Managing roles

Roles overview

In the context of Tanium™ role-based access control (RBAC), a role assigns allow permissions to specify allowed activities or deny permissions to specify prohibited activities. You assign roles to users, user groups, and personas to control what users can see and do in the Tanium Core Platform.

If you plan to import users and user groups from a Lightweight Directory Access Protocol (LDAP) or Active Directory (AD) server, do so before configuring or assigning roles. For details, see Integrating with LDAP servers.

The Tanium implementation of RBAC supports two role categories, which the Administration > Permissions > Roles page distinguishes with an icon in the Role Name column:

Custom roles

You can create, edit, or delete custom roles, which allow or deny any combination of administration, platform content, and module permissions. See Configure a custom role.

System roles

Tanium provides predefined system roles that you cannot edit or delete. These roles include:

Modules roles: These roles allow or deny permissions for access to module workbenches, features, and content sets. Some module permissions automatically enable additional provided permissions. For example, the Patch Module write permission automatically grants the Ask Dynamic Questions (Interact module) permission.
Reserved roles: These roles assign permissions for a range of tasks that, in many organizations, are commonly exclusive to a few users. For example, organizations typically have a small set of users who oversee all Tanium operations and require the full administrative permissions that the Administrator reserved role provides. For details, see Reserved roles.

The following figure shows the configurable components of the different role categories, and the order in which you assign the components:

Figure 1: Role configurations (click image to enlarge)

For an overview of how roles relate to other RBAC configuration objects such as content sets, personas, users, user groups, and computer groups, see Tanium RBAC implementation and concepts.

Roles have a many-to-many relationship with users and user groups. For example, all Tanium Interact users can have the Interact Show module role, and each of those users can have additional custom roles that provide access to the sensors and questions that they use in Interact. Similarly, you can configure permissions for the same content set across multiple roles, and each role can specify permissions across multiple content sets.

As a best practice when configuring roles, take full advantage of their modularity and cumulative effect on user permissions. For example, instead of creating a single role with all the permissions that a particular user needs, and creating another role with only slightly different permissions for another user, create several roles with smaller but unique permissions sets. You can then mix and match these minimalistic roles among various users to achieve the same effective permissions as individual roles that have comprehensive permissions. For details, see View effective role permissions.

Some permissions that you assign to a role automatically provide additional permissions. For example, if you assign Package write permission, it implicitly provides Package read permission. For details, see Provided role permissions.

Users inherit roles from the user groups to which you assign those users. For details, see Inherited roles.

For a given Tanium Console session, only the permissions of the currently selected persona are available to a user, even if multiple personas are assigned to that user. For details, see Managing personas.

To add, edit, or delete roles, you must have the Administrator or Content Set Administrator reserved role or a custom role with the Permission Administrator permission. However, a Content Set Administrator cannot manage the assignment of personas or reserved roles to users and user groups.

Roles do not control access to computer management groups (see Manage computer management groups) or action groups (see Managing action groups) that users select for targeting when issuing questions or deploying actions. However, roles do control the permissions required to manage computer group and action group configurations.

If Tanium Console displays RBAC errors, such as RBACInsufficientPrivilege, see Troubleshoot permission issues.

Allow and deny roles

On the Roles page, the Type column indicates if a role allows or denies permissions. You can assign multiple allow or deny roles to a user or user group. Tanium CloudThe Tanium Server bases the effective permissions of a user or group on the cumulative effect of all the roles that are assigned to that user or group: all explicitly granted or implicitly provided allow permissions minus explicit deny permissions.

You can view the View effective role permissions of a user or user group in Tanium Console.

In custom roles, a permission and content set in the deny role must match a permission and content set in the allow role to negate the allow permission. In the following example, the deny Package write permission on Content Set A matches the allow Package write permission on Content Set A, so the allow permission is negated.

Figure 2: Allow and deny roles on content set permissions (match)

In the following example, the deny Package write permission on Content Set D does not match any allow permissions. Therefore, the deny permission has no impact on the effective permissions of the user.

Figure 3: Allow and deny roles on content set permissions (no match)

When you assign content sets to permissions in custom roles, the Add all Content Sets that exist or will exist to the permissions option is equivalent to listing every content set. The following figure illustrates an example where the deny Package write permission on Content Set D has an effect.

Allow and deny matching also applies to administration permissions. In the following example, the user has one allow role and two deny roles that specify administration permissions. Tanium CloudThe Tanium Server factors out exact matches between allow and deny permissions. The user has all of the capabilities that the allow role specifies, minus the capabilities that the deny roles specify.

Figure 5: Allow and deny roles on administration permissions

Provided role permissions

Some permissions automatically provide additional permissions because of dependencies. For example, the Package write permission that enables creating packages depends on the Package read permission that enables accessing the Packages page. Similarly, the Interact Execute action permission that enables action deployment depends on the Action write permission that enables action configuration.

