Managing personas

Personas overview

A persona is a set of roles and computer groups that a user selects for a Tanium session. Assigning multiple personas to a user account enables you to enforce different sets of restrictions on what that user can see and do with the Tanium Core Platform, based on the work scope for a given session, without having to configure multiple accounts for the user. As an example, users might manage endpoints across multiple countries, each with unique privacy laws restricting the actions that users can deploy to specific endpoints based on security clearance. You might configure one persona with a role that allows actions relating only to Tanium Client maintenance on all computer groups for a particular country. You could give the same user another persona that allows security patch installations but only for the subset of computer groups that the user directly manages.

If you plan to import users and user groups from a Lightweight Directory Access Protocol (LDAP) or Active Directory (AD) server, do so before configuring and assigning personas. For details, see Integrating with LDAP servers.

The persona types are as follows:

Default persona

User permissions derive from roles and computer groups that are assigned to the persona and, if the user belongs to user groups, from roles and computer groups that are assigned to the default persona of those user groups. The default persona automatically applies when users sign in to the Tanium Console. The Tanium Server automatically assigns the default persona to new users and user groups and, after you upgrade to Tanium Server 7.4 or later, to existing pre-upgrade users and groups. Each user and group has only one default persona and it is unique; multiple users and groups cannot share a default persona. You cannot delete default personas or reassign them to different users or groups.

Alternative persona

User permissions derive only from roles and computer groups that are assigned to the persona. A user can inherit multiple alternative personas from user groups, but only the permissions of the single persona that the user selects for the current Tanium session apply. Note that when you assign alternative personas to a user group, the personas do not inherit permissions from that group. In the example that Figure 1 illustrates, persona A is assigned to user group SOC, in which user John is a member. If John switches to persona A, his permissions are limited to the roles and computer groups that are assigned to persona A. As long as John uses persona A, he has none of the permissions that are assigned to the default persona of his user account or that his account inherits from the default persona of user group SOC. John can inherit roles and computer groups from SOC only by switching back to his default persona.

You can assign an alternative persona to multiple users and user groups. Each user and group can have zero or more alternative personas.

Figure 1: Tanium personas

For details on how personas interact with users, user groups, computer groups, and roles to determine the effective permissions of a user, see Tanium RBAC implementation and concepts.
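The resolution rules for default and alternative personas, modeled as an added Python example for access reviews (this is not Tanium code or a Tanium API). John, SOC, and persona A come from the example in the text; the role names, computer group names, and the default persona names are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Persona:
    name: str
    roles: set = field(default_factory=set)
    computer_groups: set = field(default_factory=set)

@dataclass
class UserGroup:
    name: str
    default: Persona
    alternatives: list = field(default_factory=list)

@dataclass
class User:
    name: str
    default: Persona
    groups: list = field(default_factory=list)
    alternatives: list = field(default_factory=list)

def selectable(user):
    """Alternative personas a user can switch to: direct plus inherited."""
    return user.alternatives + [p for g in user.groups for p in g.alternatives]

def effective(user, persona_name):
    """Return (roles, computer_groups) in force for the selected persona."""
    if persona_name == user.default.name:
        # Default persona: own assignments plus each group's default persona.
        sources = [user.default] + [g.default for g in user.groups]
    else:
        # Alternative persona: only its own assignments, nothing inherited.
        sources = [p for p in selectable(user) if p.name == persona_name][:1]
        if not sources:
            raise PermissionError(f"{persona_name!r} not assigned to {user.name}")
    roles = set().union(*(p.roles for p in sources))
    groups = set().union(*(p.computer_groups for p in sources))
    return roles, groups

# Constructed sample data mirroring the John / SOC / persona A example.
persona_a = Persona("A", {"Patch Operator"}, {"EU Servers"})
soc = UserGroup("SOC", Persona("SOC default", {"Incident Responder"},
                               {"All Workstations"}), [persona_a])
john = User("John", Persona("John default", {"Client Maintenance"},
                            {"US Laptops"}), [soc])

if __name__ == "__main__":
    for name in ("John default", "A"):
        print(name, effective(john, name))
```

Under his default persona, John holds the union of his own assignments and those of SOC's default persona; under persona A he holds only what persona A grants.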

Because you can reassign alternative personas among users and user groups, the best practice is to assign roles and computer groups to alternative personas instead of default personas. This practice simplifies updating your RBAC implementation when necessary, such as when users leave or join your organization, or when they move between user groups.

To perform tasks related to personas, you require the Administrator reserved role or a custom role that has the Read Persona and Write Persona permissions.

View persona attributes, permissions, and assignments

  1. From the Main menu, go to Administration > Permissions > Personas.

    The page displays the persona attributes.

  2. (Optional) To display persona identifiers, click Customize Columns and select ID.
  3. (Optional) Use the filters to find specific personas:
    • Filter by text: To filter the grid by column values, enter a text string in the Filter items field.
    • Filter by attribute: Filter the grid by one or more attributes, such as persona Name. Expand the Filters section, click Add, select an attribute and operator, enter a text string that contains all or part of the attribute value, and click Apply. If you add multiple attribute filters, the Boolean AND operator applies. After you finish specifying attributes, click Apply All to filter the grid.
  4. To see the effective permissions of a persona and the assigned roles, computer groups, users, and user groups, click the persona Name, or select the persona and click View Persona.

Create a persona

  1. From the Main menu, go to Administration > Permissions > Personas and click New Persona.
  2. Enter a Persona Name to identify the persona.
  3. (Optional) Enter a Description of the purpose for this persona. The Personas page will show your entry in the Display Name column. Users will also see the description when they switch personas.
  4. Select the Color that the Main menu will display to help you quickly identify the persona. If you do not want to use a color, click Reset Color.
  5. Configure the user, user group, computer group, and role assignments as described in the following tasks, and then click Save. Alternatively, click Save and configure the user, user group, computer group, and role assignments as described in the following tasks. You can then click All Personas at the top left of the page to see the new persona listed in the Personas page.

Manage role assignments for a persona

  1. From the Main menu, go to Administration > Permissions > Personas and click the persona Name.
  2. In the Roles section, click Manage Roles.
  3. Select or deselect roles and click Apply.
  4. Review the Permissions and Content Sets that are associated with the selected roles, and then click Save.

  Alternatively, using View Persona:

  1. From the Main menu, go to Administration > Permissions > Personas, select the persona, and click View Persona.
  2. Click Manage in the Roles and Effective Permissions section.
  3. Next to Grant Roles, click Edit, select or deselect roles, and click Save.
  4. Next to Deny Roles, click Edit, select or deselect roles, and click Save.
  5. Click Show Preview to Continue, review the effective permissions, and click Save.

Manage user group assignments for a persona

  1. From the Main menu, go to Administration > Permissions > Personas and click the persona Name.
  2. Expand the User Groups section and click Manage User Groups.
  3. Select or deselect user groups and click Select.
  4. Review the user group assignments and click Save.

  Alternatively, using View Persona:

  1. From the Main menu, go to Administration > Permissions > Personas, select the persona, and click View Persona.
  2. Click Manage User Groups and click Edit.
  3. Select or deselect user groups and click Save.
  4. Review the user group assignments and click Save.

Manage user assignments for a persona

  1. From the Main menu, go to Administration > Permissions > Personas and click the persona Name.
  2. Expand the Users section and click Manage Users.
  3. Select or deselect users and click Select.
  4. Review the user assignments and click Save.

  Alternatively, using View Persona:

  1. From the Main menu, go to Administration > Permissions > Personas, select the persona, and click View Persona.
  2. Click Manage Users and click Edit.
  3. Select or deselect users and click Save.
  4. Click Show Preview to Continue, review the list of affected users, and click Save.

Manage computer group assignments for a persona

  1. From the Main menu, go to Administration > Permissions > Personas and click the persona Name.
  2. Expand the Computer Groups section.
  3. If you want the persona to have management rights for all endpoints, select Unrestricted Management Rights and click Save (you can skip the remaining steps).

    Tanium strongly recommends that you do not assign Unrestricted Management Rights, unless you want the users with the persona to be able to ask questions of all endpoints across all computer groups regardless of security considerations.

  4. Click Manage Computer Groups, select or deselect computer management groups, and click Select.

    Selections are logically combined. For example, the union of All Computers and No Computers is effectively All Computers.

  5. Review the list of computer groups that you assigned or that derive from user group assignments, and then click Save.

  Alternatively, using View Persona:

  1. From the Main menu, go to Administration > Management > Users.
  2. Select the persona and click View Persona.
  3. Click Manage in the Computer Groups section and then click Edit.
  4. Select or deselect computer groups and click Save.
  5. Click Show Preview to Continue, review the list of affected endpoints, and click Save.

Edit a persona

To edit the role, user group, user, or computer group assignments of a persona, see the preceding sections. To edit the persona name, description, and color settings, perform the following steps:

  1. From the Main menu, go to Administration > Permissions > Personas and click the persona Name.
  2. Update the Name, Description, and Color settings and click Save.

  Alternatively, using View Persona:

  1. From the Main menu, go to Administration > Permissions > Personas.
  2. Select the persona and click View Persona.
  3. Click Edit at the top right, update the settings, and click Save.

Clone a persona

To add a persona that has many settings in common with an existing persona, cloning the existing persona and then modifying the clone is often a quicker method than configuring a new persona.

  1. From the Main menu, go to Administration > Permissions > Personas.
  2. Select a persona and click Clone.
  3. Specify a new Name, Description (optional), and Color.
  4. Edit the RBAC assignment and click Save:

Select a persona for your Tanium Console session

In the Main menu, the field beside your user name indicates your current persona. The colored disk beside the persona name is another useful indicator:

Persona color

When you sign in, the Default Persona for your user account applies automatically. To switch to an alternative persona or revert to the Default Persona, perform the following steps:

  1. In the Main menu, select <current persona> > Change Persona.

    The Select a Persona dialog opens and lists the personas that are assigned to your user account or to the user groups to which you belong. The dialog identifies personas by their name, description (if specified), and color.

  2. Click Apply beside the persona that you want to use.

    The Tanium Console refreshes to display only the features and modules for which the selected persona has access permissions.

Export and import personas

The following procedures describe how to export and import the configurations of specific personas or all personas.

Develop and test content in your lab environment before importing that content into your production environment.

Export personas

Export personas as a CSV file to view their settings in an application that supports that format. If you have the Administrator reserved role, you can also export personas as a JSON file to import them into another Tanium Server.

  1. From the Main menu, go to Administration > Permissions > Personas.
  2. Select rows in the grid to export only specific personas. If you want to export all personas, skip this step.
  3. Click Export.
  4. (Optional) Edit the default export File Name.

    The file suffix (.csv or .json) changes automatically based on the Format selection.

  5. Select an Export Data option: All personas in the grid or just the Selected personas.
  6. Select the file Format: JSON (Administrator reserved role only) or CSV.
  7. Click Export.

    TaaS or the Tanium Server exports the file to the downloads folder on the system that you used to access the Tanium Console.

Import personas

You can import content files that are in JSON or XML format.

  1. Digitally sign the content file and ensure a public key is in place to validate the signature. See Authenticating content files.
  2. From the Main menu, go to Administration > Configuration > Solutions.
  3. Scroll to the Content section and click Import Content.
  4. Click Choose File, select the content file, and click Open.
  5. Click Import.

    If object names in the file are the same as for existing objects, the Tanium Console itemizes the conflicts and provides resolution options for each one.

  6. Select resolutions for any conflicts. For guidance, see Conflicts and Best practices.
  7. Click Import again, and click Close when the import finishes.

Copy persona configuration details

Copy information from the Personas page to your clipboard to paste the information into a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

  1. From the Main menu, go to Administration > Permissions > Personas.
  2. Perform one of the following steps:
    • Copy row information: Select one or more rows and click Copy.
    • Copy cell information: Hover over the cell, click Options, and click Copy.

Delete a persona

You can delete alternative personas but not the default persona that is assigned to each user. When you delete a persona, the Tanium Server removes the persona from any user or user group configurations that included it.

Before deleting a persona, delete the user and user group assignments from the persona configuration: see Manage user assignments for a persona and Manage user group assignments for a persona.

  1. From the Main menu, go to Administration > Permissions > Personas and select the persona that you want to delete.
  2. Click Delete Selected and click Confirm, or click Delete and confirm the operation when prompted.