During upgrade from a pre-RBAC release, existing content is assigned to content sets.
Go to Permissions > Content Sets and review the configuration.
After upgrade is complete, only users with the new Administrator and Content Administrator reserved roles will have access to saved questions, dashboards, and categories. The upgrade places these in the Admin Only content set. If you want users with "lesser" roles to be able to use saved questions, you must move the saved questions to the Default content set or get started with your user-defined content sets and advanced roles.
During upgrade from pre-RBAC versions, the system roles are mapped to "legacy role" configurations.
The upgrade creates role configurations called "legacy roles" that mirror the previous system roles. The roles that had been assigned to users are mapped to the corresponding legacy role configurations. For example, a user who had been assigned the Action Approver role in 7.0 is assigned "Legacy - Action Approver" and has the same effective permissions under RBAC.
The permissions for roles are exposed in the RBAC configuration, can be changed, and can be associated with different content sets. This is what enables the fine-grained access control. We recommend you review the configurations for "legacy roles" to learn the permissions that are required to perform typical author and administrator activities.
Go to Permissions > Roles and review the configuration for each role. Note whether the Ask Dynamic Questions permission is enabled. Under Advanced Permissions, notice that permissions have been granted for the content sets named Default and Reserved.
If you move content out of the Default content set, a user who is assigned the legacy role can no longer access that content, unless you change the configuration for the legacy role, or create a new role with the desired permissions and assign that role to the user.
The Administrator and Content Administrator roles from pre-RBAC releases are mapped to RBAC reserved roles with the same name. Permissions for reserved roles are implicit. The permissions are not exposed in the configuration and cannot be changed.
The upgrade does not map a pre-RBAC role to the new RBAC Content Set Administrator reserved role.
With RBAC, the visibility setting for saved questions, dashboards, and categories includes two options:
- According to RBAC
- Only the Owners and Admins can see this object
An "owner and admin only" option set in pre-RBAC releases persists upon upgrade to RBAC. All other saved questions, dashboards, and category objects are configured with the RBAC option upon upgrade.
You can make changes after the upgrade. For example, to expand access, move content from the Admin Only content set to your user-designed content sets that specified roles can access. To maintain tight access, change the visibility setting to Only the Owners and Admins can see this object.
Beginning with 7.1, the content pack known as Initial Content is split into multiple content sets: Initial Content - AD, Initial Content - Base, Initial Content - Hardware, and so on.
Re-import Initial Content and all other content packs. The content changes may include:
- Content configuration. The configurations for saved questions, sensors, packages, and so on, have been updated to include content set settings. You are welcome to change content set settings, but when you get started, you might want to go with the content set configurations specified by the content pack designers.
- Content set configuration. The content packs have been updated to include the XML configuration for content sets themselves.
- Role configuration. In some cases, a content pack might include the XML configuration for roles.
For example, the Initial Content - Base content pack includes a content set named Base. The content set setting for all of the content in this content pack is set to Base.
When you initially upgrade from earlier releases, we recommend you select the option Include content set overwrite when you reimport content packs. If this option is not selected, the content set setting defined in the XML is ignored, and the content remains in its present content set or, if there is no present content set, its content set setting is Default.
The Initial Content - Base content pack also redefines the "legacy roles" so that they include access to the content set named Base. Most other imports do not update role configurations.
After you have reimported the content packs, go to Permissions > Content Sets and review the configuration. Notice that the content set Base has been added. Also, some sensors have been moved from Default to Base, and some saved questions have been moved from Admin Only to Base.
Go to Permissions > Roles and review the configuration for each role. Notice that permissions have been granted for the content set named Base in addition to the ones named Default and Reserved.
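To make the two rules above concrete (a legacy role loses access when content leaves the content sets it has permissions on, and the XML content set setting is applied only when Include content set overwrite is selected), here is a small model of the page's RBAC behaviour. It is an added example, not Tanium code or its API; the role and content set names come from the page, while the item names, users, and the permission layout are assumptions.

```python
# Toy model of the RBAC rules this page describes (constructed example, not Tanium
# code). Role/content set names are from the page; items, users, 'perms' are assumed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

RESERVED_ROLES = {"Administrator", "Content Administrator"}  # implicit permissions
@dataclass
class Item:
    name: str
    content_set: Optional[str]   # None: no content set assigned yet
    owner: str
    visibility: str = "rbac"     # "rbac" or "owners_admins"

@dataclass
class Role:
    name: str
    perms: Dict[str, Set[str]] = field(default_factory=dict)  # content set -> permissions

def can_read(user: str, roles: List[Role], item: Item, perm: str) -> bool:
    """Reserved roles win; then the visibility setting; then the role's
    Advanced Permissions on the item's content set (unset means Default)."""
    if any(r.name in RESERVED_ROLES for r in roles):
        return True
    if item.visibility == "owners_admins":
        return item.owner == user
    cs = item.content_set or "Default"
    return any(perm in r.perms.get(cs, set()) for r in roles)

def reimport(items: List[Item], xml_sets: Dict[str, str], overwrite: bool) -> List[Item]:
    """Content pack import: the XML content set setting applies only with
    'Include content set overwrite'; otherwise items keep their set, or get Default."""
    for it in items:
        if overwrite and it.name in xml_sets:
            it.content_set = xml_sets[it.name]
        elif it.content_set is None:
            it.content_set = "Default"
    return items

def legacy_user_access(overwrite: bool) -> Dict[str, bool]:
    """Post-upgrade state: one saved question landed in Admin Only; the legacy
    role reads Default and Reserved, and Base only after the Base pack reimport."""
    sq = Item("Example Saved Question", "Admin Only", owner="alice")
    mine = Item("Private Saved Question", None, owner="bob", visibility="owners_admins")
    legacy = Role("Legacy - Action Approver", {"Default": {"Read Saved Question"},
                                               "Reserved": {"Read Saved Question"}})
    items = reimport([sq, mine], {"Example Saved Question": "Base"}, overwrite)
    if overwrite:  # Initial Content - Base also redefines the legacy roles to include Base
        legacy.perms["Base"] = {"Read Saved Question"}
    return {it.name: can_read("bob", [legacy], it, "Read Saved Question") for it in items}
```

Running `legacy_user_access(False)` shows the saved question still stuck in Admin Only and invisible to the legacy user, while `legacy_user_access(True)` moves it to Base and restores access; the owner-only item is visible to its owner either way.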
The initial steps for getting started with solution modules in 7.1 are similar.
Upon upgrade from a version earlier than 7.1.314.3071 to 7.1.314.3071 or later, the background of the Tanium Module card on the solutions page turns pink to notify you that the solution module must be reimported to enable the module's content sets, module roles, and granular module privileges.
In addition, if reimport is required, users cannot navigate to the solution module workbench.
When you reimport the solution, be sure to select the Include content set overwrite option.
Go to the Roles page and review the module-provided roles that have been added to the console.
Go to the New Module Role page and review the granular permissions now available.
Upon upgrade, module access is only seamless for users with the Administrator reserved role, which grants unrestricted access to modules. All other users must be assigned new module roles that grant access.
In pre-RBAC releases, all users had access to Interact. In 7.1 and later, users must be explicitly granted access to Interact. A module role named Show Interact is created upon upgrade to facilitate the transition. It is automatically assigned to users that existed at the time of the upgrade. To assign it to new users, go to the user configuration and edit the grant roles assigned. (Note: this Show Interact role is not created for clean installs of 7.1 or later. It is provided in upgrades to make the transition easier.)
In pre-RBAC releases, all users had access to the Ask a Question bar. In 7.1 and later, users must be assigned the Ask Dynamic Questions global permission. The permission must exist in any of the advanced roles assigned to the user. To facilitate the transition to RBAC, all of the legacy roles, except Legacy - Read Only User, include the Ask Dynamic Questions permission. Do not overlook this permission when you construct your own set of roles.
The sensors available for questions are determined by Read Sensor content set permissions.
With RBAC, users must be assigned a grant module role in order to see the solution module workbench and use the module features. When you upgrade to 7.1.314.3071 or later and reimport the solution modules, the import creates module-provided roles and granular permissions. In most cases, the module-provided roles have been designed to match requirements for typical module users, and you do not have to create your own module roles. Refer to the solution module user guide for information about module-provided roles.
| Solution module | Documentation |
|---|---|
| Incident Response | User Guide |
| Integrity Monitor | User Guide |
| Network Quarantine | User Guide |
| Threat Response | User Guide |
In some cases, Tanium solution modules require module-created sensors, packages, and saved questions to remain in special module-created content sets. If content is moved, the solution module workflow might not work as expected.
Modules report misaligned content to the Tanium Console Content Alignment page.
Manage content set, role, computer group, user group, and user configurations to implement your RBAC strategy.
Last updated: 4/18/2019 8:09 AM