RBAC getting started

Step 1: Review the content sets created by the server upgrade

Step 2: Review user role assignment and legacy roles

Step 3: Review visibility settings

Step 4: Re-import Tanium content packs

Step 5: Re-import solution modules

Step 6: Review module role requirements

Step 7: Review content alignment

What to do next

Step 1: Review the content sets created by the server upgrade

During upgrade from a pre-RBAC release, existing content is assigned to content sets.

Figure  1:  Content sets after upgrade from a pre-RBAC version

Go to Permissions > Content Sets and review the configuration.

Figure  2:  Content Sets configuration page

After upgrade is complete, only users with the new Administrator and Content Administrator reserved roles will have access to saved questions, dashboards, and categories. The upgrade places these in the Admin Only content set. If you want users with "lesser" roles to be able to use saved questions, you must move the saved questions to the Default content set or get started with your user-defined content sets and advanced roles.

Step 2: Review user role assignment and legacy roles

During upgrade from pre-RBAC versions, the system roles are mapped to "legacy role" configurations.

Legacy roles

The upgrade creates role configurations called "legacy roles" that are like the previous system roles. The roles that had been assigned to users are mapped to legacy role configurations. For example, a user that had been assigned the Action Approver role in 7.0 is assigned "Legacy - Action Approver" and will have the same effective permissions with RBAC.

The permissions for roles are exposed in the RBAC configuration, can be changed, and can be associated with different content sets. This is what enables the fine-grained access control. We recommend you review the configurations for "legacy roles" to learn the permissions that are required to perform typical author and administrator activities.

Figure  3:  Roles after upgrade to RBAC

Go to Permissions > Roles and review the configuration for each role. Note whether the Ask Dynamic Questions permission is enabled. Under Advanced Permissions, notice the permissions have been granted for the content sets named Default and Reserved.

Figure  4:  Roles configuration page

If you move content out of the Default content set, a user that is assigned the legacy role will not be able to access the content, unless you make changes to the configuration for the legacy role, or create a new role with the desired permissions and assign that role to the user.


Reserved roles

The Administrator and Content Administrator roles from pre-RBAC releases are mapped to RBAC reserved roles with the same name. Permissions for reserved roles are implicit. The permissions are not exposed in the configuration and cannot be changed.

The upgrade does not map a pre-RBAC role to the new RBAC Content Set Administrator reserved role.

Step 3: Review visibility settings

With RBAC, the visibility setting for saved questions, dashboards, and categories includes two options:

  • According to RBAC
  • Only the Owners and Admins can see this object

An "owner and admin only" option set in pre-RBAC releases persists upon upgrade to RBAC. All other saved questions, dashboards, and category objects are configured with the RBAC option upon upgrade.

Figure  5:  Visibility setting

You can make changes after the upgrade. For example, to expand access, move content from the Admin Only content set to your user-designed content sets that specified roles can access. To maintain tight access, change the visibility setting to Only the Owners and Admins can see this object.

Step 4: Re-import Tanium content packs

Beginning with 7.1, the content pack known as Initial Content is split into multiple content sets: Initial Content - AD, Initial Content - Base, Initial Content - Hardware, and so on.

Re-import Initial Content and all other content packs. The content changes may include:

  • Content configuration. The configurations for saved questions, sensors, packages, and so on, have been updated to include content set settings. You are welcome to change content set settings, but when you get started, you might want to go with the content set configurations specified by the content pack designers.
  • Content set configuration. The content packs have been updated to include the XML configuration for content sets themselves.
  • Role configuration. In some cases, a content pack might include the XML configuration for roles.

For example, the Initial Content - Base content pack includes a content set named Base. The content set setting for all of the content in this content pack is set to Base.

When you initially upgrade from earlier releases, we recommend you select the option Include content set overwrite when you reimport content packs. If this option is not selected, the content set setting defined in the XML is ignored, and the content remains in its present content set or, if there is no present content set, its content set setting is Default.

