Managing Roles

You can create the following types of grant and deny roles:

• Advanced
• Micro Admin
• Module (only grant)

If you are unfamiliar with Tanium™ Console role-based access control, read the Overview.

Create an advanced role

Advanced roles assign fine-grained content set permissions.

Role requirements

You must have the Administrator role or Content Set Administrator role to create a role.

Create a role

1. Go to Permissions > Roles.
2. Click New Role and then select Grant Advanced Role or Deny Advanced Role to display the role configuration page.
3. Specify a configuration name.
4. Optional. Under All Content Sets Option, select the Add all Content Sets that exist or will exist to the permissions selected below option to grant or deny permissions absolutely. This option is useful, for example, when you want a user to always be able to read sensors or never be able to write actions.
5. Under Ask Dynamic Question, click the icon to enable users with this role to ask ad hoc questions.

   Ask Dynamic Questions is a global permission. If it is enabled in any role assigned to a user, the user has permission to create ad hoc questions that use any of the sensors for which they have read access.

6. Under Content Set Permissions, click the icon to add a permission to the configuration; click the icon to remove a permission. See Table 1 for descriptions of the permissions.
7. Add content sets to the permissions. Click the Add button to display the Content Sets selection box.
8. Select content sets and click Save to close the selection box.


9. Save the configuration.

Table 1:   Content Set Permissions

Permission	Description
Bypass Action Approval	Actions created by a user with this permission are not subject to approval requirements. No role, including the Administrator reserved role, includes this permission by default. This is the one advanced permission that has effect when granted to a user with the Administrator reserved role.
Read Sensor	Can view sensors in the Question Builder and similar user interfaces throughout the console. Can use sensors in questions, if the user also has the ability to ask questions. Cannot view the Authoring > Sensors page unless the user also has the Write Sensor permission.
Write Sensor	Can view the Authoring > Sensors page. Can create, modify, and delete sensor configurations. Implies the Read Sensor and Show Preview permissions.
Read Action	Can view the Actions pages. Visibility of rows in the grid depends on the Read Action permission on the content set for the underlying package. Implies the Read Own Action permission.
Read Own Action	Determines whether the logged in user's actions appear in the All Pending Approval grid.
Write Action	Can view the Scheduled Action pages. Users can see rows for actions they issued. Users can see rows for actions issued by others if they have Read Action permission on the content set for the underlying package. Can see and use the Deploy Action button on the results grid for dynamic questions and saved questions. Implies the Read Own Action, Read Package, and Show Preview permissions. To deploy an action, edit an action, or check action status, a user also needs Read Sensor and Read Saved Question on the Reserved content set. The Reserved content set includes content used to ask preview and polling questions.
Write Action for Saved Question	Can see the Scheduled Action pages, but the only rows are for the actions that the user has deployed. Can see and use the Deploy Action button on the results grid but only for saved questions that are configured with an associated package. The Read Package permission is not required for the associated package. If the saved question is not configured with an associated package, the Deploy Action button is not displayed. Tip: Use this permission instead of the Write Action permission to limit use by "action users" who use Tanium to execute standard operating procedures created by someone else.
Approve Action	Can approve actions that were created by another user but not their own. To view the actions on the Actions I Can Approve and All Pending Approval pages, you must also have the Read Package and Read Own Action permissions.
Read Plugin	Reserved for future use.
Execute Plugin	Reserved for future use.
Read Package	Can view packages in the Browse Packages dialog box in the deploy action workflow. Cannot view the Authoring > Packages page unless the user also has the Write Package permission.
Write Package	Can view the Authoring > Packages page. Can create, modify, and delete package configurations. Implies the Read Package and Show Preview permissions.
Read Saved Question	Can view saved questions in the results grid drill-down and similar user interfaces. Can view the Interact Saved Questions page, if the user also has access to the Interact workbench. Cannot view the Authoring > Saved Questions page unless the user also has the Write Saved Question permission. To issue a saved question as expected, the user must also have the Read Sensor permission for the pertinent sensor.
Write Saved Question	Can view the Authoring > Saved Questions page. Can create, modify, and delete saved question configurations. Implies the Read Saved Question permission. Note: Does not imply the Ask Dynamic Questions permission.
Read Dashboard	Can view the Dashboards pages, if the user also has permission to the Interact workbench. A user also needs the Read Saved Question and Read Sensor permission for the related content to use the dashboard.
Write Dashboard	Can create, modify, and delete dashboard configurations. Implies the Read Dashboard permission.
Read Dashboard Group	Can view the Categories pages, if the user also has permission to the Interact workbench. A user also needs the Read Dashboard, Read Saved Question, and Read Sensor permissions on the related content to use the category.
Write Dashboard Group	Can create, modify, and delete category configurations. Implies the Read Category permission.
Show Preview	Not an explicit permission. Implied in the Write Action, Write Action for Saved Question, Write Package, and Write Sensor permissions. Enables authors to ask questions necessary to preview the impact of new and changed configurations. To ask preview questions, the user also needs Read Sensor on the Reserved content set. The Reserved content set includes content used to ask preview questions.
Read Associated Packages	Not an explicit permission. Implied in the Write Action for Saved Question permission.

