Managing roles

Roles overview

In the context of Tanium™ role-based access control (RBAC), a role assigns grant permissions to specify allowed activities, or deny permissions to specify prohibited activities. You assign roles to users, user groups, and personas to control what users can see and do in the Tanium Core Platform.

If you plan to import users and user groups from a Lightweight Directory Access Protocol (LDAP) or Active Directory (AD) server, do so before configuring or assigning roles. For details, see Integrating with LDAP servers.

The Tanium implementation of RBAC supports the following role categories, which are based on the types of permissions that they grant or deny:

Micro admin roles

Micro admin roles grant or deny permissions for administrative activities in the Tanium Core Platform, such as configuring isolated Tanium Client subnets. See Managing roles.

Custom roles

Custom roles are roles that you create to grant or deny a combination of administration, platform content, module, and global permissions. See Configure a custom role.

Module roles

Module roles are pre-defined roles that grant or deny module permissions, which control access to module workbenches, features, and content sets. Some module permissions automatically enable additional provided permissions. For example, the Patch Module Write permission automatically grants the Ask Dynamic Questions permission. You cannot edit or delete pre-defined module roles.

Module roles grant module permissions, which control access to module workbenches, features, and content sets. Module roles do not have deny roles. Users who do not have a role that grants module access cannot access the module workbench or features. Some module permissions automatically enable additional provided permissions. For example, if you grant the Patch Module Write permission in a module role, it automatically grants the Ask Dynamic Questions permission.

Advanced roles

Advanced roles are pre-defined legacy roles that grant or deny platform content permissions, which control access to sensors, packages, saved questions, and other types of content that apply across all Tanium modules and shared services. You cannot edit or delete pre-defined advanced roles.

Advanced roles grant or deny content set permissions, which control access to sensors, packages, saved questions, and other types of content that apply across all Tanium modules.

Reserved roles

The predefined reserved roles assign permissions that enable special-purpose capabilities, such as loading a question from the Administration > Content > Question HistoryAdministration > Management > Question History page. These special permissions are not available to non-reserved roles. In addition to the special permissions, reserved roles can have some or all of the permissions associated with the other role categories. You cannot edit or delete reserved roles. For details, see Reserved roles.

The following figure shows the configurable components of the different role types, and the order in which you assign the components:

For an overview of how roles relate to other RBAC configuration objects such as content sets, personas, users, user groups, and computer groups, see Tanium RBAC implementation and concepts.

Roles have a many-to-many relationship with users and user groups. For example, all Tanium Interact users can have the Interact Show module role, and each of those users can have additional custom roles that provide access to the sensors and questions that they use in Interact. Similarly, you can configure permissions for the same content set across multiple roles, and each role can specify permissions across multiple content sets.

As a best practice when configuring roles, take full advantage of their modularity and cumulative effect on user permissions. For example, instead of creating a single role with all the permissions that a particular user needs, and creating another role with only slightly different permissions for another user, create several roles with smaller but unique permissions sets. You can then mix and match these minimalistic roles among various users to achieve the same effective permissions as individual roles that have comprehensive permissions. For details, see Effective role permissions.

Roles that assign write permissions, such as Write Package, implicitly assign read permissions, such as Read Package. For details, see Implied role permissions.

Users inherit roles from the user groups to which you assign those users. For details, see Inherited roles.

For a given Tanium Console session, only the permissions of the currently selected persona are available to a user, even if multiple personas are assigned to that user. For details, see Managing personas.

To add, edit, or delete roles, you must have the Administrator or Content Set Administrator reserved role or a custom role with the Permission Administrator permission. However, a Content Set Administrator cannot manage the assignment of personas or reserved roles to users and user groups.

Roles do not control access to computer management groups (see Managing computer groups) or action groups (see Managing action groups) that users select for targeting when issuing questions or deploying actions. However, roles do control the permissions required to manage computer group and action group configurations.

Grant and deny roles

You can assign multiple grant and deny roles to a user or user group. TaaSThe Tanium Server bases the effective permissions of a user or group on the cumulative effect of all the roles that are assigned to that user or group: all permissions granted or implied, minus those explicitly denied.

You can view the effective permissions of a user or user group in the Tanium Console: see Effective role permissions.

In customadvanced roles, a permission and content set in the deny role must match a permission and content set in the grant role to negate the grant permission. In the following example, the deny Write Package permission on Content Set A matches the grant Write Package permission on Content Set A, so the grant permission is negated.

Figure 3: Grant and deny roles on content set permissions (match)

In the following example, the deny Write Package permission on Content Set D does not match any grant permissions. Therefore, the deny permission has no impact on the effective permissions of the user.

Figure 4: Grant and deny roles on content set permissions (no match)

When you assign content sets to permissions in custom rolesadvanced roles or module roles, the Add all Content Sets that exist or will exist to the permissions option is equivalent to listing every content set. The following figure illustrates an example where the deny Write Package permission on Content Set D has an effect.

Grant and deny matching also applies to administration permissions Grant and deny micro admin roles follow the same rules as advanced roles. In the following example, the user has one grant role and two deny roles that specify administration permissions . TaaSThe Tanium Server factors out exact matches between grant and deny permissions. The user has all of the capabilities that the grant role specifies, minus the capabilities that the deny roles specify.

