RBAC overview

Tanium RBAC implementation and concepts

Role-based access control (RBAC) enables you to configure granular permissions that control what individual Tanium Console and API users can see and do with the Tanium Core Platform, and which endpoints they can monitor and manage. The permissions derive from personas, roles, and computer groups that are assigned to user accounts and that users inherit from user groups. The Tanium implementation of RBAC involves the following key concepts and configuration objects.

Permissions

Permissions define the read, write, and execute activities that a user or user group is allowed to perform in the Tanium Core Platform.

  • Content Set permissions determine access to specified plugins, filter groups, sensors, packages, saved questions, dashboards, and categories.
  • Micro admin permissions determine access to the system administration pages of the Tanium Console.
  • Module permissions determine access to Tanium solution module workbenches and features.
  • Global permissions determine access rights to specified activities across all modules, such as the ability to create and manage content sets.

For more information, see Implied role permissions and Effective role permissions.

Roles

A role specifies grant permissions for allowed activities or deny permissions for prohibited activities. You can assign the following types of roles to the personas of users and user groups:

  • Advanced roles assign content set permissions.
  • Micro admin roles assign Tanium system administration permissions.
  • Module roles (grant only) assign Tanium module permissions and module-specific content set permissions.
  • Reserved roles assign permissions that enable special-purpose capabilities that other roles cannot control, such as customizing the Tanium Console.

For related tasks and details, see Managing roles.

Content sets

A content set is a group of configuration objects, including plugins, sensors, packages, filter groups, saved questions, dashboards, and categories, for which permissions control access. Actions are not explicitly considered content but are treated as belonging to the same content set as the packages that they use. Tanium provides several predefined content sets through the Default Content pack and Tanium solution modules. You can create a content set to contain custom content or to accommodate changes in the RBAC configuration of your Tanium deployment. You can assign each content object to only one content set. A role can specify permissions for multiple content sets. For details and related tasks, see Managing content sets.

Users

A Tanium user configuration associates personas, user groups, computer groups, and roles with a user account. A user can have one or more grant and deny roles. Users have no permissions other than what their roles provide. A user with no roles can sign in, but is directed to a page indicating insufficient permissions. A user can have one or more computer groups and zero or more user groups. Every user has a default persona and can have zero or more alternative personas. To authenticate users when they access the Tanium Console or API, you can configure a remote authentication service or use the authentication service that is local to the Tanium Server. For details and related tasks, see Managing users.

User groups

A Tanium user group configuration associates personas, computer groups, and roles with a set of users who inherit all the permissions of the user group. A user group can have zero or more users and one or more roles and computer groups. Every user group has a default persona and can have zero or more alternative personas. For details and related tasks, see Managing user groups.

Computer groups

Tanium users can issue questions and deploy actions only to endpoints that belong to a computer management group that is assigned to the personas of the users or their user groups. Tanium users use computer filter groups as filters in questions and question results. Users can use only the filter groups that are assigned to a content set that is associated with a role, and the role must be assigned to the personas of the users or their user groups. For details and related tasks, see Managing computer groups.

Personas

All user accounts have a predefined default persona, which is the persona that applies when users sign into the Tanium Console. When using the default persona, a user has permissions derived from all the roles and computer groups that are assigned to that persona. The default persona of a user also provides permissions inherited from the default personas of user groups to which the user is assigned. After switching to an alternative persona, the user has only the permissions derived from the roles and computer groups assigned to that persona. For details and related tasks, see Managing personas.

The following figure illustrates the relationships among these RBAC components. The arrows indicate how you assign the components to configure user permissions. The yellow highlighting indicates the best practice for configuring permissions: assign roles and computer groups to alternative personas, and assign the alternative personas to user groups. Note that the roles and computer groups that you assign directly to user groups and user accounts are effectively assigned to the default persona of those user groups and users.

