Managing roles

Roles overview

In the context of Tanium™ role-based access control (RBAC), a role assigns grant permissions to specify allowed activities, or deny permissions to specify prohibited activities. You assign roles to the personas of users and user groups to control what users can see and do in the Tanium system.

If you plan to import users and user groups from a Lightweight Directory Access Protocol (LDAP) or Active Directory (AD) server, do so before configuring or assigning roles. For details, see Integrating with LDAP servers.

The Tanium implementation of RBAC supports the following role types:

Advanced roles

Advanced roles grant or deny content set permissions, which control access to sensors, packages, saved questions, and other types of content.

Micro admin roles

Micro admin roles grant or deny permissions that control access to system administration functions of the Tanium Server, such as the Administration > System Status page or API token requests.

Module roles

Module roles grant Tanium solution module permissions, which control access to module workbenches and features. Module roles also grant permissions for module-specific content sets. Module roles do not have deny roles. Users who do not have a role that grants module access cannot access the module workbench or features. Some module permissions automatically enable additional provided permissions. For example, if you select the Patch Module Write permission in a module role, it automatically provides the Ask Dynamic Questions permission.

Reserved roles

The predefined reserved roles assign permissions that enable special-purpose capabilities, such as managing action groups or using the Tanium Console Configuration pages. These special permissions are not available to non-reserved roles. In addition to the special permissions, reserved roles can have some or all of the permissions associated with advanced, micro admin, and module roles.

The following figure shows the configurable components of the different role types, and the order in which you assign them.

For an overview of how roles relate to other RBAC configuration objects such as content sets, personas, users, user groups, and computer groups, see Tanium RBAC implementation and concepts.

Roles have a many-to-many relationship with users and user groups. For example, all Tanium Interact users can have the Interact Show module role, and each of those users can have additional advanced roles that provide access to the sensors and questions that they use in Interact. Similarly, you can configure permissions for the same content set across multiple roles, and each role can specify permissions across multiple content sets. As a best practice when configuring roles, take full advantage of their modularity and cumulative effect on user permissions. For example, instead of creating a single role with all the permissions that a particular user needs, and creating another role with only slightly different permissions for another user, create several roles with smaller but unique permissions sets. You can then mix and match these minimalistic roles among various users to achieve the same effective permissions as individual roles that have comprehensive permissions. For details, see Effective role permissions.

Roles that assign write permissions, such as Write Sensor, implicitly assign read permissions, such as Read Sensor. For details, see Implied role permissions.

Users inherit roles from the user groups to which you assign those users. For details, see Inherited roles.

For a given Tanium Console session, only the permissions of the currently selected persona are available to a user, even if multiple personas are assigned to that user. For details, see Managing personas.

Grant and deny roles

You can assign multiple grant and deny roles to the personas of a user or user group. The Tanium system bases the effective permissions of a persona on the cumulative effect of all the roles assigned to it: all permissions granted or implied, minus those explicitly denied. For details, see Effective role permissions.

In advanced roles, the permission and content set in the deny role must match the permission and content set in the grant role to effectively negate the grant permission. In this example, the deny Write Sensor permission on Content Set A matches the grant Write Sensor permission on Content Set A, so the grant permission is negated.

In the following example, the deny Write Sensor permission on Content Set D does not match any grant permissions, so it has no impact on Erin’s effective permissions.

When you assign content sets to permissions in advanced roles, the Add all Content Sets that exist or will exist to the permissions option is equivalent to listing each and every content set. In this case, the deny Write Sensor permission on Content Set D has effect.

Grant and deny micro admin roles follow the same rules as advanced roles. In the following example, Erin is assigned a grant role with specified permissions, and two deny roles with specified permissions. Exact matches are factored out. Erin has all of the capabilities afforded by the grant role assigned to her, minus the capabilities that are specified in the deny roles that are assigned to her.

Module roles do not have deny roles. You can only grant module access. Users who do not have a role that grants module access cannot access the module workbench or functionality.

Implied role permissions

In grant roles, the write permission implies the read permission. The advanced role assigned to Erin and Grace has the write permission on the specified content sets, so the configuration does not need to specify the read permission. A role that has only the Read Sensor permission on the same content set is created for read-only type of users, like Bob in this example.