Figure 6: Grant and deny roles on administrationmicro admin permissions

Module roles cannot deny permissions, only grant permissions. Users who do not have a role that grants module access cannot access the module workbench or functionality.

Implied role permissions

In grant roles, every write permission implies the associated read permission. In the following example, the customadvanced role that is assigned to Eric and Grace has the Write Package permission on the specified content sets, therefore the configuration does not need to specify the Read Package permission. A role that has only the Read Package permission on the same content set is created for users who must have read-only permissions, like Bob in this example.

Figure 7: Eric and Grace effectively have both read and write permissions

Deny roles do not have implied permissions. For deny roles to have an effect, they must explicitly specify permissions and those permissions must exactly match the permissions that a grant role specifies. For example, if a deny role specifies that Write Package permission is denied on a content set, the role does not implicitly deny Read Package permission. In the following example, the deny role permissions do not exactly match any grant role permissions. Therefore, the deny role is disregarded and Bob still has Read Package permission on the specified content sets.

Figure 8: Bob effectively has read permissions

Inherited roles

Users inherit role permissions from their user groups. In the following example, Eric inherits permissions from the roles that are assigned to the NOC user group. He also has permissions that are assigned directly to his user account. TaaSThe Tanium Server enforces the net effect. In this example, even though Eric inherits the Write Isolated Subnets and Write Separated Subnets permissions from the user group, the deny role that is assigned directly to his user account negates those permissions. Because no deny roles are assigned to the accounts of Bob and Grace, they have all the permissions that are inherited from the user group, including Write Isolated Subnets and Write Separated Subnets.

Reserved roles

The Tanium-defined reserved roles assign permissions for special-purpose capabilities, such as loading a question from the Administration > Content > Question HistoryAdministration > Management > Question History page. Because these permissions are implicit, you cannot edit or delete them and they are not available to non-reserved roles. In addition to the special permissions, reserved roles can have some or all of the permissions associated with otheradvanced, micro admin, and module roles. Special logic applies when you assign both a reserved role and non-reserved role to a user or user group, as described in the following sections.

Admin reserved role

The Admin reserved role has all permissions to all content, modules, shared services, and administrative functionality. When you assign this role, other grant roles are superfluous and deny roles are ineffective, with the following exceptions:

Bypass Action Approval: A custom role with the Bypass Action Approval permission does have effect when it is assigned to a user who has the Admin reserved role. The Admin reserved role does not have this permission by default. Due to the sensitive nature of bypassing approval, you must explicitly assign this permission in all cases.
Deny All: The Deny All reserved role negates all the permissions of the Admin reserved role.

During the setup of your Tanium as a Service (TaaS) deployment, an initial administrator account is created with the Admin role. You can use this account to configure RBAC for all other users, including other users who might need the Admin role.

Administrator reserved role

The Administrator role has all permissions to all content, modules, and administrative functionality. When you assign this role, other grant roles are superfluous and deny roles are ineffective, with the following exceptions:

Bypass Action Approval: An advanced role with the Bypass Action Approval permission does have effect when it is assigned to a user who has the Administrator reserved role. The Administrator reserved role does not have this permission by default. Due to the sensitive nature of bypassing approval, you must explicitly assign this permission in all cases.
Deny All: The Deny All reserved role negates all the permissions of the Administrator reserved role.

Content Set Administrator reserved role

The Content Set Administrator role assigns permissions to read and write content set and role configurations, including role assignments within user and user group configurations. This role makes all other grant roles superfluous. The Deny All reserved role is the only role that can affect a user who has the Content Set Administrator role.

Notice the result when both the Content Set Administrator and Administrator roles are assigned. Only the Content Set Administrator role remains effective. Be careful not to assign the Content Set Administrator role to users who must have other roles. Be careful not to assign (directly or by user group inheritance) the Content Set Administrator role to users who are assigned the Administrator role.

Content Administrator reserved role

The Content Administrator role grants read and write permissions for all content across all content sets, as well as action management permissions. When the Tanium Server evaluates effective permissions for a user who has the Content Administrator role, the server evaluates module roles and micro admin roles that are assigned, but disregards advanced roles.

Deny All reserved role

Users who have the Deny All role cannot access anything in the Tanium Core Platform, regardless of any other role that you assign to them, including the Administrator reserved role. In the following example, the only role assigned to Frank that has any effect is Deny All.

Tasks that require reserved roles

To perform the following tasks, a user must have a reserved role because the tasks are not associated with micro admin permissions that you can assign to micro admin roles.

