Managing personas

Personas overview

A persona is a set of roles and computer groups that a user selects for a Tanium session. Assigning multiple personas to a user account enables you to enforce different sets of restrictions on what that user can see and do with the Tanium Core Platform, based on the work scope for a given session, without having to configure multiple accounts for the user. As an example, users might manage endpoints across multiple countries, each with unique privacy laws restricting the actions that users can deploy to specific endpoints based on security clearance. You might configure one persona with a role that allows actions relating only to Tanium Client maintenance on all computer groups for a particular country. You could give the same user another persona that allows security patch installations but only for the subset of computer groups that the user directly manages.

If you plan to import users and user groups from a Lightweight Directory Access Protocol (LDAP) or Active Directory (AD) server, do so before configuring and assigning personas. For details, see Integrating with LDAP servers.

The persona types are as follows:

Default persona

User permissions derive from roles and computer groups that are assigned to the persona and, if the user belongs to user groups, from roles and computer groups that are assigned to the default persona of those user groups. The default persona automatically applies when users sign in to the Tanium Console. The Tanium Server automatically assigns the default persona to new users and user groups and, after you upgrade to Tanium Server 7.4 or later, to existing pre-upgrade users and groups. Each user and group has only one default persona and it is unique; multiple users and groups cannot share a default persona. You cannot delete default personas or reassign them to different users or groups.

Alternative persona

User permissions derive only from roles and computer groups that are assigned to the persona. A user can inherit multiple alternative personas from user groups, but only the permissions of the single persona that the user selects for the current Tanium session apply. Note that when you assign alternative personas to a user group, the personas do not inherit permissions from that group. In the example that Figure 1 illustrates, persona A is assigned to user group SOC, in which user John is a member. If John switches to persona A, his permissions are limited to the roles and computer groups that are assigned to persona A. As long as John uses persona A, he has none of the permissions that are assigned to the default persona of his user account or that his account inherits from the default persona of user group SOC. John can inherit roles and computer groups from SOC only by switching back to his default persona.

You can assign an alternative persona to multiple users and user groups. Each user and group can have zero or more alternative personas.

Figure 1: Tanium personas

For details on how personas interact with users, user groups, computer groups, and roles to determine the effective permissions of a user, see Tanium RBAC implementation and concepts.
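
The resolution rules for default and alternative personas described above can be modeled directly. The following Python model is an added example, not Tanium code or a Tanium API; the class names, role names, and computer group names are constructed for illustration and follow the John / SOC / persona A scenario.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Persona:
    name: str
    roles: frozenset = frozenset()
    computer_groups: frozenset = frozenset()

@dataclass
class UserGroup:
    name: str
    default_persona: Persona
    alternative_personas: list = field(default_factory=list)

@dataclass
class User:
    name: str
    default_persona: Persona
    groups: list = field(default_factory=list)
    alternative_personas: list = field(default_factory=list)

def selectable_personas(user):
    """Default persona, plus alternatives assigned directly or through user groups."""
    found = {user.default_persona.name: user.default_persona}
    for p in user.alternative_personas:
        found[p.name] = p
    for g in user.groups:
        for p in g.alternative_personas:
            found[p.name] = p
    return found

def effective_permissions(user, persona_name):
    """Return (roles, computer_groups) that apply for the selected persona."""
    personas = selectable_personas(user)
    if persona_name not in personas:
        raise PermissionError(f"{persona_name!r} is not assigned to {user.name}")
    selected = personas[persona_name]
    roles, groups = set(selected.roles), set(selected.computer_groups)
    # Only the default persona inherits from the default personas of user groups.
    if selected is user.default_persona:
        for g in user.groups:
            roles |= g.default_persona.roles
            groups |= g.default_persona.computer_groups
    return frozenset(roles), frozenset(groups)

# Constructed sample data mirroring the John / SOC / persona A scenario.
persona_a = Persona("persona A", frozenset({"Patch Installer"}), frozenset({"Managed Servers"}))
soc = UserGroup("SOC", Persona("SOC default", frozenset({"SOC Analyst"}), frozenset({"All Workstations"})), [persona_a])
john = User("John", Persona("John default", frozenset({"Client Maintenance"}), frozenset({"Country X"})), [soc])
```

Calling `effective_permissions(john, "persona A")` returns only the roles and computer groups of persona A, while selecting `"John default"` returns the union of John's own assignments and those of the SOC default persona.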

Because you can reassign alternative personas among users and user groups, the best practice is to assign roles and computer groups to alternative personas instead of default personas. This practice simplifies updating your RBAC implementation when necessary, such as when users leave or join your organization, or when they move between user groups.

For the role permissions that are required to manage personas, see Manage personas.

View persona details

  1. From the Main menu, go to Administration > Permissions > Personas.

    The page displays the persona attributes.

  2. (Optional) To display persona identifiers, click Customize Columns and select ID.
  3. (Optional) Use the filters to find specific personas:
    • Filter by text: To filter the grid by column values, enter a text string in the Filter items field.
    • Filter by attribute: Filter the grid by one or more attributes, such as persona Name. Expand the Filters section, click Add, select an attribute and operator, enter a text string that contains all or part of the attribute value, and click Apply. If you add multiple attribute filters, the Boolean AND operator applies. After you finish specifying attributes, click Apply All to filter the grid.
  4. To see the effective permissions of a persona and the assigned roles, computer groups, users, and user groups, click the persona Name.

Create a persona

  1. From the Main menu, go to Administration > Permissions > Personas and click New Persona.
  2. Enter a Persona Name to identify the persona.
  3. (Optional) Enter a Description of the purpose for this persona. The Personas page will show your entry in the Display Name column. Users will also see the description when they switch personas.
  4. Select the Color that the Main menu will display to help you quickly identify the persona.
  5. Configure the user, user group, computer group, and role assignments as described in the following tasks, and then click Save.

Edit a persona

  1. From the Main menu, go to Administration > Permissions > Personas.
  2. Click the persona Name and click Edit Mode.
  3. Update the Name, Description, and Color settings.
  4. Edit the role, user group, user, and computer group assignments:
  5. Review your changes and click Save.

Manage role assignments for a persona

  1. From the Main menu, go to Administration > Permissions > Personas.
  2. Click the persona Name and click Edit Mode.
  3. In the Roles section, click Manage Roles.
  4. Select or deselect roles and click Apply.

    You cannot assign the Content Administrator or Content Set Administrator reserved role to a persona.

  5. Review the Permissions and Content Sets that are associated with the selected roles, and then click Save.

Manage user group assignments for a persona

  1. From the Main menu, go to Administration > Permissions > Personas.
  2. Click the persona Name and click Edit Mode.
  3. Expand the User Groups section and click Manage User Groups.
  4. Select or deselect user groups and click Select.
  5. Review the user group assignments and click Save.

Manage user assignments for a persona

  1. From the Main menu, go to Administration > Permissions > Personas.
  2. Click the persona Name and click Edit Mode.
  3. Expand the Users section and click Manage Users.
  4. Select or deselect users and click Select.
  5. Review the user assignments and click Save.

Manage computer group assignments for a persona

  1. From the Main menu, go to Administration > Permissions > Personas.
  2. Click the persona Name and click Edit Mode.
  3. Expand the Computer Groups section.
  4. If you want the persona to have management rights for all endpoints, select Unrestricted Management Rights and click Save (you can skip the remaining steps).

    Tanium strongly recommends that you do not assign Unrestricted Management Rights, unless you want the users with the persona to be able to ask questions of all endpoints across all computer groups regardless of security considerations.

  5. Click Manage Computer Groups, select or deselect computer management groups, and click Select.

    Selections are logically combined. For example, the union of All Computers and No Computers is effectively All Computers.

  6. Review the list of computer groups that you assigned or that derive from user group assignments, and then click Save.

View effective permissions for a persona

  1. From the Main menu, go to Administration > Permissions > Personas and click the persona Name.
  2. Review the assigned and inherited roles, permissions, and content sets. For details, see Effective role permissions.

Clone a persona

To add a persona that has many settings in common with an existing persona, cloning the existing persona and then modifying the clone is often a quicker method than configuring a new persona.

  1. From the Main menu, go to Administration > Permissions > Personas.
  2. Select a persona and click Clone.
  3. Specify a new Name, Description (optional), and Color.
  4. Edit the RBAC assignment and click Save:

Select a persona for your Console session

In the Main menu, the field beside your user name indicates your current persona. The colored disk beside the persona name is another useful indicator.

When you sign in, the Default Persona for your user account applies automatically. To switch to an alternative persona or revert to the Default Persona, perform the following steps:

  1. In the Main menu, select <current persona> > Change Persona.

    The Select a Persona dialog opens and lists the personas that are assigned to your user account or to the user groups to which you belong. The dialog identifies personas by their name, description (if specified), and color.

  2. Click Apply beside the persona that you want to use.

    The Tanium Console refreshes to display only the features and modules for which the selected persona has access permissions.

Export and import personas

The following procedures describe how to export and import the configurations of specific personas or all personas.

Develop and test content in your lab environment before importing that content into your production environment.

Export personas

Export personas as a CSV file to view their settings in an application that supports that format. If you have the Administrator reserved role, you can also export personas as a JSON file to import them into another Tanium Server.

  1. From the Main menu, go to Administration > Permissions > Personas.
  2. Select rows in the grid to export only specific personas. If you want to export all personas, skip this step.
  3. Click Export.
  4. (Optional) Edit the default export File Name.

    The file suffix (.csv or .json) changes automatically based on the Format selection.

  5. Select an Export Data option: All personas in the grid or just the Selected personas.
  6. Select the file Format: JSON (Administrator reserved role only) or CSV.
  7. Click Export.

    The Tanium Server exports the file to the downloads folder on the system that you used to access the Tanium Console.

Import personas

You can import content files that are in JSON or XML format.

  1. (Non-Tanium-provided content only) Digitally sign the content file and ensure a public key is in place to validate the signature. See Authenticating content files.

    You do not have to generate keys or signatures for Tanium-provided solutions, such as the Default Computer Groups content pack. Tanium signs this content before making it available, and the associated public key is distributed to the Tanium Server key store during the server installation process.

  2. From the Main menu, go to any of the following Administration pages:
    • Configuration > Solutions
    • Permissions > Filter Groups
    • Under Content, select Sensors, Packages, or Saved Questions
    • Under Actions, select Scheduled Actions, All Pending Approvals, or Actions I Can Approve
  3. Select an Import option based on the source of the content:
    • Import > Import Files: Perform one of the following steps to select one or more files:
      • Drag and drop files from your file explorer.
      • Click Browse for File, select the files, and click Open.
    • Import > Import URL: Enter the URL in the Import URL field, and click Import.
  4. For each file, expand the File name, review the content to import, and select resolutions for any conflicts with existing content (see Resolve conflicts when importing updates).
  5. If you want to overwrite existing content set assignments for all imported objects with the default Tanium-defined assignments, select Include content set overwrite. By default, the Include content set overwrite check box is deselected and the Tanium Server preserves the existing content set assignments.
  6. Click Begin Install.

Copy persona configuration details

Copy information from the Personas page to your clipboard to paste the information into a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

  1. From the Main menu, go to Administration > Permissions > Personas.
  2. Perform one of the following steps:
    • Copy row information: Select one or more rows and click Copy.
    • Copy cell information: Hover over the cell, click Options, and click Copy.

Delete a persona

You can delete alternative personas but not the default persona that is assigned to each user. When you delete a persona, the Tanium Server removes the persona from any user or user group configurations that included it. You cannot delete a persona that owns content.

Before deleting a persona, delete the user and user group assignments from the persona configuration: see Manage user assignments for a persona and Manage user group assignments for a persona.

  1. From the Main menu, go to Administration > Permissions > Personas and select the persona that you want to delete.
  2. Click Delete Selected and click Confirm.