In allow roles, every write permission implicitly provides the associated read permission. In the following example, the custom role that is assigned to Eric and Grace has the Package write permission on the specified content sets, and therefore the configuration does not need to specify the Package read permission. A role that has only the Package read permission on the same content set is created for users who must have read-only permissions, like Bob in this example.

Figure 6: Eric and Grace effectively have both read and write permissions

Deny roles do not implicitly provide associated permissions. For deny roles to have an effect, they must explicitly specify permissions and those permissions must exactly match the permissions that an allow role specifies. For example, if a deny role specifies that Package write permission is denied on a content set, the role does not also deny Package read permission. In the following example, the deny role permissions do not exactly match any allow role permissions. Therefore, the deny role is disregarded and Bob still has Package read permission on the specified content sets.

Figure 7: Bob effectively has read permissions

Inherited roles

Users inherit role permissions from their user groups. In the following example, Eric inherits permissions from the roles that are assigned to the NOC user group. He also has permissions that are assigned directly to his user account. Tanium CloudThe Tanium Server enforces the net effect. In this example, even though Eric inherits the Isolated Subnets write permission and Separated Subnets write permission from the user group, the deny role that is assigned directly to his user account negates those permissions. Because no deny roles are assigned to the accounts of Bob and Grace, they have all the permissions that are inherited from the user group, including Isolated Subnets and Separated Subnets write permissions.

Reserved roles

The predefined reserved roles assign permissions for a range of tasks that, in many organizations, are commonly exclusive to a few users. For example, organizations typically have a small set of users who oversee all Tanium operations and require the full administrative permissions that the Administrator reserved role provides. Reserved roles can include special permissions, such as managing the Tanium license, that are not available to non-reserved roles.ReservedIn addition to the special permissions, reserved roles can have some or all of the platform content, administration, and module permissions that are associated with other roles. You cannot edit or delete reserved roles. Special logic applies when you assign both a reserved role and non-reserved role to a user or user group, as described in the following sections.

Admin reserved role

Assign the Admin reserved role to users who manage all Tanium content, modules, shared services, and administrative functionality.

This role can perform the following tasks:

Use all Tanium solutions and content
Configure all Tanium Core Platform settings (such as bandwidth throttles) and customize Tanium Console
View, create, edit, delete, and export all RBAC configurations, including users, user groups, personas, roles, computer groups, and API tokens
View, create, edit, delete, and export all content configurations such as sensors, packages, and scheduled actions

When you assign the Admin role, other allow roles are superfluous and deny roles are ineffective, with the following exceptions:

Bypass Action Approval: A custom role with the Bypass Action Approval permission does have effect when it is assigned to a user who has the Admin reserved role. The Admin reserved role does not have this permission by default. Due to the sensitive nature of bypassing approval, you must explicitly assign this permission in all cases.
Deny All: The Deny All reserved role negates all the permissions of the Admin reserved role.

During the setup of your Tanium Cloud deployment, an initial administrator account is created with the Admin role. You can use this account to configure RBAC for all other users, including other users who might need the Admin role.

Administrator reserved role

Assign the Administrator reserved role to users who manage all Tanium content, modules, shared services, and administrative functionality.

This role can perform the following tasks:

Import, export, update, uninstall, and use all Tanium solutions
Configure all Tanium Core Platform settings (such as bandwidth throttles) and customize Tanium Console
Manage the Tanium license and manage trust among platform components (such as Tanium Servers and Zone Servers)
View, create, edit, and delete all RBAC configurations, including users, user groups, personas, roles, computer groups, LDAP server configurations, SAML IdP connections, and API tokens
View, create, edit, delete, import, and export all content configurations such as sensors, packages, and actions

When you assign the Administrator role, other allow roles are superfluous and deny roles are ineffective, with the following exceptions:

Bypass Action Approval: A custom role with the Bypass Action Approval permission does have effect when it is assigned to a user who has the Administrator reserved role. The Administrator reserved role does not have this permission by default. Due to the sensitive nature of bypassing approval, you must explicitly assign this permission in all cases.
Deny All: The Deny All reserved role negates all the permissions of the Administrator reserved role.

Content Set Administrator reserved role

Assign the Content Set Administrator reserved role to users who manage content set and role configurations.

This role can perform the following tasks:

View, create, edit, delete, import, or export content set configurations
Manage content assignments to content sets
View, create, edit, delete, import, or export user role configurations
Manage role assignments to users, user groups, and personas

The Content Set Administrator role makes all other allow roles superfluous. The Deny All reserved role is the only role that can affect a user who has the Content Set Administrator role.

Figure 12: Content Set Administrator reserved role

Notice the result when both the Content Set Administrator and Administrator roles are assigned. Only the Content Set Administrator role remains effective. Be careful not to assign the Content Set Administrator role to users who must have other roles. Be careful not to assign (directly or by user group inheritance) the Content Set Administrator role to users who are assigned the Administrator role.