Table 1: Tasks requiring a reserved role
Task	Administrator	Content Administrator	Content Set Administrator
Manage content alignment Use the Administration > Content > Content Alignment page to move module-specific content to the appropriate module content set.
Manage content sets Create, edit, or delete content set configurations.
Manage role configurations and assignments Edit roles and edit the role assignments of users, user groups, and personas.
Manage personas Create, edit, assign, or delete personas.
Manage Tanium solutions Import Tanium modules, content packs, or Tanium Console User Interface updates. View and import lab content.
Manage Tanium Core Platform configuration View or manage any of the Administration > Configuration pages, including those for proxy settings, logging levels, plugins, plugin schedules, sensor threshold indicators, package file repository, Tanium Client subnets, bandwidth throttles, Tanium licenses, Tanium root keys, trust among Tanium Core Platform servers, LDAP servers, SAML, API tokens, and Tanium Console customizations.
Load questions from Question History Load a question from the Administration > Management > Question History page.
Manage Interact categories Read and manage the Other Dashboards category.

Effective role permissions

The effective permissions of a user are based on the cumulative effect of all the assigned and inherited roles, including the following:

Permissions specified in grant roles minus permissions specified in deny roles
Implied permissions in grant roles
Roles that are assigned to the persona that a user selects for a Tanium Console session
Roles inherited from a persona that is assigned to user groups, after the user selects that persona for a Tanium Console session

In the user and user group configuration pages, the Permissions section uses the following icons to indicate effective permissions:

	Grant permission that you must explicitly assign.
	Grant permission that you must explicitly assign and that automatically provides or implies additional permissions because of dependencies. For example, when you assign the Write Interact Module permission, it automatically provides the Ask Dynamic Questions permission. Most write permissions (such as Write Package) imply read permissions (such as Read Package).
	Deny permission.

The user and user group configuration pages list the Admin reserved role under Global Permissions if you assign that role. The user and user group configuration pages list the Administrator, Content Administrator, and Content Set Administrator reserved roles under Global Permissions if you assign those roles. However, when you view the configuration page for a custom role in Edit Mode, the Global Permissions are hidden because you cannot assign them.

You can expand each of the module content permissions, Platform Content Permissions, and Global Permissions to list the content sets to which the permission applies:

	Content set that is explicitly assigned to the permission.
	Content set that is assigned because another permission implies or provides it.

The user and user group configuration pages also list the assigned Content Sets by content type. For implied or provided permissions , hover over the icon to show a tool tip that indicates how the permission was derived from an explicit permission .

Figure 16: Permission-content set assignments

The user and user group configuration pages have a Roles and Effective Permissions section that clarifies how the Tanium Server derives effective permissions.

In the roles section, hover over the tile for an inherited role to see the user group from which it was inherited. Click the tile for a role to highlight the associated permissions in the permissions sections. Click the All Roles tile to redisplay the permissions without highlighting.

View roles

From the Main menu, go to Administration > Permissions > Roles.
The page displays each role name and category, and the number of users, user groups, and personas to which each role is assigned. The Total Users column indicates the sum of all the users who are assigned the role through their user accounts or who inherit the role from user groups.
(Optional) To display attributes that the grid hides by default, click Customize Columns and select the attributes.
(Optional) Use the filters to find specific roles:
- Filter by text: To filter the grid by column values, enter a text string in the Filter items field.
- Filter by attribute: Filter the grid by one or more attributes, such as the Role Name. Expand the Filters section, click Add, select an attribute and operator, enter a text string that contains all or part of the attribute value, and click Apply. If you add multiple attribute filters, the Boolean AND operator applies. After you finish specifying attributes, click Apply All to filter the grid.
(Optional) To see the permissions, personas, users, and user groups that are assigned to a role, click the Role Name.
To view or edit the configuration of an assigned user or user group, click the user or group name.

Configure a custom role

Create or edit a custom role that assigns administration, platform content, and module permissions.

From the Main menu, go to Administration > Permissions > Roles.
Perform one of the following steps:
- To create a role, click New Role.
- To edit a role, click a Role Name and click Edit Mode.
Specify a Role Name to identify the role.

Set the Permission Type to Allow (grant) or Deny.

The Permissions section lists all the permissions that you can assign by clicking an icon in the Special, Read, Write, Execute, or Delete column. You can click an icon in a column header to select all the permissions of that type. For example, in the Administration permissions header, click the Special icon to assign all the available special administration permissions. The lists use gray icons to indicate unassigned permissions and the following colored icons to indicate assigned permissions:

	Permission that you must explicitly assign.
	Permission that you must explicitly assign and that automatically provides or implies additional permissions because of dependencies. For example, when you assign the Write Interact Module permission, it automatically provides the Ask Dynamic Questions global permission. Most write permissions (such as Write Package) imply read permissions (such as Read Package).
	Permission that is automatically enabled because it has a dependency with another permission or because a higher level permission implies it.

A later step in this procedure explains how to assign content sets to permissions that apply to content.

To assign roles to personas, see Manage role assignments for a persona.

(Optional) To manage user assignments, expand the Users section, click Manage Users, select or deselect users, and click Select.
If you are editing a role that already has users assigned, click the number above the Users field in the Role Details section to scroll to the Users section and expand it.
To view or edit the configuration of a particular user, click the user Name in the Users section. The Edit User page opens in a new tab.
(Optional) To manage user groups assignments, expand the User Groups section, click Manage User Groups, select the groups, and click Select.
If you are editing a role that already has user groups assigned, click the number above the User Groups field in the Role Details section to scroll to the User Groups section and expand it.
To view or edit the configuration of a particular group, click the group Name in the User Groups section. The Edit User Group page opens in a new tab.

