Managing action approval

Some organizations implement two-person integrity, which means that actions a user initiates cannot deploy until another user approves those actions. A pending action is one that is initiated but not yet approved. Approvers can be users with the Administrator reserved role or a role that grants Approve Action and Sensor read permissions. If your organization allows exceptions to approval requirements, you can configure a role that grants Bypass Action Approval permission.

For the role permissions that are required to manage action approval, see Manage action approval.

Create an action approver role

Users who have a role that grants Approve Action permission can approve pending actions that are associated with packages in the specified content sets.

  1. From the Main menu, go to Administration > Permissions > Roles.
  2. Configure a custom role that grants Approve Action and Sensor read permissions on the content sets that you specify, and click Save.

Create a bypass action approval role

Users who have a role that grants Bypass Action Approval permission are not subject to approval requirements when they deploy actions that are associated with packages in the specified content sets.

  1. From the Main menu, go to Administration > Permissions > Roles.
  2. Configure a custom role that grants Bypass Action Approval permission on the content sets that you specify, and click Save.

Assign the action approval and bypass roles

You can assign the action approval and bypass roles to personas, users, and user groups.

Enable or disable action approval

  1. From the Main menu, go to Administration > Configuration > Platform Settings.
  2. In the Name column, click require_action_approval, change the setting Value to 1 (enable) or 0 (disable), and click Save.
  3. (Optional) To give users the option to approve multiple actions without being prompted to review the action configurations:
    1. In the Name column, click allow_multiple_action_approval.
    2. Change the setting Value to 1 (enable) or 0 (disable), and click Save.
    This setting enables the More > Bulk Approval option in the Actions I Can Approve page.

If any pending actions exist when you disable action approval, those actions can never deploy. To avoid this, ask your approver to delete the pending actions before disabling the feature. Alternatively, after disabling the feature, go to Administration > Actions > Scheduled Actions, review the pending actions, and reissue any that are still needed.
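An added example, not Tanium code: a short audit over a constructed snapshot of the roles, assignments, and platform settings described above. It lists who is exempt from approval, who holds Approve Action without Sensor read on the same content set, and whether bulk approval is available. The snapshot layout and the effective and audit helpers are hypothetical (this is not a Tanium export format or API), and the Administrator reserved role is not modeled.

```python
from collections import defaultdict

# Constructed sample data in a hypothetical layout (not a Tanium export).
SNAPSHOT = {
    "settings": {"require_action_approval": 1,
                 "allow_multiple_action_approval": 1},
    "roles": {  # role -> permission -> content sets
        "Patch Approvers": {"Approve Action": {"Patch"}, "Sensor read": {"Patch"}},
        "Ops Approvers": {"Approve Action": {"Base", "Patch"}, "Sensor read": {"Base"}},
        "Break Glass": {"Bypass Action Approval": {"Base"}},
    },
    "assignments": {  # persona, user, or user group -> role names
        "user:alice": ["Patch Approvers"],
        "user:bob": ["Ops Approvers", "Break Glass"],
        "group:oncall": ["Break Glass"],
    },
}

def effective(snapshot, principal):
    """Union of content sets per permission across the principal's roles."""
    merged = defaultdict(set)
    for role in snapshot["assignments"].get(principal, []):
        for perm, content_sets in snapshot["roles"].get(role, {}).items():
            merged[perm] |= content_sets
    return merged

def audit(snapshot):
    """Return (kind, subject, detail) findings that weaken two-person integrity."""
    findings = []
    settings = snapshot["settings"]
    if settings.get("require_action_approval") != 1:
        findings.append(("setting", "require_action_approval", "action approval is disabled"))
    if settings.get("allow_multiple_action_approval") == 1:
        findings.append(("setting", "allow_multiple_action_approval",
                         "bulk approval without configuration review is available"))
    for principal in sorted(snapshot["assignments"]):
        perms = effective(snapshot, principal)
        if perms["Bypass Action Approval"]:
            findings.append(("bypass", principal, sorted(perms["Bypass Action Approval"])))
        # Approvers need Sensor read on the same content sets as Approve Action.
        missing = perms["Approve Action"] - perms["Sensor read"]
        if missing:
            findings.append(("approve-without-sensor-read", principal, sorted(missing)))
    return findings

if __name__ == "__main__":
    for finding in audit(SNAPSHOT):
        print(finding)
```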

Review and manage pending actions

When action approval is enabled, users with the Administrator reserved role can display the Administration > Actions > All Pending Approvals page. The page has the same fields and action buttons as the Administration > Actions > Scheduled Actions page (see Manage scheduled actions), but displays only the actions that are waiting for approval.

Figure 1: All Pending Approvals page

Approve pending actions

After you approve a scheduled action, the approval remains in force until the End At date-time that is set in the action configuration or until someone modifies the configuration.

  1. Sign in as a user with the Administrator reserved role or a role that grants Approve Action permission.

    The Tanium Console displays the number of pending actions in the Main menu.

  2. From the Main menu, go to Administration > Actions > Actions I Can Approve.
  3. (Optional) To find specific actions, configure any of the following filters and click Apply All:
    • Text string: Enter a text string in the Filter items field to filter the grid by any value text in any column.
    • Date Range: Filter the grid to display only actions for which the Start At date is within a specific date range. The default All means no date range filter is applied.
    • Action group: Add one or more action groups as a filter by selecting one at a time in the Select Action Group drop-down.
    • Attribute: Click Filters, click Add, select an action attribute (such as Issuer), select an operator (such as is equal to), enter an attribute value (such as administrator), and click Apply. After you finish specifying attributes, click Apply All to filter the grid.
  4. (Optional) Specify the time standard that the page uses to display action settings that have date-time values:
    • Local Time: This is local to the system that you use to access the Tanium Console.
    • UTC: Coordinated Universal Time.
  5. Select the actions that you want to approve and perform one of the following steps:
    • To approve actions without reviewing their configurations, select More > Bulk Approval and click Confirm. You can skip the remaining steps. This option is available only if the allow_multiple_action_approval setting is set to 1 (see Enable or disable action approval).
    • To review action configurations before approving them, click Preview and perform the remaining steps.
  6. Review the action configuration and click Approve. If you selected multiple actions, use the Previous and Next widgets to navigate among the pages for each action.

    The Tanium Console indicates the estimated number of endpoints that the action will affect, as entered by the user who created the action. Note that the Tanium Server does not recalculate this estimate during the approval workflow; the displayed number is the same as when the action creator configured the action, regardless of how the actual endpoint count might have changed since then.

  7. If the number of Estimated clients affected exceeds the configured threshold (default is 100), enter the estimated number and click Confirm.

    The Tanium Server enforces this confirmation step to ensure that you understand the impact that the action will have on your network.

    To change the threshold that controls whether the Tanium Console prompts approvers for the Estimated clients affected, go to Administration > Configuration > Platform Settings and edit the prompt_estimate_threshold setting. Note that changing the value to 0 causes the Tanium Console to prompt approvers regardless of the number of affected endpoints.