Managing Roles
You can create the following types of grant and deny roles:
- Advanced
- Micro Admin
- Module (only grant)
If you are unfamiliar with Tanium™ Console role-based access control, read the Overview.
Create an advanced role
Advanced roles assign fine-grained content set permissions.
User role requirements
You must have the Administrator role or Content Set Administrator role to create a role.
Create a role
- Go to Permissions > Roles.
- Click New Role and then select Grant Advanced Role or Deny Advanced Role to display the role configuration page.
- Specify a configuration name.
- Optional. Under All Content Sets Option, select the Add all Content Sets that exist or will exist to the permissions selected below option to grant or deny permissions absolutely. This option is useful, for example, when you want a user to always be able to read sensors or never be able to write actions.
- Under Ask Dynamic Question, click Add to enable users with this role to ask ad hoc questions.
Ask Dynamic Questions is a global permission. If it is enabled in any role assigned to a user, the user has permission to create ad hoc questions that use any of the sensors for which they have read access.
- Under Content Set Permissions, click Add to add a permission to the configuration; click the icon to remove a permission. See Table 1 for descriptions of the permissions.
- Add content sets to the permissions. Click the Add button to display the Content Sets selection box.
- Select content sets and click Save to close the selection box.
- Save the configuration.
Create a Micro Admin role
Micro Admin roles assign system administration permissions.
User role requirements
You must have the Administrator role or Content Set Administrator role to create a role.
Create a role
- Go to Permissions > Roles.
- Click New Role and then select Grant Micro Admin Role or Deny Micro Admin Role to display the role configuration page.
- Specify a configuration name.
- Click Add to add a permission to the configuration; click Remove to remove a permission. See Table 2 for descriptions of the permissions.
- Save the configuration.
Permission | Description |
---|---|
Read System Status | Can view the Administration > System Status page. |
Read Question History | Can view the Administration > Question History page. To load and ask a question for the Question History page, the user would also need the underlying content permissions. |
Read User | Can view the Administration > Users page and view users that are listed on the Administration > User Groups and Permissions > Roles pages. |
Write User | Can create, modify, and delete user configurations. Implies the Read User permission. |
Read User Group | Can view the Administration > User Groups page. |
Write User Group | Can create, modify, and delete user group configurations. Implies the Read User Group permission. |
Read Computer Group | Can view the Administration > Computer Groups page. |
Write Computer Group | Can create, modify, and delete computer group configurations. Implies the Read Computer Group permission. To create or edit computer groups, the user also needs the Read Sensor permission on the Reserved content set. The Reserved content set includes content used to ask preview questions. |
Read Global Settings | Can view the Administration > Global Settings page. |
Write Global Settings | Can create, modify, and delete global settings. Implies the Read Global Settings permission. |
Read Whitelisted URLs | Can view the Administration > Whitelisted URLs page. |
Write Whitelisted URLs | Can create, modify, and delete the whitelisted URLs configuration. Implies the Read Whitelisted URLs permission. |
Read Audit | Can view: |
Read Server Status | Can view the https://<tanium_server>/info page. For details, see View the info page. |
Tasks related to some menus do not have micro admin permissions. A user must have the reserved role indicated in the following table to view the menus or perform the tasks.
Create a Module Role
In 7.1, users must be assigned a grant module role in order to see the solution module workbench and use the module features. When you upgrade to 7.1.314.3071 or later and reimport the solution modules, the import creates module-provided roles and granular permissions. In most cases, the module-provided roles have been designed to match requirements for typical module users, and you do not have to create your own module roles. Refer to the solution module user guide for information about module-provided roles.
Module | Link |
---|---|
Asset | User Guide |
Comply | User Guide |
Connect | User Guide |
Deploy | User Guide |
Detect | User Guide |
Discover | User Guide |
Incident Response | User Guide |
Integrity Monitor | User Guide |
Interact | User Guide |
Map | User Guide |
Network Quarantine | User Guide |
Patch | User Guide |
Protect | User Guide |
Reveal | User Guide |
Threat Response | User Guide |
Trace | User Guide |
Trends | User Guide |
If necessary, you can create your own module roles and assign granular module permissions.
User role requirements
You must have the Administrator role or Content Set Administrator role to create a role.
Create a role
- Go to Permissions > Roles.
- Click New Role and then select Grant Module Role to display the role configuration page.
- Specify a configuration name.
- Click Add to add a module to the configuration; click Remove to remove a module.
- Click Edit to display the permissions selection box for the module.
- Select permissions and click Save to close the selection box.
- Save the configuration.
Assign users and user groups to a role
You can associate users and user groups with roles either in the role configuration or in the user and user group configurations.
User role requirements
You must have the Administrator role or Content Set Administrator role to manage the roles configuration. However, a Content Set Administrator cannot manage the assignment of reserved roles.
Edit the role configuration
- Go to Permissions > Roles.
- Select a role and click Edit to display the configuration summary page.
- Click Edit User Assignment to display the Assign Users and User Groups page.
- Next to User Groups, click Edit. Select groups and click Save to close the selection box.
- Next to Users, click Edit. Select users and click Save to close the selection box.
- Click Show Preview to Continue to review the impact of your changes. Review the effective permissions and save the configuration.
Clone a role
When you want to add a role that has many settings in common with an existing role, cloning the existing role and then modifying the clone is often a quicker method than configuring a new role. Note that you must still assign users and user groups to the clone, and optionally enter a description; the clone will not inherit those settings from the original role. You can clone any role except the reserved roles.
- Go to Permissions > Roles, select a role, and click Clone.
- Enter a Name to identify the role (default is Copy of <original_role_name>), update the permissions as needed, and save your changes.
- Assign users and user groups to the role (see Assign users and user groups to a role).
Export and import roles
Exporting and importing roles is useful when you need to copy the roles between Tanium deployments. For example, you might export roles to a lab deployment for testing before using the roles in a production deployment.
Export all roles
- From any Content or Permissions page, click Export to XML in the top right of the Tanium Console.
- Select Content Sets and Roles and click Export.
- Enter a File Name or use the default name, and then click OK. The Tanium Server exports the XML file to the Downloads folder on the system you use to access the Tanium Console.
Export one or more roles
- Go to Permissions > Roles, select one or more roles, and click Export.
- Enter a File Name or use the default name, and then click OK. The Tanium Server exports the XML file to the Downloads folder on the system you use to access the Tanium Console.
Import roles
- Use KeyUtility.exe to sign the XML configuration file before you import it. As a one-time action, you must also copy the associated public key to the correct folder. For the procedures, see Signing content XML files.
- From any Content or Permissions page, click Import from XML at the top right of the Tanium Console.
- Click Choose File, find and select the configuration file, and click Open.
- Click Import. If object names in the file are the same as for existing objects, the Tanium Console itemizes the conflicts and provides resolution options for each one.
- Select resolutions for any conflicts. For guidance, see Conflicts and Best practices or consult your TAM.
- Click Import again, and click Close when the import finishes.
Delete a role
When you delete a role configuration, the role is removed from any user and user group configurations that had included it. When deleting a role configuration, we recommend:
- Delete the users and user group assignments from the role configuration.
- Go to the effective permissions page for your users and review the resulting impact on the users' effective permissions.
- Delete the role configuration.
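The review recommended above can be rehearsed offline before a role is deleted. The following is an added example, not Tanium code or part of the original page: it computes each affected user's Micro Admin permissions before and after a role is removed, using the Write-implies-Read pairs from Table 2. The role names, users, and the rule that a deny role overrides a grant for exactly the permissions it lists are assumptions.

```python
# Added example: models Micro Admin permissions only; not Tanium code.
# Table 2: each Write permission implies the matching Read permission.
IMPLIES = {
    "Write User": "Read User",
    "Write User Group": "Read User Group",
    "Write Computer Group": "Read Computer Group",
    "Write Global Settings": "Read Global Settings",
    "Write Whitelisted URLs": "Read Whitelisted URLs",
}

# Constructed sample data: role names and users are hypothetical.
ROLES = {
    "Helpdesk Users": ("grant", {"Write User", "Read User Group"}),
    "Group Auditor": ("grant", {"Read User", "Read Computer Group"}),
    "Settings Admin": ("grant", {"Write Global Settings"}),
    "No Settings Changes": ("deny", {"Write Global Settings"}),
}
ASSIGNMENTS = {
    "alice": ["Helpdesk Users", "Group Auditor"],
    "bob": ["Helpdesk Users"],
    "carol": ["Settings Admin", "No Settings Changes"],
}

def effective(assigned, roles=ROLES):
    """Permissions resulting from a list of assigned role names.
    Assumption: a deny role overrides grants for exactly the permissions it lists."""
    granted, denied = set(), set()
    for name in assigned:
        kind, perms = roles[name]
        (granted if kind == "grant" else denied).update(perms)
    granted |= {IMPLIES[p] for p in granted if p in IMPLIES}
    return granted - denied

def removal_impact(role_name, assignments=ASSIGNMENTS, roles=ROLES):
    """Per affected user, permissions lost and gained if role_name is deleted."""
    impact = {}
    for user, assigned in assignments.items():
        if role_name in assigned:
            before = effective(assigned, roles)
            after = effective([r for r in assigned if r != role_name], roles)
            impact[user] = {"lost": before - after, "gained": after - before}
    return impact

if __name__ == "__main__":
    for role in ("Helpdesk Users", "No Settings Changes"):
        print(role, removal_impact(role))
```

In the sample data, deleting the deny role leaves carol with Write Global Settings, so the review has to cover permissions gained as well as permissions lost.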
Last updated: 2/6/2019 2:40 PM