Expand

the Administration section and select any of the following permissions that the role requires.

To create a role that can perform all administrative tasks in the Tanium Console, assign the Permission Administrator, Write User, Write User Group, Write Computer Group, and Write Persona permissions. The Admin reserved role has all these permissions.

Table 2: Administration permissions
Permission	Description
Permission Administrator	Provides the following administration permissions as a bundle: Read User Read User Group Read Role Write Role Grant Role Read Content Set Write Content Set Read Persona
Action Group	Read permission enables users to view and export action group configurations in the Scheduled Actions page. Write permission enables users to create, edit, and delete action group configurations. Write permission implies the Read Action Group permission.
Allowed URLs	Read permission enables users to view allowed URL configurations on the Allowed URLs page and to export the configurations in CSV format. The Export Content administration permission is required to export in JSON format. Write permission enables users to create, edit, and delete allowed URL configurations. Write permission implies Read Allowed URLs permission.
Audit	Read permission enables users to view: Last Sign In information on the Users page Last Modified information on the user configuration page Last Modification information on the Global Settings page
Computer Group	Read permission enables users to view computer management groups and export them in CSV format. The Export Content permission is required to export in JSON format. Additional permissions are required to view the user group, user, and persona assignments of computer management groups: see Manage computer management groups. Write permission enables users to create, edit, and delete computer management groups and filter groups. Write permission implies the Read Computer Group and Write Filter Group permissions. To create a computer management group or filter group in which membership is based on a sensor filter, users require the following permissions in addition Write Computer Group: Read Sensor (platform content) permission on the Reserved content set, which includes content that is used to ask preview questions. Write Interact Module (module) permission. Computer groups with manually defined membership do not require the Read Sensor or Write Interact Module permissions.
Export Content	Enables users to export the following content types in JSON format: Allowed URLs Computer management groups Content sets Filter groups Packages Roles Saved questions Scheduled actions Sensors
Import Signed Content	Enables users to import digitally signed content files into the Tanium Server.
Global bandwidth throttles	Read permission enables users to view global bandwidth throttles on the Bandwidth Throttles page. Write permission enables users to create, edit, and delete global bandwidth throttles.
Global Settings	Read permission enables users to view the global settings of Tanium Core Platform servers and Tanium Clients on the Platform Settings page. Write permission enables you to create, edit, or delete global settings. Write permission implies the Read Global Settings permission.
Isolated Subnets	Read permission enables users to view and export isolated client subnet configurations on the Administration > Configuration > Subnets page. Write permission enables users to create, edit, and delete isolated client subnet configurations. Write permission implies Read Isolated Subnets permission.
Persona	Read permission enables users to view and export persona configurations. The Permission Administrator permission implies the Read Persona permission. Write permission enables users to create, edit, and delete personas when combined with the Permission Administrator permission. Write permission implies the Read Persona permission. Users require additional permissions to edit the assignment of other RBAC objects (such as users) to personas: see Manage personas.
Public Key	Read permission enables Tanium REST API users to download the Tanium public key (tanium.pub) or initialization file (tanium-init.dat). Only the Administrator reserved role can access the Infrastructure page to download those files through the Tanium Console.
Question History	Read permission enables users to view the Question History page. To issue a question from the Question History page, users also require Platform Content Permissions on the corresponding content sets.
Separated Subnets	Read permission enables users to view and export separated client subnet configurations on the Subnets page. Write permission enables users to create, edit, and delete isolated client subnet configurations. Write permission implies Read Separated Subnets permission.
Server Status	Read permission enables users to view the https://<Tanium_Server>/info page. For details, see View the info page.
Subnet bandwidth throttles	Read permission enables users to view site-specific bandwidth throttles on the Bandwidth Throttles page. Write permission enables users to create, edit, and delete site-specific bandwidth throttles.
Client Status	Read permission enables users to view the Client Status page.
Token - Revoke	Enables users to create or revoke API tokens that are used to access TaaSthe Tanium Server.
Token - Use	Enables users to send requests to the TaaSthe Tanium Server for new API tokens.
Token - View	Enables users to view the API Tokens page.
User	Read permission enables users to view and export user configurations on the Users page. Write permission enables users to create, edit, and delete user configurations. Write permission implies Read User permission. Additional permissions are required to view and edit the role, user group, and persona assignments of users: see Manage users.
User Group	Read permission enables users to view and export user group configurations on the User Groups page. Write permission enables users to create, edit, and delete user group configurations. Write permission implies Read User Group permission. Additional permissions are required to view and edit the role, user, and persona assignments of user groups: see Manage user groups.
Management Rights	Read permission enables users to view the computer management group assignments of users, user groups, and personas when combined with the Read Computer Group permission. Write Management Rights is one of the permissions that are required to edit the computer management group assignments of users, user groups, and personas. For additional required permissions, see Manage computer management groups. Read Management Rights and Write Management Rights are not explicit permissions; the Permission Administrator permission implies them.
Content Set	Read permission enables users to view content set configurations. Write permission enables users to: Create, edit, and delete content sets Move content between content sets Export content sets in CSV format. The Export Content administration permission is required to export in JSON format. These are not explicit permissions; the Permission Administrator permission implies them.
Role	Read permission enables users to view role configurations and export them in CSV format. The Export Content permission is required to export in JSON format. Write permission enables users to create, edit, and delete role configurations. Grant permission is one of the permissions that are required to edit the role assignments of users, user groups, and personas. These are not an explicit permissions; the Permission Administrator permission implies them. Users require the following combined permissions to manage role assignments: Permission Administrator and Write User permissions are required to edit the role assignments of users. Permission Administrator and Write User Group permissions are required to edit the role assignments of user groups. Permission Administrator and Write Persona permissions are required to edit the role assignments of personas.