In deny roles, permissions are not implied. Permissions must be explicitly denied and must exactly match the permission configured in the grant role to be factored out. For example, if a deny role asserts that Write Sensor permission is denied on a specified content set, it does not imply that the Read Sensor permission is denied. When effective permissions are evaluated in the following example, the deny role permissions do not exactly match any grant role permissions, so no grant permissions are struck. The deny role is disregarded, and Bob still has Read Sensor permission on the specified content set.

Inherited roles

Users inherit role permissions from the personas that are assigned to their user groups. Erin belongs to the user group named David’s Team, so she inherits permissions from the personas that are assigned to that user group. She also has permissions from the personas that are assigned to her user configuration. The system enforces the net effect. In the following example, Erin has all the capabilities afforded by group assignment and user-specific grant roles, minus the capabilities that are specified in any deny roles assigned to her.

Reserved roles

The predefined reserved roles assign permissions for special-purpose capabilities, such as using the Tanium Console Configuration pages. The permissions are implicit, so you cannot edit or delete them. The permissions are not available to non-reserved roles. In addition to the special permissions, reserved roles can have some or all of the permissions associated with advanced, micro admin, and module roles. Special logic applies when you assign both a reserved role and non-reserved roles to a user or user group, as described in the following sections.

Administrator reserved role

The Administrator role has all permissions to all content, modules, and administrative functionality. When you assign this role, other grant roles are superfluous and deny roles (not including Deny All) are ineffective.

Exception: An advanced role with the Bypass Action Approval permission does have effect when assigned to a user with the Administrator reserved role. The Administrator reserved role does not have this permission by default. Due to the sensitive nature of bypassing approval, you must explicitly assign this permission in all cases.

Content Set Administrator reserved role

The Content Set Administrator role assigns a permission to read and write content set and role configurations, including role assignments within the personas of user and user group configurations. When a userpersona has this role, any other grant role is ignored. Deny All is the only role that can affect a user with the Content Set Administrator role.

Notice the result when both the Content Set Administrator and Administrator roles are assigned. Only the Content Set Administrator role remains effective. Be careful not to assign the Content Set Administrator role to users who must have other roles. Be careful not to assign (directly or by user group inheritance) the Content Set Administrator role to users who are assigned the Administrator role.

Content Administrator reserved role

The Content Administrator role grants read and write permissions for all content sets, as well as action management permissions. A user with this role can also have grant module roles and micro admin roles. When determining effective permissions, the Tanium system adds grant module roles, factors micro admin roles, and disregards any additional advanced roles.

Deny All reserved role

Users with the Deny All role cannot access anything in the Tanium Core Platform, regardless of any other role that you assign to them, including the Administrator role. In the following example, the only role assigned to Frank that has any effect is Deny All.

Tasks that require reserved roles

To perform the following tasks, a user must have a reserved role because the tasks are not associated with micro admin permissions that you can assign to micro admin roles.

Table 1:   Tasks requiring a reserved role

Task	Administrator	Content Administrator	Content Set Administrator
Content Alignment Use the Content Alignment page to move module-specific content to the appropriate module content set.
Permissions Create, modify, or delete user role or content set configurations.
Role settings Edit role settings in the user or user group configurations.
Personas Create, modify, assign, or delete persona configurations.
Solutions Import Tanium modules, content packs, or Tanium Console User Interface updates. View and import lab content.
Configuration View or manage any of the Configuration pages, including those for proxy settings, logging levels, plugins, plugin schedules, sensor threshold indicators, cache info, Tanium Client subnets, bandwidth throttling, Tanium licenses, Tanium root keys, trust among Tanium Core Platform servers, LDAP servers, SAML, API tokens, and Tanium Console customizations.
Question History Load a question from the Question History page.
Interact Categories Read and manage the Other Dashboards temp category.

Effective role permissions

The effective permissions of a user persona are based on the cumulative effect of all the assigned and inherited roles, including the following:

• Permissions specified in grant roles minus permissions specified in deny roles
• Implied permissions in grant roles
• Roles assigned to the persona that a user selects for a Tanium Console session
• Roles inherited from a persona that is assigned to user groups, after the user selects that persona for a Tanium Console session

The user and user group configuration pages have a Roles and Effective Permissions section that clarifies how the Tanium system derives effective permissions.

