RBAC overview

Tanium RBAC implementation and concepts

Role-based access control (RBAC) enables you to configure granular permissions that control what individual Tanium Console and API users can see and do with the Tanium Core Platform, and which endpoints they can monitor and manage. The permissions derive from personas, roles, and computer groups that are assigned to user accounts and that users inherit from user groups. The Tanium implementation of RBAC involves the following key concepts and configuration objects.

Permissions

Permissions define the activities that a user is allowed to perform in the Tanium Core Platform:

  • Read permissions allow users to view objects. For example, the Read Package permission allows users to view the Administration > Content > Packages page.
  • Write permissions allow users to create, edit, or delete objects. For example the Write Package permission allows users to create, edit, or delete package configurations.
  • Execute permissions allow users to run processes (such as initializing endpoints for Tanium™ Patch), use service accounts (such as the Tanium™ Connect service account), or perform API operations (such as through the Tanium™ Detect API).
  • Delete permissions allow users to delete objects that are beyond the scope of write permissions. For example, a delete permission is required to remove live endpoint connection files in Tanium Threat Response.
  • Special permissions allow users to perform activities that are beyond the scope of other permissions. For example, most modules have a Show permission that allows users to view the module workbench.

When you view or configure roles, the Tanium Core Platform groups permissions based on the following categories:

  • Platform content permissions control access to content types that apply across all Tanium modules and that are assigned to content sets. For example, you can assign permissions for sensors, packages, and saved questions in the Default content set.
  • Module permissions control access to module workbenches, features, and module-specific content (such as Tanium™ Trends data).
  • Administration permissions control access to the Administration > Permissions pages and Administration > Configuration pages of the Tanium Console.
  • Global permissions control access to activities that are available only to reserved roles (such as managing content sets).

For more information, see Provided role permissions and Effective role permissions.

Roles

A role specifies grant permissions for allowed activities or deny permissions for prohibited activities. You can assign the following types of roles to users and user groups:

  • Custom roles are roles that you create to assign a combination of administration, platform content, module, and global permissions.
  • Advanced roles are pre-defined legacy roles that assign platform content permissions that apply across all Tanium modules instead of specific modules.
  • Module roles are pre-defined roles that assign permissions for module-specific activities and content.
  • Reserved roles are pre-defined roles that assign global permissions for special-purpose capabilities that are beyond the scope of other roles, such as customizing the Tanium Console.

For related tasks and details, see Managing roles.

Content sets

A content set is a group of configuration objects (such as sensors, packages, and saved questions) for which permissions control access. Platform content permissions control access to content that applies across all modules. Module permissions control access to module-specific content, such as Tanium Trends data. Actions are not explicitly considered content but are treated as belonging to the same content set as the packages that they use. Tanium provides several predefined content sets through the Default Content pack and Tanium modules. You can create a content set to contain custom content or to accommodate changes in the RBAC configuration of your Tanium deployment. You can assign each content object to only one content set. A role can specify permissions for multiple content sets. For details and related tasks, see Managing content sets.

Users

A Tanium user configuration associates personas, user groups, computer groups, and roles with a user account. A user can have one or more grant and deny roles. Users have no permissions other than what their roles provide. A user with no roles can sign in, but is directed to a page indicating insufficient permissions. A user can have one or more computer groups and zero or more user groups. Every user has a default persona and can have zero or more alternative personas. To authenticate users when they access the Tanium Console or API, you can configure a remote authentication service or use the authentication service that is local to the Tanium Server. For details and related tasks, see Managing users.

User groups

A Tanium user group configuration associates personas, computer groups, and roles with a set of users who inherit all the permissions of the user group. A user group can have zero or more users and one or more roles and computer groups. Every user group has a default persona and can have zero or more alternative personas. For details and related tasks, see Managing user groups.

Computer groups

Tanium users can issue questions and deploy actions only to endpoints that belong to a computer management group that is assigned to users or their user groups. Tanium users use computer filter groups as filters in questions and question results. Users can use only the filter groups that are assigned to a content set that is associated with a role, and the role must be assigned to the users or their user groups. For details and related tasks, see Managing computer groups.