Content Administrator reserved role

Assign the Content Administrator reserved role to users who manage content and actions.

This role can perform the following tasks:

View, create, edit, and delete all content configurations (such as sensors, packages, and saved questions) across all content sets
View, create, edit, deploy, and delete actions

When the Tanium Server evaluates effective permissions for a user who has the Content Administrator role, the server disregards the content permissions in other roles but evaluates other types of permissions.

Figure 13: Content Administrator reserved role

Deny All reserved role

Assign the Deny All reserved role to user accounts that must be disabled even though they are not yet deleted.

Users who have the Deny All role cannot access anything in the Tanium Core Platform, regardless of any other role that you assign to them, including the Administrator reserved role. In the following example, the only role assigned to Frank that has any effect is Deny All.

Tasks that require reserved roles

To perform the following tasks, a user must have a reserved role because the tasks are not associated with administration permissions that you can assign to custom roles.

Table 1: Tasks requiring a reserved role
Task	Administrator	Content Administrator	Content Set Administrator
Manage content sets Create, edit, or delete content set configurations.
Manage role configurations and assignments Edit roles and edit the role assignments of users, user groups, and personas.
Manage Tanium solutions Manage Tanium modules, shared services, and content-only solutions on the Administration > Configuration > Solutions page.
Manage Tanium Core Platform configuration View or manage many of the Administration > Configuration pages, including those for proxy settings, logging levels, plugins, plugin schedules, sensor threshold indicators, package file repository, Tanium licenses, Tanium root keys, downloads authentication, trust among Tanium Core Platform servers, LDAP servers, SAML, and Tanium Console customizations.

View role details

From the Main menu, go to Administration > Permissions > Roles.
The page displays each role name and category, and the number of users, user groups, and personas to which each role is assigned. The Total Users column indicates the sum of all the users who are assigned the role through their user accounts or who inherit the role from user groups.
(Optional) To display attributes that the grid hides by default, click Customize Columns and select the attributes.
(Optional) Use the filters to find specific roles:
- Filter by text: To filter the grid by column values, enter a text string in the Filter items field.
- Filter by attribute: Filter the grid by one or more attributes, such as the Role Name. Expand the Filters section, click Add, select an attribute and operator, enter a text string that contains all or part of the attribute value, and click Apply. If you add multiple attribute filters, the Boolean AND operator applies. After you finish specifying attributes, click Apply All to filter the grid.
- Filter by category: By default, the grid shows roles of All categories but you can click a Category button to show only System roles or Custom roles.
- Filter by type: By default, the grid shows roles of All types but you can click a Type button to show only Allow or Deny roles. See Allow and deny roles.
(Optional) View the permissions (and associated content sets), users, and user groups that are assigned to a role by clicking the Role Name.
To view or edit the configuration of an assigned user or user group, click the user or group name.
For details about the icons in the Permissions and Content Sets grids, see View effective role permissions.
To view the roles that are assigned to a persona, see Manage role assignments for a persona.

Configure a custom role

A custom role can include any combination of administration, platform content, and Tanium solution permissions. When you configure a custom role with platform content or solution permissions that are associated with content, such as sensors and packages, you also select the content sets to which those permissions apply.

From the Main menu, go to Administration > Permissions > Roles.
Perform one of the following steps:
- To create a role, click New Role.
- To edit a role, click a Role Name and click Edit Mode.
Specify a Role Name to identify the role.
Set the Permission Type to Allow or Deny.

For details, see Allow and deny roles.
Configure the RBAC assignments and permissions as described in the following tasks, and then click Save.

You configure persona assignments in the persona configuration page instead of the role configuration pages. See Configure role assignments for a persona.

Manage user assignments for a role
Manage user group assignments for a role
Configure role permissions
Manage content set permissions for a role

Manage user assignments for a role

Skip the first step if you opened the Create Role or Edit Role page in a previous task.

From the Main menu, go to Administration > Permissions > Roles, click the Role Name, and click Edit Mode.
Expand the Users section, click Manage Users, select or deselect users, and click Select.
If you are editing a role that already has users assigned, click the number above the Users field in the Role Details section to scroll to the Users section and expand it.
To view or edit the configuration of a particular user, click the user Name in the Users section. The Edit User page opens in a new tab.
Click Save.

Manage user group assignments for a role

Skip the first step if you opened the Create Role or Edit Role page in a previous task.

From the Main menu, go to Administration > Permissions > Roles, click the Role Name, and click Edit Mode.
Expand the User Groups section, click Manage User Groups, select or deselect groups, and click Select.
If you are editing a role that already has user groups assigned, click the number above the User Groups field in the Role Details section to scroll to the User Groups section and expand it.
To view or edit the configuration of a particular user group, click the group Name in the User Groups section. The Edit User Group page opens in a new tab.
Click Save.

Manage role permissions

For an overview of how roles determine the effective permissions of users, and to view the permissions and associated content sets that are assigned to a role, see View effective role permissions.

