Managing Roles

You can create the following types of grant and deny roles:

• Advanced
• Micro Admin
• Module (only grant)

If you are unfamiliar with Tanium™ Console role-based access control, read the Overview.

Create an advanced role

Advanced roles assign fine-grained content set permissions.

User role requirements

You must have the Administrator role or Content Set Administrator role to create a role.

Create a role

1. Go to Permissions > Roles.
2. Click New Role and then select Grant Advanced Role or Deny Advanced Role to display the role configuration page.
3. Specify a configuration name.
4. Optional. Under All Content Sets Option, select the Add all Content Sets that exist or will exist to the permissions selected below option to grant or deny permissions absolutely. This option is useful, for example, when you want a user to always be able to read sensors or never be able to write actions.
5. Under Ask Dynamic Question, click Add to enable users with this role to ask ad hoc questions.

   Ask Dynamic Questions is a global permission. If it is enabled in any role assigned to a user, the user has permission to create ad hoc questions that use any of the sensors for which they have read access.

6. Under Content Set Permissions, click Add to add a permission to the configuration; click the icon to remove a permission. See Table 1 for descriptions of the permissions.
7. Add content sets to the permissions. Click the Add button to display the Content Sets selection box.
8. Select content sets and click Save to close the selection box.


9. Save the configuration.

Table 1:   Content Set Permissions

Permission	Description
Bypass Action Approval	Actions created by a user with this permission are not subject to approval requirements. No role, including the Administrator reserved role, includes this permission by default. This is the one advanced permission that has effect when granted to a user with the Administrator reserved role.
Read Sensor	Can view sensors in the Question Builder and similar user interfaces throughout the console. Can use sensors in questions if the user also has the ability to ask questions. Cannot view the Content > Sensors page unless the user also has the Write Sensor permission.
Write Sensor	Can view the Content > Sensors page. Can create, modify, and delete sensor configurations. Implies the Read Sensor and Show Preview permissions.
Read Action	Can view the Actions pages. Visibility of rows in the grid depends on the Read Action permission on the content set for the underlying package. Implies the Read Own Action permission.
Read Own Action	Determines whether the actions of the logged in user appear in the Actions > All Pending Approval grid.
Write Action	Can view the Actions > Scheduled Actions page. Users can see rows for actions they issued. If a user has the Read Action permission on the content set for the underlying package, that user can see rows for actions that other users issued. Can see and use the Deploy Action button on the Question Results grid for dynamic questions and saved questions. Implies the Read Own Action, Read Package, and Show Preview permissions. To deploy an action, edit an action, or check action status, a user also needs Read Sensor and Read Saved Question on the Reserved content set. The Reserved content set includes content used to ask preview and polling questions.
Write Action for Saved Question	Can see the Actions > Scheduled Actions page, but the only rows are for the actions that the user has deployed. Can see and use the Deploy Action button on the Question Results grid but only for saved questions that have associated actions. The Read Package permission is not required for the associated actions. If the saved question does not have associated actions, the Deploy Action button does not appear. Tip: Use this permission instead of the Write Action permission to limit use by action users who use Tanium products to execute standard operating procedures that someone else created.
Approve Action	Can approve actions that another user created. Users with this permission cannot approve their own actions. To view the actions on the Actions > Actions I Can Approve and Actions > All Pending Approval pages, you must also have the Read Package and Read Own Action permissions.
Read Plugin	Reserved for future use.
Execute Plugin	Reserved for future use.
Read Package	Can view packages in the Browse Packages dialog box opened from the Deploy Action workflow page. Cannot view the Content > Packages page unless the user also has the Write Package permission.
Write Package	Can view the Content > Packages page. Can create, modify, and delete package configurations. Implies the Read Package and Show Preview permissions.
Read Saved Question	Can view saved questions in the Question Results grid drill-down and similar user interfaces. Can view the Interact Saved Questions page, if the user also has access to the Interact workbench. Cannot view the Content > Saved Questions page unless the user also has the Write Saved Question permission. To issue a saved question as expected, the user also requires the Read Sensor permission for the pertinent sensor.
Write Saved Question	Can view the Content > Saved Questions page. Can create, modify, and delete saved question configurations. Implies the Read Saved Question permission. Note: Does not imply the Ask Dynamic Questions permission.
Read Dashboard	Can view the Dashboards pages, if the user also has permission to the Interact workbench. A user also needs the Read Saved Question and Read Sensor permission for the related content to use the dashboard.
Write Dashboard	Can create, modify, and delete dashboard configurations. Implies the Read Dashboard permission.
Read Dashboard Group	Can view the Categories pages, if the user also has permission to the Interact workbench. A user also needs the Read Dashboard, Read Saved Question, and Read Sensor permissions on the related content to use the category.
Write Dashboard Group	Can create, modify, and delete category configurations. Implies the Read Category permission.
Show Preview	Not an explicit permission. Implied in the Write Action, Write Action for Saved Question, Write Package, and Write Sensor permissions. Enables authors to ask questions necessary to preview the impact of new and changed configurations. To ask preview questions, the user also needs Read Sensor on the Reserved content set. The Reserved content set includes content used to ask preview questions.
Read Associated Packages	Not an explicit permission. Implied in the Write Action for Saved Question permission.