For each module that has permissions you want to assign, expand the <module name> section and select the permissions.
See the module user guides for information about the required permissions for module-specific roles:

Expand

the Platform Content Permissions section and select any permissions that the role requires:

Table 3: Platform content permissions
Permission	Description
Action	Read permission enables users to view the Administration > Actions pages. The visibility of specific actions (grid rows) depends on the Read Action permission on the content set for the underlying package. The permission enables users to re-download package files and copy grid rows to the clipboard. Write permission enables users to: See scheduled actions that they issued. Export scheduled actions in CSV format. The Export Content administration permission is required to export in JSON format Use the Deploy Action button on the Question Results grid. Write Action permission implies Read Own Action, Read Package, and Show Preview permissions. To deploy, edit, or check the status of an action, users also need Read Sensor and Read Saved Question permissions on the Reserved content set. The Reserved content set includes content that is used to ask preview and polling questions.
Action for Saved Question	Write permission enables users to: Access the Scheduled Actions page and see the actions they have deployed. See and use the Deploy Action button on the Question Results grid for saved questions that have associated packages. The Read Package permission is not required for the associated packages. If the saved question does not have associated packages, the Deploy Action button does not appear. Write permission implies Show Preview permission. Tip: Use the Write Action for Saved Question permission instead of the Write Action permission to limit use by action users who use Tanium products to execute standard operating procedures that someone else created.
Approve Action	Enables a user to approve actions that other users created. Users with this permission cannot approve their own actions. To view the actions on the Actions I Can Approve and All Pending Approval pages, users also require the Read Package and Read Own Action permissions. Bypass Action Approval permission enables users to deploy their actions without approval even if action approval is configured. No role, including the Administrator reserved role, includes this permission by default. This is the one platform content permission that has effect when granted to a user with the Administrator reserved role.
Bypass Action Approval	Actions created by a user with this permission are not subject to approval requirements. No role, including the Administrator reserved role, includes this permission by default. This is the one advanced permission that has effect when granted to a user with the Administrator role.
Dashboard	Read permission enables users to view dashboards in the Interact Content page, if those users also have Show Interact permission. The users also require Read Saved Question and Read Sensor permission for the related content to use the dashboard. Write permission enables users to create, edit, and delete dashboard configurations. Write permission implies Read Dashboard permission.
Dashboard Group	Read permission enables users to view categories in the Interact Content page, if those users also have Show Interact permission. Users also require Read Dashboard, Read Saved Question, and Read Sensor permissions on the related content to use the category. Write permission enables users to create, modify, and delete category configurations. Write permission implies the Read Category permission.
Filter Group	Read permission enables users to: View the Filter Groups page Use filter groups for filtering questions, question results, and various lists in the Tanium Console Export filter groups in CSV format. The Export Content administration permission is required to export in JSON format. Write permission enables users to create, edit, and delete filter group configurations. Write permission implies the Read Filter Group permission.
Own Action	Read permission enables a signed-in user to view his or her actions in the All Pending Approval grid.
Package	Read permission enables users to: View packages in the Deployment Package list of the Action Deployment page. View packages in the Packages page. Export packages in CSV format. The Export Content administration permission is required to export in JSON format. Write permission enables users to create, edit, and delete package configurations. Write permission implies Read Package and Show Preview permissions.
Associated Packages	Read Associated Packages is not an explicit permission; the Write Action for Saved Question permission implies Read Associated Packages permission.
Plugin	Reserved for future use.
Saved Question	Read permission enables users to: View saved questions in the Question Results grid drill-down and similar user interfaces. View saved questions in the Interact Overview page, if the user also has Show Interact permission. Issue saved questions, if the user also has Read Sensor permission on the content sets that contain the sensors in those questions. View the Saved Questions page. Export saved questions in CSV format. The Export Content administration permission is required to export in JSON format. Write permission enables users to create, edit, and delete saved question configurations. Write permission implies Read Saved Question permission but does not imply Ask Dynamic Questions permission.
Sensor	Read permission enables users to: View sensors in the Question Builder and similar user interfaces throughout the Tanium Console. Use sensors in questions if the user also has the ability to ask questions. Writer permission enables users to create, edit, and delete sensor configurations. Write permission implies Read Sensor and Show Preview permissions.
Preview	Show Preview is not an explicit permission. The Write Action, Write Action for Saved Question,Write Sensor, and Write Package permissions imply Show Preview. Show Preview enables users to ask questions that are necessary to preview the impact of new and changed action, sensor, and package configurations. To ask preview questions, the user also needs Read Sensor permission on the Reserved content set, which includes content that is used to ask the preview questions.