To assign or unassign permissions for a role, see Configure role permissions.

For descriptions of the permissions that you can assign to roles, see:

Administration permissions
Solution permissions (such as Interact or Patch permissions)
Platform content permissions

View effective role permissions

The effective permissions of a user account are based on the cumulative effect of all roles that are assigned to the account or inherited from user groups, including:

Permissions specified in allow roles minus permissions specified in deny roles
Implicitly provided permissions in allow roles
Roles that are assigned to the persona that a user selects for a Tanium Console session. The persona can be assigned directly to the user account or inherited from a user group to which the user belongs.

Perform the following steps to see the effective permissions for a role:

From the Main menu, go to Administration > Permissions > Roles, click the Role Name, and click Edit Mode.
Review the Permissions and Content Sets. The page displays icons to indicate how permissions are derived:

	Allow permissions that you explicitly assign and that automatically provide additional permissions because of dependencies. For example, when you assign the Interact Module write permission, it automatically provides the Ask Dynamic Questions permission. For details, see Provided role permissions. The icons are grayed out for permissions that are not assigned.
	Allow permissions that you explicitly assign but that do not provide additional permissions. The icons are grayed out for permissions that are not assigned.
	Allow permissions that are implicitly assigned because other permissions provide them. You can hover over the icon to show a tool tip that indicates how the permission was derived from an explicit permission .
	Deny permissions that you explicitly assign.

When you view the configuration page for the Admin reserved rolereserved roles (such as Administrator), it displays a single Special permission under Global Permissions. When you view the configuration page for a custom role, the Global Permissions of the Admin reserved rolereserved roles are hidden because you cannot assign them.

You can expand individual solution content permissions (such as Trends Administrator permission) and Platform Content Permissions (such as Sensor read permission) to see the content sets to which the permission applies. The following icons indicate how content set assignments are derived:

	Content set that is explicitly assigned to the permission.
	Content set that is assigned because another permission implicitly provides it. You can hover over the icon to show a tool tip that indicates how the content set assignment was derived from an explicit permission .
	Content set that is assigned to a deny permission.

To review the effective permissions for a user, user group, or persona, see:

Configure role permissions

Perform one of the following tasks:

(New or existing role) Assign or unassign permissions for a single role

For a single role, to assign content sets to permissions that are associated with content, see Manage content set permissions for a role.
(Existing roles) Assign permissions and content sets to multiple roles
(Existing roles) Unassign permissions and content sets from multiple roles

Assign or unassign permissions for a single role

Perform the following steps to assign or unassign permissions for a role. Skip the first step if you opened the Create Role or Edit Role page in a previous task.

From the Main menu, go to Administration > Permissions > Roles, click the Role Name, and click Edit Mode.
Expand the section that corresponds to the type of permissions that you want to assign or unassign:
- Administration permissions
- Solution permissions (such as Interact or Patch permissions)
- Platform content permissions
Assign or unassign permissions by clicking the appropriate icons in the Special, Read, Write, Execute, or Delete column.

For details about the icons, see View effective role permissions.

Click an icon in a column header to select all the permissions of that type. For example, in the Administration permissions header, click the Special icon to assign all the available special administration permissions.
(Optional) Review all the permissions that you selected.

Click Preview at the top right of the page to display only the permissions that you selected. When you finish reviewing, click Edit Mode to continue configuring the role.
Click Save.

Assign permissions and content sets to multiple roles

From the Main menu, go to Administration > Permissions > Roles and select the roles to edit.
Select > Add Permissions.
Scroll to the Permissions section and expand the section that corresponds to the type of permissions that you want to assign:
- Administration permissions
- Solution permissions (such as Interact or Patch permissions)
- Platform content permissions
Assign permissions by clicking the appropriate icons in the Special, Read, Write, Execute, or Delete column, and then click Next.

For details about the icons, see View effective role permissions.

Click an icon in a column header to select all the permissions of that type. For example, in the Administration permissions header, click the Special icon to assign all the available special administration permissions.
To show only the Permissions that you added, click Preview at the top right of the page. After reviewing the permissions, revert to Edit Mode before proceeding to the next step.
If any permissions that you assigned are associated with content, such as Package write permission, click Next and perform the remaining steps to assign content sets to those permissions. Otherwise, click Apply Permissions to complete the procedure.
Assign content sets to permissions that are associated with content.
In the grid, the first column shows the name of each permission, the content sets that you assigned to it (initially none ), and the number of roles (initially 0) to which you assigned the permission-content set pairing. For each role, an additional column shows the total number of permission-content set pairings that you assigned (initially 0) and an assigned or not assigned icon for each pairing. The Apply Permissions button is disabled until you assign at least one content set to every permission that is associated with content.
You can assign permission-content set pairings to multiple roles or a single role:
- Multiple roles:
  1. For each permission, click Add Contents Sets, select content sets, and click Select.
  2. For each permission-content set pairing that you added, click the content set name, select roles, and click Select.
- Single role: For each permission, click 0+ in a role column, select content sets, and click Select.
After you assign permission-content set pairings on the Bulk Add Permissions page, you can change any assignments that you added during the current workflow (that is, before you click Apply Permissions). You cannot remove any permission-content set pairings that were assigned before you started the current Bulk Add Permissions workflow. To change assignments that you added during the current workflow:
- Single assignment: For each pairing, click an icon in a role column to toggle between assigned or unassigned for that role.
- Multiple assignments: For each permission, click a number in a role column and then select or deselect multiple content sets for that permission.
To change permission-content set assignments after you complete the Bulk Add Permissions workflow, see Unassign permissions and content sets from multiple roles.
Click Apply Permissions.