In the roles section, hover over the tile for an inherited role to see the user group from which it was inherited. Click the tile for a role to highlight the associated permissions in the permissions sections. Click the All Roles tile to redisplay the permissions without highlighting.

Create an advanced role

Advanced roles grant or deny content set permissions, which control access to sensors, packages, saved questions, and other content.

1. Go to Permissions > Roles.
2. Click New Role and then select Grant Advanced Role or Deny Advanced Role to display the role configuration page.
3. Specify a configuration Name.
4. (Optional) In the All Content Sets Option section, select Add all Content Sets that exist or will exist to the permissions selected below to grant or deny permissions across all existing and future content sets. This option is useful, for example, when you want a user to always be able to read sensors or never be able to write actions.
5. In the Ask Dynamic Question section, click Add + to enable users with this role to ask dynamic (ad-hoc) questions.

   Ask Dynamic Questions is a global permission. If it is enabled in any role assigned to a user, the user has permission to create dynamic questions that use any of the sensors for which they have read access.

6. In the Advanced Permissions section, click Add + to add a permission to the configuration. See Table 2 for descriptions of the permissions.
7. Add content sets to each permission: click Add in the permission tile, select content sets, and click Save.
8. Save the configuration.

Table 2:   Content Set Permissions

Permission	Description
Bypass Action Approval	Actions created by a user with this permission are not subject to approval requirements. No role, including the Administrator reserved role, includes this permission by default. This is the one advanced permission that has effect when granted to a user with the Administrator reserved role.
Read Sensor	Can view sensors in the Question Builder and similar user interfaces throughout the console. Can use sensors in questions if the user also has the ability to ask questions. Cannot view the Content > Sensors page unless the user also has the Write Sensor permission.
Write Sensor	Can view the Content > Sensors page. Can create, modify, and delete sensor configurations. Implies the Read Sensor and Show Preview permissions.
Read Action	Can view the Actions pages. Visibility of rows in the grid depends on the Read Action permission on the content set for the underlying package. The permission enables users to re-download package files and copy grid rows to the clipboard. Implies the Read Own Action permission.
Read Own Action	Determines whether the actions of the logged in user appear in the Actions > All Pending Approval grid.
Write Action	Can view the Actions > Scheduled Actions page. Users can see rows for actions they issued. If a user has the Read Action permission on the content set for the underlying package, that user can see rows for actions that other users issued. Can see and use the Deploy Action button on the Question Results grid for dynamic questions and saved questions. Implies the Read Own Action, Read Package, and Show Preview permissions. To deploy an action, edit an action, or check action status, a user also needs Read Sensor and Read Saved Question on the Reserved content set. The Reserved content set includes content used to ask preview and polling questions.
Write Action for Saved Question	Can see the Actions > Scheduled Actions page, but the only rows are for the actions that the user has deployed. Can see and use the Deploy Action button on the Question Results grid but only for saved questions that have associated actions. The Read Package permission is not required for the associated actions. If the saved question does not have associated actions, the Deploy Action button does not appear. Tip: Use this permission instead of the Write Action permission to limit use by action users who use Tanium products to execute standard operating procedures that someone else created.
Read Filter Group	Can see the Content > Filter Groups page, and use filter groups for filtering questions, question results, and various lists in the Tanium Console.
Write Filter Group	Create, modify, and delete filter group configurations. Implies the Read Filter Group permission.
Approve Action	Can approve actions that another user created. Users with this permission cannot approve their own actions. To view the actions on the Actions > Actions I Can Approve and Actions > All Pending Approval pages, you must also have the Read Package and Read Own Action permissions.
Read Plugin	Reserved for future use.
Execute Plugin	Reserved for future use.
Read Package	Can view packages in the Browse Packages dialog opened from the Deploy Action workflow page. Cannot view the Content > Packages page unless the user also has the Write Package permission.
Write Package	Can view the Content > Packages page. Can create, modify, and delete package configurations. Implies the Read Package and Show Preview permissions.
Read Saved Question	Can view saved questions in the Question Results grid drill-down and similar user interfaces. Can view the Interact Saved Questions page, if the user also has access to the Interact workbench. Cannot view the Content > Saved Questions page unless the user also has the Write Saved Question permission. To issue a saved question as expected, the user also requires the Read Sensor permission for the pertinent sensor.
Write Saved Question	Can view the Content > Saved Questions page. Can create, modify, and delete saved question configurations. Implies the Read Saved Question permission. Note: Does not imply the Ask Dynamic Questions permission.
Read Associated Packages	Not an explicit permission. Implied in the Write Action for Saved Question permission.
Read Dashboard	Can view the Dashboards pages, if the user also has permission to the Interact workbench. A user also needs the Read Saved Question and Read Sensor permission for the related content to use the dashboard.
Write Dashboard	Can create, modify, and delete dashboard configurations. Implies the Read Dashboard permission.
Read Dashboard Group	Can view the Categories pages, if the user also has permission to the Interact workbench. A user also needs the Read Dashboard, Read Saved Question, and Read Sensor permissions on the related content to use the category.
Write Dashboard Group	Can create, modify, and delete category configurations. Implies the Read Category permission.
Show Preview	Not an explicit permission. Implied in the Write Action, Write Action for Saved Question, Write Package, and Write Sensor permissions. Enables authors to ask questions necessary to preview the impact of new and changed configurations. To ask preview questions, the user also needs Read Sensor on the Reserved content set. The Reserved content set includes content used to ask preview questions.