Create a Micro Admin role

Micro Admin roles assign system administration permissions.

User role requirements

You must have the Administrator role or Content Set Administrator role to create a role.

Create a role

1. Go to Permissions > Roles.
2. Click New Role and then select Grant Micro Admin Role or Deny Micro Admin Role to display the role configuration page.
3. Specify a configuration name.
4. Click Add to add a permission to the configuration; click Remove to remove a permission. See Table 2 for descriptions of the permissions.
5. Save the configuration.

Table 2:   Micro Admin permissions

Permission	Description
Read System Status	Can view the Administration > System Status page.
Read Question History	Can view the Administration > Question History page. To load and ask a question for the Question History page, the user would also need the underlying content permissions.
Read User	Can view the Administration > Users page and view users that are listed on the Administration > User Groups and Permissions > Roles pages.
Write User	Can create, modify, and delete user configurations. Implies the Read User permission.
Read User Group	Can view the Administration > User Groups page.
Write User Group	Can create, modify, and delete user group configurations. Implies the Read User Group permission.
Read Computer Group	Can view the Administration > Computer Groups page.
Write Computer Group	Can create, modify, and delete computer group configurations. Implies the Read Computer Group permission. To create or edit computer groups, the user also needs the Read Sensor permission on the Reserved content set. The Reserved content set includes content used to ask preview questions.
Read Global Settings	Can view the Administration > Global Settings page.
Write Global Settings	Can create, modify, and delete global settings. Implies the Read Global Settings permission.
Read Whitelisted URLs	Can view the Administration > Whitelisted URLs page.
Write Whitelisted URLs	Can create, modify, and delete the whitelisted URLs configuration. Implies the Read Whitelisted URLs permission.
Read Audit	Can view: Last Login information on the Administration > Users page Last Modified on information on the user details page (select Administration > Users and click View User) Last Modification information on the Administration > Global Settings page
Read Server Status	Can view the https://<tanium_server>/info page. For details, see View the info page.

Tasks related to some menus do not have micro admin permissions. A user must have the reserved role indicated in the following table to view the menus or perform the tasks.

Table 3:   Tasks requiring a reserved role

Menu or task	Administrator	Content Administrator	Content Set Administrator
Action Group Create, modify, or delete action groups.	X
Content Alignment Use the Content Alignment page to move content to the content set expected by a module.	X
Permissions Create, modify, or delete the user roles or content sets configurations.	X		X
Users, User Groups Edit role settings in the user or user group configurations.	X		X
Effective permissions View effective permissions for users or user groups.	X		X
Solutions Import Tanium modules, content packs, or CUIC updates. View and import lab content.	X
Configuration View or manage any of the Configuration menu pages, including proxy settings, logging levels, plugins, plugin schedules, cache info, client subnets, LDAP Sync, SAML, or console color.	X
Question History Load a question from the Question History page.	X
Interact Categories Read/Manage the Other Dashboards temp category.	X	X

Create a Module Role

In 7.1, users must be assigned a grant module role in order to see the solution module workbench and use the module features. When you upgrade to 7.1.314.3071 or later and reimport the solution modules, the import creates module-provided roles and granular permissions. In most cases, the module-provided roles have been designed to match requirements for typical module users, and you do not have to create your own module roles. Refer to the solution module user guide for information about module-provided roles.