Unassign permissions and content sets from multiple roles

From the Main menu, go to Administration > Permissions > Roles and select the roles to edit.
Click > Remove Permissions.
Scroll to the Permissions section.

The listed permissions are assigned to one or more of the Selected Roles. When you deselect permissions in the list, they are unassigned from any of those roles.
Deselect permissions by clicking the or icons in the Special, Read, Write, Execute, or Delete column.

For details about the icons, see View effective role permissions.
Click Apply Changes.

Administration permissions

The following table describes administration permissions.

To create a role that can perform all administrative tasks in Tanium Console, assign the Permission Administrator permission and the write permissions for User, User Group, Computer Group, and Persona. The Admin reserved role has all these permissions.

Table 2: Administration permissions
Permission	Description
Permission Administrator	Provides the following administration permissions as a bundle: Read permissions for User, User Group, Role, Persona, and Content Set Write permissions for Role and Content Set Grant permission for Role
Action Group	Read permission enables users to view and export action group configurations in the Action Groups page. Action Group read permission overrides the Visibility setting. A user who has Action Group read and action deployment permissions can select any action group when deploying an action. A user who has Action Group read and Approve Action permissions can approve actions that target any action group. However, the computer groups that are assigned to a user still control which endpoints run an action that the user deploys to the selected action group. Write permission enables users to create, edit, and delete action group configurations. Write permission provides the Action Group read permission.
Allowed URLs	Read permission enables users to view allowed URL configurations on the Allowed URLs page and to export the configurations in CSV format. The Export Content administrationmicro admin permission is required to export in JSON format. Write permission enables users to create, edit, and delete allowed URL configurations. Write permission provides Allowed URLs read permission.
Audit	Read permission enables users to view: Last Sign In information on the Users page Last Modified information on the user configuration page Last Modification information on the Settings page
Computer Group	Read permission enables users to view computer management groups and export them in CSV format. The Export Content permission is required to export in JSON format. Additional permissions are required to view the user group, user, and persona assignments of computer management groups. See Manage computer management groups. Write permission enables users to create, edit, and delete computer management groups. Write permission provides the Computer Group read permission. To create a computer management group in which membership is based on a sensor filter, users require the following permissions in addition Computer Group write: Sensor (platform content): Read permission on the Reserved content set, which includes content that is used to ask preview questions Interact Module (module): Write permission Computer groups with manually defined membership do not require the Sensor read or Interact Module write permissions.
Export Content	Enables users to export the following content types in JSON format: Actions Allowed URLs Computer management groups Content sets Filter groups Packages Roles Saved questions Scheduled actions Sensors Only the Administrator reserved role can export categories and dashboards.
Import Signed Content	Enables users to import digitally signed content files, such as for sensor configurations.
Global bandwidth throttles	Read permission enables users to view global bandwidth throttles on the Bandwidth Throttles page. Write permission enables users to create, edit, and delete global bandwidth throttles.
Global Settings	Read permission enables users to view the platform settings of Tanium CloudTanium Core Platform servers and Tanium Clients on the Settings page. Write permission enables you to edit, create, or delete platform settings. Write permission provides the Global Settings read permission.
Https Certificates	Read permission enables users to view information about certificates and certificate signing requests (CSRs) on the Administration > Configuration > SSL Certificates page. Only the Administrator reserved role can generate CSRs and upload new certificates.
Intentional Subnets	Read permission enables users to view and export intentional client subnet configurations on the Administration > Configuration > Subnets page. Write permission enables users to create, edit, and delete intentional client subnet configurations. Write permission provides Intentional Subnets read permission.
Isolated Subnets	Read permission enables users to view and export isolated client subnet configurations on the Administration > Configuration > Subnets page. Write permission enables users to create, edit, and delete isolated client subnet configurations. Write permission provides Isolated Subnets read permission.