Create a micro admin role

Micro admin roles assign Tanium system administration permissions.

1. Go to Permissions > Roles.
2. Click New Role and then select Grant Micro Admin Role or Deny Micro Admin Role to display the role configuration page.
3. Specify a configuration Name.
4. Click Add + to add a permission to the configuration. See Table 3 for descriptions of the permissions.

   Some administrative tasks in the Tanium Console are not associated with micro admin permissions; only users who have a reserved role can perform these tasks. For details, see Tasks that require reserved roles.

5. Save the configuration.

Table 3:   Micro admin permissions

Permission	Description
Read System Status	Can view the Administration > System Status page.
Read Question History	Can view the Administration > Question History page. To load and ask a question for the Question History page, the user would also need the underlying content permissions.
Read User	Can view the Administration > Users page and view users that are listed on the Administration > User Groups and Permissions > Roles pages.
Write User	Can create, modify, and delete user configurations. Implies the Read User permission.
Read User Group	Can view the Administration > User Groups page.
Write User Group	Can create, modify, and delete user group configurations. Implies the Read User Group permission.
Read Computer Group	Can view the Administration > Computer Groups page and Content > Filter Groups page.
Write Computer Group	Can create, modify, and delete computer management group and filter group configurations. Implies the Read Computer Group permission. To create computer groups in which membership is based on a sensor filter, the user also needs the Read Sensor permission on the Reserved content set. The Reserved content set includes content that is used to ask preview questions. Computer groups in which membership is manually defined do not require this permission.
Read Global Settings	Can view the Administration > Global Settings page.
Write Global Settings	Can create, modify, and delete global settings. Implies the Read Global Settings permission.
Read Whitelisted URLs	Can view the Administration > Whitelisted URLs page.
Write Whitelisted URLs	Can create, modify, and delete the whitelisted URLs configuration. Implies the Read Whitelisted URLs permission.
Read Audit	Can view: Last Login information on the Administration > Users page Last Modified on information on the user details page (select Administration > Users and click View User) Last Modification information on the Administration > Global Settings page
Read Server Status	Can view the https://<Tanium_Server>/info page. For details, see About Us.
View Token	Can view the Configuration > Authentication > API Tokens page.
Use Token	Can send requests to the Tanium Server for new API tokens.
Revoke Token	Can revoke API tokens that are used to access the Tanium Server.
Import Signed Content	Can import digitally signed content files.
Read Action Group	Can view specific action groups in the Actions > Scheduled Actions page.
Write Action Group	Can create, modify, and delete action groups. Implies the Read Action Group permission.

Create a module role

Module roles grant Tanium solution module permissions, which control access to module workbenches and features. Module roles also grant permissions for module-specific content sets. Module roles do not have deny roles. Users who do not have a role that grants module access cannot access the module workbench or features. Some module permissions enable provided permissions, which a role configuration includes automatically when you select module permissions. For example, if you select the Patch Module Write permission, the role automatically includes the Ask Dynamic Questions permission.