Module	Link
Asset	User Guide
Comply	User Guide
Connect	User Guide
Deploy	User Guide
Detect	User Guide
Discover	User Guide
Incident Response	User Guide
Integrity Monitor	User Guide
Interact	User Guide
Map	User Guide
Network Quarantine	User Guide
Patch	User Guide
Protect	User Guide
Reveal	User Guide
Threat Response	User Guide
Trace	User Guide
Trends	User Guide

If necessary, you can create your own module roles and assign granular module permissions.

User role requirements

You must have the Administrator role or Content Set Administrator role to create a role.

Create a role

1. Go to Permissions > Roles.
2. Click New Role and then select Grant Module Role to display the role configuration page.
3. Specify a configuration name.
4. Click Add to add a module to the configuration; click Remove to remove a module.
5. Click Edit to display the permissions selection box for the module.
6. Select permissions and click Save to close the selection box.
7. Save the configuration.

Assign users and user groups to a role

You can associate users and user groups with roles either in the role configuration or in the user and user group configurations.

User role requirements

You must have the Administrator role or Content Set Administrator role to manage the roles configuration. However, a Content Set Administrator cannot manage the assignment of reserved roles.

Edit the role configuration

1. Go to Permissions > Roles.
2. Select a role and click Edit to display the configuration summary page.
3. Click Edit User Assignment to display the Assign Users and User Groups page.
4. Next to User Groups, click Edit. Select groups and click Save to close the selection box.
5. Next to Users, click Edit. Select users and click Save to close the selection box.
6. Click Show Preview to Continue to review the impact of your changes. Review the effective permissions and save the configuration.

Clone a role

When you want to add a role that has many settings in common with an existing role, cloning the existing role and then modifying the clone is often a quicker method than configuring a new role. Note that you must still assign users and user groups to the clone, and optionally enter a description; the clone will not inherit those settings from the original role. You can clone any role except the reserved roles.

1. Go to Permissions > Roles, select a role, and click Clone.
2. Enter a Name to identify the role (default is Copy of <original_role_name>), update the permissions as needed, and save your changes.
3. Assign users and user groups to the role (see Assign users and user groups to a role).

Export and import roles

Exporting and importing roles is useful when you need to copy the roles between Tanium deployments. For example, you might export roles to a lab deployment for testing before using the roles in a production deployment.

Export all roles

1. From any Content or Permissions page, click Export to XML in the top right of the Tanium Console.
2. Select Content Sets and Roles and click Export.
3. Enter a File Name or use the default name, and then click OK. The Tanium Server exports the XML file to the Downloads folder on the system you use to access the Tanium Console.

Export one or more roles

1. Go to Permissions > Roles, select one or more roles, and click Export .
2. Enter a File Name or use the default name, and then click OK. The Tanium Server exports the XML file to the Downloads folder on the system you use to access the Tanium Console.

Import roles

1. Use KeyUtility.exe to sign the XML configuration file before you import it. As a one-time action, you must also copy the associated public key to the correct folder. For the procedures, see Signing content XML files.
2. From any Content or Permissions page, click Import from XML at the top right of the Tanium Console.
3. Click Choose File, find and select the configuration file, and click Open.
4. Click Import. If object names in the file are the same as for existing objects, the Tanium Console itemizes the conflicts and provides resolution options for each one.
5. Select resolutions for any conflicts. For guidance, see Conflicts and Best practices or consult your TAM.
6. Click Import again, and click Close when the import finishes.

Delete a role

When you delete a role configuration, the role is removed from any user and user group configurations that had included it. When deleting a role configuration, we recommend:

1. Delete the users and user group assignments from the role configuration.
2. Go to the effective permissions page for your users and review the resulting impact on the users' effective permissions.
3. Delete the role configuration.