group ID. For offline endpoints, Tanium Cloud or the server caches one set of results for the computer management group ID associated with All Windows (results are visible to User1 and User3) and one set for the computer management group ID associated with All Windows desktops (results are visible to User2). User1 and User2 then show the results in the Saved Question Results grid and set the Zoom setting to Recent. However, say a different set of endpoints were offline when the server issued the question to All Windows than when issuing the question to All Windows desktops. As a result, Tanium Cloud or the server saved different updates to the separate results caches. User1 and User2 then see different recent (cached) results for the same endpoints that are offline while they are viewing the results grid.