Persona	Read permission enables users to view and export persona details. The Permission Administrator permission provides the Persona read permission. Write permission enables users to create, edit, and delete personas when combined with the Permission Administrator permission. Write permission provides the Persona read permission. Users require additional permissions to edit the assignment of other RBAC objects (such as users) to personas. See Manage personas.
Public Key	Read permission enables Tanium REST API users to download the Tanium public key (tanium.pub) or initialization file (tanium-init.dat). Only the Administrator reserved role can access the Infrastructure page to download those files through Tanium Console.
Question History	Read permission enables users to view the Question History page. To issue a question from the Question History page, users also require the following permissions: Interact module permissions: Interact show Interact Module read Platform Content Permissions: Saved Question read permission on the content sets that contain the questions that the user is allowed to issue. Sensor read permission on the content sets that contain the sensors that are used in the questions that the user is allowed to issue.
Separated Subnets	Read permission enables users to view and export separated client subnet configurations on the Subnets page. Write permission enables users to create, edit, and delete isolated client subnet configurations. Write permission provides Separated Subnets red permission.
Server Status	Read permission enables users to view the https://<Tanium_Server>/info page. For details, see View the info page.
Subnet bandwidth throttles	Read permission enables users to view site-specific bandwidth throttles on the Bandwidth Throttles page. Write permission enables users to create, edit, and delete site-specific bandwidth throttles.
Client Status	Read permission enables users to view the Client Status page.
Token - Revoke	Enables users to create or revoke API tokens that are used to access Tanium Cloudthe Tanium Server.
Token - Use	Enables users to send requests to the Tanium Cloudthe Tanium Server for new API tokens.
Token - View	Enables users to view the API Tokens page.
Token - Rotate	Enables users to rotate API tokens. Rotation deletes the selected token and creates a new one. The expiration timer of the new token is reset and has the same interval as the deleted token.
User	Read permission enables users to view and export user configurations on the Users page. Write permission enables users to create, edit, and delete user configurations. Write permission provides User read permission. Additional permissions are required to view and edit the role, user group, and persona assignments of users. See Manage users.
User Group	Read permission enables users to view and export user group configurations on the User Groups page. Write permission enables users to create, edit, and delete user group configurations. Write permission provides User Group read permission. Additional permissions are required to view and edit the role, user, and persona assignments of user groups. See Manage user groups.
Management Rights	Read permission enables users to view the computer management group assignments of users, user groups, and personas when combined with the Read Computer Group permission. Management Rights write permission is one of the permissions that are required to edit the computer management group assignments of users, user groups, and personas. For additional required permissions, see Manage computer management groups. Management Rights read and write are not explicit permissions; the Permission Administrator permission provides them.
Content Set	Read permission enables users to view content set configurations. Write permission enables users to: Create, edit, and delete content sets Move content between content sets Export content sets in CSV format. The Export Content administration permission is required to export in JSON format. These are not explicit permissions; the Permission Administrator permission provides them.
Role	Read permission enables users to view role configurations and export them in CSV format. The Export Content permission is required to export in JSON format. Write permission enables users to create, edit, and delete role configurations. Grant permission is one of the permissions that are required to edit the role assignments of users, user groups, and personas. These are not an explicit permissions; the Permission Administrator permission provides them. Users require the following combined permissions to manage role assignments: Permission Administrator and User write permissions are required to edit the role assignments of users. Permission Administrator and User Group write permissions are required to edit the role assignments of user groups. Permission Administrator and Persona write permissions are required to edit the role assignments of personas.