Personas

All user accounts have a predefined default persona, which is the persona that applies when users sign in to the Tanium Console. When using the default persona, a user has permissions derived from all the roles and computer groups that are assigned to that persona. The default persona of a user also provides permissions inherited from the default personas of user groups to which the user is assigned. After switching to an alternative persona, the user has only the permissions derived from the roles and computer groups assigned to that persona. For details and related tasks, see Managing personas.

The following figure illustrates the relationships among these RBAC components. The arrows indicate how you assign the components to configure user permissions. The yellow highlighting indicates the best practice for configuring permissions: assign roles and computer groups to alternative personas, and assign the alternative personas to user groups. Note that the roles and computer groups that you assign directly to user groups and user accounts are effectively assigned to the default persona of those user groups and users.

Figure  1:  Relationships and assignments among RBAC components

RBAC configuration overview

The following steps summarize the workflow for configuring RBAC. The steps also explain how the components interact to define the effective permissions of users when they access the Tanium Console under different personas. The figures in these steps depict two user groups to illustrate the different implications of assigning roles and computer groups to alternative personas and default personas.

Before starting this workflow, review the important details and best practices described under Plan your RBAC implementation.

If you plan to import users and user groups from an LDAP or AD server, configure the imports before configuring RBAC (see Integrating with LDAP servers).

  1. Configure custom roles. Note that roles with platform content permissions and module permissions apply permissions to content sets. Tanium content packs and solution modules provide predefined content and content sets. You can also create custom content and content sets.

    The following figure shows an example with three custom roles (A, C, D) and one predefined module role (B).

    Figure  2:  User role configurations

    The next figure illustrates the relationships among content, content sets, and permissions in each example role configuration (roles A through D in Figure  2).

    Figure  3:  Role permissions and content sets

    For details and procedures related to roles, see Managing roles.

  2. Define computer management groups.

    Figure  4:  Computer management group configurations

    For details and procedures related to computer groups, see Managing computer groups.

  3. Define alternative personas. For each persona, assign roles and computer management groups.

    Figure  5:  Alternative persona configurations

    For details and procedures related to personas, see Managing personas.

  4. Configure the user groups that you imported from LDAP servers or manually add groups that are local to the Tanium Server. You can assign alternative personas to each user group, and assign roles and computer management groups to the default persona of each user group.

    Figure  6:  User group configurations

    For details and procedures related to user groups, see Managing user groups.

  5. Configure the user accounts that you imported from LDAP servers or manually add accounts that are local to the Tanium Server. Assign alternative personas and user groups to each user. You can also assign roles and computer groups to the default persona of each user.

    Figure  7:  User configurations

    For details and procedures related to users, see Managing users.

  6. Sign in to the Tanium Console. For every user, the default persona is active by default and has permissions for all the roles and computer management groups that are directly assigned to the user account or that are inherited from user groups.

    In this example, the RBAC_Administrator role and HQ computer group are assigned to the default persona of the user. The user also inherits permissions from the Monitor role and Europe_Branch computer group that are assigned to the user group Europe.

    Figure  8:  Signing in as default persona
  7. When the user switches to an alternative persona for the Tanium Console session, that user has permissions only for the roles and computer management groups that are assigned to that persona.

    In the following figure, the user selects the NAM_Monitor persona that is inherited from the NAM user group.

    Figure  9:  Selecting an alternative persona (example 1)

    In the next figure, the user selects the APAC_Trends persona that is assigned to the user account (default persona).

    Figure  10:  Selecting an alternative persona (example 2)

The following figure shows the complete workflow to configure the effective permissions of all three personas in this example.

Figure  11:  RBAC configuration workflow

Plan your RBAC implementation

The following are important items and best practices to discuss with your team and Tanium Support (see Contact Tanium Support) when planning the RBAC implementation for your Tanium deployment.

If you plan to import users and user groups from a Lightweight Directory Access Protocol (LDAP) or Active Directory (AD) server, do so before setting up RBAC. For details, see Integrating with LDAP servers.

