Managing personas

Personas overview

A persona is a set of roles and computer groups that a user selects for a Tanium session. Assigning multiple personas to a user account enables you to enforce different sets of restrictions on what that user can see and do with the Tanium Core Platform, based on the work scope for a given session, without having to configure multiple accounts for the user. As an example, users might manage endpoints across multiple countries, each with unique privacy laws restricting the actions that users can deploy to specific endpoints based on security clearance. You might configure one persona with a role that allows actions relating only to Tanium Client maintenance on all computer groups for a particular country. You could give the same user another persona that allows security patch installations but only for the subset of computer groups that the user directly manages.

If you plan to import users and user groups from a Lightweight Directory Access Protocol (LDAP) or Active Directory (AD) server, do so before configuring and assigning personas. For details, see Integrating with LDAP servers.

The persona types are as follows:

Default persona

User permissions derive from roles and computer groups that are assigned to the persona and, if the user belongs to user groups, from roles and computer groups that are assigned to the default persona of those user groups. The default persona automatically applies when users sign in to Tanium Console. The Tanium Server automatically assigns the default persona to new users and user groups and, after you upgrade to Tanium Server 7.4 or later, to existing pre-upgrade users and groups. Each user and group has only one default persona and it is unique; multiple users and groups cannot share a default persona. You cannot delete default personas or reassign them to different users or groups.

Alternative persona

User permissions derive only from roles and computer groups that are assigned to the persona. A user can inherit multiple alternative personas from user groups, but only the permissions of the single persona that the user selects for the current Tanium session apply. Note that when you assign alternative personas to a user group, the personas do not inherit permissions from that group. In the example that Figure  1 illustrates, persona A is assigned to user group SOC, in which user John is a member. If John switches to persona A, his permissions are limited to the roles and computer groups that are assigned to persona A. As long as John uses persona A, he has none of the permissions that are assigned to the default persona of his user account or that his account inherits from the default persona of user group SOC. John can inherit roles and computer groups from SOC only by switching back to his default persona.

You can assign an alternative persona to multiple users and user groups. Each user and group can have zero or more alternative personas.

Figure  1:  Tanium personas

For details on how personas interact with users, user groups, computer groups, and roles to determine the effective permissions of a user, see Tanium RBAC implementation and concepts.

For the role permissions that are required to manage personas, see Manage personas.

If Tanium Console displays RBAC errors (such as RBACInsufficientPrivilege) when you try to access certain features after switching to a persona, see Troubleshoot permission issues.

View persona details

  1. From the Main menu, go to Administration > Permissions > Personas.

    The page displays the persona attributes.

  2. (Optional) To display persona identifiers, click Customize Columns and select ID.
  3. (Optional) Use the filters to find specific personas:
    • Filter by text: To filter the grid by column values, enter a text string in the Filter items field.
    • Filter by attribute: Filter the grid by one or more attributes, such as persona Name. Expand the Filters section, click Add, select an attribute and operator, enter a text string that contains all or part of the attribute value, and click Apply. If you add multiple attribute filters, the Boolean AND operator applies. After you finish specifying attributes, click Apply All to filter the grid.
  4. View the effective permissions of a persona and the assigned roles, computer groups, users, and user groups by clicking the persona Name. For details about the permissions, see View effective role permissions for a persona.

Create a persona

  1. From the Main menu, go to Administration > Permissions > Personas and click New Persona.
  2. Enter a Persona Name to identify the persona.
  3. (Optional) Enter a Description of the purpose for this persona. The Personas page will show your entry in the Display Name column. Users will also see the description when they switch personas.
  4. Select the Color that the Main menu will display to help you quickly identify the persona.
  5. Configure the role, user group, user, and computer group assignments:
  6. Review the assignments and click Save.

Edit a persona

  1. From the Main menu, go to Administration > Permissions > Personas.
  2. Click the persona Name and click Edit Mode.
  3. Update the Name, Description, and Color settings.
  4. Edit the role, user group, user, and computer group assignments:
  5. Review your changes and click Save.

Manage role assignments for a persona

For an overview of how effective permissions are derived for a persona, and to view the roles and associated content sets that are assigned to a persona, see View effective role permissions for a persona.

To assign or unassign roles and associated content sets for a persona, see Configure role assignments for a persona.

View effective role permissions for a persona

The effective permissions of a persona are based on the cumulative effect of all the assigned roles, including:

  • Permissions specified in allow roles minus permissions specified in deny roles
  • Implicitly provided permissions in allow roles

Perform the following steps to see the effective permissions for a persona:

  1. From the Main menu, go to Administration > Permissions > Personas and click the persona Name.
  2. Review the assigned and inherited roles, permissions, and content sets. The page displays icons to indicate:

    Explicit permission icon: Allow roles or permissions

    Super explicit permission icon: Deny roles or permissions

    The role configuration pages indicate whether permissions are explicitly assigned or implicitly provided. See View effective role permissions.

    If you assign reserved roles (such as Administrator), they appear under Global Permissions with a single Special permission.

  3. (Optional) Expand an individual permission to review the content sets that are assigned to it. Only solution content permissions (such as Trends Administrator permission) and platform content permissions (such as Sensor read permission) are associated with content sets. The page displays icons to indicate the type of permission to which the content sets are assigned:

    Explicit permission icon: Allow permission

    Deny permission icon: Deny permission

Figure  2:  Effective permissions
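
An added illustration, not Tanium code or the Tanium API: a small Python model of the rules described above, where a default persona combines its own assignments with the default personas of the user's groups, an alternative persona contributes only its own assignments, and effective permissions are allow minus deny. The class names, permission strings, and group names are constructed, and applying a group's deny role to inherited allows is an assumption of the model.

```python
from dataclasses import dataclass, field

@dataclass
class Persona:
    name: str
    allow: set = field(default_factory=set)            # permissions from allow roles
    deny: set = field(default_factory=set)             # permissions from deny roles
    computer_groups: set = field(default_factory=set)

@dataclass
class Principal:                                       # a user or a user group
    name: str
    default: Persona
    alternatives: list = field(default_factory=list)   # alternative personas
    groups: list = field(default_factory=list)         # user groups (users only)

def assigned_alternatives(user):
    """Alternative personas assigned directly or through user groups."""
    return user.alternatives + [p for g in user.groups for p in g.alternatives]

def effective(user, persona_name):
    """Return (permissions, computer groups) for the persona selected for a session."""
    if persona_name == user.default.name:
        # Default persona: own assignments plus each group's default persona.
        sources = [user.default] + [g.default for g in user.groups]
    else:
        # Alternative persona: only its own assignments, nothing inherited.
        match = [p for p in assigned_alternatives(user) if p.name == persona_name]
        if not match:
            raise PermissionError(f"{persona_name!r} is not assigned to {user.name}")
        sources = match[:1]
    allow = set().union(*(p.allow for p in sources))
    deny = set().union(*(p.deny for p in sources))
    groups = set().union(*(p.computer_groups for p in sources))
    # Assumption of this model: a deny anywhere in the combined set wins.
    return allow - deny, groups

# Constructed sample data; permission and group names are placeholders.
persona_a = Persona("A", allow={"patch:deploy"}, computer_groups={"Managed Subset"})
soc_default = Persona("SOC default", allow={"action:write"},
                      deny={"package:write"}, computer_groups={"Servers"})
soc = Principal("SOC", soc_default, alternatives=[persona_a])
john_default = Persona("John default", allow={"sensor:read", "package:write"},
                       computer_groups={"Lab"})
john = Principal("John", john_default, groups=[soc])

if __name__ == "__main__":
    print(effective(john, "John default"))   # own + SOC default, minus deny
    print(effective(john, "A"))              # persona A only
```

Switching John to persona A drops everything his default persona and the SOC default persona grant, which is why a persona review has to look at each alternative persona on its own rather than at the user's group memberships.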

Configure role assignments for a persona

  1. From the Main menu, go to Administration > Permissions > Personas.
  2. Click the persona Name and click Edit Mode.
  3. In the Roles section, click Manage Roles.
  4. Select or deselect roles and click Apply.

    You cannot assign the Content Administrator or Content Set Administrator reserved role to a persona.

  5. (Optional) Review the Permissions and Content Sets that are associated with the selected roles. See View effective role permissions for a persona.

  6. Click Save.

Manage user group assignments for a persona

  1. From the Main menu, go to Administration > Permissions > Personas.
  2. Click the persona Name and click Edit Mode.
  3. Expand the User Groups section and click Manage User Groups.
  4. Select or deselect user groups and click Select.
  5. Review the user group assignments and click Save.

Manage user assignments for a persona

  1. From the Main menu, go to Administration > Permissions > Personas.
  2. Click the persona Name and click Edit Mode.
  3. Expand the Users section and click Manage Users.
  4. Select or deselect users and click Select.
  5. Review the user assignments and click Save.

Manage computer group assignments for a persona

  1. From the Main menu, go to Administration > Permissions > Personas.
  2. Click the persona Name and click Edit Mode.
  3. Expand the Computer Groups section.
  4. If you want the persona to have management rights for all endpoints, select Unrestricted Management Rights and click Save (you can skip the remaining steps).

    Tanium strongly recommends that you do not assign Unrestricted Management Rights, unless you want the users with the persona to be able to ask questions of all endpoints across all computer groups regardless of security considerations.

  5. Click Manage Computer Groups, select or deselect computer management groups, and click Select.

    Selections are logically combined. For example, the union of All Computers and No Computers is effectively All Computers.

  6. Review the list of computer groups that you assigned or that derive from user group assignments, and then click Save.

Transfer content that a persona owns

By default, the user account (default persona) or alternative persona that a user selects for a Tanium session is the owner of any content that the user creates during the session. Consider transferring content ownership if you plan to delete a persona or change the roles or computer groups that are assigned to that persona. In Tanium Core Platform 7.5.2554 or later, you cannot delete a persona that owns content. See Managing users.

Clone a persona

To add a persona that has many settings in common with an existing persona, cloning the existing persona and then modifying the clone is often a quicker method than configuring a new persona.

  1. From the Main menu, go to Administration > Permissions > Personas.
  2. Select a persona and click Clone.
  3. Specify a new Name, Description (optional), and Color.
  4. Edit the RBAC assignments and click Save:
  5. Review your changes and click Save.

Select a persona for your Console session

In the Main menu, a colored ring around the user icon indicates that an alternative persona is selected for the Tanium Console session. The ring matches the color that is assigned in the persona configuration. If you select the default persona, the icon has no colored ring. When you sign in, the Default Persona for your user account applies automatically. To switch to an alternative persona or revert to the Default Persona, perform the following steps.

Hovering over the user icon opens a menu that displays the name of the current persona.

  1. In the Main menu, hover over the user icon and click Persona: User <current persona>.

    The Select a Persona dialog then lists the personas that are assigned to your user account or to the user groups to which you belong. The dialog identifies personas by their name, description (if specified), and color.

  2. Click Apply beside the persona that you want to use.

    Console refreshes to display only the features and solutions for which the selected persona has access permissions.

Export persona details

You can export personas as a CSV file. When you open the file in an application that supports CSV format, it lists the personas with the same attributes (columns) as the Personas page displays and (optionally) lists the RBAC assignments of each persona.

  1. From the Main menu, go to Administration > Permissions > Personas.
  2. (Optional) To add or remove attributes (columns) for the CSV file, click Customize Columns in the grid and select the attributes.
  3. Select rows in the grid to export only specific personas. If you want to export all personas, skip this step.
  4. Click Export.
  5. (Optional) Edit the default export File Name. The Tanium Server automatically appends the file suffix (.csv).
  6. Select an Export Data option: All personas in the grid or just the Selected personas.
  7. Set the file Format to List of Personas - CSV. Optionally, select With RBAC Details to include the computer groups and roles that are assigned to the personas.

  8. Click Export.

    The Tanium Server exports the file to the downloads folder on the system that you used to access Tanium Console.

Copy persona configuration details

Copy information from the Personas page to your clipboard to paste the information into a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

  1. From the Main menu, go to Administration > Permissions > Personas.
  2. Perform one of the following steps:
    • Copy row information: Select one or more rows and click Copy.
    • Copy cell information: Hover over the cell, click Options, and click Copy.

Delete a persona

You can delete alternative personas but not the default persona that is assigned to each user. When you delete a persona, the Tanium Server removes the persona from any user or user group configurations that included it. In a Tanium Core Platform release before version 7.5.2.2554, if you delete a persona configuration instead of deleting the user to which the persona is assigned, you can delete or transfer content that the persona owned (see Delete or transfer content for a non-active user). In version 7.5.2554 or later, you cannot delete a persona that owns content.

Before deleting a persona, delete the user and user group assignments from the persona configuration. See Manage user assignments for a persona and Manage user group assignments for a persona.

  1. From the Main menu, go to Administration > Permissions > Personas and select the persona that you want to delete.
  2. Click Delete Selected and click Confirm.