Solution permissions

See the following Tanium solution user guides for information about solution-specific permissions. Some of these permissions require content set assignments. See Manage content set permissions for a role.

Platform content permissions

The following table describes the permissions for Tanium Core Platform content. After assigning these permissions to a role, you must apply them to content sets. See Manage content set permissions for a role.

Table 3: Platform content permissions
Permission	Description
Action	Action read permission enables users to perform the following tasks on the Scheduled Actions, All Pending Approvals, and Action History pages: View actions. The visibility of specific actions (grid rows) depends on Action read permission on the content set for the associated packages. Export the actions in CSV format. The Export Content administration permission is required to export actions in JSON format. Copy the actions to the clipboard. View action status, when combined with other content permissions. Action write permissions enable users to perform the following tasks on the Scheduled Actions, All Pending Approvals, and Action History pages: Reissue or edit actions, when combined with Sensor read permissions on the Reserved content set. The Reserved content set includes content that is used to ask preview questions. View the status of, and re-download, packages that are associated with actions. Disable or enable actions. Change the action groups that actions target. Create copies of action configurations. Delete actions. Stop actions. Action read permission provides Own Action read permission. Action write permission provides Own Action read, Package read, and Show Preview permissions.
Action for Saved Question	Write permission enables users to: Access the Scheduled Actions page and see the actions they have deployed. See and use the Deploy Action button on the Question Results grid for saved questions that have associated packages. The Package read permission is not required for the associated packages. If the saved question does not have associated packages, the Deploy Action button does not appear. Write permission provides Own Action read and Show Preview permissions. Use the Action for Saved Question write permission instead of the Action write permission to limit use by action users who use Tanium products to execute standard operating procedures that someone else created.
Approve Action	Enables users to perform the following tasks on the Actions I Can Approve page: View actions that require approval. Users cannot view their own actions on this page. Approve actions that other users own, when combined with Sensor read permission. Users cannot approve their own actions. Export the actions in CSV format. Export Content (administration) permission is required to export actions in JSON format. Copy the actions to the clipboard.
Bypass Action Approval	Actions created by a user with this permission are not subject to approval requirements. No role, including the Administrator reserved role, includes this permission by default. This is the one platform content permission that has effect when granted to a user with the Administrator role.
Dashboard	Read permission enables users to view dashboards in the Interact Content page, if those users also have Interact show permission. The users also require read permissions for Saved Question and Sensor on related content to use the dashboard. Write permission enables users to create, edit, and delete dashboard configurations. Write permission provides Dashboard read permission.
Dashboard Group	Read permission enables users to view categories in the Interact Content page, if those users also have Interact show permission. Users also require read permissions for Dashboard, Saved Question, and Sensor on the related content to use the category. Write permission enables users to create, modify, and delete category configurations. Write permission provides the Category read permission.
Filter Group	Read permission enables users to: View the Filter Groups page Use filter groups for filtering questions, question results, and various lists in Tanium Console Export filter groups in CSV format. The Export Content administration permission is required to export in JSON format. Write permission enables users to create, edit, and delete filter group configurations. Write permission provides the Filter Group read permission.
Own Action	Enables users to perform the following tasks on their own actions (not those of other users) on the Scheduled Actions, All Pending Approvals, and Action History pages: View the actions. Export the actions in CSV format. The Export Content administration permission is required to export actions in JSON format. Copy the actions to the clipboard. View action status, when combined with other content permissions. The following permissions provide Own Action read permission: Action read Action write Action for Saved Question write User cannot create their own actions unless they have Action write and Interact Module read permissions.
Package	Read permission enables users to: View packages in the Deployment Package list of the Action Deployment page. View packages in the Packages page. Export packages in CSV format. The Export Content administration permission is required to export in JSON format. Write permission enables users to create, edit, and delete package configurations. Write permission provides Package read and Show Preview permissions.
Associated Packages	Associated Packages read permission is not an explicit permission; the Action for Saved Question write permission provides Associated Packages read permission.
Plugin	Reserved for future use.
Saved Question	Read permission enables users to: View saved questions in the Question Results grid drill-down and similar user interfaces. View saved questions in the Interact Overview page, if the user also has Interact show permission. Issue saved questions, if the user also has Sensor read permission on the content sets that contain the sensors in those questions. View the Saved Questions page. Export saved questions in CSV format. The Export Content administration permission is required to export in JSON format. Write permission enables users to create, edit, and delete saved question configurations. Write permission provides Saved Question read permission but does not provide Ask Dynamic Questions permission.
Sensor	Read permission enables users to: View sensor configurations. View sensors in the Question Builder and similar user interfaces throughout Tanium Console. Use sensors in questions if the user also has the ability to ask questions. Write permission enables users to create, edit, and delete sensor configurations. Write permission provides Sensor read and Show Preview permissions.
Show Preview	Show Preview is not an explicit permission. The write permissions for Action, Action for Saved Question, Sensor, and Package provide Show Preview. Show Preview enables users to ask questions that are necessary to preview the impact of new and changed action, sensor, and package configurations. To ask preview questions, the user also needs Sensor read permission on the Reserved content set, which includes content that is used to ask the preview questions.

Manage content set permissions for a role

When you configure a role with permissions for Tanium solution content (such as Trends Administrator permission) or platform content (such as Sensor read permission), you must assign Content Sets to the pertinent permissions.

Manage content set permissions for multiple roles

You can add or remove content set assignments for multiple roles when you configure role permissions:

Assign permissions and content sets to multiple roles
Unassign permissions and content sets from multiple roles

Manage content set permissions for a single role

Skip the first step in this procedure if you opened the Create Role or Edit Role page in a previous task.

From the Main menu, go to Administration > Permissions > Roles, click the Role Name, and click Edit Mode.
Perform one of the following sub-steps:

To assign all existing and future content sets to all the pertinent content permissions that you selected, select Add all Content Sets that exist or will exist to the permissions selected above. This option is useful, for example, when you want a user to always be able to read sensors or never be able to write actions, regardless of content set assignments.
To assign specific content sets to all the pertinent content permissions that you selected, click Apply Content Sets, select the sets, and click Select. The Content Sets selection dialog shows a check mark for any contents sets that are already assigned to all the selected permissions and shows a dash — for content sets that are applied to some (but not all) of the selected permissions.
Content sets that you assign through the Content Sets selection dialog override content set assignments for individual permissions. For example, if you previously assigned the Interact content set specifically to the Sensor read permission but then deselect that content set during the Apply Content Sets workflow, the Sensor read permission does not apply to the Interact content set.
To assign specific content sets to a specific permission:
1. Scroll to the Permissions section and click the number beside the permission icon, such as:
2. Select the content sets and click Select.
  Content sets that you assign to specific permissions are added to any previous assignments. For example, if you assigned the Base content set to all pertinent content permissions (Apply Content Sets workflow) and subsequently assigned the Interact content set specifically to the Sensor read permission, then both the Base and Interact content sets are assigned to the Sensor read permission.