Figure  1:  Relationships and assignments among RBAC components

RBAC configuration overview

The following steps summarize the workflow for configuring RBAC. The steps also explain how the components interact to define the effective permissions of users when they access the Tanium Console under different personas. The figures in these steps depict two user groups to illustrate the different implications of assigning roles and computer groups to alternative personas and default personas.

Before starting this workflow, review the important details and best practices described under Plan your RBAC implementation.

If you plan to import users and user groups from an LDAP or AD server, configure the imports before configuring RBAC (see Integrating with LDAP servers).

  1. Define roles. Note that advanced roles and module roles apply permissions to content sets. Tanium content packs and solution modules provide predefined content and content sets. You can also create custom content and content sets.

    The following figure shows an example with two advanced roles (A and D), a module role (B), and a micro admin role (C).

    Figure  2:  User role configuratons

    The next figure illustrates the relationships among content, content sets, and permissions in each example role configuration (roles A to D in Figure  2).

    Figure  3:  Role permissions and content sets

    For details and procedures related to roles, see Managing roles.

  2. Define computer management groups.

    Figure  4:  Computer management group configurations

    For details and procedures related to computer groups, see Managing computer groups.

  3. Define alternative personas. For each persona, assign roles and computer management groups.

    Figure  5:  Alternative persona configurations

    For details and procedures related to personas, see Managing personas.

  4. Configure the user groups that you imported from LDAP servers or manually add groups that are local to the Tanium Server. You can assign alternative personas to each user group, and assign roles and computer management groups to the default persona of each user group.

    Figure  6:  User group configurations

    For details and procedures related to user groups, see Managing user groups.

  5. Configure the user accounts that you imported from LDAP servers or manually add accounts that are local to the Tanium Server. Assign alternative personas and user groups to each user. You can also assign roles and computer groups to the default persona of each user.

    Figure  7:  User configurations

    For details and procedures related to users, see Managing users.

  6. Sign into the Tanium Console. For every user, the default persona is active by default and has permissions for all the roles and computer management groups that are directly assigned to the user account or that are inherited from user groups.

    In this example, the RBAC_Administrator role and HQ computer group are assigned to the default persona of the user. The user also inherits permissions from the Monitor role and Europe_Branch computer group that are assigned to the user group Europe.

    Figure  8:  Signing in as default persona
  7. When the user switches to an alternative persona for the Tanium Console session, that user has permissions only for the roles and computer management groups that are assigned to that persona.

    In the following figure, the user selects the NAM_Monitor persona that is inherited from the NAM user group.

    Figure  9:  Selecting an alternative persona (example 1)

    In the next figure, the user selects the APAC_Trends persona that is assigned to the user account (default persona).

    Figure  10:  Selecting an alternative persona (example 2)

The following figure shows the complete workflow to configure the effective permissions of all three personas in this example.

Figure  11:  RBAC configuration workflow

Plan your RBAC implementation

The following are important items and best practices to discuss with your team and Tanium Support (see Contact Tanium Support) when planning the RBAC implementation for your Tanium deployment.

If you plan to import users and user groups from a Lightweight Directory Access Protocol (LDAP) or Active Directory (AD) server, do so before setting up RBAC. For details, see Integrating with LDAP servers.

Upgrades

If you are upgrading from Tanium Core Platform 7.0 or earlier, see the KB article Setting up RBAC after upgrading the Tanium Core Platform.

Naming convention

Before configuring custom roles, content sets, computer groups, and other RBAC objects, devise a naming convention that enables Tanium users to easily determine the purpose for each object and to distinguish it from similar Tanium-provided objects that are imported through Tanium modules and content packs. Distinguishing custom objects is important because it is a best practice to avoid modifying Tanium-provided objects (see Tip 4: Limit customizations to Tanium content). For example, you can use the name of your organization as a prefix in the names of custom objects.