(Optional) Review all the permissions that you selected.
At the top right of the page, click Preview to display only the permissions that you selected. When you finish reviewing, click Edit Mode to continue configuring the role.

Assign Content Sets to the pertinent module content permissions and Platform Content Permissions that you selected:

To assign all existing and future content sets to all the pertinent content permissions that you selected, select Add all Content Sets that exist or will exist to the permissions selected above. This option is useful, for example, when you want a user to always be able to read sensors or never be able to write actions.
To assign specific content sets to all the pertinent content permissions that you selected, click Add Content Sets, select the sets, and click Select.
To assign specific content sets to a specific permission:
1. Scroll to the Permissions section and click the number beside the permission icon, such as .
2. Select the content sets and click Select.

To review the content set assignments for a specific permission, expand it in the Permissions section. The following icons indicate how a content set permission is derived:

	Content set that is explicitly assigned to the permission.
	Content set that is assigned because another permission implies or provides it.

To review the content set assignments for all permissions, see the Content Sets grid. The following grid icons indicate how a content set permission is derived:

	Content set that you explicitly assigned.
	Content set that you explicitly assigned and that is associated with a permission that automatically provides or implies additional permissions because of dependencies.
	Content set that is automatically assigned because it has a dependency with another permission.

To create a custom content set without leaving the role configuration page, click New Content Set, enter a Name to identify the set, and click Save.

Click Save.

Create an advanced role

Advanced roles grant or deny content set permissions, which control access to sensors, packages, saved questions, and other content.

From the Main menu, go to Administration > Permissions > Roles.
Select New Role > Grant Advanced Role or New Role > Deny Advanced Role.
Specify a Name to identify the role.
(Optional) In the All Content Sets Option section, select Add all Content Sets that exist or will exist to the permissions selected below to grant or deny permissions across all existing and future content sets. This option is useful, for example, when you want a user to always be able to read sensors or never be able to write actions.
In the Ask Dynamic Question section, click Add to enable users with this role to ask dynamic (ad-hoc) questions.
Ask Dynamic Questions is a global permission. If it is enabled in any role assigned to a user, the user has permission to create dynamic questions that use any of the sensors for which they have read access.
In the Advanced Permissions section, click Add for each permission that you want the role to grant or deny. Table 4 describes the permissions.
Add content sets to each permission. Skip this step if you selected Add all Content Sets that exist or will exist to the permissions selected below.
To create a custom content set without leaving the role configuration page, click Apply New Content Set, click New Content Set, enter a Name and (optional) Description, and click Save.
- Add the same content sets to all permissions: Click Apply New Content Set, select content sets, and click Save.
- Add content sets to a specific permission: Click Add in the permission tile, select content sets, and click Save.
Click Save to save the role configuration.

Table 4: Content set permissions
Permission	Description
Bypass Action Approval	Actions created by a user with this permission are not subject to approval requirements. No role, including the Administrator reserved role, includes this permission by default. This is the one advanced permission that has effect when granted to a user with the Administrator role.
Read Sensor	Can view sensors in the Sensors page, Question Builder, and similar user interfaces throughout the console. Can use sensors in questions if the user also has the ability to ask questions.
Write Sensor	Can create, modify, and delete sensor configurations. Implies the Read Sensor and Show Preview permissions.
Read Action	Can view the Administration > Actions pages. Visibility of rows in the grid depends on the Read Action permission on the content set for the underlying package. The permission enables users to re-download package files and copy grid rows to the clipboard. Implies the Read Own Action permission.
Read Own Action	Determines whether the actions of the signed in user appear in the All Pending Approval grid.
Write Action	Can view the Scheduled Actions page. Users can see rows for actions they issued. If a user has the Read Action permission on the content set for the underlying package, that user can see rows for actions that other users issued. Can see and use the Deploy Action button on the Question Results grid for dynamic questions and saved questions. Implies the Read Own Action, Read Package, and Show Preview permissions. To deploy an action, edit an action, or check action status, a user also needs Read Sensor and Read Saved Question on the Reserved content set. The Reserved content set includes content used to ask preview and polling questions.
Write Action for Saved Question	Can see the Scheduled Actions page, but the only rows are for the actions that the user has deployed. Can see and use the Deploy Action button on the Question Results grid but only for saved questions that have associated actions. The Read Package permission is not required for the associated actions. If the saved question does not have associated actions, the Deploy Action button does not appear. Tip: Use this permission instead of the Write Action permission to limit use by action users who use Tanium products to execute standard operating procedures that someone else created.
Read Filter Group	Can see the Filter Groups page, and use filter groups for filtering questions, question results, and various lists in the Tanium Console.
Write Filter Group	Create, modify, and delete filter group configurations. Implies the Read Filter Group permission.
Approve Action	Can approve actions that another user created. Users with this permission cannot approve their own actions. To view the actions on the Actions I Can Approve and All Pending Approval pages, you must also have the Read Package and Read Own Action permissions.
Read Plugin	Reserved for future use.
Execute Plugin	Reserved for future use.
Read Package	Can view packages in the Browse Packages dialog opened from the Deploy Action workflow page. Cannot view the Packages page unless the user also has the Write Package permission.
Write Package	Can view the Packages page. Can create, modify, and delete package configurations. Implies the Read Package and Show Preview permissions.
Read Saved Question	Can view saved questions in the Question Results grid drill-down and similar user interfaces. Can view the Interact Saved Questions page, if the user also has access to the Interact workbench. Cannot view the Saved Questions page unless the user also has the Write Saved Question permission. To issue a saved question as expected, the user also requires the Read Sensor permission for the pertinent sensor.
Write Saved Question	Can view the Saved Questions page. Can create, modify, and delete saved question configurations. Implies the Read Saved Question permission. Note: Does not imply the Ask Dynamic Questions permission.
Read Associated Packages	Not an explicit permission. Implied in the Write Action for Saved Question permission.
Read Dashboard	Can view dashboards in the Interact Content page, if the user also has permission to the Interact workbench. A user also needs the Read Saved Question and Read Sensor permission for the related content to use the dashboard.
Write Dashboard	Can create, modify, and delete dashboard configurations. Implies the Read Dashboard permission.
Read Dashboard Group	Can view categories in the Interact Content page, if the user also has permission to the Interact workbench. A user also needs the Read Dashboard, Read Saved Question, and Read Sensor permissions on the related content to use the category.
Write Dashboard Group	Can create, modify, and delete category configurations. Implies the Read Category permission.
Show Preview	Not an explicit permission. Implied in the Write Action, Write Action for Saved Question, Write Sensor, and Write Package permissions. Enables authors to ask questions necessary to preview the impact of new and changed configurations. To ask preview questions, the user also needs Read Sensor on the Reserved content set. The Reserved content set includes content used to ask preview questions.