Naming convention

Before configuring custom roles, content sets, computer groups, and other RBAC objects, devise a naming convention that enables Tanium users to easily determine the purpose for each object and to distinguish it from similar Tanium-provided objects that are imported through Tanium modules and content packs. Distinguishing custom objects is important because it is a best practice to avoid modifying Tanium-provided objects (see Tip 4: Limit customizations to Tanium content). For example, you can use the name of your organization as a prefix in the names of custom objects.

Computer management groups

Identify the sets of endpoints that you want to manage as a group with respect to operations that Tanium users and modules perform. For example, you might configure computer groups based on the geographical organization of your organization, with a group for each region. You can also base computer groups on function (such as data centers and branch offices) or any other criteria.

Computer groups can have overlapping membership. For example, a computer group for all Windows endpoints might include endpoints that are also members of region- or function-based computer groups. Be sure to consider the impact of overlapping membership when configuring and assigning computer groups. For example, you might want users in a security operations center to have management rights to Windows endpoints so that the users can deploy security updates. However, you might not want those users to have management rights for the subset of Windows endpoints that store sensitive financial information.

Base computer group membership on sensor-based filters instead of manually defined lists to enable granular control over which endpoints to include or exclude in the groups.

Content sets

Determine how to organize content set permissions for controlling access to specific data and deploying actions on endpoints. As a best practice, ensure that the content in any particular content set is similar to minimize the risk of assigning unintended permissions to user roles. You can organize content sets based on the following:

  • Capability: read or write permissions
  • Content type: for example, saved questions, sensors, or packages
  • Subject matter: for example, Tanium Client administration or Windows system administration

For content that is provided through Tanium modules and content packs, keep the content objects in their original Tanium-provided content sets. To sustain this practice when moving content between content sets, create copies of Tanium-provided content and move the copies instead of the original versions. Contact Tanium Support before proceeding if you need to move original Tanium-provided content.

Roles

The following are best practices for managing roles:

  • Configure custom roles that specify module permissions before configuring roles that specify platform content or administration permissions. Module permissions grant access to a specific module and often provide additional platform content and administration permissions.
  • When configuring roles, take advantage of their modularity and cumulative effect on user permissions. For example, instead of creating a role with all the permissions that a particular user needs, and creating another role with only slightly different permissions for another user, create several roles with smaller but unique permissions sets. You can then mix and match these minimalistic roles among various users to achieve the same effective permissions as individual roles that have comprehensive permissions. For details, see Effective role permissions.

Personas

You can reassign alternative personas among multiple users and user groups, whereas each default persona is unique to a single user or group and you cannot reassign it. Therefore, the best practice for modularizing permissions is to assign roles and computer groups to alternative personas instead of default personas. This practice simplifies updating your RBAC implementation when necessary, such as when users leave or join your organization, or when they move between user groups.

Users and user groups

LDAP support

If you plan to import users and user groups from a Lightweight Directory Access Protocol (LDAP) or Active Directory (AD) server, set up the imports before you perform other RBAC tasks. The Tanium Server automatically synchronizes with the LDAP server every five minutes, and you can manually synchronize at any time. The synchronization updates the Tanium Server with any changes that occurred on the LDAP server, including any new or deleted users, new or deleted user groups, and changes to group membership. Optionally, you can use an LDAP server to authenticate the imported users. For details and related tasks, see Integrating with LDAP servers.

User group permissions

Control permissions at the user group level as much as possible instead of at the user level. Assigning computer groups, roles, personas, and users to user groups minimizes the administrative effort required to update your RBAC configuration. For example, instead of modifying role assignments for the personas of each user who might join or leave your organization, or whose responsibilities might change, you can configure user groups that use sensor-based filters to dynamically adjust group membership when such changes occur.

User permissions

To identify which permissions are needed, consider what each team in your organization needs to accomplish through the Tanium system. In particular, consider the following:

  • Which users require access to which Tanium module workbenches and module content?
  • Do you want to use the Permission Administrator permission Administrator reserved role to assign full administrator permissions to a few users or assign granular administration permissions that grant or deny page-specific read and write access to the Administration > Configuration pages?

SAML authentication

You can use a Security Assertion Markup Language (SAML) identity provider (IdP) to provide single sign-on authentication for Tanium Console users. For details and related tasks, see Integrating with a SAML IdP.