Create a Micro Admin Role

Micro Admin roles assign system administration permissions.

Role requirements

You must have the Administrator role or Content Set Administrator role to create a role.

Create a role

1. Go to Permissions > Roles.
2. Click New Role and then select Grant Micro Admin Role or Deny Micro Admin Role to display the role configuration page.
3. Specify a configuration name.
4. Click the icon to add a permission to the configuration; click Remove to remove a permission. See Table 2 for descriptions of the permissions.
5. Save the configuration.

Table 2:   Micro Admin Permissions

Permission	Description
Read System Status	Can view the System Status page.
Read Question History	Can view the Question History page. To load and ask a question for the Question History page, the user would also need the underlying content permissions.
Read User	Can view the Users page and view users that are listed on User Group and Roles pages.
Write User	Can create, modify, and delete user configurations. Implies the Read User permission.
Read User Group	Can view the User Group page.
Write User Group	Can create, modify, and delete user group configurations. Implies the Read User Group permission.
Read Computer Group	Can view the Computer Group page.
Write Computer Group	Can create, modify, and delete computer group configurations. Implies the Read Computer Group permission. To create or edit computer groups, the user also needs the Read Sensor permission on the Reserved content set. The Reserved content set includes content used to ask preview questions.
Read Global Settings	Can view the Global Settings page.
Write Global Settings	Can create, modify, and delete global settings. Implies the Read Global Settings permission.
Read Whitelisted URLs	Can view the Whitelisted URLs page.
Write Whitelisted URLs	Can create, modify, and delete the whitelisted URLs configuration. Implies the Read Whitelisted URLs permission.

Tasks related to some menus do not have micro admin permissions. A user must have the reserved role indicated in the following table to view the menus or perform the tasks.

Table 3:   Tasks requiring a reserved role

Menu or task	Administrator	Content Administrator	Content Set Administrator
Action Group Create, modify, or delete action groups.	X
Content Alignment Use the Content Alignment page to move content to the content set expected by a module.	X
Permissions Create, modify, or delete the user roles or content sets configurations.	X		X
Users, User Groups Edit role settings in the user or user group configurations.	X		X
Effective permissions View effective permissions for users or user groups.	X		X
Solutions Import Tanium modules, content packs, or CUIC updates. View and import lab content.	X
Configuration View or manage any of the Configuration menu pages, including proxy settings, logging levels, plugins, plugin schedules, cache info, client subnets, LDAP Sync, SAML, or console color.	X
Question History Load a question from the Question History page.	X
Info page View the info page.	X
Interact Categories Read/Manage the Other Dashboards temp category.	X	X

Create a Module Role

In 7.1, users must be assigned a grant module role in order to see the solution module workbench and use the module features. When you upgrade to 7.1.314.3071 or later and reimport the solution modules, the import creates module-provided roles and granular permissions. In most cases, the module-provided roles have been designed to match requirements for typical module users, and you do not have to create your own module roles. Refer to the solution module user guide for information about module-provided roles.

Module	Link
Asset	User Guide
Comply	User Guide
Connect	User Guide
Detect	User Guide
Discover	User Guide
Incident Response	User Guide
Integrity Monitor	User Guide
Map	User Guide
Network Quarantine	User Guide
Patch	User Guide
Protect	User Guide
Trace	User Guide
Trends	User Guide

If necessary, you can create your own module roles and assign granular module permissions.

Role requirements

You must have the Administrator role or Content Set Administrator role to create a role.

Create a role

1. Go to Permissions > Roles.
2. Click New Role and then select Grant Module Role to display the role configuration page.
3. Specify a configuration name.
4. Click the icon to add a module to the configuration; click Remove to remove a module.
5. Click Edit to display the permissions selection box for the module.
6. Select permissions and click Save to close the selection box.
7. Save the configuration.

Assign users and user groups to a role

You can associate users and user groups with roles either in the role configuration or in the user and user group configurations.

Role requirements

You must have the Administrator role or Content Set Administrator role to manage the roles configuration. However, a Content Set Administrator cannot manage the assignment of reserved roles.

Edit the role configuration

1. Go to Permissions > Roles.
2. Select a role and click Edit to display the configuration summary page.
3. Click Edit User Assignment to display the Assign Users and User Groups page.
4. Next to User Groups, click Edit. Select groups and click Save to close the selection box.
5. Next to Users, click Edit. Select users and click Save to close the selection box.
6. Click Show Preview to Continue to review the impact of your changes. Review the effective permissions and save the configuration.

Delete a Role

When you delete a role configuration, the role is removed from any user and user group configurations that had included it. When deleting a role configuration, we recommend:

1. Delete the users and user group assignments from the role configuration.
2. Go to the effective permissions page for your users and review the resulting impact on the users' effective permissions.
3. Delete the role configuration.