Create a micro admin role

Micro admin roles assign Tanium system administration permissions.

From the Main menu, go to Administration > Permissions > Roles.
Select New Role > Grant Micro Admin Role or New Role > Deny Micro Admin Role to display the role configuration page.
Enter a Name to identify the role.
Click Add for each permission that you want the role to grant or deny (see the following table), and click Save.
Some administrative tasks in the Tanium Console are not associated with micro admin permissions; only users who have a reserved role can perform these tasks. For details, see Tasks that require reserved roles.

Table 5: Micro admin permissions
Permission	Description
Read System Status	Can view the Client Status page.
Read Question History	Can view the Question History page. To issue a question from the Question History page, the user also needs advanced role permissions on the corresponding content sets.
Read User	Can view and export user configurations. Additional permissions are required to view the role, user group, and persona assignments of users: see Manage users.
Write User	Can create, modify, and delete users. Implies the Read User permission. Additional permissions are required to edit the role, user group, and persona assignments of users: see Manage users.
Read User Group	Can view and export user group configurations. Additional permissions are required to view the role, user, and persona assignments of user groups: see Manage user groups.
Write User Group	Can create, modify, and delete user groups. Implies the Read User Group permission. Additional permissions are required to edit the role, user, and persona assignments of user groups: see Manage user groups.
Read Computer Group	Can view and export computer management groups and filter groups. Implies the Read Filter Group permission. Additional permissions are required to view the user group, user, and persona assignments of computer management groups: see Manage computer management groups.
Write Computer Group	Can create, modify, and delete computer management groups and filter groups. Implies the Read Computer Group and Write Filter Group permissions. To create a computer management group or filter group in which membership is based on a sensor filter, the following permissions are required in addition Write Computer Group: Read Sensor (advanced) permission on the Reserved content set, which includes content that is used to ask preview questions. Interact Module Write (module) permission. Computer groups with manually defined membership do not require the Read Sensor or Interact Module Write permissions.
Read Persona	Can view and export persona configurations and assignments. The Permission Administrator permission implies the Read Persona permission.
Write Persona	Can create, edit, and delete personad. Implies the Read Persona permission. Additional permissions are required to edit the user, user group, and role assignments of personas: see Manage personas.
Read Global Settings	Can view the Global Settings page.
Write Global Settings	Can create, modify, and delete global settings. Implies the Read Global Settings permission.
Read Allowed Urls	Can view the Allowed URLs page.
Write Allowed Urls	Can create, modify, and delete the allowed URLs configuration. Implies the Read Allowed Urls permission.
Read Audit	Can view: Last Sign In information on the Users page Last Modified on information on the user configuration page Last Modification information on the Global Settings page
Read Server Status	Can view the https://<Tanium_Server>/info page. For details, see View the info page.
View Token	Can view the API Tokens page.
Use Token	Can send requests to TaaSthe Tanium Server for new API tokens.
Revoke Token	Can revoke API tokens that are used to access TaaSthe Tanium Server.
Export Content	Can export the following content types: Allowed URLs Computer groups Content sets Filter groups Packages Roles Saved questions Scheduled actions Sensors Only the Administrator reserved role can export categories and dashboards.
Import Signed Content	Can import digitally signed content files.
Read Action Group	Can view specific action groups in the Scheduled Actions page.
Write Action Group	Can create, modify, and delete action groups. Implies the Read Action Group permission.