The Initial Content - Base content pack also redefines the "legacy roles" so that they include access to the content set named Base. Most other imports do not update role configurations.

Figure  6:  Content set and content set roles defined by import

After you have reimported the content packs, go to Permissions > Content Sets and review the configuration. Notice the content set Base has been added. Also, some sensors have been moved from Default to Base, and some saved questions have been moved from Admin Only to Base.

Figure  7:  Content Sets configuration page

Go to Permissions > Roles and review the configuration for roles. Notice the permissions have been granted for the content set named Base in addition to the ones named Default and Reserved.

Figure  8:  Roles configuration page

The initial steps for getting started with solution modules in 7.1 are similar.

Step 5: Re-import solution modules

Upon upgrade from a version earlier than 7.1.314.3071 to 7.1.314.3071 or later, the background of the Tanium Module card on the solutions page turns pink to notify you that the solution module must be reimported to enable the module's content sets, module roles, and granular module privileges.

Figure  9:  Indicators on the Solutions page

In addition, if reimport is required, users cannot navigate to the solution module workbench.

Figure  10:  Reimport required

When you reimport the solution, be sure to select the Include content set overwrite option.

Figure  11:  Import Solution

Go to the Roles page and review the module-provided roles that have been added to the console.

Figure  12:  Discover roles

Go to the New Module Role page and review the granular permissions now available.

Figure  13:  Discover granular permissions

Step 6: Review module role requirements

Upon upgrade, module access is only seamless for users with the Administrator reserved role, which grants unrestricted access to modules. All other users must be assigned new module roles that grant access.


In pre-RBAC releases, all users had access to Interact. In 7.1 and later, users must be explicitly granted access to Interact. A module role named Show Interact is created upon upgrade to facilitate the transition. It is automatically assigned to users that existed at the time of the upgrade. To assign it to new users, go to the user configuration and edit the grant roles assigned. (Note: this Show Interact role is not created for clean installs of 7.1 or later. It is provided in upgrades to make the transition easier.)

Figure  14:  Show Interact role

Ask a Question bar

In pre-RBAC releases, all users had access to the Ask a Question bar. In 7.1 and later, users must be assigned the Ask Dynamic Questions global permission. The permission must exist in any of the advanced roles assigned to the user. To facilitate the transition to RBAC, all of the legacy roles, except Legacy - Read Only User, include the Ask Dynamic Questions permission. Do not overlook this permission when you construct your own set of roles.

Figure  15:  Ask Dynamic Questions permission

The sensors available for questions are determined by Read Sensor content set permissions.

Solution modules

With RBAC, users must be assigned a grant module role in order to see the solution module workbench and use the module features. When you upgrade to 7.1.314.3071 or later and reimport the solution modules, the import creates module-provided roles and granular permissions. In most cases, the module-provided roles have been designed to match requirements for typical module users, and you do not have to create your own module roles. Refer to the solution module user guide for information about module-provided roles.

Module Link
Asset User Guide
Comply User Guide
Connect User Guide
Deploy User Guide
Detect User Guide
Discover User Guide
Incident Response User Guide
Integrity Monitor User Guide
Interact User Guide
Map User Guide
Network Quarantine User Guide
Patch User Guide
Protect User Guide
Reveal User Guide
Threat Response User Guide
Trace User Guide
Trends User Guide

Step 7: Review content alignment

In some cases, Tanium solution modules require module-created sensors, packages, and saved questions to remain in special module-created content sets. If content is moved, the solution module workflow might not work as expected.

Modules report misaligned content to the Tanium Console Content Alignment page.

Go to Content > Content Alignment and click Align All Content to resolve the issue.

Figure  16:  Content Alignment page

What to do next

Manage content sets, roles, computer group, user group, and user configurations to implement your RBAC strategy.

Last updated: 4/18/2019 8:09 AM | Feedback