Computer management groups

Identify the sets of endpoints that you want to manage as a group with respect to operations that Tanium users and modules perform. For example, you might configure computer groups based on the geographical organization of your organization, with a group for each region. You can also base computer groups on function (such as data centers and branch offices) or any other criteria.

Computer groups can have overlapping membership. For example, a computer group for all Windows endpoints might include endpoints that are also members of region- or function-based computer groups. Be sure to consider the impact of overlapping membership when configuring and assigning computer groups. For example, you might want users in a security operations center to have management rights to Windows endpoints so that the users can deploy security updates. However, you might not want those users to have management rights for the subset of Windows endpoints that store sensitive financial information.

Base computer group membership on sensor-based filters instead of manually defined lists to enable granular control over which endpoints to include or exclude in the groups.

Content sets

Determine how to organize content set permissions for controlling access to specific data and deploying actions on endpoints. As a best practice, ensure that the content in any particular content set is similar to minimize the risk of assigning unintended permissions to user roles. You can organize content sets based on the following:

  • Capability: read or write
  • Content type: for example, saved questions, sensors, or packages
  • Subject matter: for example, Tanium Client administration or Windows system administration

For content that is provided through Tanium modules and content packs, keep the content objects in their original Tanium-provided content sets. To sustain this practice when moving content between content sets, create copies of Tanium-provided content and move the copies instead of the original versions. Contact Tanium Support before proceeding if you need to move original Tanium-provided content.

Roles

The following are best practices for managing roles:

  • Configure module roles before advanced or micro admin roles. Module permissions grant access to a specific module and often provide additional advanced and micro admin permissions.
  • When configuring roles, take advantage of their modularity and cumulative effect on user permissions. For example, instead of creating a role with all the permissions that a particular user needs, and creating another role with only slightly different permissions for another user, create several roles with smaller but unique permissions sets. You can then mix and match these minimalistic roles among various users to achieve the same effective permissions as individual roles that have comprehensive permissions. For details, see Effective role permissions.

Do not modify Tanium-provided module roles. The process of upgrading or re-importing a module overwrites the module role configurations, along with any modifications that you made.

Personas

You can reassign alternative personas among multiple users and user groups, whereas each default persona is unique to a single user or group and you cannot reassign it. Therefore, the best practice for modularizing permissions is to assign roles and computer groups to alternative personas instead of default personas. This practice simplifies updating your RBAC implementation when necessary, such as when users leave or join your organization, or when they move between user groups.

Users and user groups

LDAP support

If you plan to import users and user groups from a Lightweight Directory Access Protocol (LDAP) or Active Directory (AD) server, set up the imports before you perform other RBAC tasks. The Tanium Server automatically synchronizes with the LDAP server every five minutes, and you can manually synchronize at any time. The synchronization updates the Tanium Server with any changes that occurred on the LDAP server, including any new or deleted users, new or deleted user groups, and changes to group membership. Optionally, you can use an LDAP server to authenticate the imported users. For details and related tasks, see Integrating with LDAP servers.

User group permissions

Control permissions at the user group level as much as possible instead of at the user level. Assigning computer groups, roles, personas, and users to user groups minimizes the administrative effort required to update your RBAC configuration. For example, instead of modifying role assignments for the personas of each user who might join or leave your organization, or whose responsibilities might change, you can configure user groups that use sensor-based filters to dynamically adjust group membership when such changes occur.

User permissions

To identify which permissions are needed, consider what each team in your organization needs to accomplish through the Tanium system. In particular, consider the following:

  • Which users require access to which Tanium module workbenches and module content?
  • Do you want to use the Permission Administrator permission Administrator reserved role to assign full administrator permissions to a few users or assign granular micro admin permissions that grant or deny page-specific read and write access to the Administration > Management pages?

SAML authentication

You can use a Security Assertion Markup Language (SAML) identity provider (IdP) to provide single sign-on authentication for Tanium Console users. For details and related tasks, see Integrating with a SAML IdP.