Create a module role

Module roles grant Tanium solution module permissions, which control access to module workbenches and features. Module roles also grant permissions for module-specific content sets. Module roles do not have deny roles. Users who do not have a role that grants module access cannot access the module workbench or features. Some module permissions enable provided permissions, which a role configuration includes automatically when you select module permissions. For example, if you select the Patch Module Write permission, the role automatically includes the Ask Dynamic Questions permission.

Requirements for module-specific roles

See the module user guides for information about the required permissions for module-specific roles:

Add a module role

Perform the following steps to add a module role:

From the Main menu, go to Administration > Permissions > Roles.
Select New Role > Grant Module Role to display the role configuration page.
Enter a Name to identify the role.
(Optional) In the All Content Sets Option section, select Add all Content Sets that exist or will exist to the permissions selected below to grant permissions across all existing and future content sets that are associated with the module. This option applies only to modules such as Trends that have module-specific content.
In the Module Permissions section, click Add beside each module for which you want the role to grant permissions.
For each module, click Edit, select permissions, and click Save.
For each module that has module-specific content, click Add in each permission tile, select content sets, and click Save. Skip this step if you selected Add all Content Sets that exist or will exist to the permissions selected below.
To create a custom content set without leaving the role configuration page, click Apply New Content Set at the top right of the Module Permissions section, click New Content Set, enter a Name and (optional) Description, and click Save.
- Add the same content sets to all permissions: Click Apply New Content Set, select content sets, and click Save.
- Add content sets to a specific permission: Click Add in the permission tile, select content sets, and click Save.
Click Save to save the role configuration.

Manage user and user group assignments for a role

To assign roles to personas, see Manage role assignments for a persona.

From the Main menu, go to Administration > Permissions > Roles and click the Role Name.
Expand the Users section, click Manage Users, select or deselect users, and click Select.
Expand the User Groups section, click Manage User Groups, select or deselect users, and click Select.
Review the user and user group assignments, and then click Save.

From the Main menu, go to Administration > Permissions > Roles.
Select a role and click Edit.
Click Edit User Assignment to display the Assign Users and User Groups page.
Next to User Groups, click Edit. Select groups and click Save.
Next to Users, click Edit. Select users and click Save.
Click Show Preview to Continue, review the effective permissions, and click Save.

Clone a role

To add a role that has many settings in common with an existing role, cloning the existing role and then modifying the clone is often a quicker method than configuring a new role. Note that you must still assign users and user groups to the clone, and optionally enter a description; the clone will not inherit those settings from the original role. You can clone any role except the reserved roles.

From the Main menu, go to Administration > Permissions > Roles.
Select a role and click Clone.
Enter a Role Name to identify the role, update the permissions as needed, and click Save.
Assign users and user groups to the role (see Managing roles).

Export and import roles

The following procedures describe how to export and import the configurations of specific roles or all roles.

Develop and test content in your lab environment before importing that content into your production environment.

Export roles

Export roles as a CSV file to view their settings in an application that supports that format. If your user account has a role with the Export Content permission, you can also export roles as a JSON file to import them into another Tanium Server. The Administrator reserved role has that permission.

If you want to export or import other types of content in addition to roles, see Manage Tanium shared services and content.

From the Main menu, go to Administration > Permissions > Roles.
Select rows in the grid to export only specific roles. If you want to export all roles, skip this step.
Click Export .
(Optional) Edit the default export File Name.
The file suffix (.csv or .json) changes automatically based on the Format selection.
Select an Export Data option: All roles in the grid or just the Selected roles.
Select the file Format: JSON or CSV.
Click Export.
TaaSThe Tanium Server exports the file to the downloads folder on the system that you used to access the Tanium Console.

Import roles

You can import content files that are in JSON or XML format.

Digitally sign the content file and ensure a public key is in place to validate the signature. See Authenticating content files.
From the Main menu, go to Administration > Configuration > Solutions.
Scroll to the Content section and click Import Content.
Click Choose File, select the content file, and click Open.
Click Import.
If object names in the file are the same as for existing objects, the Tanium Console itemizes the conflicts and provides resolution options for each one.
Select resolutions for any conflicts. For guidance, see Conflicts and Best practices.
Click Import again, and click Close when the import finishes.

Copy role configuration details

Copy information from the Roles page to your clipboard to paste the information into a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

From the Main menu, go to Administration > Permissions > Roles.
Perform one of the following steps:
- Copy row information: Select one or more rows and click Copy .
- Copy cell information: Hover over the cell, click Options , and click Copy .

Delete a role

Deleting a role removes it from any user, user group, and persona to which it was assigned.

Perform the following tasks before deleting a role:

Delete the user and user group assignments from the role configuration: Managing roles.
Go to the effective permissions page for your users and review the resulting impact on the effective permissions: View effective permissions for users.

To delete a role:

From the Main menu, go to Administration > Permissions > Roles.
Select the role and click Delete .