
Managing Roles

You can create the following types of grant and deny roles:

  • Advanced
  • Micro Admin
  • Module (only grant)

If you are unfamiliar with Tanium™ Console role-based access control, read the Overview.

Create an advanced role

Advanced roles assign fine-grained content set permissions.

Role requirements

You must have the Administrator role or Content Set Administrator role to create a role.

Create a role

  1. Go to Permissions > Roles.
  2. Click New Role and then select Grant Advanced Role or Deny Advanced Role to display the role configuration page.
  3. Specify a configuration name.
  4. Optional. Under All Content Sets Option, select the Add all Content Sets that exist or will exist to the permissions selected below option to grant or deny permissions absolutely. This option is useful, for example, when you want a user to always be able to read sensors or never be able to write actions.
  5. Under Ask Dynamic Question, click the icon to enable users with this role to ask ad hoc questions.

    Ask Dynamic Questions is a global permission. If it is enabled in any role assigned to a user, the user has permission to create ad hoc questions that use any of the sensors for which they have read access.

  6. Under Content Set Permissions, click the icon to add a permission to the configuration; click the icon to remove a permission. See Table 1 for descriptions of the permissions.
  7. Add content sets to the permissions. Click the Add button to display the Content Sets selection box.
  8. Select content sets and click Save to close the selection box.
  9. Save the configuration.
Table 1:   Content Set Permissions

Bypass Action Approval
    Actions created by a user with this permission are not subject to approval requirements.
    No role, including the Administrator reserved role, includes this permission by default.
    This is the one advanced permission that has an effect when granted to a user with the Administrator reserved role.

Read Sensor
    Can view sensors in the Question Builder and similar user interfaces throughout the console. Can use sensors in questions, if the user also has the ability to ask questions. Cannot view the Authoring > Sensors page unless the user also has the Write Sensor permission.

Write Sensor
    Can view the Authoring > Sensors page. Can create, modify, and delete sensor configurations. Implies the Read Sensor and Show Preview permissions.

Read Action
    Can view the Actions pages. Visibility of rows in the grid depends on the Read Action permission on the content set for the underlying package.
    Implies the Read Own Action permission.

Read Own Action
    Determines whether the logged-in user's own actions appear in the All Pending Approval grid.

Write Action
    Can view the Scheduled Action pages. Users can see rows for actions they issued. Users can see rows for actions issued by others if they have the Read Action permission on the content set for the underlying package.
    Can see and use the Deploy Action button on the results grid for dynamic questions and saved questions.
    Implies the Read Own Action, Read Package, and Show Preview permissions.
    To deploy an action, edit an action, or check action status, a user also needs Read Sensor and Read Saved Question on the Reserved content set. The Reserved content set includes content used to ask preview and polling questions.

Write Action for Saved Question
    Can see the Scheduled Action pages, but the only rows are for the actions that the user has deployed.
    Can see and use the Deploy Action button on the results grid for saved questions but not for dynamic questions. The Read Package permission is not required.
    Tip: Use this permission instead of the Write Action permission to limit "action users" who use Tanium to execute standard operating procedures created by someone else.

Approve Action
    Can approve actions that were created by another user, but not their own.
    To view the actions on the Actions I Can Approve and All Pending Approval pages, the user must also have the Read Package and Read Own Action permissions.

Read Plugin
    Reserved for future use.

Execute Plugin
    Reserved for future use.

Read Package
    Can view packages in the Browse Packages dialog box in the deploy action workflow. Cannot view the Authoring > Packages page unless the user also has the Write Package permission.

Write Package
    Can view the Authoring > Packages page. Can create, modify, and delete package configurations. Implies the Read Package and Show Preview permissions.

Read Saved Question
    Can view saved questions in the results grid drill-down and similar user interfaces. Can view the Interact Saved Questions page, if the user also has access to the Interact workbench. Cannot view the Authoring > Saved Questions page unless the user also has the Write Saved Question permission.
    To issue a saved question as expected, the user must also have the Read Sensor permission for the pertinent sensor.

Write Saved Question
    Can view the Authoring > Saved Questions page. Can create, modify, and delete saved question configurations. Implies the Read Saved Question permission.
    Note: Does not imply the Ask Dynamic Questions permission.

Read Dashboard
    Can view the Dashboards pages, if the user also has access to the Interact workbench.
    A user also needs the Read Saved Question and Read Sensor permissions for the related content to use the dashboard.

Write Dashboard
    Can create, modify, and delete dashboard configurations. Implies the Read Dashboard permission.

Read Dashboard Group
    Can view the Categories pages (dashboard groups appear as categories in the console), if the user also has access to the Interact workbench.
    A user also needs the Read Dashboard, Read Saved Question, and Read Sensor permissions on the related content to use the category.

Write Dashboard Group
    Can create, modify, and delete category configurations. Implies the Read Dashboard Group permission.

Show Preview
    Not an explicit permission. Implied by the Write Action, Write Action for Saved Question, Write Package, and Write Sensor permissions. Enables authors to ask the questions necessary to preview the impact of new and changed configurations. To ask preview questions, the user also needs Read Sensor on the Reserved content set. The Reserved content set includes content used to ask preview questions.

Read Associated Packages
    Not an explicit permission. Implied by the Write Action for Saved Question permission.
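The "Implies" and "also needs ... on the Reserved content set" rules in Table 1 are easy to miss when reviewing a role by hand: Write Package silently carries Read Package and Show Preview, and Show Preview is useless without Read Sensor on the Reserved content set. The following Python is an added example, not code from this page or from Tanium. It encodes Table 1's implication relationships and Reserved-content-set prerequisites, expands a role's explicit grants into every permission the role actually confers, and flags grants that cannot be exercised because a prerequisite is missing. The content set name "Windows Apps" and the use of "*" to stand for the All Content Sets option are assumptions made for the example.

```python
"""Expand a Tanium advanced role's grants with the implications from Table 1.

Added example, not Tanium code. A grant is (permission, content set); the
content set "*" stands for the All Content Sets option (an assumption made
here for the example).
"""
from typing import Dict, FrozenSet, Iterable, Set, Tuple

Grant = Tuple[str, str]  # (permission, content set)

# "Implies ..." relationships from Table 1: granting the key on a content set
# also grants every value on that same content set.
IMPLIES: Dict[str, FrozenSet[str]] = {
    "Write Sensor": frozenset({"Read Sensor", "Show Preview"}),
    "Read Action": frozenset({"Read Own Action"}),
    "Write Action": frozenset({"Read Own Action", "Read Package", "Show Preview"}),
    "Write Action for Saved Question": frozenset({"Show Preview", "Read Associated Packages"}),
    "Write Package": frozenset({"Read Package", "Show Preview"}),
    "Write Saved Question": frozenset({"Read Saved Question"}),
    "Write Dashboard": frozenset({"Read Dashboard"}),
    "Write Dashboard Group": frozenset({"Read Dashboard Group"}),
}

# Permissions that Table 1 says only work if the user also holds these
# permissions on the Reserved content set (preview and polling questions).
RESERVED_PREREQS: Dict[str, FrozenSet[str]] = {
    "Write Action": frozenset({"Read Sensor", "Read Saved Question"}),
    "Show Preview": frozenset({"Read Sensor"}),
}


def close(grants: Iterable[Grant]) -> FrozenSet[Grant]:
    """Return the grants plus everything they imply, transitively."""
    result: Set[Grant] = set(grants)
    work = list(result)
    while work:
        perm, cs = work.pop()
        for implied in IMPLIES.get(perm, frozenset()):
            g = (implied, cs)
            if g not in result:
                result.add(g)
                work.append(g)
    return frozenset(result)


def has(grants: FrozenSet[Grant], perm: str, cs: str) -> bool:
    """True if the permission is held on the content set or on all content sets."""
    return (perm, cs) in grants or (perm, "*") in grants


def missing_reserved_prereqs(grants: FrozenSet[Grant]) -> FrozenSet[Tuple[str, str, str]]:
    """(permission, content set, prerequisite) triples for granted permissions
    that cannot be used because the Reserved-content-set prerequisite is absent."""
    missing: Set[Tuple[str, str, str]] = set()
    for perm, cs in grants:
        for needed in RESERVED_PREREQS.get(perm, frozenset()):
            if not has(grants, needed, "Reserved"):
                missing.add((perm, cs, needed))
    return frozenset(missing)


def review_role(explicit: Iterable[Grant]) -> Tuple[FrozenSet[Grant], FrozenSet[Tuple[str, str, str]]]:
    """Expanded grants and unsatisfied prerequisites for a role's explicit grants."""
    expanded = close(explicit)
    return expanded, missing_reserved_prereqs(expanded)


if __name__ == "__main__":
    # Constructed sample: an action-deploying role scoped to a "Windows Apps" content set.
    explicit = [("Write Action", "Windows Apps"), ("Read Sensor", "*")]
    expanded, missing = review_role(explicit)
    for g in sorted(expanded):
        print("grants", g)
    for perm, cs, needed in sorted(missing):
        print(f"{perm} on {cs} needs {needed} on Reserved, which this role lacks")
```

Running the sample reports that Write Action on Windows Apps still needs Read Saved Question on the Reserved content set; Read Sensor is satisfied because it was granted on all content sets. Adding the Reserved grant, or an "All Content Sets" Read Saved Question grant, clears the finding.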

Create a Micro Admin Role

Micro Admin roles assign system administration permissions.

Role requirements

You must have the Administrator role or Content Set Administrator role to create a role.

Create a role

  1. Go to Permissions > Roles.
  2. Click New Role and then select Grant Micro Admin Role or Deny Micro Admin Role to display the role configuration page.
  3. Specify a configuration name.
  4. Click the icon to add a permission to the configuration; click Remove to remove a permission. See Table 2 for descriptions of the permissions.
  5. Save the configuration.
Table 2:   Micro Admin Permissions

Read System Status
    Can view the System Status page.

Read Question History
    Can view the Question History page. To load and ask a question from the Question History page, the user also needs the underlying content permissions.

Read User
    Can view the Users page and view users that are listed on the User Group and Roles pages.

Write User
    Can create, modify, and delete user configurations. Implies the Read User permission.

Read User Group
    Can view the User Group page.

Write User Group
    Can create, modify, and delete user group configurations. Implies the Read User Group permission.

Read Computer Group
    Can view the Computer Group page.

Write Computer Group
    Can create, modify, and delete computer group configurations. Implies the Read Computer Group permission. To create or edit computer groups, the user also needs the Read Sensor permission on the Reserved content set. The Reserved content set includes content used to ask preview questions.

Read Global Settings
    Can view the Global Settings page.

Write Global Settings
    Can create, modify, and delete global settings. Implies the Read Global Settings permission.

Read Whitelisted URLs
    Can view the Whitelisted URLs page.

Write Whitelisted URLs
    Can create, modify, and delete the whitelisted URLs configuration. Implies the Read Whitelisted URLs permission.

Create a Module Role

In 7.1, users must be assigned a grant module role in order to see the solution module workbench and use the module features. When you upgrade to 7.1.314.3071 or later and reimport the solution modules, the import creates module-provided roles and granular permissions. In most cases, the module-provided roles have been designed to match requirements for typical module users, and you do not have to create your own module roles. Refer to the solution module user guide for information about module-provided roles.

Module user guides:

  • Asset User Guide
  • Comply User Guide
  • Connect User Guide
  • Detect User Guide
  • Discover User Guide
  • Incident Response User Guide
  • Integrity Monitor User Guide
  • Patch User Guide
  • Protect User Guide
  • Trace User Guide
  • Trends User Guide

If necessary, you can create your own module roles and assign granular module permissions.

Role requirements

You must have the Administrator role or Content Set Administrator role to create a role.

Create a role

  1. Go to Permissions > Roles.
  2. Click New Role and then select Grant Module Role to display the role configuration page.
  3. Specify a configuration name.
  4. Click the icon to add a module to the configuration; click Remove to remove a module.
  5. Click Edit to display the permissions selection box for the module.
  6. Select permissions and click Save to close the selection box.
  7. Save the configuration.

Assign users and user groups to a role

You can associate users and user groups with roles either in the role configuration or in the user and user group configurations.

Role requirements

You must have the Administrator role or Content Set Administrator role to manage the roles configuration. However, a Content Set Administrator cannot manage the assignment of reserved roles.

Edit the role configuration

  1. Go to Permissions > Roles.
  2. Select a role and click Edit to display the configuration summary page.
  3. Click Edit User Assignment to display the Assign Users and User Groups page.
  4. Next to User Groups, click Edit. Select groups and click Save to close the selection box.
  5. Next to Users, click Edit. Select users and click Save to close the selection box.
  6. Click Show Preview to Continue, review the effective permissions that result from your changes, and then save the configuration.

Delete a Role

When you delete a role configuration, the role is removed from any user and user group configurations that had included it. When deleting a role configuration, we recommend:

  1. Delete the users and user group assignments from the role configuration.
  2. Go to the effective permissions page for your users and review the resulting impact on the users' effective permissions.
  3. Delete the role configuration.
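Steps 1 and 2 above exist because deleting a role changes effective permissions for every user and user group that referenced it, and not always in the direction you expect: deleting a deny role widens access. The following Python is an added example, not code from this page or from Tanium. It models users, user groups, and grant and deny roles, computes each user's effective permissions, and reports what every user would lose or gain if a given role were deleted. It assumes that a deny role overrides any grant and that a deny on the All Content Sets option (written here as "*") covers every content set; the page does not state the precedence rule, so confirm the result against the console's effective permissions page. Permissions are treated as already-expanded sets (the implications in Table 1 are not applied here), and the role, user, group and content set names are constructed sample data.

```python
"""Effective permissions across grant and deny roles, and the impact of deleting a role.

Added example, not Tanium code. Assumptions: a deny overrides any grant, and a
deny on content set "*" (the All Content Sets option) covers every content set.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

Grant = Tuple[str, str]  # (permission, content set)


@dataclass(frozen=True)
class Role:
    name: str
    kind: str               # "grant" or "deny"
    perms: FrozenSet[Grant]


@dataclass
class Directory:
    roles: Dict[str, Role]
    user_roles: Dict[str, Set[str]]   # user -> roles assigned directly
    user_groups: Dict[str, Set[str]]  # user -> user groups the user belongs to
    group_roles: Dict[str, Set[str]]  # user group -> roles assigned to the group

    def users(self) -> Set[str]:
        return set(self.user_roles) | set(self.user_groups)

    def roles_for(self, user: str) -> List[Role]:
        """Roles a user holds directly or through group membership."""
        names = set(self.user_roles.get(user, set()))
        for group in self.user_groups.get(user, set()):
            names |= self.group_roles.get(group, set())
        return [self.roles[n] for n in sorted(names) if n in self.roles]

    def effective(self, user: str) -> FrozenSet[Grant]:
        """Grants minus denies; a deny on "*" removes the permission on every content set."""
        granted: Set[Grant] = set()
        denied: Set[Grant] = set()
        for role in self.roles_for(user):
            (granted if role.kind == "grant" else denied).update(role.perms)
        return frozenset(
            (perm, cs) for perm, cs in granted
            if (perm, cs) not in denied and (perm, "*") not in denied
        )

    def without_role(self, name: str) -> "Directory":
        """The directory as it would look after deleting the role: the role disappears
        from every user and user group configuration that included it."""
        return Directory(
            roles={n: r for n, r in self.roles.items() if n != name},
            user_roles={u: rs - {name} for u, rs in self.user_roles.items()},
            user_groups={u: set(gs) for u, gs in self.user_groups.items()},
            group_roles={g: rs - {name} for g, rs in self.group_roles.items()},
        )


def deletion_impact(d: Directory, role_name: str) -> Dict[str, Tuple[FrozenSet[Grant], FrozenSet[Grant]]]:
    """Per affected user: (permissions lost, permissions gained) if role_name is deleted."""
    after = d.without_role(role_name)
    impact = {}
    for user in sorted(d.users()):
        before, later = d.effective(user), after.effective(user)
        if before != later:
            impact[user] = (before - later, later - before)
    return impact


# Constructed sample data: a help-desk group that may read every sensor, a
# sensor author role on a "Windows" content set, and a deny role that keeps one
# analyst from ever writing sensors.
SAMPLE = Directory(
    roles={
        "Read All Sensors": Role("Read All Sensors", "grant", frozenset({("Read Sensor", "*")})),
        "Windows Sensor Author": Role("Windows Sensor Author", "grant", frozenset({("Write Sensor", "Windows")})),
        "Never Write Sensors": Role("Never Write Sensors", "deny", frozenset({("Write Sensor", "*")})),
    },
    user_roles={"alice": {"Windows Sensor Author", "Never Write Sensors"}, "bob": {"Windows Sensor Author"}},
    user_groups={"alice": {"helpdesk"}, "bob": {"helpdesk"}},
    group_roles={"helpdesk": {"Read All Sensors"}},
)

if __name__ == "__main__":
    for role_name in ("Never Write Sensors", "Read All Sensors"):
        print(f"Deleting {role_name!r}:")
        for user, (lost, gained) in deletion_impact(SAMPLE, role_name).items():
            print(f"  {user}: loses {sorted(lost)}, gains {sorted(gained)}")
```

In the sample, deleting the deny role "Never Write Sensors" gives alice Write Sensor on Windows that she never had before, while deleting the group-assigned "Read All Sensors" strips Read Sensor from both users. Run the check before step 3 and compare it with the effective permissions page; any gain reported for a deny role deletion is a privilege escalation you should be deliberately accepting.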

Last updated: 2/20/2018 3:46 PM