Refer to the module user guides for information about module-specific roles.

Module	Link
Asset	User Guide
Comply	User Guide
Connect	User Guide
Deploy	User Guide
Detect	User Guide
Direct Connect	User Guide
Discover	User Guide
End-User Notifications	User Guide
Health Check	User Guide
Incident Response	User Guide
Integrity Monitor	User Guide
Interact	User Guide
Map	User Guide
Network Quarantine	User Guide
Patch	User Guide
Performance	User Guide
Protect	User Guide
Reputation	User Guide
Reveal	User Guide
Threat Response	User Guide
Trace	User Guide
Trends	User Guide

Perform the following steps to create a module role:

1. Go to Permissions > Roles.
2. Click New Role and then select Grant Module Role to display the role configuration page.
3. Specify a Name to identify the role.
4. (Optional) In the All Content Sets Option section, select Add all Content Sets that exist or will exist to the permissions selected below to grant permissions across all existing and future content sets that are associated with the module. This option appears only for custom modules that have module-specific content.
5. In the Module Permissions section, click Add + to add a module to the configuration.
6. Click Edit to open the permissions selection box for the module.
7. Select permissions and click Save to close the selection box.
8. If this role is for a custom module that has module-specific content, add content sets to each permission: click Add in the permission tile, select content sets, and click Save. Skip this step if you selected Add all Content Sets that exist or will exist to the permissions selected below.
9. Save the configuration.

Assign users and user groups to a role

You can assign users and user groups to roles in the role configuration (as follows) or in the user and user group configurations.

1. Go to Permissions > Roles.
2. Select a role and click Edit to display the role configuration page.
3. Click Edit User Assignment to display the Assign Users and User Groups page.
4. Next to User Groups, click Edit. Select groups and click Save to close the selection box.
5. Next to Users, click Edit. Select users and click Save to close the selection box.
6. Click Show Preview to Continue to review the impact of your changes. Review the effective permissions and save the configuration.
7. Save your changes.

Clone a role

To add a role that has many settings in common with an existing role, cloning the existing role and then modifying the clone is often a quicker method than configuring a new role. Note that you must still assign users and user groups to the clone, and optionally enter a description; the clone will not inherit those settings from the original role. You can clone any role except the reserved roles.

1. Go to Permissions > Roles, select a role, and click Clone.
2. Enter a Name to identify the role, update the permissions as needed, and save your changes.
3. Assign users and user groups to the role (see Assign users and user groups to a role).

Export and import roles

Exporting and importing roles is useful when you need to copy the roles between Tanium deployments. For example, you might export roles to a lab deployment for testing before using the roles in a production deployment.

Export all roles

1. From any Content or Permissions page, click Export Content in the top right of the Tanium Console.
2. Select Content Sets and Roles, select the Export Format (JSON or XML), and click Export.
3. Enter a File Name or use the default name, and then click OK. The Tanium Server exports the content file to the Downloads folder on the system you use to access the Tanium Console.

Export one or more roles

1. Go to Permissions > Roles, select one or more roles, and click Export .
2. Enter a File Name or use the default name, and then click OK. The Tanium Server exports the content file to the Downloads folder on the system you use to access the Tanium Console.

Import roles

You can import files that are in JSON or XML format.

1. Digitally sign the content file and ensure a public key is in place to validate the signature, as described under Authenticating content files.
2. Go to any Content or Permissions page and click Import Content at the top right of the page.
3. Click Choose File, find and select the configuration file, and click Open.
4. Click Import. If object names in the file are the same as for existing objects, the Tanium Console itemizes the conflicts and provides resolution options for each one.
5. Select resolutions for any conflicts. For guidance, see Conflicts and Best practices, or consult your TAM.
6. Click Import again, and click Close when the import finishes.

Delete a role

When you delete a role configuration, the role is removed from any user and user group configurations that had included it. When deleting a role configuration, we recommend:

1. Delete the users and user group assignments from the role configuration.
2. Go to the effective permissions page for your users and review the resulting impact on the users' effective permissions.
3. Delete the role configuration.