To create a custom content set without leaving the role configuration page, click New Content Set, enter a Name to identify the set, and click Save. You can then assign the new content set to permissions.

(Optional) Review the content set assignments.

The role configuration pages use icons to indicate how permissions and content set assignments are derived. For details, see View effective role permissions.

To review the content set assignments of a specific permission, expand it in the Permissions section.
To review the content set assignments for all permissions, see the Content Sets grid.

Click Save.

Clone a role

To add a role that has many settings in common with an existing role, cloning the existing role and then modifying the clone is often a quicker method than configuring a new role. You can clone any role except the reserved roles.

From the Main menu, go to Administration > Permissions > Roles.
Select a role and click Clone.
Enter a Role Name to identify the role.
Update the user, user group, role, and content set assignments if necessary:

Manage user assignments for a role
Manage user group assignments for a role
Configure role permissions
Manage content set permissions for a role

Click Save.

Export and import roles

The following procedures describe how to export and import specific roles or all roles.

Develop and test custom content in your lab environment before importing that content into your production environment.

Export roles

Export roles as a file in one of the following formats:

CSV: When you open the file in an application that supports CSV format, it lists the roles with the same attributes (columns) as the Roles page displays and (optionally) lists the RBAC assignments of each role.
JSON: If you are assigned the Administrator reserved role, you can export role configurations as a JSON file to import them into another Tanium Server.

Perform the following steps to export roles:

From the Main menu, go to Administration > Permissions > Roles.
(Optional, CSV exports only) To add or remove attributes (columns) for the CSV file, click Customize Columns in the grid and select the attributes.
Select rows in the grid to export only specific roles. If you want to export all roles, skip this step.
Click Export .
(Optional) Edit the default export File Name.
The file suffix (.csv or .json) changes automatically based on the Format selection.
Select an Export Data option: All roles in the grid or just the Selected roles.
Select the file Format:
- List of Roles - CSV
  
  Optionally, select With RBAC Details to include the number of users, user groups, and personas to which the roles are assigned, along with the permissions that are assigned to the roles. The report includes a Total Users column that shows the total number of users to which each role is assigned either through direct assignment to user accounts or through assignments inherited from user groups.
- Role Definitions - JSON (Administrator reserved role only)
Click Export.
Tanium CloudThe Tanium Server exports the file to the downloads folder on the system that you used to access Tanium Console.

Import roles

Users who are assigned a role with Import Signed Content permission can import content files that are in JSON or XML format. The Administrator reserved role has this permission.

(Non-Tanium-provided content only) Digitally sign the content file and ensure a public key is in place to validate the signature. See Authenticating content files.
You do not have to generate keys or signatures for Tanium-provided solutions. Tanium signs this content before making it available, and the associated public key is distributed to the Tanium Server key store during the server installation process.
If you plan to import a file that another user signed, you can first perform an integrity check on the file. See Verify content file signatures.
From the Main menu, go to any of the following Administration pages:
- Configuration > Solutions
- Permissions > Filter Groups
- Under Content, select Sensors, Packages, or Saved Questions
- Under Actions, select Scheduled Actions, All Pending Approvals, or Actions I Can Approve
Select an Import option based on the source of the content:
- Import > Import Files: Perform one of the following steps to select one or more files:
  - Drag and drop files from your file explorer.
  - Click Browse for File, select the files, and click Open.
- Import > Import URL: Enter the URL in the Import URL field, and click Import.
For each file, expand the File name, review the content to import, and select resolutions for any conflicts with existing content (see Resolve conflicts when importing updates).
If you want to overwrite existing content set assignments for all imported objects with the default Tanium-defined assignments, select Include content set overwrite. By default, the Include content set overwrite check box is deselected and the Tanium Server preserves the existing content set assignments.
Click Begin Install.

Copy role configuration details

Copy information from the Roles page to your clipboard to paste the information into a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

From the Main menu, go to Administration > Permissions > Roles.
Perform one of the following steps:
- Copy row information: Select one or more rows and click Copy .
- Copy cell information: Hover over the cell, click Options , and click Copy .

Delete a role

Deleting a role removes it from any user, user group, and persona to which it was assigned.

Perform the following tasks before deleting a role:

Delete the user assignments from the role configuration: Manage user assignments for a role.
Delete the user group assignments from the role configuration: Manage user group assignments for a role.
Go to the effective permissions page for your users and review the resulting impact on the effective permissions: View effective role permissions for a user.

To delete a role:

From the Main menu, go to Administration > Permissions > Roles.
Select the role and click Delete .